HackTheBox Writeup: Cascade

Cascade was a medium rated Windows machine where a legacy password found in LDAP enabled access to SMB shares. In those shares were various files, one of which was a registry file containing a password for VNC which was decrypted and used to gain a shell. This password also allowed access to a share which had a database and an .exe file. The database contained an encrypted password and some light reverse engineering was done on the .exe to decrypt it. This allowed a pivot to another user account which had access to the Active Directory recycle bin, allowing us to recover a temporary administrator's password. This password was the same as the 'normal' administrator's and was used to gain an admin shell. This one was a bit involved to strap in and let's go!

Enumeration

nmap scan:

We can tell that this is a domain controller. Note that the domain is shown as 'cascade.local' so I added that to my /etc/hosts file.

Next I dumped all of the LDAP info with a script I wrote. This one isn't on my github yet as I want to test it against more HTB boxes first:

Let's check the usernames:

I tried a few things here like ASREP roasting which failed so I started sifting through the volumes of LDAP data. There was so much data that it took 2-3 tries to find what I needed in the users-full.txt file:

Base64 decoding the string:

Let's throw that password at CrackMapExec just to confirm I have the username right:

Ryan does not have permissions for Win-RM so let's check SMB:

He does not have permission for the juicy 'Audit$' share so let's check 'Data':

There are files scattered throughout the directories so I downloaded them all:

Let's check the meeting notes first:

Setting the temporary admin account password to the same as the normal admin account password? Genius!

ArkAdRecyclebin.log:

This tells us that the AD recycle bin program is being run as 'ArkSvc' and two objects were deleted - 'Test' and 'TempAdmin'.

Finally, the VNC .reg file:

Initial Foothold

See that strange looking password? A quick search turned up this article. The author links to an online decrypter but it either didn't load or skeeved me out so I went to github and found this tool instead. Running it yielded a password:

Let's throw that at CME:

I used the creds to score a shell as Steve:

User flag:

User Pivot

Steve has access to the 'Audit$' share:

I downloaded everything in there and started going through them. I checked out the database file first:

Sweet, creds for ArkSvc! Unfortunately they are encrypted so I kept looking. I opened up CascAudit in ILSpy and found this:

Okay, that's the key - wtf do I do with it?? I was stuck here for a while until I opened up the CascCrypto.dll file in ILSpy and saw this:

This was looking promising. Armed with the Initialization Vector, cipher mode and key, I headed over to CyberChef and plugged things in:

The password worked and we now have a shell as ark-svc:

Privilege Escalation

We can see that ark-svc belongs to the 'AD Recycle Bin' group:

I never knew that AD had a recycle bin. It makes sense but never occurred to me. Some googling around and I found this helpful article. The first thing I did was import the AD module:

The next step took was to output a list of deleted objects:

Now, to narrow down the query to just 'tempadmin' and show all properties:

Base64 decode that sucker:

Bacteria noodles??? Ok, let's go with that and try psexec:

Root flag: