1
00:00:00,120 --> 00:00:10,450
Up next on the list is the GPP, or Group Policy Preferences, attack, also known as MS14-025.

2
00:00:10,530 --> 00:00:12,280
So, a quick overview.

3
00:00:12,510 --> 00:00:19,110
The Group Policy Preferences allowed admins to create policies using embedded credentials.

4
00:00:19,110 --> 00:00:25,470
Now these credentials were encrypted and they were placed into an XML document, and they were stored

5
00:00:25,500 --> 00:00:28,740
in this type called cPassword.

6
00:00:28,770 --> 00:00:30,840
Now the cPassword was encrypted,

7
00:00:30,840 --> 00:00:40,620
as I said, and the key to this encryption was accidentally released, and so therefore we can decrypt it.

8
00:00:40,620 --> 00:00:47,280
Now this has been patched in MS14-025, and that prevents issues going forward.

9
00:00:47,280 --> 00:00:50,290
However, it does not prevent previous issues.

10
00:00:50,310 --> 00:00:58,140
So what that means is, if an admin has stored a Group Policy Preference embedded credential before the

11
00:00:58,140 --> 00:01:04,440
patch was implemented, then this will still display a credential to us.

12
00:01:04,440 --> 00:01:10,770
Now most of the time these credentials are domain admin credentials and will allow us access to domain

13
00:01:10,830 --> 00:01:12,340
admin accounts.

14
00:01:12,360 --> 00:01:18,180
This is not going to come up that often, but it is still something that you should be checking for, because

15
00:01:18,180 --> 00:01:24,960
there are a lot of Server 2012 machines out there, for example, that this was not patched on, or that have been

16
00:01:24,960 --> 00:01:27,540
patched but that this was running on previously.

17
00:01:27,540 --> 00:01:32,880
So what we're gonna do is we're going to cover how to do this, and it's actually kind of difficult to

18
00:01:32,880 --> 00:01:34,830
set up in the lab environment.

19
00:01:34,830 --> 00:01:39,960
So what we're going to do is we're actually going to use Hack The Box to attack this. Before we do that,

20
00:01:39,960 --> 00:01:42,990
I am going to reference an article here.

21
00:01:42,990 --> 00:01:47,040
Now this article is by Rapid7, and I'm going to paste it down below.

22
00:01:47,060 --> 00:01:51,240
But this kind of shows you what GPP is and what the uses were.

23
00:01:51,240 --> 00:01:57,270
And you can see here that a password was stored, and if we scroll down quickly we can see that the

24
00:01:57,270 --> 00:01:59,310
password was stored in the SYSVOL.

25
00:01:59,310 --> 00:02:04,650
So as long as you have a user account and we can read that SYSVOL, and it says here any domain user, this

26
00:02:04,650 --> 00:02:07,470
is why this is a post-exploitation attack.

27
00:02:07,470 --> 00:02:12,870
Once we have a domain user, we can attempt to read this, since it's all stored here in the cPassword. You

28
00:02:12,870 --> 00:02:19,560
can see it all; all we have to do is run gpp-decrypt, which is built into Kali, and it will decrypt the

29
00:02:19,560 --> 00:02:20,510
password.

30
00:02:20,520 --> 00:02:24,530
Now there is this smb_enum_gpp here.

31
00:02:24,530 --> 00:02:27,810
This is a Metasploit module, and I really want you to write this down.

32
00:02:27,810 --> 00:02:29,730
This is how you would check for this.

33
00:02:29,730 --> 00:02:38,160
So, say you have a shell in Metasploit; you can background that shell, run the smb_enum_gpp,

34
00:02:38,190 --> 00:02:46,230
or you can run the post GPP, and see if you can't enumerate this and gain a username and password

35
00:02:46,230 --> 00:02:49,770
similar to this. I have seen this come up in previous assessments,

36
00:02:49,770 --> 00:02:53,910
and this is always something that you should be checking for, even if it's older.

37
00:02:53,910 --> 00:03:00,030
So from here we're going to utilize Hack The Box; there's a machine on there called Active.

38
00:03:00,030 --> 00:03:06,390
We're going to use that, and it's got two great examples of what we just learned on here, so I'm going

39
00:03:06,390 --> 00:03:10,640
to challenge you, once we get to the next video, on solving half of the equation.

40
00:03:10,650 --> 00:03:16,470
We'll walk through the first half and talk about this GPP and see a live example of it.

41
00:03:16,500 --> 00:03:21,890
So I'm going to go ahead and catch you over in the next video, when we explore this GPP attack.