Group Policy Object (GPO) Abuse (Windows Active Directory Privilege Escalation)
A Group Policy Object (GPO) is a collection of Group Policy settings that define how systems should behave for a defined set of users or computers. If we gain a foothold as a user who has misconfigured rights over a GPO, we can use that GPO to move laterally in an Active Directory environment or even escalate our privileges.
This article covers how to add a local admin user on a host that applies a GPO we have edit rights over.
Enumerating for GPO rights
We can use PowerView to enumerate GPOs we may have rights over:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Run this to list all GPOs:
Get-NetGPO | select displayname
Let's say we wish to look at the "Default Domain Policy" GPO from that list. Execute the following (Get-GPO and Get-GPPermission come from the GroupPolicy RSAT module rather than PowerView) and take note of the Id:
Get-GPO -Name "Default Domain Policy"
Now we check which permissions our current user has over the Default Domain Policy GPO:
Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName <user>
Output showing a Permission level of GpoEdit or GpoEditDeleteModifySecurity for our user indicates that we can modify the GPO's settings (and, with the latter, its security descriptor), which is what we leverage to take control of the GPO.
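The same enumeration, turned around for the defender: the script below is an added example and is not part of the original article or of PowerView. It walks every GPO in the domain with the GroupPolicy RSAT module and reports trustees that hold an edit-level permission but are not on an allow-list of expected editors. The allow-list (`$ExpectedEditors`) is an assumption and should be extended with any dedicated GPO-administration group your environment uses; the remediation call to Set-GPPermission is left commented out so the script is read-only by default.

```powershell
# Added example (not from the original article): audit every GPO in the domain for
# principals that can edit it but are not the expected administrative trustees.
# Requires the GroupPolicy RSAT module on a domain-joined host.
Import-Module GroupPolicy

# Trustees expected to hold edit rights on a GPO. This list is an assumption;
# add your own GPO-administration groups here.
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Get-GPPermission levels that allow changing GPO content or its ACL.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Get-RiskyGpoPermission {
    [CmdletBinding()]
    param()
    foreach ($gpo in Get-GPO -All) {
        # -All returns one GPPermission entry per trustee on the GPO
        foreach ($p in (Get-GPPermission -Guid $gpo.Id -All)) {
            if ($EditLevels -notcontains $p.Permission) { continue }
            if ($ExpectedEditors -contains $p.Trustee.Name) { continue }
            [pscustomobject]@{
                GpoName     = $gpo.DisplayName
                GpoId       = $gpo.Id
                Trustee     = $p.Trustee.Name
                TrusteeType = $p.TrusteeType
                Permission  = $p.Permission
                Inherited   = $p.Inherited
                Modified    = $gpo.ModificationTime
            }
        }
    }
}

# Report first; revoke only after reviewing the findings.
$findings = Get-RiskyGpoPermission
$findings | Format-Table -AutoSize

# Remediation (commented out): strip the unexpected trustee's rights on that GPO.
# foreach ($f in $findings) {
#     Set-GPPermission -Guid $f.GpoId -TargetName $f.Trustee -TargetType $f.TrusteeType `
#         -PermissionLevel None -Replace
# }
```

A GPO linked at the domain root, such as Default Domain Policy, applies to every computer in the domain, so a finding there deserves priority over one on a GPO linked to a single OU.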
Abusing GPO to add a new local admin
Now let's move on to the exciting part! Git clone and build SharpGPOAbuse to get started.
Execute the following to add our current user to the local Administrators group on every host that applies the GPO.
The --GPOName flag is the GPO we have rights over, which you enumerated in the previous section (in our case, Default Domain Policy). --UserAccount should be the user we are currently logged in as.
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount <user> --GPOName "Default Domain Policy"
The next step is important: the new settings only take effect once the policy is refreshed, so run the following on the target host to force a policy update (or wait for the normal refresh interval):
gpupdate /force
After that, simply run net localgroup administrators and we should see our current user as a member of the Administrators group!
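From the detection side, the change above is a write to a groupPolicyContainer object in Active Directory, and every GPO edit increments the GPO's versionNumber attribute (adding a new policy area such as local group membership may also change gPCMachineExtensionNames). The following is an added example, not code from the article or from SharpGPOAbuse: it reads Security event 5136 ("A directory service object was modified") from a domain controller and keeps only modifications of GPO objects. It assumes the "Audit Directory Service Changes" subcategory is enabled and that the GPO objects carry a SACL, and the `$ComputerName` default (the local machine) assumes you run it on a DC.

```powershell
# Added example (not from the original article): surface modifications to GPO objects
# from Security event 5136 on a domain controller. Assumes Directory Service Changes
# auditing is enabled and the GPO containers have a SACL.
function Get-GpoModificationEvent {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$ComputerName = $env:COMPUTERNAME   # assumption: run on the DC itself
    )
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named EventData fields are easiest to read from the XML form of the event
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['ObjectClass'] -ne 'groupPolicyContainer') { return }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                GpoDN     = $d['ObjectDN']           # CN={GUID},CN=Policies,CN=System,DC=...
                Attribute = $d['AttributeLDAPDisplayName']
                Value     = $d['AttributeValue']
                Operation = $d['OperationType']      # %%14674 = value added, %%14675 = value deleted
            }
        }
}

# Any actor outside your GPO-administration groups, or a change outside a change window,
# is worth a closer look; versionNumber bumps on a domain-linked GPO are the priority.
Get-GpoModificationEvent | Sort-Object Time | Format-Table -AutoSize
```

The ObjectDN carries the GPO's GUID, so a hit can be matched back to the Id shown by Get-GPO; the well-known GUID on this page, 31b2f340-016d-11d2-945f-00c04fb984f9, is Default Domain Policy.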