SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
Hi,
i wonder if its possible to add a new function for creating new GPOs. I recently found myself in a situation where the user had "Create-GPO" rights but i did not find any suitable tool to add a new GPO but only the Group Policy Management Console or Microsofts New-GPO Ps1-function.
Greetings
Hi,
This tool looks promising but during testing I encountered an error that simply breaks the targeted GPO rendering it unusable for me as a pentester and for my client. The broken GPO cannot even be deleted. This is as you understand really bad and as long as this is not fixed I cannot use your tool. pyGPOAbuse suffers from the same issue so to me it seems something has changed on the Windows Server side making both tools incompatible.
I whish I could write the specific scenario that triggers this but I have yet to find a pattern. It seems to happen more frequently when things go "wrong". For example when I forget to add the parameter "--force" or when I enter a GPO that does not exist or I do not have write access on. Just keep trying to execute various sheduled tasks and you will eventually get an error in your shell. Once you get that , access your DC and open Group Policy Management. In that, rightclick your targeted GPO and select "Edit...". Then expand "Preferences" under either "Computer Configuration" or "User configuration" depending on what object you are targeting. Finally leftclick "Control Panel Settings" and you will get the below error popup.
One may not want to install a Windows VM + install Visual Studio just to build a tool. So I tried to build SharpGPOAbuse exe with Mono, MSBuild, .NET SDk, and NuGet on Linux.
On ArchLinux:
$ pacman -S mono-msbuild dotnet-sdk nuget
$ pikaur -S mono-git
$ git clone https://github.com/FSecureLABS/SharpGPOAbuse.git
$ cd SharpGPOAbuse
$ nuget restore
$ msbuild SharpGPOAbuse.sln
Microsoft (R) Build Engine version 16.10.1 for Mono
Copyright (C) Microsoft Corporation. All rights reserved.
Building the projects in this solution one at a time. To enable parallel build, please add the "-m" switch.
Build started 12/22/2021 5:34:00 PM.
Project "/tmp/SharpGPOAbuse/SharpGPOAbuse.sln" on node 1 (default targets).
ValidateSolutionConfiguration:
Building solution configuration "Debug|Any CPU".
Project "/tmp/SharpGPOAbuse/SharpGPOAbuse.sln" (1) is building "/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj" (2) on node 1 (default targets).
PrepareForBuild:
Creating directory "bin/Debug/".
Creating directory "obj/Debug/".
ResolveAssemblyReferences:
Primary reference "System.DirectoryServices.AccountManagement".
/usr/lib/mono/msbuild/Current/bin/Microsoft.Common.CurrentVersion.targets(2218,5): warning MSB3245: Could not resolve this reference. Could not locate the assembly "System.DirectoryServices.AccountManagement". Check to make sure the assembly exists on disk. If this reference is required by your code, you may get compilation errors. [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
For SearchPath "{TargetFrameworkDirectory}".
Considered "/usr/lib/mono/xbuild-frameworks/.NETFramework/v3.5/System.DirectoryServices.AccountManagement.winmd", but it didn't exist.
Considered "/usr/lib/mono/xbuild-frameworks/.NETFramework/v3.5/System.DirectoryServices.AccountManagement.dll", but it didn't exist.
Considered "/usr/lib/mono/xbuild-frameworks/.NETFramework/v3.5/System.DirectoryServices.AccountManagement.exe", but it didn't exist.
Considered "/usr/lib/mono/xbuild-frameworks/.NETFramework/v3.0/System.DirectoryServices.AccountManagement.winmd", but it didn't exist.
Considered "/usr/lib/mono/xbuild-frameworks/.NETFramework/v3.0/System.DirectoryServices.AccountManagement.dll", but it didn't exist.
Considered "/usr/lib/mono/xbuild-frameworks/.NETFramework/v3.0/System.DirectoryServices.AccountManagement.exe", but it didn't exist.
Considered "/usr/lib/mono/2.0-api/System.DirectoryServices.AccountManagement.winmd", but it didn't exist.
Considered "/usr/lib/mono/2.0-api/System.DirectoryServices.AccountManagement.dll", but it didn't exist.
Considered "/usr/lib/mono/2.0-api/System.DirectoryServices.AccountManagement.exe", but it didn't exist.
For SearchPath "{GAC}".
Considered "System.DirectoryServices.AccountManagement", which was not found in the GAC.
For SearchPath "{RawFileName}".
Considered treating "System.DirectoryServices.AccountManagement" as a file name, but it didn't exist.
For SearchPath "bin/Debug/".
Considered "bin/Debug/System.DirectoryServices.AccountManagement.winmd", but it didn't exist.
Considered "bin/Debug/System.DirectoryServices.AccountManagement.dll", but it didn't exist.
Considered "bin/Debug/System.DirectoryServices.AccountManagement.exe", but it didn't exist.
