WriteDacl
WriteDacl: a permission that allows you to modify an object's ACEs (its DACL). If you have WriteDacl on a group object, you can grant yourself a right such as WriteMembers, which then allows you to add users to that group.
Enumeration
PowerView
WriteDacl Enumeration
First get the current user's SID by running whoami /user, then import PowerView and execute the command below to list the objects on which that SID holds the WriteDacl right.
Command
get-objectacl -resolveguids | ? {($_.securityidentifier -eq "[our_current_user_sid]") -and ($_.activedirectoryrights -like "*WriteDacl*")}
The image below shows that the current user usman has the WriteDacl right on the Domain Admins group.

BloodHound
We can also get the same result using BloodHound.
The image below shows that the current user usman has the WriteDacl right on the Domain Admins group.

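From the defender's side, the same ACE is what an audit should catch before it is abused. The PowerShell below is an added example, not part of the original page and not PowerView: it uses the RSAT ActiveDirectory module to list every principal holding WriteDacl (directly or via GenericAll) on high-value groups that is not in an expected baseline; the group list and the $expectedHolders baseline are assumptions to adjust to your domain.

```powershell
# Added example: audit WriteDacl holders on privileged groups with the RSAT
# ActiveDirectory module. A plain domain user appearing here is a finding.
Import-Module ActiveDirectory

# Assumption: built-in privileged groups; extend with your own Tier-0 groups.
$targetGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Assumption: principals expected to hold WriteDacl on these objects. Anything
# else that is found is reported.
$domainNetbios   = (Get-ADDomain).NetBIOSName
$expectedHolders = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$domainNetbios\Domain Admins",
    "$domainNetbios\Enterprise Admins"
)

$writeDaclBit = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

foreach ($name in $targetGroups) {
    # Enterprise/Schema Admins only exist in the forest root; skip if absent.
    $group = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # Get-Acl on the AD: drive returns the object's DACL as
    # ActiveDirectoryAccessRule entries.
    $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        # Test the WriteDacl flag bit so GenericAll (which contains it) is
        # caught too, rather than matching the string "WriteDacl" alone.
        $grantsWriteDacl = ($ace.ActiveDirectoryRights -band $writeDaclBit) -ne 0
        if ($ace.AccessControlType -ne 'Allow' -or -not $grantsWriteDacl) { continue }

        $who = $ace.IdentityReference.Value
        if ($expectedHolders -contains $who) { continue }

        # Unexpected holder: emit one row per group/principal pair.
        [PSCustomObject]@{
            Group     = $name
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Run it as any authenticated user (security descriptors of these groups are readable by default) and pipe the output to Export-Csv for a recurring baseline comparison.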
Exploitation
Let's check our current group membership.

Here usman is a member of the Domain Users group only. We are going to abuse WriteDacl to add usman to the Domain Admins group.