Infiltrator Discussion [HTB] [HINTS]

Let’s talk about Infiltrator. Please do not share any flags or writeups.

It’s coming, an insane-level machine…

I cracked a hash.

$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:ecef063f47a7e6d193c18d4efb0adfd5$77d5f91039e8d1378a4d141d2a714ffb5441ceaadd3443c5a36b87452322a380546b06b0ba4cac8e355d6505d39c91fc05dd41d8316da6fac4f699d910be181fd3ff94839b7c2d6764f0c50423d13b33d5aa5b59aba2ad332544c619beee14a7cd94e9030d6287f80c0056cf123286bfceac3fe2164e00c048126e948c4c95aaccc29a31ddf44369445f6219e42b4dbf05b85dbe35f6f7b8790f990d2b19f558d4ac2789ef8b00b3cd52f64912a523b75bb5701e1848829359cfee7654ed5926123f97bc9a9b0d3f43c2eaf17afc23ca69d53981634c89ab1503495a3e8866271cf617e9c77e80b19d2028a02fe5fbb1b6f6:WAT?watismypass!
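The line above is an AS-REP roast hash in the hashcat/John `$krb5asrep$` layout. As an added example (not from any post in this thread and not part of hashcat, John or Impacket), the following Python parses that layout into its fields and turns a list of such lines into a defender's to-do list: every line implies an account with pre-authentication disabled, an etype of 23 means RC4 was negotiated, and a trailing plaintext means the password has already been recovered offline. The field regex, the checksum-length table and the second, AES-flavoured sample line are assumptions constructed for this example; the first sample is the hash from the post with the cracked password removed.

```python
"""Parse $krb5asrep$ hash lines and report what a defender should fix.

Added example for this thread; the layout regex is an assumption based on
the hashcat mode 18200 / John "$krb5asrep$" format shown in the post.
"""
import re
from dataclasses import dataclass

# Kerberos encryption types as they appear in the hash line.
ETYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Expected checksum length in bytes: HMAC-MD5 for RC4, HMAC-SHA1-96 for AES.
CHECKSUM_LEN = {17: 12, 18: 12, 23: 16}

# $krb5asrep$<etype>$<user>[@domain]@<REALM>:<checksum>$<edata>[:<plaintext>]
_LINE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<who>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)"
    r"(?::(?P<plain>.*))?$"
)


@dataclass(frozen=True)
class AsRepHash:
    etype: int
    user: str
    realm: str
    checksum: bytes
    edata: bytes
    cracked: bool  # True when a cracker appended the plaintext after ':'

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.etype, f"unknown({self.etype})")

    @property
    def weak_etype(self) -> bool:
        # RC4-HMAC keys are just the NT hash (no salt, no iteration), so a
        # cracked RC4 AS-REP hands back the password cheaply.
        return self.etype == 23


def parse_asrep_hash(line: str) -> AsRepHash:
    """Split one hash line into its fields; raises ValueError on bad input."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    etype = int(m.group("etype"))
    user, _, rest = m.group("who").partition("@")
    # Some tools emit user@domain@REALM; the realm is always the last part.
    realm = rest.rsplit("@", 1)[-1].upper()
    checksum = bytes.fromhex(m.group("checksum"))
    expected = CHECKSUM_LEN.get(etype)
    if expected is not None and len(checksum) != expected:
        raise ValueError(f"etype {etype} checksum should be {expected} bytes")
    return AsRepHash(
        etype=etype,
        user=user,
        realm=realm,
        checksum=checksum,
        edata=bytes.fromhex(m.group("edata")),
        cracked=m.group("plain") is not None,
    )


def triage(lines):
    """Return (user, realm, advice) for every parseable line."""
    findings = []
    for line in lines:
        try:
            h = parse_asrep_hash(line)
        except ValueError:
            continue  # not a hash line (comment, blank, other format)
        notes = ["clear DONT_REQ_PREAUTH on the account"]  # roastable at all
        if h.weak_etype:
            notes.append("RC4 AS-REP issued: require AES for this account")
        if h.cracked:
            notes.append("password recovered offline: reset and investigate")
        findings.append((h.user, h.realm, "; ".join(notes)))
    return findings


# Hash from the post above, with the cracked password removed.
PAGE_LINE = (
    "$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:"
    "ecef063f47a7e6d193c18d4efb0adfd5$"
    "77d5f91039e8d1378a4d141d2a714ffb5441ceaadd3443c5a36b87452322a380"
    "546b06b0ba4cac8e355d6505d39c91fc05dd41d8316da6fac4f699d910be181f"
    "d3ff94839b7c2d6764f0c50423d13b33d5aa5b59aba2ad332544c619beee14a7"
    "cd94e9030d6287f80c0056cf123286bfceac3fe2164e00c048126e948c4c95aa"
    "ccc29a31ddf44369445f6219e42b4dbf05b85dbe35f6f7b8790f990d2b19f558"
    "d4ac2789ef8b00b3cd52f64912a523b75bb5701e1848829359cfee7654ed5926"
    "123f97bc9a9b0d3f43c2eaf17afc23ca69d53981634c89ab1503495a3e886627"
    "1cf617e9c77e80b19d2028a02fe5fbb1b6f6"
)
# Constructed sample (not real data) in the same layout, AES etype, cracked.
CONSTRUCTED_LINE = (
    "$krb5asrep$18$svc_backup@EXAMPLE.LOCAL:00112233445566778899aabb$"
    + "0123456789abcdef" * 4 + ":<redacted-plaintext>"
)
SAMPLE_LINES = ["# cracker output", PAGE_LINE, CONSTRUCTED_LINE]

if __name__ == "__main__":
    for user, realm, advice in triage(SAMPLE_LINES):
        print(f"{user}@{realm}: {advice}")
```

The parser deliberately does nothing with the encrypted part beyond checking that it is valid hex; its purpose is inventory, so the output can be fed to whoever owns the accounts that still have pre-authentication disabled or still negotiate RC4.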

Can you give me a hint?

k.turner has a weird description, but it didn’t help.

1. Obtain the Password for d.anderson

Perform a password spray attack with the password we cracked earlier to find the password for d.anderson.

2. Obtain a Ticket-Granting Ticket (TGT) for d.anderson

A Ticket-Granting Ticket (TGT) for the user d.anderson is requested using a provided password. This TGT is essential for authenticating future actions.

3. Write Delegation Access Control List (DACL)

The environment is configured to use the d.anderson TGT. Permissions are written to grant d.anderson full control rights over a specified directory.

4. Change Password for e.rodriguez Using GenericAll Privileges

Using d.anderson’s credentials, the password for e.rodriguez is changed to match d.anderson’s password. This grants control over the e.rodriguez account.

5. Add e.rodriguez to the CHIEFS MARKETING Group

e.rodriguez is added to the CHIEFS MARKETING group, providing additional privileges associated with this group.

6. Change Password for m.harris Using ForceChangePassword Privileges

With e.rodriguez’s credentials, the password for m.harris is changed. This action is intended to gain control over the m.harris account.

7. Obtain a TGT for m.harris

A TGT for m.harris is requested using the new password. This TGT is required for further authentication tasks.

8. Access the System Using m.harris’s Credentials

Read the user.txt file located on m.harris’s Desktop to confirm successful access.

9. MySQL Credentials

Navigate to C:\ProgramData\Output Messenger Server\Temp and inspect the files to find the MySQL credentials. These credentials will be used to access the MySQL service.

10. Port Forwarding

Forward the MySQL port to the local machine using chisel to access the MySQL service running on port 14406.

11. root.txt File (Unintended Path)

After connecting to the MySQL service, execute a SQL query to read the root.txt file located on the Administrator’s Desktop. Retrieve the file’s hash value to confirm successful access.

This is just a high-level overview of the challenge. The exact commands or detailed steps are not shared to maintain the challenge’s integrity. DM me if you need more help.

How did you work out that this was possible? I get STATUS_ACCOUNT_RESTRICTION as the result when I try cme/nxc on any protocol. Once I tried I did get a TGT for this user using the password though. What have I missed in my enumeration?

His password is required to obtain his TGT token. You can retrieve it like this.

impacket-getTGT <domain>/<username>:'<password>'

As mentioned, his password is in this thread — the cracked hash.

Thanks, I got the ticket. However, when I tried the password spray I only got STATUS_ACCOUNT_RESTRICTION. Is that just an indication that the credential was potentially valid?

There are different circumstances that might lead to STATUS_ACCOUNT_RESTRICTION. However, if you try entering a different password, you will likely get a different error code. So, yes.

So this is what I get no matter what password I use to spray - hence the confusion.

Yeah it’s confusing but you can use Kerbrute to verify that his password is correct.


How do you enumerate the users?

Their names are exposed on the web page.


How did you find the credential of winrm_svg?

I did not need it. Check the OutputMysql.ini file inside the OutputMessengerMysql.zip archive. That file contains the root MySQL password. After logging in to MySQL, you can directly read the root.txt file, but this is not the intended method. This method may be fixed. I am not sure.

Enumerating with BloodHound

Hey, can you explain how you got the password? (I’m a noob.)

I don’t understand why neither BloodHound nor Impacket works. Does anyone know how to resolve this?

┌──(root㉿kali)-[/home/kali]
└─# sudo bloodhound-python -c ALL -u l.clark -p 'WAT?watismypass!' -d dc01.infiltrator.htb -ns 10.10.11.31
Traceback (most recent call last):
  File "/usr/bin/bloodhound-python", line 33, in <module>
    sys.exit(load_entry_point('bloodhound==1.7.2', 'console_scripts', 'bloodhound-python')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/bloodhound/__init__.py", line 308, in main
    ad.dns_resolve(domain=args.domain, options=args)
  File "/usr/lib/python3/dist-packages/bloodhound/ad/domain.py", line 698, in dns_resolve
    q = self.dnsresolver.query(query, 'SRV', tcp=self.dns_tcp)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1364, in query
    return self.resolve(
           ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1321, in resolve
    timeout = self._compute_timeout(start, lifetime, resolution.errors)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1075, in _compute_timeout
    raise LifetimeTimeout(timeout=duration, errors=errors)
dns.resolver.LifetimeTimeout: The resolution lifetime expired after 3.102 seconds: Server Do53:10.10.11.31@53 answered The DNS operation timed out.
                                                                                                                    
┌──(root㉿kali)-[/home/kali]
└─# impacket-getTGT dc01.infiltrator.htb/d.anderson:'WAT?watismypass!'
Impacket v0.12.0.dev1+20240827.104624.763808d0 - Copyright 2023 Fortra

Kerberos SessionError: KDC_ERR_WRONG_REALM(Reserved for future use)