Vigilant (Chain)

Operating System: Microsoft Windows Server 2022 Standard

Chain: True (2 Machines)

Credentials

Username	Password	Method	Scope
svc_auditreporter	DeVeLoPeR712	Extracted from .dll	Domain user
Pamela.Clark	Vigilant@Tech2024	Extracted from decrypted PDF	Domain user
Alex.Powell	Vigilant_Market2024	Extracted from decrypted PDF	Domain user
Edwin.Dixon	Vigilant_Finance$	Extracted from decrypted PDF	Domain user
Daniel.Washington	Vigilant&Strategy!	Extracted from decrypted PDF	Domain user

✅ Valid Usernames

Adrian.Hunter
Adrian.Ray
Albert.Shelton
Alexa.Chavez
Alex.Alexander
Alex.Bailey
Alex.Powell
Alyssa.Gonzalez
Amelia.Morales
Amy.Ross
Arlene.Fowler
Audrey.Austin
Avery.Sanchez
Bertha.Hopkins
Bessie.Fuller
Brandie.Mason
Brandon.Lambert
Brandy.Edwards
Byron.Gordon
Carole.Dean
Caroline.Chavez
Carter.Ruiz
Chad.Meyer
Charlene.Flores
Charlene.Jenkins
Cindy.Steeves
Clara.Carlson
Clarence.Dunn
Claude.Stone
Daniel.Washington
Dan.Wells
Deanna.Johnston
Denise.Grant
Dylan.Mason
Eduardo.Anderson
Eduardo.Burns
Edwin.Dixon
Erika.Armstrong
Ethan.Carter
Ethel.Armstrong
Everett.Morrison
Frances.Lewis
Gabriella.Morrison
Gabriel.Stewart
Heather.Green
Isobel.Martin
Ivan.Mendoza
Jerome.Perry
John.Chapman
Kristina.Perry
Lauren.Cooper
Leah.Sullivan
Leo.Mitchell
Leona.Adams
Lewis.Newman
Lily.Young
Marcia.Hudson
Nathan.Stanley
Nicole.Thompson
Pamela.Clark
Patrick.Hart
Paul.Brewer
Phyllis.Silva
Randy.Tucker
Rene.Chapman
Robin.Wagner
Rodney.Smith
Roland.Johnson
Scott.Rivera
Shannon.Simpson
Sophia.Kelley
Stacy.Richardson
svc_auditreporter
svc_elastic
svc_iis
Tiffany.Nelson
Timmothy.Bates
Tonya.Lynch
Travis.Willis
Tristan.Payne
Tyler.Holmes
Tyrone.Carroll
Veronica.Ruiz
Wesley.Rogers
William.Fernandez

🔑 Passwords list

Information Gathering

Nmap Scan

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
5601/tcp open  esmagent
9200/tcp open  wap-wsp

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Service enumeration

vigilant.vl

DNS

• Not vulnerable to DNS Zone transfer

SMB (enum4linux-ng)

• Domain SID: S-1-5-21-2615182196-3196294898-3079774137

• Root/parent domain

• SMB signing: true (Not vulnerable to NTLM Relay attacks)

• NetBIOS computer name: DC

• NetBIOS domain name: VIGILANT

• Domain: vigilant.vl

• FQDN: DC.vigilant.vl

• Server allows null session authentication

• server allows guest session authentication (useful for enumeation)

10.10.145.214

HTTP:80

Compromise X

Discovering a sensitive files on SMB

❯ nxc smb vigilant.vl  -u 'Intrusionz3r0' -p '' --shares  -M spider_plus
❯ nxc smb vigilant.vl  -u 'Intrusionz3r0' -p '' --shares  -M spider_plus -o DOWNLOAD_FLAG=True

