Rebound is an Insane Windows machine featuring a tricky Active Directory environment. User enumeration via RID cycling reveals an AS-REP-roastable user, whose TGT is used to Kerberoast another user with a crackable password. Weak ACLs are abused to obtain access to a group with FullControl over an OU, performing a Descendant Object Takeover (DOT), followed by a ShadowCredentials attack on a user with winrm access. On the target system, cross-session relay is leveraged to obtain the NetNTLMv2 hash of a logged-in user, which, once cracked, leads to a gMSA password read. Finally, the gMSA account allows delegation, but without protocol transition. Resource-Based Constrained Delegation (RBCD) is used to impersonate the Domain Controller, enabling a DCSync attack, leading to fully elevated privileges.
Enumeration
IP Address: 10.10.11.231
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-port-scan
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
5985/tcp open wsman
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nmap -p53,88,135,139,389,445,5985 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-31 20:41:24Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-31T20:43:17+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-time:
| date: 2024-10-31T20:41:42
|_ start_date: N/A
|_clock-skew: 7h00m01s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Summary
* Open ports: 53,88,135,139,445,5985
* UDP open ports: 53,88,123,389
* Services: DNS - RPC - SMB - KERBEROS - LDAP - NTP - winRM
* Important notes: DNS:dc01.rebound.htb - Domain: rebound.htb
Before I start, I'd prefer to update the /etc/hosts file to prevent further issues and to communicate with the box easily without typing the IP each time.
I tried to query LDAP anonymously but got nothing from it.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $ldapsearch -H ldap://10.10.11.231 -x -s sub '*' -b "DC=rebound,DC=htb"
# LDAPv3
# base <DC=rebound,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: *
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090ACD, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
The last option now is Kerberos. With my username list, I can try two possible attacks, one common and one new to many people.
Let's check the validity of these credentials. Authentication to SMB worked, but LDAP failed.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u ldap_monitor -p '1GR8t@$$4u'
SMB 10.10.11.231 445 DC01 [+] rebound.htb\ldap_monitor:1GR8t@$$4u
┌──[kali@parrot]─[~/HackTheBox/platform/machines/Rebound/ldapdomaindump]
└──╼ $nxc ldap dc01 -u ldap_monitor -p '1GR8t@$$4u'
LDAPS 10.10.11.231 636 DC01 [-] rebound.htb\ldap_monitor:1GR8t@$$4u
LDAPS 10.10.11.231 636 DC01 [-] LDAPS channel binding might be enabled, this is only supported with kerberos authentication. Try using '-k'.
It looks like Kerberos authentication is required, so I will try again with -k.
I faced a Kerberos clock skew problem that the common solutions didn't fix, so I wrote this one-liner to sync with the DC every second. "Not the best way, but it worked :)"
while true; do ntpdate 10.10.11.231; sleep 1; done
With valid domain credentials, I can move on to the domain enumeration process: credentialed enumeration against LDAP and SMB, and a password spray. I will start with bloodhound.py
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $bloodhound-python -u 'ldap_monitor@rebound.htb' -p '1GR8t@$$4u' -ns 10.10.11.231 -d rebound.htb --zip -k
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.rebound.htb
INFO: Done in 00M 42S
INFO: Compressing output into 20241031191948_bloodhound.zip
Lateral Movement
I found that two users shared the same password, and the third was a group, not a user.
Looking at the permissions on the shares and the files inside them with the spider_plus module turned up nothing interesting. I will enumerate the domain manually with PowerView.py
User oorend has AddSelf on the ServiceMgmt group, so I was curious to see the ACLs of this group; I found that it has FullControl over the Organisational Unit (OU) Service Users.
When enumerating the domain objects under this OU, I found that it contains the winrm_svc account, which is a member of Remote Management Users, so it can access the machine via WinRM.
The exploitation path is: Abuse AddSelf => Abuse FullControl inheritance => ChangePassword of winrm_svc or Shadow Credentials
After getting a shell in Metasploit, I wanted to query logged-on users, but it didn't give me anything. However, when using logon type 9 (network logon), it showed that the user tbrady is logged on.
Looking in BloodHound at the privileges of that user, I found that it can read the gMSA account hash.
To get this account, I can use a cross-session relay attack, steal its NTLMv2 hash, and try to crack it.
Following this repo's instructions, I got these two commands.
I want to enumerate the delegation rights of the account delegator$
(impacket) ┌─[kali@parrot]─[/opt/impacket/bin]
└──╼ $findDelegation.py rebound.htb/'delegator$'@dc01 -hashes :ed8d95b20400dce3355419f277d3421c -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName AccountType DelegationType DelegationRightsTo SPN Exists
----------- ----------------------------------- -------------- --------------------- ----------
delegator$ ms-DS-Group-Managed-Service-Account Constrained http/dc01.rebound.htb No
From here, I stopped and couldn't go any further: the constrained delegation here is only for the http service, and I couldn't request a ticket impersonating the Administrator or DC01, so the following attack path is quite complicated and I will try to simplify it as much as I can.
Since I already control the delegator$ account, I can perform RBCD and add ldap_monitor to its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, so ldap_monitor can impersonate any user in the domain to delegator$.
Requesting a service ticket as ldap_monitor impersonating DC01, so the ticket will have the forwardable flag.
Using this ticket in place of the S4U2self ticket to request another ticket and impersonate the DC.
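Added example, not from the writeup: from the defender's side, the RBCD change in this step lands in the target account's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which is a binary self-relative security descriptor. This Python decodes one and lists the SIDs allowed to act, so an auditor can spot an unexpected principal on an account such as a gMSA or a Domain Controller; the SID used here is a constructed placeholder, and build_sd only produces a test vector.

```python
"""Audit helper for msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD).

Every SID in the descriptor's DACL may act on behalf of other identities
towards this account. On privileged accounts it should normally be empty.
Added example; the SID below is a constructed placeholder, not the box's.
"""
import struct

def parse_sid(buf, off):
    """Return (sid_string, byte_length) for the SID at buf[off]."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs))), 8 + 4 * count

def allowed_to_act(sd):
    """Return [(ace_type, access_mask, sid)] for each ACE in the descriptor's DACL."""
    rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or dacl_off == 0:  # 0x0004 = SE_DACL_PRESENT
        return []
    _arev, _s1, _size, ace_count, _s2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, aces = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        sid, _ = parse_sid(sd, off + 8)
        aces.append((ace_type, mask, sid))
        off += ace_size  # AceSize covers header, mask and SID
    return aces

def build_sd(sids):
    """Constructed test vector: a self-relative SD whose DACL grants each SID full control."""
    aces = b""
    for s in sids:
        parts = [int(x) for x in s.split("-")[1:]]
        rev, auth, subs = parts[0], parts[1], parts[2:]
        sid = (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
               + struct.pack("<%dI" % len(subs), *subs))
        aces += struct.pack("<BBHI", 0x00, 0x00, 8 + len(sid), 0x000F01FF) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    # Control 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT; DACL follows the 20-byte header
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

CONSTRUCTED_SID = "S-1-5-21-1111-2222-3333-1105"  # placeholder, not a real domain SID

if __name__ == "__main__":
    for ace_type, mask, sid in allowed_to_act(build_sd([CONSTRUCTED_SID])):
        print("ACE type %d mask 0x%08X: %s may act on behalf of other identities" % (ace_type, mask, sid))
```

In a live audit the raw attribute value read over LDAP is passed to allowed_to_act directly; any SID that is not expected there is worth investigating.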