# Cascade-  Medium

<figure><img src="https://4264356657-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFTAj3opwoJWyy3dgqmeZ%2Fuploads%2F6RfJKnzQinsV9fVCo5X3%2Fimage.png?alt=media&#x26;token=73f30df9-e4dc-46c9-85d9-1f9cddfcf189" alt=""><figcaption></figcaption></figure>

> The "Cascade" machine on [HackTheBox](https://app.hackthebox.com/machines/235) is categorized as an Medium-level target. It's ideal to&#x20;

## Reconnaissance

Our initial step involved verifying connectivity with a ping test. This helps determine if we can reach the target machine and provides information such as the Time to Live (TTL) value, which can help us identify the operating system. Typically, a TTL of 64 suggests a Linux system, and a TTL of 128 or less indicates a Windows machine.

Following this initial check, we proceeded with a SYN TCP port scan against all ports. We used flags such as `-Pn` and `-n`, along with setting a minimum rate of 5000 packets per second, to expedite the scan.

```bash
nmap -sS -p- -Pn -n --min-rate 5000 $IP -oG nmap/allports -vvv
```

\
Once we identified all the open ports on the target, we conducted a second scan using the `-sVC` flags. This scan was aimed at retrieving detailed information such as service versions and other relevant data that would be crucial for our enumeration phase.

```bash
nmap -sVC -p53,88,135,139,389,445,636,3268,3269,5985,49154,49155,49157,49158,49173 -oN nmap/targeted -vv 10.129.27.139
```

<figure><img src="https://4264356657-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFTAj3opwoJWyy3dgqmeZ%2Fuploads%2F0tqp3GSDdrjpWoRncFKk%2Fimage.png?alt=media&#x26;token=db0ca50e-623d-4b68-b631-a715df0e32aa" alt=""><figcaption></figcaption></figure>

\
As you can see, several ports indicative of a domain controller are open, including port 88 for Kerberos, 445 for SMB, 389 for LDAP, and 135 for RPC. This is crucial information because it allows us to leverage various tools tailored to these protocols. Tools such as `kerbrute` for testing Kerberos authentication, `ldapsearch` for querying LDAP services, `smbmap` for SMB server enumeration, and `crackmapexec` for assessing the security of network services can be used to gather comprehensive information about the domain.

## Enumeration

### SMB

The first port we chose to enumerate was SMB, as our goal was to identify any accessible shares on the network and the domain name, which we planned to add to the `/etc/hosts` file. To achieve this, we utilized `crackmapexec` to gather the necessary information. However, for reasons unknown, `crackmapexec` did not yield any results. Consequently, we decided to proceed with the enumeration of the remaining ports.

### RPC

As we mentioned the crackmapexec appears not to work without credentials. So, we started enumerate RCP port using rpcclient using a null in order to enumerate potentials users on the domain.  Usually we use the following one-liner to extract the users list.

```bash
rpcclient -U '%' $IP -c 'enumdomusers' | grep -oP '\[.*?\]' | grep -v '0x' | tr -d '[]' > Users.txt
```

### Kerberos

After obtaining the list of users, one effective strategy is to check for valid credentials using `kerbrute`. We recommend this approach because, while `kerbrute` validates the users, it also checks to see if any user is vulnerable to <mark style="color:red;">ASREPRoast</mark>. This dual-functionality makes `kerbrute` particularly useful in both verifying user accounts and enhancing security assessments by identifying specific vulnerabilities.

```bash
kerbrute userenum --dc 10.129.27.139 -d cascade.local Users.txt -
```

<figure><img src="https://4264356657-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFTAj3opwoJWyy3dgqmeZ%2Fuploads%2FBXXfZWwhcnBFprXpfttO%2Fimage.png?alt=media&#x26;token=0661e248-1cf0-412f-951f-d8bafdfb3144" alt=""><figcaption></figcaption></figure>

### LDAP

Continuing with our enumeration, we used `ldapsearch` to gather additional information which could aid in gaining initial access to the system or identifying potential attack vectors for further enumeration. By filtering results by `userPrincipalName`, we discovered an uncommon field for the user `r.thompson`, which appears to contain a Base64 encoded password. This finding is particularly significant as decoding this encoded string may provide direct credentials for accessing other system resources or escalating privileges within the network. Here's how to proceed:

<figure><img src="https://4264356657-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFTAj3opwoJWyy3dgqmeZ%2Fuploads%2FH92PXOJQ3pQL6jUnBtPk%2FPasted%20image%2020240312180050.png?alt=media&#x26;token=3aaaa172-f23d-4527-99d8-c17de8df54ee" alt=""><figcaption></figcaption></figure>

## Decrypting a VNC Password and Further Network Enumeration

Using the decoded credentials, we progressed further in our enumeration efforts. With these credentials, we gained access to SMB shares which housed several files. Among these, the most noteworthy discovery was in the `IT/Temp/s.smith/VNC` directory, where we found a VNC log containing an encrypted password.

```java
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
......
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
........
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
```

To decode the encrypted password found in the VNC log, we followed a systematic approach. We initially leveraged the VNCpwd tool, which is specifically designed to decode passwords encrypted by TightVNC using a known static key. Here are the steps involved:

1. **Clone and Build VNCpwd**: We started by cloning the VNCpwd repository and compiling the tool:

```bash
git clone https://github.com/jeroennijhof/vncpwd.git
cd vncpwd
make
```

**Prepare the Encrypted Password**: Next, we extracted the encrypted password from the VNC log and prepared it for decryption:

```bash
echo "encrypted_password_here" | xxd -r -p > encrypted_vnc_password
```

**Decrypt the Password**: Using the compiled VNCpwd tool, we decrypted the password:

```bash
./vncpwd encrypted_vnc_password
```

**Validate the Decrypted Password**: With the decrypted password in hand, we validated it against the SMB service using Crackmapexec to ensure it provided access:

```bash
crackmapexec smb 10.129.221.124 -u username -p 'decrypted_password'
```

* This step confirmed that the decrypted credentials were valid and provided access to additional network resources.
* **Access SMB Shares**: Armed with valid credentials, we accessed the relevant SMB shares to retrieve critical files:

After successfully downloading files from the SMB share, we proceeded to inspect the source code of various executables and libraries found within these shares. To accomplish this, we used tools like `dotPeek` to examine the compiled .NET assemblies for any hardcoded keys or additional credentials that might be exploited for deeper access.

During our inspection, we focused on the `MailModule` of an application where the code revealed intriguing elements:

<figure><img src="https://4264356657-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFTAj3opwoJWyy3dgqmeZ%2Fuploads%2FVUBFbnct6GuPmhvNgval%2FPasted%20image%2020240312193203.png?alt=media&#x26;token=da0772b8-0e63-424d-993d-bb0ea77bc963" alt=""><figcaption></figcaption></figure>

.