Thoughts, stories and ideas.
Cascade HTB

Good morning all,

I present to you today a post relating to the "Cascade" machine, created by @VbScrub and available on the HackTheBox platform.

Hack The Box :: Penetration Testing Labs
An online platform to test and advance your skills in penetration testing and cyber security.

Accessible since March 28 as a replacement for "Sniper", it is a Windows machine of Intermediate difficulty (MEDIUM).

Without further ado, let's start our investigations!

Enumeration

My first enumeration phase will begin, once is not custom, with a port scan carried out using the nmap tool .

nmap -sC -sV -p- 10.10.10.182
nmap scan Cascade
Port scan result from the nmap tool

This first analysis will thus reveal the presence of several accessible services such as DNS, LDAP, SMB, WINRM, RPC or even Kerberos… A set of services traditionally observed on Active Directory domain controllers.

In order to quickly list the main information accessible from the LDAP directory, I used the enum4linux tool allowing me to retrieve the list of users, groups or even the password policy applied to domain users:

enum4linux -a 10.10.10.182
Users registered on the CASC-DC1 machine
Users registered on the CASC-DC1 machine

In addition to the traditional “ Builtin Groups ”, we will note the presence of groups such as IT , Production , Factory , Finance , HR , Time , Audit Share or even Data Share ; these last two groups may imply the presence of dedicated shares on the network.

Local groups registered on the CASC-DC1 machine
Local groups registered on the CASC-DC1 machine

However, querying the available shares from a  "Null Session" will be unsuccessful.

List of shares available without authentication on CASC-DC1
List of shares available without authentication on CASC-DC1

Having a list of users present on CASC-DC1, including several accounts resembling service accounts ( ArkSv c, BackupSvc and util ), I then wanted to control the vulnerability of these latter to an AS- type attack. REP Roast .

For those wishing to deepen all notions relating to attacks on Active Directory, I can only recommend the excellent site of Sean Metcalf ( @ PyroTek3 ): https://adsecurity.org/

A good description of the functioning mechanism of the AS-REP Roast attack, rather educational, is also available in French (Cocorico!) On the Pixis website ( @HackAndDo )

AS_REP Roasting
Lors d’une demande de TGT, l’utilisateur doit, par défaut, s’authentifier auprès du KDC pour que celui-ci lui réponde. Il arrive que cette authentification préalable ne soit pas demandée pour certains comptes, permettant à un attaquant d’abuser de cette configuration

In order to carry out this operation, I therefore relied on the GetNPUsers.py script present on the Impacket suite: a must for operating Windows systems. Unfortunately, none of the accounts on this machine were vulnerable to this attack.

python3 ./GetNPUsers.py cascade.local / -request -dc-ip 10.10.10.182 -no-pass -usersfile users.txt
Impacket output
Impacket output

A quick attempt to bruteforce accounts, carried out using the CrackMapExec tool and relying on a list made up of the main information collected during our investigations (login, name, first name, etc.), will also prove to be unsuccessful ...

Extract from the bruteforce attack carried out with the CrackMapExec tool
Extract from the bruteforce attack carried out with the CrackMapExec tool

SMB and Kerberos seeming unusable for the moment, I decided afterwards to carry out a manual enumeration of the LDAP service.


Note that the LDAP directory was searchable from an anonymous connection on TCP port 389, which is not always the case!


When checking user input, a particular attribute was identifiable on the user r.thompson : attribute cascadeLegacyPwd whose value clk0bjVldmE=

Extract from LDAP entry for user r.thompson
Extract from LDAP entry for user r.thompson


The sign "=" present at the end of our character string is often the sign of an encoding in Base64, we proceed to a decryption test… confirming our hypothesis!

echo "clk0bjVldmE =" | base64 -d (Result = rY4n5eva)
Authentication successful as r.thompson
Authentication successful as r.thompson

Initial access

Study of accessible shares

The new identifiers obtained now allow us to perform a new enumeration with the rights of the user r.thompson

Note that attempting to connect remotely from the WinRM protocol will be unnecessary at this time; the r.thompson user who is not part of the " Remote Management Users" group

The initial enumeration of users and groups revealed that our user r.thompson belonged to the "Data Share " and " IT  " groups. Also, I carried out a new analysis of the shares accessible from this new user… This is how we can see the presence of the " Data" share , accessible in read only:

Shares visible to user r.thompson
Shares visible to user r.thompson

Without further ado, let's access this sharing!

smbclient -U r.thompson% rY4n5eva //10.10.10.182/Data

We are now accessing a new data tree… However, our user being a member of the " IT " group, we can easily imagine that he only has access to the corresponding folder!

