Just-In-Time (JIT) Access

Users are granted privileges for a limited amount of time to perform a specific task, and once the time is up, the privileges are revoked automatically.

When JIT is used in combination with Active Directory, the Privileged Access Management Feature (PAM) must be enabled. Upon enabling the feature, it writes certain attributes that we can enumerate as a standard user. Note that once PAM is enabled in AD, it cannot be disabled again.

Even though JIT requires that Privileged Access Management is enabled in the domain, having it enabled is not a guaranteed indicator that JIT is in use since PAM also supports other features.

Exploitation of JIT solutions often happens in the later stages of an assessment.

A compromised JIT solution could become a weak link if multiple accounts with the power to request and approve access fall into the wrong hands.

The AD PowerShell Module is often used by system administrators to manage AD via PowerShell and is a part of the Remote Server Administration Tools (RSAT). RSAT mostly requires administrative privileges, but simply loading the DLL used for Active Directory management (Microsoft.ActiveDirectory.Management.dll) does not.

Enumeration

#after loading Microsoft.ActiveDirectory.Management.dll (Import-Module with the path to the DLL)

Get-ADOptionalFeature -Filter *

IsDisableable      : False
Name               : Privileged Access Management Feature

For further enumeration, we can enumerate the infrastructure itself to find traces of JIT. We could thoroughly enumerate users, groups, GPOs, description fields, etc. Information about a JIT solution may also come from an assumed breach penetration test or from websites visited on compromised clients, etc.

Found a JIT manager application on MGMT01 based on mary's browser history. Visiting http://mgmt01 reveals the web application.

According to the website, mary has previously requested access to the sql_admins group, and according to the status, it has been approved by someone. Reviewing the RequestedTimespan, it appears that the access lasted one hour.

powerview
#check the validity of the group: see if the requested group still exists
Get-NetUser mary | select memberof

#found the access group for the JIT solution (j_request) instead; enumerate other groups, find j_approve and check its members to see if we can hack an approver to approve access
Get-NetGroup | ft
Get-NetGroup j_approve | select member

#enumerate the available GPOs that apply to user groups
Get-NetGPO | select displayname

#enum interesting GPO
Get-NetGPO l_web01
gpcfilesyspath           : \\corp.com\SysVol\corp.com\Policies\{99EC2AB4-0FD4-406E-8FDA-BE451DEB2AA6}

#check $gpcfilesyspath/Machine/Preferences/Groups/groups.xml to see whether it configures anything, e.g.
<Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
    <Members>
        <Member name="CORP\la_web" action="ADD" sid="S-1-5-21-3515682028-2106700410-3524882512-7604"/>
    </Members>
</Properties>
#this GPO configures the built-in Administrators group on a specific machine in the domain, adding the la_web group to the local Administrators group
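As an added example (not part of these notes or of any tool they mention), a small Python parser for a Group Policy Preferences groups.xml that reports which accounts a GPO adds to high-value local groups, so that findings like the la_web entry above can be pulled out of SYSVOL systematically. The sample XML is constructed around the fragment above, and the HIGH_VALUE_SIDS map and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Well-known local group SIDs worth flagging (assumption: this short map suffices for the audit).
HIGH_VALUE_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
    "S-1-5-32-580": "Remote Management Users",
}

# Constructed sample modelled on the groups.xml fragment above; not a file from a real SYSVOL.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0"
                removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CORP\\la_web" action="ADD" sid="S-1-5-21-3515682028-2106700410-3524882512-7604"/>
        <Member name="CORP\\old_admin" action="REMOVE" sid=""/>
      </Members>
    </Properties>
  </Group>
  <Group name="Remote Desktop Users (built-in)">
    <Properties action="U" deleteAllUsers="1" deleteAllGroups="0" removeAccounts="0"
                groupSid="S-1-5-32-555" groupName="Remote Desktop Users (built-in)">
      <Members>
        <Member name="CORP\\rdp_users" action="ADD" sid=""/>
      </Members>
    </Properties>
  </Group>
</Groups>
"""

def parse_groups_xml(xml_text):
    """Return one record per <Group> entry: target group, action, wipe flags and member changes."""
    root = ET.fromstring(xml_text)
    records = []
    for props in root.iter("Properties"):
        members = [(m.get("name"), m.get("action", "ADD").upper()) for m in props.iter("Member")]
        records.append({
            "group_sid": props.get("groupSid", ""),
            "group_name": props.get("groupName", ""),
            "action": props.get("action", "U"),  # U=update, C=create, R=replace, D=delete
            "wipes_existing": props.get("deleteAllUsers") == "1" or props.get("deleteAllGroups") == "1",
            "members": members,
        })
    return records

def privileged_additions(records):
    """Members ADDed to a high-value local group, as (group label, member name) pairs."""
    hits = []
    for rec in records:
        label = HIGH_VALUE_SIDS.get(rec["group_sid"])
        if label is None:
            continue
        hits.extend((label, name) for name, action in rec["members"] if action == "ADD")
    return hits

if __name__ == "__main__":
    for label, name in privileged_additions(parse_groups_xml(SAMPLE_GROUPS_XML)):
        print(f"{name} is added to local {label} by this GPO")
```

Pointing parse_groups_xml at every Machine/Preferences/Groups/groups.xml under SYSVOL gives a domain-wide list of such additions; the wipes_existing flag marks entries that also clear existing members.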

Requests may also be configured to happen automatically, adding more trust to the user account logging in. We can try requesting other groups, but even if a request is granted, we may need to log out and log back in to refresh the TGT before the new group memberships take effect. That is hard to do if we do not know the account's password.

Abusing MSSQL / WinRM enabled App Ser

In this case, the sql_admins gives access to the MSSQL instance on SQL01 and it uses a remote login. If our user is added to the sql_admins group in Active Directory, we can simply purge our existing Kerberos tickets with klist purge, initiate the login, and have a new TGT assigned. The same goes for WEB01 since it has WinRM enabled, which supports Kerberos authentication.

#check whether the current token already holds the group of interest
whoami /groups

#after approval
klist purge
Enter-PSSession -ComputerName WEB01

#in remote session
hostname
whoami /groups
#got admin

Refreshing TGTs may not always be a simple task unless we have access to clear-text passwords or we can use NTLM authentication with pass-the-hash techniques.

In the RDP client, open Microsoft SQL Server Management Studio.
MSSQL (1433): a' or 1=1-- | a' or '1'='1
