HTB | Cascade
Last updated
This box is on the Hack The Box Active Directory 101 track. Find the box here.
Skills Learned
TightVNC Password Extraction
Active Directory Enumeration
Reverse Engineering - dnSpy
AD Recycle Bin
IP: 10.10.10.182
smbmap and smbclient are not working.
Let's try rpcclient:
I will copy the users
Let's see groups
To enumerate LDAP, first I’ll get the naming context:
I will dump all the info in a file:
Now I will look for valuable information. While looking through the file, I found a password for Ryan:
Since it is base64, I can decode it:
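The search for credentials in the LDAP dump above comes down to one check: find credential-looking attributes whose base64 value decodes to readable text (the same test that, later on this box, separates a legacy password from an encrypted blob that will not decode to ASCII). The following is an added example, not code from the writeup; the LDIF excerpt is constructed with this box's naming, the two sample values are built in the script, and only the TempAdmin value is one this writeup quotes.

```python
import base64
import string

# Constructed LDIF excerpt modelled on this box's attributes. The first two
# cascadeLegacyPwd values are built here; the third is the one quoted on this page.
SAMPLE_TEXT_PWD = base64.b64encode(b"Ex4mple-Secret").decode()      # readable text
SAMPLE_BLOB = base64.b64encode(bytes(range(128, 144))).decode()      # looks encrypted
SAMPLE_LDIF = f"""\
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: r.thompson
cascadeLegacyPwd: {SAMPLE_TEXT_PWD}

dn: CN=ArkSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: arksvc
cascadeLegacyPwd: {SAMPLE_BLOB}

dn: CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: TempAdmin
cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz
"""

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
HINTS = ("pwd", "pass", "secret", "key")   # attribute-name fragments worth a look


def decode_if_text(value: str):
    """Return the decoded string when value is base64 that yields printable
    ASCII; None for non-base64 input or for bytes that look encrypted."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def find_encoded_secrets(ldif: str):
    """Walk an LDIF dump record by record and return (dn, attribute, plaintext)
    for credential-like attributes whose value decodes to readable text."""
    hits, dn = [], None
    for line in ldif.splitlines():
        if line.startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif ":" in line and not line.startswith(" "):
            attr, value = line.split(":", 1)
            value = value.lstrip(":").strip()   # "attr:: v" is LDIF's base64 form
            if any(h in attr.lower() for h in HINTS):
                decoded = decode_if_text(value)
                if decoded is not None:
                    hits.append((dn, attr, decoded))
    return hits
```

Run `find_encoded_secrets` over a real `ldapsearch` dump to audit a domain for custom attributes that still carry plaintext credentials.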
Let's check the cred for winrm and smb
SMB is possible but WinRM is not.
Since we have read-only access on some shares, let's take a look:
There are many files in each of the shares I have access to. I use the following commands to just pull all the files in each share (Data for example):
There are 5 folders.
We found some files in the IT folder.
On opening the Meeting Notes we found:
According to the mail, we have to keep an eye out for the admin account password and TempAdmin.
Let's cat VNC Install.reg:
The line "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f jumped out as interesting.
This GitHub repo shows how to decrypt the VNC password using msfconsole:
There was another way shown in the repo
Now that we have the password, let's try it with SMB and WinRM.
WinRM worked.
I’ll use Evil-WinRM to get a shell:
and we are in. I found user.txt.
s.smith is a member of the Audit Share group:
Since it is not a standard Microsoft group, let's check it:
s.smith is the only user in the group, but the comment has a useful hint to look at this share. There’s a c:\shares, but I don’t have permission to list the directories in it:
However, I can cd into Shares\Audit based on the name from the comment:
Since I have access to the Audit share:
I will copy all the files to my local system
We found an Audit.db file.
Let's dump the tables using sqlite3:
Nothing jumped out as particularly interesting. I thought the Ldap table could have had a password in it, but the base64-encoded data didn’t decode to ASCII. Perhaps it’s encrypted somehow.
RunAudit.bat shows that CascAudit.exe is run with the DB file as an argument:
It's a .NET binary.
Download dnSpy and load the exe in it.
It opens an SQLite connection to the database passed as an arg, reading from the LDAP table, and decrypting the password.
I decided to recover the plaintext password by debugging. I put a breakpoint on line 53 where the SQL connection is closed. Then I went Debug -> Start Debugging,
and set the Argument to where I had a copy of Audit.db:
Note: copy all the files, including the SQLite DLLs, to Windows before starting the debugger.
On hitting OK, it runs to the breakpoint, and I can see the decrypted password in the Locals window:
Based on the line in the SQLite DB, this password, w3lc0meFr31nd, likely pairs with the account arksvc.
Let's try this password for WinRM. crackmapexec shows that not only does the password work:
Had I not known the account associated with this password, I could have used crackmapexec with a list of users (the list we got from rpcclient):
and we are in.
From whoami /groups we can see arksvc is part of AD Recycle Bin:
AD Recycle Bin is a well-known Windows group. Active Directory Object Recovery (or Recycle Bin) is a feature added in Server 2008 to allow administrators to recover deleted items just like the recycle bin does for files. The linked article gives a PowerShell command to query all of the deleted objects within a domain:
The last one is really interesting, because it’s the temporary administrator account mentioned in the old email I found earlier (which also said it was using the same password as the normal admin account).
I can get all the details for that account:
Immediately cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz jumps out. It decodes to baCT3r1aN00dles:
Using this password for the administrator account, we are in,
and we have root.txt.