InfoSec LAB

Blazorized_User_Privileges_rsa_4810

Created: 2 min read

rsa_4810

Checking for user privileges of the rsa_4810 account after making the Lateral Movement

*Evil-WinRM* PS C:\Users\RSA_4810\Documents> whoami /All
 
USER INFORMATION
----------------
 
User Name           SID
=================== =============================================
blazorized\rsa_4810 S-1-5-21-2039403211-964143010-2924010611-1107
 
 
GROUP INFORMATION
-----------------
 
Group Name                                  Type             SID                                           Attributes
=========================================== ================ ============================================= ==================================================
Everyone                                    Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
BLAZORIZED\Remote_Support_Administrators    Group            S-1-5-21-2039403211-964143010-2924010611-1115 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
 
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
 
 
USER CLAIMS INFORMATION
-----------------------
 
User claims unknown.
 
Kerberos support for Dynamic Access Control on this device has been disabled.

As already identified, the nu_1055 account has memberships to BUILTIN\Remote Management Users and Remote_Support_Administrators groups The user also has SeMachineAccountPrivilege access. noPac exploit may be considered

bloodyAD

┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ KRB5CCNAME=rsa_4810@dc1.blazorized.htb.ccache bloodyAD -d BLAZORIZED.HTB -k --host dc1.blazorized.htb get writable --detail           
 
distinguishedName: CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
scriptPath: WRITE
 
[...REDACTED...]

Checking for additional privileges given to the rsa_4810 account, the user has WRITE access to the scriptPath attribute of the ssa_6010 account. This would mean that I can tamper the logon script of the ssa_6010 account Moving on to Lateral Movement phase

Interactive Graph View

Backlinks