So GPP stands for Group Policy Preferences allowed admins to create polices using embedded crentials. These credentials were encrypted and placed in a "cPassword".

The key was acccidently released, it has been patched in MS14-025 but doesnt prevent previous ones though. So if an admin stored embedded credentials before the patch then we ca still use this attack. Its not super duper common but still.

https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/

So to check for this we can use a auxilarry module its called smb_enum_gpp and see if you can gain a user name and password .

So if we are doing CTFs and looking for ports and the ports we look after are 53,88 (because its keteberos-sc) ,ldap,ldapssl so this suggests to us that this is a domain controller so now to ennumerate this we try to ennumerate smb ssooo port 445 so we try to connect to it by using smbclient -L .And try to get in to SYSVOL folder and there we will have a Group.xml file which is where the cpassword file is stored and that is what we need. and in the smbclient place we can get all them files by doing

recurse on

mget *

and now lets go to this Groups.xml and gg thats what we need and then we can use gpp-decrypt to decrypt that password.And then use psexec.py from the impacket tool kit to connect to that machine using the credentials.