# GPO的利用 在 AD 环境中进行渗透测试时,GPO 对我们来说会是一个具有吸引力的目标。如果我们对 GPO 具有修改权限或更高权限,我们就可以攻陷其他用户并获得**远程代码执行**或/和**横向移动**,以及**持久化访问**。 以下屏幕截图显示了 PROD 域 中的所有 GPO。 在开始枚举和利用之前,让我们熟悉一些有关 GPO 的术语。 ### **概念与术语** #### **组策略** 组策略是 Windows 操作系统的一项功能,用于控制用户和计算机帐户的工作环境。 组策略在 Active Directory 环境中提供操作系统、应用程序和用户设置的集中管理和配置。 #### **GPO** 组策略对象 (GPO) 是一组设置,用于定义系统的配置及其对预定义用户组的作用。 GPO 可以链接到 AD 中的**站点**、**域**或**组织单位 (OU)**。 它们可用于配置系统设置、安装软件以及将安全策略应用于这些容器中的用户和计算机。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/l2vJkLxoIgMlWMiP-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/l2vJkLxoIgMlWMiP-image.png) 新建域中有两个默认 GPO:**默认域控制器策略**和**默认域策略**。每个 GPO 都有一个唯一的 GUID。 例如,默认域控制器策略的 GUID 是 **{6AC1786C-016F-11D2-945F-00C04fB984F9}**,每个域都将具有相同的值。自定义 GPO **AppLocker** 的 GUID 是 **{6CBEAF1A-9C1D-4FEA-A0A8-4D4053996030}**。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/mRTtXii9Q9AEQ4kY-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/mRTtXii9Q9AEQ4kY-image.png) [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/pOlFAhvz3dURVxPX-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/pOlFAhvz3dURVxPX-image.png) #### **OU 组织单位** 组织单位 (OU) 是一个容器对象,可以容纳其他 AD 对象,例如用户帐户、计算机帐户和其他 OU。OU 用于分层组织和管理 AD 对象,并可用于委派对特定对象或对象组的管理控制。 PROD 域中有 6 个 OU; 它们分别是 **Domain Controllers**,、**Groups**, **Assets**,、**File Server**,、**Web Server**、**SQL Server**。其中,OU Assets 包含了 2 个 OU:File Server, SQL Server。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/NnU58YB1VHaAJfpR-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/NnU58YB1VHaAJfpR-image.png) #### **GPLink** GPLink,即 GPO 链接,可以连接到 AD 容器,例如站点、域或 OU。GPO 链接将 GPO 应用于它们链接到的容器内的对象。GPO 链接可以被**启用**或**禁用**、**强制**或**不强制**,以及配置 GPO 作用的顺序。一个 GPO 可以链接到多个 OU,链接到 OU 的 GPO 将应用于该 OU 和所有子 OU 中的所有对象。 但是,如果链接**已启用但未强制**,则子 OU 可以选择**阻止继承**。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/uK8GXyOBuJr7R1oM-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/uK8GXyOBuJr7R1oM-image.png) [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/KybC8Czlm9Fp933w-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/KybC8Czlm9Fp933w-image.png) 以 PROD 的上下文为例子,GPO **Writable** 作用于 **Assets** 这个 OU,默认情况下,Assets 包含的 2 个子 OU 全部会继承该 GPO 的作用。除非该 GPLink 被配置了启用但不强制,且子 OU 选择阻止继承。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/Ljg5KaZOIDCsDEKV-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/Ljg5KaZOIDCsDEKV-image.png) 在我们的例子中,GPO AppLocker 被链接到了 File Server,RunAsPPL 被链接到了 SQL Server,分别是域主机 File01,Srv0 被作用。 而默认域策略链接到 PROD 域,默认域控制器策略链接到了 OU Domain Controllers。 #### **安全筛选** 安全过滤是指定哪些用户和组帐户应受 GPO 影响的过程。 这允许管理员将策略应用于特定用户组,而不是组织单位 (OU) 中的所有用户。 我们注意到 GPO 的默认安全过滤设置是 Authenticated Users 组。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/LcggctShfcqRKbjl-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/LcggctShfcqRKbjl-image.png) #### **WMI 筛选器** WMI 过滤是 GPO 的一项功能,它允许管理员仅在满足 **Windows Management Instrumentation (WMI)** 查询的条件时才应用 GPO,进一步限制哪些计算机和用户受到影响。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/qtobomtEB6p79DK0-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/qtobomtEB6p79DK0-image.png) WMI 查询的语法与 SQL 查询非常相似; 例如,要过滤所有 64 位计算机(尽管所有计算机都满足此查询),WMI 查询应该是: ```sql SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture ="64-bit" ``` PROD 域中存在一个 WMI筛选器 Example,筛选出了所有的 64 位主机。