less than 1 minute read


Decrypt the password and submit it as the flag!

Chall file

Author - maniac


This is a chall about the Active Directory’s Group Policy Preferences. It is a Windows feature that allows sysadmins to configure machines remotely. It is vulnerable because the password can be easily recovered by an attacker.

The file Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml contains a field cpassword="HlQWFdlPXQTU7n8W9VbsVTP245DcAJAUQeAZZfkJE/Q8ZlWgwj7CqKl6YiPvKbQFO7PWS7rSwbVtSSZUhJSj5YzjbkKtyXR5fP9VQDEieMU", which is the crypted password that we want.

I used gp3finder to decrypt it, which yields: