In a previous post, we discussed Active Directory ACLs/ACEs and how they can be abused. Now we will look at how Active Directory GPOs can be abused.
Active Directory Group Policy Objects (GPOs) are a feature of Microsoft’s Active Directory that allows administrators to easily manage and configure settings for users, computers, and other Active Directory objects.
GPOs, in general, allow us to define and enforce policies across a network, such as security settings, software installations, and user preferences. This is super useful for keeping everything running smoothly!
GPOs are rules and preferences assigned to objects in the Active Directory and stored in the Active Directory database.
To apply a GPO to an object, we can use the Group Policy Management Console (GPMC) or other management tools.
Settings we can configure using a GPO include, but are not limited to:
Every OU with a linked GPO can be discovered via the gpLink attribute.
gpLink is an attribute of the AD object (domain, OU, or site) to which the group policy is linked.
The Group Policy Objects are located in the Policies container.
Creating a new GPO in the Group Policy Management Console places the object in the CN=Policies container.
Again, we can use PowerView to enumerate the permissions on all GPOs in the current domain:
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
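The defender-side counterpart to that enumeration, as an added example that is not part of the original post or of PowerView: it walks every GPO with the RSAT GroupPolicy module, flags trustees holding edit rights who are not on an expected-administrators list, and resolves where each flagged GPO is linked by searching gpLink. The expected-editors list and the module availability are assumptions.

```powershell
# Added example, not from the original post: audit every GPO in the domain for
# trustees that hold edit rights but are not on the expected administrative list,
# and show where each affected GPO is linked via the gpLink attribute.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and the
# running account can read GPO permissions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Trustees normally expected to hold edit rights on GPOs (assumption; adjust per environment).
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER')
# Permission levels that allow changing a GPO's contents (the second also its security).
$EditRights = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Get-GpoEditFinding {
    foreach ($gpo in Get-GPO -All) {
        # -All returns one entry per trustee in the GPO's ACL
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if ($perm.Permission -in $EditRights -and
                $perm.Trustee.Name -notin $ExpectedEditors) {

                # Objects in the domain partition (domain root, OUs) whose gpLink
                # references this GPO's GUID; gpLink stores the GUID in braces form
                $guid  = $gpo.Id.ToString('B').ToUpper()
                $links = Get-ADObject -LDAPFilter "(gpLink=*$guid*)" -Properties gpLink |
                         Select-Object -ExpandProperty DistinguishedName

                [PSCustomObject]@{
                    GPO         = $gpo.DisplayName
                    Trustee     = "$($perm.Trustee.Domain)\$($perm.Trustee.Name)"
                    TrusteeType = $perm.Trustee.SidType
                    Permission  = $perm.Permission
                    LinkedTo    = ($links -join '; ')
                }
            }
        }
    }
}

# Each row is a principal that could alter a policy applied to the linked containers,
# e.g. a non-admin user with edit rights on a GPO linked to the Domain Controllers OU.
Get-GpoEditFinding | Format-Table -AutoSize
```

A finding whose LinkedTo column includes the Domain Controllers OU deserves the highest priority, since any user or computer setting pushed through that GPO lands on the domain controllers themselves.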
We find that the user ‘GPOWRITE.USER’ can modify the ‘Default Domain Controllers Policy’ GPO, which is linked to the ‘Domain Controllers’ OU containing the ‘FIRST-DC’ computer object.
In BloodHound, this relationship looks like this:
Now, to abuse this, we can use SharpGPOAbuse.
The command was successful, and the GPO is now updated.
The updated file is visible on FIRST-DC, and the Group Policy Management Console shows the exact settings that were added.
Group Policy is refreshed by default about every 90 minutes; after that, we can verify our results on the target system.
Looking at the Task Scheduler, we can see that Task1 has been created.
When executed, we receive our callback.
And we got our shell.