Active Directory & Group Policy Privilege Escalation Vulnerability

So you’ve had a successful phishing trip and obtained a shell on a target machine that is joined to a Windows domain. Obviously, the goal is to escalate privileges and pivot across the network, which is easier said than done. This is just one technique (of many) to consider employing on your travels.

We can see below that the target computer’s domain controller is CN-DC04.


We should now map a drive to the sysvol share on the DC.


We are ultimately trying to find groups.xml, which can be done using the command below:


Once found, we want to identify the one with the most recent date.


Once we’ve found the file we want, we display its contents with the command: type groups.xml

Inside this file, if we’re lucky, we’ll find the name of a local administrator account (redacted in the picture below) and an encrypted password (in the red box, also redacted).


Using a tool like gpp-decrypt in Kali Linux, we can easily determine the password.


In a nutshell, organizations should not use Group Policy Preferences to manage local administrator passwords for domain computers. Instead they should use something like Microsoft LAPS, which is significantly more secure: LAPS changes every local administrator password on a regular basis, randomizes it on each domain-joined machine, and stores those credentials in Active Directory.
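For the defending side, the quickest win is to find out whether any GPO in SYSVOL still carries a cpassword attribute at all. The script below is an added example, not code from the original post or from any tool it mentions: it walks a SYSVOL-style directory tree, parses the Group Policy Preference XML files, and reports each item whose Properties element has a non-empty cpassword, sorted newest first (the same triage order the post uses). It goes beyond the post's groups.xml and also checks Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml, which use the same attribute. Nothing is decrypted; the presence of the attribute is the finding. The sample tree, GPO GUIDs, clsid values and the cpassword value are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET  # stdlib; prefer defusedxml when parsing files you do not control

# Group Policy Preference files that may carry a cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}


def find_cpassword_entries(sysvol_root):
    """Walk a SYSVOL-style tree and report every preference item whose
    Properties element carries a non-empty cpassword attribute.
    Nothing is decrypted: the presence of the attribute is the finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # unparsable file; still worth a manual look
            # Items (User, Service, Task, Drive, ...) wrap a Properties child.
            for item in root.iter():
                for props in item:
                    cpassword = props.get("cpassword")
                    if not cpassword:
                        continue
                    findings.append({
                        "file": os.path.relpath(path, sysvol_root),
                        "account": props.get("userName") or item.get("name", ""),
                        "changed": item.get("changed", ""),
                        "cpassword_len": len(cpassword),
                    })
    # Newest first: the most recently changed entry is the one most likely still in force.
    findings.sort(key=lambda f: f["changed"], reverse=True)
    return findings


# --- constructed sample data (placeholders, not real GPO content) ---------------------
_GROUPS_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-CLSID}">
  <User clsid="{CONSTRUCTED-CLSID}" name="__NAME__" image="2"
        changed="__CHANGED__" uid="{CONSTRUCTED-UID}">
    <Properties action="U" newName="" fullName="" description="" cpassword="__CPASSWORD__"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="__NAME__"/>
  </User>
</Groups>
"""

_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{CONSTRUCTED-CLSID}">
  <Drive clsid="{CONSTRUCTED-CLSID}" name="S:" status="S:" image="2"
         changed="2016-03-01 10:00:00" uid="{CONSTRUCTED-UID}">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName=""
        path="\\\\fileserver\\share" label="Share" persistent="1" useLetter="1" letter="S"/>
  </Drive>
</Drives>
"""


def build_sample_sysvol():
    """Create a throwaway tree shaped like SYSVOL\\<domain>\\Policies\\<GPO>\\...:
    two GPOs set a local account password via GPP, one only maps a drive."""
    root = tempfile.mkdtemp(prefix="sysvol-sample-")
    samples = {
        "{CONSTRUCTED-GPO-A}": ("Administrator (built-in)", "2015-05-06 05:50:20"),
        "{CONSTRUCTED-GPO-B}": ("localadmin", "2017-01-12 09:15:02"),
    }
    for gpo, (name, changed) in samples.items():
        d = os.path.join(root, "Policies", gpo, "Machine", "Preferences", "Groups")
        os.makedirs(d)
        xml = (_GROUPS_TEMPLATE.replace("__NAME__", name)
               .replace("__CHANGED__", changed)
               .replace("__CPASSWORD__", "CONSTRUCTED-CPASSWORD-PLACEHOLDER"))
        with open(os.path.join(d, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(xml)
    d = os.path.join(root, "Policies", "{CONSTRUCTED-GPO-C}", "User", "Preferences", "Drives")
    os.makedirs(d)
    with open(os.path.join(d, "Drives.xml"), "w", encoding="utf-8") as fh:
        fh.write(_DRIVES_XML)
    return root


if __name__ == "__main__":
    for f in find_cpassword_entries(build_sample_sysvol()):
        print(f"{f['changed']}  {f['file']}  account={f['account']!r}  "
              f"cpassword bytes={f['cpassword_len']}")
```

Point find_cpassword_entries at a mounted copy of \\<dc>\SYSVOL\<domain>\Policies to run it against a real domain; any hit means the GPO should be edited to remove the password and the affected local accounts rotated, since every domain user can read SYSVOL.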


Cracking The Name of a Hidden SSID

The process outlined below can be used to obtain the name of a wireless network that is “hiding” its SSID.

We can see on my Windows box that there is a hidden wireless network in range:


Within our Kali Linux VM, we type iwconfig to obtain the interface name of our wireless card. For any of this to work, you’ll need a compatible Wi-Fi adapter (not covered in this post).


Running the following command will list all of the available wireless networks within range: airodump-ng wlan0

We can easily determine that the hidden wireless network’s BSSID is: E0:1C:41:C9:2D:57 and that it’s broadcasting on channel 1.  We need both pieces of information for the next command.


We can now focus solely on the target BSSID on channel 1 by running the command: airodump-ng wlan0 -c 1 --bssid E0:1C:41:C9:2D:57

If any clients are connected to the hidden wireless network, this will show their network card’s MAC address, as seen below.


With this information, we now run the next command: aireplay-ng -0 5 -a E0:1C:41:C9:2D:57 -c 1C:5C:F2:17:C0:BB


When run, the above command forcibly disconnects the connected client from the BSSID. When this happens, the device will automatically attempt to reconnect to the wireless network, and on reconnection we should be able to glean the name of the hidden wireless network (ESSID).
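Two things in this walkthrough are visible on the wire to anyone monitoring the channel, and both are worth checking for on the defending side: a “hidden” network still beacons, just with a zero-length SSID element, and the disconnect step is a burst of deauthentication management frames sent in the access point’s name. The parser below is an added example, not code from the original post or from the aircrack-ng tools it uses: it decodes the 802.11 management-frame header, pulls the SSID element out of beacons, and counts deauth frames per (BSSID, target) pair so a monitoring script can flag bursts. The frames are constructed byte strings with made-up locally administered MAC addresses; the burst threshold is an assumption to tune for your environment.

```python
import struct
from collections import Counter

# IEEE 802.11 frame control values for the frames this script cares about.
TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12
HDR_LEN = 24  # management MAC header: FC(2) Duration(2) A1(6) A2(6) A3(6) SeqCtl(2)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _beacon_ssid(ies):
    """Walk the tagged parameters of a beacon body; element ID 0 is the SSID.
    An empty SSID element is exactly what a 'hidden' network broadcasts."""
    i = 0
    while i + 2 <= len(ies):
        eid, ln = ies[i], ies[i + 1]
        if eid == 0:
            return ies[i + 2:i + 2 + ln].decode("utf-8", "replace")
        i += 2 + ln
    return None


def parse_frame(frame):
    """Decode the management-frame header; add the reason code for deauth
    frames and the SSID for beacons."""
    if len(frame) < HDR_LEN:
        raise ValueError("truncated 802.11 header")
    fc0 = frame[0]
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": mac_str(frame[4:10]),    # receiver
        "addr2": mac_str(frame[10:16]),   # transmitter
        "addr3": mac_str(frame[16:22]),   # BSSID for management frames
    }
    body = frame[HDR_LEN:]
    if info["type"] == TYPE_MGMT and info["subtype"] == SUBTYPE_DEAUTH and len(body) >= 2:
        info["reason"] = struct.unpack("<H", body[:2])[0]
    if info["type"] == TYPE_MGMT and info["subtype"] == SUBTYPE_BEACON and len(body) >= 12:
        # skip timestamp(8), beacon interval(2), capability(2) before the tagged parameters
        info["ssid"] = _beacon_ssid(body[12:])
    return info


def hidden_bssids(frames):
    """BSSIDs whose beacons carry an empty SSID element."""
    found = set()
    for raw in frames:
        f = parse_frame(raw)
        if f.get("ssid") == "":
            found.add(f["addr3"])
    return sorted(found)


def deauth_bursts(frames, threshold=3):
    """Count deauth frames per (BSSID, target) and return pairs at or above threshold."""
    counts = Counter()
    for raw in frames:
        f = parse_frame(raw)
        if f["type"] == TYPE_MGMT and f["subtype"] == SUBTYPE_DEAUTH:
            counts[(f["addr3"], f["addr1"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


# Constructed capture: one hidden AP (02:00:00:00:00:01), one visible AP (02:00:00:00:00:02),
# and five deauth frames aimed at client 02:00:00:00:00:aa in the hidden AP's name.
SAMPLE_FRAMES = [
    # beacon, hidden: SSID element "00 00" (id 0, length 0), then a supported-rates element
    bytes.fromhex("8000 0000 ffffffffffff 020000000001 020000000001 0000"
                  "0000000000000000 6400 1104 0000 010482848b96"),
    # beacon, visible: SSID element carries "lab-guest"
    bytes.fromhex("8000 0000 ffffffffffff 020000000002 020000000002 0000"
                  "0000000000000000 6400 1104 0009 6c61622d6775657374 010482848b96"),
] + [
    # deauth, reason code 7 (class 3 frame received from non-associated station)
    bytes.fromhex(f"c000 0000 0200000000aa 020000000001 020000000001 {seq:02x}00 0700")
    for seq in (0x10, 0x20, 0x30, 0x40, 0x50)
]


if __name__ == "__main__":
    print("hidden BSSIDs:", hidden_bssids(SAMPLE_FRAMES))
    for (bssid, target), n in deauth_bursts(SAMPLE_FRAMES).items():
        print(f"deauth burst: {n} frames from {bssid} to {target}")
```

Feed it the raw 802.11 frames from a monitor-mode capture (with the radiotap header stripped) to use it on real traffic. The mitigation that actually removes the page's trick is not SSID hiding but Protected Management Frames (802.11w), which authenticates deauthentication frames so a forged one is discarded by the client.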