svc_apache$


The gMSA svc_apache$ was compromised. The account is also a member of the Remote Management Users group, which grants WinRM access to the domain controller host dc01.heist.offsec (172.16.155.6).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ echo -e '[realms]\n\n\tHEIST.OFFSEC = {\n\t\tkdc = dc01.heist.offsec\n\t}' | sudo tee /etc/krb5.conf
[realms]
 
	HEIST.OFFSEC = {
		kdc = dc01.heist.offsec
	}

The [realms] entry written above points the Kerberos client at dc01 as the KDC for HEIST.OFFSEC, so a Kerberos-authenticated WinRM session to the host can be established. Lateral movement to the dc01.heist.offsec (172.16.155.6) host was then made as the svc_apache$ account via WinRM.
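The one-liner above writes only a [realms] stanza. The helper below, an added example that is not part of the original write-up, generates a fuller client krb5.conf for a single-realm lab domain: it keeps the realm and KDC from the write-up (HEIST.OFFSEC, dc01.heist.offsec) and adds [libdefaults] and [domain_realm] sections so Kerberos-aware tools map host names to the realm without being told it explicitly. The function names and the resolvability check are assumptions of this example; the lab itself only needs the KDC name to resolve, typically via an /etc/hosts entry.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): generate a client krb5.conf
# for a single-realm lab domain. Realm and KDC values are the ones used in the
# write-up; the [libdefaults] and [domain_realm] sections are additions so that
# Kerberos clients know the default realm and can map hosts to it.
set -eu

# gen_krb5_conf REALM KDC_FQDN -> prints a krb5.conf to stdout
gen_krb5_conf() {
    local realm="$1" kdc="$2"
    # the DNS domain is the realm in lower case (HEIST.OFFSEC -> heist.offsec)
    local domain
    domain="$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')"
    cat <<EOF
[libdefaults]
    default_realm = ${realm}
    dns_lookup_kdc = false
    rdns = false

[realms]
    ${realm} = {
        kdc = ${kdc}
        admin_server = ${kdc}
    }

[domain_realm]
    .${domain} = ${realm}
    ${domain} = ${realm}
EOF
}

# check_kdc_resolves KDC_FQDN -> 0 if the name resolves locally, 1 otherwise.
# Kerberos needs the KDC name resolvable; in a lab without DNS, add it to /etc/hosts.
check_kdc_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# write_krb5_conf REALM KDC_FQDN PATH -> writes the config, backing up any existing file
write_krb5_conf() {
    local realm="$1" kdc="$2" path="$3"
    if [ -e "$path" ]; then
        cp -p "$path" "${path}.bak"
    fi
    gen_krb5_conf "$realm" "$kdc" > "$path"
}

# Usage (as root, or pipe through sudo tee as in the write-up):
#   gen_krb5_conf HEIST.OFFSEC dc01.heist.offsec | sudo tee /etc/krb5.conf
#   check_kdc_resolves dc01.heist.offsec || echo "add 172.16.155.6 dc01.heist.offsec to /etc/hosts"
```

Keeping dns_lookup_kdc off with an explicit kdc line avoids the client falling back to SRV lookups that do not exist in a lab network; the backup in write_krb5_conf is there because Kali ships its own /etc/krb5.conf, which the tee in the write-up overwrites.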