CASCADE - Kaosam: My Profile
The open ports are the usual ones on Windows machines (Kerberos, LDAP, SMB, ...).
Initially, I tried a zone-transfer request (dig AXFR), but having found nothing I started with the
most common tools for Windows enumeration.
So I tried ldapsearch:
Once the naming context was obtained, I continued with the tool, saving the output to a file.
Since there is a lot of information, I manually searched for keywords within the file and found
the cascadeLegacyPwd field with a simple grep:
After transferring the files I had found to my machine with smbclient's get command, we open the first one, which is a
log file of the TightVNC program. Inside there is the password of the user s.smith:
Since the password is stored in VNC's own encoded form, to get it in the clear I used the following program found online:
Before testing the password with Evil-WinRM, let's open the other file, an HTML page, and get information
that will surely be useful for the next steps:
We know that in the past a TempAdmin user was temporarily created, having the same login credentials as
the System Administrator. So, we will have to find a way to recover the TempAdmin password.
The message immediately made me think of another file that I had found with smbclient, but that I had not
initially considered important. It was the following:
If we open it, we can see that it concerns the ArkSvc user, who deleted the "files" belonging to the
user TempAdmin:
For now, however, we log in as s.smith and get a shell by connecting through Evil-WinRM (there is
also the user flag):
With whoami /all, we see that we have access to a new share:
Let's go back to smbclient and explore its content:
It is an exe file and, judging by the other folders, it does "something" by connecting to a SQLite database.
Transferring the entire content to my local Windows machine, on which I installed IDA, I tried to run the
program, in order to understand how it works.
Inside the DB folder, there is the database to which it connects. I uploaded it on this site:
https://sqliteonline.com/
With a SELECT on the Ldap table, we find the ArkSvc password, which is encrypted:
Using IDA, I disassembled the program to extract information about the type of encryption
used:
We see that there is a call to CascCrypto, which is the DLL file in the folder we downloaded, and in
addition we found a decryption key.
We also see that this is symmetric AES encryption, and we obtain a second value: the IV, the initialization
vector.
https://www.devglan.com/online-tools/aes-encryption-decryption
We also got the password for this other user. Let's enter Evil-WinRM:
With whoami /all, we see that the user is the owner of the AD Recycle Bin:
https://blog.stealthbits.com/active-directory-object-recovery-recycle-bin/
On the website mentioned above I also found the following command, which lists the
deleted objects:
Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
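The lesson of this step, from a defender's side, is that secrets stored in custom LDAP attributes (here cascadeLegacyPwd) survive in deleted objects and can be read by anyone delegated on the Recycle Bin. The following audit script is an added example, not part of this writeup; it assumes the RSAT ActiveDirectory module and an account allowed to read the Deleted Objects container, and the attribute names and patterns it flags are my own choices.

```powershell
# Added audit example (not from the writeup): list user objects, live and deleted,
# that carry credential-looking attribute names or values, so they can be purged.
# Assumes the RSAT ActiveDirectory module and read rights on Deleted Objects.
Import-Module ActiveDirectory

# Attribute names and a value pattern worth flagging; extend for your own schema.
$SuspectNames   = @('cascadeLegacyPwd', 'description', 'info', 'comment', 'userPassword')
$SuspectPattern = 'pwd|pass|secret|cred'

function Find-SuspectAttributeValues {
    # -IncludeDeletedObjects returns tombstoned/recycled users alongside live ones,
    # which is exactly where the TempAdmin password in this box was still readable.
    $objects = Get-ADObject -Filter 'objectClass -eq "user"' -IncludeDeletedObjects -Properties *

    foreach ($obj in $objects) {
        foreach ($name in $obj.PropertyNames) {
            # Only inspect string-valued attributes; binary ones (SIDs, GUIDs) are skipped.
            $values = @($obj.$name) | Where-Object { $_ -is [string] }
            foreach ($v in $values) {
                $nameHit  = ($SuspectNames -contains $name) -or ($name -match $SuspectPattern)
                $valueHit = $v -match $SuspectPattern
                if ($nameHit -or $valueHit) {
                    [pscustomobject]@{
                        Object    = $obj.DistinguishedName
                        Deleted   = [bool]$obj.Deleted
                        Attribute = $name
                        Value     = $v
                    }
                }
            }
        }
    }
}

Find-SuspectAttributeValues | Sort-Object Deleted, Object | Format-Table -AutoSize
```

A hit on a deleted object means the value is still recoverable through the Recycle Bin until the tombstone lifetime expires or the object is purged with Remove-ADObject.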
Now, remembering the information found earlier (s.smith's email), we know that this password is the
same as the Administrator's!
Rooted!