Rebound
Rebound
Rebound 560
Rebound
RETIRED MACHINE

Rebound

Rebound - Windows Windows
Rebound - Insane Insane

4.9

MACHINE RATING

1158

USER OWNS

1019

SYSTEM OWNS

09/09/2023

RELEASED
Created by Geiseric

Machine Synopsis

Rebound is an Insane Windows machine featuring a tricky Active Directory environment. User enumeration via RID cycling reveals an AS-REP-roastable user, whose TGT is used to Kerberoast another user with a crackable password. Weak ACLs are abused to obtain access to a group with FullControl over an OU, performing a Descendant Object Takeover (DOT), followed by a ShadowCredentials attack on a user with winrm access. On the target system, cross-session relay is leveraged to obtain the NetNTLMv2 hash of a logged-in user, which, once cracked, leads to a gMSA password read. Finally, the gMSA account allows delegation, but without protocol transition. Resource-Based Constrained Delegation (RBCD) is used to impersonate the Domain Controller, enabling a DCSync attack, leading to fully elevated privileges.

Machine Matrix

Ready to start your
hacking journey?