Permission delegation

Resources

  1. Access Control Entries (ACEs)

  2. TryHackMe Exploiting AD room

  3. AD-RSAT (Active Directory Remote Administration Tools)

The Active Directory module for Windows PowerShell consolidates a group of cmdlets that you can use to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets and related components.

Exploiting Access Control Entries (ACEs)

An access control entry (ACE) is an element in an access control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee.

Some ACEs can be abused when they are delegated incorrectly, because they allow us to perform dangerous actions:

a. ForceChangePassword: Set a user's password without knowing their current password

b. AddMembers: Add users (including our own account), groups or computers to a target group

c. GenericAll: Provides us with complete control over an object

  • change the user's password

  • register a Service Principal Name (SPN)

  • add an AD object to a target group

d. GenericWrite: Update any non-protected parameters of a target object

e. WriteOwner: Update the owner of a target object

  • this means that we can make ourselves the owner, allowing us to gain additional permissions over the object

f. WriteDACL: Write new ACEs to a target object's Discretionary Access Control List (DACL)

  • for example, we could write an ACE that grants our account full control over a target object

g. AllExtendedRights: Perform any action associated with extended AD rights such as force changing a user's password
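A defender can hunt for the delegations listed above directly in the directory. The following audit script is an added example, not part of the original notes or of the TryHackMe room; it assumes the AD-RSAT module is installed (so the AD: PSDrive exists) and that the list of trusted principals matches your environment. The two rights GUIDs are the published Microsoft values for User-Force-Change-Password and the "member" attribute.

```powershell
# Added example: list ACEs on users and groups under an OU that grant the
# dangerous rights (GenericAll, WriteDACL, WriteOwner, GenericWrite,
# AllExtendedRights, ForceChangePassword, AddMembers) to untrusted principals.
Import-Module ActiveDirectory

# Well-known schema GUIDs (Microsoft constants): extended right and attribute.
$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$MemberAttributeGuid     = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # "member" attribute (AddMembers)
$AllGuid                 = [guid]'00000000-0000-0000-0000-000000000000'  # ACE applies to all rights/properties

# Principals expected to hold broad rights; adjust for your domain (assumed list).
$TrustedAccounts = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
                     'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')
$TrustedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# True when every bit of the named ActiveDirectoryRights flag is set in $Rights.
function Test-Right([System.DirectoryServices.ActiveDirectoryRights]$Rights, [string]$Name) {
    $flag = [System.DirectoryServices.ActiveDirectoryRights]$Name
    return (($Rights -band $flag) -eq $flag)
}

function Get-DangerousAces {
    param([Parameter(Mandatory)][string]$SearchBase)

    # objectClass=user also matches computer objects, which is fine for this audit.
    $targets = Get-ADObject -SearchBase $SearchBase -LDAPFilter '(|(objectClass=user)(objectClass=group))'
    foreach ($obj in $targets) {
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($TrustedAccounts -contains $who) { continue }
            if ($TrustedGroups -contains ($who -split '\\')[-1]) { continue }

            $r = $ace.ActiveDirectoryRights
            # Order matters: GenericAll/GenericWrite contain the narrower bits checked later.
            $label = if (Test-Right $r 'GenericAll') { 'GenericAll' }
                     elseif (Test-Right $r 'WriteDacl') { 'WriteDACL' }
                     elseif (Test-Right $r 'WriteOwner') { 'WriteOwner' }
                     elseif (Test-Right $r 'GenericWrite') { 'GenericWrite' }
                     elseif ((Test-Right $r 'ExtendedRight') -and $ace.ObjectType -eq $AllGuid) { 'AllExtendedRights' }
                     elseif ((Test-Right $r 'ExtendedRight') -and $ace.ObjectType -eq $ForceChangePasswordGuid) { 'ForceChangePassword' }
                     elseif ((Test-Right $r 'WriteProperty') -and $ace.ObjectType -eq $MemberAttributeGuid) { 'AddMembers' }
            if ($label) {
                [pscustomobject]@{ Object = $obj.Name; Trustee = $who; Right = $label; Inherited = $ace.IsInherited }
            }
        }
    }
}

# Usage (placeholder OU): Get-DangerousAces -SearchBase 'OU=Staff,DC=example,DC=local' | Format-Table -AutoSize
```

Every row returned is a delegation that should either be documented as intentional or removed; inherited rows usually point at a parent OU whose DACL needs fixing rather than the object itself.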

Bloodhound

We can use Bloodhound to enumerate dangerous permission delegations: set the user account we compromised initially as the start node and our desired target as the end node. Bloodhound will then show any misconfigured permission delegations along a path between the two that we can abuse to extend our foothold.

Privilege escalation

From the information gathered with Bloodhound, we can use the AD-RSAT PowerShell cmdlets (refer to the link in the "Resources" section above) to interact with AD.

AddMember

Suppose our account has the AddMembers ACE. We can use the Add-ADGroupMember cmdlet to add a member to a group. Subsequently, we can use the Get-ADGroupMember cmdlet to verify our addition:

# -Members takes an array of principals; pass several as separate quoted values, not one comma-separated string
PS C:\> Add-ADGroupMember -Identity "<group_name>" -Members "<member_name>","<member_name2>"

  • -Identity: Specifies an Active Directory group object

  • -Members: Specifies an array of user, group, and computer objects (comma-separated) to add to the group

PS C:\> Get-ADGroupMember -Identity "<group_name>"
distinguishedName : xxxx
name              : xxxx
...

ForceChangePassword

Suppose our account has the ForceChangePassword ACE. We can use the Set-ADAccountPassword cmdlet to reset the password of a target user account:

# build a SecureString holding the new password
PS C:\> $Password = ConvertTo-SecureString "<new_password>" -AsPlainText -Force

# -Reset sets the password without supplying the current one
PS C:\> Set-ADAccountPassword -Identity "<username>" -Reset -NewPassword $Password
