WriteOwner
Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.
Assume a user has WriteOwner on a group. We can take control of the group and then add ourselves, or any other user we have compromised, to that group. We start by looking at the BloodHound graph.
For this, we have a user called JDGODD, who has WriteOwner on a group called Core Staff. We can take control of the group using PowerView.
We start by importing PowerView. We can execute it in memory by using IEX.
Then we use JDGODD's password and store it in a variable called Creds.
Now we change the OwnerIdentity and PrincipalIdentity of the group.
Finally, we add the user to the group.
To verify => net group 'CORE STAFF'
We can also use LDAP to do this, with a tool called ldap_shell.
After getting an interactive session, we can execute two commands that give us the important rights.
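For the defensive side of the owner and DACL relationship described above, the following added example (not code from the original page) parses a group's security descriptor in SDDL form, as exported from its nTSecurityDescriptor attribute, and reports any principal outside a trusted set that owns the object or is granted WriteOwner or GenericAll. The SDDL strings, the placeholder SID and the trusted set are constructed assumptions; conditional ACEs with nested parentheses are not handled.

```python
import re

WRITE_OWNER = 0x00080000   # "WO" in SDDL
GENERIC_ALL = 0x10000000   # "GA" in SDDL, includes WRITE_OWNER
RIGHT_BITS = {"WO": WRITE_OWNER, "GA": GENERIC_ALL}
# Assumption: SDDL aliases for Domain Admins, Enterprise Admins, SYSTEM and
# BUILTIN\Administrators are the expected holders; adjust per domain.
TRUSTED = {"DA", "EA", "SY", "BA"}

def rights_mask(rights):
    """Return the WRITE_OWNER / GENERIC_ALL bits in an SDDL rights field."""
    if rights.lower().startswith("0x"):            # numeric access mask
        return int(rights, 16) & (WRITE_OWNER | GENERIC_ALL)
    codes = set(re.findall("..", rights))          # two-letter right codes
    return sum(bit for code, bit in RIGHT_BITS.items() if code in codes)

def audit_group_sddl(sddl, trusted=TRUSTED):
    """Return (owner, findings); findings lists untrusted principals that own
    the object or hold WriteOwner / GenericAll through an allow ACE."""
    m = re.search(r"O:(.+?)(?=G:|D:|S:|$)", sddl)
    owner = m.group(1) if m else None
    findings = []
    if owner and owner not in trusted:
        findings.append((owner, "owner"))
    # Only the DACL matters here; the SACL (S:) holds audit ACEs.
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)) if dacl else []:
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA"):
            continue                                # skip deny and malformed ACEs
        mask = rights_mask(fields[2])
        if mask and fields[5] not in trusted:
            right = "WriteOwner" if mask & WRITE_OWNER else "GenericAll"
            findings.append((fields[5], right))
    return owner, findings

# Constructed sample: SIDs are placeholders, not values from the page.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1104"
BEFORE = f"O:DAG:DAD:AI(A;;GA;;;DA)(A;;RPLCRC;;;AU)(A;;WO;;;{USER})S:AI(AU;SA;WDWO;;;WD)"
AFTER = f"O:{USER}G:DAD:AI(A;;GA;;;DA)(A;;0xf01ff;;;{USER})"

if __name__ == "__main__":
    for label, sddl in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_group_sddl(sddl))
```

The BEFORE descriptor shows the misconfiguration worth fixing in advance (a regular account granted WO); the AFTER descriptor shows what the group looks like once ownership has changed, which is the state to alert on.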