coffeetohack
  • Introduction
  • Methodology
  • Cheatsheet
    • Ports
    • Nmap
    • Directory Bruteforce
    • Password Cracking
    • Web Server
    • Shells
    • TTY Shells
    • File Transfers
    • XSS | SQLi
    • LFI / RFI
    • File Uploads
    • Port Forwarding
  • Framework/Application
    • CMS Made Simple
    • Blundit
    • Wordpress
    • OctoberCMS
    • Tomcat
  • Windows PrivEsc
    • Scheduled Tasks
    • Stored Passwords
    • Installed Apps
    • Unquoted Service Path
    • Binary Paths
    • DLL Hijacking
    • Startup Apps
    • Executable Files
    • Registry
    • Run As
  • Linux PrivEsc
    • Sudo
    • SUID
    • Capabilities
    • Scheduled Tasks
    • NFS Root Squashing
    • Docker
  • Buffer Overflow
    • dostackbufferoverflow
    • BoF 1
    • Vulnserver
    • Brainpan
    • Brainstorm
  • Initial Shell Exploits
  • PrivEsc Exploits
  • Cisco Packet Tracer
  • Active Directory
    • Methodology
    • LLMNR Poisioning
    • Cracking Hashes
    • SMB Relay
    • IPv6 Attacks
    • PowerView
    • Bloodhound
    • Pass The Hash
    • Token Impersonation
    • Kerberoasting
    • GPP Attack
    • URL File Attack
    • PrintNightmare
    • Mimikatz
    • Golden Ticket Attack
  • OSINT
Powered by GitBook
On this page

Was this helpful?

  1. Active Directory

GPP Attack

PreviousKerberoastingNextURL File Attack

Last updated 2 years ago

Was this helpful?

MS14-025

The Group Policy Preferences allowed admins to create policies using embedded credentials

These credentials were encrypted and placed into XML document and stored in the type called as cPassword.

The key of this was accidently released. It was patched in MS14-025 but it doesn’t prevent previous issues.

Most of the times these credentials are domain admin credentials and give access to domain admin accounts.

Mostly found on Server 2012 machines.

The password hash can be found in Groups.xml file

We can use gpp-decrypt tool to decrypt the password: gpp-decrypt <hash>

We can then use GetUserSPNs to dump the service account hash. This can then be cracked using hashcat and used with psexec to log into the machine.

LogoPentesting in the Real World: Group Policy Pwnage | Rapid7 BlogRapid7