Cascade-Hack The Box

Cascade is a Windows machine that just got retired. This had got an active directory which we will try to penetrate in and get the admin privilege.

Let’s begin with the nmap scan

sudo nmap -sS -sV

Image for post

After doing the map enumeration, I decided to try LDAP enumeration using ldapsearch

ldapsearch -x -b “dc=CASCADE, dc=local” -h

Image for post

From this enumeration, I found few usernames and something interesting with r.thompson user

Image for post

We got a password

Let’s try to decode it.

Here I used the online tool to decode itBase64 Decode and Encode – OnlineDecode from Base64 or Encode to Base64 with advanced formatting options. Enter our site for an easy-to-use online

Image for post

Now we have the password!

username – r.thompson

password – rY4n5eva

Even though the enumeration with smbclient was not effective in the initial stage and since now we have the username and password lets try login with smbclient.

smbclient -L -U r.thompson

Image for post

We got some disks listed, lets try to access each disk using smbclient

smbclient //”diskname” -U r.thompson

We have an access to “Data” disk here

Image for post

We got some directory listed. Let’s take a stroll through the directories

Image for post

Let’s download using smbget

Image for post

From the meeting_note.html I found some message which can be useful

Image for post

In a directory named Temp, we can see two more directories and in s.smith directory we got a reg file.

Image for post
Image for post

Let’s download this ‘VNC Intsall.reg’ to the local machine (It was already downloaded, but for my ease of use I downloaded it again)

get “VNC Install.reg”

Image for post

Virtual Network Computing (VNC) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer.

I got this on my local machine and I tried to read it using nano and I got a set of mixed characters. I tried again with cat and I got an interesting password

Image for post



We can clone VNC password descriptor form GitHub for cracking this passwordjeroennijhof/vncpwdGitHub is home to over 50 million developers working together to host and review code, manage projects, and build…

I used Metasploit to crack thisfrizb/PasswordDecryptsHandy Stored Password Decryption Techniques VNC uses a hardcoded DES key to store credentials. The same key is used…

Please read the above documentation to see how we are going to decrypt the password

So let’s get Metasploit started and feed the password hash we have

Image for post

From the GitHub documentation, I only just replaced the encrypted part

Rex::Proto::RFB::Cipher.decrypt [“6bcf2a4b6e5aca0f”].pack(‘H*’), fixedkey

The decrypted password is “sT333ve2″

Now we have

username: s.smith

password: sT333ve2

We can try to login using Evil-winrmHackplayers/evil-winrmThe ultimate WinRM shell for hacking/pentesting This shell is the ultimate WinRM shell for hacking/pentesting. WinRM…

Image for post

We got the user flag!!

Now we have to find a way to get the root

logging in using smbclient with same username and password and listed Audit$

smbclient //$ -U s.smith

Image for post

let’s get Audit.db from DB directory

Image for post

We can open Audit.db using SQLite

Image for post

In Ldap table I found this interesting hash for ArkSvc

Image for post

I passed the hash on to google to decode it and I found some compiler had already done some job for me

Image for post

We have a new set of username and password

Username: arksvc

Password: w3lc0meFr31nd

let’s try to access using evil-winrm

evil-winrm -u arksvc -p w3lc0meFr31nd -i

Image for post

Now we have a new shell. But I was confused with next step.

Here I got two users

s.smith and Arksvc, I can’t any difference in

When I went through the files downloaded in the initial period (the one which downloaded using smbget) Isaw a file named ArkAdRecycleBin.log and found this log

Image for post

We can see that ArkSvc has permission to move objects to recycle bin.

We got our clue now, lets try to recover the deleted userIntro to Active Directory Backup & Recovery | AD Recovery | Restore AD AccountWhen I was a little kid, I knew what I wanted to be when I grew up. No, not an astronaut. Definitely not a doctor or a…blog.stealthbits.comActive Directory Deleted Objects | Recover & Restore Deleted AD ObjectEditor’s Note: This is the 2 nd in a series of blogs around Active Directory (AD) backup and recovery using…blog.stealthbits.comActive Directory Recycle Bin | Recover Deleted AD Object | AD Deleted ObjectsEditors note: This is the 3rd in a series of blog around Active Directory (AD) backup and recovery using STEALTHbits…

From the article, I tried the below command

Get-ADObject -filter ‘isDeleted -eq $true’ -includeDeletedObjects -Properties *

and I got TempAdmin’s password

Image for post

Form the mail we leaked before, it was clear that TempAdmin password and the current admin password is same

Image for post

Let’s decode the password

Image for post

Now lets try to be an administrator by

evil-winrm -u administrator -p baCT3r1aN00dles -i


Image for post

We got the root

Just let me know if you have any doubts

If you found this write-up useful, you can respect me on HTB

Image for post

You can connect me on

LinkedIn: Derick N

Twitter: Derick N