ID04 | GPO
A GPO whose ACL grants edit rights to a broad principal (here, Authenticated Users) can be modified by any domain user or computer account, and therefore abused to push a malicious scheduled task (or any other setting) to every computer and user in the OUs the GPO is linked to.
References:
WithSecure Labs (SharpGPOAbuse)
wald0.com (A Red Teamer's Guide to GPOs and OUs)
Table of available actions, states, and targets

| Vulnerability ID | Trigger available | Default state | Default target |
|---|---|---|---|
| 04 \| GPO | No | Absent | srv01 & gustavo.fring |
Launch

Enable

```bash
# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/04.yml --extra-vars "action=enable"
```

Disable

```bash
# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/04.yml --extra-vars "action=disable"
```
Implementation
Enable
A user called gustavo.fring is created and added to the Cartel organizational unit (OU). The machine srv01 is also moved into that OU. A GPO called Los Pollos Hermanos is created and linked to the OU (the GPO itself configures nothing). The Authenticated Users group is granted the GpoEditDeleteModifySecurity permission on the GPO, so any authenticated domain user or computer account, not only administrators, can edit its settings, and those settings apply to srv01 and gustavo.fring.
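The check a defender (or a red teamer enumerating the lab) wants here is "which GPOs can broad principals edit, and what do they apply to?". The following PowerShell is an added example, not part of the lab's Ansible playbooks: it walks every GPO with the RSAT GroupPolicy module, flags trustees such as Authenticated Users, Everyone, Domain Users or Domain Computers that hold GpoEdit or GpoEditDeleteModifySecurity, and resolves the OUs the GPO is linked to via their gPLink attribute. The well-known SIDs and RID suffixes used to match the trustees are standard; the assumption is a domain-joined host with the GroupPolicy and ActiveDirectory modules installed.

```powershell
# Added example (not from the lab or its playbooks): audit GPO ACLs for edit
# rights held by broad principals and show the OUs/objects they would affect.
# Assumes RSAT GroupPolicy + ActiveDirectory modules on a domain-joined host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Rights that let a trustee change what the GPO does on its targets.
$DangerousRights = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Test-BroadTrustee {
    # Match on SID rather than display name so localized domains still work.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $s = $Sid.Value
    return ($s -eq 'S-1-5-11') -or   # Authenticated Users
           ($s -eq 'S-1-1-0')  -or   # Everyone
           ($s -like '*-513')  -or   # Domain Users
           ($s -like '*-515')        # Domain Computers
}

function Get-OverPermissiveGpoLinks {
    # Cache OUs once; gPLink holds "[LDAP://cn={GUID},...;0][...]" per linked GPO.
    $ous = Get-ADOrganizationalUnit -Filter * -Properties gPLink

    foreach ($gpo in Get-GPO -All) {
        # -All returns one entry per ACE trustee on the GPO.
        foreach ($ace in (Get-GPPermission -Guid $gpo.Id -All)) {
            if ($DangerousRights -notcontains "$($ace.Permission)") { continue }
            if (-not (Test-BroadTrustee -Sid $ace.Trustee.Sid))     { continue }

            $guidToken = [regex]::Escape("{$($gpo.Id)}")
            $linked = $ous | Where-Object { $_.gPLink -match $guidToken }
            if (-not $linked) {
                # Still report it: an unlinked GPO with weak rights becomes
                # dangerous the moment someone links it.
                [pscustomobject]@{
                    GPO = $gpo.DisplayName; Trustee = $ace.Trustee.Name
                    Permission = $ace.Permission; LinkedOU = '(not linked)'
                    Computers = ''; Users = ''
                }
                continue
            }
            foreach ($ou in $linked) {
                $dn = $ou.DistinguishedName
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    Trustee    = $ace.Trustee.Name
                    Permission = $ace.Permission
                    LinkedOU   = $dn
                    Computers  = (Get-ADComputer -Filter * -SearchBase $dn).Name -join ','
                    Users      = (Get-ADUser -Filter * -SearchBase $dn).SamAccountName -join ','
                }
            }
        }
    }
}

# In the lab as enabled above this should list "Los Pollos Hermanos" with
# Authenticated Users / GpoEditDeleteModifySecurity, linked to the Cartel OU,
# with srv01 under Computers and gustavo.fring under Users.
Get-OverPermissiveGpoLinks | Format-Table -AutoSize

# Remediation for a finding: drop the trustee back to apply-only rights
# (-Replace overwrites the existing ACE for that trustee instead of adding one).
# Set-GPPermission -Name 'Los Pollos Hermanos' -TargetName 'Authenticated Users' `
#     -TargetType Group -PermissionLevel GpoApply -Replace
```

The script only inspects OU links; GPOs linked at the domain or site level are not matched because their gPLink lives on the domain head and site objects rather than on an OU. On the offensive side, a GPO that shows up here is exactly what SharpGPOAbuse's AddComputerTask mode targets: the task is written into the GPO's SYSVOL folder and runs as SYSTEM on each linked computer at the next policy refresh, so the Computers column is the blast radius.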
Disable
The GPO Los Pollos Hermanos is deleted, as is the gustavo.fring user. The machine srv01 is then moved back to the Computers container.