Read my Write-up to Intelligence machine on:
TL;DR
User 1: Discovering PDF’s with filenames based upon the date, Building a customized wordlist based upon the date, Downloading the PDF’s with python
script and then examining users, Finding the password NewIntelligenceCorpUser987
which is the password of Tiffany.Molina
.
User 2: Found PowerShell script downdetector.ps1
which is scheduled a DNS request for each 5 min, Using Responder
we found the NTLMv2 hash of Ted.Graves
.
User 3: Importing the bloodhound
results for attack paths - Discovering we probably need to get access to the SVC_INT
GMSA (Group Managed Service Account).
Root: Using impacket’s getST
to generate a SilverTicket which we can use for impersonating an Administrator, Using our ticket with psexec
to gain access to the server as Administrator.