CASCADE | Kaosam

My profile -> https://www.hackthebox.eu/home/users/profile/149676

Port scanning results:

The open ports are the ones most commonly found on Windows machines (Kerberos, LDAP, SMB, ...).

Initially I tried a DNS zone-transfer request (dig AXFR), but since that returned nothing I moved on to the
best-known Windows enumeration tools.

With enum4linux I got the list of users:

enum4linux -U 10.10.10.182

With the user list saved to a text file, I used crackmapexec to test common passwords such as admin,
password ..., but none of them were valid.

So I tried ldapsearch:

Once I had the naming context, I continued with the tool and saved its output to a file.

Since the output is large, I searched it for interesting keywords by hand and, with a simple grep, found
the cascadeLegacyPwd field:

This is a base64-encoded password:

echo "clk0bjVldmE=" | base64 -d
rY4n5eva

So we have obtained a password. Opening the ldapsearch output in a text editor (such as Sublime Text) and
searching for that field shows that it belongs to the user r.thompson:

The credentials do not work with Evil-WinRM, but they do give us access to SMB shares:

We enter the Data share with:

smbclient //10.10.10.182/Data -U r.thompson

And we find some interesting files:

After downloading the files with smbclient's get command, we open the first one, a log file of the TightVNC
program. It contains the password of the user s.smith:
Since VNC stores its passwords in its own encoded form, I used the following program, found online, to
recover the clear-text value:

VNC Password Decoder (vncpwd) tool by Luigi Auriemma

Before testing the password with Evil-WinRM, let's open the other file, an HTML page, which contains
information that will be useful for the next steps:

We learn that a TempAdmin user was created temporarily in the past, with the same login credentials as the
Administrator account. So we will have to find a way to recover the TempAdmin password.

The message immediately reminded me of another file that I had found with smbclient but had not initially
considered important. It was this one:

Opening it, we see that it concerns the ArkSvc user, who deleted the "files" belonging to the user
TempAdmin:

So we will have to become ArkSvc to read their contents.

For now, however, we log in as s.smith and get a shell through Evil-WinRM (the user flag is there too):

With whoami /all, we see that this user can access a new share:

Let's go back to smbclient and explore its contents:

It is an exe file and, judging by the other folders, it does "something" by connecting to a SQLite database.

I transferred the whole directory to my local Windows machine, where I had installed IDA, and ran the
program to understand how it works.

Inside the DB folder is the database it connects to. I uploaded it to this site:

https://sqliteonline.com/

A SELECT on the Ldap table shows the ArkSvc password, which is encrypted:

Using IDA, I disassembled the program to find out which type of encryption it uses:

We see a call into CascCrypto, the DLL file in the folder we downloaded, and we also find a decryption
key.

Let's load the DLL file into IDA:

We see that it uses symmetric AES encryption, and we also find a second value: the IV, the initialization
vector.

There are all the elements to decrypt the ArkSvc password.

To do this, I used this online tool:

https://www.devglan.com/online-tools/aes-encryption-decryption
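
Added example (not code from the writeup or from the CascCrypto DLL): the decryption step above written in Go, assuming AES-CBC with PKCS#7 padding and a base64-encoded ciphertext; the key, IV, function names and sample ciphertext are constructed placeholders, not the real values. It shows why a key and IV shipped inside a client DLL give no real protection: anyone who can copy the binary from the share can decrypt every value stored this way, so such secrets belong in DPAPI or a proper secret store rather than in application code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed demo values (the real CascCrypto key and IV are not reproduced here).
// The lesson: they sit in a DLL that every reader of the share can copy, so they protect nothing.
var (
	DemoKey = []byte("constructed-key!") // 16 bytes -> AES-128
	DemoIV  = []byte("constructed-iv!!") // 16 bytes, one AES block
)

// DecryptStoredPassword reverses the scheme described above: base64 -> AES-CBC -> PKCS#7 unpad.
func DecryptStoredPassword(b64 string, key, iv []byte) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// Strip PKCS#7 padding, rejecting malformed padding instead of returning garbage.
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding (wrong key/IV or corrupted data)")
	}
	return string(pt[:len(pt)-n]), nil
}

// EncryptForDemo builds a sample ciphertext the same way, so the block runs offline on constructed input.
func EncryptForDemo(plain string, key, iv []byte) string {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	buf := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf)
	return base64.StdEncoding.EncodeToString(buf)
}

func main() { fmt.Println(DecryptStoredPassword(EncryptForDemo("constructed-secret", DemoKey, DemoIV), DemoKey, DemoIV)) }
```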

This gives us the password of this other user as well. Let's log in with Evil-WinRM:

With whoami /all, we see that this user is a member of the AD Recycle Bin group:

At the following site, I found details about the group:

https://blog.stealthbits.com/active-directory-object-recovery-recycle-bin/

On the same site I also found the following command, which lists the deleted objects:

Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *

Running it, we find the password of TempAdmin, in base64:

Now, remembering the information found earlier (s.smith's email), we know that this password is the same
as the Administrator's!

Rooted!

Contact me on Twitter: https://twitter.com/samuelpiatanesi

You can find other writeups on my Github repo: https://github.com/Kaosam/HTBWriteups
