Cascade was a medium-rated Windows machine where a legacy password found in LDAP enabled access to SMB shares. Those shares held various files, one of which was a registry file containing a password for VNC; the password was decrypted and used to gain a shell. The same password also gave access to a share that held a database and a .exe file. The database contained an encrypted password, and some light reverse engineering of the .exe was enough to decrypt it. This allowed a pivot to another user account which was a member of the AD Recycle Bin group, letting us recover a temporary administrator's password from a deleted object. That password was the same as the 'normal' administrator's and was used to gain an admin shell. This one was a bit involved, so strap in and let's go!
Enumeration
nmap scan:
![](/content/images/2020/07/image-96.png)
We can tell that this is a domain controller. Note that the domain is shown as 'cascade.local', so I added that to my /etc/hosts file.
Next I dumped all of the LDAP info with a script I wrote. This one isn't on my GitHub yet as I want to test it against more HTB boxes first:
![](/content/images/2020/07/image-97.png)
Let's check the usernames:
![](/content/images/2020/07/image-98.png)
I tried a few things here like AS-REP roasting, which failed, so I started sifting through the volumes of LDAP data. There was so much data that it took 2-3 tries to find what I needed in the users-full.txt file:
![](/content/images/2020/07/image-99.png)
Base64 decoding the string:
![](/content/images/2020/07/image-100.png)
Let's throw that password at CrackMapExec just to confirm I have the username right:
![](/content/images/2020/07/image-101.png)
Ryan does not have permissions for WinRM, so let's check SMB:
![](/content/images/2020/07/image-102.png)
He does not have permission for the juicy 'Audit$' share, so let's check 'Data':
![](/content/images/2020/07/image-103.png)
There are files scattered throughout the directories so I downloaded them all:
![](/content/images/2020/07/image-104.png)
![](/content/images/2020/07/image-105.png)
![](/content/images/2020/07/image-106.png)
![](/content/images/2020/07/image-107.png)
Let's check the meeting notes first:
![](/content/images/2020/07/image-108.png)
Setting the temporary admin account password to the same as the normal admin account password? Genius!
![](/content/images/2020/07/image-131.png)
ArkAdRecyclebin.log:
![](/content/images/2020/07/image-109.png)
This tells us that the AD recycle bin program is being run as 'ArkSvc' and that two objects were deleted: 'Test' and 'TempAdmin'.
Finally, the VNC .reg file:
![](/content/images/2020/07/image-132.png)
Initial Foothold
See that strange-looking password? A quick search turned up this article. The author links to an online decrypter, but it either didn't load or skeeved me out, so I went to GitHub and found this tool instead. Running it yielded a password:
![](/content/images/2020/07/image-111.png)
Let's throw that at CME:
![](/content/images/2020/07/image-112.png)
I used the creds to score a shell as Steve:
![](/content/images/2020/07/image-113.png)
User flag:
![](/content/images/2020/07/image-114.png)
User Pivot
Steve has access to the 'Audit$' share:
![](/content/images/2020/07/image-115.png)
I downloaded everything in there and started going through them. I checked out the database file first:
![](/content/images/2020/07/image-116.png)
Sweet, creds for ArkSvc! Unfortunately they are encrypted, so I kept looking. I opened up CascAudit in ILSpy and found this:
![](/content/images/2020/07/image-133.png)
Okay, that's the key - wtf do I do with it?? I was stuck here for a while, until I opened up the CascCrypto.dll file in ILSpy and saw this:
![](/content/images/2020/07/image-118.png)
This was looking promising. Armed with the initialization vector, cipher mode, and key (all of them compiled into the DLL, so anyone with a copy of the binary has everything needed to decrypt), I headed over to CyberChef and plugged things in:
![](/content/images/2020/07/image-119.png)
The password worked and we now have a shell as ark-svc:
![](/content/images/2020/07/image-120.png)
Privilege Escalation
We can see that ark-svc belongs to the 'AD Recycle Bin' group:
![](/content/images/2020/07/image-121.png)
I never knew that AD had a recycle bin. It makes sense, but it had never occurred to me. Some Googling around turned up this helpful article. The first thing I did was import the AD module:
![](/content/images/2020/07/image-123.png)
The next step was to output a list of deleted objects:
![](/content/images/2020/07/image-124.png)
Now, to narrow the query down to just 'tempadmin' and show all of its properties:
![](/content/images/2020/07/image-125.png)
Base64 decode that sucker:
![](/content/images/2020/07/image-126.png)
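Both the legacy password in the LDAP dump (under Enumeration) and the value recovered from the deleted TempAdmin object here were the same kind of finding: base64-encoded text sitting in a directory attribute. As an added example, not the author's LDAP script and not anything from the box, the Python audit below walks an attribute dump, either an LDIF export or the text output of `Get-ADObject -Properties *` in PowerShell, and reports values that strictly base64-decode to printable text. It deliberately skips attributes such as SIDs that are legitimately base64 in LDIF but decode to binary. The sample dumps, the attribute name `exampleLegacyPwd`, the DN and the encoded value are all constructed placeholders.

```python
import base64
import binascii
import re
import string

# Constructed sample in the style of an LDIF export. The DN, the attribute
# name "exampleLegacyPwd", the SID bytes and the encoded value are all
# placeholders invented for this example; nothing here comes from the box.
SAMPLE_LDIF = """\
dn: CN=Example User,CN=Users,DC=example,DC=local
sAMAccountName: example.user
description: Account Created
objectSid:: AQUAAAAAAAUVAAAA
exampleLegacyPwd: U2VjcmV0ITE=

dn: CN=Other User,CN=Users,DC=example,DC=local
sAMAccountName: other.user
description: Test
"""

# Constructed sample in the shape of Format-List output, as PowerShell prints
# a deleted object returned with -IncludeDeletedObjects -Properties *.
SAMPLE_FORMAT_LIST = """\
Deleted          : True
exampleLegacyPwd : U2VjcmV0ITE=
Name             : TempAdmin
ObjectClass      : user
"""

# Matches "attr: value" (LDIF), "attr:: value" (LDIF-declared base64) and
# "attr : value" (PowerShell Format-List).
ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)\s*:(:?)\s*(\S.*?)\s*$")

# Printable ASCII minus vertical tab and form feed.
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def looks_like_text(raw: bytes, min_len: int = 6) -> bool:
    """True if the decoded bytes are plausibly a human-typed string."""
    if len(raw) < min_len:
        return False
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch in PRINTABLE for ch in text) and not text.isspace()


def try_base64(value: str):
    """Strictly decode a base64 value; None if it is not well-formed base64."""
    # Short or unpadded values are far more often ordinary words than base64.
    if len(value) < 8 or len(value) % 4 != 0:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_encoded_text(dump: str):
    """Report attribute values that base64-decode to printable text.

    Returns a list of dicts with the owning DN (None if the dump has no DN
    lines), the attribute name, whether LDIF declared it base64 ("::"), and
    the decoded text. This is a heuristic: a plain word that happens to be
    valid base64 is normally rejected by the printability check, not by
    knowing which attributes are sensitive.
    """
    findings = []
    current_dn = None
    for line in dump.splitlines():
        match = ATTR_RE.match(line)
        if not match:
            continue
        attr, declared_b64, value = match.groups()
        if attr.lower() in ("dn", "distinguishedname"):
            current_dn = value
            continue
        raw = try_base64(value)
        if raw is None or not looks_like_text(raw):
            continue
        findings.append({
            "dn": current_dn,
            "attribute": attr,
            "declared_base64": declared_b64 == ":",
            "decoded": raw.decode("ascii"),
        })
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_LDIF, SAMPLE_FORMAT_LIST):
        for hit in find_encoded_text(sample):
            print(f"{hit['dn']}\t{hit['attribute']}\t{hit['decoded']!r}")
```

Run over a full export (an LDIF dump or the saved output of a `Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties *` query), the same scan surfaces credential-like values in custom attributes and in recycled objects before anyone else finds them; recycled objects keep their attributes until the tombstone lifetime expires, so the recycle bin is part of the audit surface, not just the live directory.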
Bacteria noodles??? Ok, let's go with that and try psexec:
![](/content/images/2020/07/image-128.png)
Root flag:
![](/content/images/2020/07/image-129.png)