Undergrad CyberSec Notes
  • About Me
  • Course Reviews
    • Certified Red Team Expert
  • Walkthroughs (OSCE)
    • Introduction
    • Vulnserver - TRUN Command
    • Vulnserver - GMON Command
    • Vulnserver - HTER Command
    • Vulnserver - LTER Command
    • Vulnserver - KSTET Command
    • Vulnserver - GTER Command
    • Exploiting HP OpenView NNM - B.07.53
  • Walkthroughs (OSCP)
    • Introduction
    • Vulnhub - Cynix
    • Vulnhub - MyExpense
    • Hack The Box - Monteverde
    • Hack The Box - Control
    • Hack The Box - Resolute
    • Hack The Box - Sauna
  • Active Directory - Enumeration
    • PowerView CheatSheet
  • Active Directory - ACL Abuse
    • WriteOwner Exploit
    • GenericWrite Exploit
    • Self Exploit
  • Privilege Escalation
    • Windows Priv Esc
  • Powershell
    • Basic PowerShell for Pentesters
    • Powershell
  • Useful Commands
    • General Tips
  • Active Directory Enumeration Cheetsheet
Powered by GitBook
On this page
  • What are Generic rights?
  • Scenario:

Was this helpful?

  1. Active Directory - ACL Abuse

GenericWrite Exploit

Refer to: https://www.youtube.com/watch?v=ob9SgtFm6_g&t=1431s

PreviousWriteOwner ExploitNextSelf Exploit

Last updated 4 years ago

Was this helpful?

What are Generic rights?

Generic rights include GenericAll and GenericWrite, which implicitly grant particular object-specific rights. The control rights we care about are WriteDacl and WriteOwner, which allow for the modification of the DACL and the owner of an object, respectively. Since the owner of an Active Directory object implicitly grants complete control of an object, ownership modification is a valuable object takeover primitive.

Scenario:

You have managed to compromise an account belonging to Claire. Your goal is to gain access to the Backup_Admins group. The user CLAIRE@HTB.LOCAL has generic write access to the group BACKUP_ADMINS@HTB.LOCAL.

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "serviceprincipalnames" for a user.

Guided by the article, we can update the BACKUP_ADMINSobject's attributes since we have the GenericWrite permissions.

An Ace Up The Sleeve
Attack Path
Current Users in the Backup Admins Group
Successfully Added Claire to the Backup_Admins Group