“Your most unhappy customers are your greatest source of learning.” - Bill Gates
- Machine Matrix
- Machine Summary
- Nmap Scan
- Enumeration on port 139 and 445
- Enumerating Using LDAP Queries
- Enumerating Shares with r.thompson credentials
- Acquiring User Shell - s.smith
- Privilege Escalation
- Disassembling CascAudit.exe and CascCrypto.dll
- Acquiring Administrator Access
Box is a windows machine that has Active Directory services running. Starting with, for a user account enocded password is stored in one of the account’s attributes which is retrived using ldap search. Upon enumerating the shares with the obtained credentials, VNC.reg file is witnessed from which we can crack the password for the user s.smith. Now for privilege escalation, again enumerating on shares with s.smith credentials gives us access to Audit.db that has custom encrypted password. We use the DnSpy to witness the encryption mechanisim. After decryption, we have credentials for account ArkSvc ( Service Account). We then use this account to recover a deleted account TempAdmin. Administrator’s password is same as TempAdmin.
I started the enumeration with nmap scan
nmap -sC -sV 10.10.10.182
The Box has 13 ports open
Enumeration on port 139 and 445
I used smbclient to check whether anonymous login is allowed in the machine but it was unsuccessfull. I ran enum4linux to enumerate more
CascGuest arksvc s.smith r.thompson util j.wakefield s.hickson j.goodhand a.turnbull e.crowe b.hanson d.burman BackupSvc j.allen i.croft
I checked whether any of these users have kerberos pre-authentication disabled, that would lead us to inital foothold but that didn’t workout.
Enumerating Using LDAP Queries
I started to enumerate the Active Directory using LDAP Queries
ldapsearch -x -b "dc=cascade,dc=local" -H ldap://10.10.10.182
This gave a huge amount of result so i copied this result to a text file inorder to manually enumerate on it. This gave me a lead, I got a base64 encoded password in the object cascadeLegacyPwd of ryan thompson user (r.thompson)
Encoded password: clk0bjVldmE= Decoded password: rY4n5eva
I tried to login on winrm using evilwinrm for obtained credentials but didn’t work.
Enumerating Shares with r.thompson credentials
Now i tried to enumerate on the shares with the obtained credentials of r.thompson. Thompson had access to certain shared folders.
smbclient //10.10.10.182/ -U r.thompson
I enumerated on each folders, upon enumeration i got VNC Install.reg file from \IT\Temp\s.smith\ Directory.
Acquiring User Shell - s.smith
I downloaded the file and started looking in to it. As it is an registry file, it had object which has the password in encoded form.
I thought it was in hex format but it wasn’t. Upon researching a bit, i got a tool for drypting the encoded password in VNC registry file. [vncpwd]https://aluigi.altervista.org/pwdrec/vncpwd.zip). I used this tool to decrypt the password
username: s.smith password: sT333ve2
I used to evil-winrm to get the shell
evil-winrm -u s.smith -p sT333ve2 -i 10.10.10.182
Again i went to enumerate on shares with s.smith credentials,
smbclient //10.10.10.182/Audit$ -U s.smith
There is a file called Audit.db, that may be our way for privilege escalation. I simply checked the contents on the file using strings command
I found an hash which must be the password. I tried to decrypt the hash using john and hashcat but that didn’t work. I concluded that it must be a custom encrypted password.
Disassembling CascAudit.exe and CascCrypto.dll
On shares enumerating, we found an exec and a dll file CascAudit.exe and CascCrypto.dll. These files are used for encryption, hence these must be disassembled to find the encryption technique and decrypting it.
I imported CascAudit.exe and CascCrypto.dll on DnSpy. I noticed that the encryption technique used is AES 128 bit with CBC mode. I got the Secret Key (c4scadek3y654321) and IV Optional Key (1tdyjCbY1Ix49842)
I used the online AES decrypter to decrypt the password through providing the keys and the encrypted password.
username: arksvc password: w3lc0meFr31nd
Upon enumeration of shares using the s.smith credentials, i got an log file (ArkAdRecycleBin.log) and a html file (Meeting_Notes_June_2018.html)
I downloaded these files and started to enumerate on it.
Acquiring Administrator Access
According to the log file TempAdmin User was deleted by ArkSvc user. Reading the Meeting_Notes_June_2018.html describes that the password for TempAdmin and Administrator are same.
So now if we are able to recover the TempAdmin password from the user who deleted TempAdmin (ArkSvc), we can have the administrator shell. I researched google on how to recover deleted accounts. I found a blog on how to recover the deleted accounts using powershell
Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
I ran this command in the shell of ArkSvc user
As expected we have an password encoded in base64 on the parameter cascadeLegacyPwd. I decoded it.
username: TempAdmin, Administrator password: baCT3r1aN00dles
I got the administrator shell using evil-winrm with these credentials
Happy Hacking !