Intelligence
Nmap Scan
$ nmap -sC -sV -Pn -oN nmap 10.10.10.248
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 02:19 EDT
Nmap scan report for 10.10.10.248
Host is up (0.011s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Intelligence
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-27 13:13:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2024-05-27T12:24:52
|_Not valid after: 2025-05-27T12:24:52
|_ssl-date: 2024-05-27T13:14:50+00:00; +6h54m19s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-05-27T13:14:51+00:00; +6h54m19s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2024-05-27T12:24:52
|_Not valid after: 2025-05-27T12:24:52
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-05-27T13:14:50+00:00; +6h54m19s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2024-05-27T12:24:52
|_Not valid after: 2025-05-27T12:24:52
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2024-05-27T12:24:52
|_Not valid after: 2025-05-27T12:24:52
|_ssl-date: 2024-05-27T13:14:51+00:00; +6h54m19s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 6h54m18s, deviation: 0s, median: 6h54m18s
| smb2-time:
| date: 2024-05-27T13:14:11
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.52 seconds
Initial Access
enum4linux
Anonymous
Guest
Port 80
Directory Enumeration
Looking at the naming convention of the documents, I can see that they use this format: <YYYY>-<MM>-<DD>-upload.pdf


So I used this Python script to generate the dates first.
Next, I appended -upload.pdf to each line to create the finalised wordlist.
The final wordlist looks like this:
When we run gobuster again with that wordlist, it gives this:
I copied out the necessary information:
I used this Python script to craft a script that downloads all the files from the server.
After running the script, we can see some interesting documents:
2020-12-30 - IT Internal Update
2020-06-04 - New Account Guide


So the default password is NewIntelligenceCorpUser9876. However, we do not know the username, so the next step is to see if we can find anything in the metadata.
Using exiftool, I can see who the Creator is.

I can write another Python script that crafts a bash script to get all the Creator information.
After running the Python script to produce the bash script, I can run the bash script to collect all the Creator values. However, they might not be unique.
So I modified the command to the following, so that the values are unique and piped into an output file.
After running crackmapexec to see which username still has the default credentials, there is one user that did not change the password: Tiffany.Molina.
I then checked which shares the user can access: the user can read the User and IT shares.
So I accessed the User share to get the user flag.
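As an added example (not code from this writeup), the same Creator check seen from the document owner's side: an audit that walks a folder of PDFs, pulls the Creator/Author strings out of each Info dictionary and counts the unique values, which is the exiftool plus sort/uniq step above turned into a pre-publication check for leaked account names. The PDF bytes and the names Jane.Doe and Bob.Ray are constructed for the demo.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# /Key (literal string) or /Key <hex string> for the two Info-dictionary keys in
# which office tools record the logged-in account name. Caveat: a regex only sees
# an uncompressed Info dict; PDFs keeping it in an object stream need pypdf/exiftool.
_META_RE = re.compile(rb"/(Creator|Author)\s*(?:\((.*?)(?<!\\)\)|<([0-9A-Fa-f\s]*)>)", re.S)

def _decode(raw: bytes) -> str:
    """PDF text string: UTF-16BE when it starts with a BOM, else ~latin-1."""
    return raw[2:].decode("utf-16-be") if raw.startswith(b"\xfe\xff") else raw.decode("latin-1")

def extract_metadata(data: bytes) -> dict:
    """Return the Creator/Author strings found in raw PDF bytes (first occurrence wins)."""
    found = {}
    for m in _META_RE.finditer(data):
        key = m.group(1).decode()
        if m.group(2) is not None:   # literal string: unescape \( and \)
            value = _decode(m.group(2).replace(b"\\(", b"(").replace(b"\\)", b")"))
        else:                        # hex string
            value = _decode(bytes.fromhex("".join(m.group(3).decode().split())))
        found.setdefault(key, value)
    return found

def audit_directory(folder: Path) -> Counter:
    """Count each distinct Creator/Author value across the .pdf files in folder."""
    names = Counter()
    for pdf in sorted(folder.glob("*.pdf")):
        for value in extract_metadata(pdf.read_bytes()).values():
            names[value] += 1
    return names

def make_sample_pdf(creator: bytes) -> bytes:
    """Construct a minimal PDF whose Info dict carries the given Creator string object."""
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
            b"2 0 obj << /Creator " + creator + b" /Producer (demo) >> endobj\n"
            b"trailer << /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")

def run_demo() -> dict:
    """Audit three constructed PDFs: two by one made-up user, one with a UTF-16 hex name."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "2020-01-01-upload.pdf").write_bytes(make_sample_pdf(b"(Jane.Doe)"))
        (folder / "2020-01-02-upload.pdf").write_bytes(make_sample_pdf(b"(Jane.Doe)"))
        (folder / "2020-01-03-upload.pdf").write_bytes(   # "Bob.Ray" as a <FEFF...> hex string
            make_sample_pdf(b"<FEFF0042006F0062002E005200610079>"))
        return dict(audit_directory(folder))   # -> {"Jane.Doe": 2, "Bob.Ray": 1}
```

Any value the audit reports that looks like a domain account name is a candidate for scrubbing before the file goes on a public web server.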

Privilege Escalation
In the IT share, there is a file called downdetector.ps1.

Looking at the content of the file, I can see that it fetches the DNS records from the server for anything matching web*.
So the next step is to inject our own DNS record into the server, so that the script will contact our machine as well.
I injected the record into the server using dnstool.py.
After running responder, I can see this:
The next step is to crack the captured hash, which gives us the password for that user: Mr.Teddy.
ReadGMSAPassword
Using BloodHound, I can see that Ted.Graves is a member of the ITSUPPORT group, which has ReadGMSAPassword over the user SVC_INT.

After searching online, I found a tool that is able to dump the password.
After running the tool, the LM hash for the SVC_INT user is dumped.
From the BloodHound findings, the SVC_INT user has AllowedToDelegate to DC.INTELLIGENCE.HTB. So we can use impacket-getST to get the TGT as the Administrator user. However, because of the time skew, we need to ensure set-ntp is set to 0 so that we can change the local date and time to match the server.

After generating the ccache file, I am able to log in using impacket-wmiexec and get an Administrator shell.