Cascade,a Windows box created by HackTheBox user VbScrub, was an overall easy-medium difficulty box.The Initial enumeration show that the box is a LDAP Server. Using Jxplorer digging in that we get credential for a user and looking in the shares we find a TightVNC registry key which contain password for user s.smith and using vncpwd we can get the password. We can winrm and get user.txt. Again looking the new open smb-shares we find a executable and a sqlite database which contain password for a service account. Reverse Engineering the binary we can get the password. login with the new creds and a mail we saw in the shares earlier we can try to retrieve the password for TempAdmin which is the password for the local admin.
# Nmap 7.80 scan initiated Sat Mar 28 15:23:03 2020 as: nmap -v -sC -sV -oN nmap/Cascade 10.10.10.182 Nmap scan report for 10.10.10.182 Host is up (0.16s latency). Not shown: 986 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) | dns-nsid: |_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39) 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-28 19:23:17Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC 49165/tcp open msrpc Microsoft Windows RPC Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Mar 28 15:26:49 2020 -- 1 IP address (1 host up) scanned in 225.63 seconds
The Initial Enumeration Shows that this is a LDAP server so lets try to run enum4linx to see the data using that we can leak the usernames
we don’t see anything else so i opened jxplorer and connected to the server looking around i saw a legacy password for r.thompson as rY4n5eva.
Using that password on winrm we don’t get anything so lets look at samba share and we see we can read Data share.
Looking in that we find VNCInstall.log inside Temp/s.smith which contain the registry key for TightVNC
“Password”=hex:6b,cf,2a,4b,6e,5a,ca,0f Googling around i found a tool vncpwd using which i cracked the password for s.smith:sT333ve2
using that we can winrm we can get a shell and get user.txt
Enumerating we don’t see anything interesting. So I took a look at samba share
Looking inside the shares i saw a binary and a sqlite database.
Opening the CascAudit.exe in ilspy we can reverse the get the password for arksvc as w3lc0meFr31nd
Looking at the code that is a aes-cbc-128 so i opened CyberChef
Login as ArkSvc using and Enumerating i don’t see anything so going back i saw a mail in the Data share which said that TempAdmin user had same password as Administrator so i checked if i can read Deleted ADObject and we can get
1 2 3 4 5 6
> New production network will be going live on Wednesday so keep an eye out for any issues.
> We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password).
> The winner of the “Best GPO” competition will be announced on Friday so get your submissions in soon.
which give us the password for admin as baCT3r1aN00dles and we can login as Administrator
and we can read root.txtf94e11622c01ceb2445b770f33684c64 and we have pwned Cascade💃