Exploitation - GPO users rights

Overview

GPOs can be used to assign user rights on the computer objects they are applied to.

User rights fall into two general categories:

  • logon rights, which grant the specified user the right to log on and define the allowed logon type.

  • privileges, which grant a number of specific privileges on the computer object.

The user rights that can be used to gain access to and/or compromise the computer objects they are applied to are detailed below. Reviewing these user rights can reveal additional credential re-use vectors, notably if user rights are assigned to one of the following groups:

  • Everyone, SID: S-1-1-0

  • Anonymous, SID: S-1-5-7

  • Authenticated Users, SID: S-1-5-11

  • Users, SID: S-1-5-32-545

  • Domain Users, SID: S-1-5-<DOMAIN>-513

  • Domain Computers, SID: S-1-5-<DOMAIN>-515

Find user rights assignments in GPO

Resultant Set of Policy

The Windows gpresult built-in utility can be used to compute the Resultant Set of Policy (RSoP) for the current or a specified user, on the local or a remote system. It can generate an HTML report listing the parameters effectively applied by GPO on the system.

The user rights assigned can be found under Computer Details -> Windows Settings -> Local Policies/User Rights Assignment.

# Generates the RSoP for the current user on the local system.
gpresult /H <REPORT_HTML>

# Generates the RSoP for the specified user on the local system.
gpresult /user <DOMAIN>\<USERNAME> /H <REPORT_HTML>

# Generates the RSoP for the current or specified user on the remote system (using the given credentials, if any).
gpresult [/u <RUN_AS_USER> /p <RUN_AS_USER_PASSWORD>] /s <HOSTNAME | IP> [/user <DOMAIN>\<USERNAME>] /H <REPORT_HTML>

Domain wide enumeration

The Grouper2 C# application and PingCastle's healthcheck can be used to enumerate user rights definitions in the most sensitive GPOs.

Grouper2.exe -g -f <OUTPUT_HTML_FILE>
Grouper2.exe -d "<DOMAIN>" -u "<USERNAME>" -p "<PASSWORD>" -s "\\<DC_HOSTNAME | DC_IP>\SYSVOL" -g -f <OUTPUT_HTML_FILE>

All the GPOs in the domain can also be exported in an HTML or XML report using the PowerShell GroupPolicy module's Get-GPOReport cmdlet:

# Export all the GPOs in the specified domain using the current security context.
# runas /Netonly should be used for enumeration from a non-domain joined computer.

Get-GPOReport -All -ReportType <HTML | XML> [-Domain <DOMAIN>] [-Server <DC_HOSTNAME | DC_IP>] -Path <OUTPUT_FILE_PATH>

A more manual search through all the GPOs accessible with the given privileges can be conducted directly in PowerShell:

# Conducting the search either from the current user context or using the specified credentials.
net use Z: \\<DC_HOSTNAME | DC_IP>\SYSVOL
net use Z: \\<DC_HOSTNAME | DC_IP>\SYSVOL <PASSWORD> /user:<DOMAIN>\<USERNAME>
# User rights assignments live in the GptTmpl.inf security templates; -File avoids feeding directories to Select-String.
Get-ChildItem -Path Z:\ -Recurse -Force -File | Select-String SeInteractiveLogonRight,SeRemoteInteractiveLogonRight,SeImpersonatePrivilege,SeAssignPrimaryTokenPrivilege,SeTcbPrivilege,SeBackupPrivilege,SeRestorePrivilege,SeCreateTokenPrivilege,SeLoadDriverPrivilege,SeTakeOwnershipPrivilege,SeDebugPrivilege
net use Z: /delete
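The Select-String search above only returns raw lines; the following PowerShell script, added here as an example and not part of the original notes, parses the [Privilege Rights] section of every GptTmpl.inf under SYSVOL and reports the sensitive rights that are granted to the broad groups listed in the overview. It assumes read access to SYSVOL; the $SysvolPath value is a placeholder to replace.

```powershell
# Added example (not from the original page): flag sensitive user rights granted to
# broad principals in GPO security templates. $SysvolPath is a placeholder to replace.
$SysvolPath = "\\<DC_HOSTNAME | DC_IP>\SYSVOL"

# User rights from this page that allow access to, or compromise of, the computer.
$SensitiveRights = @(
    'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeTcbPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeCreateTokenPrivilege',
    'SeLoadDriverPrivilege', 'SeTakeOwnershipPrivilege', 'SeDebugPrivilege'
)

# Well-known SIDs; domain-relative groups are matched on their RID suffix.
$BroadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous';
                'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }
$BroadDomainRids = @{ '513' = 'Domain Users'; '515' = 'Domain Computers' }

function Get-BroadPrincipalName([string]$Sid) {
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and $BroadDomainRids.ContainsKey($Matches[1])) {
        return $BroadDomainRids[$Matches[1]]
    }
    return $null
}

# Each GPO keeps its machine security template in MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf,
# a UTF-16LE INI file whose [Privilege Rights] section holds "Right = *SID,*SID" lines.
Get-ChildItem -Path $SysvolPath -Recurse -Force -File -Filter 'GptTmpl.inf' -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $inPrivilegeRights = $false
    foreach ($rawLine in Get-Content -Path $file.FullName) {   # Get-Content honours the UTF-16 BOM
        $line = $rawLine.Trim()
        if ($line -match '^\[(.+)\]$') { $inPrivilegeRights = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inPrivilegeRights) { continue }
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $SensitiveRights -contains $Matches[1]) {
            $right = $Matches[1]
            $principals = $Matches[2] -split ','   # captured before any further -match overwrites $Matches
            foreach ($principal in $principals) {
                $sid  = $principal.Trim().TrimStart('*')
                $name = Get-BroadPrincipalName $sid
                if ($name) {
                    [pscustomobject]@{ GPO = $file.DirectoryName; Right = $right; Principal = $name; SID = $sid }
                }
            }
        }
    }
} | Format-Table -AutoSize
```

A hit only proves the GPO defines the right; whether it is effectively applied to a given computer still has to be confirmed with the RSoP or the PowerView link enumeration described below.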

PowerView can be used to find where exploitable GPOs are linked and possibly applied. Note: a GPO can be linked to an OU but not necessarily applied, as an OU can block inheritance of a non-enforced GPO, or a conflicting GPO with a higher precedence may supplant the exploitable GPO.

Get-DomainOU -GPLink "<GPO_GUID>" | ForEach-Object {
    Get-DomainComputer -SearchBase "LDAP://$($_.distinguishedname)" | Ft Name
}

User rights exploitation

Logon rights

The following logon rights can be defined to allow a user to log on to the computer:

Right | Description | Exploitation technique
SeInteractiveLogonRight | Allows a user to log on locally on the computer | Requires physical access to the computer.
SeRemoteInteractiveLogonRight | Allows logon through Terminal Services | Interactive logon using an RDP client.

Note that the SeNetworkLogonRight allows a user to access the exposed shares on the computer (under restrictions of the shares and NTFS permissions) but is not sufficient by itself to remotely execute commands.

The SeServiceLogonRight is not directly exploitable either, as only users with administrative privileges can install and configure services.

The SeBatchLogonRight alone can not be used to remotely create and run scheduled tasks.

Privileges

The following privilege tokens can be used to locally elevate privileges to NT AUTHORITY\SYSTEM:

  • SeImpersonatePrivilege

  • SeAssignPrimaryTokenPrivilege

  • SeTcbPrivilege

  • SeBackupPrivilege

  • SeRestorePrivilege

  • SeCreateTokenPrivilege

  • SeLoadDriverPrivilege

  • SeTakeOwnershipPrivilege

The SeDebugPrivilege privilege can be used as well to directly dump the LSASS process.

Refer to the [Windows] Local privilege escalation note for more information on how to exploit those privilege tokens.