CoreCompile:
/usr/lib/mono/msbuild/Current/bin/Roslyn/csc.exe /noconfig /nowarn:1701,1702 /fullpaths /nostdlib+ /platform:AnyCPU /errorreport:prompt /warn:4 /define:DEBUG;TRACE /highentropyva- /reference:/tmp/SharpGPOAbuse/packages/CommandLineParser.1.9.3.15/lib/CommandLine.dll /reference:/usr/lib/mono/2.0-api/mscorlib.dll /reference:/usr/lib/mono/2.0-api/System.Core.dll /reference:/usr/lib/mono/2.0-api/System.Data.DataSetExtensions.dll /reference:/usr/lib/mono/2.0-api/System.Data.dll /reference:/usr/lib/mono/2.0-api/System.DirectoryServices.dll /reference:/usr/lib/mono/2.0-api/System.DirectoryServices.Protocols.dll /reference:/usr/lib/mono/2.0-api/System.dll /reference:/usr/lib/mono/2.0-api/System.Xml.dll /reference:/usr/lib/mono/2.0-api/System.Xml.Linq.dll /debug+ /debug:full /filealign:512 /optimize- /out:obj/Debug/SharpGPOAbuse.exe /target:exe /utf8output /deterministic+ /langversion:7.3 Program.cs Properties/AssemblyInfo.cs
Using shared compilation with compiler from directory: /usr/lib/mono/msbuild/Current/bin/Roslyn
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(593,38): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(593,108): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(593,143): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(594,38): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(597,23): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(597,100): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(951,38): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(951,108): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(951,143): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(952,38): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(955,23): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(955,100): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
Done Building Project "/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj" (default targets) -- FAILED.
Done Building Project "/tmp/SharpGPOAbuse/SharpGPOAbuse.sln" (default targets) -- FAILED.
Build FAILED.
"/tmp/SharpGPOAbuse/SharpGPOAbuse.sln" (default target) (1) ->
"/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj" (default target) (2) ->
(ResolveAssemblyReferences target) ->
/usr/lib/mono/msbuild/Current/bin/Microsoft.Common.CurrentVersion.targets(2218,5): warning MSB3245: Could not resolve this reference. Could not locate the assembly "System.DirectoryServices.AccountManagement". Check to make sure the assembly exists on disk. If this reference is required by your code, you may get compilation errors. [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
"/tmp/SharpGPOAbuse/SharpGPOAbuse.sln" (default target) (1) ->
"/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj" (default target) (2) ->
(CoreCompile target) ->
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(593,38): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(593,108): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(593,143): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(594,38): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(597,23): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(597,100): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(951,38): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(951,108): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(951,143): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(952,38): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(955,23): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
/tmp/SharpGPOAbuse/SharpGPOAbuse/Program.cs(955,100): error CS0234: The type or namespace name 'AccountManagement' does not exist in the namespace 'System.DirectoryServices' (are you missing an assembly reference?) [/tmp/SharpGPOAbuse/SharpGPOAbuse/SharpGPOAbuse.csproj]
1 Warning(s)
12 Error(s)
Time Elapsed 00:00:01.26
How to build SharpGPOAbuse exe from Linux?
During testing, I have come across an issue with a very large domain of 60k machines, the GPT.INI file gets locked by a process not allowing the file to be written to. This doesn't allow the version number to be updated to match the attribute number updated in AD. An easy work around is to try this again in a few minutes or rename the the GPT.INI to GPT.INI.BAK and recreate it with the new version number. As a bonus I think it would be great to display in console the updated version number if manual changes are needed. I had to manually update the GPT.INI file and had to query AD to see what was the updated number was set in AD.
Application Update Ideas:
The way the admin user is added should be changed to create a group and add the user of choice into this group, then assigning the group to the local administrators.
I have only done testing around adding a user into an already created AD group, and then assigning that group to a GPO to gain access to domain controllers and servers. The current way is dangerous and will remove all previous users from the administrators group.
Using this option in an engagement is impossible due to the nature of being detected by removing admins from servers administrators group.
In the code where you handle checking/adding gPCMachineExtensionNames GUIDs, you are likely going to have issues with the way you're handling that today. The GP client engine has specific expectations about how GUIDs are sorted/listed in that attribute in order for processing to actually work. All bracketed ([]) GUID pairs need to be sorted alphanumerically within the list. In addition, GP Preferences GUIDs require special treatment. The Zero GUID needs to be added to the attribute if there are no Preferences in that GPO yet, and then the 2nd GUID of a given GPP CSE pair needs to be appended to the Zero GUID, also alphanumerically. So, as an example: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}] indicates that GPP Drive Maps and Admin Templates have been implemented in this GPO. Note that the 2nd GUID for GPP Drive Maps is tacked onto the end of the zero GUID and then the Admin Templates ({35378EA...) GUID pair comes next because it falls before the GPP Drive Maps GUID pair, alphanumerically.
Adding a cleanup parameter to all of the abuse methods will help the operator to perform cleanups on the exploited systems and reduces artifacts lying around on the remote system.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.