Hack the Box: Cascade

Recon

# nmap cascade.htb -sS -sV
PORT      STATE SERVICE       VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-04-16 18:58:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
# ldapsearch -x -o ldif-wrap=no -h cascade -b "DC=cascade,DC=local"
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
-- snip --
cascadeLegacyPwd: clk0bjVldmE=
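
From the defender's side, the same LDIF dump can be audited for custom attributes that hold reversibly encoded secrets like the one above. This is an added example, not part of the original write-up; the function names, the name heuristic and the sample entries are assumptions made for illustration.

```python
import base64
import binascii
import re

# Constructed sample shaped like the unwrapped ldapsearch (LDIF) output above.
SAMPLE_LDIF = """\
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
cn: Ryan Thompson
badPwdCount: 0
pwdLastSet: 132247339125713230
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Example User,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
description: Helpdesk contact
"""

# Heuristic (assumption): attribute names hinting at a stored secret.
SECRET_NAME = re.compile(r"pwd|pass|secret|cred", re.IGNORECASE)
# Standard AD attributes that match the pattern but hold counters, timestamps or policy.
BENIGN = {"pwdlastset", "badpwdcount", "badpasswordtime", "pwdproperties",
          "pwdhistorylength", "minpwdlength", "minpwdage", "maxpwdage"}


def decodes_to_text(value):
    """True if value is strict base64 whose decoded bytes are printable ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(raw) and all(0x20 <= b < 0x7F for b in raw)


def audit_ldif(ldif_text):
    """Return (dn, attribute, reason) tuples; decoded values are never reported."""
    findings, dn = [], None
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank line, comment, or not an attribute line
        if value.startswith(":"):  # "attr:: v" is LDIF transfer encoding, undo it
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif SECRET_NAME.search(name) and name.lower() not in BENIGN:
            reason = "reversible encoding" if decodes_to_text(value) else "review"
            findings.append((dn, name, reason))
    return findings
```

Running `audit_ldif` over a dump taken with the same unauthenticated bind shows which secret-like attributes are readable without credentials.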

User access

# cat IT/Temp/s.smith/VNC\ Install.reg 
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
-- snip --
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
-- snip --

Root

Reversing

Administrator account

# echo "clk0bjVldmE=" | base64 --decode
rY4n5eva
We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password).

Tellico Lungrevink
