Group Policy Preferences let domain administrators embed credentials in a policy; the password is stored encrypted in an attribute called cPassword. Microsoft accidentally released the key used for this encryption, so on unpatched servers (typically Server 2012 and earlier) any domain user can read SYSVOL and decrypt cPassword values to obtain domain administrator credentials.
Exploit: Metasploit
The Metasploit module smb_enum_gpp can be used to access SYSVOL over SMB and decrypt cPassword values.
Exploit: Manual
The Replication SMB share can be accessed by all domain users and is not listed by default (unless the share was misconfigured with anonymous access). Look for the cPassword attribute in Groups.xml among the downloaded files. Use gpp-decrypt $CPASSWORD to decrypt the attribute into a valid password. The corresponding username is also in the XML file.
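As an added defensive check (not code from the original page), the following Python script parses GPP preference files such as Groups.xml and reports every entry that still carries a cpassword attribute, without decrypting it, so the entries can be removed from SYSVOL. The sample XML, the list of preference file names and the account-attribute names it looks at are assumptions made for this example.

```python
"""Audit Group Policy Preference (GPP) XML files for leftover cpassword
attributes. Added defensive example, not code from the original page; the
sample XML and its cpassword value are constructed and not a real credential.
Run against a copy of SYSVOL (or the share itself) to find entries to remove."""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Preference files that may carry a cpassword attribute (assumed list).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute names that hold the account the cpassword belongs to (assumed).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed Groups.xml sample with one local-user entry.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_backup">
    <Properties action="U" cpassword="EXAMPLE_NOT_A_REAL_VALUE"
                neverExpires="1" userName="svc_backup"/>
  </User>
</Groups>"""


def find_cpasswords(xml_text: str, source: str = "<string>") -> List[Dict[str, str]]:
    """Return one finding per element carrying a non-empty cpassword attribute.
    The ciphertext itself is neither returned nor decrypted, only its presence."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.attrib.get("cpassword"):
            continue  # no attribute, or empty string (password already cleared)
        owner = parents.get(elem, elem)  # e.g. the <User> wrapping <Properties>
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib),
                       owner.attrib.get("name", "?"))
        findings.append({"source": source, "element": owner.tag, "account": account})
    return findings


def audit_sysvol(root_dir: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL tree and collect findings from every GPP preference file."""
    results = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    results.extend(find_cpasswords(fh.read(), path))
    return results


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['source']}: {f['element']} entry for '{f['account']}' still has a cpassword")
```

Point audit_sysvol at a mounted SYSVOL path to list every policy file that still needs its cpassword entry removed after patching.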