GPP Attacks: AD Post Compromise Attack

Aditya Jha
3 min readJul 17, 2023

Overview

  • Group Policy Preferences allowed admins to create policies using embedded credentials.
  • These credentials were encrypted and placed in a “cPassword”
  • The key was accidentally released(whoops)
  • Patched in MS14–025, but doesn’t prevent previous uses

Group Policy Pwnage: https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/

ABUSING GPP

We will solve a machine which is available on hack the box. The box is named as “Active”.

So firstly we will quickly run a nmap scan.

Command: nmap -T5 <IP>

The result will look like this:

We will enumerate 445 port on this machine because this machine is utilizing SMB,

Command: smbclient -L \\\\<IP>\\

After checking all the shares, we have anonymous login in “Replication”.

Command: smbclient \\\\<IP>\\Replication

Now we are successfully into the machine:

Now we will turn off the prompt which is just going to tell us not to prompt when we tell it to download all of our files.

Command: prompt off

Now we will turn the recurse on which means it’s going to download all the files that we tell it to.

Command: recurse on

Now we will download all the files.

Command: mget *

The result will look like this:

We will check this Groups.xml file which contains the password.

The data in Groups.xml :

Now we can decrypt this password.

Command: gpp-decrypt <cPassword>

The result will be:

Now we have a username and password.

Now we can use Kerberoasting to dump the hash with the TGS ticket.

Command: GetUserSPNs.py <Domain/username:password> -dc-ip <DC IP> -request

The result will be:

Now we can see that we have successfully dumped the hash and this hash is of administrator.

Now we will crack this hash and get the password.

We will use Hashcat to crack the hash, we will store this hash in a txt file.

Command: Hashcat -m 13100 <filename> <wordlist>

The result will be:

We have successfully cracked the hash and got the password.

Now we have username and password for the administrator.

We will use the tool psexec.py to get into the machine using these credentials.

Command: psexec.py <domain/username>:<password>@<IP>

The result will be:

Now we have successfully into the machine and the attack is completed.

--

--