HackTheBox Writeup — Cascade

Hello guys, I am Faisal Husaini. My username on HTB is “ferllen”. Also join me on Discord.

The IP of this box is 10.10.10.182

Port Scan

We get a lot of open ports, and from the ports we can see it is an Active Directory environment.

Enum4Linux

Here we have the users, and the groups are listed below.

We put the users in a separate text file.

Now we move on to some LDAP queries.

LDAP

ldapsearch -x -b "dc=cascade,dc=local" -H ldap://10.10.10.182

We get a lot of results from the query; looking through it carefully, or grepping for potential passwords or more usernames,

we see an attribute called cascadeLegacyPwd that holds a base64-encoded string. Decoding it,

we see it decodes to rY4n5eva.
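The cascadeLegacyPwd finding above is exactly what a directory audit should catch before an attacker does: a credential stored in a plain attribute is readable by anyone who can query the directory. The Python below is an added example, not part of this writeup: it parses ldapsearch LDIF output (handling `::` base64 values and folded continuation lines), decodes the values and flags attributes whose names suggest a stored credential, while skipping real AD attributes such as pwdLastSet that merely contain "pwd". The sample LDIF is constructed; only the attribute name, the domain base and the decoded value come from the page, and the DNs are made up.

```python
import base64
import re
# One unfolded LDIF line: "attr: value" or "attr:: base64value".
LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
# Attribute-name fragments that suggest a stored credential (matched case-insensitively).
SUSPICIOUS_NAME_PARTS = ("pwd", "pass", "secret", "cred")
# Real AD attributes that contain such a fragment but hold no secret.
KNOWN_BENIGN = {"pwdlastset", "badpwdcount", "badpasswordtime"}
# Constructed sample modelled on the writeup's ldapsearch output; the DNs are made up.
SAMPLE_LDIF = """\
dn: CN=r.thompson,CN=Users,DC=cascade,DC=local
sAMAccountName: r.thompson
pwdLastSet: 0
cascadeLegacyPwd:: clk0bjVldmE=

dn: CN=s.smith,CN=Users,DC=cascade,DC=local
sAMAccountName: s.smith
badPwdCount: 0
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, decoding '::' base64 values."""
    # Unfold continuation lines: a leading space joins a line to the previous one.
    text = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            match = LDIF_LINE.match(line)
            if not match:  # skips '#' comments and anything unparseable
                continue
            attr, sep, value = match.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", errors="replace")
            entry.setdefault(attr, []).append(value)
        if entry:
            entries.append(entry)
    return entries

def find_credential_attributes(entries):
    """Return (dn, attribute, decoded value) triples for credential-looking attributes."""
    hits = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr, values in entry.items():
            name = attr.lower()
            if name in KNOWN_BENIGN or not any(p in name for p in SUSPICIOUS_NAME_PARTS):
                continue
            hits.extend((dn, attr, v) for v in values)
    return hits
```

Feed it a saved `ldapsearch` export to review which attributes in your own directory expose credential material to ordinary LDAP readers.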

Since we saw in the Nmap scan that WS-Management (WinRM) is open,

we can try Evil-WinRM to log in with the usernames we have.

SMB

crackmapexec smb 10.10.10.182 -u users -p 'rY4n5eva'

We see that the user r.thompson gets a hit, so we move on to listing the SMB shares available to r.thompson.

We get a lot of shares; the one that is useful here is Data.

We log into the SMB share Data and try to retrieve all the files we can.

Only the IT directory is accessible to us for now, so we fetch every file from every folder inside it.

Here are the 4 files we got. Looking at the Meeting Notes HTML file,

we see that it says a user TempAdmin was created whose password is the same as the administrator account password.

Checking the contents of the VNC Install.reg file, we see that it contains a password in hex; we can decrypt it using a tool/method I found on Google.

We decrypt the password for user s.smith, which we can confirm using crackmapexec too.

Since we get a hit on WinRM for that user, we use Evil-WinRM to log in.

We log in successfully and move on to getting the user flag.

Privilege Escalation

We did not have access to the Audit$ share as user r.thompson, but as user s.smith we do.

Inside the share, we see some binaries, DLLs and a DB file, so we copy them all to our local machine.

Checking the batch file, we see it runs the CascAudit.exe binary with the DB file, so we inspect the DB file using sqlite3.

Going through its contents, we see that it holds a username ArkSvc and a password in base64.

When we decode the base64 string, we see that it is still encrypted in some form.

Reversing the CascAudit.exe binary and the CascCrypto DLL,

we see that it uses a key for decryption. Looking further into the reversed DLL,

we see that the function EncryptString takes a string and the key we saw above, and from the code we can see it is using AES encryption, so we can simply use CyberChef to do the decryption.

We get the decrypted password for user ArkSvc.

Checking the group memberships of the current user,

we see that it is a member of the AD Recycle Bin group, which gives access to the deleted objects of the AD; those objects can also be restored if the Recycle Bin feature is enabled.

With the command below we can list the deleted objects in the AD Recycle Bin:

Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects

We see the user TempAdmin, which the earlier note said has the same password as the administrator account, so we can try to get its password by listing its properties:

Get-ADObject -Filter {displayName -eq "TempAdmin"} -IncludeDeletedObjects -Property *

We get the password as a base64 string and decode it.

Logging into the administrator account using the creds,

we get Administrator access to the domain and can now get the root flag.
