🔎🦶Enumeration/Foothold

Intelligence is a Medium Windows box from HTB created by Micah. This box features a website that leaks internal information, corporate password reuse and a DNS rebinding scenario. I begin each box by running RustScan, which is bundled into my setup.sh script mentioned in a few of my other posts, with Nmap filters. Reviewing the results I see multiple ports open:

I started my recon with 135/139 but came up empty as anonymous authentication was not available. I then went over to the website hosted at Port 80.

Port 80 showing a website available with downloadable documents.

I added Intelligence.htb to my hosts file and noticed two downloads available on the site. Both were PDFs served from a documents directory. I tried browsing to documents, but directory indexing was not enabled.

Suspecting that further files might exist in the documents directory, I pulled DateList and generated a list of dates from the oldest PDF to today’s date:

I then used ffuf to find all the live documents and exported the results to CSV. I cleaned up the list and used wget to pull the files to my attack VM.
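As an added example (my own code, not DateList, ffuf or anything from the original post), here is the same two-step procedure in Python: generate the date-based wordlist, then reduce ffuf's CSV results to a clean download list. It assumes the PDFs follow a <YYYY-MM-DD>-upload.pdf naming scheme (the post does not state one) and that the CSV carries ffuf's -of csv column names (url, status_code).

```python
"""Added example, not code from the original post: generate the
date-based wordlist for the documents directory and turn ffuf's CSV
results into a download list for wget -i. Assumptions: the PDFs are
named <YYYY-MM-DD>-upload.pdf (the post does not state the scheme) and
the CSV uses ffuf's -of csv column names (url, status_code)."""
import csv
import io
from datetime import date, timedelta

# Filename templates to fuzz; the first is the assumed scheme for this
# box, the others are common variants worth including in the same run.
TEMPLATES = ("{iso}-upload.pdf", "{iso}.pdf", "{compact}-upload.pdf")


def date_wordlist(start_iso, end_iso, templates=TEMPLATES):
    """Return one candidate filename per template per day, inclusive."""
    day, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    names = []
    while day <= end:
        iso = day.isoformat()              # 2020-01-01
        compact = day.strftime("%Y%m%d")   # 20200101
        names.extend(t.format(iso=iso, compact=compact) for t in templates)
        day += timedelta(days=1)
    return names


def hits_from_ffuf_csv(csv_text, ok_status=(200,)):
    """Return the URLs ffuf reported with an accepted status code,
    de-duplicated (re-runs can repeat a hit) and sorted."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted({r["url"] for r in rows if int(r["status_code"]) in ok_status})


# Constructed sample in the shape of ffuf -of csv output (not real data).
SAMPLE_CSV = """FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
2020-01-01-upload.pdf,http://intelligence.htb/documents/2020-01-01-upload.pdf,,0,200,11232,90,34,application/pdf,12ms,
2020-01-02-upload.pdf,http://intelligence.htb/documents/2020-01-02-upload.pdf,,1,404,1245,55,20,text/html,9ms,
2020-01-01-upload.pdf,http://intelligence.htb/documents/2020-01-01-upload.pdf,,2,200,11232,90,34,application/pdf,11ms,
"""

if __name__ == "__main__":
    # Write the wordlist for ffuf -w, then print the cleaned hit list.
    with open("dates.txt", "w") as fh:
        fh.write("\n".join(date_wordlist("2020-01-01", date.today().isoformat())))
    print("\n".join(hits_from_ffuf_csv(SAMPLE_CSV)))
```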

I then went through each PDF manually, which turned up the following:

Internal IT Update
There have recently been some outages on our web servers. Ted has gotten a script in place to help notify us if this happens again.

Also, after discussion following our recent security audit we are in the process of locking down our service accounts.

New Account Guide
Welcome to Intelligence Corp!

Please login using your username and the default password of:

NewIntelligenceCorpUser9876

After logging in please change your password as soon as possible.

Now that I had a username (Ted) and a password, I tried to access SMB. That failed, so I went back to the PDFs and realized some of them had metadata attached. I ran the PDFs through exiftool and piped the Creator field into a user list.

Using the password and the user list, I ran CrackMapExec to do a password spray and got a hit:

I then used smbclient to enumerate the shares Tiffany had access to.

I saw that Tiffany had access to IT and Users shares, which are not present by default. In the IT share I noticed a downdetector.ps1 file and pulled it to my machine for review:

🔝Escalation

Reviewing the PowerShell script, I can see I will need to set up Responder as we did in another box. Essentially we use krbrelayx to modify the Active Directory DNS records so they point to Responder; when the script makes its request, Responder picks it up and displays the hash.

I then took the hash and cracked it with john.

Reviewing the shares Ted had access to turned up nothing interesting. I decided to poke further at LDAP using BloodHound, first exporting the data:

I then imported the JSON data into BloodHound. Reviewing the Ted Graves user turned up nothing, but I did notice an SVC_INT computer object; in most organizations SVC means service and INT means internal.

Reviewing the domain accounts using BloodHound.

This led me to the PayloadsAllTheThings section on gMSA (group Managed Service Accounts), a way for Active Directory to store and manage service account passwords. I grabbed gMSADumper and ran it:

Since gMSA passwords are long, randomly generated and rotated automatically, running hashcat or john against this hash probably won’t succeed. Referring back to BloodHound from earlier, I remembered that the svc_int account was allowed to delegate to WWW/dc.intelligence.htb.

Bloodhound shows delegation.

I used the Impacket script impacket-getST to generate a Silver Ticket for the Administrator account:

An error came back about clock skew. I had seen this in a previous IppSec video on AD attacks: the clock on your attacking machine needs to be closely synced to the domain controller (within 5-10 min).

I stopped the VirtualBox Guest utilities service (as I was not using my dedicated Parrot machine) and updated the time to match the server. I then used impacket-getST to grab the Silver Ticket:

Finally I used psexec to log into the machine as Administrator:

and grabbed both hashes:

Rooted Intelligence from HTB.

Published On: November 26th, 2021 / Categories: HTB, Technology