7MS #441: SharpGPOAbuse
7 Minute Security15 Marras 2020

7MS #441: SharpGPOAbuse

Hello friends! Sorry to be late with this episode (again) but we've been heads-down in a lot of cool security work, coming up for air when we can! Today's episode features:

  • A little welcome music that is not the usual scatting of gibberish I torture you with

  • Some cool tools I'm playing with in the lab that we'll do future episodes on in the future:

    • DetectionLab to practice detecting all the bad things!
    • BadBlood to dirty up your AD (your test AD with groups, computers, permissions, etc.). I wish the user import script would let you choose a list of bad passwords to assign the users, but you can also run it manually if you want.
    • Cobalt Strike - we're doing a demo right now!

Most of today's episode focuses on SharpGPOAbuse, a tool that can be used to abuse "generic write" access to GPOs (which you might identify after running BloodHound). Here's a sample syntax you could run:

SharpGPOAbuse.exe --AddUserTask --TaskName "Totes Safe Windoze Updatez" --Author SAMPLECO\ADMINISTRATOR --Command "cmd.exe" --Arguments "/c net group \"Domain Admins\" SomeLowPrivUser /ADD DOMAIN" --GPOName "Name of GPO with Generic Write Access"

This will push a ScheduledTasks.xml file to \\sample.company\Policies\LONG-STRING-REPRESENTING-THE-GPO-ID\User\Preferences\ScheduledTasks

Now if you find that the task is not pushing correctly, it may be that SharpGPOAbuse.exe hasn't been able to update either the GPT.INI file (in the root of the GPO path) and/or the versionNumber value assigned to the GPO itself.
If you need to adjust the versionNumber and GPT.INI value manually, definitely read this Microsoft article so you know how the number is generated and how to increment it properly. This flippin' sweet RastaMouse blog article also helped this click for me.

If you can't seem to update versionNumber using the PowerShell in Rasta's article, you can also open up ADSI Edit and navigate to Default naming context > DC=your,DC=com > CN=System > CN=Policies > CN=LONG-STRING-REPRESENTING-THE-GPO-ID then get the properties of the folder, scroll down and manually adjust the value for versionNumber.

Jaksot(715)

7MS #667: Pentesting GOAD SCCM - Part 2!

7MS #667: Pentesting GOAD SCCM - Part 2!

Hey friends, our good buddy Joe "The Machine" Skeen and I are back this week with part 2 (check out part 1!) tackling GOAD SCCM again! Spoiler alert: this time we get DA! YAY! Definitely check out t...

21 Maalis 202528min

7MS #666: Tales of Pentest Pwnage – Part 68

7MS #666: Tales of Pentest Pwnage – Part 68

Today we have a smattering of miscellaneous pentest tips to help you pwn all the stuff! Selective Snaffling with Snaffler The importance of having plenty of dropbox disk space – for redundant remote ...

14 Maalis 202545min

7MS #665: What I'm Working on This Week - Part 2

7MS #665: What I'm Working on This Week - Part 2

Hello there friends, I'm doing another "what I'm working on this week" episode which includes: BPATTY v1.6 release – big/cool/new content to share here PWPUSH – this looks to be an awesome way (both ...

7 Maalis 202528min

7MS #664: What I'm Working on This Week

7MS #664: What I'm Working on This Week

In today's episode I talk about what I'm working on this week, including: Playing with Sliver C2 and pairing it with ShellcodePack Talking about Netexecer, my upcoming tool that helps automate some o...

28 Helmi 202525min

7MS #663: Pentesting GOAD SCCM

7MS #663: Pentesting GOAD SCCM

Today we live-hack an SCCM server via GOAD SCCM using some attack guidance from Misconfiguration Manager!  Attacks include: Unauthenticated PXE attack PXE (with password) attack Relaying the machine ...

21 Helmi 202529min

7MS #662: Pentesting Potatoes - Part 2

7MS #662: Pentesting Potatoes - Part 2

Hi friends, today we're talking about pentesting potatoes (not really, but this episode is sort of a homage to episode 333 where I went to Boise to do a controls assessment and ended up doing an impro...

14 Helmi 202537min

7MS #661: Baby's First Hetzner and Ludus – Part 2

7MS #661: Baby's First Hetzner and Ludus – Part 2

Today we continue our journey from last week where we spun up a Hetzner cloud server and Ludus.cloud SCCM pentesting range! Topics include: Building a Proxmox Backup Server (this YouTube video was s...

8 Helmi 202537min

7MS #660: Baby's First Hetzner and Ludus

7MS #660: Baby's First Hetzner and Ludus

I had an absolute ball this week spinning up my first Hetzner server, though it was not without some drama (firewall config frustrations and failing hard drives). Once I got past that, though, I got ...

1 Helmi 202534min

Suosittua kategoriassa Politiikka ja uutiset

uutiscast
aikalisa
ootsa-kuullut-tasta-2
politiikan-puskaradio
rss-ootsa-kuullut-tasta
tervo-halme
rss-vaalirankkurit-podcast
rss-podme-livebox
et-sa-noin-voi-sanoo-esittaa
rss-asiastudio
otetaan-yhdet
the-ulkopolitist
rss-hyvaa-huomenta-bryssel
rss-merja-mahkan-rahat
aihe
rikosmyytit
rss-kaikki-uusiksi
rss-raha-talous-ja-politiikka
rss-aijat-hopottaa-podcast
rss-polikulaari-pitka-kiekko-ja-muut-ts-podcastit