Let’s search for vulnerable GPOs: those where a domain principal with a high RID (a non-built-in user or group, matched by the trailing `[\d]{4,10}` in the SID regex) has CreateChild or WriteProperty rights on the GPO object.

powershell Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }

Now let’s get the GPO’s display name and its SYSVOL path.

powershell Get-DomainGPO -Identity "CN={5059FAC1-5E94-4361-95D3-3BB235A23928},CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" | select displayName, gpcFileSysPath

Now let’s resolve the SID to the name of the object that can control the GPO.

powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107

The users in the Developers group can control the GPO.

Now let’s see which OUs the GPO is linked to.

powershell Get-DomainOU -GPLink "{5059FAC1-5E94-4361-95D3-3BB235A23928}" | select distinguishedName

It’s linked to the Workstations OU.

Now let’s get the computers that are members of this OU.

powershell Get-DomainComputer -SearchBase "OU=Workstations,DC=dev,DC=cyberbotic,DC=io" | select dnsHostName

Notice that the OU contains Workstation 1 and Workstation 2.
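The same delegation problem seen from the defender's side: the steps above (ACL on the GPO, who the trustee is, which OUs the GPO is linked to, which computers sit in those OUs) are exactly what an audit should produce before an attacker does. The script below is an added example and is not part of the original walkthrough; it uses the RSAT GroupPolicy and ActiveDirectory modules (`Get-GPO`, `Get-GPPermission`, `Get-ADOrganizationalUnit`) rather than PowerView, and it separates the collection from the analysis so the analysis can be exercised offline on the constructed sample data at the bottom. The allow-list of trustees, the function names and the GPO display name `GPO_NAME_PLACEHOLDER` are assumptions (the real display name is only in the walkthrough's screenshot).

```powershell
# Flags GPOs where a trustee outside an allow-list holds edit rights, and
# resolves which OUs each flagged GPO is linked to so the blast radius is visible.
function Find-RiskyGpoDelegation {
    [CmdletBinding()]
    param(
        # Records with: GpoName, GpoId (GUID without braces), TrusteeName, TrusteeSid, Permission, Inherited
        [Parameter(Mandatory)] [object[]] $Permission,
        # Records with: OuDn, GpoIds (array of GUID strings parsed from the OU's gPLink)
        [object[]] $OuLink = @(),
        # Trustees that are expected to edit GPOs (assumed baseline; tune per environment)
        [string[]] $AllowedTrustee = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')
    )
    $editRights = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')
    foreach ($p in $Permission) {
        if ($editRights -notcontains $p.Permission) { continue }      # read/apply is fine
        if ($AllowedTrustee -contains $p.TrusteeName) { continue }    # expected editors
        $linked = @($OuLink | Where-Object { $_.GpoIds -contains $p.GpoId.ToUpper() } |
                    ForEach-Object { $_.OuDn })
        [pscustomobject]@{
            GpoName    = $p.GpoName
            GpoId      = $p.GpoId
            Trustee    = $p.TrusteeName
            TrusteeSid = $p.TrusteeSid
            Permission = $p.Permission
            Inherited  = $p.Inherited
            LinkedOUs  = ($linked -join '; ')
        }
    }
}

# Live collector: builds the two record sets from the domain (requires RSAT modules).
function Get-GpoDelegationInventory {
    Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop
    $perms = foreach ($gpo in Get-GPO -All) {
        foreach ($acl in Get-GPPermission -Guid $gpo.Id -All) {
            [pscustomobject]@{
                GpoName     = $gpo.DisplayName
                GpoId       = $gpo.Id.ToString().ToUpper()
                TrusteeName = $acl.Trustee.Name
                TrusteeSid  = $acl.Trustee.Sid.Value
                Permission  = $acl.Permission.ToString()
                Inherited   = $acl.Inherited
            }
        }
    }
    # gPLink looks like "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;0][...]"; pull each GUID out.
    $links = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties gPLink) {
        $ids = [regex]::Matches([string]$ou.gPLink, '\{[0-9A-Fa-f-]{36}\}') |
               ForEach-Object { $_.Value.Trim('{}').ToUpper() }
        [pscustomobject]@{ OuDn = $ou.DistinguishedName; GpoIds = @($ids) }
    }
    [pscustomobject]@{ Permission = @($perms); OuLink = @($links) }
}

# --- Constructed sample data (offline demo; mirrors the walkthrough's finding) ---
$samplePerms = @(
    [pscustomobject]@{ GpoName='GPO_NAME_PLACEHOLDER'; GpoId='5059FAC1-5E94-4361-95D3-3BB235A23928'
                       TrusteeName='Domain Admins'; TrusteeSid='S-1-5-21-569305411-121244042-2357301523-512'
                       Permission='GpoEditDeleteModifySecurity'; Inherited=$false }
    [pscustomobject]@{ GpoName='GPO_NAME_PLACEHOLDER'; GpoId='5059FAC1-5E94-4361-95D3-3BB235A23928'
                       TrusteeName='Authenticated Users'; TrusteeSid='S-1-5-11'
                       Permission='GpoApply'; Inherited=$false }
    [pscustomobject]@{ GpoName='GPO_NAME_PLACEHOLDER'; GpoId='5059FAC1-5E94-4361-95D3-3BB235A23928'
                       TrusteeName='Developers'; TrusteeSid='S-1-5-21-569305411-121244042-2357301523-1107'
                       Permission='GpoEdit'; Inherited=$false }
)
$sampleLinks = @(
    [pscustomobject]@{ OuDn='OU=Workstations,DC=dev,DC=cyberbotic,DC=io'
                       GpoIds=@('5059FAC1-5E94-4361-95D3-3BB235A23928') }
)

# Expected: one finding, Developers / GpoEdit, linked to the Workstations OU.
Find-RiskyGpoDelegation -Permission $samplePerms -OuLink $sampleLinks | Format-Table -AutoSize

# Against a real domain:
# $inv = Get-GpoDelegationInventory
# Find-RiskyGpoDelegation -Permission $inv.Permission -OuLink $inv.OuLink | Format-Table -AutoSize
```

Anything the script flags should be paired with the computers under the linked OUs (as the `Get-DomainComputer -SearchBase` step above does) to size the impact; a GPO editable by a non-admin group and linked to an OU full of workstations is a code-execution path to every machine in it. For ongoing detection, enabling Directory Service Changes auditing so that modifications to objects under CN=Policies,CN=System generate event ID 5136 gives a record of who changed which GPO attribute and when.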

Now let’s abuse it.