HackTheBox Writeup — Intelligence

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is 10.10.10.248

Port Scan / Enumeration

nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.10.248

Way to User

From the NMAP results, it seems that the machine is taken from AD environment, but we do have Port 80 open for Web, so checking it in the browser

We were presented with a nice looking page which had an option for Contact, clicking on it leads to a download option for some documents

We had links towards two PDF documents, looking at the naming convention, it can be seen that the format of those documents goes as YYYY-MM-DD-upload.php

I used a tool called datelist to create a wordlist similar to the pdf naming convention we saw

Using ffuf to fuzz the files and get actual pdf files present on the server

Since there were so many pdfs,I had to check them one by one and found a leaked password in one of the pdfs

Checking the creator of the PDF, I got the name of the pdf owner as Jason.Patterson but the password didnt worked with that user anywhere

I downloaded all the pdfs present on the server

Checked the Creator of all the pdfs using exiftool and created a list of usernames through it

Used crackmapexec tool for password spraying and got success with Tiffany.Molina user

I was able to list shares with the user

Used smbclient to connect to the SMB server with the credentials I got and found user file

Way to Root

Since the environment was very limited and I didnt had proper shell to work on, I used impacket-tools for this machine, so to get the bloodhound dump, i used bloodhound.py tool

We had more shares accessible with the current user, so I connected to the IT shares and found a powershell script named downdetector.ps1 which I downloaded to my machine

Checking the contents of the file, I saw that it checks for DNS starting with web and then invokes a web request from it and then sends a mail to Ted.Graves user

I used dnstool.py to setup a DNS for the machine to web.intelligence.htb and then link it towards my kali machine

On my responder listener, I was able to capture the hash of Ted.Graves user

Successfully cracked the hash of the user to My.Teddy

Checking the bloodhound, I can see that the user Ted.Graves is a member of the domain group ITSupport which has ReadGMSAPassword permissions towards SVC_INT domain account

Using gmsadumper tool to dump the hash of the user

Enumerating the svc_int user in bloodhound, we find that it has delegation permissions towards the DC

Requesting the TGT from the DC using getST.py tool from Impacket Tools and got error

Had to make a request to the web, I wasnt sure why this error was happening

Trying again got me success this time and the ticket was saved to my machine

Using Impacket’s psexec tool to perform pass-the-hash after getting the hash of the user from DC

Getting root flag from the machine

References

--

--

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover