Privilege Escalation Via Group Policy Preferences (GPP)
While this is not a new topic in the penetration testing world by any means [Chris Gates (@carnal0wnage) and others were speaking about this way back in 2012], it is still prevalent across many networks today. It is important enough to talk about because it is "low-hanging fruit" for pentesters (and hackers) and often one of the first things checked for after an initial foothold into a network, as it can quickly allow escalation to Local Administrator and lateral movement. At that point, it is often just a matter of time before complete Domain compromise.
In this post we will explore Group Policy Preferences (GPP), the Windows Active Directory feature introduced with Server 2008, and how this feature can be exploited to obtain cleartext credentials for privileged accounts in the Domain.
The past couple of days I've been building out the lab that will be utilized for a lot of my tool demonstrations and exploit walkthroughs presented on this blog. The setup is beautifully simple: a Windows Active Directory Domain environment with several connected workstations of various OS versions and patch status. This lab will at least vaguely mimic some key aspects of a typical corporate Windows environment and will allow for lateral movement and privilege escalation scenarios across the Domain. As you'll quickly notice upon reviewing the listing of lab machines below, there is a definite theme to this blog (got […]
Welcome to my new blog! The intent of this page is to post on security issues that I'm researching or witness during penetration testing engagements. I hope this page will serve as a reference for other penetration testers as well as system administrators (as I will often propose mitigation strategies for the issues presented). Please feel free to leave any constructive feedback as I begin posting. About Me: I'm a penetration tester who got his start as a government employee working for the Department of Defense (DOD) in a five-sided building. During this time, I got hands-on experience building, growing and "selling" proactive security […]