GenericAll
During the BloodHound enumeration, it was identified that the l.livingstone user has the GenericAll privilege over the ResourceDC.resourced.local host. This can be confirmed using bloodyAD:
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ KRB5CCNAME=l.livingstone@ResourceDC.resourced.local.ccache bloodyAD -d RESOURCED.LOCAL -k --host ResourceDC.resourced.local --dc-ip $IP get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=resourced,DC=local
permission: WRITE
distinguishedName: CN=RESOURCEDC,OU=Domain Controllers,DC=resourced,DC=local
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: CN=RID Set,CN=RESOURCEDC,OU=Domain Controllers,DC=resourced,DC=local
permission: WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: CN=DFSR-LocalSettings,CN=RESOURCEDC,OU=Domain Controllers,DC=resourced,DC=local
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: CN=Domain System Volume,CN=DFSR-LocalSettings,CN=RESOURCEDC,OU=Domain Controllers,DC=resourced,DC=local
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=RESOURCEDC,OU=Domain Controllers,DC=resourced,DC=local
permission: WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: CN=L.Livingstone,CN=Users,DC=resourced,DC=local
permission: WRITE
The bloodyAD output above confirms this: besides the user's own object, l.livingstone can write the computer object CN=RESOURCEDC in the Domain Controllers OU, including its OWNER and DACL, which is the right set that GenericAll grants.
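As an added example that is not part of the original writeup, the following Python parses the `distinguishedName` / `permission` / `OWNER` / `DACL` block format that bloodyAD `get writable` prints above and flags computer objects directly under the Domain Controllers OU where the queried principal can rewrite both owner and DACL; this is the entry an auditor reviewing such output would escalate first. The sample input is a constructed excerpt of the output shown on this page.

```python
from dataclasses import dataclass, field
# Constructed sample: an excerpt of the bloodyAD `get writable` output quoted above.
SAMPLE = """\
distinguishedName: CN=RESOURCEDC,OU=Domain Controllers,DC=resourced,DC=local
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: CN=RID Set,CN=RESOURCEDC,OU=Domain Controllers,DC=resourced,DC=local
permission: WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: CN=L.Livingstone,CN=Users,DC=resourced,DC=local
permission: WRITE
"""

@dataclass
class WritableEntry:
    dn: str
    permissions: list = field(default_factory=list)
    owner_write: bool = False
    dacl_write: bool = False

def parse_writable(text):
    """Turn the `key: value` lines into one WritableEntry per distinguishedName block."""
    entries, current = [], None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "distinguishedName":
            current = WritableEntry(dn=value)
            entries.append(current)
        elif current is None:
            continue  # attribute line before any distinguishedName: ignore
        elif key == "permission":
            current.permissions = [p.strip() for p in value.split(";") if p.strip()]
        elif key == "OWNER":
            current.owner_write = value == "WRITE"
        elif key == "DACL":
            current.dacl_write = value == "WRITE"
    return entries

def is_dc_computer_object(entry):
    # Parent container of the DN (naive split; escaped commas in RDNs are not handled)
    return entry.dn.partition(",")[2].startswith("OU=Domain Controllers,")

def triage(text):
    """DNs of DC computer objects where the principal holds both OWNER and DACL write."""
    return [e.dn for e in parse_writable(text)
            if e.owner_write and e.dacl_write and is_dc_computer_object(e)]
```

Child objects such as the RID Set container are deliberately not reported, since the computer object itself is what matters for the delegation path described below.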
Exploit
GenericAll over a computer object usually leads to Resource-Based Constrained Delegation. In the current context, that computer object happens to be the DC host itself. Given that the l.livingstone user currently has a WinRM session, I can exploit it both locally and remotely.
Moving on to the Privilege Escalation phase.