Cascade — HackTheBox

Summary

Cascade is a medium-rated Windows box created by VbScrub. It focuses mainly on password decryption and enumeration of the LDAP and SMB services. Initial foothold is gained by acquiring a base64-encoded password with the tool ‘ldapsearch’ and using it to find more information on the accessible SMB shares. User access is gained by decrypting a password in a VNC Install.reg file, which is then used to access additional shares and obtain a password string that was encrypted with a key. Administrative privilege is acquired by restoring the Active Directory object of a TempAdmin user that was deleted and has the same password as the normal Administrator user.

Reconnaissance

The Nmap scan shows only the SMB, LDAP, and RPC services open.

Attempting to access SMB shares anonymously does not work, so I ran enum4linux.

Plenty of domain users were discovered during the enum4linux scan, along with the domain name ‘CASCADE’.

Initial Foothold

After trying to get some password hashes with impacket’s GetNPUsers and automating smb_login in Metasploit with common passwords, I failed to progress any further. I tried using ldapsearch to enumerate more, and after a few attempts at perfecting the syntax, I was presented with an overwhelming output.

I redirected the output to a file called ldapsearch.txt and grepped for some keywords, in order to avoid reading through too much redundant information and see if I could find anything useful before deciding to read the whole output.

Luckily, I found something odd that gave me some progress. Piping the output to ‘grep Pwd’ displays a line with a password encoded in base64.

I added the ‘-A 5’ and ‘-B 40’ arguments to grep in order to view the 40 lines before the word ‘cascadeLegacy’ and the 5 lines after it.

Decoding the string gives us a likely password ‘rY4n5eva’ assigned to the user ‘r.thompson’.
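As an added illustration of the exposure behind this step (not part of the original writeup), the script below parses an ldapsearch-style LDIF dump and flags attributes whose names hint at a secret and whose values decode to readable text, the audit check a directory owner would run to catch reversibly stored passwords such as cascadeLegacyPwd. The LDIF sample is constructed, and the attribute-name patterns beyond ‘pwd’ are assumptions.

```python
import base64
import re

# Constructed LDIF excerpt modelled on the ldapsearch output described in the
# writeup; the base64 value decodes to the legacy password the post found.
SAMPLE_LDIF = """\
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=
"""

# attribute, ':' or '::' (LDIF base64 marker), value
LINE_RE = re.compile(r"^([A-Za-z][\w-]*)(::?)\s*(.*)$")
# 'pwd' covers cascadeLegacyPwd; the other patterns are assumptions to extend.
SECRET_NAME_RE = re.compile(r"pwd|passw|secret|cred", re.IGNORECASE)


def parse_ldif(text):
    """Minimal LDIF parser: one {attribute: [values]} dict per entry (no line folding)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for m in filter(None, map(LINE_RE.match, block.splitlines())):
            entry.setdefault(m.group(1), []).append(m.group(3))
        entries.append(entry)
    return entries


def decodes_to_text(value):
    """Decoded string if value is valid base64 of printable ASCII, else None."""
    try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:
        return None
    return text if text and text.isprintable() else None


def find_reversible_secrets(ldif_text):
    """(account, attribute, decoded) for secret-named attributes storing base64 of readable text."""
    findings = []
    for entry in parse_ldif(ldif_text):
        account = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
        for attr, values in entry.items():
            if SECRET_NAME_RE.search(attr):
                for value in values:
                    decoded = decodes_to_text(value)
                    if decoded is not None:
                        findings.append((account, attr, decoded))
    return findings
```

Run against a full export, any hit means a credential is recoverable by every account with read access to that attribute, which in Active Directory is typically all authenticated users.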

Attempting to log in using evil-winrm does not work, so I tried the credentials on SMBClient. Among the shares, only IT and Temps are accessible to r.thompson.

In the IT directory, I was able to find VNC Install.reg in s.smith’s directory, as well as an email archive and some files from the Logs/Ark AD Recycle Bin directory.

The ArkAdRecycleBin.log file contains a history of deleted objects from the Active Directory and the version of the Recycle Bin Manager being used. The domain user who performed the operations is ArkSvc.

The Meeting_Notes_June_2018.html file contains an email from Steve Smith (which aligns with the domain user ‘s.smith’) with information about a TempAdmin user that will be used to perform tasks related to the network migration and will be deleted at the end of 2018. The last entry of the Recycle Bin log we found records the deletion of that account.

Gaining User Access

The VNC Install.reg file, which was found in s.smith’s directory in the Data share, contains a password stored as hex.

Decoding it on CyberChef does not really give a plaintext output.

I googled the line where the password lies and found some links about decrypting registry-stored passwords. After a few more searches about VNC password decryption, I found this GitHub repo that explains how to decrypt the password from the registry using Metasploit. The decrypted password is ‘sT333ve2’.

Using it on SMBClient allows me to access the Audit$ share that I was not allowed to access as r.thompson. The share contains an executable file, some DLLs and a DB directory.

I downloaded the Audit.db file to see if it has additional useful information.

Viewing the file using ‘cat’ is not that pretty, so I loaded it in sqlite3.

There are 3 tables in the database file, but only Ldap and DeletedUserAudit have contents.

The Ldap table has an entry with a uname of ‘ArkSvc’ and a pwd of ‘BQO5l5Kj9MdErXx6Q6AGOw==’. The other table has information about the deleted accounts, TempAdmin among them, but does not contain any passwords or hashes.

Decoding the pwd string of ArkSvc does not result in a plaintext password.

From here I attempted to log in using evil-winrm.rb with the credentials that I currently have. I successfully logged in using s.smith’s credentials and grabbed the user.txt flag.

Decrypting ArkSvc’s Password

I tried decoding ArkSvc’s password from the Audit.db file using other bases but failed. I copied the string, looked it up on Google and found a script on dotnetfiddle which was uploaded anonymously.

It contains the exact same base64-looking string and a key ‘c4scadek3y654321’, so I’m guessing that this was uploaded by the creator of the box, since only he could have known the key to decrypt the string. The output of the script is the decrypted password, which is ‘w3lc0meFr31nd’.

I logged in using evil-winrm.rb with ArkSvc’s credentials, but there was nothing in his home directory that helps me move forward. I ran winpeas.exe and found an interesting file, but it doesn’t contain anything useful.

Suddenly I remembered the log file, which states that ArkSvc was in charge of deleting the temporary accounts. I googled ‘ARK AD RECYCLE BIN MANAGER v1.2.2’ and found some instructions on how to restore Active Directory objects.

Gaining Administrative Access

The image below shows TempAdmin as one of the deleted AD objects. The command to view deleted objects is in the caption.

The image below shows how to restore a deleted AD object, but the response says I don’t have sufficient access rights to perform the operation.

I googled more about restoring AD Objects and came across this blog that gave me the answer to my problem.

The image below shows a familiar output from earlier: a line with ‘cascadeLegacyPwd’ and a base64 string. The command executed to acquire this output is in the caption, which I found on this blog post.

Decoding the string gives us a likely password for TempAdmin, which is ‘baCT3r1aN00dles’.

It was mentioned in the email discovered earlier that the password of TempAdmin is the same as the password of the normal Administrator account. Therefore, the only thing left to do is to log in to the machine using the credentials ‘Administrator : baCT3r1aN00dles’ and finish off by grabbing the root.txt flag.

Thank you for reading! Feel free to drop any comments and feedback on alternate methods I could have used to approach the box. Have a nice day!

InfoSec n00b who aims to get better everyday.