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/4RhNcDwM0huBNqbw-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/4RhNcDwM0huBNqbw-image.png) 一个 GPO 一次只能分配 1 个 WMI 筛选器,并且域主体可以对其拥有 DACL。因此,WMI 过滤也会成为攻击目标。 #### **SYSVOL** 在 Dc01 上,**SYSVOL** 共享目录位于 **C:\\windows\\sysvol**。默认情况下,它对于域中所有认证用户都是可读的。SYSVOL 是 Windows AD 环境中域控制器上的一个文件夹,其中包含所有 GPO 策略文件的服务器副本。它们被复制到域中的所有其他域控制器。SYSVOL 文件夹确保相同的组策略和登录脚本文件在域中的所有计算机上可用。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/R1h88Pge0Szy2Eym-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/R1h88Pge0Szy2Eym-image.png) #### **组策略首选项** 组策略首选项 (GPP) 是 AD 中组策略的一项功能,允许管理员配置和管理传统组策略设置未涵盖的设置。它扩展了组策略,使我们能够配置未包含在标准组策略设置中的设置,例如映射驱动器、计划任务和注册表设置。比如我们添加了一个GPP,它从指定的 SMB 服务器拉取一个文件,保存到 C 盘根目录。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/DDa5dG8E8CoZYpwF-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/DDa5dG8E8CoZYpwF-image.png) 添加完之后,在受影响的主机上,例如 File01,执行 gpupdate /force 命令。然后,文件就被拉取下来了。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/6nPRttdBhbS4TDNN-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/6nPRttdBhbS4TDNN-image.png) #### **客户端扩展** 根据 Microsoft[ https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v=ws.11)](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v=ws.11)) ,组策略首选项是**组策略客户端扩展 (CSE)** 的集合。 属性 **gPCMachineExtensionNames** 指定了组策略需要哪些 CSE。根据截图,上文我们提到的能拉取文件的 GPP 的preference值为 **\[{00000000-0000-0000-0000-000000000000}{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}\]\[{7150F9BF-48AD-4DA4-A49C-29EF4A836 9BA }{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}\]** [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/5UoVG39Kvclm7qzr-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/5UoVG39Kvclm7qzr-image.png) 根据 [https://gist.github.com/MyITGuy/92dcede89ab861ffb31cac9f284ffcc3](https://gist.github.com/MyITGuy/92dcede89ab861ffb31cac9f284ffcc3) 的脚本,这个值所对应的含义是 **\[{Core GPO Engine}{Preference Tool CSE GUID Files}\]\[{Preference CSE GUID Files}{Preference Tool CSE GUID Files }\]** ```shell {00000000-0000-0000-0000-000000000000} Core GPO Engine {0E28E245-9368-4853-AD84-6DA3BA35BB75} Preference CSE GUID Environment Variables {0F6B957D-509E-11D1-A7CC-0000F87571E3} Tool Extension GUID (Computer Policy Settings) {0F6B957E-509E-11D1-A7CC-0000F87571E3} Tool Extension GUID (User Policy Settings) – Restrict Run {1612b55c-243c-48dd-a449-ffc097b19776} Preference Tool CSE GUID Data Sources {17D89FEC-5C44-4972-B12D-241CAEF74509} Preference CSE GUID Local users and groups {1A6364EB-776B-4120-ADE1-B63A406A76B5} Preference CSE GUID Devices {1b767e9a-7be4-4d35-85c1-2e174a7ba951} Preference Tool CSE GUID Devices {25537BA6-77A8-11D2-9B6C-0000F8080861} Folder Redirection {2EA1A81B-48E5-45E9-8BB7-A6E3AC170006} Preference Tool CSE GUID Drives {3060E8CE-7020-11D2-842D-00C04FA372D4} Remote Installation Services. {35141B6B-498A-4CC7-AD59-CEF93D89B2CE} Preference Tool CSE GUID Environment Variables {35378EAC-683F-11D2-A89A-00C04FBBCFA2} Registry