Cascade HacktheBox Walkthrough

Today, we’re going to solve another Hack the Box challenge called “Cascade”. The machine is part of the retired lab, so you can connect to it using your HTB VPN and then start to solve the CTF. This laboratory is of medium level. Solving this lab is not that tough if you have proper basic knowledge of penetration testing. The credit for making this lab goes to VBScrub. Let’s start and learn how to breach it.

Level: Medium

Task: find user.txt and root.txt file on the victim’s machine.

Penetration Testing Methodology

Reconnaissance

§  Nmap

Enumeration

§  enum4linux for User Enumeration

§  Lightweight Directory Access Protocol (LDAP)

§  SMB Share

§  VNC Registry Password Decryption using vncpasswd.py

Exploitation

§  WinRM Low Privilege Shell

§  Enumerating for user flag

§  SMB Share Enumeration

§  Disassembling .exe and .dll files using dnSpy

§  Decrypting AES encrypted hash

Privilege Escalation

§  Abusing Active Directory Recycle Bin

§  Snagging root.txt

 

Walkthrough

Reconnaissance

Since these labs are online, they have a static IP. The IP of Cascade is 10.129.26.146, so let’s start with nmap port enumeration.

From the image below, we can observe that ports 53, 88, 135, 139, 389, 445, 636, 3268, 49154, 49155, 49157 and 49158 are open. This means that services like DNS (domain), Kerberos (kerberos-sec), LDAP, SMB and multiple RPC endpoints are running on the victim’s network.

nmap -A 10.129.26.146



Enumeration

We saw that port 445 (SMB) is open, which means there may be a shared directory, so to further enumerate this as well as the other ports we took the help of the enum4linux tool. From the result, we got some user details.

enum4linux 10.129.26.146



 

Here is the list of users we enumerated with the help of enum4linux.

 


Next we used ldapsearch to perform LDAP queries and saved the output in the result.txt file.

 

ldapsearch -x -b "dc=cascade,dc=local" -H ldap://10.129.26.146

 



 

The result of the above query gave us a user named Ryan Thompson, and in his LDAP record we also found a base64-encoded string, “clk0bjVldmE=”.

 



Now our next task is to decode the string we found in the ldapsearch output, which gives us the password “rY4n5eva”.

echo "clk0bjVldmE=" | base64 -d
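As an added example (not part of the original walkthrough), here is a small Python audit that scans an ldapsearch (LDIF) dump for password-like attributes whose value is base64 that decodes to readable text, which is exactly the weakness the step above turns into a password. The LDIF record below is constructed, and the attribute name legacyPwd is a stand-in, since the post does not name the attribute it found the string in.

```python
import base64
import re

# Constructed ldapsearch-style record; "legacyPwd" is a stand-in attribute name.
SAMPLE_LDIF = """\
dn: CN=Ryan Thompson,OU=Users,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
description:: VGhpcyBpcyBub3QgYSBzZWNyZXQ=
legacyPwd: clk0bjVldmE=
userAccountControl: 66048
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
SENSITIVE_RE = re.compile(r"pwd|pass|secret|key", re.I)


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])] from LDIF text."""
    records, dn, attrs = [], None, []
    # A line starting with a space continues the previous one (LDIF folding).
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():            # blank line terminates a record
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, []
        elif not line.startswith("#"):
            attr, val = line.split(":", 1)
            if val.startswith(":"):     # '::' = value base64-encoded by ldapsearch
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            attr, val = attr.strip(), val.strip()
            if attr.lower() == "dn":
                dn = val
            else:
                attrs.append((attr, val))
    return records


def decode_if_text(value):
    """Decoded string if value is base64 hiding printable ASCII, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    raw = base64.b64decode(value)
    return raw.decode("ascii") if raw and all(32 <= b < 127 for b in raw) else None


def find_exposed_secrets(text):
    """(dn, attr, plaintext) for password-like attributes that are merely base64."""
    return [(dn, a, d) for dn, attrs in parse_ldif(text) for a, v in attrs
            if (d := decode_if_text(v)) and SENSITIVE_RE.search(a)]
```

Run it over a real dump with find_exposed_secrets(open("result.txt").read()); anything it reports is readable by whoever can perform the same bind, so the attribute should be cleared and the credential rotated.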

 


Our next target was TCP port 139 (netbios-ssn), which was open. Since we had found the user Ryan Thompson (r.thompson) and the password “rY4n5eva”, we decided to use smbclient to enumerate any SMB shared folders.

 

We went inside the Data share and found a directory named IT. Inside IT we found a directory named Email.Archives, and inside that a file named Meeting_Notes_June_2018.html, which we downloaded to our Kali system using the get command.

 

Then we went back to the IT directory and found another directory named Temp. Inside Temp we found a directory named s.smith, which could also be a user. Inside s.smith we found a file with a .reg extension, which we downloaded to our Kali system using the get command.

 

smbclient \\\\10.129.26.146\\Data -U r.thompson

ls

cd IT

ls

cd "Email.Archives"

ls

get Meeting_Notes_June_2018.html

cd ..

ls

cd Temp

ls

cd s.smith

ls

get "VNC Install.reg"



We looked at the contents of Meeting_Notes_June_2018.html and found that the meeting notes mention a TempAdmin user which has the same password as the Administrator account.



Now let’s look at the contents of VNC Install.reg, which we found in the s.smith directory, using the cat command. Boom, we found a hex password string.

 


 

The next task is to decode the hex password string we found in VNC Install.reg. This is not a hash: VNC stores the password in the registry encrypted with a fixed, publicly known key, so it can be reversed directly. We will decode it using a tool named vncpasswd.py, which is available on GitHub.

Now let’s install the tool and recover the password. Voilà, we found the password for user s.smith: “sT333ve2”.

 

./vncpasswd.py -d -H 6bcf2a4b6e5aca0f

 


Exploitation

So far we have found the login credentials of the user s.smith. Now, using Evil-WinRM, we try to access the shell of the target machine. As a result, it gives us access to the victim’s shell by providing its PowerShell prompt, as shown below.

 

evil-winrm -u s.smith -p sT333ve2 -i 10.129.26.146

 

After logging in, we moved to the user’s Desktop to read the user.txt flag.

 

*Evil-WinRM* PS C:\Users\s.smith\Documents> cd ..

*Evil-WinRM* PS C:\Users\s.smith\Documents> cd Desktop

*Evil-WinRM* PS C:\Users\s.smith\Documents> ls

*Evil-WinRM* PS C:\Users\s.smith\Documents> cat user.txt

 


Our next target was again TCP port 139 (netbios-ssn). Since we had found the user s.smith and the password “sT333ve2”, we decided to use smbclient once more to enumerate the SMB shares.

 

Inside the Audit share we found two files, with .exe and .dll extensions, and a directory named DB. We downloaded the files to our Kali system using the get command. Next we went inside DB, found a file named Audit.db, and downloaded it as well.

 

smbclient //10.129.26.146/Audit$ -U s.smith

ls

get CascAudit.exe

get CascCrypto.dll

cd DB

ls

get Audit.db



As you can see in the screenshot above, we found Audit.db in the DB folder; its contents are shown below.




 

Running a SELECT on the Ldap table, boom, we found the ArkSvc password, in encrypted form.



Our next task is to disassemble the .exe and .dll files we found in the SMB share accessible to s.smith. For this we used a tool named dnSpy.

Using dnSpy we disassembled CascAudit.exe and tried to extract information. Boom, we found the secret key in clear text in the call to the function Decrypt-String: “c4scadek3y654321”.



Let’s move ahead and disassemble CascCrypto.dll. Inside Decrypt-String we got another useful artifact: the IV of the symmetric AES encryption, “1tdyjCbY1Ix49842”.



Now we have all the material required to decrypt the ArkSvc password, and we used an online tool to do so.

Boom, we got the password for user ArkSvc: “w3lc0meFr31nd”.

 



Privilege Escalation

Now it’s time to escalate privileges on the lab. Since we have found the login credentials of the user ArkSvc, we again use Evil-WinRM to access the shell of the target machine. As a result, it gives us access to the victim’s shell by providing its PowerShell prompt, as shown below.

 

evil-winrm -u ArkSvc -p w3lc0meFr31nd -i 10.129.26.146

We navigated through lots of folders but didn’t find anything useful. So we went to the Documents folder of ArkSvc and used the net user command to see the account information, and found that the user is a member of the AD Recycle Bin group.

If we go back to the meeting notes we discovered in the SMB share, we know there was a user TempAdmin which had the same password as Administrator and was deleted, i.e. moved to the Recycle Bin.



Next we wanted to view the contents of the AD Recycle Bin, which requires PowerShell. The following query returns all of the deleted objects in the domain:

*Evil-WinRM* PS C:\Users\arksvc\Documents>  Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects



From the image above we saw that TempAdmin is present in the deleted objects. Our next task was to expand the search to include its properties and read them:

*Evil-WinRM* PS C:\Users\arksvc\Documents>  Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *



Looking at the deleted object’s properties, boom, we found the legacy password for the TempAdmin user, which is a base64 string.



Our next job was to decode the legacy password of TempAdmin, for which we used the echo command as before. After decoding it we found the password for TempAdmin, which is the same for Administrator as well: “baCT3r1aN00dles”.


Since we now have the login credentials of Administrator, we use Evil-WinRM once more to access the shell of the target machine. Starting from “PS C:\Users\administrator\Documents>” we move to the Desktop, where we find a file called “root.txt”. We take a look at its contents and find the final flag.

 

evil-winrm -u Administrator -p baCT3r1aN00dles -i 10.129.26.146

*Evil-WinRM* PS C:\Users\administrator\Documents>  cd..

*Evil-WinRM* PS C:\Users\administrator\Documents>  cd Desktop

*Evil-WinRM* PS C:\Users\administrator\Documents>  ls

*Evil-WinRM* PS C:\Users\administrator\Documents>  cat root.txt



 

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact Here
