  • Add Gpo abuse, refactor vulnerabilities call, change acl relations, add some groups

  • Mayfly277 committed 1 year ago
    e9c68b8c
    1 parent 417e357f
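--- a/ad/sevenkingdoms.local/data/config.json
+++ b/ad/sevenkingdoms.local/data/config.json
@@ -13,9 +13,12 @@
  "sevenkingdoms\\cersei.lannister"
  ],
  "Remote Desktop Users" : [
- "sevenkingdoms\\Small Council"
+ "sevenkingdoms\\Small Council",
+ "sevenkingdoms\\Baratheon"
  ]
- }
+ },
+ "scripts" : [],
+ "vulns" : []
  },
  "srv01" : {
  "hostname" : "casterlyrock",
@@ -31,7 +34,9 @@
  },
  "Remote Desktop Users" : [
  "sevenkingdoms\\Lanister"
- ]
+ ],
+ "scripts" : [],
+ "vulns" : []
  },
  "dc02" : {
  "hostname" : "winterfell",
@@ -48,7 +53,16 @@
  "Remote Desktop Users" : [
  "north\\Stark"
  ]
- }
+ },
+ "scripts" : [
+ "asrep_roasting.ps1",
+ "constrained_delegation_use_any.ps1",
+ "constrained_delegation_kerb_only.ps1",
+ "ntlm_relay.ps1",
+ "responder.ps1",
+ "gpo_abuse.ps1"
+ ],
+ "vulns" : []
  },
  "srv02" : {
  "hostname" : "castelblack",
@@ -67,6 +81,8 @@
  "north\\Stark"
  ]
  },
+ "scripts" : [],
+ "vulns" : ["openshares"],
  "mssql":{
  "sa_password": "Sup1_sa_P@ssw0rd!",
  "svcaccount" : "sql_svc",
@@ -112,7 +128,9 @@
  "Remote Desktop Users" : [
  "essos\\Targaryen"
  ]
- }
+ },
+ "scripts" : [],
+ "vulns" : ["ntlmdowngrade"]
  },
  "srv03" : {
  "hostname" : "braavos",
@@ -129,6 +147,8 @@
  "Remote Desktop Users" : [
  "essos\\Dothraki"
  ],
+ "scripts" : [],
+ "vulns" : ["openshares"],
  "mssql":{
  "sa_password": "sa_P@ssw0rd!Ess0s",
  "svcaccount" : "sql_svc",
@@ -199,7 +219,8 @@
  "GenericAll_khal_viserys" : {"for": "khal.drogo", "to": "viserys.targaryen", "right": "GenericAll", "inheritance": "None"},
  "GenericAll_spy_jorah" : {"for": "Spys", "to": "jorah.mormont", "right": "GenericAll", "inheritance": "None"},
  "GenericAll_khal_esc4" : {"for": "khal.drogo", "to": "CN=ESC4,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=essos,DC=local", "right": "GenericAll", "inheritance": "None"},
- "WriteProperty_petyer_domadmin" : {"for": "viserys.targaryen", "to": "jorah.mormont", "right": "WriteProperty", "inheritance": "All"}
+ "WriteProperty_petyer_domadmin" : {"for": "viserys.targaryen", "to": "jorah.mormont", "right": "WriteProperty", "inheritance": "All"},
+ "GenericWrite_DragonsFriends_braavos" : {"for": "DragonsFriends", "to": "braavoos$", "right": "GenericWrite", "inheritance": "None"}
  },
  "users" : {
  "daenerys.targaryen" : {
@@ -431,6 +452,12 @@
  },
  "Small Council" : {
  "path" : "OU=Crownlands,DC=sevenkingdoms,DC=local"
+ },
+ "DragonStone" : {
+ "path" : "OU=Crownlands,DC=sevenkingdoms,DC=local"
+ },
+ "KingsGuard" : {
+ "path" : "OU=Crownlands,DC=sevenkingdoms,DC=local"
  }
  },
  "domainlocal" : {
@@ -445,17 +472,17 @@
  ]
  },
  "acls" : {
- "GenericAll_tywin_cersei" : {"for": "tywin.lannister", "to": "cersei.lannister", "right": "GenericAll", "inheritance": "None"},
- "GenericAll_varys_domadmin" : {"for": "lord.varys", "to": "Domain Admins", "right": "GenericAll", "inheritance": "None"},
- "GenericAll_stanis_dc" : {"for": "stannis.baratheon", "to": "kingslanding$", "right": "GenericAll", "inheritance": "None"},
- "WriteProperty_petyer_domadmin" : {"for": "petyer.baelish", "to": "Domain Admins", "right": "WriteProperty", "inheritance": "All"},
- "self-self-membership-on-group_tyron_domadmin" : {"for": "tyron.lannister", "to": "Domain Admins", "right": "Ext-Self-Self-Membership", "inheritance": "None"},
- "writeproperty-self-membership_stanis_stannis" : {"for": "stannis.baratheon", "to": "Domain Admins", "right": "Ext-Write-Self-Membership", "inheritance": "All"},
  "forcechangepassword_tywin_jaime" : {"for": "tywin.lannister", "to": "jaime.lannister", "right": "Ext-User-Force-Change-Password", "inheritance": "None"},
- "write_on_group_pycelle_domadmin" : {"for": "maester.pycelle", "to": "Domain Admins", "right": "WriteOwner", "inheritance": "None"},
- "GenericAll_group_acrrosdom_domadmin" : {"for": "AcrossTheNarrowSea", "to": "Domain Admins", "right": "GenericAll", "inheritance": "None"},
- "GenericWrite_on_user_jaimie_cersei" : {"for": "jaime.lannister", "to": "cersei.lannister", "right": "GenericWrite", "inheritance": "None"},
- "Writedacl_tywin_council" : {"for": "tywin.lannister", "to": "Small Council", "right": "WriteDacl", "inheritance": "None"}
+ "GenericWrite_on_user_jaimie_joffrey" : {"for": "jaime.lannister", "to": "joffrey.baratheon", "right": "GenericWrite", "inheritance": "None"},
+ "Writedacl_joffrey_tyron" : {"for": "joffrey.baratheon", "to": "tyron.lannister", "right": "WriteDacl", "inheritance": "None"},
+ "self-self-membership-on-group_tyron_small_council" : {"for": "tyron.lannister", "to": "Small Council", "right": "Ext-Self-Self-Membership", "inheritance": "None"},
+ "addmember_smallcouncil_DragonStone" : {"for": "Small Council", "to": "DragonStone", "right": "Ext-Write-Self-Membership", "inheritance": "All"},
+ "write_owner_dragonstone_kingsguard" : {"for": "DragonStone", "to": "KingsGuard", "right": "WriteOwner", "inheritance": "None"},
+ "GenericAll_kingsguard_stanis" : {"for": "KingsGuard", "to": "stannis.baratheon", "right": "GenericAll", "inheritance": "None"},
+ "GenericAll_stanis_dc" : {"for": "stannis.baratheon", "to": "kingslanding$", "right": "GenericAll", "inheritance": "None"},
+ "GenericAll_group_acrrosdom_varys" : {"for": "AcrossTheNarrowSea", "to": "lord.varys", "right": "GenericAll", "inheritance": "None"},
+ "GenericAll_varys_domadmin" : {"for": "lord.varys", "to": "Domain Admins", "right": "GenericAll", "inheritance": "None"},
+ "GenericAll_varys_domadmin_holder" : {"for": "lord.varys", "to": "CN=AdminSDHolder,CN=System,DC=sevenkingdoms,DC=local", "right": "GenericAll", "inheritance": "None"}
  },
  "users" : {
  "tywin.lannister" : {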
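Review bot: The new ACL `GenericWrite_DragonsFriends_braavos` (new line 223) targets `"to": "braavoos$"`, but srv03 is declared a few hunks earlier in this same file as `"hostname" : "braavos"`, so the computer account this relation is meant to resolve to is `braavos$`; as written the role that applies the ACLs presumably fails to find the target or skips the entry, and the intended GenericWrite is never set. Change it to `"to": "braavos$"`. Separately, the sevenkingdoms `acls` hunk removes and re-adds entries whose content is unchanged (`GenericAll_stanis_dc`, `GenericAll_varys_domadmin`) just to reorder them, which hides the real relation changes in the diff; leaving unchanged entries in place would keep the hunk to the actual additions and removals.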
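--- a/ad/sevenkingdoms.local/scripts/gpo_abuse.ps1
+++ b/ad/sevenkingdoms.local/scripts/gpo_abuse.ps1
@@ -1,24 +1,25 @@
 Install-WindowsFeature -Name GPMC
-$gpo_exist=Get-GPO -Name "StarkWallpaper" -erroraction ignore
+$gpo_exist = Get-GPO -Name "StarkWallpaper" -erroraction ignore
+
 if ($gpo_exist) {
-Remove-GPO -Name "StarkWallpaper"
-}
+ # Do nothing
+ #Remove-GPO -Name "StarkWallpaper"
+ #Remove the link of the GPO Remove-StarkWallpaper if it exists
+ #Remove-GPLink -Name "StarkWallpaper" -Target "DC=north,DC=sevenkingdoms,DC=local" -erroraction 'silentlycontinue'
+} else {
+ New-GPO -Name "StarkWallpaper" -comment "Change Wallpaper"
+ New-GPLink -Name "StarkWallpaper" -Target "DC=north,DC=sevenkingdoms,DC=local"
 
-#Remove the link of the GPO Remove-StarkWallpaper if it exists
-Remove-GPLink -Name "Remove-StarkWallpaper" -Target "OU=North,OU=kingdoms,DC=sevenkingdoms,DC=local" -erroraction 'silentlycontinue'
+ #https://www.thewindowsclub.com/set-desktop-wallpaper-using-group-policy-and-registry-editor
+ Set-GPRegistryValue -Name "StarkWallpaper" -key "HKEY_CURRENT_USER\Control Panel\Colors" -ValueName Background -Type String -Value "100 175 200"
+ #Set-GPPrefRegistryValue -Name "StarkWallpaper" -Context User -Action Create -Key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName Wallpaper -Type String -Value "C:\tmp\GOAD.png"
 
-New-GPO -Name "StarkWallpaper"-comment "Change Wallpaper"
-New-GPLink -Name "StarkWallpaper" -Target "OU=North,OU=kingdoms,DC=sevenkingdoms,DC=local"
-
-#https://www.thewindowsclub.com/set-desktop-wallpaper-using-group-policy-and-registry-editor
-#Set-GPRegistryValue -Name "StarkWallpaper" -key "HKEY_CURRENT_USER\Control Panel\Colors" -ValueName Background -Type String -Value "0 0 255"
-Set-GPPrefRegistryValue -Name "StarkWallpaper" -Context User -Action Create -Key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName Wallpaper -Type String -Value "C:\tmp\GOAD.png"
-
-#Set-GPRegistryValue -Name "StarkWallpaper" -key "HKEY_CURRENT_USER\Control Panel\Desktop" -ValueName Wallpaper -Type String -Value ""
-Set-GPPrefRegistryValue -Name "StarkWallpaper" -Context User -Action Create -Key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName WallpaperStyle -Type String -Value "4"
+ Set-GPRegistryValue -Name "StarkWallpaper" -key "HKEY_CURRENT_USER\Control Panel\Desktop" -ValueName Wallpaper -Type String -Value ""
+ #Set-GPPrefRegistryValue -Name "StarkWallpaper" -Context User -Action Create -Key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName WallpaperStyle -Type String -Value "4"
 
-Set-GPRegistryValue -Name "StarkWallpaper" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\WinLogon" -ValueName SyncForegroundPolicy -Type DWORD -Value 1
+ Set-GPRegistryValue -Name "StarkWallpaper" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\WinLogon" -ValueName SyncForegroundPolicy -Type DWORD -Value 1
 
-#Allow rickon.stark to Edit Settings of the GPO
-Set-GPPermissions -Name "StarkWallpaper" -PermissionLevel GpoEdit -TargetName "rickon.stark" -TargetType "User"
- 
+ # Allow samwell.tarly to Edit Settings of the GPO
+ # https://learn.microsoft.com/en-us/powershell/module/grouppolicy/set-gppermission?view=windowsserver2022-ps
+ Set-GPPermissions -Name "StarkWallpaper" -PermissionLevel GpoEditDeleteModifySecurity -TargetName "samwell.tarly" -TargetType "User"
+}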
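Review bot: With the new `if ($gpo_exist) { # Do nothing } else { ... }` shape, every `Set-GPRegistryValue` and the `Set-GPPermissions` call now run only when the GPO is created, so on a lab that was already provisioned by the previous version of this script the changes made in this very commit (new registry values, and the grant moving from `rickon.stark`/`GpoEdit` to `samwell.tarly`/`GpoEditDeleteModifySecurity`) are never applied, and the old rickon.stark grant is left in place. Guard only the one-shot creation/link and apply the settings and permission unconditionally, as below; if the old grant should also disappear on upgraded labs, an explicit revocation for rickon.stark (I believe `-PermissionLevel None` does that) would be needed as well. The comment `# Allow samwell.tarly to Edit Settings of the GPO` also understates what is granted, since `GpoEditDeleteModifySecurity` includes delete and modify-security rights; say so in the comment.
```powershell
$gpo_exist = Get-GPO -Name "StarkWallpaper" -erroraction ignore

# Creation and linking are one-shot; every setting below is re-applied on each run so the
# GPO always matches this script, even on a lab provisioned by an earlier version.
if (-not $gpo_exist) {
 New-GPO -Name "StarkWallpaper" -comment "Change Wallpaper"
 New-GPLink -Name "StarkWallpaper" -Target "DC=north,DC=sevenkingdoms,DC=local"
}

# … unchanged: Set-GPRegistryValue calls for Colors, Desktop and WinLogon (now outside the if) …

# Give samwell.tarly edit, delete and modify-security rights on the GPO (re-applied on every run)
Set-GPPermissions -Name "StarkWallpaper" -PermissionLevel GpoEditDeleteModifySecurity -TargetName "samwell.tarly" -TargetType "User"
```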
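--- a/ansible/ad-relations.yml
+++ b/ansible/ad-relations.yml
@@ -11,6 +11,7 @@
  hosts: dc01,dc02,dc03,srv02,srv03
  roles:
  - { role: "settings/adjust_rights", tags: 'adjust_rights'}
+ - { role: "settings/user_rights", tags: 'adjust_rights'}
  vars:
  local_groups: "{{lab.hosts[dict_key].local_groups}}"
  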
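Review bot: The new `settings/user_rights` role reuses the tag `adjust_rights` of the role above it, so it cannot be run or skipped on its own with `--tags`/`--skip-tags`, and a reader cannot tell whether that is deliberate. If the two roles are meant to always go together, a short comment saying so would help; otherwise give it its own tag, e.g. `- { role: "settings/user_rights", tags: 'user_rights'}`. The play's header is above this hunk, so I cannot see whether `dict_key` is defined there.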
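--- /dev/null
+++ b/ansible/roles/settings/user_rights/tasks/main.yml
@@ -0,0 +1,10 @@
+# https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment
+# SeRemoteInteractiveLogonRight
+ 
+- name: Add remote desktop and administrators group to rdp
+ ansible.windows.win_user_right:
+ name: SeRemoteInteractiveLogonRight
+ users:
+ - Administrators
+ - Remote Desktop Users
+ action: set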
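Review bot: `action: set` makes `Administrators` and `Remote Desktop Users` the only holders of `SeRemoteInteractiveLogonRight` on each host, so any principal that held the right directly before this role ran is silently removed; the task name ("Add ...") suggests an add, which would be `action: add`. If replacing the whole list is the intent, state it in the header comment, e.g. `# action: set — the listed groups become the ONLY holders of the right; previous direct grants are removed`. The `local_groups` var the play defines is not used by this role, which is fine, but worth noting since the hard-coded list means a host's RDP access is controlled entirely through membership of "Remote Desktop Users".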
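--- a/ansible/vulnerabilities.yml
+++ b/ansible/vulnerabilities.yml
@@ -3,57 +3,18 @@
 - import_playbook: data.yml
  vars:
  data_path: "../ad/{{domain_name}}/data/"
+ tags: 'data'
  
-# sevenkingdoms.local
-- name: "Setup vulnerabilities dc01"
- hosts: dc01
- roles:
-# - { role: 'ps', tags: 'acl', ps_script: "{{script_path}}/acl.ps1"} # converted to json config and roles
- vars:
- script_path: "../ad/{{domain_name}}/scripts"
+- name: "Setup vulnerabilities with tasks"
+ hosts: dc01,dc02,dc03,srv02,srv03
+ tasks:
+ - include_role:
+ name: "vulns/{{item}}"
+ loop: "{{lab.hosts[dict_key].vulns}}"
+ - include_role:
+ name: "ps"
+ vars:
+ script_path: "../ad/{{domain_name}}/scripts"
+ ps_script: "{{script_path}}/{{item}}"
+ loop: "{{lab.hosts[dict_key].scripts}}"
  
-# - name: "Setup vulnerabilities srv01"
-# hosts: srv01
-# roles:
-# vars:
-# script_path: "../ad/{{domain_name}}/scripts"
- 
-# north.sevenkingdoms.local
-- name: "Setup vulnerabilities dc02"
- hosts: dc02
- roles:
- - { role: 'ps', tags: 'asrep_roasting', ps_script: "{{script_path}}/asrep_roasting.ps1"}
- - { role: 'ps', tags: 'constrained_delegation', ps_script: "{{script_path}}/constrained_delegation_use_any.ps1"}
- - { role: 'ps', tags: 'constrained_delegation_kerb', ps_script: "{{script_path}}/constrained_delegation_kerb_only.ps1"}
- - { role: 'ps', tags: 'ntlm_relay', ps_script: "{{script_path}}/ntlm_relay.ps1"}
- - { role: 'ps', tags: 'responder', ps_script: "{{script_path}}/responder.ps1"}
-# - { role: 'ps', tags: 'anonymous_ldap', ps_script: "{{script_path}}/anonymous_ldap.ps1"} # done with acl
-# - { role: 'ps', tags: 'kerberoasting', ps_script: "{{script_path}}/kerberoasting.ps1"} # done by setting spn on user creation
-# - { role: 'ps', tags: 'unconstrained_delegation', ps_script: "{{script_path}}/unconstrained_delegation.ps1"} # done with dc on forest to forest
-# - { role: 'ps', tags: 'gpo_abuse', ps_script: "{{script_path}}/gpo_abuse.ps1"}
- vars:
- script_path: "../ad/{{domain_name}}/scripts"
- 
-- name: "Setup vulnerabilities srv02"
- hosts: srv02
- roles:
- - { role: "vulns/openshares", tags: 'openshares'}
- - { role: 'ps', tags: 'responder', ps_script: "{{script_path}}/responder.ps1"}
- vars:
- script_path: "../ad/{{domain_name}}/scripts"
- 
- 
-# essos.local
-- name: "Setup vulnerabilities dc03"
- hosts: dc03
- roles:
- - { role: "vulns/ntlmdowngrade", tags: 'openshares'}
- vars:
- script_path: "../ad/{{domain_name}}/scripts"
- 
-- name: "Setup vulnerabilities srv03"
- hosts: srv03
- roles:
- - { role: "vulns/openshares", tags: 'openshares'}
- vars:
- script_path: "../ad/{{domain_name}}/scripts"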
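Review bot: The two `include_role` tasks in the new play carry no tags, whereas the removed per-host plays tagged each vulnerability (`asrep_roasting`, `ntlm_relay`, `openshares`, ...), so after this change a single vulnerability can no longer be applied or skipped with `--tags`; the only tag added is `tags: 'data'` on the import above. At minimum give the two tasks coarse tags, e.g. `tags: ['vulns']` on the first and `tags: ['scripts']` on the second, adding `apply: { tags: [...] }` if the included roles' own tasks should be selectable too; per-item tags would need static entries again, since as far as I know task tags are not templated from the loop variable. `dict_key` is not defined anywhere in this file as shown, so both loops presumably rely on it coming from inventory or host_vars, and a host whose config entry lacks `scripts`/`vulns` would fail the loop rather than be skipped.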