# WriteDacl

## Configuring

1. Login to `DC03` with the Administrator user and the password `Welcome01!`.
2. Open the "Active Directory Users and Computers" administration tool.

<div align="left"><img src="/files/J72pxt2HH3R89FqilyjG" alt=""></div>

3\. Click on "View" and enable "Advanced Features".

<div align="left"><img src="/files/oiEpgNOdcECPyEPxjqei" alt=""></div>

4\. Right-click the "Secure.local" domain object and select "Properties". Then open the "Security" tab and click "Add".

<div align="left"><img src="/files/wxxikFc3NvygkVSzfpA9" alt=""></div>

5\. Click on "Object Types" and select "Computers", then select "OK".

<div align="left"><img src="/files/tTSuPGhkYIhzQ5rvsFFW" alt=""></div>

6\. Fill in `Data01` and click "Check Names", then click "Advanced" and "OK".

<div align="left"><img src="/files/aThrYkVIAADNYJZWSviF" alt=""></div>

7\. Click on "DATA01" and then on "Advanced". Scroll through the list and search for the `DATA01` entry. Then click on "Edit" and select "Modify permissions".

![](/files/6VP7O9iRmuPF5rMgL8y3)

8\. Click on "OK", "Apply" and "OK". Then on "Apply" and "OK" again to close and apply all the permissions screens.

## Attacking

### How it works

With the ability to modify the DACL on the target object, you can grant yourself almost any privilege you wish against that object. This is effectively the same as giving yourself GenericAll over the object.

{% hint style="info" %}
In the lab we will only give a user DCSync privileges on the domain object. However, it is possible to grant almost any privilege on the object you have this right over and then abuse those privileges as described on the GenericAll page.
{% endhint %}

### Tools

* [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)

### Executing the attack

The attack is executed from the perspective of already having high-privileged access to the `DATA01` server in the `secure.local` domain and having control of a user.

1. Login to `DATA01` with the username `bank\secure_admin` and the password `rFKbUJrDu$sz*36ffKr6`.
2. On the DACL-Abuses page I showed you how to check for ACLs using BloodHound. In this attack we will abuse the ACL that `DATA01` has on the domain object:

<div align="left"><img src="/files/iqyJmud6aTjH2DelWcpn" alt=""></div>

3\. Open PowerShell as an Administrator and download an AMSI bypass, Mimikatz and PowerView into memory.

<div align="left"><img src="/files/wJncvyGvvnlbI3LHMAEy" alt=""></div>

4\. We are currently running in the context of the `secure_admin` user, but we need to run in the context of the `DATA01` computer account. We can do this by getting SYSTEM. Execute the following Mimikatz command to do just that:

```
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate"'
```

![](/files/bS6sODz2bd1zrf9LSfc4)

5\. Now we can give `secure_admin` DCSync privileges on the `secure.local` domain object using the `Add-DomainObjectAcl` cmdlet from PowerView:

```
Add-DomainObjectAcl -TargetIdentity 'DC=secure,DC=local' -PrincipalIdentity 'secure_admin' -PrincipalDomain bank.local -Rights DCSync -Verbose
```

![](/files/iq1URmUWkvJueDKDbbPR)

6\. We can quickly run BloodHound to check if the correct permissions are applied to the `secure_admin` user:

<div align="left"><img src="/files/D3x2OaHBSNgmJW9Bzwm5" alt=""></div>

<div align="left"><img src="/files/zl9DlsCnKFNi76mnoXcC" alt=""></div>

7\. The next steps of the attack, executing DCSync, are described on the following page:

{% content-ref url="/pages/VodCix6ht67b5lB2pFni" %}
[Get-Changes](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/get-changes.md)
{% endcontent-ref %}

## Defending

### Recommendations

### Detection
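The lab above leaves two traces in the domain object's DACL: the WriteDacl ACE configured for `DATA01` and the replication ACEs that `Add-DomainObjectAcl -Rights DCSync` adds for `secure_admin`. The following is an added example, not part of the original page or of any tool it uses, that audits a DACL for both. It assumes the domain object's security descriptor has been exported as an SDDL string; the function names, the `EXPECTED` allowlist and the sample SIDs are constructed for illustration.

```python
import re

# Extended rights that together allow DCSync (control-access right GUIDs).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Access-mask bits, for ACEs whose rights are written in hex.
MASK_BITS = {0x00040000: "WD", 0x10000000: "GA", 0x00000100: "CR"}
# Assumption: SDDL aliases expected to hold these rights on the domain root
# (admins, SYSTEM, domain controller groups). Tune per environment.
EXPECTED = {"DA", "EA", "BA", "SY", "ED", "DD", "RO"}

def parse_rights(field):
    """Return the set of two-letter right codes in an ACE rights field."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for bit, code in MASK_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def audit_dacl(sddl, expected=EXPECTED):
    """Flag allow ACEs granting WriteDacl, GenericAll or replication rights
    to trustees outside `expected`. Returns (trustee, finding) pairs."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA") or fields[5] in expected:
            continue  # deny/audit ACE, malformed entry or expected trustee
        rights, guid, trustee = parse_rights(fields[2]), fields[3].lower(), fields[5]
        if "GA" in rights:
            findings.append((trustee, "GenericAll"))
        if "WD" in rights:
            findings.append((trustee, "WriteDacl"))
        # CR with no object GUID means every extended right, replication included.
        if "CR" in rights and (not guid or guid in REPL_RIGHTS):
            findings.append((trustee, REPL_RIGHTS.get(guid, "AllExtendedRights")))
    return findings

# Constructed sample (made-up SIDs): a computer account holding WriteDacl and
# a foreign-domain user holding two replication rights on the domain root.
SAMPLE = ("O:DAG:DAD:AI(A;;GA;;;SY)(A;CI;RPWD;;;S-1-5-21-1111-2222-3333-1105)"
          "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
          "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-4444-5555-6666-1604)"
          "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-4444-5555-6666-1604)")

if __name__ == "__main__":
    print(audit_dacl(SAMPLE))
```

Any trustee reported with both `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All` can perform DCSync, and a non-administrative trustee reported with `WriteDacl` can grant those rights to anyone.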

## References

{% embed url="<https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#writedacl>" %}


