WriteDacl on User (Ramon -> Nicolas)

  • To exploit WriteDacl from Ramon to Nicolas we can use dacledit.py

  • First we will clone the impacket fork created by shutdown (@_nwodtuhs) to get the latest PR with dacledit

git clone https://github.com/ThePorgs/impacket.git
cd impacket
sudo python3 setup.py install

  • Now we can use dacledit.py

  • First let’s look at Ramon’s rights on Nicolas:

dacledit.py -action 'read' -principal Ramon.Maldonado -target 'nicolas.Maduro' 'NewYork.local'/'Ramon.Maldonado':'monkey'

  • OK, now change the permission to “FullControl” and see the modification


  • OK, now we can:

    • change Nicolas’s password

    • do a targeted Kerberoasting

    • do a shadow credentials attack

  • Let’s just use shadow credentials:
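
Seen from the defender's side, the DACL change and the shadow-credentials write above both surface as Event ID 5136 (directory service object modified) when directory-service change auditing is enabled. The following is an added example, not part of the original notes: it diffs the old and new security descriptor of a user object and also flags writes to msDS-KeyCredentialLink. It assumes the events were exported to dicts keyed by the 5136 EventData field names; the SID, DN, and correlation ID are constructed placeholders.

```python
import re
from collections import defaultdict
from functools import reduce

ADDED, DELETED = "%%14674", "%%14675"  # 5136 OperationType: value added / deleted
FULL_CONTROL = 0x000F01FF              # mask shown as "Full control" on AD objects
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
        "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000,
        "WO": 0x80000, "GA": FULL_CONTROL}  # SDDL right -> access-mask bits

def allow_aces(sddl):
    """Return {(trustee, mask)} for plain allow ACEs; object ACEs (OA) are skipped."""
    aces = set()
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        f = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(f) == 6 and f[0] == "A":
            mask = (int(f[2], 16) if f[2].lower().startswith("0x") else
                    reduce(lambda m, p: m | BITS.get(p, 0), re.findall("..", f[2]), 0))
            aces.add((f[5], mask))
    return aces

def detect(events):
    """Return findings from Event ID 5136 records exported as dicts (assumed format)."""
    findings, sd = [], defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["ObjectClass"] != "user":
            continue
        attr, op = e["AttributeLDAPDisplayName"], e["OperationType"]
        who, dn = e["SubjectUserName"], e["ObjectDN"]
        if attr == "msDS-KeyCredentialLink" and op == ADDED:
            findings.append(("key-credential-added", who, dn, None))
        elif attr == "nTSecurityDescriptor":  # old value = DELETED, new value = ADDED
            sd[(e["OpCorrelationID"], who, dn)][op] |= allow_aces(e["AttributeValue"])
    for (_, who, dn), v in sd.items():
        for trustee, mask in sorted(v[ADDED] - v[DELETED]):  # ACEs only in the new SD
            if mask & FULL_CONTROL == FULL_CONTROL:
                findings.append(("full-control-ace-added", who, dn, trustee))
    return findings

# Constructed sample records: the SID, DN and correlation ID are placeholders.
RAMON = "S-1-5-21-1111111111-2222222222-3333333333-1105"
OLD = f"O:DAG:DAD:AI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;WD;;;{RAMON})"
BASE = {"SubjectUserName": "Ramon.Maldonado", "ObjectClass": "user",
        "ObjectDN": "CN=nicolas.Maduro,CN=Users,DC=NewYork,DC=local",
        "OpCorrelationID": "{constructed-1}"}
SAMPLE = [dict(BASE, AttributeLDAPDisplayName=a, OperationType=o, AttributeValue=v)
          for a, o, v in (("nTSecurityDescriptor", DELETED, OLD),
                          ("nTSecurityDescriptor", ADDED, OLD + f"(A;;0xf01ff;;;{RAMON})"),
                          ("msDS-KeyCredentialLink", ADDED, "<binary value omitted>"))]
if __name__ == "__main__":
    print(detect(SAMPLE))
```

Because the descriptor is diffed within one OpCorrelationID, long-standing full-control ACEs (Domain Admins here) do not raise findings; only the ACE that the modification introduced does.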
