Cascade was a medium rated Windows machine where a legacy password found in LDAP enabled access to SMB shares. In those shares were various files, one of which was a registry file containing a password for VNC which was decrypted and used to gain a shell. This password also allowed access to a share which had a database and an .exe file. The database contained an encrypted password and some light reverse engineering was done on the .exe to decrypt it. This allowed a pivot to another user account which had access to the Active Directory recycle bin, allowing us to recover a temporary administrator's password. This password was the same as the 'normal' administrator's and was used to gain an admin shell. This one was a bit involved to strap in and let's go!
We can tell that this is a domain controller. Note that the domain is shown as 'cascade.local' so I added that to my /etc/hosts file.
Next I dumped all of the LDAP info with a script I wrote. This one isn't on my github yet as I want to test it against more HTB boxes first:
Let's check the usernames:
I tried a few things here like ASREP roasting which failed so I started sifting through the volumes of LDAP data. There was so much data that it took 2-3 tries to find what I needed in the users-full.txt file:
Base64 decoding the string:
Let's throw that password at CrackMapExec just to confirm I have the username right:
Ryan does not have permissions for Win-RM so let's check SMB:
He does not have permission for the juicy 'Audit$' share so let's check 'Data':
There are files scattered throughout the directories so I downloaded them all:
Let's check the meeting notes first:
Setting the temporary admin account password to the same as the normal admin account password? Genius!
This tells us that the AD recycle bin program is being run as 'ArkSvc' and two objects were deleted - 'Test' and 'TempAdmin'.
Finally, the VNC .reg file:
See that strange looking password? A quick search turned up this article. The author links to an online decrypter but it either didn't load or skeeved me out so I went to github and found this tool instead. Running it yielded a password:
Let's throw that at CME:
I used the creds to score a shell as Steve:
Steve has access to the 'Audit$' share:
I downloaded everything in there and started going through them. I checked out the database file first:
Sweet, creds for ArkSvc! Unfortunately they are encrypted so I kept looking. I opened up CascAudit in ILSpy and found this:
Okay, that's the key - wtf do I do with it?? I was stuck here for a while until I opened up the CascCrypto.dll file in ILSpy and saw this:
This was looking promising. Armed with the Initialization Vector, cipher mode and key, I headed over to CyberChef and plugged things in:
The password worked and we now have a shell as ark-svc:
We can see that ark-svc belongs to the 'AD Recycle Bin' group:
I never knew that AD had a recycle bin. It makes sense but never occurred to me. Some googling around and I found this helpful article. The first thing I did was import the AD module:
The next step took was to output a list of deleted objects:
Now, to narrow down the query to just 'tempadmin' and show all properties:
Base64 decode that sucker:
Bacteria noodles??? Ok, let's go with that and try psexec: