Read my Write-up to Intelligence machine on:
TL;DR
User 1: Discovering PDF’s with filenames based upon the date, Building a customized wordlist based upon the date, Downloading the PDF’s with python script and then examining users, Finding the password NewIntelligenceCorpUser987 which is the password of Tiffany.Molina.
User 2: Found PowerShell script downdetector.ps1 which is scheduled a DNS request for each 5 min, Using Responder we found the NTLMv2 hash of Ted.Graves.
User 3: Importing the bloodhound results for attack paths - Discovering we probably need to get access to the SVC_INT GMSA (Group Managed Service Account).
Root: Using impacket’s getST to generate a SilverTicket which we can use for impersonating an Administrator, Using our ticket with psexec to gain access to the server as Administrator.