Hack The Box Moncton Meetup #11.
Intelligence on HTB is a medium-difficulty Windows box that was released on July 3rd, 2021, and challenges the user's knowledge of Microsoft’s Active Directory. The skills required to hack this machine include Insecure Direct Object Reference (IDOR), knowledge of EXIF data, scripting experience, and Active Directory knowledge. The tools used in this walkthrough include nmap, ZAP or Burp, Metasploit or some kind of responder, crackmapexec, krbrelayx, gMSADumper, and Impacket.
The first step in hacking the Intelligence machine is enumeration. This is done using nmap, a popular port scanning tool. The nmap results show that the machine is a Windows Active Directory Domain Controller. Before attempting any direct attacks on the DC, the web server is checked to see if it has anything interesting. The website is stylish, with a newsletter to subscribe to, a few documents to download, and a possible contact user. The first document's path raises the question of whether more documents are accessible that aren't listed on the site.
The initial attack vector is the website, which is found to have a potential Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability allows the hacker to access the password and username for initial access. The username is obtained from the EXIF data of the second document. The password is obtained through the use of Metasploit or some other responder, which allows the hacker to get a shell on the machine and get the password from the memory dump.
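Requests for documents that the site never links to show up in the web server's access log. The following is an added example, not part of the original write-up: it flags clients that request several unlisted documents and reports which of those requests were actually served. The log lines, file names and the `/documents/` prefix are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed: the documents the site actually links to (hypothetical paths).
LINKED = {"/documents/newsletter-1.pdf", "/documents/newsletter-2.pdf"}

# Constructed access-log lines in Common Log Format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /documents/newsletter-1.pdf HTTP/1.1" 200 26835
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /documents/newsletter-2.pdf HTTP/1.1" 200 27002
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /documents/newsletter-3.pdf HTTP/1.1" 404 1245
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /documents/newsletter-1.pdf HTTP/1.1" 200 26835
10.0.0.9 - - [01/Jan/2024:10:01:01 +0000] "GET /documents/draft-a.pdf HTTP/1.1" 404 1245
10.0.0.9 - - [01/Jan/2024:10:01:01 +0000] "GET /documents/draft-b.pdf HTTP/1.1" 404 1245
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /documents/draft-c.pdf HTTP/1.1" 200 25110
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /documents/draft-d.pdf HTTP/1.1" 404 1245
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')


def unlisted_document_requests(log_text, linked, prefix="/documents/", min_unlisted=3):
    """Return {client: {"hits": [...], "misses": n}} for clients that requested
    at least min_unlisted distinct paths under prefix that the site does not link."""
    per_client = defaultdict(lambda: {"paths": set(), "hits": [], "misses": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not GET/HEAD requests in CLF
        client, path, status = m.group(1), m.group(2).split("?", 1)[0], int(m.group(3))
        if not path.startswith(prefix) or path in linked:
            continue  # only unlisted documents are interesting
        entry = per_client[client]
        if path in entry["paths"]:
            continue  # count each distinct path once per client
        entry["paths"].add(path)
        if status == 200:
            entry["hits"].append(path)  # an unlisted document was served
        elif status == 404:
            entry["misses"] += 1
    return {c: {"hits": sorted(e["hits"]), "misses": e["misses"]}
            for c, e in per_client.items() if len(e["paths"]) >= min_unlisted}


if __name__ == "__main__":
    for client, info in unlisted_document_requests(SAMPLE_LOG, LINKED).items():
        print(client, "served unlisted:", info["hits"], "not found:", info["misses"])
```

Any entry in `hits` is a document reachable without being published, which is the condition to fix on the server side by requiring authorization per document or removing the file.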
Once the initial access has been gained, the next step is to get a foothold on the domain controller. This is done using the gMSADumper tool, which allows the hacker to get the password of the service account. The service account is then used to get a shell on the domain controller, which in turn allows the hacker to use krbrelayx to set up a DNS host to get the password of Ted, a user on the machine. Impacket is then used to access the machine and get the flags.