diff --git a/HackTheBox/Cascade.md b/HackTheBox/Cascade.md new file mode 100644 index 0000000..89fa3f5 --- /dev/null +++ b/HackTheBox/Cascade.md 
@@ -0,0 +1,259 @@ +# HackTheBox-Cascade + +## NMAP + +```bash + +PORT STATE SERVICE VERSION +53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) +| dns-nsid: +|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39) +88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-26 11:29:46Z) +135/tcp open msrpc Microsoft Windows RPC +139/tcp open netbios-ssn Microsoft Windows netbios-ssn +389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) +445/tcp open microsoft-ds? +636/tcp open tcpwrapped +3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) +3269/tcp open tcpwrapped +5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) +|_http-server-header: Microsoft-HTTPAPI/2.0 +|_http-title: Not Found +49154/tcp open msrpc Microsoft Windows RPC +49155/tcp open msrpc Microsoft Windows RPC +49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 +49158/tcp open msrpc Microsoft Windows RPC +49170/tcp open msrpc Microsoft Windows RPC +Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows +Host script results: +| smb2-security-mode: +| 2.02: +|_ Message signing enabled and required +| smb2-time: +| date: 2021-12-26T11:30:38 +|_ start_date: 2021-12-26T11:26:31 + +``` + + +## PORT 139/445 (SMB) + +We can try to see if there's null authentication on smb to see if we can list and access shares + + + +Trying `enum4linux-ng` that would try to list usernames from RPC (Remote Procedure Call) using null authentication + + + + + +This could also be doing from `windapsearch` which is written in golang + + + +So we pretty much get the same results , let's use grep and awk to filter out usernames and save them in a file + + +```bash +/opt/windap/windapsearch-linux-amd64 -d cascade.local -m users | grep sAMAccountName | awk -F:' ' {'print $2'} +``` + + + + +Using 
`kerbrute` to see which ones are valid usernames and out of 15 users we get 11 users that are valid + + + +Kerbrute does check for Pre-authenitcation disabled but just to be sure I used impacket's GetNPUsers script + + + +So I went on using `ldapsearch` to see if I can get some information out of users's properites like the last password being set or can be find the plain text passwords + +```bash +ldapsearch -x -LLL -h 10.10.10.182 -D 'cn=USER,ou=users,dc=cascade,dc=local' -b "dc=cascade,dc=local" +``` + +This shows us a ton of information but we can see the results in a file and use `grep` to filter our search + + + + + +```bash +cat ldap_info | grep cascade +``` + +I then just grep for `cascade` and found a base64 encoded text in a `cascadeLegacyPwd` field under `r.thompson` user + + + +On decoding the base64 text we can get a clear text , maybe this could be his password , so to verify it we can use kerbrute's `passwordspray` + + + + + +But we can only login to smb + + + +Having user credentials we can try to list any accounts that are associated with a SPN in but there weren't any accounts like that + + + +In the smb share we do we have some files that we can access + + + +I decided to come back at these shares and first enumrate the AD through python bloodhound-injestor + +```bash +python3 /opt/Python-Bloodhound/bloodhound.py -d cascade.local -u 'r.thompson' -p 'rY4n5eva' -c all -ns 10.10.10.182 +``` + + + +After getting those json file we need to import them to bloodhound GUI + + + + + +But I didn't find anything that we can do with this user + + + +All we can gather was that `r.thompson` is a memeber of IT group + + + +So going back to smb shares we see a folder named `IT` in `Data` share + + + + + +I downloaded every file I could find from this directory + + + +Looking at the html file and I didn't get anything juicy + + + +So this was what we could gather as r.thompson, looking at `VNC install.reg` file there was a password in hex + + + +Looking at this 
article it seems that we can get the plain text password + +https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/ + +I found a one liner for this to decrypt the vnc hex password to get plain text + +```bash +echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv + ``` + + + +And with this we got smith's passsword + + + +Verifiying with crackmapexec to see if we can get a shelll through winrm + + + +We can now use `evil-winrm` to get a shell as `s.smith` user + + + +After gettting a shell one thing note is that this user is in `Audit Share` group and back when we listed the shares there was a share named `Audit$` but we weren't able to access it but now we can + + + +Grabbing the `Audit.db` file we need to open this with `DB Browser For SQLite` which we can install it on ubuntu (it's available by default on kali linux) + + + +Here we can see the table names and the fields , to view the data in these table switch to `Browse Data` + + + +`DeletedUserAudit` doesn't have anything here, switch the table to `Ldap` we see the same username that was in that html file and it's password which is encrpyted + + + + + +From here we can't move forward only through using linux as we need to analyze the dll and the executable which can only be done through windows only (regretting for using dual boot ) + +So after switching to windows and downloading `dnspy` to analyze executables and dll files I was able to retrieve two strings , one was an ecrypted string and the other was the IV key + + +Opening the exe , we can navgiate to main module and see the secret key to decrypt the base64 string we already got from the db file + + + + + +Further more , opening the dll file , we can find IV key and see that it's using CBC mode encryption + + + +I visited this site https://www.devglan.com/online-tools/aes-encryption-decryption as when trying on cyberchef I didn't understand what format I 
needed to specify as I was having difficulty in specifying the ouput to be in base64 so that site gave me the option clearly + + + + + +And now all that is left is to decode this text from base64 + + + +Using kerbrute again to check which user does this password belong to (although it's very clear but doing it anyways ) + + + +Logging with this user , we can see that we are in `AD Recycle bin` group + + + +Now looking back at the meeting note , I understood what it meant , being in this group we need to recover the deleted object so when we get the password of `TempAdmin` we get the password for the `Administrator` account + + + +Searching for abusing this group , I found that we can read about deleted AD objects using AD management powershell module , so downloading the AD module from here + +https://github.com/samratashok/ADModule + + + +After listing deleted objects we can see again `cascadelegacypwd` field which will show base64 encoded password + + + + + +Now the moment of truth, according to meeting notes we should be able to login as administrator account with this password + + + +Further we can dump hashes using impacket's `secretsdump.py` + + + + +## References + +- https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/ +- https://github.com/billchaison/VNCDecrypt +- https://linuxhint.com/install-sqlite-browser-ubuntu/ +- https://github.com/dnSpy/dnSpy +- https://www.devglan.com/online-tools/aes-encryption-decryption +- https://github.com/samratashok/ADModule +- https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges
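Review bot: the awk in the windapsearch pipeline (`awk -F:' ' {'print $2'}`) only works because the shell happens to glue the unquoted and quoted fragments into `-F': '` and `{print $2}`; quote it conventionally as `awk -F': ' '{print $2}'` so a reader can copy it without puzzling over the shell parsing. In the `ldapsearch` command a bind DN is passed with `-D 'cn=USER,ou=users,dc=cascade,dc=local'` but no `-w`/`-W`, so the query does not actually run as that user; since the text says it returned "a ton of information", either drop `-D` and present it as the anonymous query it is, or add the credential. The long runs of empty `+` lines after sentences such as "Here we can see the table names and the fields" and "After listing deleted objects we can see again `cascadelegacypwd` field" read like screenshots that were not added to the commit; either add the image files with their `![...]()` references or describe the observed output inline so the walkthrough stands on its own. A spell-check pass would also help (authenitcation, enumrate, injestor, memeber, properites, passsword, shelll, Verifiying, gettting, encrpyted, navgiate, ecrypted, ouput).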