🧠Intelligence

Intelligence is a medium difficulty Windows machine that showcases a number of common attacks in an Active Directory environment.

Enumeration

We are working with a Windows AD machine We have a IIS website that let's us download two pdf files with two interesting authors

These authors are valid AD users

Now since we don't have any credentials and AS-REP roasting is not useful we cannot do much The naming pattern of the pdfs is interesting

We can try to bruteforce this pattern to uncover other documents in the website

We can use a script for this task

import requests
from datetime import datetime, timedelta

base_url = "http://10.10.10.248/documents/"
date_format = "%Y-%m-%d"
start_date = datetime(2020, 1, 1)
end_date = datetime(2022, 12, 12)

current_date = start_date
while current_date <= end_date:
    file_name = current_date.strftime(date_format) + "-upload.pdf"
    file_url = base_url + file_name

    response = requests.head(file_url)
    if response.status_code == 200:
        print(f"File found: {file_name}. Downloading...")
        
        download_response = requests.get(file_url)
        
        with open(file_name, "wb") as pdf_file:
            pdf_file.write(download_response.content)

        print(f"{file_name} downloaded successfully.")
    else:
        print(f"{file_name} not found.")

    current_date += timedelta(days=1)

We got a lot of pdf files

Now we can try to extract users from the authors, just like before

exiftool *.pdf | grep Creator | cut -d ":" -f2 | awk '{$1=$1;print}' | sort | uniq > users.txt

The users are all valid

Inside 2020-06-04-upload.pdf we find a 'New account guide' that gives us a default password to spray

We find that Tiffany.Molina gets a hit for this password

tiffany.molina:NewIntelligenceCorpUser9876

NTLMv2 hash stealing

This user can read the IT share and the Users folder

Inside the IT share we find a PowerShell script

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory 
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if(.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}

This script makes a request to all the DNS entries that start with web in the name to check if the webserver is down, but it's using the credentials for Ted.Graves

We can add a dns entry and run Responder to retrieve a NTLMv2 hash

If this operation does not work put the machine's IP as your default DNS server

After a few minutes we get a hash

And we cracked it

GMSA credentials dumping

Now we can use Bloodhound to identify possible attack paths

We can see that this account can read a password from a GMSA account

We can do this remotely using gMSADumper

This account can also delegate to the DC, so we can abuse the delegation later

Now we can get a ticket impersonating the Administrator user abusing the delegation

And get a shell with psexec