General
ACL-based attacks in Windows can be facilitated by using a tool called Bloodhound. Bloodhound is a tool that uses graph theory to reveal the hidden and unintended relationships within an Active Directory environment. It helps to identify and visualize the attack paths and permission escalation paths that a potential attacker could take to gain unauthorized access to sensitive resources.
When using Bloodhound, an attacker can use the tool to identify misconfigured or overly permissive ACLs, and then use that information to craft an attack that leverages those vulnerabilities. For example, an attacker could use Bloodhound to identify a user or group with high-level permissions and then use that user or group's credentials to gain access to sensitive resources.
-
What is Access Control Entries (ACE) Access Control Entries (ACEs) are a fundamental component of access control in Windows operating systems. They define the permissions and access rights for specific users or groups for a specific object.
For example, in a shared folder that contains sensitive data, you may want to grant full access to the folder to a group of managers and read-only access to a group of regular employees. To accomplish this, you would create two ACEs, one for the managers' group granting them full access and another for the employees' group granting them read-only access. These ACEs are then added to the Discretionary Access Control List (DACL) for the shared folder, and the operating system uses the DACL to determine whether a specific user or group has the required permissions to access the folder.
It's also important to note that you can set multiple access rights for a user or group in a single ACE. For example, you can set both read and write access for a group in a single ACE, rather than creating separate ACEs for each access right. This provides a more efficient way to manage permissions, as you can control multiple access rights for a user or group in a single ACE.
ACE = Change permission(s) of one user/group DACL = Combination of all ACE for the file
![[Pasted image 20230116194137.png]]
More Information ---> [[4 - Access Control Lists]]
Exploitation ACE's
A significant amount of ACEs can be misconfigured, and the exploits for each vary. The Bloodhound documentation (opens in a new tab) assists in explaining enumerated ACEs and how they can be exploited. However, we will look at a couple of notable ones here:
-
ForceChangePassword: We have the ability to set the user's current password without knowing their current password.
-
AddMembers: We have the ability to add users (including our own account), groups or computers to the target group.
-
GenericAll: We have complete control over the object, including the ability to change the user's password, register an SPN or add an AD object to the target group.
-
GenericWrite: We can update any non-protected parameters of our target object. This could allow us to, for example, update the scriptPath parameter, which would cause a script to execute the next time the user logs on.
-
WriteOwner: We have the ability to update the owner of the target object. We could make ourselves the owner, allowing us to gain additional permissions over the object.
-
WriteDACL: We have the ability to write new ACEs to the target object's DACL. We could, for example, write an ACE that grants our account full control over the target object.
-
AllExtendedRights: We have the ability to perform any action associated with extended AD rights against the target object. This includes, for example, the ability to force change a user's password.
Misconfiguration using BloodHound
Using the information gathered from Bloodhound, identify any misconfigurations in the system and attempt to exploit them. These vulnerabilities may not always lead to gaining access to a high-level administrator account, but they could potentially provide a path to a lower-level (Tier 2) account with sufficient permissions to achieve your desired outcome.
Exploitation Example
![[Pasted image 20230116204021.png]]
- Example of exploitation (Adding user to an other groups (Generic Write))
Powershell (Add to a group)
Add-ADGroupMember "GROUPE_NAME" -Members "Your.AD.Account.Username"
Powershell (Verify the command worked)
Get-ADGroupMember -Identity "GROUP_NAME"
Powerhsell (Force refresh group permission) --> Refresh your groups and permissions in Domain
gpupdate /force
- Example of permission (Reset passwords through the new group that has been added.)
Powershell (Check who's in the Target Group)
Get-ADGroupMember -Identity "GOUP_NAME"
Powershell (ChangeForce Password Reset)
$Password = ConvertTo-SecureString "New.Password.For.User" -AsPlainText -Force
Set-ADAccountPassword -Identity "AD.Account.Username.Of.Target" -Reset -NewPassword $Password
Login via SSH/RDP to the target