Closed albfflk closed 1 year ago
Hello
First about AdminCount :
Question: What is AdminCount, and why is it not being decremented to ‘0’ or ‘’ when I remove a user from a Protected Group?
Answer: AdminCount is an attribute on the user account that is set to 1 on any users being protected by AdminSdHolder. When protected, the user gets this attribute set and the security inheritance bit is removed from their account.
The reason AdminCount isn’t set back to 0 when the user is removed from a protected group is that you told us not to! A survey of customers early on in Windows 2000's design found that they favored deleting a user account after its high-privilege rights were revoked, as the account could have created explicit backdoors before having its rights stripped. Therefore the DC does not remove the AdminCount attribute entry, as it is assumed that the account is going to be disabled or deleted.
If for some reason you didn’t want to get rid of that account after ‘de-admining’ it, you must manually set it back to allowing inheritance and set AdminCount to 0, usually through ADSIEDIT.MSC.
more here
Also, about give_dcsync action of acltoolkit, there was a bug, which I fixed in cddc37f9. So now it should work well.
About get-objectacl: The ACEs of an object describe what permissions other object have on it, not the opposite.
About your attack paths in BH: I don't really know why it is not working, could be an inheritance problem, or a BH false positive, or anything else.
To help you to dig on the subject, here are some great resources:
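The AdminCount answer quoted above implies a routine hygiene check: accounts that still carry adminCount=1 (and a non-inheriting ACL) although they no longer sit, directly or through nesting, in any AdminSDHolder-protected group. The following is an added example of that check, not code from the issue, from acltoolkit or from Microsoft; the directory records are constructed inline, and in a real domain the same data would come from an LDAP search such as (adminCount=1) returning sAMAccountName and memberOf, plus the group membership tree. The protected group names are the documented defaults for AdminSDHolder.

```python
# Added example: find accounts whose adminCount is stale, i.e. set to 1
# although the account is no longer a (nested) member of any protected group.

# Default groups protected by AdminSDHolder (sAMAccountName). Krbtgt and
# Administrator are protected *accounts* and are handled separately.
PROTECTED_GROUPS = {
    "Administrators", "Account Operators", "Server Operators",
    "Print Operators", "Backup Operators", "Replicator",
    "Domain Admins", "Domain Controllers", "Enterprise Admins",
    "Schema Admins", "Read-only Domain Controllers",
}

# Constructed sample membership tree: group -> direct members (users or groups).
GROUP_MEMBERS = {
    "Domain Admins": {"alice", "Tier0 Ops"},
    "Tier0 Ops": {"bob"},            # nested inside Domain Admins
    "Backup Operators": set(),       # carol was removed from here last month
    "Helpdesk": {"carol", "dave"},   # not a protected group
}

# Constructed sample accounts: sAMAccountName -> (adminCount, inheritance disabled?)
USERS = {
    "alice": (1, True),
    "bob":   (1, True),
    "carol": (1, True),   # still flagged: the DC never clears adminCount
    "dave":  (0, False),
}


def protected_members(group_members, protected_groups=PROTECTED_GROUPS):
    """Every principal reachable through nested membership of a protected group."""
    seen = set()
    stack = [g for g in protected_groups if g in group_members]
    while stack:
        group = stack.pop()
        for member in group_members.get(group, ()):
            if member not in seen:
                seen.add(member)
                if member in group_members:   # nested group: descend into it
                    stack.append(member)
    return seen


def stale_admincount(users, group_members, protected_groups=PROTECTED_GROUPS):
    """Accounts with adminCount=1 that no protected group (transitively) contains."""
    protected = protected_members(group_members, protected_groups)
    return sorted(
        name for name, (admin_count, _) in users.items()
        if admin_count == 1 and name not in protected
    )


def remediation(users, group_members, protected_groups=PROTECTED_GROUPS):
    """Per stale account, the manual steps the Microsoft answer describes."""
    plan = {}
    for name in stale_admincount(users, group_members, protected_groups):
        _, inheritance_disabled = users[name]
        steps = ["set adminCount to 0 (or clear it)"]
        if inheritance_disabled:
            steps.append("re-enable ACL inheritance on the object")
        plan[name] = steps
    return plan


if __name__ == "__main__":
    for name, steps in remediation(USERS, GROUP_MEMBERS).items():
        print(name, "->", "; ".join(steps))
```

Two caveats when running this against real data: memberOf does not show membership held through primaryGroupID, so check that attribute as well, and accounts that are deliberately kept protected (service accounts in Domain Admins) should be reviewed rather than "de-admined" automatically.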
Hello zblurx
Happy new year and congratulations for your superb tool.
It's my first time trying to exploit a Windows Domain ACL issue, I found your tool linked in a blogpost from DCSync, I discovered bloodyAD and acltoolkit with this blogpost. Well, I failed miserably trying to exploit it, it would be very helpful if you could provide some insights. My case is like the one below (obtained via bloodhound - if you think it helps, I can upload images anywhere or send to your email if you prefer), looks like two paths exist from MyUser to DomainAdmins via ACL issues.
I'm using output from the 3 tools, I hope that you don't mind, I wanted to make sure it was not a specific issue of a specific tool.
My first try as a dumb guy was to use DCSync from the blog post and I failed miserably.
It says that I don't have privilege, my guess was that I had to follow PATH2 for example and add MyUser to Enterprise Key Accounts or give GenericAll to Users Privileged Group and then DCSync, but I also failed miserably.
It says that I have no privilege at all, however bloodhound told me that I could AddMember, I was thinking if Bloodhound could have interpreted it wrong, but I guess the error is me. Any advice here?
I moved to give GenericAll to the Privileged group and this time the error was different in both tools, which called my attention.
Where -target-sid is the value of "Users Privileged Group" and -granted-sid is the SID of Myuser.
One thing that called my attention is that the errors are different from both tools. Curious, not?
Have you seen this before? I searched at Google and it says in some forums that the error from the second tool could be privilege missing (similar to the error of the first tool) and others some crazy stuff about CN / DN names. Any guess?
I was curious if Bloodhound got data wrong, so I used these awesome tools to see the privilege of Myuser and it display the following.
The first thing that called my attention was this "adminCount: True". Does it mean that the user was supposed to be Admin?
A bunch of information about groups that I'm member and finally the end (that looks interesting to me):
I got a bit confused here, in this case the ADRights is what I should consider? Or does the IsInherited as False mean that I don't have this priv?
This AccessMask appears weird to me, I was searching about it and found https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask
But I can't find a value that represents for example 983487, even converting from decimal to hex (983487) it does not match. Do you know any tool or site that may help to convert it properly?
I did with the great bloodyAD as well.
I tried set-objectowner and a lot of other combinations, all with the same errors.
This thing of ACE and ACL is a bit obscure to me yet, just to try to learn I got another user and this one was very different and a few things called my attention while enumerating objects and privileges...
First thing, adminCount is False, which is different from my previous user. However, below it gets curious
The DS-Replication-Synchronize does not show up. Normal? Is it expected?
However on the DACL part it says:
It says GENERIC_ALL, and for enterprise admins also GENERIC_ALL and IsInherited true this time (comes from a group that this member belongs to, I guess).
If I try DCsync or for example set GenericAll I get the same error as before, saying INSUFF_ACCESS_RIGHTS...
I tried all kind of stuff, even the ones that are not supposed to work! LOL
Sorry for long post
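The AccessMask question in the post above (983487, and what GENERIC_ALL versus a specific mask means) is answered by decoding the mask bit by bit: 983487 is 0xF01BF, which is every Active Directory object right except DS_DELETE_TREE. The decoder below is an added example written for this thread, not code from bloodyAD or acltoolkit; the bit values are the documented ADS_RIGHTS_ENUM and standard/generic access-right constants, and the three replication GUIDs are the documented rightsGuid values of the corresponding control-access rights. The sample ACEs at the bottom are constructed.

```python
# Added example: decode an AD ACE AccessMask and check which extended rights
# an ACE covers. Constants are the documented Windows values.

# Directory-service specific rights (ADS_RIGHTS_ENUM, low 16 bits).
DS_RIGHTS = {
    0x00000001: "DS_CREATE_CHILD",
    0x00000002: "DS_DELETE_CHILD",
    0x00000004: "ACTRL_DS_LIST",       # ListChildren
    0x00000008: "DS_SELF",             # validated write
    0x00000010: "DS_READ_PROP",
    0x00000020: "DS_WRITE_PROP",
    0x00000040: "DS_DELETE_TREE",
    0x00000080: "DS_LIST_OBJECT",
    0x00000100: "DS_CONTROL_ACCESS",   # "ExtendedRight" in BloodHound/PowerShell
}
# Standard rights (bits 16-20).
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
# Generic rights (high bits); the system maps them onto the specific rights.
GENERIC_RIGHTS = {
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# Every DS right plus DELETE/READ_CONTROL/WRITE_DAC/WRITE_OWNER: "full control".
FULL_CONTROL = 0x000F01FF

# rightsGuid values of the replication control-access rights (documented).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Synchronize",
}


def decode_access_mask(mask):
    """Return the flag names set in an AccessMask; unknown leftover bits are reported."""
    names, remaining = [], mask
    for table in (DS_RIGHTS, STANDARD_RIGHTS, GENERIC_RIGHTS):
        for bit, name in table.items():
            if mask & bit:
                names.append(name)
                remaining &= ~bit
    if remaining:
        names.append(f"UNKNOWN(0x{remaining:08x})")
    return names


def is_full_control(mask):
    """True for GENERIC_ALL or for a mask containing all FULL_CONTROL bits."""
    return bool(mask & 0x10000000) or (mask & FULL_CONTROL) == FULL_CONTROL


def missing_from_full_control(mask):
    """Specific rights a (non-generic) mask lacks compared with full control."""
    if mask & 0x10000000:
        return []
    return [n for bit, n in {**DS_RIGHTS, **STANDARD_RIGHTS}.items()
            if FULL_CONTROL & bit and not mask & bit]


def extended_rights_granted(mask, object_type):
    """Which replication rights an ACE covers.

    DS_CONTROL_ACCESS (or GENERIC_ALL) with an empty ObjectType covers every
    extended right; with an ObjectType GUID it covers only that one right.
    """
    if not (mask & 0x00000100 or mask & 0x10000000):
        return []
    if not object_type:
        return sorted(REPLICATION_RIGHTS.values())
    name = REPLICATION_RIGHTS.get(object_type.lower())
    return [name] if name else []


if __name__ == "__main__":
    print(hex(983487), decode_access_mask(983487))
    print("missing:", missing_from_full_control(983487))
    # Constructed ACE: DS_CONTROL_ACCESS limited to one replication right.
    print(extended_rights_granted(0x100, "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"))
```

Reading the output against the post: the mask from the first user is full control minus DS_DELETE_TREE, so "ADRights" and the decoded mask agree, and IsInherited only says where the ACE came from, not whether it applies. A DS_CONTROL_ACCESS ACE scoped to DS-Replication-Synchronize alone is the reason an audit can show that right while replication still fails: the DC checks the specific Get-Changes rights on the domain object, so an ACL review should list which replication GUID each extended-right ACE carries rather than just "ExtendedRight".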