https://tryhackme.com/room/exploitingad
Task 1 - Introduction
Connecting to the Network
Configure DNS by adding THMDC's IP to the DNS settings:
Network Manager > Advanced Network Configuration > Your Connection > IPv4 Settings

Then restart NetworkManager so the DNS change is applied:
sudo systemctl restart NetworkManager
Requesting Your Credentials
For SSH access, get credentials from http://distributor.za.tryhackme.loc/creds, then connect with:
ssh za.tryhackme.loc\\<AD Username>@thmwrk1.za.tryhackme.loc
Task 2 - Exploiting Permission Delegation
20220614162804BloodHound.zip
A significant number of ACEs can be misconfigured, and the exploit for each varies.
The BloodHound documentation explains the enumerated ACEs and how they can be exploited. A few notable ones:
- ForceChangePassword: We have the ability to set the user's current password without knowing their current password.
- AddMembers: We have the ability to add users (including our own account), groups or computers to the target group.
- GenericAll: We have complete control over the object, including the ability to change the user's password, register an SPN or add an AD object to the target group.
- GenericWrite: We can update any non-protected parameters of our target object. This could allow us to, for example, update the scriptPath parameter, which would cause a script to execute the next time the user logs on.
- WriteOwner: We have the ability to update the owner of the target object. We could make ourselves the owner, allowing us to gain additional permissions over the object.
- WriteDACL: We have the ability to write new ACEs to the target object's DACL. We could, for example, write an ACE that grants our account full control over the target object.
- AllExtendedRights: We have the ability to perform any action associated with extended AD rights against the target object. This includes, for example, the ability to force change a user's password.
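The rights listed above are only dangerous in combination with who holds them, and the same ACE data BloodHound collects is what a domain administrator should audit before anyone else does. The following Python example is added here as an illustration; it is not code from the room, from BloodHound, or from TryHackMe. It builds a directed graph from constructed ACE records (holder, right, target) plus group memberships, treats membership and each of the control rights named above as an edge, and reports which untrusted principals can chain those edges to reach a sensitive group. Right names follow this page's list (BloodHound's own edge names differ slightly, e.g. AddMember and WriteDacl), the sample principals and ACEs are invented, and the `CONTROL_RIGHTS` descriptions paraphrase the bullets above.

```python
from collections import defaultdict, deque

# Rights over an object that let the holder take control of it.
# Names and descriptions follow the ACE list in the notes above.
CONTROL_RIGHTS = {
    "ForceChangePassword": "reset the target user's password without knowing it",
    "AddMembers": "add any principal (including yourself) to the target group",
    "GenericAll": "take full control of the target object",
    "GenericWrite": "write non-protected attributes of the target (e.g. scriptPath)",
    "WriteOwner": "take ownership of the target object",
    "WriteDACL": "add arbitrary ACEs to the target's DACL",
    "AllExtendedRights": "exercise any extended right against the target",
}

# Constructed sample data (not from a real domain or a BloodHound export).
# ACEs as (principal holding the right, right, object it applies to).
SAMPLE_ACES = [
    ("helpdesk", "ForceChangePassword", "it.admin"),
    ("it.admin", "AddMembers", "Server Admins"),
    ("Server Admins", "GenericAll", "Domain Admins"),
    ("svc.monitor", "GenericWrite", "bob"),
    ("alice", "ReadProperty", "bob"),  # read-only, not a control right
]
# Group membership as (member, group).
SAMPLE_MEMBERSHIPS = [("carol", "helpdesk")]


def build_graph(aces, memberships):
    """Directed graph: an edge means the source can act with the rights of the
    target (group membership) or take control of the target (a control right)."""
    graph = defaultdict(list)
    for holder, right, target in aces:
        if right in CONTROL_RIGHTS:
            graph[holder].append((target, right))
    for member, group in memberships:
        graph[member].append((group, "MemberOf"))
    return graph


def control_path(graph, start, target):
    """Shortest chain of edges from start to target as (from, right, to) steps,
    or None if the target is unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for nxt, right in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = (node, right)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, right = parent[node]
        path.append((prev, right, node))
        node = prev
    return list(reversed(path))


def audit(aces, memberships, sensitive, trusted):
    """Map each untrusted principal to the first chain that reaches a sensitive object."""
    graph = build_graph(aces, memberships)
    principals = {holder for holder, _, _ in aces} | {m for m, _ in memberships}
    findings = {}
    for principal in sorted(principals - set(trusted)):
        for obj in sensitive:
            path = control_path(graph, principal, obj)
            if path:
                findings[principal] = path
                break
    return findings


def describe(path):
    """One report line per step, using the right descriptions above."""
    lines = []
    for src, right, dst in path:
        if right == "MemberOf":
            lines.append(f"{src} is a member of {dst}")
        else:
            lines.append(f"{src} has {right} on {dst}: can {CONTROL_RIGHTS[right]}")
    return lines


if __name__ == "__main__":
    report = audit(SAMPLE_ACES, SAMPLE_MEMBERSHIPS,
                   sensitive={"Domain Admins"}, trusted={"Domain Admins"})
    for principal, path in report.items():
        print(f"[!] {principal} can reach Domain Admins:")
        for line in describe(path):
            print("    " + line)
```

On the constructed data the report flags carol, helpdesk, it.admin and Server Admins, while svc.monitor (GenericWrite over an ordinary user only) and alice (read access only) are not reported; the remediation for each finding is the ACE at the start of its chain, which is what makes a per-step report more useful to a defender than a flat list of dangerous rights.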