Hack The Box - Cascade: An Active Directory Penetration Test
Cascade is a Windows machine that was recently retired. It runs Active Directory, which we will try to penetrate to gain admin privileges.
Let's begin with the nmap scan:
sudo nmap -sS -sV 10.10.10.182
After the nmap enumeration, I decided to try LDAP enumeration using ldapsearch:
ldapsearch -x -b "dc=CASCADE, dc=local" -h 10.10.10.182
From this enumeration, I found a few usernames and something interesting on the r.thompson user.
We got a password.
Let's try to decode it.
Here I used an online tool to decode it:
Base64 Decode and Encode - Online
Now we have the password!
username - r.thompson
password - rY4n5eva
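The same finding can be reproduced as a local audit check over saved ldapsearch output, so the value is decoded on your own machine. This is an added example, not code from the original write-up; the LDIF sample, its DNs and the attribute name exampleLegacyPwd are constructed placeholders, and only the encoded value corresponds to the password shown above.

```python
import base64
import re

# Constructed ldapsearch (LDIF) output. "exampleLegacyPwd" is a placeholder
# attribute name; its value is the Base64 form of the password found above.
SAMPLE_LDIF = """\
dn: CN=r.thompson,DC=cascade,DC=local
sAMAccountName: r.thompson
badPwdCount: 0
exampleLegacyPwd: clk0bjVldmE=

dn: CN=e.user,DC=cascade,DC=local
description: help
 desk account
"""

SECRET_NAME = re.compile(r"pwd|pass|secret", re.IGNORECASE)


def try_base64(value):
    """Return the decoded text if value is strict Base64 of printable ASCII."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError derive from it
        return None
    return text if text and text.isprintable() else None


def find_exposed_secrets(ldif_text):
    """Return (dn, attribute, value) for secret-like attributes in LDIF."""
    findings, dn = [], None
    unfolded = re.sub(r"\n ", "", ldif_text)  # join LDIF continuation lines
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):  # "attr:: ..." is LDIF-level Base64
            value = try_base64(value[1:].strip()) or ""
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif SECRET_NAME.search(name) and not value.isdigit():
            findings.append((dn, name, try_base64(value) or value))
    return findings


if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE_LDIF):
        print(finding)
```

Counter-style attributes such as badPwdCount match the name pattern but are skipped because their values are purely numeric.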
The initial enumeration with smbclient was not effective, but now that we have a username and password, let's try logging in with smbclient.
smbclient -L 10.10.10.182 -U r.thompson
We got some disks listed. Let's try to access each disk using smbclient:
smbclient //10.10.10.182/"diskname" -U r.thompson
We have access to the "Data" disk here.