The requirements for this lab (referenced later as the requirements table):

The attacker operates from WS02 in the context of the offense\sandy user.

sandy has the WRITE privilege over a target computer, WS01.

sandy creates a new computer object, FAKE01, in Active Directory (no admin privileges required).

sandy leverages the WRITE privilege on the WS01 computer object and updates its attribute msDS-AllowedToActOnBehalfOfOtherIdentity so that the newly created computer FAKE01 may impersonate and authenticate any domain user, who can then access the target system WS01. In human terms this means that the target computer WS01 is happy for the computer FAKE01 to impersonate any domain user and give them any access (even Domain Admin privileges) to WS01.

WS01 trusts FAKE01 due to the modified msDS-AllowedToActOnBehalfOfOtherIdentity.

FAKE01$ gains the ability to impersonate offense\spotless, who is a Domain Admin.

The end result is access to the c$ share of ws01 from the computer ws02.
First, the ms-ds-machineaccountquota attribute is checked, since it governs whether a non-admin user may create computer objects in the domain.

The WS01 object must not have the attribute msds-allowedtoactonbehalfofotheridentity set yet.

Next, FAKE01 is created (as referenced earlier in the requirements table); this is the computer that will be trusted by our target computer WS01 later on. The FAKE01 computer principal is then inspected.

On the WS01 machine object, offense\Sandy belongs to the security group offense\Operations, which has full control over the target computer WS01$, although the WRITE privilege alone is sufficient for this technique.

Once msDS-AllowedToActOnBehalfOfOtherIdentity is set, it is visible on the WS01 object.

The SID stored in the msds-allowedtoactonbehalfofotheridentity attribute of ws01 refers to the fake01$ machine; it is the fake01$ machine's SID, exactly what we want it to be.

Now the FAKE01 computer (fake01$) is used with its ability to impersonate the user spotless, who is a Domain Admin.

A ticket is obtained as spotless for the CIFS service at ws01.offense.local (cifs/ws01.offense.local), but the attack still did not work, and we get access denied when attempting to access the remote admin shares of ws01.

Using the service name cifs/ws01 instead, we can now access the C$ share of ws01, which means we have admin rights on the target system WS01. From ws02 to ws01, in c:\users\administrator.

Note that the impersonated offense\spotless rights are effective only on the target system, i.e. on the system (WS01) that delegated another computer resource (FAKE01) to act on its behalf and impersonate any domain user. The impersonation of offense\spotless works only on the WS01 machine and not on any other machine in the domain.
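From the defender's side, the configuration described above leaves a concrete artifact: a security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity whose DACL names the trusting computer's chosen principal (here the fake01$ SID). The following added example, which is not part of the original page, parses that self-relative security descriptor by hand, extracts the trustee SIDs from its ACCESS_ALLOWED ACEs, and reports every computer that has the attribute set so the delegation can be compared against an approved list. All SIDs, RIDs and computer names in the sample are constructed; in a live directory the raw attribute bytes would come from an LDAP read of each computer object, which is assumed rather than shown.

```python
"""Audit msDS-AllowedToActOnBehalfOfOtherIdentity values (added example, not from the original page).

The attribute holds a self-relative Windows security descriptor; the trustee SIDs in its
DACL are the principals allowed to act on behalf of other identities to that computer.
All sample SIDs and computer names below are constructed for the example.
"""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
SD_HEADER = "<BBHIIII"   # revision, sbz1, control, owner/group/sacl/dacl offsets
ACL_HEADER = "<BBHHH"    # revision, sbz1, acl size, ace count, sbz2
ACE_HEADER = "<BBH"      # type, flags, ace size (a 4-byte access mask follows)


def build_sid(sid_str):
    """Encode an 'S-1-...' string into binary SID form (helper used to construct samples)."""
    parts = sid_str.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a string SID: %r" % sid_str)
    authority = int(parts[2]).to_bytes(6, "big")
    subs = [int(p) for p in parts[3:]]
    return struct.pack("<BB", 1, len(subs)) + authority + struct.pack("<%dI" % len(subs), *subs)


def parse_sid(buf, offset):
    """Decode the binary SID at buf[offset:] and return it as a string."""
    revision, sub_count = struct.unpack_from("<BB", buf, offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_rbcd_descriptor(trustee_sids):
    """Build a self-relative descriptor whose DACL allows each trustee (constructed test data)."""
    aces = b""
    for sid in trustee_sids:
        sid_bytes = build_sid(sid)
        aces += struct.pack(ACE_HEADER + "I", ACCESS_ALLOWED_ACE_TYPE, 0,
                            4 + 4 + len(sid_bytes), 0x000F01FF) + sid_bytes
    acl = struct.pack(ACL_HEADER, 4, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    header = struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + acl


def allowed_to_act_trustees(descriptor):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL ([] if none)."""
    if not descriptor or len(descriptor) < struct.calcsize(SD_HEADER):
        return []
    revision, _, control, _, _, _, dacl_off = struct.unpack_from(SD_HEADER, descriptor, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, descriptor, dacl_off)
    pos = dacl_off + struct.calcsize(ACL_HEADER)
    sids = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from(ACE_HEADER, descriptor, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(parse_sid(descriptor, pos + 8))  # skip ACE header + access mask
        pos += ace_size
    return sids


def audit_rbcd(computers, sid_to_name, approved=frozenset()):
    """For every computer whose attribute is set, list (computer, trustee, is_approved)."""
    findings = []
    for computer, descriptor in sorted(computers.items()):
        for sid in allowed_to_act_trustees(descriptor):
            trustee = sid_to_name.get(sid, sid)
            findings.append((computer, trustee, trustee in approved))
    return findings


# Constructed sample directory state mirroring the lab: WS01 delegates to FAKE01$, WS02 does not.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
FAKE01_SID = DOMAIN_SID + "-1105"                          # constructed RID for FAKE01$
SAMPLE_SIDS = {FAKE01_SID: "FAKE01$"}
SAMPLE_COMPUTERS = {
    "WS01": build_rbcd_descriptor([FAKE01_SID]),  # attribute set, trusting FAKE01$
    "WS02": None,                                  # attribute not set
}

if __name__ == "__main__":
    for computer, trustee, ok in audit_rbcd(SAMPLE_COMPUTERS, SAMPLE_SIDS):
        print("%s allows %s to act on behalf of other identities%s"
              % (computer, trustee, "" if ok else "  <-- not on the approved list, review"))
```

Any computer whose attribute resolves to a trustee outside the approved set is worth a look, and a trustee that is a recently created machine account is the pattern the walkthrough above produces; pairing this audit with a low ms-ds-machineaccountquota and alerting on changes to the attribute itself closes both ends of the technique.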