❯ tree /tmp/nxc_hosted/nxc_spider_plus/10.10.145.213
/tmp/nxc_hosted/nxc_spider_plus/10.10.145.213
└── ITShare
    └── IT_Support
        ├── ADAudit
        │   ├── ADAudit.dll
        │   ├── ADAuditLib.dll
        │   ├── ADAuditLib.pdb
        │   ├── ADAudit.pdb
        │   ├── ADAudit.runtimeconfig.json
        │   ├── itext.bouncy-castle-connector.dll
        │   ├── itext.pdfua.dll
        │   ├── Microsoft.DotNet.PlatformAbstractions.dll
        │   ├── Microsoft.Extensions.DependencyInjection.Abstractions.dll
        │   ├── Microsoft.Extensions.Logging.dll
        │   └── Microsoft.Extensions.Primitives.dll
        └── ADAuditReports
            └── Password_Strength_Report_encrypted.pdf

5 directories, 12 files

Valuable file: Password_Strength_Report_encrypted.pdf

Discovering a domain user credentials in the ADAudit.dll

During the enumeration the tester found ADAudit.dll which containing svc_auditreporter's plaintext credentials.

Credentials: svc_auditreporter : DeVeLoPeR712

Decrypting pdf

using System;
using System.IO;

class PDFDecryptTool
{
    static void Main(string[] args)
    {
        Console.WriteLine("PDF Decryption Tool");
        Console.WriteLine("-------------------\n");

        if (args.Length == 0 || args[0] == "/?")
        {
            ShowHelp();
            return;
        }

        try
        {
            string inputFile = args[0];
            string outputFile = args.Length > 1 ? args[1] : GenerateOutputPath(inputFile);

            Console.WriteLine($"Decrypting: {inputFile}");
            DecryptFile(inputFile, outputFile);
            Console.WriteLine($"Success!\nDecrypted file saved to: {outputFile}");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"\nERROR: {ex.Message}");
        }
    }

    static void ShowHelp()
    {
        Console.WriteLine("Usage:");
        Console.WriteLine("  PDFDecryptTool.exe <encrypted_file> [output_file]");
        Console.WriteLine("\nExamples:");
        Console.WriteLine("  PDFDecryptTool.exe report_encrypted.pdf");
        Console.WriteLine("  PDFDecryptTool.exe encrypted.pdf decrypted.pdf");
    }

    static void DecryptFile(string inputPath, string outputPath)
    {
        if (!File.Exists(inputPath))
            throw new FileNotFoundException("Input file not found");

        byte[] data = File.ReadAllBytes(inputPath);
        byte[] key = GenerateKey(data.Length);

        Unshuffle(ref data);

        for (int i = 0; i < data.Length; i++)
        {
            data[i] = (byte)((data[i] << 4) | (data[i] >> 4)); 
            data[i] ^= key[i % key.Length]; 
        }

        File.WriteAllBytes(outputPath, data);
    }

    static byte[] GenerateKey(int length)
    {
        byte[] key = new byte[length];
        new Random(12345).NextBytes(key); 
        return key;
    }

    static void Unshuffle(ref byte[] data)
    {
        for (int i = 0; i < data.Length - 1; i += 2)
        {
            // Swap adjacent bytes
            byte temp = data[i];
            data[i] = data[i + 1];
            data[i + 1] = temp;
        }
    }

    static string GenerateOutputPath(string inputPath)
    {
        string dir = Path.GetDirectoryName(inputPath);
        string name = Path.GetFileNameWithoutExtension(inputPath)
            .Replace("_encrypted", "")
            .Replace("_crypted", "");
        string ext = Path.GetExtension(inputPath);

        return Path.Combine(dir, $"{name}_decrypted{ext}");
    }
}

PS C:\Temp\>PDFDecryptTool.exe Password_Strength_Report_encrypted.pdf decrypted.pdf
PDF Decryption Tool
-------------------

Decrypting: Password_Strength_Report_encrypted.pdf
Success!
Decrypted file saved to: decrypted.pdf

FLARE-VM Sun 05/04/2025  2:06:44.41