
No computer object acls

Open JoernHe opened this issue 5 years ago • 5 comments

Hi, first of all thank you for this amazing project. One point: If a user has e.g. ResetPassword rights on a domain controller object, wouldn't this be a privilege escalation vulnerability because of the dc sync privilege of a domain controller object? The same with an exchange server object, because this object can manipulate ACEs of the domain root. At the moment you just care about computer object acls if they have LAPS installed. Or am I wrong? Thank you!

JoernHe avatar Feb 26 '19 20:02 JoernHe
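The audit below is an added example from a defender's point of view, not SharpHound or BloodHound code: it walks a pre-parsed ACL export of computer objects, singles out the high-value ones the question names (domain controllers, recognised by the SERVER_TRUST_ACCOUNT bit in userAccountControl, and Exchange servers, recognised by an exchangeMDB/ SPN), and reports any non-privileged principal holding rights that amount to control of the object, including the User-Force-Change-Password extended right (ResetPassword). The domain name CONTOSO, the principal names, the "trusted principals" allow-list and the sample objects are all constructed for the example.

```python
"""Flag dangerous ACEs on high-value computer objects (DCs, Exchange servers).

Added example, not part of SharpHound/BloodHound. Input is a constructed,
already-parsed ACE list shaped like what an LDAP security-descriptor export
would give you; the hostnames, principals and domain are invented.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Well-known extended-right GUID for User-Force-Change-Password ("ResetPassword").
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"
# User-Change-Password: requires the old password, so it is not a reset right.
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"
# userAccountControl bit that marks a domain controller's computer account.
SERVER_TRUST_ACCOUNT = 0x2000

# Principals that are expected to hold these rights (assumption: adjust per domain).
TRUSTED_PRINCIPALS = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "CONTOSO\\Domain Admins",
    "CONTOSO\\Enterprise Admins",
    "CONTOSO\\Exchange Trusted Subsystem",
}


@dataclass(frozen=True)
class Ace:
    principal: str
    access_mask: FrozenSet[str]        # e.g. {"GenericAll"}, {"ExtendedRight"}
    object_type: Optional[str] = None  # extended-right GUID, None = all rights


@dataclass(frozen=True)
class Computer:
    sam: str
    user_account_control: int
    service_principal_names: Tuple[str, ...]
    aces: Tuple[Ace, ...]


def high_value_role(c: Computer) -> Optional[str]:
    """Return why this computer object matters, or None for an ordinary host."""
    if c.user_account_control & SERVER_TRUST_ACCOUNT:
        return "domain controller"
    if any(spn.lower().startswith("exchangemdb/") for spn in c.service_principal_names):
        return "exchange server"
    return None


def ace_is_dangerous(ace: Ace) -> bool:
    """True if the ACE lets its holder take over the computer account."""
    # Full control, or control of the DACL/owner, implies everything else.
    if ace.access_mask & {"GenericAll", "WriteDacl", "WriteOwner"}:
        return True
    if "ExtendedRight" in ace.access_mask:
        # A bare ExtendedRight ACE (no object type) grants every extended right,
        # including the password reset; a scoped one is only bad if it is that right.
        return ace.object_type in (None, FORCE_CHANGE_PASSWORD_GUID)
    return False


def audit(computers: List[Computer]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (computer, role, principal, rights) for each risky ACE found."""
    findings = []
    for c in computers:
        role = high_value_role(c)
        if role is None:
            continue  # ordinary workstations are out of scope here (LAPS is a separate check)
        for ace in c.aces:
            if ace.principal in TRUSTED_PRINCIPALS:
                continue
            if ace_is_dangerous(ace):
                findings.append((c.sam, role, ace.principal, sorted(ace.access_mask)))
    return findings


# Constructed sample data: one DC, one Exchange server, one plain workstation.
SAMPLE = [
    Computer("DC01$", 0x82000, ("HOST/DC01.contoso.local",), (
        Ace("CONTOSO\\Domain Admins", frozenset({"GenericAll"})),
        Ace("CONTOSO\\helpdesk", frozenset({"ExtendedRight"}), FORCE_CHANGE_PASSWORD_GUID),
        Ace("CONTOSO\\helpdesk", frozenset({"ExtendedRight"}), CHANGE_PASSWORD_GUID),
        Ace("CONTOSO\\helpdesk", frozenset({"ReadProperty"})),
    )),
    Computer("EXCH01$", 0x1000, ("exchangeMDB/EXCH01.contoso.local",), (
        Ace("CONTOSO\\Exchange Trusted Subsystem", frozenset({"GenericAll"})),
        Ace("CONTOSO\\svc-backup", frozenset({"WriteDacl"})),
    )),
    Computer("WS01$", 0x1000, ("HOST/WS01.contoso.local",), (
        Ace("CONTOSO\\helpdesk", frozenset({"ExtendedRight"}), FORCE_CHANGE_PASSWORD_GUID),
    )),
]

if __name__ == "__main__":
    for sam, role, who, rights in audit(SAMPLE):
        print(f"{sam} ({role}): {who} holds {', '.join(rights)}")
```

Only the two entries on DC01$ and EXCH01$ are reported: the helpdesk's reset right on the workstation is ignored because the object is not high value, and its User-Change-Password right on the DC is ignored because that right still needs the current password. Feeding real data means exporting nTSecurityDescriptor per computer object and resolving SIDs to names before building the Ace records.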

As far as I'm aware, if you reset the password of a computer account, it becomes de-synced from Active Directory, and can cause several issues. I'll have to test again, but that's my understanding of the issue.

rvazarkar avatar Feb 27 '19 01:02 rvazarkar

You are right. But you can authenticate as a domain controller to another domain controller after the reset and perform a dc sync (and get the history of the DC object password). After that you could reset it to the old password. The same with an exchange computer object.

JoernHe avatar Feb 27 '19 08:02 JoernHe

I just saw that issue #230 in bloodhound is almost the same.

JoernHe avatar Feb 27 '19 09:02 JoernHe

Can you design a Proof of Concept of this attack? What risks are involved?

rvazarkar avatar Feb 27 '19 19:02 rvazarkar

"you could reset it to the old password" - as you only have the hash, does that mean you would need to use the mimikatz lsadump::setntlm or dcshadow approach to plant the previous hash into the AD database? My gut feeling is that this approach would be fairly disruptive to a normal environment with a lot of things that could go wrong operationally.

HarmJ0y avatar Feb 27 '19 21:02 HarmJ0y