{"id":1423,"date":"2025-02-15T05:09:23","date_gmt":"2025-02-15T05:09:23","guid":{"rendered":"https:\/\/hackmybox.com\/?p=1423"},"modified":"2025-09-08T16:25:38","modified_gmt":"2025-09-08T16:25:38","slug":"acl","status":"publish","type":"post","link":"https:\/\/hackmybox.com\/index.php\/2025\/02\/15\/acl\/","title":{"rendered":"Abusing ACLs"},"content":{"rendered":"<div class=\"vce-row-container\" data-vce-boxed-width=\"true\"><div class=\"vce-row vce-row--col-gap-30 vce-row-equal-height vce-row-content--top\" id=\"el-aa433d62\" data-vce-do-apply=\"all el-aa433d62\"><div class=\"vce-row-content\" data-vce-element-content=\"true\"><div class=\"vce-col vce-col--md-auto vce-col--xs-1 vce-col--xs-last vce-col--xs-first vce-col--sm-last vce-col--sm-first vce-col--md-last vce-col--lg-last vce-col--xl-last vce-col--md-first vce-col--lg-first vce-col--xl-first\" id=\"el-3173f243\"><div class=\"vce-col-inner\" data-vce-do-apply=\"border margin background  el-3173f243\"><div class=\"vce-col-content\" data-vce-element-content=\"true\" data-vce-do-apply=\"padding el-3173f243\"><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-fb39b1ed\" data-vce-do-apply=\"all el-fb39b1ed\"><p style=\"text-align: center;\"><span style=\"color: #00ff00; font-size: 14pt;\">(Insights From HTB Academy)<\/span><\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-60180951\" data-vce-do-apply=\"all el-60180951\"><p><span style=\"color: #00ff00;\">Background : <\/span>We already have control over a user (wley) whose NTLMv2 hash was retrieved using&nbsp;&nbsp;Responder. The user had a weak password, which was cracked using&nbsp;Hashcat, giving you the cleartext password.<\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-7d41b285\" data-vce-do-apply=\"all el-7d41b285\"><p><span style=\"color: #ffff00;\">Responder:<\/span> A tool used for network security testing to capture sensitive information like usernames and passwords from the network.<\/p><p><span style=\"color: #ffff00;\">-I:<\/span> Specifies which network interface to use.<\/p><p><span style=\"color: #ffff00;\">ens224:<\/span> The name of the network interface you want to listen to.<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-f768bb67\" data-vce-do-apply=\"all el-f768bb67\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 602px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 64.1196%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"602\" height=\"386\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Responder-1-320x205.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Responder-1-480x308.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Responder-1-602x386.png 602w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Responder-1-602x386.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Responder-1.png\" data-attachment-id=\"1372\"  alt=\"\" title=\"Responder 1\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-e3b6a7a7\" data-vce-do-apply=\"all el-e3b6a7a7\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 602px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 68.2724%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"602\" height=\"411\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Responder-2-320x218.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Responder-2-480x328.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Responder-2-602x411.png 602w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Responder-2-602x411.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Responder-2.png\" data-attachment-id=\"1373\"  alt=\"\" title=\"Responder 2\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-9a6f4b6c\" data-vce-do-apply=\"all el-9a6f4b6c\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 602px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 70.7641%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"602\" height=\"426\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash1-320x226.jpg 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash1-480x340.jpg 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/hash1-602x426.jpg 602w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/hash1-602x426.jpg\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash1.jpg\" data-attachment-id=\"1376\"  alt=\"\" title=\"hash1\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-966c28f9\" data-vce-do-apply=\"all el-966c28f9\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 602px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 69.6013%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"602\" height=\"419\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash2-e1739450036438-320x223.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash2-e1739450036438-480x334.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/hash2-e1739450036438-602x419.png 602w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/hash2-e1739450036438-602x419.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash2-e1739450036438.png\" data-attachment-id=\"1377\"  alt=\"\" title=\"hash2\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-raw-html\"><div class=\"vce-raw-html-wrapper\" id=\"el-47cce38b\" data-vce-do-apply=\"all el-47cce38b\"><script async=\"\" src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-1499161372675368\" crossorigin=\"anonymous\"><\/script>\n<ins class=\"adsbygoogle\" style=\"display:block\" data-ad-format=\"fluid\" data-ad-layout-key=\"-c2+73+2h-1m-4u\" data-ad-client=\"ca-pub-1499161372675368\" data-ad-slot=\"8728040126\"><\/ins>\n<script>\n     (adsbygoogle = window.adsbygoogle || []).push({});\n<\/script><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-121ef111\" data-vce-do-apply=\"all el-121ef111\"><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-d6e6ef53\" data-vce-do-apply=\"all el-d6e6ef53\"><p><span style=\"color: #00ff00;\">2.&nbsp; Objective:<\/span> &nbsp;Gain control over the adunn user, who can perform the DCSync attack to retrieve all user password hashes in the domain, escalating privileges to Domain\/Enterprise Admin.<\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-20ccd4ba\" data-vce-do-apply=\"all el-20ccd4ba\"><p><span style=\"color: #00ff00;\">3. Steps to Achieve the Goal:<\/span><\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-f3053bba\" data-vce-do-apply=\"all el-f3053bba\"><ul><li><span style=\"color: #ffff00;\">Change Password for damundsen:<\/span><p>Use the wley user to change the password for the damundsen user. &nbsp;Tools: PowerShell and PowerView.<\/p><\/li><\/ul><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-6b4b7d1a\" data-vce-do-apply=\"all el-6b4b7d1a\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 570px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 45.7895%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"570\" height=\"261\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/powerview-1-e1739450666193-320x147.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/powerview-1-e1739450666193-480x220.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/powerview-1-e1739450666193-570x261.png 570w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/powerview-1-e1739450666193-570x261.