In this post, I would like to share a walkthrough of the Rebound machine from Hack The Box.
This machine is rated Insane on Hack The Box.

What will you gain from the Rebound machine?
For the user flag, you need to infiltrate an Active Directory environment ripe with vulnerabilities. It starts with a RID-cycling attack to build a user inventory, followed by a combination of AS-REP roasting and Kerberoasting to obtain a crackable hash for a service account. The recovered password is reused by a domain user, which lets us spot a weak ACL that grants control over a critical group. With access to that group, I can either change the password of, or add shadow credentials to, another user who has WinRM access.
For the root flag, you need to perform a cross-session relay attack with RemotePotato0 to capture a hash for the next user, who is able to read the gMSA password of another service account. That account has constrained delegation configured, so exploiting both the delegation and RBCD yields a ticket as the DC machine account, which in turn allows dumping the hashes of the whole domain.
For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259
Information Gathering on Rebound Machine
Once the VPN connection is up (the .ovpn file is downloaded from Hack The Box), we can start information gathering on the machine by running nmap with default scripts and version detection; -Pn skips host discovery and --min-rate 1000 speeds the scan up. Note that the scan below covers the default top 1000 ports, not -p-.
─[darknite@parrot]─[~/Documents/htb/Rebound]
└──╼ $ nmap -sC -sV 10.10.11.231 -oA initial -Pn --min-rate 1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-08 01:28 EDT
Nmap scan report for rebound.htb (10.10.11.231)
Host is up (0.019s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-08 12:28:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after: 2024-08-24T22:48:10
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
| date: 2023-10-08T12:29:17
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.12 seconds
There is no port 80 (HTTP) in the Nmap output, so there is no web application to look at.

The open ports (DNS, Kerberos, LDAP, SMB, RPC) show that this machine is an Active Directory domain controller: dc01.rebound.htb in the rebound.htb domain. Also note the clock skew of about 7 hours between our machine and the DC, which will matter for Kerberos later.
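As an added example (not part of the original walkthrough), the script below pulls the three facts a tester needs out of the scan above: the domain name (Nmap prints it with a stray trailing "0."), the DC's FQDN for /etc/hosts and Kerberos SPNs, and the clock skew, which will break Kerberos until it is corrected with ntpdate or libfaketime as the post does later. NMAP_EXCERPT is a constructed subset of the scan output shown above, and the 5-minute Kerberos tolerance is the Windows default.

```python
"""Extract domain, DC FQDN and clock skew from an nmap -sC -sV scan of a DC.

Added example, not part of the original walkthrough.  NMAP_EXCERPT is a
constructed subset of the scan output shown in the post.
"""
import re

NMAP_EXCERPT = """\
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
|_ssl-date: 2023-10-08T12:29:23+00:00; +7h00m00s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
"""

# Kerberos rejects requests whose timestamp differs from the KDC clock by more
# than this (Windows default: 5 minutes).
MAX_KERBEROS_SKEW_SECONDS = 300


def parse_skew(text: str) -> int:
    """Signed skew in seconds from the ssl-date line (+ means the DC is ahead of us)."""
    m = re.search(r"([+-])(\d+)h(\d+)m(\d+)s from scanner time", text)
    if not m:
        raise ValueError("no ssl-date skew line found")
    sign, h, mi, s = m.groups()
    total = int(h) * 3600 + int(mi) * 60 + int(s)
    return total if sign == "+" else -total


def parse_ad_facts(text: str) -> dict:
    # Nmap prints the LDAP domain with a stray trailing "0." (rebound.htb0.);
    # the lazy match stops at the real DNS name.
    dom = re.search(r"Domain: ([A-Za-z0-9.-]+?)0?\.,", text)
    san = re.search(r"Subject Alternative Name: DNS:([A-Za-z0-9.-]+)", text)
    host = re.search(r"Service Info: Host: ([^;]+);", text)
    skew = parse_skew(text)
    return {
        "domain": dom.group(1) if dom else None,
        "dc_fqdn": san.group(1) if san else None,
        "dc_host": host.group(1) if host else None,
        "skew_seconds": skew,
        "kerberos_will_fail": abs(skew) > MAX_KERBEROS_SKEW_SECONDS,
    }


def hosts_line(facts: dict, ip: str) -> str:
    """Entry for /etc/hosts so that the DC FQDN and the realm name resolve."""
    short = facts["dc_fqdn"].split(".")[0]
    return f"{ip} {facts['dc_fqdn']} {facts['domain']} {short}"


def faketime_offset(skew_seconds: int) -> str:
    """Relative offset for libfaketime, e.g. faketime '+7h' getTGT.py ...
    Whole hours when the skew is a round number of hours, otherwise minutes;
    anything within 5 minutes of the DC clock is good enough."""
    sign = "+" if skew_seconds >= 0 else "-"
    minutes = round(abs(skew_seconds) / 60)
    hours, rem = divmod(minutes, 60)
    return f"{sign}{hours}h" if rem == 0 else f"{sign}{minutes}m"


if __name__ == "__main__":
    facts = parse_ad_facts(NMAP_EXCERPT)
    print(facts)
    print(hosts_line(facts, "10.10.11.231"))
    print("faketime offset:", faketime_offset(facts["skew_seconds"]))
```

The positive skew means the DC is seven hours ahead of the attacking box, so every Kerberos request we send is rejected as expired until we either shift the system clock (ntpdate) or run the tooling under faketime with the computed offset.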

The RID-cycling attack (lookupsid.py) gives us the list of domain users shown above.
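As an added example (not from the original walkthrough), here is how to turn the raw lookupsid.py output into the user file needed for the next step, keeping only SidTypeUser entries and dropping machine accounts. LOOKUPSID_OUTPUT is a constructed sample in the format impacket's lookupsid.py prints; the domain SID and RIDs in it are placeholders, not the real values from the box.

```python
"""Turn lookupsid.py (RID cycling) output into a user list for AS-REP roasting.

Added example, not from the original walkthrough.  LOOKUPSID_OUTPUT is a
constructed sample; the domain SID and RIDs are placeholders.
"""
from __future__ import annotations
import re

LOOKUPSID_OUTPUT = """\
[*] Brute forcing SIDs at 10.10.11.231
[*] StringBinding ncacn_np:10.10.11.231[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-1111111111-2222222222-3333333333
498: rebound\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: rebound\\Administrator (SidTypeUser)
501: rebound\\Guest (SidTypeUser)
502: rebound\\krbtgt (SidTypeUser)
512: rebound\\Domain Admins (SidTypeGroup)
1000: rebound\\DC01$ (SidTypeUser)
1101: rebound\\DnsAdmins (SidTypeAlias)
1601: rebound\\ldap_monitor (SidTypeUser)
1602: rebound\\winrm_svc (SidTypeUser)
1603: rebound\\tbrady (SidTypeUser)
1604: rebound\\nnoon (SidTypeUser)
"""

# "<rid>: <domain>\<name> (<SidType>)"; names may contain spaces.
LINE_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")


def parse_lookupsid(text: str):
    """Yield (rid, name, sid_type) for every RID the DC resolved."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(3), m.group(4)


def domain_sid(text: str) -> str | None:
    m = re.search(r"Domain SID is: (S-1-5-21-\d+-\d+-\d+)", text)
    return m.group(1) if m else None


def user_inventory(text: str, include_machines: bool = False) -> list[str]:
    """SidTypeUser entries in RID order.  Machine accounts end in '$' and are
    useless for AS-REP roasting, so they are dropped unless asked for."""
    users = [name for _, name, kind in parse_lookupsid(text) if kind == "SidTypeUser"]
    return users if include_machines else [u for u in users if not u.endswith("$")]


def groups_and_aliases(text: str) -> list[str]:
    return [name for _, name, kind in parse_lookupsid(text) if kind in ("SidTypeGroup", "SidTypeAlias")]


def custom_rids(text: str, first_custom: int = 1000) -> list[tuple[int, str]]:
    """Accounts created after domain setup (RID >= 1000); service accounts live here."""
    return [(rid, name) for rid, name, kind in parse_lookupsid(text)
            if kind == "SidTypeUser" and rid >= first_custom]


if __name__ == "__main__":
    # This is the list you feed to GetNPUsers.py -usersfile
    print("\n".join(user_inventory(LOOKUPSID_OUTPUT)))
```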

Feeding that user file into the AS-REP roasting step, we obtain hashes for the users that have Kerberos pre-authentication disabled.

Next, we attempt Kerberoasting against the machine, which runs into errors.

The errors come from the clock skew: Nmap reported the DC is about 7 hours ahead of us, and Kerberos rejects requests when the client and KDC clocks differ by more than 5 minutes (the Windows default). To fix this, we sync our clock with the DC using the ntpdate command.

Boom! We now have hashes for a few users, such as nnoon and tbrady.

Let’s put the hashes into a new file, as shown in the screenshot above.

After cracking that file, we obtain the password for one user.
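Before cracking, it pays to sort the collected hashes by type: AS-REP and TGS-REP hashes use different hashcat modes, and the RC4 (etype 23) variants crack far faster than the AES ones. The following is an added example (not the post's code) that parses the impacket hash layouts, validates the checksum length, and groups the hashes per hashcat mode. The hashes in SAMPLE_HASHES are constructed dummies in the right format with placeholder hex, not real captures, and the SPN in them is made up.

```python
"""Triage AS-REP / TGS-REP hashes into per-mode files before cracking.

Added example, not from the original walkthrough.  SAMPLE_HASHES are
constructed dummies (placeholder hex, made-up SPN) in impacket's layouts.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# (hashcat -m, john --format) by (hash kind, Kerberos etype).
MODES = {
    ("asrep", 23): (18200, "krb5asrep"),
    ("tgs", 23): (13100, "krb5tgs"),
    ("tgs", 17): (19600, "krb5tgs"),
    ("tgs", 18): (19700, "krb5tgs"),
}

# impacket layouts:
#   AS-REP  $krb5asrep$23$user@REALM:checksum$edata   (the john form omits "23$")
#   TGS RC4 $krb5tgs$23$*user$REALM$spn*$checksum$edata
#   TGS AES $krb5tgs$18$user$REALM$*spn*$checksum$edata
ASREP_RE = re.compile(r"^\$krb5asrep\$(?:(\d+)\$)?([^@$]+)@([^:]+):([0-9a-f]+)\$([0-9a-f]+)$", re.I)
TGS_RC4_RE = re.compile(r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]+)\$([0-9a-f]+)$", re.I)
TGS_AES_RE = re.compile(r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-f]+)\$([0-9a-f]+)$", re.I)


@dataclass
class RoastHash:
    kind: str            # "asrep" or "tgs"
    etype: int
    user: str
    realm: str
    spn: str | None
    raw: str

    @property
    def hashcat_mode(self) -> int | None:
        return MODES.get((self.kind, self.etype), (None, None))[0]

    @property
    def john_format(self) -> str | None:
        return MODES.get((self.kind, self.etype), (None, None))[1]


def parse_roast_hash(line: str) -> RoastHash | None:
    """Parse one line; malformed or truncated hashes return None instead of
    wasting a cracking run (RC4 checksum is 16 bytes, AES checksum 12)."""
    line = line.strip()
    if m := ASREP_RE.match(line):
        etype, user, realm, checksum, _ = m.groups()
        etype = int(etype) if etype else 23
        if etype == 23 and len(checksum) != 32:
            return None
        return RoastHash("asrep", etype, user, realm, None, line)
    if m := TGS_RC4_RE.match(line):
        user, realm, spn, checksum, _ = m.groups()
        return RoastHash("tgs", 23, user, realm, spn, line) if len(checksum) == 32 else None
    if m := TGS_AES_RE.match(line):
        etype, user, realm, spn, checksum, _ = m.groups()
        return RoastHash("tgs", int(etype), user, realm, spn, line) if len(checksum) == 24 else None
    return None


def triage(lines) -> dict[int | None, list[RoastHash]]:
    """Group parseable hashes by hashcat mode (unknown etypes land under None)."""
    groups: dict[int | None, list[RoastHash]] = {}
    for line in lines:
        h = parse_roast_hash(line)
        if h:
            groups.setdefault(h.hashcat_mode, []).append(h)
    return groups


def crack_plan(groups) -> list[str]:
    """One hashcat command per mode; the RC4 modes happen to sort first."""
    return [f"hashcat -m {mode} -a 0 roast_{mode}.txt rockyou.txt"
            for mode in sorted(m for m in groups if m is not None)]


SAMPLE_HASHES = [  # constructed dummies, not real captures
    "$krb5asrep$23$nnoon@REBOUND.HTB:0123456789abcdef0123456789abcdef$00ff00ff00ff",
    "$krb5asrep$tbrady@REBOUND.HTB:fedcba9876543210fedcba9876543210$11ee11ee11ee",
    "$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap/dc01.rebound.htb*$00112233445566778899aabbccddeeff$deadbeefcafe",
    "$krb5tgs$18$ldap_monitor$REBOUND.HTB$*ldap/dc01.rebound.htb*$aabbccddeeff001122334455$cafebabe0000",
    "$krb5asrep$23$bad@REBOUND.HTB:abcd$ef",   # truncated checksum, rejected
]

if __name__ == "__main__":
    groups = triage(SAMPLE_HASHES)
    for mode, hashes in groups.items():
        with open(f"roast_{mode}.txt", "w") as fh:
            fh.write("\n".join(h.raw for h in hashes) + "\n")
    print("\n".join(crack_plan(groups)))
```

If the same account shows up with both an RC4 and an AES hash, crack the RC4 one; the password is the same and the work per guess is a fraction of the AES cost.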

Information about ldapdomaindump can be found here.

Let’s run ldapdomaindump with those credentials, as shown above.

After a while, we find three users for which the credentials work.

Before we proceed further, let’s collect the domain data so it can be analysed in BloodHound.

Let’s analyse the relationships in BloodHound.
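What we are really asking BloodHound is "what is the shortest chain of ACL edges from the account I own to a user with WinRM access". The added example below (not the post's code) answers that question over a small edge list with a breadth-first search and prints the abuse step for each edge, which is the order the post follows with dacledit and powerview.py. EDGES is a constructed graph shaped like the post's description; "reused_pw_user" and "svc_group" are placeholder names because the post does not name the domain user or the group, and the tool hints in ABUSE are generic, not the exact commands from the screenshots.

```python
"""Shortest ACL abuse path, BloodHound-style, over a constructed edge list.

Added example, not from the original walkthrough.  EDGES is constructed;
"reused_pw_user" and "svc_group" are placeholders.
"""
from collections import deque

# What you run once you hold each edge type (generic hints, not the post's exact commands).
ABUSE = {
    "MemberOf": "nothing to do: the group's rights apply to you",
    "AddSelf": "add yourself to the group (net rpc group addmem / powerview.py)",
    "AddMember": "add a principal you control to the group",
    "WriteDacl": "dacledit.py -action write -rights FullControl on the target, then continue",
    "WriteOwner": "owneredit.py to take ownership, then WriteDacl",
    "GenericAll": "change the password (powerview.py) or add shadow credentials",
    "ForceChangePassword": "reset the password (powerview.py / net rpc password)",
    "AddKeyCredentialLink": "shadow credentials (pywhisker / certipy shadow)",
    "CanPSRemote": "evil-winrm with the password or hash you now control",
}

EDGES = [  # (principal, edge, target), constructed
    ("ldap_monitor", "MemberOf", "Domain Users"),
    ("reused_pw_user", "MemberOf", "Domain Users"),
    ("reused_pw_user", "AddSelf", "svc_group"),
    ("svc_group", "GenericAll", "winrm_svc"),
    ("winrm_svc", "CanPSRemote", "DC01"),
]


def shortest_path(edges, source, target):
    """Breadth-first search; returns [(src, edge, dst), ...] or None if unreachable."""
    adjacent = {}
    for src, edge, dst in edges:
        adjacent.setdefault(src, []).append((edge, dst))
    came_from = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for edge, dst in adjacent.get(node, []):
            if dst not in came_from:          # first visit is the shortest
                came_from[dst] = (node, edge)
                queue.append(dst)
    if target not in came_from:
        return None
    path, node = [], target
    while came_from[node] is not None:
        prev, edge = came_from[node]
        path.append((prev, edge, node))
        node = prev
    return path[::-1]


def playbook(path):
    """Human-readable steps for the path, in the order you execute them."""
    return [f"{src} -[{edge}]-> {dst}: {ABUSE.get(edge, 'review manually')}"
            for src, edge, dst in path]


if __name__ == "__main__":
    for step in playbook(shortest_path(EDGES, "reused_pw_user", "DC01") or []):
        print(step)
```

The search also tells you what a dead end looks like: ldap_monitor only has a MemberOf edge into Domain Users, so on its own it reaches nothing, which is why the password reuse by another domain user matters.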

We manage to create a ticket for the ldap_monitor account (ldap_monitor.ccache).


We can use powerview.py to change the password of winrm_svc.

Let’s abuse the weak DACL by modifying the ACL with dacledit.


Finally, we can log in as winrm_svc with the password we changed earlier.


We can read the user flag by typing the “type user.txt” command
Escalating to Root Privileges

Let’s run RemotePotato0 on the victim machine to capture the NTLMv2 hash of the user logged on in another session.

On our attacking machine, we need to run socat together with ntlmrelayx to receive the relayed authentication.

As a result, we copy the captured hash into a file.

We crack the hash with John the Ripper, which gives us tbrady’s password.

After a while, we can use the hashes against LDAP.

After some research, we install libfaketime, as shown above, so the Kerberos tooling runs with its clock shifted to match the DC.

I see that tbrady has permission to read the gMSA password of the delegator account.

We can also verify the gMSA password using crackmapexec.

We should be able to request a ticket and save it to a ccache file.

Therefore, let’s configure delegation (RBCD) for ldap_monitor.

As a result, we can obtain a ticket impersonating the dc01 machine account.

Then we export the ticket so the tooling uses it.

We can impersonate dc01 in the browser.

Therefore, let’s create a ticket for the delegator account.

Finally, we dump the hashes of all users in the domain.

Let’s access the machine with the Administrator hash (pass-the-hash).


We can read the root flag by typing the “type root.txt” command