Rootme Active Directory GPO
Root-me.org
Active Directory - GPO
Group Policy Preferences
The challenge statement says: “Network traffic during the boot sequence was recorded for an Active Directory workstation. Analyze this capture and find the administrator’s password.”
We’re given a pcap file of that boot sequence. There are a few places where an Administrator password can end up in such a capture. One of the most obvious is the Group Policy Preferences file Groups.xml, which the workstation pulls from the domain controller’s SYSVOL share over SMB during policy processing. If we open the pcap in Wireshark (or use tshark) and export the SMB objects, we get a Groups.xml file.
tshark -r ch12.pcap --export-objects "smb,."
There’s a big flaw in how these passwords are protected: the cpassword value is AES-encrypted, but Windows always uses the same key, and Microsoft documents that key publicly. More info here: https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
This makes it trivial to recover the password with a simple decryption script.
This is the content of Groups.xml:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Helpdesk" image="2" changed="2015-05-06 05:50:08" uid="{43F9FF29-C120-48B6-8333-9402C927BE09}">
    <Properties action="U" newName="" fullName="" description="" cpassword="PsmtscOuXqUMW6KQzJR8RWxCuVNmBvRaDElCKH+FU+w" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="0" userName="Helpdesk"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrateur" image="2" changed="2015-05-05 14:19:53" uid="{5E34317F-8726-4F7C-BF8B-91B2E52FB3F7}" userContext="0" removePolicy="0">
    <Properties action="U" newName="" fullName="Admin Local" description="" cpassword="LjFWQMzS3GWDeav7+0Q0oSoOM43VwD30YZDVaItj8e0" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" subAuthority="" userName="Administrateur"/>
  </User>
</Groups>
We can see that the encrypted password of the Administrateur account is
cpassword="LjFWQMzS3GWDeav7+0Q0oSoOM43VwD30YZDVaItj8e0"
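The same cpassword attribute is what a defender should be hunting for in SYSVOL: any GPP XML file that still carries one is a plaintext-equivalent credential for everyone who can read the share. The following audit script is an added example, not code from the writeup or from Root-me; it parses Groups.xml-style files, reports every element that carries a cpassword (without decrypting anything) and can walk a SYSVOL directory. The sample XML is constructed from the structure shown above, and the list of GPP file names and account attributes it checks is an assumption based on the preference types that support passwords (Groups, Services, ScheduledTasks, DataSources, Drives, Printers).

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: same layout as the Groups.xml recovered from the capture.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Helpdesk" changed="2015-05-06 05:50:08">
    <Properties action="U" cpassword="PsmtscOuXqUMW6KQzJR8RWxCuVNmBvRaDElCKH+FU+w" userName="Helpdesk"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrateur" changed="2015-05-05 14:19:53">
    <Properties action="U" fullName="Admin Local" cpassword="LjFWQMzS3GWDeav7+0Q0oSoOM43VwD30YZDVaItj8e0" userName="Administrateur"/>
  </User>
</Groups>
"""

# Assumption: the GPP preference files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Assumption: attribute names the different preference types use for the account.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text: str, source: str = "<string>") -> list[dict]:
    """Return one finding per element that carries a non-empty cpassword attribute."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers; build a map so we can read the
    # enclosing <User>/<Service>/... element's name and change timestamp.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if not cpassword:
            continue
        parent = parent_of.get(elem)
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
        if account is None and parent is not None:
            account = parent.get("name")
        findings.append({
            "file": source,
            "element": parent.tag if parent is not None else elem.tag,
            "account": account or "?",
            "changed": parent.get("changed") if parent is not None else None,
            "cpassword_len": len(cpassword),  # length only; the value itself is never printed
        })
    return findings


def scan_sysvol(root_dir: str) -> list[dict]:
    """Walk a (copy of a) SYSVOL tree and collect cpassword findings from GPP files."""
    findings = []
    for path in Path(root_dir).rglob("*.xml"):
        if path.name not in GPP_FILES:
            continue
        try:
            text = path.read_text(encoding="utf-8-sig")  # GPP files are often UTF-8 with BOM
            findings.extend(find_cpasswords(text, str(path)))
        except (ET.ParseError, OSError):
            continue  # unreadable or malformed file; log it in a real audit
    return findings


if __name__ == "__main__":
    # Usage: python gpp_audit.py [path-to-SYSVOL]; with no argument the built-in sample is scanned.
    results = scan_sysvol(sys.argv[1]) if len(sys.argv) > 1 else find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml (sample)")
    for f in results:
        print(f"[!] {f['file']}: <{f['element']}> account={f['account']} "
              f"changed={f['changed']} cpassword present ({f['cpassword_len']} chars)")
    print(f"{len(results)} cpassword attribute(s) found")
```

Any hit means the affected account's password must be rotated and the preference item deleted, since the value stays recoverable for as long as the file is readable on SYSVOL; Microsoft removed the ability to set passwords through Group Policy Preferences in MS14-025, but that update does not clean up existing XML files, which is why this kind of scan is still worth running.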
Now we need to either write a decryption script or fetch one from the internet. Here’s one: https://raw.githubusercontent.com/MartinIngesen/gpocrack/master/gpocrack.py
It’s a very simple Python script; when we run it on the cpassword value we get this:
python gpocrack.py "LjFWQMzS3GWDeav7+0Q0oSoOM43VwD30YZDVaItj8e0"
Password is: TuM@sTrouv3
References: https://adsecurity.org/?p=2288