# HackTheBox-Cascade

## NMAP

```bash
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-26 11:29:46Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-12-26T11:30:38
|_  start_date: 2021-12-26T11:26:31
```

## PORT 139/445 (SMB)

We can try to see if there's null authentication on SMB, to find out whether we can list and access shares.

Trying `enum4linux-ng`, which attempts to list usernames over RPC (Remote Procedure Call) using null authentication.

This could also be done with `windapsearch`, which is written in Go.

We pretty much get the same results, so let's use `grep` and `awk` to filter out the usernames and save them in a file:

```bash
/opt/windap/windapsearch-linux-amd64 -d cascade.local -m users | grep sAMAccountName | awk -F': ' '{print $2}'
```

Using `kerbrute` to see which ones are valid usernames: out of 15 users, 11 are valid.
Kerbrute does check for pre-authentication being disabled, but just to be sure I used impacket's `GetNPUsers` script.

I then went on to use `ldapsearch` to see if I could get some information out of the users' properties, such as when the password was last set, or whether any plain text passwords can be found:

```bash
ldapsearch -x -LLL -h 10.10.10.182 -D 'cn=USER,ou=users,dc=cascade,dc=local' -b "dc=cascade,dc=local"
```

This shows us a ton of information, but we can save the results to a file and use `grep` to filter our search:

```bash
cat ldap_info | grep cascade
```

Grepping for `cascade`, I found a base64 encoded text in a `cascadeLegacyPwd` field under the `r.thompson` user.

Decoding the base64 text gives a clear text string; maybe this could be his password, so to verify it we can use kerbrute's `passwordspray`.

But we can only log in to SMB.

Having user credentials, we can try to list any accounts that are associated with an SPN, but there weren't any accounts like that.

In the SMB shares we do have some files that we can access.

I decided to come back to these shares and first enumerate the AD through the python BloodHound ingestor:

```bash
python3 /opt/Python-Bloodhound/bloodhound.py -d cascade.local -u 'r.thompson' -p 'rY4n5eva' -c all -ns 10.10.10.182
```

After getting those JSON files we need to import them into the BloodHound GUI.

But I didn't find anything that we can do with this user. All we could gather was that `r.thompson` is a member of the IT group.

So going back to the SMB shares, we see a folder named `IT` in the `Data` share. I downloaded every file I could find from this directory.

Looking at the HTML file, I didn't get anything juicy.

So this was what we could gather as r.thompson. Looking at the `VNC install.reg` file, there was a password in hex.

Looking at this article, it seems that we can get the plain text password: https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/

I found a one-liner that decrypts the VNC hex password to plain text:

```bash
echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
```

And with this we got smith's password.

Verifying with crackmapexec to see if we can get a shell through WinRM.

We can now use `evil-winrm` to get a shell as the `s.smith` user.

After getting a shell, one thing to note is that this user is in the `Audit Share` group, and back when we listed the shares there was a share named `Audit$` that we weren't able to access, but now we can.

Grabbing the `Audit.db` file, we need to open it with `DB Browser for SQLite`, which we can install on Ubuntu (it's available by default on Kali Linux).

Here we can see the table names and the fields; to view the data in these tables, switch to `Browse Data`.

`DeletedUserAudit` doesn't have anything here. Switching the table to `Ldap`, we see the same username that was in that HTML file and its password, which is encrypted.

From here we can't move forward using only Linux, as we need to analyze the DLL and the executable, which can only be done on Windows (regretting using dual boot).

So after switching to Windows and downloading `dnSpy` to analyze the executable and DLL files, I was able to retrieve two strings: one was an encrypted string and the other was the IV.

Opening the exe, we can navigate to the main module and see the secret key used to decrypt the base64 string we already got from the db file.

Furthermore, opening the DLL file, we can find the IV and see that it's using CBC mode encryption.

I visited this site https://www.devglan.com/online-tools/aes-encryption-decryption, as when trying CyberChef I didn't understand what format I needed to specify; I was having difficulty specifying the output to be in base64, whereas that site gave me the option clearly.

And now all that is left is to decode this text from base64.

Using kerbrute again to check which user this password belongs to (although it's very clear, but doing it anyway).

Logging in with this user, we can see that
we are in the `AD Recycle bin` group.

Now looking back at the meeting note, I understood what it meant: being in this group, we need to recover the deleted object, so when we get the password of `TempAdmin` we get the password for the `Administrator` account.

Searching for how this group can be abused, I found that we can read deleted AD objects using the Active Directory PowerShell module, so I downloaded the AD module from here: https://github.com/samratashok/ADModule

After listing the deleted objects, we can again see a `cascadelegacypwd` field, which holds a base64 encoded password.

Now the moment of truth: according to the meeting notes, we should be able to log in as the administrator account with this password.

Further, we can dump hashes using impacket's `secretsdump.py`.

## References

- https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/
- https://github.com/billchaison/VNCDecrypt
- https://linuxhint.com/install-sqlite-browser-ubuntu/
- https://github.com/dnSpy/dnSpy
- https://www.devglan.com/online-tools/aes-encryption-decryption
- https://github.com/samratashok/ADModule
- https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges
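The `cascadeLegacyPwd` finding above (a secret parked in a custom LDAP attribute, which also survived on the deleted `TempAdmin` object) is something a defender can sweep for in an LDAP export before it is found the hard way. The following is an added example and not part of the original writeup: it scans an `ldapsearch -LLL` LDIF dump for attributes whose values are base64 that decodes to printable text, and flags whether the owning object is deleted. The attribute list, DNs, zero GUID and password in the sample are constructed.

```python
import base64
import re

# Attribute names known to park credentials; cascadeLegacyPwd is the one seen in this box.
SUSPECT_ATTRS = {"cascadelegacypwd", "unixuserpassword", "userpassword", "info", "comment"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def b64_to_text(value):
    """Decoded text if value is base64 for printable ASCII (a parked secret), else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_ldif(ldif):
    """Findings as (dn, attr, decoded_text, known_password_field, object_is_deleted)."""
    findings, dn, attrs = [], None, []
    for line in ldif.splitlines() + [""]:   # ldif-wrap=no export assumed: one attribute per line
        if not line:                         # blank line ends an entry: evaluate it as a whole
            deleted = any(a.lower() == "isdeleted" and v.upper() == "TRUE" for a, v in attrs)
            for attr, value in attrs:
                text = b64_to_text(value)
                if text is not None:
                    findings.append((dn, attr, text, attr.lower() in SUSPECT_ATTRS, deleted))
            dn, attrs = None, []
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: b64' LDIF form = binary/non-ASCII: skip
            continue
        if attr == "dn":
            dn = value.strip()
        else:
            attrs.append((attr, value.strip()))
    return findings


# Constructed sample: one live user and one tombstoned object, both carrying the attribute.
SAMPLE_PW_B64 = base64.b64encode(b"Legacy-Pw1!").decode()
SAMPLE_LDIF = f"""dn: CN=r.thompson,OU=Users,DC=cascade,DC=local
sAMAccountName: r.thompson
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
cascadeLegacyPwd: {SAMPLE_PW_B64}

dn: CN=TempAdmin\\0ADEL:00000000-0000-0000-0000-000000000000,CN=Deleted Objects,DC=cascade,DC=local
isDeleted: TRUE
cascadeLegacyPwd: {SAMPLE_PW_B64}
"""
```

Run `scan_ldif(open("ldap_info").read())` against a real export produced with `ldapsearch -LLL -o ldif-wrap=no`; a hit on a deleted object is the Recycle Bin case from this box.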