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/powerview-1-e1739450666193.png\" data-attachment-id=\"1379\"  alt=\"\" title=\"powerview\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-f8d3a8e2\" data-vce-do-apply=\"all el-f8d3a8e2\"><ul>\n<li><span style=\"color: #ffff00;\">Add damundsen to the Help Desk Level 1 Group:<\/span>\n<p>Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose<\/p>\n<p>Authenticate as damundsen and add a controlled user to the Help Desk Level 1 group.<\/p><\/li>\n<\/ul>\n<\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-33da1a77\" data-vce-do-apply=\"all el-33da1a77\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 564px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 68.7943%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"564\" height=\"388\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/group1-e1739450698603-320x220.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/group1-e1739450698603-480x330.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/group1-e1739450698603-564x388.png 564w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/group1-e1739450698603-564x388.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/group1-e1739450698603.png\" data-attachment-id=\"1380\"  alt=\"\" title=\"group1\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-36bdd382\" data-vce-do-apply=\"all el-36bdd382\"><ul><li><span style=\"color: #ffff00;\"><span style=\"color: #ffff00;\">Leverage Nested Group Membership.<\/span><\/span><p>The Help Desk Level 1 group is nested within the Information Technology group, which has GenericAll rights over the adunn user. Use these rights to take control of the adunn user.<\/p><\/li><\/ul><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-220b830e\" data-vce-do-apply=\"all el-220b830e\"><ul>\n<li><span style=\"color: #ffff00;\">Perform Kerberoasting<\/span>\n<p>Modify the servicePrincipalName (SPN) attribute of the adunn user to create a fake SPN.<\/p><\/li>\n<\/ul>\n<\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-7a61f788\" data-vce-do-apply=\"all el-7a61f788\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 602px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 70.598%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"602\" height=\"425\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/kerb1-320x226.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/kerb1-480x339.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/kerb1-602x425.png 602w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/kerb1-602x425.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/kerb1.png\" data-attachment-id=\"1384\"  alt=\"\" title=\"kerb1\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-3635eadc\" data-vce-do-apply=\"all el-3635eadc\"><ul><li><span style=\"color: #ffff00;\">Crack the hash offline using Hashcat to obtain the cleartext password.<\/span><\/li><\/ul><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-436eae04\" data-vce-do-apply=\"all el-436eae04\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 534px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 81.4607%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"534\" height=\"435\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash3-e1739450726618-320x261.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash3-e1739450726618-480x391.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/hash3-e1739450726618-534x435.png 534w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/hash3-e1739450726618-534x435.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash3-e1739450726618.png\" data-attachment-id=\"1385\"  alt=\"\" title=\"hash3\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-1aa68dd7\" data-vce-do-apply=\"all el-1aa68dd7\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 533px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 43.7148%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"533\" height=\"233\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash5-e1739450766557-320x140.jpg 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash5-e1739450766557-480x210.jpg 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/hash5-e1739450766557-533x233.jpg 533w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/hash5-e1739450766557-533x233.jpg\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/hash5-e1739450766557.jpg\" data-attachment-id=\"1434\"  alt=\"\" title=\"hash5\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-826e8c76\" data-vce-do-apply=\"all el-826e8c76\"><p><span style=\"color: #00ff00;\">Conclusion:<\/span> For effective detection and remediation&nbsp; see key points below:<\/p><ul><li>Audit ACLs: Regularly audit and remove dangerous ACLs.<\/li><li>Monitor Group Membership: Track changes in high-impact groups.<\/li><li>Enable Advanced Security Auditing: Look for Event ID 5136 (directory service object modification) to detect ACL changes.<\/li><\/ul><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-9dfa96cb\" data-vce-do-apply=\"all el-9dfa96cb\"><h2><span style=\"color: var(--kenta-content-base-color); font-size: 16px;\">Want to learn more and gain hands-on experience? Sign up with HTB Academy by clicking the link below.<\/span><\/h2><\/div><\/div><div class=\"vce-button--style-basic-container vce-button--style-basic-container--align-center\"><span class=\"vce-button--style-basic-wrapper vce\" id=\"el-2d16ec49\" data-vce-do-apply=\"margin el-2d16ec49\"><a class=\"vce-button vce-button--style-basic vce-button--style-basic--border-rounded vce-button--style-basic--size-medium vce-button--style-basic--color-b-138-198-10--fff\" href=\"https:\/\/hacktheboxltd.sjv.io\/19DPP6\" title=\"\" data-vce-do-apply=\"padding border background  el-2d16ec49\">JOIN NOW<\/a><\/span><\/div><\/div><\/div><\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>(Insights From HTB Academy)Background : We already have control over a user (wley) whose NTLMv2 hash was retrieved using&nbsp;&nbsp;Responder. The user had a weak password, which was cracked using&nbsp;Hashcat, giving you the cleartext password.Responder: A tool used for network security testing to capture sensitive information like usernames and passwords from the network.-I: Specifies which network [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2007,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","site-transparent-header":"default","prose-style":"enable","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[18],"tags":[],"class_list":["post-1423","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory"],"_links":{"self":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/comments?post=1423"}],"version-history":[{"count":12,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1423\/revisions"}],"predecessor-version":[{"id":2064,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1423\/revisions\/2064"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media\/2007"}],"wp:attachment":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media?parent=1423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/categories?post=1423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/tags?post=1423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}