Last updated
Cascade is a medium difficulty Windows machine configured as a Domain Controller. LDAP anonymous binds are enabled, and enumeration yields the password for user r.thompson, which gives access to a TightVNC registry backup. The backup is decrypted to gain the password for s.smith. This user has access to a .NET executable, which after decompilation and source code analysis reveals the password for the ArkSvc account. This account belongs to the AD Recycle Bin group, and is able to view deleted Active Directory objects. One of the deleted user accounts is found to contain a hardcoded password, which can be reused to login as the primary domain administrator.
Scope
IP Address: 10.10.10.182
Nmap Scan
DNS Enumeration
A zone transfer (AXFR) is not permitted, so DNS gives us nothing beyond the domain name.
RPC Enumeration
Unauthenticated RPC calls returned the domain's usernames.
Filter the usernames out of the RPC output and save them to a list for the next steps.
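As an added example (not code from the original writeup), the script below turns rpcclient-style user enumeration output into a clean wordlist, dropping well-known built-in accounts by RID so they are not sent to Kerbrute or sprayed later. The sample output is constructed to match rpcclient's `user:[name] rid:[0xNNN]` line format; the RIDs are illustrative and not taken from the target.

```python
"""Build a username wordlist from rpcclient 'enumdomusers' output.

Added example, not from the original writeup. SAMPLE_ENUMDOMUSERS is a
constructed sample in rpcclient's output format; the RIDs are illustrative.
"""
import re

# Constructed sample of what `rpcclient -U '' -N <dc> -c enumdomusers` prints.
SAMPLE_ENUMDOMUSERS = """\
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[r.thompson] rid:[0x455]
user:[s.smith] rid:[0x453]
user:[arksvc] rid:[0x452]
"""

# rpcclient prints one line per account: user:[<sAMAccountName>] rid:[0x<hex>]
USER_LINE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Well-known RIDs that are never useful in a spray/roast list:
# 500 = built-in Administrator, 501 = Guest, 502 = krbtgt.
WELL_KNOWN_RIDS = {500, 501, 502}


def parse_enumdomusers(text):
    """Return [(name, rid_as_int)] for every line matching rpcclient's format.

    Lines that do not match (prompts, status messages) are ignored.
    """
    users = []
    for line in text.splitlines():
        m = USER_LINE.search(line)
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def build_wordlist(text, skip_rids=WELL_KNOWN_RIDS, skip_names=()):
    """Return a de-duplicated, case-insensitively sorted list of usernames,
    excluding well-known RIDs and any explicitly skipped names."""
    skip_lower = {n.lower() for n in skip_names}
    names = {
        name
        for name, rid in parse_enumdomusers(text)
        if rid not in skip_rids and name.lower() not in skip_lower
    }
    return sorted(names, key=str.lower)


def write_wordlist(names, path):
    """Write one username per line, the format kerbrute/crackmapexec expect."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    # Feed the result to e.g. `kerbrute userenum -d <domain> --dc <dc> users.txt`
    for name in build_wordlist(SAMPLE_ENUMDOMUSERS):
        print(name)
```

Guest and krbtgt are dropped by RID rather than by name because both can be renamed; RID 500/501/502 are fixed.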
SMB Enumeration
Anonymous SMB access returned no shares or data.
Kerberos Enumeration
To check that the users I found are valid on the domain, I verified them with Kerbrute.
11/15 usernames are valid. Let's attempt an ASREP-Roasting attack against these users.
ASREP-Roasting only returns a hash for accounts with Kerberos pre-authentication disabled, and I got no hash from this attack, so let's switch to the LDAP protocol.
LDAP Enumeration
I will use ldapsearch with the following flags:
-x: simple authentication (here an anonymous bind)
-b: base DN, the point in the directory tree where the search starts
-s sub: subtree scope, i.e. search everything below the base DN
'*': return all user attributes
The output was too big, so I searched the Users section for anything that might be helpful. There were a lot of user details, but the user below has an extra attribute that nobody else has: cascadeLegacyPwd.
The value is base64-encoded, so let's decode it in the terminal.
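Rather than scrolling through the full dump, the attribute can be pulled out programmatically. The script below is an added example, not code from the original writeup: it parses ldapsearch's LDIF output (handling the `attr:: base64` convention and folded continuation lines), finds every entry carrying a given non-standard attribute such as cascadeLegacyPwd, and tries to base64-decode the value. The same decode applies later to the deleted TempAdmin object's cascadeLegacyPwd. The LDIF sample is constructed: the DNs, domain components and encoded values are placeholders, not the real values from the target.

```python
"""Find a custom attribute in ldapsearch (LDIF) output and decode its value.

Added example, not from the original writeup. SAMPLE_LDIF is constructed:
DNs, domain components and the encoded values are placeholders.
"""
import base64
import binascii

# Constructed sample of `ldapsearch -x -b <base> -s sub '*'` output.
# ldapsearch folds long lines at 76 chars with a leading space, writes
# non-safe values as "attr:: <base64>", and emits "# ..." comment lines.
SAMPLE_LDIF = """\
# extended LDIF
#
dn: CN=r.thompson,OU=Users,OU=UK,DC=example,DC=local
objectClass: user
sAMAccountName: r.thompson
memberOf: CN=IT,OU=Groups,OU=UK,DC=example,DC=loc
 al
cascadeLegacyPwd: cGxhY2Vob2xkZXItcGFzc3dvcmQ=

dn: CN=s.smith,OU=Users,OU=UK,DC=example,DC=local
objectClass: user
sAMAccountName: s.smith
description:: U2VjdXJpdHkgdGVhbQ==

"""


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of entries, each a dict {attr: [values]}.

    "attr:: value" (RFC 2849 base64) is decoded transparently; "attr: value"
    is kept as-is, since ldapsearch uses ':' for values that are plain ASCII
    even when the application stored base64 text in them.
    """
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def try_b64(value):
    """Return the decoded text if `value` is strict base64 that decodes to
    printable UTF-8, otherwise None (so ordinary strings are not mangled)."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def find_legacy_passwords(ldif_text, attr="cascadeLegacyPwd"):
    """Return [(account, raw_value, decoded_or_None)] for every entry with `attr`."""
    hits = []
    for entry in parse_ldif(ldif_text):
        who = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
        for value in entry.get(attr, []):
            hits.append((who, value, try_b64(value)))
    return hits


if __name__ == "__main__":
    for who, raw, decoded in find_legacy_passwords(SAMPLE_LDIF):
        print(f"{who}: {raw} -> {decoded!r}")
```

The decoded value is a candidate password only; it still has to be validated against the domain (the writeup does that next with crackmapexec).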
It might be the password for that user, so let's validate it with crackmapexec.
I also wanted to see whether we could access the machine over WinRM with these credentials, but that failed.
I will continue enumerating the domain with the credentials I found.
Bloodhound-python
Fire up bloodhound.py with the credentials and prepare the zip file for the BloodHound GUI.
Upload the data to BloodHound.
SMB Credentialed Enumeration
List the shares we have access to; in the next command I crawl them with the spider_plus module.
These files caught my attention, so I downloaded them to my Kali machine for examination.
There is a user TempAdmin, and we need to find his password.
This is the encrypted password for the VNC server. TightVNC stores it in the registry DES-encrypted with a fixed, publicly known key, so it is reversible rather than hashed and we can decrypt it.
Confirm access
Access the machine and get the flag
User Flag: 4701aeb4858f9ab9d7cxxxxxxxxxxxx
After solving the machine, I learned from the community that the following attack path was unintended, so I have added the intended path to this section as well.
The machine was released in 2020, and a CVE published that same year grants Domain Admin rights from
Dump the NTDS database.
Access the machine as administrator with psexec.py.
Root Flag: 89f1c7a9f45ddf6f59cxxxxxxxxxxxxxx
Intended Path
After exploring the shares with crackmapexec as user s.smith, I found that he has read access to the audit$ share.
Let's download CascAudit.exe and examine it in dnSpy.exe.
The program first checks the arguments it was given; RunAudit.bat shows the expected command line and argument.
Reading the code, it builds a connection string from a username, a domain name, and a password that is not visible as plaintext in the source, so I put a breakpoint on text2 and let the debugger reveal the password at runtime.
Provide the path of Audit.db as the argument so the program runs properly up to the breakpoint.
We got the username, domain name, and password.
Confirm Access
From BloodHound, the user arksvc is a member of the AD Recycle Bin group, which can read deleted Active Directory objects.
From HackTricks:
We saw TempAdmin before, and this record is important: cascadeLegacyPwd: YmFDVDNyMWFOxxxxxxx
Decode the value we found.
Combining the pieces, the decoded password is the password of the administrator account.
Get the flag
Root Flag: 89f1c7a9f45ddf6f59cxxxxxxxxxxxxxx