downdetector.ps1
Using the TGT of the tiffany.molina user, I was able to briefly enumerate the SMB server and found that there are two non-default SMB shares. While the Users share, which maps to C:\Users, doesn't have much going on, the IT share contained a PowerShell script (downdetector.ps1) that appears to check on the web server. I downloaded the script to Kali for review.
```powershell
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
# Walk the dnsNode objects of the intelligence.htb ADIDNS zone through the AD: drive
# and keep only those whose Name starts with "web" (-like is case-insensitive)
foreach($record in get-childitem "ad:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        # Plain HTTP to whatever the record name resolves to, authenticating as the account running the task
        $request = invoke-webrequest -uri "http://$($record.Name)" -UseDefaultCredentials
        # Anything other than 200 OK is treated as "down"
        if($request.StatusCode -ne 200) {
            send-mailmessage -from 'ted graves <ted.graves@intelligence.htb>' -to 'ted graves <ted.graves@intelligence.htb>' -subject "host: $($record.Name) is down"
        }
    } catch {}  # any error (DNS, connection, authentication) is silently discarded
}
```
This PowerShell script, which its comment says is scheduled to run every 5 minutes, performs the following tasks:
- It uses the `Get-ChildItem` cmdlet against the `AD:` PSDrive (the Active Directory provider) to list the dnsNode objects under the zone with the distinguished name `DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb`, and filters them with `Where-Object` to keep only those whose `Name` matches the wildcard pattern `web*` (`-like` is case-insensitive by default).
- For each matching DNS record, it attempts the following:
  - It uses `Invoke-WebRequest` to send an HTTP GET request to `http://<record name>`, a URL built from the record's name (so the name must resolve for the request to go anywhere). The `-UseDefaultCredentials` switch makes the request authenticate with the credentials of the account the script runs as, so whichever host that name resolves to receives them.
  - It checks the HTTP status code of the response (`$request.StatusCode`) and treats anything other than 200 as a failure.
  - If the status code is not 200 (the host is down or returning an error), it sends an email notification with the `Send-MailMessage` cmdlet. The mail is sent from and to ted.graves, with a subject stating that the host named by `$record.Name` is down.
- Any exception, including a failed connection, is swallowed by the empty `catch {}` block, so a request that never completes produces neither a mail nor a log entry.
While the PowerShell script above seems innocent at first, a potential vulnerability lies within it. By default, regular domain users (Authenticated Users) have the ability to create DNS records in Active Directory Integrated DNS (ADIDNS) zones: the zone grants them "Create all child objects", which is what lets dynamic DNS updates work. This is part of AD's design, but it means that an attacker who creates a record named `web*` pointing at a host they control gets the scheduled task to connect to that host with `-UseDefaultCredentials`, i.e. to authenticate with the credentials of the account running the script. That can easily be [[Intelligence_ADIDNS_Poisoning|leveraged]] by a threat actor ([ADIDNS Poisoning](https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing)).
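To make concrete what "creating a DNS record" in an ADIDNS zone actually writes, here is an added example of my own (not code from the box, from the script's author, or from any tool on this page). It builds and parses the binary value of the `dnsRecord` attribute stored on a dnsNode object, following the DNS_RPC_RECORD layout that tools such as dnstool.py and adidnsdump use, and goes a little beyond the text by also handling AAAA and CNAME/NS data. The zone DN is the one from the script; the label `webattacker`, the address 10.10.14.5 and the serial numbers are assumptions made up for the demonstration.

```python
"""Encode / decode the ``dnsRecord`` attribute value of an ADIDNS dnsNode.

Added example, not from the box or from any tool cited on this page.  The
layout follows MS-DNSP DNS_RPC_RECORD as stored in AD: a 24-byte header
  wDataLength(2) wType(2) Version(1) Rank(1) Flags(2) Serial(4)
  TtlSeconds(4, BIG-endian) Reserved(4) TimeStamp(4)
followed by wDataLength bytes of type-specific data.
"""
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_AAAA = 1, 2, 5, 28
RANK_ZONE = 0xF0          # record lives in an authoritative zone
HEADER_FMT = "<HHBBHI"    # everything before the TTL is little-endian
HEADER_LEN = 24


def encode_count_name(fqdn: str) -> bytes:
    """DNS_COUNT_NAME: total length, label count, then length-prefixed
    labels terminated by a zero byte (used by CNAME, NS and SRV targets)."""
    labels = [l for l in fqdn.rstrip(".").split(".") if l]
    raw = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def decode_count_name(buf: bytes) -> str:
    length, count = buf[0], buf[1]
    raw, labels, i = buf[2:2 + length], [], 0
    for _ in range(count):
        n = raw[i]
        labels.append(raw[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels) + "."


def encode_record(rtype: int, data: bytes, serial: int, ttl: int = 180,
                  rank: int = RANK_ZONE, timestamp: int = 0) -> bytes:
    """Serialise one record. timestamp=0 marks it static (never scavenged),
    which is exactly what a long-lived poisoned entry would use."""
    head = struct.pack(HEADER_FMT, len(data), rtype, 5, rank, 0, serial)
    tail = struct.pack(">I", ttl) + struct.pack("<II", 0, timestamp)
    return head + tail + data


def a_record(ip: str, serial: int, ttl: int = 180) -> bytes:
    return encode_record(TYPE_A, ipaddress.IPv4Address(ip).packed, serial, ttl)


def aaaa_record(ip: str, serial: int, ttl: int = 180) -> bytes:
    return encode_record(TYPE_AAAA, ipaddress.IPv6Address(ip).packed, serial, ttl)


def decode_record(blob: bytes) -> dict:
    """Parse a blob back into a dict; rejects truncated input instead of
    silently reading past the end."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    dlen, rtype, version, rank, flags, serial = struct.unpack_from(HEADER_FMT, blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)
    _reserved, timestamp = struct.unpack_from("<II", blob, 16)
    data = blob[HEADER_LEN:HEADER_LEN + dlen]
    if len(data) != dlen:
        raise ValueError("dnsRecord data truncated")
    if rtype == TYPE_A:
        value = str(ipaddress.IPv4Address(data))
    elif rtype == TYPE_AAAA:
        value = str(ipaddress.IPv6Address(data))
    elif rtype in (TYPE_CNAME, TYPE_NS):
        value = decode_count_name(data)
    else:
        value = data.hex()   # other types are left raw
    return {"type": rtype, "version": version, "rank": rank, "flags": flags,
            "serial": serial, "ttl": ttl, "timestamp": timestamp, "value": value}


def node_dn(zone_dn: str, label: str) -> str:
    """A dnsNode is a child of the zone object, named by its label relative to the zone."""
    return f"DC={label},{zone_dn}"


if __name__ == "__main__":
    ZONE_DN = "DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb"
    # Assumed values: the label, address and serial are made up for the demo.
    blob = a_record("10.10.14.5", serial=1)
    print(node_dn(ZONE_DN, "webattacker"))
    print(blob.hex())
    print(decode_record(blob))
```

The two things worth noticing are the mixed endianness (only the TTL is big-endian, which trips up hand-rolled parsers) and that a zero TimeStamp marks the record as static, so aging and scavenging never remove it.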
Since the script keys off DNS records, I might as well check the ADIDNS zones while the subject is brought up.
DNS Records
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ KRB5CCNAME=tiffany.molina@dc.intelligence.htb.ccache powerview INTELLIGENCE.HTB/@dc.intelligence.htb --no-pass -k --dc-ip $IP -q 'Get-DomainDNSZone'
[2023-09-27 04:59:18] LDAP Signing NOT Enforced!
objectClass : top
dnsZone
cn : Zone
distinguishedName : DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb
instanceType : 4
whenCreated : 20210419005130.0Z
whenChanged : 20210419005527.0Z
name : RootDNSServers
objectGUID : {877a18ae-9cbd-4301-806e-0c0ab0df7c98}
objectCategory : CN=Dns-Zone,CN=Schema,CN=Configuration,DC=intelligence,DC=htb
dSCorePropagationData : 20210419005527.0Z
20210419005130.0Z
16010101000000.0Z
dc : RootDNSServers
objectClass : top
dnsZone
cn : Zone
distinguishedName : DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb
instanceType : 4
whenCreated : 20210419005130.0Z
whenChanged : 20210419005130.0Z
name : intelligence.htb
objectGUID : {833ee336-cfbf-406a-bb46-48e50624bdfa}
objectCategory : CN=Dns-Zone,CN=Schema,CN=Configuration,DC=intelligence,DC=htb
dSCorePropagationData : 20210419005130.0Z
16010101000000.0Z
dc : intelligence.htb
The second zone, intelligence.htb, is the one the script iterates over; its DN is DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ bloodyAD -d INTELLIGENCE.HTB -u tiffany.molina -p NewIntelligenceCorpUser9876 --host dc.intelligence.htb get search 'DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb' --resolve-sd | grep -i web
The search returns nothing, meaning no object under the zone has "web" anywhere in its printed attributes, so I dump the whole zone instead:
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ bloodyAD -d INTELLIGENCE.HTB -u tiffany.molina -p NewIntelligenceCorpUser9876 --host dc.intelligence.htb get dnsDump
recordName: _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.intelligence.htb
SRV: dc.intelligence.htb:389
recordName: _ldap._tcp.ForestDnsZones.intelligence.htb
SRV: dc.intelligence.htb:389
recordName: ForestDnsZones.intelligence.htb
AAAA: dead:beef::95e:6ab2:ad09:42c7; dead:beef::23b
A: 10.10.10.248
recordName: _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.intelligence.htb
SRV: dc.intelligence.htb:389
recordName: DomainDnsZones.intelligence.htb
AAAA: dead:beef::95e:6ab2:ad09:42c7; dead:beef::23b
A: 10.10.10.248
recordName: dc.intelligence.htb
AAAA: dead:beef::95e:6ab2:ad09:42c7; dead:beef::23b
A: 10.10.10.248
recordName: _msdcs.intelligence.htb
NS: dc.intelligence.htb
recordName: _ldap._tcp.DomainDnsZones.intelligence.htb
SRV: dc.intelligence.htb:389
recordName: _ldap._tcp.Default-First-Site-Name._sites.intelligence.htb
SRV: dc.intelligence.htb:389
recordName: _ldap._tcp.intelligence.htb
SRV: dc.intelligence.htb:389
recordName: _kpasswd._udp.intelligence.htb
SRV: dc.intelligence.htb:464
recordName: _kpasswd._tcp.intelligence.htb
SRV: dc.intelligence.htb:464
recordName: _kerberos._udp.intelligence.htb
SRV: dc.intelligence.htb:88
recordName: _kerberos._tcp.Default-First-Site-Name._sites.intelligence.htb
SRV: dc.intelligence.htb:88
recordName: _kerberos._tcp.intelligence.htb
SRV: dc.intelligence.htb:88
recordName: _gc._tcp.Default-First-Site-Name._sites.intelligence.htb
SRV: dc.intelligence.htb:3268
recordName: _gc._tcp.intelligence.htb
SRV: dc.intelligence.htb:3268
recordName: intelligence.htb
AAAA: dead:beef::95e:6ab2:ad09:42c7; dead:beef::23b
SOA.0.PrimaryServer: dc.intelligence.htb
SOA.0.zoneAdminEmail: hostmaster@intelligence.htb
NS: dc.intelligence.htb
A: 10.10.10.248
recordName: gc._msdcs.intelligence.htb
AAAA: dead:beef::95e:6ab2:ad09:42c7; dead:beef::23b
A: 10.10.10.248
recordName: 195d59db-c263-4e51-b00b-4d6ce30136ea._msdcs.intelligence.htb
CNAME: dc.intelligence.htb
recordName: _ldap._tcp.pdc._msdcs.intelligence.htb
SRV: dc.intelligence.htb:389
recordName: _ldap._tcp.gc._msdcs.intelligence.htb
SRV: dc.intelligence.htb:3268
recordName: _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.intelligence.htb
SRV: dc.intelligence.htb:3268
recordName: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.intelligence.htb
SRV: dc.intelligence.htb:389
recordName: _ldap._tcp.dc._msdcs.intelligence.htb
SRV: dc.intelligence.htb:389
recordName: _ldap._tcp.85b0d28f-2397-4d58-b509-811d3005299a.domains._msdcs.intelligence.htb
SRV: dc.intelligence.htb:389
recordName: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.intelligence.htb
SRV: dc.intelligence.htb:88
recordName: _kerberos._tcp.dc._msdcs.intelligence.htb
SRV: dc.intelligence.htb:88
recordName: _msdcs.intelligence.htb
NS: dc.intelligence.htb
SOA.0.PrimaryServer: dc.intelligence.htb
SOA.0.zoneAdminEmail: hostmaster@intelligence.htb
As far as the BloodyAD enumeration goes, there is currently no DNS record whose name starts with web*, so the script's loop body never runs today. The gap is that nothing stops a regular domain user from creating one.
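Since the task only ever fires on names that pass `-like "web*"`, the check I would want to automate, both for the script walkthrough above and for this dump, is: given a zone dump like the one bloodyAD just printed, which records would the scheduled task contact with default credentials, and do any of them point somewhere other than the DC? The following is an added example of my own (not code from the box, from bloodyAD, or from the script's author) that parses the `recordName:`/`A:`/`SRV:` text format shown above and replays the script's selection logic. The sample dump is constructed from a few of the lines above plus two made-up nodes, `webattacker` (pointing at the assumed address 10.10.14.5) and `Webmail`; the trusted address 10.10.10.248 and host dc.intelligence.htb are taken from the dump.

```python
"""Replay downdetector.ps1's record selection over a bloodyAD dnsDump.

Added example, not part of the box or of bloodyAD.  It parses the
``recordName:`` / ``<TYPE>:`` lines that ``bloodyAD get dnsDump`` prints,
applies the script's ``Where-Object Name -like "web*"`` filter (a
case-insensitive wildcard on the node label relative to the zone) and
flags matching records that do not point at something we trust.
"""
import fnmatch

ZONE = "intelligence.htb"
TRUSTED_IPS = {"10.10.10.248"}           # the DC, from the dump above
TRUSTED_HOSTS = {"dc.intelligence.htb"}  # CNAME targets we accept

# Constructed sample: lines copied from the dump plus two made-up nodes,
# "webattacker" (rogue, assumed address) and "Webmail" (benign CNAME to the DC).
SAMPLE_DUMP = """\
recordName: dc.intelligence.htb
AAAA: dead:beef::95e:6ab2:ad09:42c7; dead:beef::23b
A: 10.10.10.248
recordName: _ldap._tcp.intelligence.htb
SRV: dc.intelligence.htb:389
recordName: intelligence.htb
SOA.0.PrimaryServer: dc.intelligence.htb
NS: dc.intelligence.htb
A: 10.10.10.248
recordName: webattacker.intelligence.htb
A: 10.10.14.5
recordName: Webmail.intelligence.htb
CNAME: dc.intelligence.htb
"""


def parse_dump(text: str) -> list:
    """Group the dump into nodes: {"name": fqdn, "records": {type: [values]}}."""
    nodes, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the FIRST colon only (SRV values contain ":")
        key, value = key.strip(), value.strip()
        if key == "recordName":
            current = {"name": value, "records": {}}
            nodes.append(current)
        elif current is not None:
            # Several values of one type are printed as "a; b"
            values = [v.strip() for v in value.split(";") if v.strip()]
            current["records"].setdefault(key, []).extend(values)
    return nodes


def node_label(fqdn: str, zone: str = ZONE) -> str:
    """The dnsNode ``name`` attribute (what $record.Name holds) is the label
    relative to the zone; the zone apex itself is stored as "@"."""
    if fqdn.lower() == zone.lower():
        return "@"
    suffix = "." + zone.lower()
    return fqdn[:-len(suffix)] if fqdn.lower().endswith(suffix) else fqdn


def targets(nodes: list, pattern: str = "web*") -> list:
    """Nodes that survive Where-Object Name -like <pattern> (case-insensitive)."""
    return [n for n in nodes
            if fnmatch.fnmatchcase(node_label(n["name"]).lower(), pattern.lower())]


def request_url(node: dict) -> str:
    """The URL the task builds: http://<label>, relying on the DNS suffix search."""
    return "http://" + node_label(node["name"])


def suspicious(nodes: list, pattern: str = "web*") -> list:
    """(name, reason) for matching nodes whose target is not one we trust."""
    findings = []
    for n in targets(nodes, pattern):
        recs = n["records"]
        for ip in recs.get("A", []):
            if ip not in TRUSTED_IPS:
                findings.append((n["name"], f"A {ip} outside trusted set"))
        for host in recs.get("CNAME", []):
            if host.lower().rstrip(".") not in TRUSTED_HOSTS:
                findings.append((n["name"], f"CNAME {host} outside trusted set"))
    return findings


if __name__ == "__main__":
    nodes = parse_dump(SAMPLE_DUMP)
    for n in targets(nodes):
        print("task would request", request_url(n), "with default credentials")
    for name, why in suspicious(nodes):
        print("ROGUE?", name, "-", why)
```

Run against the unmodified dump above it reports nothing, which matches what grep showed; the point of the constructed `webattacker` node is that a single A record a regular user is allowed to create is enough to turn the monitoring task into an outbound authentication to an attacker's address.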