Settings {3610EDA5-77EF-11D2-8DC5-00C04FA31A66} Microsoft Disk Quota {3A0DBA37-F8B2-4356-83DE-3E90BD5C261F} Preference CSE GUID Network Options {3BAE7E51-E3F4-41D0-853D-9BB9FD47605F} Preference Tool CSE GUID Files {3BFAE46A-7F3A-467B-8CEA-6AA34DC71F53} Preference Tool CSE GUID Folder Options {3EC4E9D3-714D-471F-88DC-4DD4471AAB47} Preference Tool CSE GUID Folders {40B66650-4972-11D1-A7CA-0000F87571E3} Scripts (Logon/Logoff) Run Restriction {42B5FAAE-6536-11d2-AE5A-0000F87571E3} ProcessScriptsGroupPolicy {47BA4403-1AA0-47F6-BDC5-298F96D1C2E3} Print Policy in PolicyMaker {4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} Internet Explorer Zonemapping {516FC620-5D34-4B08-8165-6A06B623EDEB} Preference Tool CSE GUID Ini Files {53D6AB1D-2488-11D1-A28C-00C04FB94F17} Certificates Run Restriction {5794DAFD-BE60-433f-88A2-1A31939AC01F} Preference CSE GUID Drives {5C935941-A954-4F7C-B507-885941ECE5C4} Preference Tool CSE GUID Internet Settings {6232C319-91AC-4931-9385-E70C2B099F0E} Group Policy Folders {6232C319-91AC-4931-9385-E70C2B099F0E} Preference CSE GUID Folders {6A4C88C6-C502-4f74-8F60-2CB23EDC24E2} Preference CSE GUID Network Shares {7150F9BF-48AD-4da4-A49C-29EF4A8369BA} Preference CSE GUID Files {728EE579-943C-4519-9EF7-AB56765798ED} Preference CSE GUID Data Sources {74EE6C03-5363-4554-B161-627540339CAB} Preference CSE GUID Ini Files {79F92669-4224-476c-9C5C-6EFB4D87DF4A} Preference Tool CSE GUID Local users and groups {7B849a69-220F-451E-B3FE-2CB811AF94AE} Internet Explorer User Accelerators/PolicyMaker {803E14A0-B4FB-11D0-A0D0-00A0C90F574B} Computer Restricted Groups {827D319E-6EAC-11D2-A4EA-00C04F79F83A} Security {88E729D6-BDC1-11D1-BD2A-00C04FB9603F} Folder Redirection {8A28E2C5-8D06-49A4-A08C-632DAA493E17} Deployed Printer Connections {91FBB303-0CD5-4055-BF42-E512A681B325} Preference CSE GUID Services {942A8E4F-A261-11D1-A760-00C04FB9603F} Software Installation (Computers). {949FB894-E883-42C6-88C1-29169720E8CA} Preference Tool CSE GUID Network Options {9AD2BAFE-63B4-4883-A08C-C3C6196BCAFD} Preference Tool CSE GUID Power Options {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} Internet Explorer Maintenance policy processing {A3F3E39B-5D83-4940-B954-28315B82F0A8} Preference CSE GUID Folder Options {A8C42CEA-CDB8-4388-97F4-5831F933DA84} Preference Tool CSE GUID Printers {AADCED64-746C-4633-A97C-D61349046527} Preference CSE GUID Scheduled Tasks {B087BE9D-ED37-454f-AF9C-04291E351182} Preference CSE GUID Registry {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} EFS Recovery {B587E2B1-4D59-4e7e-AED9-22B9DF11D053} 802.3 Group Policy {B9CCA4DE-E2B9-4CBD-BF7D-11B6EBFBDDF7} Preference Tool CSE GUID Regional Options {BACF5C8A-A3C7-11D1-A760-00C04FB9603F} Software Installation (Users) Run Restriction {BC75B1ED-5833-4858-9BB8-CBF0B166DF9D} Preference CSE GUID Printers {BEE07A6A-EC9F-4659-B8C9-0B1937907C83} Preference Tool CSE GUID Registry {BFCBBEB0-9DF4-4c0c-A728-434EA66A0373} Preference Tool CSE GUID Network Shares {C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7} Preference CSE GUID Shortcuts {C631DF4C-088F-4156-B058-4375F0853CD8} Microsoft