You're reading from Pentesting Active Directory and Windows-based Infrastructure

Product type: Book
Published in: Nov 2023
Publisher: Packt
ISBN-13: 9781804611364
Edition: 1st Edition

Author: Denis Isakov

Denis Isakov is a passionate security professional with 10+ years of experience ranging from incident response to penetration testing. He worked in various industries, including banking and consultancy. Denis is specialized in offensive security with particular focus on Active Directory and adversary malware. He has earned a Master's degree in Information Systems and Technologies in 2012. Additionally, Denis has achieved an array of industry certifications ranging from OSCP to GXPN. Outside of computers, Denis enjoys sports and discovering new places.

Domain Privilege Escalation

The probability that an attacker will need to escalate privileges in the target domain is high. We have already discussed why we will not touch upon the host privilege escalation theme. However, most concepts are universal. We check whether any privilege escalation exploits are applicable to the target environment. If there are none, the next step is to identify misconfigured ACLs and GPOs, as well as users with excessive group memberships, that could have been unintentionally introduced by IT staff or during software installation in the Active Directory environment. We will repeat these activities on every newly discovered path.

This chapter starts with examples of good old point-and-click exploits. This will again emphasize the critical role patching plays in the security posture of an environment. Then, we will cover ACL misconfigurations and Group Policy abuses. The main caveat in detecting these escalation paths is that they can be hidden and not...

Technical requirements

In this chapter, you will need to have access to the following:

  • VMware Workstation or Oracle VirtualBox with at least 16 GB of RAM, 8 CPU cores, and at least 55 GB of total space (more if you take snapshots)
  • A Linux-based operating system is strongly recommended
  • Vagrant installed with a plugin for the virtualization platform in use and Ansible
  • The GOADv2 and DetectionLab projects

Zero2Hero exploits

In this section, we will discuss available exploits that can provide a domain administrator’s level of access in a matter of minutes. In a mature environment with regular patching and vulnerability management, it is not very common to find such treasure. However, there is still a possibility, and checking will not hurt. We will start with a relatively old GoldenPAC vulnerability in Kerberos, discuss the root cause of Zerologon and exploit it, and get elevated privileges with PrintNightmare and noPAC. We will also briefly cover different types of “Potatoes” and discuss how wrong group membership assignment can lead to a complete domain takeover.

MS14-068

MS14-068 was a successor of MS11-013, meaning that it was a PAC validation vulnerability. The attacker was able to modify the existing TGT by adding privileged groups and the domain controller wrongly validated the tickets. This happened on the fly, so domain users’ group membership...

ACL abuse

Access Control List (ACL) abuse provides the attacker with unique and almost undetectable ways to escalate privileges, perform lateral movement, and achieve malware-less persistence.

Note

Some of the most notable and comprehensive research on this theme was presented by SpecterOps (https://specterops.io/wp-content/uploads/sites/3/2022/06/an_ace_up_the_sleeve.pdf). We will refer to some parts of that research here and in the next chapter.

We will start with some essential theory as an introduction. Each object in Active Directory has a security descriptor. The security descriptor holds Access Control Entries (ACEs), which are organised into two lists: the Discretionary Access Control List (DACL) and the System Access Control List (SACL). ACEs define which security principals have which rights over the object. The SACL has great detection potential, as it can be used for auditing access attempts. Object owners can modify the DACL. When we speak about domain objects, we are focusing...
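As an added example (not code from the book), the following PowerShell parses a constructed SDDL string of the kind stored in an AD object's security descriptor, reports the effective DACL entries that grant control-equivalent rights, and lists the SACL entries that decide whether such access is ever audited. It assumes the .NET System.Security.AccessControl classes (Windows only); every SID and the sample descriptor are constructed.

```powershell
using namespace System.Security.AccessControl
# ADS_RIGHT_* bits that let a trustee take control of an object or its DACL
# (same values as the System.DirectoryServices.ActiveDirectoryRights enum).
$ControlRights = [ordered]@{
    GenericAll    = 0x10000000
    GenericWrite  = 0x40000000
    WriteDacl     = 0x00040000
    WriteOwner    = 0x00080000
    WriteProperty = 0x00000020   # scoped to one attribute when the ACE carries a GUID
    ControlAccess = 0x00000100   # extended rights such as reset password or replication
}

function Get-AceReport {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [RawSecurityDescriptor]::new($Sddl)
    # DACL: only effective Allow ACEs grant anything; deny and inherit-only ACEs are skipped
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceQualifier -ne [AceQualifier]::AccessAllowed) { continue }
        if (($ace.AceFlags -band [AceFlags]::InheritOnly) -ne 0) { continue }
        $granted = @($ControlRights.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            ForEach-Object Key)
        if ($granted.Count -eq 0) { continue }
        $scope = 'whole object'
        if ($ace -is [ObjectAce]) { $scope = "GUID $($ace.ObjectAceType)" }
        [pscustomobject]@{
            List    = 'DACL'
            Trustee = $ace.SecurityIdentifier.Value
            Rights  = $granted -join ','
            Detail  = $scope
        }
    }
    # SACL: audit ACEs decide whether the access above is ever logged (Directory Service Access, event 4662)
    foreach ($ace in $sd.SystemAcl) {
        [pscustomobject]@{
            List    = 'SACL'
            Trustee = $ace.SecurityIdentifier.Value
            Rights  = '0x{0:X}' -f $ace.AccessMask
            Detail  = "audit on $($ace.AceFlags)"
        }
    }
}
# Constructed descriptor for a group object (no real domain): owner RID 512; GenericAll for an
# ordinary user RID 1105; read rights for Authenticated Users; WriteProperty on the `member`
# attribute (schema GUID bf9679c0-0de6-11d0-a285-00aa003049e2) for RID 1106; one audit ACE
# recording successful property writes by Everyone.
$sampleSddl = 'O:S-1-5-21-1111-2222-3333-512' +
    'D:(A;;GA;;;S-1-5-21-1111-2222-3333-1105)(A;;RPLCLORC;;;AU)' +
    '(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111-2222-3333-1106)' +
    'S:(AU;SA;WP;;;WD)'
Get-AceReport -Sddl $sampleSddl | Format-Table -AutoSize
```

On a live object the same function can be fed the SDDL from `(Get-Acl "AD:\<DN>").Sddl`; the read-only ACE for Authenticated Users is deliberately not reported, because it grants none of the control rights.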

Group Policy abuse

Server and client Windows operating systems have many parameters that can be enabled, disabled, or configured. These parameters can be applied locally on each computer (local policy), but in a domain it is much more convenient to prepare configuration changes once and push them via Group Policy to a set of machines and/or users. Such a set of settings is called a Group Policy Object (GPO). Each GPO has its own GUID, and its policy files are stored in the domain SYSVOL folder. By default, only users with domain administrator privileges can create and link GPOs; however, these permissions can be delegated. A GPO takes effect only once it is linked to an Organizational Unit (OU), a domain, or a site. The linking process requires an understanding of two more concepts: inheritance and enforcement. If a GPLink is enforced, the GPO applies to the linked OU and all child objects even if inheritance is blocked. If the GPLink is not enforced, the GPO will apply to the linked...
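To make the inheritance and enforcement rules concrete, here is an added PowerShell example (not from the book) that parses raw `gPLink` attribute values for a chain of containers and decides which links actually reach the target OU, honouring enforced links and Block Inheritance (`gPOptions` bit 1). It decides applicability only, not final precedence order; the container chain and GPO GUIDs are constructed.

```powershell
# Parse one raw gPLink attribute value. Each link is stored as
# [LDAP://<GPO DN>;<flags>]: flags bit 1 = link disabled, bit 2 = enforced.
function ConvertFrom-GpLink {
    param([string]$GpLink)
    $pattern = '\[LDAP://(?<dn>[^;\]]+);(?<flags>\d+)\]'
    foreach ($m in [regex]::Matches($GpLink, $pattern, 'IgnoreCase')) {
        $flags = [int]$m.Groups['flags'].Value
        [pscustomobject]@{
            Gpo      = $m.Groups['dn'].Value
            Disabled = ($flags -band 1) -ne 0
            Enforced = ($flags -band 2) -ne 0
        }
    }
}

# Walk the container chain (domain root first, target OU last) and return the
# links that reach the target: an enforced link always applies; any other link
# is dropped if a container below it has gPOptions bit 1 (Block Inheritance).
function Get-AppliedGpLink {
    param([Parameter(Mandatory)][object[]]$Chain)
    $blockedBelow = $false
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {
        $c = $Chain[$i]
        foreach ($l in ConvertFrom-GpLink -GpLink $c.gPLink) {
            if ($l.Disabled) { continue }
            if ($l.Enforced -or -not $blockedBelow) {
                [pscustomobject]@{ LinkedAt = $c.Name; Gpo = $l.Gpo; Enforced = $l.Enforced }
            }
        }
        if (($c.gPOptions -band 1) -ne 0) { $blockedBelow = $true }
    }
}

# Constructed chain (not a real domain): the domain links {1111...} enforced and
# {2222...} normally; OU=Servers blocks inheritance and links {3333...};
# OU=SQL links {4444...} but that link is disabled.
$policies = 'CN=Policies,CN=System,DC=lab,DC=local'
$chain = @(
    [pscustomobject]@{ Name = 'DC=lab,DC=local'; gPOptions = 0
        gPLink = "[LDAP://CN={11111111-1111-1111-1111-111111111111},$policies;2]" +
                 "[LDAP://CN={22222222-2222-2222-2222-222222222222},$policies;0]" }
    [pscustomobject]@{ Name = 'OU=Servers,DC=lab,DC=local'; gPOptions = 1
        gPLink = "[LDAP://CN={33333333-3333-3333-3333-333333333333},$policies;0]" }
    [pscustomobject]@{ Name = 'OU=SQL,OU=Servers,DC=lab,DC=local'; gPOptions = 0
        gPLink = "[LDAP://CN={44444444-4444-4444-4444-444444444444},$policies;1]" }
)
Get-AppliedGpLink -Chain $chain | Format-Table -AutoSize
```

In a real domain the `gPLink` and `gPOptions` values come from the container objects themselves (for example via `Get-ADObject -Properties gPLink,gPOptions`), so a reviewer can spot an enforced link created by a delegated user that bypasses an OU's blocked inheritance.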

Other privilege escalation vectors

This section focuses on the remaining privilege escalation vectors. We will demonstrate the consequences of adding non-privileged domain users to various built-in domain security groups. Then, we will describe privilege escalation from a child domain to the parent domain using Golden and inter-realm tickets. At the end, the PAM concept will be explained.

In general, privileged users, computers, and groups have to be reviewed on a regular basis. From an Active Directory perspective, there is no drastic difference between a user account and a computer account. If an attacker compromises a machine account that is a member of a privileged group, it will certainly lead to privilege escalation.

Note

Original research was presented by XPN: https://secarma.com/using-machine-account-passwords-during-an-engagement/. The idea is to extract the machine account hash and use it for a pass-the-hash attack, as demonstrated here: https://pentestlab.blog/2022...

Summary

In this chapter, we covered how an attacker can escalate privileges inside the domain. We started our conversation with deadly exploits that grant the highest privileges in the blink of an eye. Regular patching and vulnerability management can help to mitigate this attack vector. Next, we looked at various ACL abuses against domain objects. We reviewed the most common privilege escalation paths, accompanied by practical examples. Special attention was paid to GPO abuse, as Group Policies can be deployed throughout the domain, providing an attacker with lateral movement, privilege escalation, and persistence opportunities all at once. We also discussed built-in domain groups that can be used for privilege escalation if a member of such a group has been compromised. Lastly, we looked at privilege escalation through trust relationships between child and parent domains. We also briefly touched upon the PAM trust theme and possible misconfigurations that could ruin the whole ESAE...

Further reading

These aids for further study will let you dive deeper into the attacks covered in the chapter:
