Exploiting GPOs

The KeePass vault recovered in the user's post-exploitation step contained a service account credential (svcServMan). Searching for this account in the BloodHound data shows that it owns a GPO. A GPO's settings are stored in the SYSVOL share on the domain controllers and replicated from there to every computer the GPO is linked to, so whatever we write through the GPO editor as the owner gets pushed out by the domain itself.

  • RDP into THMWRK1 as a standard domain user or a T2 admin

  • Inject the svcServMan credentials as network-only credentials with runas /netonly

  • Open the GPO that applies to THMSERVER2 in MMC and edit it; the edit is saved on the DC, not on THMWRK1

THMWRK1

RDP to THMWRK1:

xfreerdp /v:thmwrk1.za.tryhackme.loc /u:t2_alan.riley /p:'Password123'

Inject the service account credentials (password = Sup3rStr0ngPass!@). With /netonly the new cmd.exe still runs as t2_alan.riley locally (whoami will not change), but every network authentication from it uses svcServMan, which is what the GPO edit on the DC needs:

runas /netonly /user:za.tryhackme.loc\svcServMan cmd.exe

Launch MMC from that window so its snap-ins talk to the DC as svcServMan:

mmc.exe

Modify the Group Policy Object (the "Add Group" action lives under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups):

  1. Add Group -> Browse -> search "IT Support" -> OK

  2. Under "This group is a member of", add Administrators and Remote Desktop Users. Once the GPO applies, IT Support becomes a member of those local groups on THMSERVER2.

  3. The GPO is linked to za.tryhackme.loc/Servers/Management Servers, as shown in the GPO path, so it applies to every computer in that OU.

  4. Add the Active Directory Users and Computers snap-in to the same mmc.exe session and inspect the OU to confirm that THMSERVER2 is in it.
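The MMC edit above is persisted by the domain controller as a [Group Membership] section in the GPO's GptTmpl.inf under SYSVOL, which is also the artifact a defender would hunt for. The following is an added example, not code from the room or the walkthrough: it parses that file and reports which principals the GPO adds to local Administrators or Remote Desktop Users. The SYSVOL layout and the well-known SIDs are real; the domain SID used for IT Support and the sample file contents are constructed.

```python
"""Inspect the Restricted Groups settings a GPO stores in SYSVOL.

Added example for this walkthrough, not code from the room. The MMC edit
("Add Group -> ... member of Administrators and Remote Desktop Users") is
persisted by the DC as a [Group Membership] section in the GPO's GptTmpl.inf,
which replicates via SYSVOL. Parsing that file confirms the edit landed
(attacker) or surfaces it (defender) without the GUI.
Assumptions: the domain SID of IT Support below is a constructed placeholder;
the well-known SIDs for Administrators and Remote Desktop Users are real.
"""
import re
from typing import Dict, List

# Where a GPO's machine security template lives on the domain controllers.
# {GUID} is the GPO's id; the rest of the layout is fixed.
GPTTMPL_PATH = (r"\\za.tryhackme.loc\SYSVOL\za.tryhackme.loc\Policies\{GUID}"
                r"\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf")

WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Constructed sample: what GptTmpl.inf looks like after the edit described in
# the steps above. The S-1-5-21-... SID is a placeholder for the IT Support group.
IT_SUPPORT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_GPTTMPL = "\r\n".join([
    "[Unicode]",
    "Unicode=yes",
    "[Version]",
    'signature="$CHICAGO$"',
    "Revision=1",
    "[Group Membership]",
    f"*{IT_SUPPORT_SID}__Memberof = *S-1-5-32-544,*S-1-5-32-555",
    f"*{IT_SUPPORT_SID}__Members =",
    "",
])
SAMPLE_RAW = SAMPLE_GPTTMPL.encode("utf-16")  # secedit writes UTF-16 with a BOM


def decode_gpttmpl(raw: bytes) -> str:
    """GptTmpl.inf is normally UTF-16 with BOM; fall back to ANSI if not."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def parse_group_membership(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {principal: {"memberof": [...], "members": [...]}}.

    Keys look like '*<SID>__Memberof' or '<name>__Members'; a leading '*'
    marks a SID rather than a name, both in keys and in the value list.
    """
    result: Dict[str, Dict[str, List[str]]] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(.+?)__(memberof|members)", key.strip(), re.IGNORECASE)
        if not m:
            continue
        principal = m.group(1).lstrip("*")
        kind = m.group(2).lower()
        entries = [e.strip().lstrip("*") for e in value.split(",") if e.strip()]
        result.setdefault(principal, {"memberof": [], "members": []})[kind] = entries
    return result


def privileged_grants(parsed: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Map each principal to the well-known local groups the GPO adds it to."""
    grants: Dict[str, List[str]] = {}
    for principal, membership in parsed.items():
        names = [WELL_KNOWN[g] for g in membership["memberof"] if g in WELL_KNOWN]
        if names:
            grants[principal] = names
    return grants


if __name__ == "__main__":
    parsed = parse_group_membership(decode_gpttmpl(SAMPLE_RAW))
    for principal, groups in privileged_grants(parsed).items():
        print(f"{principal} -> {', '.join(groups)}")
```

To check a live GPO, read the real file from GPTTMPL_PATH with the GPO's GUID substituted (any domain user can read SYSVOL) and pass the bytes to decode_gpttmpl; a Memberof entry pointing at S-1-5-32-544 for a group you control is exactly the condition the steps above create.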

THMWRK2

Use the low-privilege user credential obtained from http://distributor.za.tryhackme.loc/creds. That user was added to the IT Support group in the Exploiting Permission Delegation step, so once the GPO has been applied to THMSERVER2 (Group Policy refreshes on its own schedule, so this can take a few minutes) it is a member of the local Administrators and Remote Desktop Users groups there.