We’re continuing from Part 1 of this machine, where we carried out a lot of enumeration and decoding to gain shell access as the user s.smith and recovered the user flag. In this second part of the article, we will finish this machine by escalating our privileges to root and grabbing the root flag.

The walkthrough

  1. Working from the previously recovered creds for user s.smith, we went back to SMB enumeration. A share named “Audit” was also present, which was not accessible to user r.thompson. Let’s check whether s.smith can get into that share.
  2. And it can! We can get into the Audit share. Its contents are shown below.
  3. Let’s start enumerating these. From the DB folder, we got an Audit.DB file whose contents are shown below. The contents are encrypted, so we need to decrypt them. Let’s check whether we can find the key in the other recovered artifacts.
  4. Looking into the CascCrypto.exe and CascAudit.dll files, we can see some other interesting artifacts as well.
    • We found the DecryptString function shown below, which accepts a key as a parameter but has the IV hard-coded in it.
    • Looking into the other .exe, which calls the function in the above DLL, we can see the key value passed in cleartext in the call to DecryptString.
  5. Armed with all the artifacts (the encrypted text, the IV and the encryption key), we can use an online utility to decrypt the password, as shown below.
  6. Using the recovered password with the user arksvc, we can try to enumerate further from that account.
  7. Looking into the user’s groups, it is a member of the “AD Recycle Group,” which also came up in the last post. We saw from the log file that some objects had been deleted, and from the meeting notes that the TempAdmin creds were also deleted. So we connect the dots and try to recover the deleted artifacts using that group’s access.
  8. Following this article, I queried with limited properties. We can see that TempAdmin is there.
  9. Widening the search to include all properties, we can also see the legacy password for the TempAdmin user.
  10. We base64-decode it, as shown below.
  11. Since the meeting notes mentioned that the TempAdmin password is the same as the Admin password, we use it to log in as that account.
  12. As shown below, the login was successful and we can now grab the root flag.
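One way to turn steps 8 to 10 into a repeatable check, as an added example that is not from the original post: the script below uses the RSAT ActiveDirectory module (assumed to be installed, with an account permitted to read deleted objects) to pull deleted user objects with all properties, then flags any string attribute whose value decodes from base64 to printable text, so a defender can find a leftover legacy password attribute before anyone else does. The list of skipped attributes and the decoding heuristic are my own assumptions, not something from the machine.

```powershell
# Added example (not from the original post): audit AD Recycle Bin objects for
# attributes that still carry base64-encoded text, such as a legacy password
# field left on a deleted account. Assumes the RSAT ActiveDirectory module and
# an account that may read deleted objects.
Import-Module ActiveDirectory

# Attributes every deleted object carries; not interesting for this check.
$ignore = @('distinguishedName','objectGUID','objectSid','nTSecurityDescriptor',
            'objectClass','objectCategory','lastKnownParent','msDS-LastKnownRDN')

function Test-Base64Text {
    param([string]$Value)
    # Accept only well-formed base64 that decodes to printable ASCII; short
    # names can still slip through, so treat hits as leads, not proof.
    if ($Value -notmatch '^[A-Za-z0-9+/]+={0,2}$' -or ($Value.Length % 4) -ne 0) { return $null }
    try {
        $text = [System.Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($Value))
    } catch { return $null }
    if ($text -match '^[\x20-\x7E]+$') { return $text } else { return $null }
}

# Pull deleted user objects with all properties, the same widening as step 9.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects -Properties *

foreach ($obj in $deleted) {
    foreach ($prop in $obj.PropertyNames) {
        if ($ignore -contains $prop) { continue }
        $val = $obj.$prop
        if ($val -isnot [string]) { continue }   # skip multi-valued and binary attributes
        $decoded = Test-Base64Text $val
        if ($decoded) {
            [pscustomobject]@{
                Object    = $obj.Name
                Attribute = $prop
                Decoded   = $decoded
            }
        }
    }
}
```

Any hit is an attribute that should be cleared before the object is purged from the Recycle Bin, and a reason to review who holds the right to read deleted objects.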

This was a wonderful machine with lots of learning. Enumeration, decoding, decompiling binaries, AD group enumeration and more — this machine had it all!

We will continue this series with more examples of interesting HTB machines.