Within the IT file, we will find several documents:

  • A " Meetings_Notes_June_2018.html " file , present in the IT \ Email Archives folder: this is a memo informing us of the production of a new network and also indicating the use of an account from temporary administration for this operation. The temporary administration account was “ TempAdmin ” and had the same password as the company administration account … Some interesting information for the rest!
  • The " dcdiag.log " file , found under \ IT \ Logs \ DCs \… without much interest;
  • The " ArkAdRecycleBin.log " file , found under \ IT \ Logs \ Ark AD Recycle Bin \: this file will give us an idea of ​​the usefulness of the ArkSvc service account, which seems to be used in order to perform restore operations on the 'Active Directory;
  • The " VNC install.reg " file found under \ IT \ Temp \ s.smith \: this file, found in the user's s.smith folder , contains the password used by the VNC service… Rather interesting!
Extract from the "VNC install.reg" file
Extract from the "VNC install.reg" file

System access as s.smith

We now have sufficient elements to continue our access to the IS.

The VNC password, present in the register in hexadecimal format, can be recovered in clear. For this purpose several publicly available tools can be used. For my part, I opted for the latter:

trinitronx/vncpasswd.py
A Python implementation of vncpasswd, w/decryption abilities & extra features ;-) - trinitronx/vncpasswd.py

After installing the prerequisites, using the tool will provide us with the VNC password in clear as desired:

./vncpasswd.py -d -H 6bcf2a4b6e5aca0f
What originality Steve!
What originality Steve!

Now, having previously observed that s.smith was part of the " Remote Management Users " group, we can make a remote connection, via the WinRM protocol, using the credentials obtained… And voila!

evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2
Welcome s.smith!
Welcome s.smith!

Now, let's get our user flag ...

Flag user.txt
Flag user.txt

Privilege escalation

Access to the system as ArkSvc

Like the operations carried out with the r.thompson account , we must now perform a new enumeration with the rights of our new user.

A new analysis of the accessible shares will then tell us that s.smith has access to the Audit $ hidden share.

Shares visible to user s.smith
Shares visible to user s.smith

Let's go see what it contains!

smbclient -U s.smith% sT333ve2 //10.10.10.182/Audit$

Among these files, we can retain:

  • The RunAudit.bat file: the latter provides us with information on the launch of the executable file CascAudit.exe which is based on the Audit.db database ;
Contents of the RunAudit.bat file
Contents of the RunAudit.bat file

The Audit.db file , found under \ DB: this SQLite database contains the password of the ArkSvc user in the Ldap table . It also refers to the deleted temporary administration account, namely TempAdmin. We will also note that the password seems to be encoded in Base64. However, a simple decryption operation will not provide any usable password ... Therefore, we can assume that a processing of the latter, before its insertion in the database, is carried out by the program CascAudit.exe ;

The CascAudit.exe file: program used with the Audit.db database ;

  • The CascCrypto.dll file: DLL used by the CascAudit.exe program , probably containing the latter's encryption / decryption functions… and at the same time supporting the hypothesis formulated as to the password present in the Audit database . db .

For the rest of the investigations, I had to use a disassembler in order to read the source code of the CascAudit.exe and CascCrypto.dll files . The "JetBrains DotPeek" software (freeware) will have been used to meet this need.

dotPeek : Décompilateur .NET et navigateur assembleur gratuit par JetBrains
dotPeek est un outil gratuit basé sur ReSharper. Il peut décompiler de manière fiable n’importe quel assembly .NET en code C# ou IL.

