
Every ethical hacker at some point comes across the Groups.xml file, a distant artifact of a less secure time in Windows history. These files still exist out in the wild, of course, and knowing how to exploit them is part of an essential ethical hacking education.

In terms of what you should ask your company’s pentester, “how would you exploit the Groups.xml file?” is one of the most basic questions they should be able to answer.

So how does one set up a lab and exploit the Groups.xml file themselves? Like many articles I write, such as how to add exploits to Metasploit, this is one where I fill a need that no one else seems to care to fill.

Where else do you see an example of how to set up your own lab, create your own Groups.xml file and then exploit it? I’ll wait…

Here’s What You Need

Install Domain Controller

To set up the 2008 server as a domain controller, first add the Active Directory Domain Services role.

Now promote the server to Domain Controller.

Creating New Local Users

The next step is to create a new local user through a Group Policy object. First create a new GPO and then click Edit on it.

Now, under Local Users and Groups, click to create a new user.

Be sure to change the default action of Update to Create.

Now, to kick off the changes, run the gpupdate /force command to apply the GPO settings.

Decrypt In Kali Linux

Kali Linux comes with a script, gpp-decrypt, that can decrypt the cpassword value.

Run this command to decrypt the cpassword value, since Microsoft so brilliantly published the key you need to decrypt the encryption scheme.

kali@kali:~$ gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE

As you can see, I now have the password for the user that was created using the Group Policy Editor on the Windows 2008 R2 server.
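As an added example (not part of the original post), here is a small Python auditor that parses a Groups.xml file and reports every user entry that still carries a cpassword attribute, which is exactly what a defender should be hunting for in SYSVOL. The sample file, the labuser name and the clsid/uid placeholders are constructed; the cpassword value is the one shown above, and the check that it decodes to whole 16-byte AES blocks is an assumption about a well-formed value.

```python
import base64
import xml.etree.ElementTree as ET

# Action codes carried by the Properties element of a GPP Groups.xml entry.
ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}

def decode_cpassword(cpassword):
    """Re-pad the unpadded base64 cpassword and return the raw ciphertext,
    or None if the attribute is not valid base64."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:
        return None

def audit_groups_xml(xml_text, path="Groups.xml"):
    """Return one finding per <User> element that still carries a cpassword."""
    findings = []
    for user in ET.fromstring(xml_text).iter("User"):
        props = user.find("Properties")
        cpw = props.get("cpassword") if props is not None else None
        if not cpw:
            continue
        raw = decode_cpassword(cpw)
        findings.append({
            "file": path,
            "userName": props.get("userName") or user.get("name", ""),
            "action": ACTIONS.get(props.get("action", ""), "Unknown"),
            "changed": user.get("changed", ""),
            "ciphertext_bytes": len(raw) if raw else 0,
            # A well-formed value decodes to whole AES blocks (16-byte multiple).
            "valid_aes_blocks": bool(raw) and len(raw) % 16 == 0,
        })
    return findings

# Constructed sample: clsid/uid are placeholders, cpassword is the value from the post.
SAMPLE_GROUPS_XML = """<Groups clsid="{PLACEHOLDER-CLSID}">
  <User clsid="{PLACEHOLDER-CLSID}" name="labuser" image="0"
        changed="2020-05-01 12:00:00" uid="{PLACEHOLDER-UID}">
    <Properties action="C" cpassword="VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE"
        changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" userName="labuser"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for finding in audit_groups_xml(SAMPLE_GROUPS_XML):
        print(finding)
```

Feed it the contents of each Groups.xml found under the SYSVOL share to get an inventory of leftover GPP passwords without ever decrypting them.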

How did this vulnerability get resolved? Microsoft patched it eventually, and it is not present in newer Windows Server versions such as 2019. Note that the patch removed the ability to set new passwords through the policy editor, but any Groups.xml files already sitting in SYSVOL keep their cpassword values until someone removes them, which is why they still turn up in the wild.
