In this post, I would like to share a walkthrough of the Rebound machine from Hack The Box.


Rebound is rated as an Insane machine on Hack The Box.

What will you gain from the Rebound machine?


For the user flag, you will need to infiltrate an Active Directory environment ripe with vulnerabilities. It starts with a RID-cycling attack to compile a user inventory, followed by a combination of AS-REP roasting and Kerberoasting to obtain a crackable hash for a service account. The recovered password is reused by a domain user, which lets us identify a weak ACL granting control over a critical group. With access to that group, I can either reset the password of, or add shadow credentials to, another user who has WinRM access.


For the root flag, you need to execute a cross-session relay attack with RemotePotato0 to capture a hash for the next user, who is able to read the gMSA password of a further service account. That account is configured for constrained delegation, and exploiting the delegation together with RBCD yields a ticket as the DC machine account, which in turn allows dumping the hashes of the whole domain.

For those who want to learn or improve their cyber security skills, especially red teaming and blue teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.

The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259

Information Gathering on Rebound Machine


Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can begin with an Nmap scan.

─[darknite@parrot]─[~/Documents/htb/Rebound]
└──╼ $ nmap -sC -sV 10.10.11.231 -oA initial -Pn --min-rate 1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-08 01:28 EDT
Nmap scan report for rebound.htb (10.10.11.231)
Host is up (0.019s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-08 12:28:35Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time: 
|   date: 2023-10-08T12:29:17
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.12 seconds

There is no port 80, so no HTTP service is listed in the Nmap output.

From the services that are open (DNS, Kerberos on 88, LDAP on 389/636/3268/3269, SMB on 445) this machine is clearly a domain controller: dc01.rebound.htb, for the rebound.htb domain. Two details in the scan matter later: the DC's clock is about seven hours ahead of ours, and SMB signing is enabled and required, so relaying captured NTLM authentication to SMB on the DC is not an option.


The list of users obtained by RID cycling looks like the screenshot above.


Feeding that user file to the AS-REP roasting tool, we get back hashes for some of the users.


Next, we attempt Kerberoasting against the domain.


The attempt fails because of the clock skew seen in the Nmap scan: Kerberos rejects requests whose timestamp is more than five minutes off from the KDC (KRB_AP_ERR_SKEW). To fix this, we sync our clock with the DC using the ntpdate command.


Boom! We get hashes for a few users, such as nnoon and tbrady.


Let's save the hashes into a new file, as shown in the screenshot above.
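Before pointing a cracker at that file, it is worth knowing what is in it. AS-REP and TGS-REP hashes have different layouts and may use different encryption types, and a mixed file run with the wrong mode silently cracks nothing. The following Python script is an added example, not part of the original post: it sorts roasting output into the hashcat modes and pulls out the account names. The hash strings, account names and SPNs in it are constructed filler in the layouts impacket's GetNPUsers.py and GetUserSPNs.py print, not hashes from the machine.

```python
"""Triage Kerberos roasting output by hash type and encryption type.

Added example, not from the original post. The sample hashes below are
constructed (hex filler) in the layouts impacket prints.
"""
import re
from collections import defaultdict

# (kind, etype) -> hashcat -m value. John picks the format from the prefix itself.
HASHCAT_MODES = {
    ("asrep", 23): 18200,  # AS-REP, RC4-HMAC (account without pre-authentication)
    ("tgs", 23): 13100,    # TGS-REP, RC4-HMAC (classic Kerberoast)
    ("tgs", 17): 19600,    # TGS-REP, AES128 - far slower to crack
    ("tgs", 18): 19700,    # TGS-REP, AES256 - far slower to crack
}

# $krb5asrep$23$user@REALM:checksum$edata   (GetNPUsers.py -format hashcat;
# the john layout omits the "23$" and is RC4 as well)
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(?P<etype>\d+)\$)?(?P<user>.+?)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)
# $krb5tgs$23$*user$REALM$spn*$checksum$edata   (RC4)
# $krb5tgs$18$user$REALM$*spn*$checksum$edata   (AES, GetUserSPNs.py)
# $krb5tgs$18$user$REALM$checksum$edata         (AES without the SPN field)
TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*?(?P<user>.+?)\$(?P<realm>[A-Za-z0-9.\-]+)\$"
    r"(?:\*?(?P<spn>[^*$]+)\*?\$)?(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)

SAMPLE_HASHES = [  # constructed, not real hashes
    "$krb5asrep$23$nopreauth_user@REBOUND.HTB:" + "1a" * 16 + "$" + "2b" * 40,
    "$krb5tgs$23$*svc_ldap$REBOUND.HTB$rebound.htb/svc_ldap*$" + "3c" * 16 + "$" + "4d" * 40,
    "$krb5tgs$18$svc_aes$REBOUND.HTB$*http/dc01.rebound.htb*$" + "5e" * 12 + "$" + "6f" * 40,
]


def parse_hash(line):
    """Return a dict describing one hash line, or None if it is not recognised."""
    line = line.strip()
    m = ASREP_RE.match(line)
    if m:
        return {"kind": "asrep", "etype": int(m.group("etype") or 23),
                "account": m.group("user"), "realm": m.group("realm"), "spn": None, "hash": line}
    m = TGS_RE.match(line)
    if m:
        return {"kind": "tgs", "etype": int(m.group("etype")),
                "account": m.group("user"), "realm": m.group("realm"), "spn": m.group("spn"), "hash": line}
    return None


def triage(lines):
    """Group hash lines by hashcat mode; lines that do not parse land under None."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        info = parse_hash(line)
        mode = HASHCAT_MODES.get((info["kind"], info["etype"])) if info else None
        groups[mode].append(info or {"hash": line.strip()})
    return dict(groups)


def cracking_plan(groups):
    """One hashcat command per mode, RC4 modes first; None means 'look at it by hand'."""
    plan = []
    for mode, entries in sorted(groups.items(), key=lambda kv: (kv[0] is None, kv[0] or 0)):
        if mode is None:
            plan.append(f"# {len(entries)} line(s) not recognised")
            continue
        accounts = ",".join(e["account"] for e in entries)
        plan.append(f"hashcat -m {mode} hashes_{mode}.txt rockyou.txt   # {accounts}")
    return plan


if __name__ == "__main__":
    groups = triage(SAMPLE_HASHES)
    for mode, entries in groups.items():
        for e in entries:
            print(mode, e.get("kind"), e.get("account"), e.get("spn"))
    print("\n".join(cracking_plan(groups)))
```

The AES (etype 17/18) entries are the ones to crack last: the same password, but each guess costs thousands of PBKDF2 iterations instead of one RC4 key derivation.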


At last, we manage to crack the password for one user.


Information about ldapdomaindump can be found here.


Let's run ldapdomaindump with the credentials we have, as shown above.


After a while, we find three users for whom the credentials are valid.


Before we proceed further, let's collect the domain data and download the archive so it can be analysed in BloodHound.


Let's analyse the relationships in BloodHound.


We obtain a Kerberos ticket for ldap_monitor and save it as ldap_monitor.ccache.



We can use powerview.py to change the password of winrm_svc.


Let's abuse the weak DACL by changing the ACL with dacledit.



At last, we can log in with the password we set earlier.



We can read the user flag by typing the “type user.txt” command

Escalating to Root Privileges



Let's run RemotePotato0 on the victim machine to capture the NTLMv2 response of the user logged on in another session.


On our machine, we need socat to forward the connection coming from the target, with ntlmrelayx running to receive the relayed authentication.


As a result, we obtain an NTLMv2 hash, which we copy into a file for cracking.


We can crack the hash with John the Ripper, which gives us tbrady's password.
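What the relay actually hands to John is not a password hash but the NTLMv2 response computed over the server challenge, and the cracker has to recompute that response per candidate. The following Python script is an added example, not code from the original post or from RemotePotato0: it builds an NTLM CHALLENGE and AUTHENTICATE pair (constructed, with a known NT hash), turns the pair into the NetNTLMv2 line John and hashcat (mode 5600) accept, and then performs the per-candidate check a cracker does. The user name, domain, challenges, timestamp and NT hash are placeholders, not values from the machine.

```python
"""Turn a captured NTLM exchange into a crackable NetNTLMv2 line and check a
candidate NT hash against it.

Added example, not from the original post. The CHALLENGE/AUTHENTICATE messages
are constructed here with a known NT hash so the whole flow runs offline.
"""
import hashlib
import hmac
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001

# Constructed sample: the NT hash of the literal string "password" (MD4 of its
# UTF-16LE encoding). A cracker derives this from each wordlist candidate.
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
SAMPLE_SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_CLIENT_CHALLENGE = bytes.fromhex("99aabbccddeeff00")
SAMPLE_TIMESTAMP = 133_410_000_000_000_000  # FILETIME, constructed


def _field(data_len, offset):
    """Len / MaxLen / BufferOffset triple used by every NTLM payload field."""
    return struct.pack("<HHI", data_len, data_len, offset)


def _read(msg, pos):
    ln, _, off = struct.unpack_from("<HHI", msg, pos)
    return msg[off:off + ln]


def build_challenge(server_challenge, target_name="REBOUND"):
    """Minimal NTLM CHALLENGE (type 2) message as the relay would send it."""
    name = target_name.encode("utf-16le")
    # AV pairs: MsvAvNbDomainName (2) then MsvAvEOL (0)
    target_info = struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)
    header_len = 56  # fixed part through the 8-byte Version field
    return (NTLMSSP + struct.pack("<I", 2)
            + _field(len(name), header_len)
            + struct.pack("<I", NEGOTIATE_UNICODE)
            + server_challenge + b"\x00" * 8
            + _field(len(target_info), header_len + len(name))
            + b"\x00" * 8
            + name + target_info)


def target_info_of(challenge_msg):
    return _read(challenge_msg, 40)


def ntowf_v2(nt_hash, user, domain):
    """NTLMv2 key: HMAC-MD5(NT hash, UPPER(user) || domain), both UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def build_authenticate(user, domain, nt_hash, server_challenge, client_challenge, timestamp, target_info):
    """NTLM AUTHENTICATE (type 3) carrying an NTLMv2 response, as the client sends it."""
    # "temp" blob per MS-NLMP: RespType, HiRespType, 6 reserved, time, client nonce, 4 reserved, AV pairs, 4 reserved
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    payload = [b"\x00" * 24,                       # LMv2 response: irrelevant for cracking, zeroed
               nt_proof + blob,                     # NtChallengeResponse = NTProofStr || blob
               domain.encode("utf-16le"), user.encode("utf-16le"),
               "WS01".encode("utf-16le"), b""]      # workstation, encrypted session key (none)
    header_len = 88  # six fields, flags, Version and MIC
    fields, offset = b"", header_len
    for part in payload:
        fields += _field(len(part), offset)
        offset += len(part)
    return (NTLMSSP + struct.pack("<I", 3) + fields + struct.pack("<I", NEGOTIATE_UNICODE)
            + b"\x00" * 8 + b"\x00" * 16 + b"".join(payload))


def netntlmv2_line(challenge_msg, authenticate_msg):
    """Build the hashcat -m 5600 / john netntlmv2 line from the two captured messages."""
    if challenge_msg[:8] != NTLMSSP or struct.unpack_from("<I", challenge_msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE message")
    if authenticate_msg[:8] != NTLMSSP or struct.unpack_from("<I", authenticate_msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    server_challenge = challenge_msg[24:32]
    flags = struct.unpack_from("<I", authenticate_msg, 60)[0]
    enc = "utf-16le" if flags & NEGOTIATE_UNICODE else "latin-1"  # OEM code page varies; latin-1 is an approximation
    nt_response = _read(authenticate_msg, 20)
    if len(nt_response) <= 24:
        raise ValueError("NTLMv1/LM response: not an NTLMv2 exchange")
    domain = _read(authenticate_msg, 28).decode(enc)
    user = _read(authenticate_msg, 36).decode(enc)
    return f"{user}::{domain}:{server_challenge.hex()}:{nt_response[:16].hex()}:{nt_response[16:].hex()}"


def check_candidate(line, nt_hash):
    """What the cracker does per candidate: recompute NTProofStr and compare."""
    user, _, domain, chal, proof, blob = line.split(":", 5)
    expect = hmac.new(ntowf_v2(nt_hash, user, domain), bytes.fromhex(chal) + bytes.fromhex(blob), hashlib.md5).digest()
    return hmac.compare_digest(expect, bytes.fromhex(proof))


if __name__ == "__main__":
    chal = build_challenge(SAMPLE_SERVER_CHALLENGE)
    auth = build_authenticate("jdoe", "REBOUND", SAMPLE_NT_HASH, SAMPLE_SERVER_CHALLENGE,
                              SAMPLE_CLIENT_CHALLENGE, SAMPLE_TIMESTAMP, target_info_of(chal))
    line = netntlmv2_line(chal, auth)
    print(line)
    print("password matches:", check_candidate(line, SAMPLE_NT_HASH))
```

Two things this makes visible: the response is bound to the server challenge, so a captured line cannot be replayed, only cracked or relayed live; and the user name is upper-cased in the key derivation while the domain is used as sent, which is why a line copied with a mangled domain field will never crack.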


After a while, we can use the hashes against LDAP.


After some research, we install libfaketime, which lets us run a single tool with a clock offset matching the DC instead of changing the system time again, as shown above.
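The clock skew came up twice on this box, once when Kerberoasting failed until ntpdate was run, and again here with libfaketime. As an added example, not from the original post, the Python script below reads the skew straight out of the Nmap ssl-date line, checks it against the KDC's tolerance and works out the offset to hand to libfaketime. The ssl-date line is the one from the scan above; the "scanner time" is constructed to match its +7h report; the five-minute tolerance is the Windows KDC default (MaxClockSkew); and the relative-offset syntax passed to faketime is an assumption taken from libfaketime's documentation rather than something the post shows.

```python
"""Check whether our clock is inside the KDC's tolerance and compute the
libfaketime offset.

Added example, not from the original post. SAMPLE_SCANNER_TIME is constructed;
the ssl-date line is copied from the scan in the post.
"""
import re
from datetime import datetime, timedelta, timezone

MAX_CLOCK_SKEW = timedelta(minutes=5)  # Windows KDC default; beyond it: KRB_AP_ERR_SKEW

SAMPLE_SSL_DATE = "|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time."
SAMPLE_SCANNER_TIME = datetime(2023, 10, 8, 5, 29, 23, tzinfo=timezone.utc)  # constructed

_OFFSET_RE = re.compile(r"^([+-]?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def parse_offset(text):
    """nmap's skew notation ('+7h00m00s', '-3m', '12s', '0s') -> timedelta."""
    text = text.strip()
    m = _OFFSET_RE.match(text)
    if not m or text in ("", "+", "-"):
        raise ValueError(f"bad offset: {text!r}")
    sign = -1 if m.group(1) == "-" else 1
    hours, minutes, seconds = (int(g or 0) for g in m.groups()[1:])
    return sign * timedelta(hours=hours, minutes=minutes, seconds=seconds)


def parse_ssl_date_line(line):
    """Return (server_time, skew_reported_by_nmap) from an nmap ssl-date line."""
    m = re.search(r"ssl-date:\s*(\S+);\s*(\S+) from scanner time", line)
    if not m:
        raise ValueError("not an ssl-date line")
    server = datetime.fromisoformat(m.group(1))
    if server.tzinfo is None:          # nmap may print the time without a zone; it is UTC
        server = server.replace(tzinfo=timezone.utc)
    return server, parse_offset(m.group(2))


def kerberos_accepts(skew):
    """True if a request with this clock difference is inside the KDC's tolerance."""
    return abs(skew) <= MAX_CLOCK_SKEW


def faketime_offset(skew):
    """Relative offset for libfaketime: '+7h', '-90m', else plain seconds.
    Assumption: unit suffixes as documented in the libfaketime README."""
    secs = int(round(skew.total_seconds()))
    sign = "-" if secs < 0 else "+"
    secs = abs(secs)
    if secs and secs % 3600 == 0:
        return f"{sign}{secs // 3600}h"
    if secs and secs % 60 == 0:
        return f"{sign}{secs // 60}m"
    return f"{sign}{secs}"


def assess(line, scanner_now):
    """Compare the DC's clock with ours and say whether Kerberos will accept us."""
    server, reported = parse_ssl_date_line(line)
    skew = server - scanner_now
    return {
        "server_time": server,
        "skew": skew,
        "reported": reported,
        "consistent": abs(skew - reported) <= timedelta(seconds=2),
        "kerberos_ok": kerberos_accepts(skew),
        "faketime": faketime_offset(skew),
    }


if __name__ == "__main__":
    info = assess(SAMPLE_SSL_DATE, SAMPLE_SCANNER_TIME)
    print(f"DC clock {info['server_time']}  skew {info['skew']}  kerberos_ok={info['kerberos_ok']}")
    if not info["kerberos_ok"]:
        print("either:  sudo ntpdate dc01.rebound.htb            (changes the system clock)")
        print(f"or:      faketime -f '{info['faketime']}' <tool>   (per-process, assumption on syntax)")
```

The `consistent` field is a sanity check: the skew computed from the timestamps should agree with the offset Nmap printed; if it does not, the local clock moved between the scan and now (for example, ntpdate was already run).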


I see that tbrady has permission to read the gMSA password of the delegator account.


We can also verify the gMSA password using crackmapexec.
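What tools such as crackmapexec read here is the msDS-ManagedPassword attribute, an MSDS-MANAGEDPASSWORD_BLOB rather than a printable password. The current password is 256 bytes of UTF-16LE that is usually not valid text, so the NT hash the tools display is MD4 over the raw bytes, not over a decoded string. The Python script below is an added example, not from the original post: it builds a constructed blob in that layout, parses it back and derives the NT hash. The MD4 is a small pure-Python implementation because hashlib's md4 is disabled on many current OpenSSL builds; the passwords and intervals are constructed sample data.

```python
"""Parse an MSDS-MANAGEDPASSWORD_BLOB (gMSA msDS-ManagedPassword) and derive
the NT hash of the current password.

Added example, not from the original post. The blob is constructed here; on a
real domain it is returned over a sealed LDAP connection to authorised readers.
"""
import struct
from datetime import timedelta


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (hashlib's md4 is often unavailable)."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z & mask)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + func(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash = MD4 over the raw UTF-16LE bytes (no decoding, no terminator)."""
    return md4(password_utf16le).hex()


TICK = 10_000_000  # intervals are 100-nanosecond units


def build_managed_password_blob(current, previous, query_interval, unchanged_interval):
    """Constructed blob in the MSDS-MANAGEDPASSWORD_BLOB layout (for the demo only)."""
    body = bytearray(current + b"\x00\x00")          # CurrentPassword, null-terminated
    prev_off = 0                                      # 0 = no previous password
    if previous is not None:
        prev_off = 16 + len(body)
        body += previous + b"\x00\x00"
    while (16 + len(body)) % 8:                       # align the intervals
        body.append(0)
    q_off = 16 + len(body)
    body += struct.pack("<Q", int(query_interval.total_seconds()) * TICK)
    u_off = 16 + len(body)
    body += struct.pack("<Q", int(unchanged_interval.total_seconds()) * TICK)
    # Version, Reserved, Length, CurrentPasswordOffset, PreviousPasswordOffset,
    # QueryPasswordIntervalOffset, UnchangedPasswordIntervalOffset
    header = struct.pack("<HHIHHHH", 1, 0, 16 + len(body), 16, prev_off, q_off, u_off)
    return header + bytes(body)


def _utf16z(blob, off):
    """Bytes of a UTF-16LE string up to its 2-byte terminator, scanning per code unit."""
    end = off
    while blob[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    if blob[end:end + 2] == b"":
        raise ValueError("unterminated UTF-16 string")
    return bytes(blob[off:end])


def parse_managed_password_blob(blob):
    """Return the current/previous password bytes, the intervals and the NT hash."""
    version, _reserved, length, cur_off, prev_off, q_off, u_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 managed password blob")
    current = _utf16z(blob, cur_off)
    previous = _utf16z(blob, prev_off) if prev_off else None
    q_ticks = struct.unpack_from("<Q", blob, q_off)[0]
    u_ticks = struct.unpack_from("<Q", blob, u_off)[0]
    return {
        "current_password": current,
        "previous_password": previous,
        "query_interval": timedelta(microseconds=q_ticks // 10),
        "unchanged_interval": timedelta(microseconds=u_ticks // 10),
        "nt_hash": nt_hash(current),
    }


# Constructed: 256 pseudo-random bytes, like a real gMSA password (not valid text)
SAMPLE_CURRENT = bytes((i * 37 + 11) % 256 for i in range(256))
SAMPLE_PREVIOUS = "OldManagedPassword".encode("utf-16le")

if __name__ == "__main__":
    blob = build_managed_password_blob(SAMPLE_CURRENT, SAMPLE_PREVIOUS, timedelta(days=30), timedelta(days=30))
    info = parse_managed_password_blob(blob)
    print("current password bytes:", len(info["current_password"]), "NT hash:", info["nt_hash"])
    print("previous password:", info["previous_password"].decode("utf-16le"))
    print("rotation interval:", info["query_interval"])
```

The previous password is kept in the blob for the rotation window; if a hash stops working, re-read the attribute rather than assuming the account was locked.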


We should now be able to request a ticket and store it in a ccache file.


Therefore, let's configure resource-based constrained delegation (RBCD) for ldap_monitor.


As a result, we can obtain a ticket as dc01.


We can then export the ticket so that the next tool uses it.


We can impersonate dc01 for the browser SPN.


Therefore, let's request a ticket through the delegator account.
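The sequence of tickets above is easier to follow once the KDC's two checks are written down. The Python script below is an added example, not from the original post: a simplified model of the S4U2Self and S4U2Proxy rules (from MS-SFU) that replays the chain. The delegator's constrained delegation fails on its own because, without protocol transition, its S4U2Self ticket is not forwardable; RBCD from ldap_monitor to the delegator yields a forwardable ticket as the DC machine account, and that ticket is accepted as evidence for the classic hop to the DC. The SPNs (browser/... on the delegator, http/... on the DC) and the account flags are assumptions for the model, not values read from the page, and the real KDC applies more checks than these (Protected Users, ticket signatures).

```python
"""Toy model of the KDC checks behind constrained delegation and RBCD,
replaying the chain used for the root flag.

Added example, not from the original post. Account flags and SPNs are
assumptions for the model, simplified from MS-SFU.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    spns: set = field(default_factory=set)
    allowed_to_delegate_to: set = field(default_factory=set)    # msDS-AllowedToDelegateTo
    protocol_transition: bool = False                           # TRUSTED_TO_AUTH_FOR_DELEGATION
    allowed_to_act_on_behalf: set = field(default_factory=set)  # msDS-AllowedToActOnBehalfOfOtherIdentity
    sensitive: bool = False                                     # "account is sensitive and cannot be delegated"


@dataclass
class ServiceTicket:
    client: str        # who the ticket says is authenticating
    service: str       # account the ticket is encrypted to
    forwardable: bool
    via: str = "as-req"


class DelegationError(Exception):
    pass


def owner_of(spn, directory):
    for acct in directory.values():
        if spn.lower() in {s.lower() for s in acct.spns}:
            return acct
    raise DelegationError(f"no account holds SPN {spn}")


def s4u2self(service, client):
    """Service asks for a ticket to itself on behalf of client. Always issued, but
    FORWARDABLE only with protocol transition and a client that is not sensitive."""
    return ServiceTicket(client=client.name, service=service.name,
                         forwardable=service.protocol_transition and not client.sensitive,
                         via="s4u2self")


def s4u2proxy(service, evidence, target_spn, directory):
    """Service presents evidence (a ticket to itself) to get a ticket to target_spn."""
    if evidence.service != service.name:
        raise DelegationError("evidence ticket is not for the requesting service")
    target = owner_of(target_spn, directory)
    if directory[evidence.client].sensitive:
        raise DelegationError(f"{evidence.client} cannot be delegated")
    # Classic constrained delegation: the *service's* attribute lists the target,
    # and the evidence ticket must be forwardable.
    classic = target_spn.lower() in {s.lower() for s in service.allowed_to_delegate_to}
    if classic and evidence.forwardable:
        return ServiceTicket(evidence.client, target.name, True, via="constrained")
    # RBCD: the *target's* attribute lists the service; forwardable is not required.
    if service.name in target.allowed_to_act_on_behalf:
        return ServiceTicket(evidence.client, target.name, True, via="rbcd")
    reason = "evidence ticket is not forwardable" if classic else "no delegation configured"
    raise DelegationError(f"{service.name} -> {target_spn} for {evidence.client}: {reason}")


def build_directory():
    """Assumed accounts: SPNs and flags are model inputs, not values from the page."""
    return {a.name: a for a in [
        Account("DC01$", spns={"http/dc01.rebound.htb", "ldap/dc01.rebound.htb"}),
        Account("delegator$", spns={"browser/dc01.rebound.htb"},
                allowed_to_delegate_to={"http/dc01.rebound.htb"}),
        Account("ldap_monitor"),
    ]}


def run_chain(directory):
    """Replay the chain; returns (step, outcome) pairs, outcome a ticket or an error text."""
    steps = []
    delegator, monitor, dc = directory["delegator$"], directory["ldap_monitor"], directory["DC01$"]
    # 1. delegator$ alone: S4U2Self works but is not forwardable, so S4U2Proxy is refused
    t1 = s4u2self(delegator, dc)
    steps.append(("delegator$ S4U2Self as DC01$", t1))
    try:
        s4u2proxy(delegator, t1, "http/dc01.rebound.htb", directory)
    except DelegationError as e:
        steps.append(("delegator$ S4U2Proxy to http/dc01", str(e)))
    # 2. With delegator$'s credentials, allow ldap_monitor to act on its behalf (RBCD write)
    delegator.allowed_to_act_on_behalf.add(monitor.name)
    t2 = s4u2self(monitor, dc)
    t3 = s4u2proxy(monitor, t2, "browser/dc01.rebound.htb", directory)  # forwardable, via RBCD
    steps.append(("ldap_monitor S4U2Proxy to browser/dc01 (delegator$)", t3))
    # 3. That ticket is valid evidence for delegator$'s classic hop to the DC
    t4 = s4u2proxy(delegator, t3, "http/dc01.rebound.htb", directory)
    steps.append(("delegator$ S4U2Proxy to http/dc01 with RBCD evidence", t4))
    return steps


if __name__ == "__main__":
    for step, outcome in run_chain(build_directory()):
        print(f"{step}: {outcome}")
```

The last ticket is what the DCSync step needs: a service ticket for an SPN held by the DC's machine account, with DC01$ as the client.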


At last, we can dump the hashes of all domain users from the DC.


Let's access the machine with the Administrator's hash.



We can read the root flag by typing the “type root.txt” command