hackthebox cascade walkthrough


Starting with nmap

A few ports are open. DNS (port 53) is open but of no use, as a zone transfer did not work. As on other Windows boxes in HTB, the SMB port is open. The other ports are RPC, Kerberos, LDAP, etc.

For Windows boxes it is often useful to scan the UDP ports as well; there could be another service, such as SNMP on port 161, from which we can extract additional information.

I scanned the full port range using masscan; the result is as follows

Note: First, I tried smbclient to list the shares, but access was denied. So I moved on to LDAP.

Let's see what we have in LDAP

Note the first namingContexts entry, i.e. DC=cascade,DC=local

Further

To get the possible users on the machine

Check whether any user has logged in. This is helpful for finding the human users.

There are a few logon counts; in particular I was interested in the logonCount values of 13 and 16

So, our Windows users are arksvc and s.smith

These users were not shown in my first attempt, but they were in the ldap.out file. We can use another approach to find the users on the machine: rpcclient

Going further, I re-checked the output file ldap.out, where there is information about the user, and I found the following

cascadeLegacyPwd shows the password for the user r.thompson. Decode it:
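The root cause here is a cleartext credential stored in a custom directory attribute, which anyone who can read the directory can recover with a base64 decode. As an added example (not from the original post), a small Python audit that parses an ldapsearch-style LDIF dump, flags every password-looking attribute, and separates values that are merely base64-encoded text from values that stay opaque after decoding (like the ArkSvc value found later in the audit database, which base64 -d could not read). The sample dump, account names and values are constructed for this example, not taken from the lab.

```python
import base64
import re

# Constructed LDIF sample in the style of the ldapsearch dump (ldap.out) the
# post walks through; the accounts and values are made up for this example.
SAMPLE_LDIF = """\
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: r.thompson
cascadeLegacyPwd: U2FtcGxlUGFzczE=

dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: s.smith
description:: U3RldmUgU21pdGgg4oCTIElU

dn: CN=ArkSvc,OU=Services,OU=UK,DC=cascade,DC=local
sAMAccountName: arksvc
legacyPassword: BQO5l5Kj9MdErXx6Q6AGOw==
"""
SECRET_NAME = re.compile(r"pwd|passw|secret|cred", re.IGNORECASE)  # attribute names to flag
LDIF_LINE = re.compile(r"^([\w;.-]+)(::?) ?(.*)$", re.MULTILINE)  # attr, ':' or '::', value


def parse_ldif(text):
    """Split an LDIF dump into entries (attr -> [values]). A '::' separator marks an
    LDIF base64-encoded value (ldapsearch emits it for non-ASCII) and is decoded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):  # entries are blank-line separated
        entry = {}
        for m in LDIF_LINE.finditer(block):  # comment/continuation lines do not match
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries


def classify(value):
    """'plaintext' if the value base64-decodes to printable ASCII, i.e. a cleartext
    secret recoverable by anyone with LDAP read access; otherwise 'opaque'."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "opaque"
    return "plaintext" if text.isprintable() else "opaque"


def find_secret_attributes(entries):
    """(account, attribute, verdict) for every attribute whose name suggests a password."""
    return [(entry.get("sAMAccountName", ["?"])[0], attr, classify(v))
            for entry in entries for attr, values in entry.items()
            if SECRET_NAME.search(attr) for v in values]
```

Run against a real ldapsearch export (`python3 audit.py` after reading the dump into SAMPLE_LDIF, or feed the file to parse_ldif) and every "plaintext" finding is an attribute that should be cleared and the account's password rotated.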

Let's try that on another service, like SMB

We see there is a Data share. Use the same smbclient tool to enter the directory

This file is easier to read in a browser

A few things are disclosed: the usernames TempAdmin and Steve. Steve says that TempAdmin was created for the network migration. We should keep an eye on this user, which may be the key to root.

To see if there was any more information, I revisited the shares and found a VNC log

I downloaded the file and viewed it carefully. It also discloses an important piece of information: the password

The password is the VNC password in hex format; we will need a tool to decrypt it. Download the cracker vncpasswd.py. Remove the commas (,) and save the hex to a file.

Great, we got the password. The password looks like “Steve”, so it must be for the user Steve. BTW, Steve is the first name; we should use “s.smith”, as his full name is “Steve Smith” and that is the username format. I tried to log in with smbclient, then I thought to use evil-winrm to log in.

We are a member of “Audit Share” and “IT”. We have explored IT before; let's try “Audit Share”

There is a database. Let's download it and see what we get. We can use smbget to download the file.

To view the database better in Kali Linux, I used sqlitebrowser.

I didn't see much information, so I decided to export the database in CSV format to get better insight.

I selected all four options here and exported in CSV format.

Now I have four files, as follows

I checked Lda.csv and found another piece of juicy information

It is the password for the user ArkSvc in base64. But decoding it directly with the base64 -d command didn't give any readable result, so I searched for the string on Google directly and found a few posts with the exact same base64 string. They also gave me the decoded string after I clicked the RUN button.

So the password is w3lc0meFr31nd

The release date of this HackTheBox Windows machine, Cascade, was 28th March, and a few of these posts were published on the same date, so I assume this is the intended path and there is nothing wrong with it.

Going further, log in using WinRM. BTW, I got the WinRM tool from here

So far, so good.

We are a member of a different group here, i.e. “AD Recycle Bin”. Remember Steve said that the TempAdmin user would get deleted? Maybe we can find that user in the AD Recycle Bin. Since we easily get PowerShell using WinRM, it should be relatively easy to view the information for the TempAdmin user.

The Get-ADObject PowerShell cmdlet can be used to view deleted objects if the -IncludeDeletedObjects switch is passed.

Along with other information we see that TempAdmin was indeed removed.

Thanks to the power of the internet, I found the command to view more information about the above object using its DistinguishedName. We can simply run the following command to view more information.

So, in our case, I ran the following command

I see cascadeLegacyPwd “YmFDVDNyMWFOMDBkbGVz”; decoding it

I then used Impacket's psexec to log in as the user Administrator

Cheers!
