GenericWrite Exploit

Refer to: https://www.youtube.com/watch?v=ob9SgtFm6_g&t=1431s

What are Generic rights?

Generic rights include GenericAll and GenericWrite, which implicitly grant particular object-specific rights. The control rights we care about are WriteDacl and WriteOwner, which allow modification of an object's DACL and owner, respectively. Since ownership of an Active Directory object implicitly grants complete control of that object, ownership modification is a valuable object takeover primitive.

Scenario:

You have managed to compromise an account belonging to Claire. Your goal is to gain access to the Backup_Admins group. The user CLAIRE@HTB.LOCAL has generic write access to the group BACKUP_ADMINS@HTB.LOCAL.

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "serviceprincipalnames" for a user.

Guided by the "An Ace Up The Sleeve" article, we can update the BACKUP_ADMINS object's attributes, since we hold the GenericWrite permission on it.
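
From the defender's side, the rights described above can be found by auditing the group's DACL. The following is an added example (not from the original page or the referenced article) that parses an SDDL string and reports trustees holding GenericAll, GenericWrite, WriteDacl, WriteOwner or an attribute-scoped write. The sample descriptor, its SIDs and the `trusted` list are constructed assumptions.

```python
import re

# SDDL right codes -> access-mask bits. The generic codes use the values Active
# Directory stores after generic mapping (the ActiveDirectoryRights enum).
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000,
          "GA": 0xF01FF, "GW": 0x20028, "GR": 0x20094, "GX": 0x20004}

def pairs(s):
    """Split a run of two-letter SDDL codes: 'CIIO' -> ['CI', 'IO']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def mask_of(rights):
    """Access mask from an SDDL rights field (hex literal or letter codes)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in pairs(rights):
        mask |= RIGHTS[code]
    return mask

def risky_aces(sddl, trusted=("DA", "EA", "BA", "SY")):
    """Map each untrusted trustee to the takeover-capable rights it holds."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    found = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        kind, flags, rights, obj_guid, _, trustee = ace.split(";")[:6]
        if kind not in ("A", "OA") or "IO" in pairs(flags) or trustee in trusted:
            continue  # deny/audit ACE, inherit-only ACE, or expected admin principal
        mask = mask_of(rights)
        hits = [n for n, b in (("WriteDacl", 0x40000), ("WriteOwner", 0x80000)) if mask & b]
        if obj_guid and mask & 0x20:  # object ACE: WP covers one attribute or property set
            hits.append("WriteProperty:" + obj_guid)
        elif not obj_guid and mask & 0xF01FF == 0xF01FF:
            hits = ["GenericAll"]
        elif not obj_guid and mask & 0x20028 == 0x20028:
            hits.insert(0, "GenericWrite")
        if hits:
            found.setdefault(trustee, []).extend(hits)
    return found

# Constructed sample: SDDL of a group object; the domain SID and RIDs are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
MEMBER = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the member attribute
SAMPLE = ("O:DAG:DAD:AI(A;;GA;;;DA)"
          f"(A;;SWWPRC;;;{DOM}-1104)"       # GenericWrite as AD stores it
          f"(OA;;WP;{MEMBER};;{DOM}-1105)"  # write limited to the member attribute
          f"(A;CIIO;WDWO;;;{DOM}-1106)"     # inherit-only: not effective on this object
          "(A;ID;RPLCLORC;;;AU)"            # read access for Authenticated Users
          "S:AI(AU;SA;WDWO;;;WD)")          # SACL audit ACE, outside the DACL
```

Calling `risky_aces(SAMPLE)` returns the two non-admin trustees (RIDs 1104 and 1105) with their rights; any trustee in that result that is not an intended group manager is an ACE to review.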
