🧠Intelligence
https://app.hackthebox.com/machines/357
I start by running Nmap with -p- and no other options to find all the open ports, then run a bigger command to properly enumerate the open ports, to save some time:
I then go to the HTTP web page on port 80 and use feroxbuster:
The /documents directory is forbidden ->
but the subdomains are not.
Nothing to see at first, but then I saw that this was a PDF and not a text-oriented file, so let's see if there is Exif data ->
There was another PDF in the subdomains ->
OK, so we get two possible users? Let's continue enumeration:
Now we need to check whether either of them has the "don't require preauth" flag set, which would leak the user's hash (this is AS-REP roasting):
That got me thinking that the PDFs are named based on the date they were created. So we can conclude that we could potentially brute-force the PDF names and download the ones that are not referenced on the website.
So we create a little script in Python or bash that follows the website's naming convention:
And the one-liner to brute-force and download all of them:
I made a folder to store all of the PDFs.
After looking through them manually, we find a PDF with a default password:
We can safely assume that all of them carry Exif data with valid usernames, so we need to script it:
So now we can spray this password to see if anyone left it at the default:
So this Tiffany.Molina user left the password at the default.
Now let's try to dig around on the SMB side for this user:
Then we connect to the Users share:
And pull the user flag out of the Desktop:
Further enumeration led to the IT share ->
We find this PowerShell script:
The script queries LDAP for a list of all the computers, then loops over the ones whose name starts with "web". For each one it issues a web request to that server (with the running user's credentials), and if the status code isn't 200, it emails Ted.Graves to let them know that the host is down. The comment at the top says it is scheduled to run every five minutes.
In theory, if we can add a DNS record whose name starts with "web" and which points to a machine that we control, then we can potentially get the NTLM hash of the user the script is running as!
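The matching check on the defender's side, as an added example that is not code from the writeup: flag host records matching the script's "web" prefix that point outside the organisation's own address space, which is exactly what a freshly added record for a machine the attacker controls would do. The zone extract and the trusted 10.129.44.0/24 range are constructed for the example.

```python
"""Flag DNS A records that a scheduled "web*" health-check script would
contact but which point outside the organisation's own address space.
Added example, not code from the original writeup; the zone extract and
the trusted range below are constructed."""
import ipaddress
import re

# Constructed BIND-style zone extract; the writeup's attacker address
# (10.10.14.166) plays the rogue "web" record dnstool.py would add.
ZONE_TEXT = """\
$ORIGIN intelligence.htb.
dc          IN A 10.129.44.184
web01       IN A 10.129.44.190
webfelix    IN A 10.10.14.166
svc-int     IN A 10.129.44.184
"""

# Ranges the organisation actually owns (assumption for the example).
TRUSTED_NETS = [ipaddress.ip_network("10.129.44.0/24")]
RECORD_RE = re.compile(r"^(\S+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def parse_a_records(zone_text):
    """Return (owner name, IPv4 string) pairs from a minimal zone extract."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("$", ";")):
            continue  # directives and comments carry no records
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1).lower(), m.group(2)))
    return records


def rogue_web_records(zone_text, prefix="web"):
    """Names the health-check script would visit (prefix match) whose
    address lies outside every trusted network. Returns (name, ip) pairs."""
    findings = []
    for name, addr in parse_a_records(zone_text):
        if not name.startswith(prefix):
            continue
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in TRUSTED_NETS):
            findings.append((name, addr))
    return findings


if __name__ == "__main__":
    for name, addr in rogue_web_records(ZONE_TEXT):
        print(f"ALERT: {name} -> {addr} is outside the trusted ranges")
```

Run against a real zone export, the same check turns the script's own "web" prefix into an alert whenever a record appears that the inventory does not explain.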
dnstool.py is a script that comes with Krbrelayx.
Before interacting with Kerberos, we have to make sure that our machine's time is in sync with the target machine. Generally, we can use things like the Nmap output or HTTP headers to determine the target's time, and change our machine's time with the date command.
Then we go and interact ->
-u : This option specifies the username for authentication. In this case, the username is intelligence.htb\\Tiffany.Molina.
-p : This option specifies the password for authentication. Here, the password is NewIntelligenceCorpUser9876.
-r : This option specifies the remote DNS server to which the tool will connect. Here, the remote DNS server is webfelix.intelligence.htb.
-a : This option specifies the action to perform. The value add indicates that a new DNS record will be added.
-d : This option specifies the IP addresses for the DNS record. In this case, the IP addresses are 10.10.14.166 and 10.129.44.184.
In summary, this command is attempting to add a new DNS record to the webfelix.intelligence.htb remote DNS server using the provided username and password, with the new DNS record pointing to the IP addresses 10.10.14.166 and 10.129.44.184.
Okay, we successfully added a new record. Next →
When I launch Responder, I get this error →
So I check which program is currently running on this port:
I can get more info on what's running with the following command: