Cascade

Exploitation


Last updated 2 years ago

Upon initial access as the user s.smith, we are a member of a group named Audit Share:

Evil-WinRM PS C:\shares\audit\Db> net localgroup "Audit Share"
Alias name     Audit Share
Comment        \Casc-DC1\Audit$

Members

s.smith
The command completed successfully.

The group has access to a share named audit.

The share contained .NET binaries and a database file that could be accessed with sqlite3.
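A database file left on a group-readable share is worth auditing for stored secrets. The following is an added example, not part of the original notes: it inspects a SQLite database for columns whose names suggest credentials and reports where populated values sit, without printing them. The table names, column-name pattern and sample rows are constructed for illustration.

```python
import re
import sqlite3

# Column names that suggest stored secrets (hypothetical pattern list for this example).
SUSPECT = re.compile(r"(pass|pwd|secret|token|cred|key)", re.IGNORECASE)

def find_credential_columns(conn):
    """Return [(table, column, populated_rows)] for suspicious, non-empty columns."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        qt = '"' + table.replace('"', '""') + '"'  # quote identifier safely
        for _cid, col, _type, *_ in conn.execute(f"PRAGMA table_info({qt})"):
            if not SUSPECT.search(col):
                continue
            qc = '"' + col.replace('"', '""') + '"'
            (count,) = conn.execute(
                f"SELECT COUNT(*) FROM {qt} WHERE {qc} IS NOT NULL AND {qc} != ''"
            ).fetchone()
            if count:
                findings.append((table, col, count))
    return sorted(findings)

def build_sample_db():
    """Constructed sample data standing in for a database file left on a share."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Accounts (Id INTEGER PRIMARY KEY, Uname TEXT, Pwd TEXT, Domain TEXT);
        CREATE TABLE Settings (Id INTEGER PRIMARY KEY, Name TEXT, ApiToken TEXT);
        CREATE TABLE Log (Id INTEGER PRIMARY KEY, Message TEXT);
        INSERT INTO Accounts (Uname, Pwd, Domain)
            VALUES ('svc-example', 'CONSTRUCTED==', 'example.local');
        INSERT INTO Settings (Name, ApiToken) VALUES ('sync', NULL);
        INSERT INTO Log (Message) VALUES ('password policy updated');
    """)
    return conn

if __name__ == "__main__":
    for table, col, n in find_credential_columns(build_sample_db()):
        # Report location and row count only; never echo the stored values.
        print(f"{table}.{col}: {n} populated row(s)")
```

Any finding means the file should come off the share and the affected account's credential should be rotated, since encoding or encrypting the value inside an application binary stored next to it does not protect it.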

I did not know how to reverse these, so I had to use a write-up for this part.

That writeup explained everything well.

We got access to the user arksvc, which was a member of the AD Recycle Bin group. That membership allowed us to retrieve the password of TempAdmin, the account the IT dept email was talking about.

https://0xdf.gitlab.io/2020/07/25/htb-cascade.html#privesc-arksvc--administrator