InfoSec Notes

Exploitation - GPO users rights

Overview

GPOs can be used to assign user rights on the computer objects they are applied to.

User rights fall into two general categories:

  • logon rights, which grant the specified user the right to log on to the computer and define the allowed logon type.

  • privileges, which grant specific privileges on the computer object.

The user rights that can be used to gain access to and/or compromise the computer objects they are applied to are detailed below. Reviewing these user rights can reveal additional vectors of credentials re-use, notably if user rights are defined for one of the following groups:

  • Everyone, SID: S-1-1-0

  • Anonymous, SID: S-1-5-7

  • Authenticated Users, SID: S-1-5-11

  • Users, SID: S-1-5-32-545

  • Domain Users, SID: S-1-5-<DOMAIN>-513

  • Domain Computers, SID: S-1-5-<DOMAIN>-515

Find user rights assignments in GPO

Resultant Set of Policy

The Windows gpresult built-in utility can be used to compute the Resultant Set of Policy (RSoP) for the current or a specified user, on the local or a remote system. It can generate an HTML report referencing the parameters effectively applied by GPO on the system.

The assigned user rights can be found in Computer Details -> Windows Settings -> Local Policies/User Rights Assignment.

# Generates the RSoP for the current user on the local system.
gpresult /H <REPORT_HTML>

# Generates the RSoP for the specified user on the local system.
gpresult /user <DOMAIN>\<USERNAME> /H <REPORT_HTML>

# Generates the RSoP for the current or specified user on the remote system (using the eventual given credentials).
gpresult [/u <RUN_AS_USER> /p <RUN_AS_USER_PASSWORD>] /s <HOSTNAME | IP> [/user <DOMAIN>\<USERNAME>] /H <REPORT_HTML>

Domain wide enumeration

The Grouper2 C# application and PingCastle's healthcheck can be used to enumerate user rights definitions in the most sensitive GPOs.

Grouper2.exe -g -f <OUTPUT_HTML_FILE>
Grouper2.exe -d "<DOMAIN>" -u "<USERNAME>" -p "<PASSWORD>" -s "\\<DC_HOSTNAME | DC_IP>\SYSVOL" -g -f <OUTPUT_HTML_FILE>

All the GPOs in the domain can also be exported in an HTML or XML report using the PowerShell GroupPolicy module's Get-GPOReport cmdlet:

# Export all the GPOs in the specified domain using the current security context.
# runas /netonly should be used for enumeration from a non-domain joined computer.

Get-GPOReport -All -ReportType <HTML | XML> [-Domain <DOMAIN>] [-Server <DC_HOSTNAME | DC_IP>] -Path <OUTPUT_FILE_PATH>

A more manual search through all the GPOs accessible with the given privileges can be conducted directly in PowerShell:

# Conducting the search either from the current user context or using the specified credential
net use Z: \\<DC_HOSTNAME | DC_IP>\SYSVOL
net use Z: \\<DC_HOSTNAME | DC_IP>\SYSVOL <PASSWORD> /user:<DOMAIN>\<USERNAME>
Get-ChildItem -Path Z:\ -Recurse -Force -File | Select-String SeInteractiveLogonRight,SeRemoteInteractiveLogonRight,SeImpersonatePrivilege,SeAssignPrimaryTokenPrivilege,SeTcbPrivilege,SeBackupPrivilege,SeRestorePrivilege,SeCreateTokenPrivilege,SeLoadDriverPrivilege,SeTakeOwnershipPrivilege,SeDebugPrivilege
net use Z: /delete
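The Select-String search above only tells you which files mention a right. As an added example (not part of the original notes), the Python script below parses the [Privilege Rights] section of the GptTmpl.inf files that carry user rights assignments in SYSVOL (path assumed: <SYSVOL>\<domain>\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf) and flags only the sensitive rights granted to the broad groups listed in the Overview. It works on a mounted SYSVOL or an offline copy, so it fits an audit or DFIR workflow; the SAMPLE_GPTTMPL content is constructed, and the list of sensitive rights is the one searched for above.

```python
import re
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

# Rights that the SYSVOL search above greps for (SeAssignPrimaryTokenPrivilege
# being the full name of the privilege). Assumption: this is the set worth flagging.
SENSITIVE_RIGHTS = {
    "SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
}

# Broad principals from the Overview. Well-known SIDs are fixed; the domain
# groups are matched on the RID at the end of an S-1-5-21-<domain> SID.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "Users",
}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "515": "Domain Computers"}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample of a GptTmpl.inf (SIDs and domain identifier are made up).
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513
SeBackupPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-1-0
"""


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Map each right of the [Privilege Rights] section to its principals.

    Members are comma separated; SIDs carry a leading '*', unresolved account
    names do not. Section headers are matched case-insensitively.
    """
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, members = line.partition("=")
        rights[name.strip()] = [m.strip().lstrip("*") for m in members.split(",") if m.strip()]
    return rights


def classify_principal(principal: str) -> Optional[str]:
    """Return a label when the principal is one of the broad groups, else None."""
    if principal in BROAD_SIDS:
        return BROAD_SIDS[principal]
    m = DOMAIN_SID_RE.match(principal)
    return BROAD_DOMAIN_RIDS.get(m.group(1)) if m else None


def find_risky_assignments(inf_text: str) -> List[Tuple[str, str, str]]:
    """(right, principal, label) for every sensitive right granted to a broad group."""
    findings = []
    for right, principals in parse_privilege_rights(inf_text).items():
        if right not in SENSITIVE_RIGHTS:
            continue
        for principal in principals:
            label = classify_principal(principal)
            if label:
                findings.append((right, principal, label))
    return findings


def read_gpttmpl(path: Path) -> str:
    """GptTmpl.inf is normally UTF-16 with a BOM; fall back to 8-bit text."""
    data = path.read_bytes()
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def scan_sysvol(root: Path) -> Iterator[Tuple[Path, Tuple[str, str, str]]]:
    """Walk a mounted SYSVOL (or an offline copy) and yield one finding per match."""
    for inf in root.glob("**/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf"):
        for finding in find_risky_assignments(read_gpttmpl(inf)):
            yield inf, finding


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python audit_rights.py Z:\  (or a path to an offline copy)
        for inf, (right, principal, label) in scan_sysvol(Path(sys.argv[1])):
            print(f"{inf}: {right} -> {principal} ({label})")
    else:
        for right, principal, label in find_risky_assignments(SAMPLE_GPTTMPL):
            print(f"{right} -> {principal} ({label})")
```

On the constructed sample, only SeInteractiveLogonRight granted to Authenticated Users and SeDebugPrivilege granted to Domain Users are reported; SeNetworkLogonRight for Everyone is not in the sensitive set, which matches the note below that it does not by itself allow remote command execution. On a case-sensitive filesystem, an offline copy must keep the MACHINE\Microsoft\Windows NT\SecEdit directory names as they appear in SYSVOL for the glob to match.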

PowerView can be used to find where exploitable GPOs are linked and possibly applied. Note: a GPO can be linked to an OU without necessarily being applied, as an OU can block inheritance of a non-enforced GPO, or a conflicting GPO with a higher precedence may override the exploitable GPO.

Get-DomainOU -GPLink "<GPO_GUID>" | ForEach-Object {
    Get-DomainComputer -SearchBase "LDAP://$($_.distinguishedname)" | Ft Name
}
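The PowerView pipeline above answers "where is this GPO linked"; whether it is actually applied depends on link order, enforcement and inheritance blocking. As an added example (not part of the original notes or of PowerView), the Python code below reproduces that precedence logic from the raw gPLink and gPOptions attributes of the containers between the domain root and the computer's OU: a link flagged 1 is disabled, 2 is enforced; gPOptions 1 on a container blocks non-enforced links from every container above it; enforced links win over non-enforced ones, with the domain-level enforced link winning over lower ones. The chain and GUIDs are constructed; site links, security filtering, WMI filters and the local GPO are deliberately left out.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# gPLink holds "[LDAP://<GPO DN>;<flags>]" entries. Flag bit 0 = link disabled,
# bit 1 = link enforced. gPOptions bit 0 on a container = block inheritance.
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
GUID_RE = re.compile(r"cn=\{([0-9a-f-]+)\}", re.IGNORECASE)
LINK_DISABLED = 1
LINK_ENFORCED = 2
BLOCK_INHERITANCE = 1

# Constructed GPO GUIDs and a constructed container chain, listed from the
# domain root down to the OU holding the computer object.
GPO_A = "AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA"
GPO_B = "BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB"
GPO_C = "CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCCCCCC"
GPO_D = "DDDDDDDD-DDDD-DDDD-DDDD-DDDDDDDDDDDD"
GPO_E = "EEEEEEEE-EEEE-EEEE-EEEE-EEEEEEEEEEEE"
POLICIES = "cn=policies,cn=system,DC=corp,DC=local"


def link(guid: str, flags: int) -> str:
    """Build one gPLink entry in the format stored in Active Directory."""
    return f"[LDAP://cn={{{guid}}},{POLICIES};{flags}]"


SAMPLE_CHAIN: List[Dict] = [
    {"dn": "DC=corp,DC=local",
     "gPLink": link(GPO_A, 2) + link(GPO_B, 0), "gPOptions": 0},        # A enforced
    {"dn": "OU=Servers,DC=corp,DC=local",
     "gPLink": link(GPO_C, 0), "gPOptions": 0},
    {"dn": "OU=Web,OU=Servers,DC=corp,DC=local",
     "gPLink": link(GPO_D, 0) + link(GPO_E, 1), "gPOptions": 1},        # blocks inheritance, E disabled
]


def parse_gplink(gplink: str) -> List[Tuple[str, bool]]:
    """(guid, enforced) per active link, in listed order.

    Within one container the first listed link has the highest precedence.
    """
    links = []
    for dn, flags in LINK_RE.findall(gplink or ""):
        f = int(flags)
        if f & LINK_DISABLED:
            continue
        m = GUID_RE.search(dn)
        if m:
            links.append((m.group(1).upper(), bool(f & LINK_ENFORCED)))
    return links


def effective_gpos(chain: List[Dict]) -> List[str]:
    """GPO GUIDs that apply to an object in the last container, highest precedence first."""
    enforced: List[str] = []
    normal: List[List[str]] = []
    for i, container in enumerate(chain):
        links = parse_gplink(container.get("gPLink", ""))
        # Non-enforced links are dropped when any container below this one blocks inheritance.
        blocked = any(c.get("gPOptions", 0) & BLOCK_INHERITANCE for c in chain[i + 1:])
        enforced.extend(g for g, e in links if e)
        normal.append([] if blocked else [g for g, e in links if not e])
    # Enforced links: domain root first. Then non-enforced links, nearest container first.
    ordered: List[str] = []
    for guid in enforced + [g for links in reversed(normal) for g in links]:
        if guid not in ordered:
            ordered.append(guid)
    return ordered


def winning_gpo(order: Iterable[str], defining: Iterable[str]) -> Optional[str]:
    """Among the GPOs that define a given setting, the one whose value is applied."""
    defining = set(defining)
    for guid in order:
        if guid in defining:
            return guid
    return None


if __name__ == "__main__":
    print("applied, highest precedence first:", effective_gpos(SAMPLE_CHAIN))
```

On the constructed chain only GPO_A (enforced at the domain) and GPO_D (linked on the blocking OU itself) apply; GPO_B and GPO_C are blocked and GPO_E is disabled. Clearing the block on OU=Web gives the order A, D, C, B, so a user rights entry defined in both C and B takes its value from C. The same logic applied to the containers returned by Get-DomainOU tells you whether a GPO with a risky user rights assignment actually reaches the computers beneath the link.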

User rights exploitation

Logon rights

The following logon rights can be defined to allow a user to log on to the computer:

Right                         | Description                                      | Exploitation technique
SeInteractiveLogonRight       | Allows a user to log on locally on the computer  | Requires physical access to the computer.
SeRemoteInteractiveLogonRight | Allows logon through Terminal Services           | Interactive logon using an RDP client.

Note that the SeNetworkLogonRight allows a user to access the shares exposed on the computer (subject to the share and NTFS permissions) but is not sufficient by itself to remotely execute commands.

The SeServiceLogonRight is not directly exploitable either, as only users with administrative privileges can install and configure services.

The SeBatchLogonRight alone cannot be used to remotely create and run scheduled tasks.

Privileges

The following privilege tokens can be used to locally elevate privileges to NT AUTHORITY\SYSTEM:

  • SeImpersonatePrivilege

  • SeAssignPrimaryTokenPrivilege

  • SeTcbPrivilege

  • SeBackupPrivilege

  • SeRestorePrivilege

  • SeCreateTokenPrivilege

  • SeLoadDriverPrivilege

  • SeTakeOwnershipPrivilege

The SeDebugPrivilege privilege can be used as well to directly dump the LSASS process.

Refer to the [Windows] Local privilege escalation note for more information on how to exploit those privilege tokens.