We can now observe that the CascAudit.exe file refers to the CascCrypto library and that its main program tells us about the key used for decryption of passwords: c4scadek3y654321

View of the CascAudit.exe file
View of the CascAudit.exe file

Regarding the CascCrypto DLL, the analysis of the DecryptString method will reveal the encryption algorithm used, namely AES in CBC mode , as well as the value of the Initialization Vector (IV): 1tdyjCbY1Ix49842 . We will also have confirmation that the final string is encoded in Base64 format.

View of the CascCrypto.dll file
View of the CascCrypto.dll file

We now have all the information we need to decrypt our password:

  • Password (AES + Base64): BQO5l5Kj9MdErXx6Q6AGOw ==
  • Key: c4scadek3y654321
  • IV: 1tdyjCbY1Ix49842
In order to simply perform this decryption operation, I advise you to use the excellent CyberChef site.
CyberChef
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

And here is the result!

Decryption made from CyberChef
Decryption made from CyberChef

To conclude, an authentication test will confirm the validity of this password for the ArkSvc user:

Welcome ArkSvc!
Welcome ArkSvc!

All we have to do is log in with our new login details on the server!

evil-winrm -i 10.10.10.182 -u ArkSvc -p w3lc0meFr31nd

Access to the system as Administrator

This last phase of operation turned out to be rather rapid, given the information revealed during our successive analyzes. The author took great care to leave us several clues during each of the enumeration phases… which was really pleasant and reinforced the readability of the expected final exploitation!

To summarize the useful information in our possession:

  • The TempAdmin administration account was created temporarily for a network migration operation;
  • This user has the same password as the company's administrator account;
  • The logs mentioning the ArkSvc user refer to the "ARK AD RECYCLE BIN MANAGER" program, used for restoring objects in the Active Directory ;
  • The ArkSvc user belongs to the " AD Recycle Bin " group.

From these elements, it was easy to imagine that the TempAdmin user had been deleted and that we had to try to restore it ... The first hypothesis will have been confirmed by requesting the objects deleted from the directory from our PowerShell console:

Get-ADObject -IncludeDeletedObjects -Filter {objectClass -eq "user" -and IsDeleted -eq $ True}
List of objects deleted in the Active Directory
List of objects deleted in the Active Directory

However, the second hypothesis relating to the restoration of this account will prove to be unsuccessful; the ArkSvc account not having sufficient rights to perform this operation:

Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject

To finish, I was thus inspired by the method of elevation of the user r.thompson … Wouldn't sensitive information be present in the LDAP entry of the TempAdmin user ?

All I had to do was verify this hypothesis by requesting our deleted user to display its properties. Thus we will see again the presence of the attribute cascadeLegacyPwd whose value YmFDVDNyMWFOMDBkbGVz

Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects -Properties *

A Base64 decryption of the observed value will provide us with the clear password of the TempAdmin user : baCT3r1aN00dles

echo " YmFDVDNyMWFOMDBkbGVz" | base64 -d     (baCT3r1aN00dles)

An attempt to authenticate as Administrator with the username obtained will confirm that the passwords for the TempAdmin and Administrator accounts were indeed identical!

Welcome Administrator!
Welcome Administrator!

A last connection will finally be made as Administrator ...

evil-winrm -i 10.10.10.182 -u Administrator -p baCT3r1aN00dles

In order to retrieve our last root.txt flag!

Flag root.txt
Flag root.txt

Conclusion

This is where my presentation of the "Cascade" machine ends. I particularly appreciated the program analysis phase (similar to the "Nest" machine by the same author) as well as the general coherence of this challenge, delivering several clues as the privilege escalation phases progress. to orient the attacker on the final method of exploitation… A very beautiful machine in my opinion, giving pride of place to the enumeration!

Regarding the elevation through the cascadeLegacyPwd attribute , I am not sure that this is the most realistic on an Active Directory but hey ... this remains a detail knowing that many sensitive information is often present in the within LDAP user entries. I would also give an opinion concerning the difficulty of this machine which seems to me to have been evaluated on the rise. But here again, this assessment will be really subjective since it is highly dependent on the areas of predilection of each.

I warmly thank @VbScrub for their contribution! And you for reading my write-up, Until next time!

Your friendly neighborhood Hacker

You've successfully subscribed to Flaviu Popescu
Welcome back! You've successfully signed in.
Great! You've successfully signed up.
Success! Your account is fully activated, you now have access to all content.