Offline Files {C6DC5466-785A-11D2-84D0-00C04FB169F7} Application Management {CAB54552-DEEA-4691-817E-ED4A4D1AFC72} Preference Tool CSE GUID Scheduled Tasks {CC5746A9-9B74-4be5-AE2E-64379C86E0E4} Preference Tool CSE GUID Services {cdeafc3d-948d-49dd-ab12-e578ba4af7aa} TCPIP {CEFFA6E2-E3BD-421B-852C-6F6A79A59BC1} Preference Tool CSE GUID Shortcuts {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} Internet Explorer Machine Accelerators {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} Policy Maker {CF848D48-888D-4F45-B530-6A201E62A605} Preference Tool CSE GUID Start Menu {D02B1F72-3407-48AE-BA88-E8213C6761F1} Tool Extension GUID (Computer Policy Settings) {D02B1F73-3407-48AE-BA88-E8213C6761F1} Tool Extension GUID (User Policy Settings) {e437bc1c-aa7d-11d2-a382-00c04f991e27} IP Security {E47248BA-94CC-49C4-BBB5-9EB7F05183D0} Preference CSE GUID Internet Settings {E4F48E54-F38D-4884-BFB9-D4D2E5729C18} Preference CSE GUID Start Menu {E5094040-C46C-4115-B030-04FB2E545B00} Preference CSE GUID Regional Options {E62688F0-25FD-4c90-BFF5-F508B9D2E31F} Preference CSE GUID Power Options {F0DB2806-FD46-45B7-81BD-AA3744B32765} Policy Maker {F17E8B5B-78F2-49A6-8933-7B767EDA5B41} Policy Maker {F27A6DA8-D22B-4179-A042-3D715F9E75B5} Policy Maker {f3ccc681-b74c-4060-9f26-cd84525dca2a} Audit Policy Configuration {F581DAE7-8064-444A-AEB3-1875662A61CE} Policy Maker {F648C781-42C9-4ED4-BB24-AEB8853701D0} Policy Maker {F6E72D5A-6ED3-43D9-9710-4440455F6934} Policy Maker {F9C77450-3A41-477E-9310-9ACD617BD9E3} Group Policy Applications {FB2CA36D-0B40-4307-821B-A13B252DE56C} Enterprise QoS {FC715823-C5FB-11D1-9EEF-00A0C90347FF} Internet Explorer Maintenance Extension protocol {FD2D917B-6519-4BF7-8403-456C0C64312F} Policy Maker {FFC64763-70D2-45BC-8DEE-7ACAF1BA7F89} Policy Maker ``` ### **枚举** 我们有多种方式来枚举GPO,无论是通过系统自身特性,还是工具。收集足够的信息对于利用 GPO 至关重要。 #### **SYSVOL** 考虑到 SYSVOL 包含所有 GPO 的策略文件,并且任何认证的域用户都可以访问此共享,我们可以检查文件和文件夹以枚举 GPO 信息。 访问UNC路径 **\\\\dc01.prod.raven-med.local\\sysvol\\prod.raven-med.local\\policies**,我们可以看到所有GPO的文件夹: [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/BmiT9akaUIFbS6rV-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/BmiT9akaUIFbS6rV-image.png) 每个文件夹都是 **{GUID}** 的格式,因此,文件夹 **{6CBEAF1A-9C1D-4FEA-A0A8-4D4053996030}** 存储 GPO AppLocker 的策略文件。GPO 文件夹中有 **Machines** 和 **User** 两个文件夹和一个 ini 文件 **GPT.INI**。ini文件包含版本信息,如果版本值增加,命令 gpupdate 将应用新设置。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/MYZSHHLnif1CRuP0-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/MYZSHHLnif1CRuP0-image.png) 我们在 Machine 文件夹中找到一个文件 Registry.pol; 它包含详细的 AppLocker 设置。虽然显示较为凌乱,但是我们还是能提取到配置信息的。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/cyevRXqe0hxi5OQv-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/cyevRXqe0hxi5OQv-image.png) 查看 GPO RunAsPPL 的配置文件,我们发现 Registry.xml 文件配置了作用于目标 OU 的注册表设置 ```xml ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/mQ7onaxR5p7Qfq2L-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/mQ7onaxR5p7Qfq2L-image.png) #### **寻血猎犬** 在 BloodHound 中,我们可以直观地观察域对象与 GPO 之间的关系。