HackTheBox Writeup — Intelligence
Hello Guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on discord.
The IP of this box is 10.10.10.248
Port Scan / Enumeration
nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.10.248
Way to User
From the Nmap results, it seems that the machine is part of an AD environment, but we do have port 80 open for web, so I checked it in the browser.
We were presented with a nice-looking page which had a Contact option; clicking on it leads to a download option for some documents.
We had links to two PDF documents; looking at the naming convention, it can be seen that those documents follow the format YYYY-MM-DD-upload.pdf.
I used a tool called datelist to create a wordlist matching the PDF naming convention we saw.
Using ffuf to fuzz those names and find the PDF files actually present on the server.
Since there were so many PDFs, I had to check them one by one, and found a leaked password in one of them.
Checking the Creator field of the PDF, I got the owner's name as Jason.Patterson, but the password didn't work with that user anywhere.
I downloaded all the pdfs present on the server
Checked the Creator field of all the PDFs using exiftool and built a list of usernames from it.
Used the crackmapexec tool for password spraying and got a success with the Tiffany.Molina user.
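As an added example (not part of this writeup), here is the defender's view of the spray step above: a Python check over Windows logon events (Event ID 4625 failures, 4624 success) that flags a source hitting many distinct accounts in a short window and then reports which account that source eventually got into. The events, source addresses, timestamps and the User.* names are constructed sample data.

```python
# Added example, not part of the original writeup: a detection-side view of
# the password-spray step above. On the DC, a spray shows up as a burst of
# Event ID 4625 (logon failure) records from one source against many distinct
# accounts, often followed by a 4624 (success) from the same source.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, source_ip, target_user).
# 10.10.14.5 sprays one password over the harvested usernames;
# 10.10.20.7 is one user mistyping their own password, which must not alert.
SAMPLE_EVENTS = [
    ("2021-07-04 10:00:01", 4625, "10.10.14.5", "Jason.Patterson"),
    ("2021-07-04 10:00:02", 4625, "10.10.14.5", "Ted.Graves"),
    ("2021-07-04 10:00:02", 4625, "10.10.14.5", "User.Three"),
    ("2021-07-04 10:00:03", 4625, "10.10.14.5", "User.Four"),
    ("2021-07-04 10:00:03", 4625, "10.10.14.5", "User.Five"),
    ("2021-07-04 10:00:04", 4624, "10.10.14.5", "Tiffany.Molina"),
    ("2021-07-04 10:05:00", 4625, "10.10.20.7", "Ted.Graves"),
    ("2021-07-04 10:05:30", 4625, "10.10.20.7", "Ted.Graves"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: sorted distinct users} for every source whose 4625
    failures hit at least `min_users` distinct accounts inside `window`.
    Repeated failures against a single account do not count as a spray."""
    failures = defaultdict(list)
    for ts, event_id, src, user in events:
        if event_id == 4625:
            failures[src].append((_parse(ts), user))
    hits = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

def spray_then_success(events, **kw):
    """List (source_ip, user) for 4624 successes from a source that sprayed:
    the account the attacker actually got, which is the one to reset first."""
    sprayers = detect_spray(events, **kw)
    return [(src, user) for _, event_id, src, user in events
            if event_id == 4624 and src in sprayers]
```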
I was able to list shares with the user
Used smbclient to connect to the SMB server with the credentials I got and found the user file.
Way to Root
Since the environment was very limited and I didn't have a proper shell to work on, I used Impacket tools for this machine; to get the BloodHound dump, I used the bloodhound.py tool.
We had more shares accessible with the current user, so I connected to the IT share and found a PowerShell script named downdetector.ps1, which I downloaded to my machine.
Checking the contents of the file, I saw that it looks up DNS records whose names start with web, invokes a web request to each of them, and then sends a mail to the Ted.Graves user.
I used dnstool.py to add a DNS record for web.intelligence.htb on the machine, pointing it at my Kali machine.
On my Responder listener, I was able to capture the hash of the Ted.Graves user.
Successfully cracked the user's hash to My.Teddy.
Checking BloodHound, I can see that the user Ted.Graves is a member of the domain group ITSupport, which has ReadGMSAPassword permissions over the SVC_INT domain account.
Using the gmsadumper tool to dump the hash of the account.
Enumerating the svc_int user in BloodHound, we find that it has delegation permissions to the DC.
Requesting the TGT from the DC using the getST.py tool from Impacket, I got an error.
I had to look it up on the web, as I wasn't sure why this error was happening.
Trying again succeeded this time, and the ticket was saved to my machine.
Using Impacket's psexec tool to perform pass-the-hash after getting the hash of the user from the DC.
Getting root flag from the machine