
Add AddSelf edge functionality to UI #370

Closed
wants to merge 1 commit into from

Conversation

@rookuu rookuu commented Sep 11, 2020

Adds the "AddSelf" edge to the ingestion logic and UI elements. This additional ACE means that we can add the "AddSelf" edge to the GUI when a principal has the ability to add themselves (but no one else) to a group. This information is not currently collected or displayed.

Corresponding PR for SharpHound is here -> BloodHoundAD/SharpHound3#16

@andyrobbins
Contributor

Thank you very much, this is a fantastic set of PRs. I'll take some time this weekend and next week to test this out.

@rvazarkar
Contributor

rvazarkar commented Feb 12, 2021

So I've been testing this in a lab, and I can't seem to actually get this ACE to work.

```
PS C:\Users\dfm\Desktop> Get-ObjectACL -SamAccountName "TestGroup" -ResolveGUIDs |? {$_.SecurityIdentifier -eq "S-1-5-21-3130019616-2776909439-2417379446-1105"}
AceQualifier           : AccessAllowed
ObjectDN               : CN=TestGroup,CN=Users,DC=testlab,DC=local
ActiveDirectoryRights  : Self
ObjectAceType          : Self-Membership
ObjectSID              : S-1-5-21-3130019616-2776909439-2417379446-3103
InheritanceFlags       : None
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-3130019616-2776909439-2417379446-1105
AccessMask             : 8
AuditFlags             : None
IsInherited            : False
AceFlags               : None
InheritedObjectAceType : All
OpaqueLength           : 0

PS C:\Users\dfm\Desktop> net group "TestGroup" dfm /add /domain
The request will be processed at a domain controller for domain testlab.local.

System error 5 has occurred.

Access is denied.

PS C:\Users\dfm\Desktop> whoami /all
USER INFORMATION
----------------
User Name   SID
=========== ==============================================
testlab\dfm S-1-5-21-3130019616-2776909439-2417379446-1105
```

Am I missing something?

@rookuu
Author

rookuu commented Mar 20, 2021

Hi @rvazarkar! Thanks for reviewing the PR.

For some reason you're unable to use net.exe to exercise the "Add-Self to Group" ACE. I'm not sure why this is the case; I've tested with PowerView and it works as expected.

```
PS C:\> Get-ObjectACL -SamAccountName "Test Group" -ResolveGUIDs |? {$_.SecurityIdentifier -eq "S-1-5-21-3878895623-4031543421-294952868-1000"}

AceQualifier           : AccessAllowed
ObjectDN               : CN=Test Group,OU=Groups,DC=test,DC=lab
ActiveDirectoryRights  : Self
ObjectAceType          : Self-Membership
ObjectSID              : S-1-5-21-3878895623-4031543421-294952868-1107
InheritanceFlags       : ContainerInherit
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-3878895623-4031543421-294952868-1000
AccessMask             : 8
AuditFlags             : None
IsInherited            : False
AceFlags               : ContainerInherit
InheritedObjectAceType : All
OpaqueLength           : 0

PS C:\> Add-DomainGroupMember -Identity "Test Group" -Members rookuu

PS C:\> Add-DomainGroupMember -Identity "Test Group" -Members john
Exception calling "Save" with "0" argument(s): "Access is denied.
"
At C:\Users\rookuu.TEST\Desktop\PowerView.ps1:11685 char:17
+                 $Group.Save()
+                 ~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : UnauthorizedAccessException

PS C:\> net group "Test Group" /domain
The request will be processed at a domain controller for domain test.lab.

Group name     Test Group
Comment

Members

-------------------------------------------------------------------------------
rookuu
The command completed successfully.

PS C:\> whoami /all
USER INFORMATION
----------------

User Name   SID
=========== =============================================
test\rookuu S-1-5-21-3878895623-4031543421-294952868-1000
```
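The ACE both transcripts show is the one the PR turns into an edge: an allow ACE whose AccessMask is 8 (the ADS_RIGHT_DS_SELF bit, printed as ActiveDirectoryRights "Self") scoped to the "Self-Membership" validated write. The following is an added example, not code from BloodHound or SharpHound, of how a group's ACEs in the "Key : Value" text form PowerView's Get-ObjectACL prints can be audited for that pattern so a defender can list which principals may add themselves (and only themselves) to which groups. The Self-Membership rights GUID and the ADS_RIGHT_DS_SELF value are well-known AD constants, not taken from this thread; the parser (`parseAceBlock`), the classifier (`classifyGroupAce`) and the deny and WriteProperty records in the sample dump are constructed for the example.

```javascript
// Added example, not code from BloodHound or SharpHound: classify group ACEs
// (in the "Key : Value" text form PowerView's Get-ObjectACL prints above)
// as AddSelf edges, i.e. the trustee may add itself, and only itself, to the group.

// Well-known AD constants (not from this page): the rights GUID of the
// "Self-Membership" validated write, and the ADS_RIGHT_DS_SELF bit that appears
// as AccessMask 8 / ActiveDirectoryRights "Self" in the transcripts.
const SELF_MEMBERSHIP_GUID = 'bf9679c0-0de6-11d0-a285-00aa003049e2';
const ADS_RIGHT_DS_SELF = 0x8;

// Parse one Format-List style block into an object such as
// { AceQualifier: 'AccessAllowed', AccessMask: '8', ... }.
function parseAceBlock(text) {
  const ace = {};
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*(\w+)\s*:\s*(.*?)\s*$/);
    if (m) ace[m[1]] = m[2];
  }
  return ace;
}

// Return an AddSelf edge for an allow ACE that carries the Self right on the
// Self-Membership validated write (or on every validated write when the ACE
// names no object type), otherwise null.
function classifyGroupAce(ace) {
  if (ace.AceQualifier !== 'AccessAllowed') return null;        // deny ACEs grant nothing
  if (!(Number(ace.AccessMask) & ADS_RIGHT_DS_SELF)) return null; // no Self bit at all
  const flags = ace.ObjectAceFlags || '';
  if (flags.includes('ObjectAceTypePresent')) {
    const t = (ace.ObjectAceType || '').toLowerCase();            // resolved name or raw GUID
    if (t !== 'self-membership' && t !== SELF_MEMBERSHIP_GUID) return null;
  }
  return {
    edge: 'AddSelf',
    from: ace.SecurityIdentifier,   // the principal that may add itself
    to: ace.ObjectSID,              // the group it may join
    inherited: ace.IsInherited === 'True',
  };
}

// Split a dump holding several ACEs (blank-line separated) and keep the AddSelf edges.
function findAddSelfEdges(dump) {
  return dump.split(/\n\s*\n/).map(parseAceBlock).map(classifyGroupAce).filter(Boolean);
}

// Constructed sample: the allow ACE from the transcript above, plus a deny ACE and a
// WriteProperty ACE made up for contrast (neither of those is an AddSelf edge).
const SAMPLE_DUMP = `
AceQualifier           : AccessAllowed
ObjectDN               : CN=Test Group,OU=Groups,DC=test,DC=lab
ActiveDirectoryRights  : Self
ObjectAceType          : Self-Membership
ObjectSID              : S-1-5-21-3878895623-4031543421-294952868-1107
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
SecurityIdentifier     : S-1-5-21-3878895623-4031543421-294952868-1000
AccessMask             : 8
IsInherited            : False

AceQualifier           : AccessDenied
ActiveDirectoryRights  : Self
ObjectAceType          : Self-Membership
ObjectSID              : S-1-5-21-3878895623-4031543421-294952868-1107
ObjectAceFlags         : ObjectAceTypePresent
SecurityIdentifier     : S-1-5-21-3878895623-4031543421-294952868-1200
AccessMask             : 8
IsInherited            : False

AceQualifier           : AccessAllowed
ActiveDirectoryRights  : WriteProperty
ObjectAceType          : Member
ObjectSID              : S-1-5-21-3878895623-4031543421-294952868-1107
ObjectAceFlags         : ObjectAceTypePresent
SecurityIdentifier     : S-1-5-21-3878895623-4031543421-294952868-1201
AccessMask             : 32
IsInherited            : False
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findAddSelfEdges(SAMPLE_DUMP), null, 2));
}
```

Only the first record yields an edge (rookuu's SID to the Test Group SID); the deny ACE and the WriteProperty-on-Member ACE are dropped, the latter because this classifier recognises the Self right only and deliberately says nothing about other membership-changing rights. Note that the classifier also accepts a Self ACE without ObjectAceTypePresent, since such an ACE covers every validated write, Self-Membership included.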

@rvazarkar
Contributor

This information is being added into vnext. Unfortunately because of the way the new update had to be done, I can't accept the PR. However, the functionality is present. Thank you so much for the PR.

@rvazarkar rvazarkar added the fixed-vnext Already fixed, close when vnext drops label Jan 12, 2022
@rvazarkar rvazarkar closed this Feb 9, 2022