例如,计算机帐户 **Srv01$** 对GPO **Writable** 具有修改权限。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/Mp6VeNWKiaDseTUj-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/Mp6VeNWKiaDseTUj-image.png) 而 Writable 影响 OU **Assets** [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/BPwxSy1mRj2HHdii-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/BPwxSy1mRj2HHdii-image.png) 因为 Assets 包含子 OU,最终有 2 台域主机被 Writable 所影响。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/TAr2uTJiFaOrfOsJ-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/TAr2uTJiFaOrfOsJ-image.png) #### **PowerView** 我们在前面的章节中简要地谈到了使用 PowerView 来枚举 GPO,让我们回顾一下,以 GPO AppLocker 为例。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/nbezZvtVo2ggDAcA-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/nbezZvtVo2ggDAcA-image.png) 我们可以看到 GPO 的多个属性,例如 displayname、GUID、gpcmachineextensionnames、版本信息等。 要查找对 GPO 具有修改权限的普通用户 (非域管理员等高权限用户),执行以下命令: ```powershell Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl ConvertFrom-SID <得到的SID> get-netgpo | ?{$_.name -eq "{<得到的GUID>}"} ``` 我们发现,有一个普通用户对一 GPO 具有修改权限,查询返回了该用户的 SID 与 GPO 的 GUID。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/iV4M3GLsrCVRE9jV-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/iV4M3GLsrCVRE9jV-image.png) 查询该 SID,发现是 **SRV01$** 主机账号。查询该 GPO,发现是 GPO **Writable**。那么,至此,我们已经发现了一个 GPO 的利用途径。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/vcnVAaf0A6S9KZyZ-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/vcnVAaf0A6S9KZyZ-image.png) #### **SharpGPO** SharpGPO ([https://github.com/Dliv3/SharpGPO](https://github.com/Dliv3/SharpGPO)) 是枚举和操纵 GPO、OU、GPLink 和安全过滤器的优秀工具。我们先下载源码,打开项目文件,然后将文件 **GPO.cs** 中 **199 行到 203 行**的代码片段注释掉。否则,在运行时我们会遇到异常。 修改后重新编译,得到二进制文件。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/7HPK2CwqQuzd01Tl-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/7HPK2CwqQuzd01Tl-image.png) ```c# /* DirectoryEntry[] sites = GetSites(); foreach (DirectoryEntry site in sites) { links.Add(site, GetGPOByGpLink((string)site.Properties["gPLink"].Value)); }*/ ``` **枚举所有 OU:** ```powershell SharpGPO.exe --Action GetOU ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/zm1kmhFdAvFr9Q5n-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/zm1kmhFdAvFr9Q5n-image.png) **枚举所有 GPO:** ```powershell SharpGPO.exe --Action GetGPO ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/HXigwGmhOxhxwCj2-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/HXigwGmhOxhxwCj2-image.png) **枚举所有 GPLink:** ```powershell SharpGPO.exe --Action GetGPLink ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/cb7cBJlJz445debS-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/cb7cBJlJz445debS-image.png) 如果没有注释之前提到的代码片段,会有如下报错: [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/fwqs4ZEeKvxvPmST-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/fwqs4ZEeKvxvPmST-image.png) **枚举特定 GPO 的安全过滤器:** ```powershell SharpGPO.exe --Action GetSecurityFiltering --gponame AppLocker ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/RL8wjHowXzOv7bg9-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/RL8wjHowXzOv7bg9-image.png) ### ### **利用** 根据前面的枚举,主机账号 Srv01 对GPO Writable 有修改权限,因此,我们可以利用不安全的权限来获得代码执行、横向移动和访问持久化。