So you’ve had a successful phishing trip and obtained a shell on a target machine that is joined to a Windows domain. Obviously, the goal is to escalate privileges and pivot across the network, which is easier said than done. This is just one technique (of many) to consider employing on your travels.
We can see below that the target computer’s domain controller is CN-DC04.
We should now map a drive to the sysvol share on the DC.
We are ultimately trying to find groups.xml, which can be done by using the command below:
Once found, we want to identify the one with the most recent date.
Once we’ve found the file we want, we need to enter the command below: type groups.xml
Inside this file, if we’re lucky, we’ll be able to determine the name of a local administrator account (redacted in the picture below) and also an encrypted password (in the red box, but also redacted).
Using a tool like gpp-decrypt in Kali Linux, we can easily determine the password.
In a nutshell, organizations should not use Group Policy Preferences to manage local administrator passwords for domain computers. Instead, they should use something like Microsoft LAPS, which is significantly more secure. In addition, Microsoft LAPS will ensure that all of the local administrator passwords are changed on a regular basis AND also randomized on each domain-joined machine. Those credentials are then stored in Active Directory.
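Before (or while) moving to LAPS, a defender needs to know which policies in SYSVOL still carry a cpassword attribute, since the MS14-025 patch stops new ones being written but leaves existing groups.xml entries in place. The audit script below is an added example written for this post, not code from the original page or from gpp-decrypt: it walks a mapped SYSVOL share (or an offline copy), flags every GPP XML element that has a cpassword attribute, and reports the account and the last-changed timestamp without decrypting anything. The sample Groups.xml embedded at the end is constructed, and its cpassword value is a placeholder.

```python
import os
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute (Groups.xml is the one the post
# walks through; the other preference types use the same attribute name).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}
# The attribute that names the account differs per preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def cpassword_entries_in_xml(xml_bytes, path="<inline>"):
    """Report every element carrying a cpassword attribute; nothing is decrypted."""
    findings = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return findings  # not well-formed XML, nothing to audit
    for parent in root.iter():
        for elem in parent:
            if "cpassword" not in elem.attrib:
                continue
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)),
                           parent.attrib.get("name", ""))
            findings.append({"file": path, "account": account,
                             "action": elem.attrib.get("action", ""),
                             "changed": parent.attrib.get("changed", "")})
    return findings

def scan_sysvol(root_dir):
    """Walk a mapped SYSVOL share (or an offline copy) and audit every GPP XML file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    findings.extend(cpassword_entries_in_xml(fh.read(), full))
    # Most recently changed entry first: it is the one most likely still in use.
    return sorted(findings, key=lambda f: f["changed"], reverse=True)

# Constructed sample Groups.xml; the cpassword value is a placeholder, not real ciphertext.
SAMPLE_GROUPS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-05-02 09:12:41">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD" userName="LocalAdmin"/>
  </User>
  <User name="Helpdesk" changed="2016-01-10 14:00:00">
    <Properties action="U" userName="Helpdesk"/>
  </User>
</Groups>"""
```

Run scan_sysvol against the mapped SYSVOL path (for example the Policies folder) and treat every finding as a credential to rotate and an entry to delete from the policy.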