# GPO Introduction
- Group policy objects (GPOs) provide administrators with many advanced settings that can be applied to both user and computer objects in an AD environment
- Group Policy, when used right, is an excellent tool for hardening an AD environment by configuring user settings, operating systems, and applications
- On the flip side, Group Policy can also be abused by attackers
- If we can gain rights over a Group Policy Object via an ACL misconfiguration, we could leverage this for lateral movement, privilege escalation, domain compromise, and even as a persistence mechanism within the domain
- GPO misconfigurations can be abused to perform the following attacks:
  - Adding additional rights to a user such as:
    - `SeDebugPrivilege`
    - `SeTakeOwnershipPrivilege`
    - `SeImpersonatePrivilege`
  - Adding a local admin user to one or more hosts
  - Creating an immediate scheduled task to perform any number of actions
- Enumerate GPO Names with `PowerView`
```powershell
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Get-DomainGPO |select displayname
displayname
-----------
Default Domain Policy
Default Domain Controllers Policy
Deny Control Panel Access
Disallow LM Hash
Deny CMD Access
Disable Forced Restarts
Block Removable Media
Disable Guest Account
Service Accounts Password Policy
Logon Banner
Disconnect Idle RDP
Disable NetBIOS
AutoLogon
GuardAutoLogon
Certificate Services
```
- Enumerate GPO Names with Built-in Cmdlet
```powershell
PS C:\htb> Get-GPO -All | Select DisplayName
DisplayName
-----------
Certificate Services
Default Domain Policy
Disable NetBIOS
Disable Guest Account
AutoLogon
Default Domain Controllers Policy
Disconnect Idle RDP
Disallow LM Hash
Deny CMD Access
Block Removable Media
GuardAutoLogon
Service Accounts Password Policy
Logon Banner
Disable Forced Restarts
Deny Control Panel Access
```
- Enumerate `Domain Users` group's GPO rights with `PowerView`
- As we can see, the `Domain Users` group has various permissions over a GPO, such as `WriteProperty` and `WriteDacl`, which we could leverage to give ourselves full control over the GPO and pull off any number of attacks that would be pushed down to any users and computers in OUs that the GPO is applied to
```powershell
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> $sid=Convert-NameToSid "Domain Users"
PS C:\htb> Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
ObjectDN : CN={7CA9C789-14CE-46E3-A722-83F4097AF532},CN=Policies,CN=System,DC=INLANEFREIGHT,DC=LOCAL
ObjectSID :
ActiveDirectoryRights : CreateChild, DeleteChild, ReadProperty, WriteProperty, Delete, GenericExecute, WriteDacl, WriteOwner
BinaryLength : 36
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 983095
SecurityIdentifier : S-1-5-21-3842939050-3880317879-2865463114-513
AceType : AccessAllowed
AceFlags : ObjectInherit, ContainerInherit
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
AuditFlags : None
```
- Convert the GPO GUID to a name
- As shown below, we can see that the `Domain Users` group has several rights over the `Disconnect Idle RDP` GPO, which could be leveraged for full control of the object
```powershell
PS C:\htb> Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532
DisplayName : Disconnect Idle RDP
DomainName : INLANEFREIGHT.LOCAL
Owner : INLANEFREIGHT\Domain Admins
Id : 7ca9c789-14ce-46e3-a722-83f4097af532
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 10/28/2021 3:34:07 PM
ModificationTime : 4/5/2022 6:54:25 PM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 0, SysVol Version: 0
WmiFilter :
```
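- Audit all GPOs for the same kind of delegation from the defender's side. The script below is an added example, not part of the original notes; it uses only the built-in `GroupPolicy` module (`Get-GPO`, `Get-GPPermission`) and assumes RSAT is installed and the session runs as a domain user. It flags any GPO where a broad principal (Everyone, Authenticated Users, Domain Users, Domain Computers) holds edit-level or custom (non-standard) permissions, which is exactly how the `Disconnect Idle RDP` finding above would surface.

```powershell
# Added audit example (not from the original notes). Requires the GroupPolicy
# RSAT module and a domain-joined session with rights to read GPO security.
Import-Module GroupPolicy

# Broad principals that should never be able to edit a GPO:
# Everyone (S-1-1-0), Authenticated Users (S-1-5-11),
# and the domain RIDs for Domain Users (513) and Domain Computers (515).
$broadSids = @('S-1-1-0', 'S-1-5-11')
$broadRids = @(513, 515)

# GpoEdit / GpoEditDeleteModifySecurity allow changing the policy.
# GpoCustom means the ACE does not match a standard level (e.g. WriteDacl
# plus WriteProperty as in the PowerView output) and must be reviewed by hand.
$flagLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-OverPermissiveGpo {
    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            # Deny ACEs and unresolvable trustees are not what we are after.
            if ($perm.Denied -or -not $perm.Trustee.Sid) { continue }
            if ($flagLevels -notcontains $perm.Permission.ToString()) { continue }

            $sid = $perm.Trustee.Sid.Value
            $rid = [int]($sid.Split('-')[-1])
            $isBroad = ($broadSids -contains $sid) -or
                       ($sid -like 'S-1-5-21-*' -and $broadRids -contains $rid)
            if (-not $isBroad) { continue }

            [pscustomobject]@{
                GpoName    = $gpo.DisplayName
                GpoId      = $gpo.Id
                Trustee    = $perm.Trustee.Name
                Permission = $perm.Permission
                Inherited  = $perm.Inherited
            }
        }
    }
}

# Print the findings; an empty table means no broad principal can edit a GPO.
Get-OverPermissiveGpo | Format-Table -AutoSize
```

Any row returned should be remediated by removing the ACE (or replacing it with `GpoRead`/`GpoApply`) and then re-running the check.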
![[images/Pasted image 20251106143103.png]]![[images/Pasted image 20251106143113.png]]