我们也有多种方式来实现这些目标。 #### **可写 GPO** 从 Srv01 获取 SYSTEM 会话,并分别尝试将文件写入 **AppLocker** 和 **Writable** 的文件夹。Srv01$ 不可以在 AppLocker 文件夹中写入文件,即没有写权限。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/ewxzjtugd53xpWhg-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/ewxzjtugd53xpWhg-image.png) 而对于拥有写权限的 GPO Writable 的文件夹,Srv01$ 成功写入了文件。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/1sTIerIxAsrqajG9-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/1sTIerIxAsrqajG9-image.png) 因此,用户对 GPO 及其 SYSVOL 共享文件夹的权限是一致的。考虑到 Srv01 没有足够的权限来操作 Dc01。 之前,我们在 GPO Writable 上添加了一个 GPP,即从 File01 的 **Tools 共享**中拉取一个文本文件。这篇文章 ([https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/?utm\_content=140183152&utm\_medium=social&utm\_source=twitter&hss\_channel=tw-403811306](https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/?utm_content=140183152&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306)) 很好地说明了如何操作策略文件,以及 **gPCMachineExtensionNames** 属性以修改首选项。例如,我们可以修改首选项以**创建计划任务**来执行我们的载荷。但是,要实现这一点,我们需要以正确的格式创建一个 XML 文件 **ScheduledTasks.xml**,找到所需的 **gPCMachineExtensionNames** 属性值 **\[{00000000-0000-0000-0000-000000000000}{79F92669-4224-476C-9C5C-6EFB4D87DF4A} {CAB54552-DEEA-4691-817E-ED4A4D1AFC72}\]\[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}\]**,并更新 **GPT.INI** 文件。SharpGPOAbuse ([https://github.com/FSecureLABS/SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse)) 或 SharpGPO 等工具已经为我们包装了这些步骤和操作,我们可以使用以下命令运行 SharpGPOAbuse: ```powershell sharpgpoabuse.exe --AddComputerScript --ScriptName logon.bat --ScriptContents "calc.exe" --GPOName "Writable" ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/cEbgCZUhm4QPb08A-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/cEbgCZUhm4QPb08A-image.png) 我们可以看到,脚本被创建成功了: [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/22yXO8V6Q4lbHyPa-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/22yXO8V6Q4lbHyPa-image.png) GPT.INI 也被修改了,现在版本为 9。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/7Qd9pC2VvgBIRJYo-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/7Qd9pC2VvgBIRJYo-image.png) #### **可写 GPLink** Srv01 对 GPO Writable 具有修改权限,但并非是整个 GPO 功能,所以不能新建 GPO。考虑到 Srv01 可以将 GPO 链接到域控制器,我们可以进而拿下 Dc01。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/XxzRJmZ9rAuxh5gf-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/XxzRJmZ9rAuxh5gf-image.png) 要创建到 OU Domain Controllers 的新 GPLink,命令应为: ```powershell sharpgpo.exe --Action NewGPLink --DN "OU=Domain Controllers,DC=prod,DC=raven-med,DC=local" --GPOName Writable ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/k80AmR6pxIJ8BljT-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/k80AmR6pxIJ8BljT-image.png) 查看当前的 GPLink,Writable 成功被链接到了 OU **Domain Controllers**。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/Uwf1iZw9kJZw9UzX-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/Uwf1iZw9kJZw9UzX-image.png) #### **修改 WMI 筛选器** Rasta Mouse 曾发布了一篇有关 WMI 筛选器利用的文章 ([https://rastamouse.me/ous-and-gpos-and-wmi-filters-oh-my/](https://rastamouse.me/ous-and-gpos-and-wmi-filters-oh-my/))。