Audit


*Evil-WinRM* PS C:\> dir
 
 
    Directory: C:\
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/9/2020   8:14 PM                inetpub
d-----        7/14/2009   4:20 AM                PerfLogs
d-r---        1/28/2020   7:27 PM                Program Files
d-r---         2/4/2021   4:24 PM                Program Files (x86)
d-----        1/15/2020   9:38 PM                Shares
d-r---        1/28/2020  11:37 PM                Users
d-----         2/4/2021   4:32 PM                Windows

After performing some basic enumeration, I was strolling through the system to find potential vulnerabilities. Then I came across a directory named Shares at the system root.

*Evil-WinRM* PS C:\> dir C:\Shares
Access to the path 'C:\Shares' is denied.
At line:1 char:1
+ dir C:\Shares
+ ~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Shares:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

While it seemed pretty obvious that the directory must be linked to the SMB server, I was unable to confirm it due to a lack of privileges.

Checking the user's privileges again, I remembered that the s.smith user has interesting memberships in two groups: Audit and Data. Those two match the SMB shares that I saw earlier. It is very possible that the groups have either a GPO or an ACL configured to grant access to those SMB shares, in which case I should be able to access the shares.

┌──(kali㉿kali)-[~/…/labs/cascade/smb/Audit]
└─$ smbmap -H casc-dc1.cascade.local -u 's.smith' -p 'sT333ve2'
[+] ip: casc-dc1.cascade.local:445	Name: unknown                                           
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	Audit$                                            	READ ONLY	
	C$                                                	NO ACCESS	Default share
	Data                                              	READ ONLY	
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	print$                                            	READ ONLY	Printer Drivers
	SYSVOL                                            	READ ONLY	Logon server share 

Yes, the s.smith user has READ access to both the Audit$ and Data shares; those two shares are presumably mapped to the C:\Shares directory.
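To verify the group-to-share mapping from the administrator's side, here is an added PowerShell audit (not from the original write-up) that reports which ACEs on the Audit$ and Data share definitions, and on the NTFS folders behind them, name the Audit and Data groups. It assumes a Windows Server 2012 or later host where the SmbShare module is available; the group and share names are taken from the output above.

```powershell
# Added example, not part of the original write-up. Given a list of group
# names, report which ACEs on each SMB share (share layer) and on its backing
# folder (NTFS layer) reference those groups. Effective access is the
# intersection of the two layers, so a defender wants to see both.
# Assumes Windows Server 2012+ (Get-SmbShare / Get-SmbShareAccess available).
param(
    [string[]]$Groups = @('Audit', 'Data'),   # groups from the page
    [string[]]$Shares = @('Audit$', 'Data')   # shares from the smbmap output
)

function Get-MatchingAces {
    param([string]$ShareName, [string[]]$GroupNames)
    $share  = Get-SmbShare -Name $ShareName -ErrorAction Stop
    $result = [ordered]@{ Share = $ShareName; Path = $share.Path; ShareAces = @(); NtfsAces = @() }

    # Share-level permissions: this is the layer smbmap reports as READ ONLY / NO ACCESS
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        $principal = $ace.AccountName.Split('\')[-1]
        if ($GroupNames -contains $principal) {
            $result.ShareAces += "$($ace.AccountName): $($ace.AccessControlType) $($ace.AccessRight)"
        }
    }

    # NTFS permissions on the folder the share exposes (e.g. C:\Shares\Audit)
    foreach ($ace in (Get-Acl -Path $share.Path).Access) {
        $principal = $ace.IdentityReference.Value.Split('\')[-1]
        if ($GroupNames -contains $principal) {
            $result.NtfsAces += "$($ace.IdentityReference): $($ace.AccessControlType) $($ace.FileSystemRights)"
        }
    }
    [pscustomobject]$result
}

foreach ($s in $Shares) {
    $r = Get-MatchingAces -ShareName $s -GroupNames $Groups
    "== $($r.Share) -> $($r.Path)"
    "  share ACEs : " + $(if ($r.ShareAces) { $r.ShareAces -join '; ' } else { '(none for these groups)' })
    "  NTFS ACEs  : " + $(if ($r.NtfsAces)  { $r.NtfsAces  -join '; ' } else { '(none for these groups)' })
}
```

A share that shows a group only at one layer is a sign the access was granted by a different principal (such as Everyone or Authenticated Users) at the other layer, which is worth tightening.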

*Evil-WinRM* PS C:\> dir C:\Shares\Audit
 
 
    Directory: C:\Shares\Audit
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        1/28/2020   9:40 PM                DB
d-----        1/26/2020  10:25 PM                x64
d-----        1/26/2020  10:25 PM                x86
-a----        1/28/2020   9:46 PM          13312 CascAudit.exe
-a----        1/29/2020   6:00 PM          12288 CascCrypto.dll
-a----        1/28/2020  11:29 PM             45 RunAudit.bat
-a----       10/27/2019   6:38 AM         363520 System.Data.SQLite.dll
-a----       10/27/2019   6:38 AM         186880 System.Data.SQLite.EF6.dll

My theory was correct. There appears to be a custom application, CascAudit.exe, within the share.

Reverse engineering may be required to proceed further.