In this post, I would like to share a walkthrough of the Rebound machine from Hack The Box.
This machine is rated Insane on Hack The Box.
What will you gain from the Rebound machine?
For the user flag, you will need to infiltrate an Active Directory environment ripe with vulnerabilities. It begins with a RID-cycling attack to compile a user inventory, followed by a combination of AS-REP roasting and Kerberoasting to obtain a crackable hash for a service account. The recovered password is also used by a domain user, which leads to a weak ACL that grants control over a critical group. With access to that group, I can either change the password of, or acquire shadow credentials for, another user who has WinRM privileges.
As for the root flag, you need to execute a cross-session relay attack using RemotePotato0 to acquire a hash for the next user, who is able to read the gMSA password of an additional service account. That account has constrained delegation configured, so exploiting both the delegation and RBCD yields a ticket as the DC machine account, which in turn allows dumping hashes across the domain.
For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259
Information Gathering on Rebound Machine
Once the VPN connection (the configuration file is downloaded from Hack The Box) is up, we can start information gathering on the machine by running a command such as nmap -sC -sV -p- <IP Address> -Pn
┌─[darknite@parrot]─[~/Documents/htb/Rebound]
└──╼ $ nmap -sC -sV 10.10.11.231 -oA initial -Pn --min-rate 1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-08 01:28 EDT
Nmap scan report for rebound.htb (10.10.11.231)
Host is up (0.019s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-08 12:28:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
| date: 2023-10-08T12:29:17
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.12 seconds
No port 80 (HTTP) appears in the Nmap output.
The open ports (DNS, Kerberos, LDAP, SMB) and the hostname dc01.rebound.htb confirm that this machine is an Active Directory domain controller.
The list of users will look something like the one in the screenshot above.
While working through that user file, we get sight of hashes for some of the users.
Next, we run the Kerberos spraying (the AS-REP roasting and Kerberoasting described in the overview) against the machine.
Kerberos rejects requests when the client clock differs from the DC's by more than a few minutes, and the Nmap output shows a +7h skew, so we fix it by running the ntpdate command against the DC.
Boom! We have the hashes for a few users, such as nnoon and tbrady.
Let's put the hashes into a new file as shown in the screenshot above.
At last, we managed to successfully crack the password for one user.
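From the defender's side, the AS-REP roasting and Kerberoasting steps above leave a distinctive trace on the domain controller: event 4768 with pre-authentication type 0 and an RC4 (0x17) ticket, and a burst of event 4769 requests for RC4 service tickets to user-owned SPNs. The following Python is an added example (not code from the original post or from Hack The Box) that runs that logic over constructed sample events; the keys mirror the EventData fields of the Windows Security events, and the IP addresses and the svc_web SPN are made up.

```python
"""Added example (not from the original post): flag AS-REP roasting and
Kerberoasting indicators in Windows Security events 4768 and 4769.

SAMPLE_EVENTS is CONSTRUCTED data whose keys mirror the EventData fields a
domain controller logs; real input would come from an EVTX export or a SIEM."""
from collections import defaultdict

RC4_HMAC = "0x17"    # roasting tools ask for RC4 because it is cheapest to crack offline
AES256 = "0x12"
NO_PREAUTH = "0"     # PreAuthType 0: "Do not require Kerberos preauthentication" is set

SAMPLE_EVENTS = [
    # AS-REQ without pre-authentication for an RC4 ticket: AS-REP roasting
    {"EventID": 4768, "TargetUserName": "nnoon", "PreAuthType": NO_PREAUTH,
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.14.5"},
    # Normal AS-REQ: PA-ENC-TIMESTAMP pre-auth (type 2) and an AES ticket
    {"EventID": 4768, "TargetUserName": "tbrady", "PreAuthType": "2",
     "TicketEncryptionType": AES256, "IpAddress": "10.10.11.50"},
    # One client pulling RC4 service tickets for several user-owned SPNs: Kerberoasting
    {"EventID": 4769, "TargetUserName": "nnoon@REBOUND.HTB", "ServiceName": "ldap_monitor",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "nnoon@REBOUND.HTB", "ServiceName": "svc_web",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.14.5"},
    # Ordinary TGS-REQ for a machine account with AES
    {"EventID": 4769, "TargetUserName": "tbrady@REBOUND.HTB", "ServiceName": "DC01$",
     "TicketEncryptionType": AES256, "IpAddress": "10.10.11.50"},
]


def detect_asrep_roast(events):
    """Return sorted (user, client_ip) pairs for AS-REQs that skipped
    pre-authentication and asked for an RC4 ticket: the AS-REP roasting signature."""
    hits = {(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768
            and e.get("PreAuthType") == NO_PREAUTH
            and e.get("TicketEncryptionType") == RC4_HMAC}
    return sorted(hits)


def detect_kerberoast(events, min_services=2):
    """Group RC4 service-ticket requests by client IP, ignoring machine accounts
    (names ending in $) and krbtgt. A client collecting RC4 tickets for
    min_services or more user-owned SPNs looks like a Kerberoasting sweep."""
    by_client = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_client[e["IpAddress"]].add(svc)
    return {ip: sorted(s) for ip, s in by_client.items() if len(s) >= min_services}


if __name__ == "__main__":
    for user, ip in detect_asrep_roast(SAMPLE_EVENTS):
        print(f"AS-REP roast candidate: {user} requested from {ip}")
    for ip, services in detect_kerberoast(SAMPLE_EVENTS).items():
        print(f"Kerberoast sweep from {ip}: {', '.join(services)}")
```

The two checks also point at the fixes: clear "Do not require Kerberos preauthentication" on every account, set msDS-SupportedEncryptionTypes so service accounts only issue AES tickets (which makes the 0x17 filter a high-fidelity alert), and give SPN-bearing accounts long random passwords or make them gMSAs so a captured hash does not crack.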
Information about ldapdomaindump can be found here.
Let's use ldapdomaindump as shown above.
After a while, we managed to find three users for whom the user credentials work.
Before we proceed further, let's download the data package to be analyzed with BloodHound.
Let's analyze the relationships in BloodHound.
We managed to create a ticket saved as ldap_monitor.ccache.
We can use powerview.py to change the password of the winrm_svc account.
Let's abuse the DACL by changing the ACL with dacledit.
At last, we can log in with the password we changed earlier.
We can read the user flag by typing the "type user.txt" command.
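The weak ACL that BloodHound surfaces here (a low-privileged user controlling a group, and that group holding write rights over winrm_svc) is what dacledit and powerview.py take advantage of. The following Python is an added example, not code from the original post, that shows how a defender can find the same path from an exported ACE list before anyone else does: each control right becomes an edge and the script walks from a starting principal to a target. The principal names jdoe and App Admins, and the ACE list itself, are constructed sample data; winrm_svc is the account named in the write-up.

```python
"""Added example (not from the original post): find control paths through
Active Directory ACEs the way BloodHound does, from an exported ACE list.

SAMPLE_ACES is CONSTRUCTED data: (trustee, right, target) triples in the
shape a DACL export (for example from ldapdomaindump or BloodHound JSON) yields."""
from collections import defaultdict

# Rights that let the trustee take over the target, or (AddSelf/AddMember/
# MemberOf) put a principal into a group so it inherits that group's rights.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                  "AddSelf", "AddMember", "ForceChangePassword",
                  "AddKeyCredentialLink", "MemberOf"}

SAMPLE_ACES = [  # constructed
    ("jdoe", "AddSelf", "App Admins"),             # low-priv user can join the group
    ("jdoe", "ReadProperty", "App Admins"),        # harmless read right, ignored
    ("App Admins", "GenericWrite", "winrm_svc"),   # covers msDS-KeyCredentialLink (shadow credentials)
    ("App Admins", "ForceChangePassword", "winrm_svc"),
    ("Domain Admins", "GenericAll", "winrm_svc"),  # expected: held by a tier-0 group
    ("winrm_svc", "MemberOf", "Remote Management Users"),
]

ADMIN_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def control_paths(aces, start, goal, max_depth=6):
    """Return every simple path of control edges from start to goal,
    each path a list of (trustee, right, target) edges."""
    adj = defaultdict(list)
    for trustee, right, target in aces:
        if right in CONTROL_RIGHTS:
            adj[trustee].append((right, target))
    paths = []

    def walk(node, path, seen):
        if node == goal:
            paths.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for right, nxt in adj[node]:
            if nxt in seen:
                continue
            path.append((node, right, nxt))
            seen.add(nxt)
            walk(nxt, path, seen)
            seen.discard(nxt)
            path.pop()

    walk(start, [], {start})
    return paths


def risky_aces(aces, admin_principals=ADMIN_PRINCIPALS):
    """ACEs that grant a control right to a principal outside the admin tier.
    These are the entries to review and remove; group memberships are skipped."""
    return [a for a in aces
            if a[1] in CONTROL_RIGHTS and a[1] != "MemberOf"
            and a[0] not in admin_principals]


if __name__ == "__main__":
    for p in control_paths(SAMPLE_ACES, "jdoe", "winrm_svc"):
        print(" -> ".join(f"{s} [{r}]" for s, r, _ in p) + f" -> {p[-1][2]}")
    for ace in risky_aces(SAMPLE_ACES):
        print("review:", ace)
```

Running it on real data means exporting the DACLs of privileged groups and service accounts and feeding the triples in; the output of risky_aces is the remediation list, and control_paths shows which single ACE removal breaks the chain to the WinRM-capable account.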
Escalate to Root Privilege Access
Let's run RemotePotato0 on the victim machine to get an NTLMv2 hash from the machine.
On our machine, we run a socat command to forward the traffic to ntlmrelayx, which we also need to run.
As a result, we copy the hash we captured earlier.
We can crack the hash with John the Ripper, which gives us tbrady's password.
After a while, we can use the LDAP hashes
After some research, we install libfaketime as shown above; it lets us run the tools with a clock that matches the DC's without changing the system time.
I see that tbrady has permission to read the delegator's gMSA password.
We can also verify the gMSA password using CrackMapExec.
We should be able to create the ticket and save it to a cache.
Therefore, let's configure the delegation for ldap_monitor.
As a result, we can create a ticket for dc01.
Therefore, we can also export the ticket.
We can impersonate dc01 on the browser.
Therefore, let's create a ticket for the delegator.
At last, we managed to retrieve the hashes for all users on the machine.
Let's access the machine with the administrator's hash.
We can read the root flag by typing the "type root.txt" command.
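The root path rests on a handful of delegation-related settings: a gMSA whose password is readable by a non-admin user (tbrady), constrained delegation from that account to a service on the DC, and the ability to configure RBCD. The Python below is an added example (not code from the original post) that audits LDAP-style account records for exactly those conditions, plus unconstrained delegation and protocol transition. The records are constructed; only dc01.rebound.htb, delegator$, tbrady and ldap_monitor are names from the write-up, the svc_web, app01$, ws02$ and files01 names are made up, and the userAccountControl bit values are the documented Microsoft constants. msDS-GroupMSAMembership is really a security descriptor; it is simplified here to a list of principal names.

```python
"""Added example (not from the original post): audit Active Directory
account records for risky delegation and gMSA settings.

ACCOUNTS is CONSTRUCTED sample data in the shape of LDAP attributes; in
practice it would come from an LDAP query or an ldapdomaindump export."""

# userAccountControl bits (documented Microsoft constants)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

DC_HOSTS = {"dc01.rebound.htb"}   # DC name from the Nmap scan
ADMIN_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrators"}

ACCOUNTS = [  # constructed records
    {"sAMAccountName": "delegator$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["http/dc01.rebound.htb"],
     "msDS-GroupMSAMembership": ["tbrady"]},           # simplified: principals allowed to read the password
    {"sAMAccountName": "svc_web",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/files01.rebound.htb"]},
    {"sAMAccountName": "app01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "ws02$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["ldap_monitor"]},  # simplified: principals granted RBCD
    {"sAMAccountName": "tbrady", "userAccountControl": NORMAL_ACCOUNT},
]


def spn_host(spn):
    """Host part of an SPN such as http/dc01.rebound.htb:8080, lower-cased."""
    _, _, rest = spn.partition("/")
    return rest.split(":", 1)[0].lower()


def audit_delegation(accounts, dc_hosts=DC_HOSTS, admin_principals=ADMIN_PRINCIPALS):
    """Return sorted (account, finding) pairs for the delegation weaknesses
    an attacker chains: unconstrained delegation, protocol transition,
    delegation targeting a DC service, RBCD, and gMSA passwords readable by
    principals outside the admin tier."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        uac = acct.get("userAccountControl", 0)
        targets = acct.get("msDS-AllowedToDelegateTo", [])
        if uac & TRUSTED_FOR_DELEGATION:
            findings.append((name, "UNCONSTRAINED"))
        if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "CONSTRAINED_PROTOCOL_TRANSITION"))
        if any(spn_host(spn) in dc_hosts for spn in targets):
            findings.append((name, "CONSTRAINED_TO_DC"))
        if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
            findings.append((name, "RBCD_CONFIGURED"))
        readers = set(acct.get("msDS-GroupMSAMembership", []))
        if readers - admin_principals:
            findings.append((name, "GMSA_READABLE_BY_NONADMIN"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_delegation(ACCOUNTS):
        print(f"{account:12} {finding}")
```

Any account that delegates to a service on a domain controller, or whose gMSA password is readable outside the admin tier, deserves the same scrutiny as a Domain Admin: the delegation on delegator$ in the write-up is what turns a readable gMSA password into a ticket as the DC machine account.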