3 - LO 3️
Learning Object 3
Tasks
1 - Enumerate following for the dollarcorp domain:
List all the OUs
List all the computers in the DevOps OU
List the GPOs
Enumerate GPO applied on the DevOps OU
Enumerate ACLs for the Applocker and DevOps GPOs
Flag 3 [Student VM] - Display name of the GPO applied on StudentMachines OU 🚩
Solutions
1 - Enumerate following for the dollarcorp domain:
Start InviShell and PowerView
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Powerview.ps1
1.1 - List all the OUs of dollarcorp.moneycorp.local
Get-DomainOU -Domain dollarcorp.moneycorp.local | select name, ou, distinguishedname
name ou distinguishedname
---- -- -----------------
Domain Controllers Domain Controllers OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
StudentMachines StudentMachines OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
Applocked Applocked OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
Servers Servers OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
DevOps DevOps OU=DevOps,DC=dollarcorp,DC=moneycorp,DC=local
1.2 - List all the computers in the DevOps OU
(Get-DomainOU -Identity DevOps).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
name
----
DCORP-CI
1.3 - List the GPOs
Get-DomainGPO | select displayname
displayname
-----------
Default Domain Policy
Default Domain Controllers Policy
Applocker
Servers
Students
DevOps Policy
1.4 - Enumerate GPO applied on the DevOps OU
To enumerate GPO applied on the DevOps OU, we need the name of the policy from the gplink attribute from the OU:
(Get-DomainOU -Identity DevOps).gplink
[LDAP://cn={0BF8D01C-1F62-4BDC-958C-57140B67D147},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]
We copy the value between {} including the brackets as well: {0BF8D01C-1F62-4BDC-958C-57140B67D147}
Get-DomainGPO -Identity '{0BF8D01C-1F62-4BDC-958C-57140B67D147}'
flags : 0
displayname : DevOps Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-
A0D0-00A0C90F574B}]
whenchanged : 12/24/2024 7:09:01 AM
versionnumber : 3
name : {0BF8D01C-1F62-4BDC-958C-57140B67D147}
cn : {0BF8D01C-1F62-4BDC-958C-57140B67D147}
usnchanged : 296496
dscorepropagationdata : {12/18/2024 7:31:56 AM, 1/1/1601 12:00:00 AM}
objectguid : fc0df125-5e26-4794-93c7-e60c6eecb75f
gpcfilesyspath : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{0BF8D01C-1F62-4BDC-958C-57140B67D147}
distinguishedname : CN={0BF8D01C-1F62-4BDC-958C-57140B67D147},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
whencreated : 12/18/2024 7:31:22 AM
showinadvancedviewonly : True
usncreated : 293100
gpcfunctionalityversion : 2
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
1.5 - Enumerate ACLs for the Applocker and DevOps GPOs
Let's use the BloodHound CE UI, search for Applocker in the UI -> Click on the node -> Click on Inboud Object Control

It turns out that the RDPUsers group has GenericAll over the policy.

Now, search for DevOps and look at its 'Inbound Object Control':

Flag 3 [Student VM] - Display name of the GPO applied on StudentMachines OU 🚩
Retrieve the gplink of StudentMachines OU
Get-DomainOU | Where-Object {$_.Name -eq "StudentMachines"}
usncreated : 44996
displayname : StudentMachines
gplink : [LDAP://cn={7478F170-6A0C-490C-B355-9E4618BC785D},cn=policies,cn=
system,DC=dollarcorp,DC=moneycorp,DC=local;0]
whenchanged : 11/15/2022 5:46:19 AM
objectclass : {top, organizationalUnit}
usnchanged : 45933
dscorepropagationdata : {12/5/2024 12:47:28 PM, 11/15/2022 3:49:24 AM, 11/15/2022
3:49:24 AM, 1/1/1601 12:00:01 AM}
name : StudentMachines
distinguishedname : OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
ou : StudentMachines
whencreated : 11/15/2022 3:49:24 AM
instancetype : 4
objectguid : 1c7cd8cb-d8bb-412f-9d76-9cff8afa021f
objectcategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=moneycorp,DC
=local
and obtain the relative GPO name
Get-DomainGPO -Identity '{7478F170-6A0C-490C-B355-9E4618BC785D}'
flags : 0
displayname : Students
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA8
8-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14
A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 7/30/2024 1:30:35 PM
versionnumber : 9
name : {7478F170-6A0C-490C-B355-9E4618BC785D}
cn : {7478F170-6A0C-490C-B355-9E4618BC785D}
usnchanged : 247100
dscorepropagationdata : {12/5/2024 12:47:28 PM, 1/1/1601 12:00:01 AM}
objectguid : 0076f619-ffef-4488-bfdb-1fc028c5cb14
gpcfilesyspath : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local
\Policies\{7478F170-6A0C-490C-B355-9E4618BC785D}
distinguishedname : CN={7478F170-6A0C-490C-B355-9E4618BC785D},CN=Policies,CN=Syste
m,DC=dollarcorp,DC=moneycorp,DC=local
whencreated : 11/15/2022 5:46:19 AM
showinadvancedviewonly : True
usncreated : 45927
gpcfunctionalityversion : 2
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneyc
orp,DC=local
Last updated