Hack the Box (HTB) machines walkthrough series — Cascade (Part 1)

October 5, 2020 by

Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is the first half of an HTB machine named Cascade.

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

The walkthrough

Note: Only writeups of retired HTB machines are allowed. The machine in this article, named Cascade, is retired.

Let’s start with this machine.

1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
2. The Cascade machine IP is 10.10.10.182.
3. We will adopt our usual methodology of performing penetration testing. Let’s start with enumeration in order to gain as much information about the machine as possible.
4. As usual, let’s start with the Nmap scan to gather more information around the services running on this machine. [CLICK IMAGES TO ENLARGE]
   

   

   
   Command used: nmap -sC -sV -oA Cascade 10.10.10.182
5. Since so many ports are available and looking at them from a usage perspective, this seems to be a domain controller.
6. We’ll run enum4linux on the machine to enumerate more information about it. It reveals following usernames and groups.
   
7. Running ldapsearch on the domain as well to gather more details.
   
8. ldapsearch output reveals a password (cascadeLegacyPwd).
   
9. Base64-decoding it reveals the password.
   
10. Because we have seen SMB ports as well in the nmap section, let’s try to list shares using the password decoded above.
    
11. After multiple tries with the recovered username, the decoded password worked for r.thompson. We can now log in via the decoded password and see the shares from the machine. Out of the default ones, data share stands out.
12. Let’s get into the data share as well, as shown below. We have some directories under data share. Let’s start enumerating them also.
    
13. Below are some of the artifacts collected from the subdirectories in data share.
    • Meeting Notes 2018.yaml: A meeting notes file was recovered, which mentioned a username (TempAdmin) and hints that the password for this account is same as that of Admin.
      
    • VNS Install reg: Below, “VNS Install reg” is also recovered. Looking into its contents, there was a password in the VNC form in it. I used a utility to decode the VNS password at https://github.com/trinitronx/vncpasswd.py, where we can also see the decoded password.
      

      
      

      
      

      
    • Ark AD Recycle Bin: Continuing enumeration, we also find the ArkAdRecycleBin.log file, which has shown some username such as ArkSvc and some group information.
      

      
      

      
14. With all of the information recovered above, we can try to use the decoded VNC password with s.smith, since the file was recovered under that user folder. If this will not work, we also have multiple usernames recovered from initial enumeration. But the s.smith username worked, and we can now grab the user.txt as shown below.
    

So this is it for this part of this machine. It involved a lot of enumeration and decoding, and finally, we have recovered the user.txt flag.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

In the next part of this article, we will see how we escalated privileges even further to grab the root.txt flag.