GPP/cPassword Attacks
GPP (Group Policy Preferences) keeps passwords in an XML file
Works with SMB
If we find a 334 open we can try to log in anonymously.
Example from HTB - Active - Retired Machine
Tips:
prompt off
(will not prompt when downloading files) and
recurse on
(will list everything)
We can get all the files using
mget *
We can just copy the cpassword value and decrypt it using gpp-decrypt:
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
And we get the password: GPPstillStandingStrong2k18
HTB - Active - privesc
The password obtained with GPP only gave us user. To root the machine we use kerberoasting again:
We can then crack the password with hashcat
And finally get shell using psexec.py (Impacket)
GPP - Resources