Hack the Box: Cascade

Tellico Lungrevink
Sep 8, 2020

Cascade was a medium-difficulty machine on Hack the Box. Here’s my take on solving the machine.

TL;DR: There’s a public LDAP database endpoint available. One of the users has a custom field that reveals its password. Using this access it’s possible to reach an SMB share that contains a VNC registry entry with another user’s password, this time encrypted. There is a publicly accessible tool capable of decrypting the password. The newly acquired credentials give access to a WinRM shell and the user flag. On top of that, they give access to another SMB share, this time containing a SQLite database that holds another encrypted password. Its decryption algorithm and key can be revealed by reverse engineering a .NET application. The retrieved credentials give privileges to read recycled LDAP entries, among which there’s a TempAdmin user with another custom field containing a password. The password also fits the actual Administrator account, giving full control of the machine.

Recon

Nmap reveals an AD server:

# nmap cascade.htb -sS -sV
PORT      STATE SERVICE       VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-04-16 18:58:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC

The LDAP server allows null sessions. Querying it returns A LOT of data, but there’s a worthy needle in that haystack:

# ldapsearch -x -o ldif-wrap=no -h cascade -b "DC=cascade,DC=local"
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
-- snip --
cascadeLegacyPwd: clk0bjVldmE=

The password is base64 encoded:
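The same finding seen from the directory owner's side, as an added example that is not part of the original write-up: a short Python audit that parses an LDIF export, flags credential-like attribute names such as cascadeLegacyPwd, and shows what the stored value decodes to. The sample LDIF is constructed from the output above (the second entry, the pwdLastSet value, the name pattern and the list of standard attributes are assumptions), and the parser goes slightly beyond this case by also handling folded lines and attr:: values.

```python
import base64
import re

# Constructed sample shaped like the ldapsearch output above; second entry and pwdLastSet value are invented.
SAMPLE_LDIF = """\
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
pwdLastSet: 132000000000000000
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Example User,OU=Users,OU=UK,DC=cascade,DC=local
description:: SGVscGRl
 c2s=
"""

# Assumed heuristics: a name pattern for credential-like attributes, minus
# standard AD bookkeeping attributes that match it but hold no secret.
SUSPECT = re.compile(r"pwd|pass|secret|cred", re.IGNORECASE)
STANDARD = {"pwdlastset", "badpwdcount", "badpasswordtime"}

def parse_ldif(text):
    """Yield (dn, attribute, value), unfolding continuation lines and 'attr::' values."""
    dn = None
    for line in text.replace("\n ", "").splitlines():
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank lines, comments, '-- snip --' markers
        if rest.startswith(":"):  # 'attr:: <base64>' transport encoding
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            dn = value
        else:
            yield dn, attr, value

def try_b64(value):
    """Return the decoded text if value is valid base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # bad alphabet/padding, or non-ASCII bytes
        return None
    return text if text and text.isprintable() else None

def audit(text):
    """List credential-like attributes and what their stored values decode to."""
    return [{"dn": dn, "attribute": attr, "stored": value, "decoded": try_b64(value)}
            for dn, attr, value in parse_ldif(text)
            if SUSPECT.search(attr) and attr.lower() not in STANDARD]

if __name__ == "__main__":
    print(*audit(SAMPLE_LDIF), sep="\n")
```

Run against an export taken with an anonymous bind, any finding is a secret that every unauthenticated client on the network can read.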

User access

With those credentials it’s possible to access a couple of SMB shares:

The most useful share is data which can be downloaded the following way (at least the part r.thompson has access to):

S.smith’s registry entry file VNC Install.reg contains something that looks like password bytes:

# cat IT/Temp/s.smith/VNC\ Install.reg 
��Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
-- snip --
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
-- snip --

It turns out VNC encrypts passwords before storing them in the registry. Fortunately there are tools capable of restoring the original password. One of them is VncPwd. It’s a Windows app but it works just fine under Wine:

With s.smith’s credentials it’s possible to grab the user flag:

Root

S.smith also has access to a previously inaccessible SMB share, Audit$:

It contains a CascAudit executable and a SQLite database:

The DB contains credentials for yet another user, ArkSvc:

Reversing

The password is encrypted. It’s possible to reverse CascAudit.exe to learn the algorithm and key used to decipher the password.

CascAudit is a .NET application:

It means it can be easily reversed to source code. I decided to copy the CascAudit.exe and CascCrypto.dll to my Windows machine. There, I used ILSpy to decompile it and saved a Visual Studio solution using the File -> Save Code option.

CascCrypto.dll contains a DecryptString function:

So the password should be encrypted using an AES cipher.

In the MainModule there’s a piece of code that selects the password from the Ldap table and decrypts it. It also contains a hardcoded encryption key:

The Main function can be edited to display decrypted password:

Running the above program will reveal the password:

Administrator account

The ArkSvc user is a member of the AD Recycle Bin group:

# echo "clk0bjVldmE=" | base64 --decode
rY4n5eva

The “Meeting_Notes_June_2018.html” file downloaded from SMB earlier suggested that there might have been a TempAdmin user on the system, with the same password as the actual administrator:

We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password).

With that knowledge it’s possible to query LDAP for that user from the ArkSvc shell. The entry also contains a custom field with a base64-encoded password:

All that’s left to do is to decode the password and grab the flag:
