// notes/ Active Directory
🏛️

Post Compromise Attacks Gpp Cpassword Attacks

Group policy preferences (GPP) allowed Administrators to create policies using embedded credentials. These credentials were encrypted and placed in a "cPassword". The encryption k…

#active directory#adot8
source · oscp.adot8.com · active-directory/post-compromise-attacks_gpp-cpassword-attacks

GPP / cPassword Attacks

Overview

Group policy preferences (GPP) allowed Administrators to create policies using embedded credentials. These credentials were encrypted and placed in a "cPassword". The encryption key was released by accident so the all the passwords are decryptable.

<figure><img src="/files/WQnVEUWiEBXBVZxLFbNK" alt=""><figcaption><p>Hack the Box machine <em>Querier</em></p></figcaption></figure> <figure><img src="/files/LhZOzoOlcq0lj8SpIsDQ" alt=""><figcaption><p>Hack the Box machine <em>Querier</em></p></figcaption></figure>

Check with PowerUp.ps1

powerquery
01. .\PowerUp.ps1
02Invoke-AllCheck
<figure><img src="/files/Jz7MCoxOKfdJGJM4pEYL" alt=""><figcaption><p>Hack the Box machine <em>Querier</em></p></figcaption></figure>

GPP Attack via Metasploit

bash
$use auxiliary/scanner/smb/smb_enum_gpp

Mitigation

  • Be up to date on patching
  • Delete old GPP xml files inside the SYSVOL