HackTheBox-Cascade

Hello everyone , in this post I will be sharing my writeup for HTB-Cascade machine , which was a medium level Active Directory machine and I personally enjoyed this as I learned something new in AD so starting with the machine , enumerating rpc through null authentication we get some usernames and along with that using ldapsearch we can get a base64 encoded password for user r.thompson which we can decode it to get clear text and access smb shares through which can find a registry file for VNC which shows the hex password for the user s.smith which I recovered it using a one liner found from github , moving further we can access Audit share which will show that there is an exe and dll file whichc we have to analyze using dnspy on windows only to get the IV key and secret key to decrypt the base64 password we can find from audit db file , on recovering the password we can login as arksvc which is in AD Recycle Bin group that can list deleted AD objects and we can recover the password of TempAdmin which will lead us to Administrator account as the password was the same

NMAP

PORT      STATE SERVICE       VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-26 11:29:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-12-26T11:30:38
|_ start_date: 2021-12-26T11:26:31

PORT 139/445 (SMB)

We can try to see if there’s null authentication on smb to see if we can list and access shares

Trying enum4linux-ng that would try to list usernames from RPC (Remote Procedure Call) using null authentication

This could also be doing from windapsearch which is written in golang

So we pretty much get the same results , let’s use grep and awk to filter out usernames and save them in a file

/opt/windap/windapsearch-linux-amd64 -d cascade.local -m users | grep sAMAccountName | awk -F:' ' {'print $2'}

Using kerbrute to see which ones are valid usernames and out of 15 users we get 11 users that are valid

Kerbrute does check for Pre-authenitcation disabled but just to be sure I used impacket’s GetNPUsers script

Foothold

So I went on using ldapsearch to see if I can get some information out of user's properties like the last password being set or can be find the plain text passwords

ldapsearch -x -LLL -h 10.10.10.182 -D 'cn=USER,ou=users,dc=cascade,dc=local' -b "dc=cascade,dc=local"

This shows us a ton of information but we can see the results in a file and use grep to filter our search

cat ldap_info | grep cascade

I then just grep for cascade and found a base64 encoded text in a cascadeLegacyPwd field under r.thompson user

On decoding the base64 text we can get a clear text , maybe this could be his password , so to verify it we can use kerbrute’s passwordspray

But we can only login to smb

Having user credentials we can try to list any accounts that are associated with a SPN in but there weren’t any accounts like that

In the smb share we do we have some files that we can access

I decided to come back at these shares and first enumerate the AD through python bloodhound-injestor

python3 /opt/Python-Bloodhound/bloodhound.py -d cascade.local -u 'r.thompson' -p 'rY4n5eva' -c all -ns 10.10.10.182

After getting those json file we need to import them to bloodhound GUI

But I didn’t find anything that we can do with this user

All we can gather was that r.thompson is a member of IT group

So going back to smb shares we see a folder named IT in Data share

I downloaded every file I could find from this directory

Looking at the html file and I didn’t get anything juicy

Privilege Escalation (s.smith)

So this was what we could gather as r.thompson, looking at VNC install.reg file there was a password in hex

Looking at this article it seems that we can get the plain text password

https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/

I found a one liner for this to decrypt the vnc hex password to get plain text

echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

And with this we got smith’s password

Verifying with crackmapexec to see if we can get a shell through winrm

We can now use evil-winrm to get a shell as s.smith user

Privilege Escalation (arksvc)

After getting a shell one thing note is that this user is in Audit Share group and back when we listed the shares there was a share named Audit$ but we weren't able to access it but now we can

Grabbing the Audit.db file we need to open this with DB Browser For SQLite which we can install it on ubuntu (it's available by default on kali linux)

Here we can see the table names and the fields , to view the data in these table switch to Browse Data

DeletedUserAudit doesn't have anything here, switch the table to Ldap we see the same username that was in that html file and it's password which is encrypted

From here we can’t move forward only through using linux as we need to analyze the dll and the executable which can only be done through windows only (regretting for using dual boot )

So after switching to windows and downloading dnspy to analyze executable and dll files I was able to retrieve two strings , one was an encrypted string and the other was the IV key

Opening the exe , we can navigate to main module and see the secret key to decrypt the base64 string we already got from the db file

Further more , opening the dll file , we can find IV key and see that it’s using CBC mode encryption

I visited this site https://www.devglan.com/online-tools/aes-encryption-decryption as when trying on cyberchef, I didn’t understand what format I needed to specify as I was having difficulty in specifying the output to be in base64 so that site gave me the option clearly

And now all that is left is to decode this text from base64

Using kerbrute again to check which user does this password belong to (although it’s very clear but doing it anyways )

Logging with this user , we can see that we are in AD Recycle bin group

Privilege Escalation (Administrator)

Now looking back at the meeting note , I understood what it meant , being in this group we need to recover the deleted object so when we get the password of TempAdmin we get the password for the Administrator account

Searching for abusing this group , I found that we can read about deleted AD objects using AD management powershell module , so downloading the AD module from here

https://github.com/samratashok/ADModule

After listing deleted objects we can see again cascadelegacypwd field which will show base64 encoded password

Now the moment of truth, according to meeting notes we should be able to login as administrator account with this password

Further we can dump hashes using impacket’s secretsdump.py

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store