PRIMARY CATEGORY → WINDOWS PRIVESC
GPO (Group Policy Object) and GPP (Group Policy Preferences) configuration files are stored in the SYSVOL shared folder
This share is replicated to every DC and all authenticated domain users have read permission on it
Every domain computer needs to read SYSVOL in order to download and apply the GPOs and GPPs defined on the DC, which is why the read permission is so broad
Related Path → \\DOMAIN.LOCAL\SYSVOL\DOMAIN.LOCAL\Policies\
When a GPP that creates or manages Local User Accounts (including setting their passwords) is configured, a Groups.xml file is written under that policy's Machine\Preferences\Groups\ (or User\Preferences\Groups\) directory. Other preference types store passwords the same way: Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml
This file is part of the configuration stored in SYSVOL and can contain sensitive data such as →
- Username
- CPassword
The latter stores the user password encrypted with AES-256 in CBC mode. But since Microsoft published the static 32-byte key in the GPP documentation, anyone who can read the file can recover the password in plain text. MS14-025 (KB2962486) stopped the management tools from writing new cpassword values, but it did not remove the ones already in SYSVOL, so stale entries are still found in patched domains
As all authenticated domain users have read permission on SYSVOL, any domain user can read this file
GPP Decryption
gpp-decrypt
gpp-decrypt <CPASSWORD>