20-Reverse Engineering
➜ www cat RunAudit.bat
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"%
The .exe is doing something with the db file, lets check it out with dnspy.
Transfer all the file retrieved from smb audit share to your windows machine.
Opened the caseCrypto.dll first because it had crypto in its name.
Its doing some kind of aes magic with a plain text and a key.
Opened the .exe file in dnsspy
Its decrypting the encrypted string
We ll set a break point with f9, execute the executable, bring the .db file in same working dir as of .exe,
Press f10 to step one step forward. And we ll be able to see the credentail.
arksvc:w3lc0meFr31nd