Hackthebox - Retired - Cascade
Recon
As usual I start with a simple UP/Down scan on all TCP ports.
$ nmap -T4 -p- -oX ./nmapb.xml cascade.htb
Hmmm… don't know if this is because it's a new box or intentional, but my normal nmap scan gets nada. I took its advice and added the -Pn switch.
$ nmap -T4 -p- -Pn -oX ./nmapb.xml 10.10.10.182
Then converted that to HTML
A bunch of open ports
DNS, LDAP, NetBIOS, WinRM
Let's repeat the scan with the -A switch to try all the things :) on the ports we found
nmap -T4 -p53,88,135,139,389,445,646,3268,3269,5985,49154,49155,49157,49158,49173 -A -Pn -oX ./nmapf.xml cascade.htb
Then I'll convert that to HTML too
Ok so let's see what we can find poking around the services we see
Let's start with smb
It let me log in anonymously, but no shares for me..
But as for RPC..
We got some data
We got back a list of domain users
CascGuest
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft
I'm going to go through each of these users with queryuser to see if there is anything interesting.
The first named user has a .vbs set as a logon script.
That might be useful later.
j.wakefield has a different .vbs
Ok let's automate this a bit and run enum4linux
Here is the password policy
Got some group memberships
For domain users
Group IT
HR
Remote Management
Audit share
Denied RODC Password Replication Group
GP creator owners
Data Share
Since we have a list of user names, I tried to AS-REP roast to see if we could get a hash for any user that was set to not require pre-authentication….
NOPE
We will have to find another way to get a foothold
So I decided to dump all the ldap out and grep around to see if I can find anything
$ ldapsearch -x -b "dc=cascade,dc=local" "*" -h 10.10.10.182 >> /home/circusmonkey/Desktop/HTB/cascade/ldap.txt
Now I just grepped through my txt file looking for anything interesting.
I tried grepping for "Pass"
Nothing. Tried "pas", same results.
Then I tried "=" to look for base64… There was a lot.
Didn't find anything interesting there either.
Then I tried the box name "cascade"
And I saw this
Looks like ryan's AD object has a field called cascadeLegacyPwd
clk0bjVldmE=
I went back to my ldap dump to look at all the settings I was able to get from ryan
So there is a double equal sign there, so it's probably base64, right?
Let's check
echo "" && echo "clk0bjVldmE=" | base64 -d && echo ""
I know this probably isn't the most efficient way to add spacing here.
rY4n5eva
I wonder if we can get some SMB info now
smbclient -L \\\\cascade.local -U cascade\\r.thompson
Let's go over to exploitation now
Exploit
Let's start poking around in the SMB and see if we can find anything interesting
I started in the IT folder because…. Well, because that might be where we can find the best things.
Under the s.smith folder, under tmp, I found a registry (.reg) file used to configure the registry.
I used get to download it to my computer
Found this
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
Interesting
I found this blog with an exe that says it can decrypt this password.
https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/
I fired up my Windows VM and tried it
sT333ve2
Maybe that is the password for
I think there was a Steve user; let's check in the ldap dump we did earlier.
And guess what?
That's his AD password too, so that is two accounts we have creds for
And Steve…. Steve has access to a shared drive named audit.
Let's connect up to it and see what we see there
$ smbclient \\\\cascade.local\\audit$ -U cascade\\s.smith
A folder called DB? What is in there?
We'll use get to download that DB and see if there is anything else in there.
Well this table is interesting
ArkSvc
BQO5l5Kj9MdErXx6Q6AGOw==
Guess what else we can connect to with Steve's creds?
WinRM
$ evil-winrm -i 10.10.10.182 -u cascade\\s.smith -p sT333ve2
Under Desktop we get the user flag
I found this email somewhere
So they had a TempAdmin user they were using during a project.
I also found this log which shows them moving the account to the AD Recycle Bin
Let's check out that Audit Exe file we found earlier.
I downloaded the whole Audit folder to a Windows box and loaded the exe up in the JetBrains decompiler to decompile the program.
Pretty quickly I found this decryption function.
Looks like maybe the passwords are stored with AES-128 encryption. Here is the IV and the key size, 128.. That is most of the info we might need to decode that arksvc password we found. Now we need the secret key.
And there is the key
I used this to decrypt the arksvc password we found
https://www.devglan.com/online-tools/aes-encryption-decryption
We got some more base64 out… let's decode it now
w3lc0meFr31nd
Let's see if it lets us connect up to winRM with these new creds..
Still can't get into the admin Desktop folder for root.txt
Remember this part of the email we found earlier?
I wonder if this is the normal admin account password?
Nope…. But can we restore that TempAdmin account we saw earlier, the one referenced in the email?
If, as arksvc, we look at the AD Recycle Bin
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
We can see the TempAdmin account here in deleted objects
I tried to restore it but no luck
But if we look at the properties for the user
Get-ADObject -Filter {DisplayName -like 'Tempadmin'} -IncludeDeletedObjects -properties *
We see this
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
We found one of those legacy passwords earlier and it was just base64.
baCT3r1aN00dles
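Both cascadeLegacyPwd values on this box (ryan's from the ldapsearch dump, TempAdmin's from the Recycle Bin) were plain base64. As an added example that is not part of the original writeup, this Python script does the "grep for =" step systematically from the defender's side: it parses an ldapsearch/LDIF dump and flags attributes whose value decodes to readable text, or whose name looks password-like, so an AD admin can audit for secrets stashed in custom attributes. The DNs in SAMPLE are constructed; the two encoded values are the ones shown on this page.

```python
import base64
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample in ldapsearch/LDIF form: the DNs are made up; the two
# cascadeLegacyPwd values are the ones the writeup found.
SAMPLE = """\
dn: CN=Ryan Thompson,CN=Users,DC=cascade,DC=local
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=TempAdmin,CN=Users,DC=cascade,DC=local
sAMAccountName: TempAdmin
cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz
"""

def parse_ldif(text):
    """Yield (dn, attribute, value) triples from an ldapsearch/LDIF dump."""
    dn = None
    # ldapsearch folds long values onto lines starting with one space: unfold first
    for line in re.sub(r"\n ", "", text).splitlines():
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        value = value.lstrip(":").strip()  # 'attr:: v' marks v as base64 already
        if attr.lower() == "dn":
            dn = value
        else:
            yield dn, attr, value

def decode_if_text(value):
    """Return the decoded string when value is base64 of >= 6 printable ASCII chars."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if len(decoded) >= 6 and decoded.isprintable() else None

def find_encoded_secrets(text):
    """Flag attributes named like a password or holding base64 of readable text."""
    hits = []
    for dn, attr, value in parse_ldif(text):
        decoded = decode_if_text(value)
        if decoded is not None or re.search(r"pwd|pass", attr, re.I):
            hits.append((dn, attr, decoded))
    return hits
```

Run it over a real dump with find_encoded_secrets(open("ldap.txt").read()); short values that happen to be valid base64 can still slip through, so treat hits as leads to review rather than confirmed secrets.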
Let's try to connect up now and see if we can get the flag...
Couldn't get in using WinRM…
What about SMB?
And the flag?
Got that flag yo