Srv01$ 对 WMI 筛选器 Example 具有控制权。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/Wz7wheY4R2CVfPu4-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/Wz7wheY4R2CVfPu4-image.png) 登陆 Dc01,赋予 GPO AppLocker 该 WMI 筛选器。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/TYUB914cKc1zSo7E-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/TYUB914cKc1zSo7E-image.png) 当前该筛选器的作用范围是目标 OU 中的 64 位主机。编辑该 WMI 筛选器,将其修改为作用于 32 位的主机。因为 File01 是 64 位的,因此,在组策略更新后不会再被这个 GPO 所作用。 ```sql SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture ="32-bit" ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/CWcXnnWI7gAz0l5y-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/CWcXnnWI7gAz0l5y-image.png) 综上所述,Srv01 可以修改应用于GPO AppLocker 的WMI 筛选器 Example,但不能修改该 GPO。让我们如下添加一个计算机首选项,然后返回 File01 的会话并检查新文件是否保存到 C 盘。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/AxQpMZZQDJJlXOF3-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/AxQpMZZQDJJlXOF3-image.png) 更新 GPO,查看本地文件,发现该文件并未被拉取到 C 盘,这是预期的,因为系统是 64 位的,并不在 WMI 筛选器的范围内。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/Vo5ndJ9XVAJbrgAF-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/Vo5ndJ9XVAJbrgAF-image.png) 使用 PowerView 枚举当前用户可写的 WMI 过滤器,命令如下所示: ```powershell Get-DomainObjectAcl -SearchBase "CN=SOM, CN=WmiPolicy, CN=System, DC=prod, DC=raven-med, DC=local" -LDAPFilter "(objectclass=msWMI-Som)" -ResolveGUIDs | ? { $_.ActiveDirectoryRights -like "*WriteProperty*" } ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/fJ0x4visPcFLfPSK-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/fJ0x4visPcFLfPSK-image.png) GUID 是 **{81E9A3D8-3295-4577-8D2E-8944B84B13DE}** 计算新查询的长度,得到是 66,通过以下语句修改 WMI 查询: ```powershell Set-DomainObject -Identity“{F0BB405E-87C9-42E0-8384-13C79692A678}”-Set @{ 'mswmi-parm2' = '1;3;10;66;WQL;root\CIMv2;SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture = “64 位”' } - verbose ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/JU5I5aqNJhyLyx6s-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/JU5I5aqNJhyLyx6s-image.png) [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/Uhjci2CcHhVLqYIf-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/Uhjci2CcHhVLqYIf-image.png) 修改成功后,更新组策略。然后发现文件已经从 SMB 目录中被拉取到本地磁盘上了。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/JEmWtHDp42YmS4pc-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/JEmWtHDp42YmS4pc-image.png) #### **隐藏持久化** 我们提到 GPO 可被利用于持久化访问。为了更隐蔽地持久化访问,文章 [https://pentestmag.com/gpo-abuse-you-cant-see-me/](https://pentestmag.com/gpo-abuse-you-cant-see-me/) 讨论了一个技巧。假设我们已经通过利用 GPO 接管了域管理员或域控制器,我们可以登录 Dc01 来隐藏我们的持久化。 打开 **Active Directory Users and Computers**,选择GPO Writable 的 Security 选项卡,添加一个 **DENY ACE**,防止所有主体读写该 GPO。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/MSt9yferE7GdzkV7-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/MSt9yferE7GdzkV7-image.png) 让我们比较之前和之后: [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/IAKfhmZi0OjfBlF5-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/IAKfhmZi0OjfBlF5-image.png) 通过这种方式,我们可以隐藏我们的后门 GPO 并实现更隐蔽的持久化。