🌲Enumeration
Enumerating ACLs Powerview
Let's say we got the user wley
, which we obtained after solving the last question in the LLMNR/NBT-NS Poisoning - from Linux.
We are going to use PowerView to see if this user has any interesting ACL rights that we could take advantage of.
Get-DomainObjectACL
We could Google for the GUID value 00299570-246d-11d0-a768-00aa006e0529
and uncover this page showing that the user has the right to force change the other user's password.
Reverse Search & Mapping to a GUID Value
-ResolveGUIDs
We could've used ResolveGUIDs first
but it's good to see how to manually do things if the client does not want us to put tools on his sytems
Creating a List of Domain Users
We then read each line of the file using a foreach
loop, and use the Get-Acl
cmdlet to retrieve ACL information for each domain user by feeding each line of the ad_users.txt
file to the Get-ADUser
cmdlet. We then select just the Access property
, which will give us information about access rights. Finally, we set the IdentityReference
property to the user we are in control of (or looking to see what rights they have), in our case, wley
.
Once we have this data, we could follow the same methods shown above to convert the GUID to a human-readable format to understand what rights we have over the target user.
we started with the user wley
and now have control over the user damundsen
via the User-Force-Change-Password
extended right. Let's use Powerview to hunt for where, if anywhere, control over the damundsen
account could take us.
user damundsen
has GenericWrite
privileges over the Help Desk Level 1
group. This means, among other things, that we can add any user (or ourselves) to this group and inherit any rights that this group has applied to it.
Let's look and see if this group is nested into any other groups, remembering that nested group membership will mean that any users in group A will inherit all rights of any group that group A is nested into (a member of).
So we can obtain any rights that the Information Technology
group grants to its members if we just add ourselves to the Help Desk Level 1
group where our user damundsen
has GenericWrite
privileges.
Here is a recap:
recap where we're at:
We have control over the user
wley
whose hash we retrieved earlier in the module (assessment) using Responder and cracked offline using Hashcat to reveal the cleartext password valueWe enumerated objects that the user
wley
has control over and found that we could force change the password of the userdamundsen
From here, we found that the
damundsen
user can add a member to theHelp Desk Level 1
group usingGenericWrite
privilegesThe
Help Desk Level 1
group is nested into theInformation Technology
group, which grants members of that group any rights provisioned to theInformation Technology
group
Let's look at what members of Information Technology
can do
Get-DomainObjectACL
shows us that members of the Information Technology
group have GenericAll
rights over the user adunn
, which means we could:
Modify group membership
Force change a password
Perform a targeted Kerberoasting attack and attempt to crack the user's password if it is weak
Now we want to see if the adunn
user has any type of interesting access that we may be able to leverage to get closer to our goal.
adunn
user has DS-Replication-Get-Changes
and DS-Replication-Get-Changes-In-Filtered-Set
rights over the domain object. This means that this user can be leveraged to perform a DCSync attack.
Enumerating ACLs with BloodHound
we can set the wley
user as our starting node, select the Node Info
tab and scroll down to Outbound Control Rights
. This option will show us objects we have control over directly, via group membership, and the number of objects that our user could lead to us controlling via ACL attack paths under Transitive Object Control
. If we click on the 1
next to First Degree Object Control
, we see the first set of rights that we enumerated, ForceChangePassword
over the damundsen
user.
ForceChangePassword
If we click on the 16
next to Transitive Object Control
, we will see the entire path that we painstakingly enumerated above.
Finally, we can use the pre-built queries in BloodHound to confirm that the adunn
user has DCSync rights.
What is the rights GUID for User-Force-Change-Password?
What flag can we use with PowerView to show us the ObjectAceType in a human-readable format during our enumeration?
What privileges does the user damundsen have over the Help Desk Level 1 group?
Using the skills learned in this section, enumerate the ActiveDirectoryRights that the user forend has over the user dpayne (Dagmar Payne).
Last updated