Active
Notes And Projects
Notes And Projects
  • Write-Ups
    • ✅ Active - Easy
    • 🌈Cascade- Medium
Powered by GitBook
On this page
  • Reconnaissance
  • Enumeration
  • SMB
  • RPC
  • Kerberos
  • LDAP
  • Decrypting a VNC Password and Further Network Enumeration
  1. Write-Ups

Cascade- Medium

Previous✅ Active - Easy

Last updated 9 months ago

The "Cascade" machine on is categorized as an Medium-level target. It's ideal to

Reconnaissance

Our initial step involved verifying connectivity with a ping test. This helps determine if we can reach the target machine and provides information such as the Time to Live (TTL) value, which can help us identify the operating system. Typically, a TTL of 64 suggests a Linux system, and a TTL of 128 or less indicates a Windows machine.

Following this initial check, we proceeded with a SYN TCP port scan against all ports. We used flags such as -Pn and -n, along with setting a minimum rate of 5000 packets per second, to expedite the scan.

nmap -sS -p- -Pn -n --min-rate 5000 $IP -oG nmap/allports -vvv

Once we identified all the open ports on the target, we conducted a second scan using the -sVC flags. This scan was aimed at retrieving detailed information such as service versions and other relevant data that would be crucial for our enumeration phase.

nmap -sVC -p53,88,135,139,389,445,636,3268,3269,5985,49154,49155,49157,49158,49173 -oN nmap/targeted -vv 10.129.27.139

As you can see, several ports indicative of a domain controller are open, including port 88 for Kerberos, 445 for SMB, 389 for LDAP, and 135 for RPC. This is crucial information because it allows us to leverage various tools tailored to these protocols. Tools such as kerbrute for testing Kerberos authentication, ldapsearch for querying LDAP services, smbmap for SMB server enumeration, and crackmapexec for assessing the security of network services can be used to gather comprehensive information about the domain.

Enumeration

SMB

The first port we chose to enumerate was SMB, as our goal was to identify any accessible shares on the network and the domain name, which we planned to add to the /etc/hosts file. To achieve this, we utilized crackmapexec to gather the necessary information. However, for reasons unknown, crackmapexec did not yield any results. Consequently, we decided to proceed with the enumeration of the remaining ports.

RPC

As we mentioned the crackmapexec appears not to work without credentials. So, we started enumerate RCP port using rpcclient using a null in order to enumerate potentials users on the domain. Usually we use the following one-liner to extract the users list.

rpcclient -U '%' $IP -c 'enumdomusers' | grep -oP '\[.*?\]' | grep -v '0x' | tr -d '[]' > Users.txt

Kerberos

After obtaining the list of users, one effective strategy is to check for valid credentials using kerbrute. We recommend this approach because, while kerbrute validates the users, it also checks to see if any user is vulnerable to ASREPRoast. This dual-functionality makes kerbrute particularly useful in both verifying user accounts and enhancing security assessments by identifying specific vulnerabilities.

kerbrute userenum --dc 10.129.27.139 -d cascade.local Users.txt -

LDAP

Continuing with our enumeration, we used ldapsearch to gather additional information which could aid in gaining initial access to the system or identifying potential attack vectors for further enumeration. By filtering results by userPrincipalName, we discovered an uncommon field for the user r.thompson, which appears to contain a Base64 encoded password. This finding is particularly significant as decoding this encoded string may provide direct credentials for accessing other system resources or escalating privileges within the network. Here's how to proceed:

Decrypting a VNC Password and Further Network Enumeration

Using the decoded credentials, we progressed further in our enumeration efforts. With these credentials, we gained access to SMB shares which housed several files. Among these, the most noteworthy discovery was in the IT/Temp/s.smith/VNC directory, where we found a VNC log containing an encrypted password.

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
......
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
........
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""

To decode the encrypted password found in the VNC log, we followed a systematic approach. We initially leveraged the VNCpwd tool, which is specifically designed to decode passwords encrypted by TightVNC using a known static key. Here are the steps involved:

  1. Clone and Build VNCpwd: We started by cloning the VNCpwd repository and compiling the tool:

git clone https://github.com/jeroennijhof/vncpwd.git
cd vncpwd
make

Prepare the Encrypted Password: Next, we extracted the encrypted password from the VNC log and prepared it for decryption:

echo "encrypted_password_here" | xxd -r -p > encrypted_vnc_password

Decrypt the Password: Using the compiled VNCpwd tool, we decrypted the password:

./vncpwd encrypted_vnc_password

Validate the Decrypted Password: With the decrypted password in hand, we validated it against the SMB service using Crackmapexec to ensure it provided access:

crackmapexec smb 10.129.221.124 -u username -p 'decrypted_password'

  • This step confirmed that the decrypted credentials were valid and provided access to additional network resources.

  • Access SMB Shares: Armed with valid credentials, we accessed the relevant SMB shares to retrieve critical files:

After successfully downloading files from the SMB share, we proceeded to inspect the source code of various executables and libraries found within these shares. To accomplish this, we used tools like dotPeek to examine the compiled .NET assemblies for any hardcoded keys or additional credentials that might be exploited for deeper access.

During our inspection, we focused on the MailModule of an application where the code revealed intriguing elements:

.

🌈
HackTheBox