# Enumerating ACLs with PowerView

- `Find-InterestingDomainACL` provides a copious amount of info

```powershell
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Find-InterestingDomainAcl

ObjectDN                : DC=INLANEFREIGHT,DC=LOCAL
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : ExtendedRight
ObjectAceType           : ab721a53-1e2f-11d0-9819-00aa0040529b
AceFlags                : ContainerInherit
AceType                 : AccessAllowedObject
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-3842939050-3880317879-2865463114-5189
IdentityReferenceName   : Exchange Windows Permissions
IdentityReferenceDomain : INLANEFREIGHT.LOCAL
IdentityReferenceDN     : CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=INLANEFREIGHT,DC=LOCAL
IdentityReferenceClass  : group

ObjectDN                : DC=INLANEFREIGHT,DC=LOCAL
<SNIP>
```

- We can use `Get-DomainObjectACL` to target a specific user (`wley`)
- Extended rights for the target user are shown as a GUID because the `ResolveGUIDs` flag is not used

```powershell
PS C:\htb> $sid = Convert-NameToSid wley
PS C:\htb> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
```

![[images/Pasted image 20251103151616.png]]

- We can perform a reverse search to map the GUID to its extended-right name

```powershell
PS C:\htb> $guid = "00299570-246d-11d0-a768-00aa006e0529"
PS C:\htb> Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * | Select Name,DisplayName,DistinguishedName,rightsGuid | ? {$_.rightsGuid -eq $guid} | fl

Name              : User-Force-Change-Password
DisplayName       : Reset Password
DistinguishedName : CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
rightsGuid        : 00299570-246d-11d0-a768-00aa006e0529
```

- Using `Get-DomainObjectACL` against a specific user with the `ResolveGUIDs` flag streamlines the above two steps

```powershell
PS C:\htb> $sid = Convert-NameToSid wley
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

AceQualifier           : AccessAllowed
ObjectDN               : CN=Dana Amundsen,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : User-Force-Change-Password
ObjectSID              : S-1-5-21-3842939050-3880317879-2865463114-1176
InheritanceFlags       : ContainerInherit
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-3842939050-3880317879-2865463114-1181
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : ContainerInherit
InheritedObjectAceType : All
OpaqueLength           : 0
```

# Enumerating ACLs with PowerShell Cmdlets

- Create a list of domain users with the `Get-ADUser` cmdlet

```powershell
PS C:\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
```

- Use a `foreach` loop in combination with the `Get-Acl` cmdlet to target `wley`
- `wley` has `User-Force-Change-Password` (i.e., GUID 00299570-246d-11d0-a768-00aa006e0529) over `damundsen`

```powershell
PS C:\htb> foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}
```

![[images/Pasted image 20251103153658.png]]

## Using PowerView's Get-DomainObjectACL for Further Enum

- Expand our enum to see AD rights for `damundsen`
- `damundsen` has `GenericWrite` over the `Help Desk Level 1` group
- This means that we can add ourselves to this group

```powershell
PS C:\htb> $sid2 = Convert-NameToSid damundsen
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose

AceType               : AccessAllowed
ObjectDN              : CN=Help Desk Level 1,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
OpaqueLength          : 0
ObjectSID             : S-1-5-21-3842939050-3880317879-2865463114-4022
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-3842939050-3880317879-2865463114-1176
AccessMask            : 131132
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed
```

- Expand enum to see the `Help Desk Level 1` group's AD rights
- The `Help Desk Level 1` group is a member of the `Information Technology` group

```powershell
PS C:\htb> Get-DomainGroup -Identity "Help Desk Level 1" | select memberof

memberof
--------
CN=Information Technology,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
```

- Expand enum to see the `Information Technology` group's AD rights
- The `Information Technology` group has `GenericAll` over `adunn`

```powershell
PS C:\htb> $itgroupsid = Convert-NameToSid "Information Technology"
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid} -Verbose

AceType               : AccessAllowed
ObjectDN              : CN=Angela Dunn,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-3842939050-3880317879-2865463114-1164
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-3842939050-3880317879-2865463114-4016
AccessMask            : 983551
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed
```

- Expand enum to the AD rights of `adunn`, who is a server admin
- `adunn` has the `DS-Replication-Get-Changes-In-Filtered-Set` and `DS-Replication-Get-Changes` rights on the domain object, which together enable a DCSync attack

```powershell
PS C:\htb> $adunnsid = Convert-NameToSid adunn
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $adunnsid} -Verbose

AceQualifier           : AccessAllowed
ObjectDN               : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : DS-Replication-Get-Changes-In-Filtered-Set
ObjectSID              : S-1-5-21-3842939050-3880317879-2865463114
InheritanceFlags       : ContainerInherit
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-3842939050-3880317879-2865463114-1164
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : ContainerInherit
InheritedObjectAceType : All
OpaqueLength           : 0

AceQualifier           : AccessAllowed
ObjectDN               : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : DS-Replication-Get-Changes
ObjectSID              : S-1-5-21-3842939050-3880317879-2865463114
InheritanceFlags       : ContainerInherit
<SNIP>
```

# Enumerating ACLs with BloodHound

- Select the `wley` user and look at the Outbound Control Rights within the Node Info tab
- Select First Degree Object Control within Outbound Control Rights to show:

![[images/Pasted image 20251103150318.png]]

- We can right-click on the edge noting `ForcePasswordChange` for more info

![[images/Pasted image 20251103150456.png]]

- Select Transitive Object Control within Outbound Control Rights to show:

![[images/Pasted image 20251103150645.png]]

- We can also use pre-built queries to accelerate the process
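The notes above walk the chain one principal at a time (wley, then damundsen, then the two groups, then adunn), resolving one GUID by hand along the way. The script below is an added example, not part of the HTB notes, PowerView or BloodHound: it does the same audit domain-wide with only the RSAT `ActiveDirectory` module, from the defender's side. It goes beyond the page in three ways: it builds the GUID-to-name map for every extended right and schema attribute at once (the general form of the `CN=Extended-Rights` lookup), it classifies every ACE using the same `AccessMask` bits the page's output shows (983551 for `GenericAll`, 131132 contains `GenericWrite`, 256 is `ExtendedRight`), and it walks control plus group-membership edges breadth-first, which is what BloodHound's Transitive Object Control view draws. Assumptions: RSAT is installed, the caller can read `nTSecurityDescriptor` on the objects under the search base, and a domain controller is reachable. All function and variable names (`Get-AdGuidMap`, `Find-ControlEdges`, `Get-TransitiveControl`, the privileged-SID lists) are my own.

```powershell
# Added example, not part of the HTB notes, PowerView or BloodHound. Assumes RSAT is
# installed and the caller can read DACLs in $SearchBase. All names below are mine.
Import-Module ActiveDirectory

# 1. GUID -> name map from the Extended-Rights container (rightsGuid) and from the
#    schema (schemaIDGUID); generalises the manual reverse lookup of 00299570-... above.
function Get-AdGuidMap {
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid |
        ForEach-Object { $map[([string]$_.rightsGuid).ToLower()] = $_.Name }
    Get-ADObject -SearchBase $root.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    return $map
}

# Principals expected to hold control rights; ACEs granted to them are noise for this audit.
$PrivilegedSids = @('S-1-5-18', 'S-1-5-9', 'S-1-5-10', 'S-1-3-0', 'S-1-5-32-544')
$PrivilegedRids = @('498', '512', '516', '518', '519', '521')
$InterestingExtended = @('User-Force-Change-Password', 'DS-Replication-Get-Changes',
                         'DS-Replication-Get-Changes-All', 'DS-Replication-Get-Changes-In-Filtered-Set')

function Test-PrivilegedSid([string]$Sid) {
    if ($PrivilegedSids -contains $Sid) { return $true }
    return $Sid.StartsWith('S-1-5-21-') -and ($PrivilegedRids -contains ($Sid -split '-')[-1])
}

function Resolve-AceSid($Ace) {
    try   { return $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $Ace.IdentityReference.Value }   # unresolvable principal: already a SID string
}

# 2. Classify one ACE the way Find-InterestingDomainACL does. Only the first (strongest)
#    matching label is returned, so an ACE with several abusable bits is reported once.
function Get-InterestingRight($Ace, $GuidMap) {
    if ($Ace.AccessControlType -ne 'Allow') { return $null }
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $r = [int]$Ace.ActiveDirectoryRights
    if (($r -band [int]$R::GenericAll) -eq [int]$R::GenericAll) { return 'GenericAll' }       # mask 983551
    if ($r -band [int]$R::WriteDacl)  { return 'WriteDacl' }
    if ($r -band [int]$R::WriteOwner) { return 'WriteOwner' }
    if (($r -band [int]$R::GenericWrite) -eq [int]$R::GenericWrite) { return 'GenericWrite' }  # inside 131132
    $type = $Ace.ObjectType
    if ($r -band [int]$R::ExtendedRight) {                                                     # mask 256
        if ($type -eq [guid]::Empty) { return 'AllExtendedRights' }
        if ($InterestingExtended -contains $GuidMap[$type.ToString()]) { return $GuidMap[$type.ToString()] }
    }
    if ($r -band [int]$R::WriteProperty) {
        if ($type -eq [guid]::Empty) { return 'WriteAllProperties' }
        if ($GuidMap[$type.ToString()] -eq 'member') { return 'AddMember' }
    }
    return $null
}

# 3. Read each SID-bearing object's DACL once, keep interesting ACEs held by non-privileged
#    principals, and record memberOf edges because a group's rights flow to its members.
function Find-ControlEdges([string]$SearchBase = (Get-ADRootDSE).DefaultNamingContext) {
    $guidMap = Get-AdGuidMap
    $objects = Get-ADObject -SearchBase $SearchBase -LDAPFilter '(objectSid=*)' -Properties objectSid, memberOf
    $sidOf = @{}; $nameOf = @{}
    foreach ($o in $objects) { $sidOf[$o.DistinguishedName] = $o.objectSid.Value; $nameOf[$o.objectSid.Value] = $o.Name }
    $edges = New-Object System.Collections.Generic.List[object]
    foreach ($o in $objects) {
        foreach ($g in $o.memberOf) {
            if ($sidOf[$g]) { $edges.Add([pscustomobject]@{ From = $o.objectSid.Value; To = $sidOf[$g]; Right = 'MemberOf'; TargetDN = $g }) }
        }
        foreach ($ace in (Get-Acl -Path "AD:\$($o.DistinguishedName)").Access) {
            $right = Get-InterestingRight $ace $guidMap
            if (-not $right) { continue }
            $from = Resolve-AceSid $ace
            if (Test-PrivilegedSid $from) { continue }
            $edges.Add([pscustomobject]@{ From = $from; To = $o.objectSid.Value; Right = $right
                                          TargetDN = $o.DistinguishedName; Inherited = $ace.IsInherited })
        }
    }
    return [pscustomobject]@{ Edges = $edges; NameOf = $nameOf }
}

# 4. Breadth-first walk from one principal over control and membership edges: the
#    Transitive Object Control view, built from the edges collected in step 3.
function Get-TransitiveControl($Graph, [string]$StartSid, [int]$MaxDepth = 8) {
    $seen  = @{ $StartSid = $true }
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Sid = $StartSid; Depth = 0; Path = @($Graph.NameOf[$StartSid]) })
    $paths = @()
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        if ($cur.Depth -ge $MaxDepth) { continue }
        foreach ($e in ($Graph.Edges | Where-Object { $_.From -eq $cur.Sid -and -not $seen[$_.To] })) {
            $seen[$e.To] = $true
            $name = if ($Graph.NameOf[$e.To]) { $Graph.NameOf[$e.To] } else { $e.To }
            $path = $cur.Path + "-[$($e.Right)]->" + $name
            if ($e.Right -ne 'MemberOf') { $paths += ($path -join ' ') }
            $queue.Enqueue(@{ Sid = $e.To; Depth = $cur.Depth + 1; Path = $path })
        }
    }
    return $paths
}

# Usage: audit the domain, list the direct findings, then the chain reachable from one user.
# $g = Find-ControlEdges
# $g.Edges | Where-Object Right -ne 'MemberOf' | Format-Table From, Right, TargetDN -AutoSize
# Get-TransitiveControl $g (Get-ADUser wley).SID.Value
```

Run against a lab shaped like the notes, `Find-ControlEdges` returns the same four control edges the page found by hand (ForceChangePassword on damundsen, GenericWrite on Help Desk Level 1, GenericAll on adunn, the two replication rights on the domain head) plus the Help Desk Level 1 to Information Technology membership edge, and `Get-TransitiveControl` prints that chain as one path string. For a review program the useful output is the edge list itself: every row where `From` is an ordinary user or group and `Right` is one of the labels above is a delegation that should be explicitly justified or removed, and `Inherited = False` rows are the ones someone set on that object directly.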