Gpp

GPP credentials. Still out there in the wild. Active is one of those machines that aged into a legend - the technique it teaches was patched in 2014, but the lesson sticks forever. Classic AD box, clean attack path, zero fluff. Machine info Name Active Platform HackTheBox OS Windows Difficulty Easy TL;DR Anonymous SMB access exposes the Replication share, which contains a Groups.xml file with a GPP-encrypted password for SVC_TGS gpp-decrypt recovers the plaintext: GPPstillStandingStrong2k18 Authenticated as SVC_TGS, the Users share is readable - user flag sitting in SVC_TGS\Desktop Kerberoasting as SVC_TGS returns an Administrator TGS ticket; John cracks it to Ticketmaster1968 impacket-psexec with Administrator creds gives a SYSTEM shell Recon Port scan The scan reveals a textbook Domain Controller fingerprint - DNS on 53, RPC on 135 and 593, SMB on 445, LDAP Global Catalog on 3269, Active Directory Web Services on 9389, and a pile of dynamic RPC ports in the high range. ...