SBN

Hack the Box (HTB) machines walkthrough series — Cascade (Part 1)

Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is the first half of an HTB machine named Cascade.

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

The walkthrough

Note: Only writeups of retired HTB machines are allowed. The machine in this article, named Cascade, is retired.

Let’s start with this machine.

  1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
  2. The Cascade machine IP is 10.10.10.182.
  3. We will adopt our usual methodology of performing penetration testing. Let’s start with enumeration in order to gain as much information about the machine as possible.
  4. As usual, let’s start with the Nmap scan to gather more information around the services running on this machine. [CLICK IMAGES TO ENLARGE]
    Command used: nmap -sC -sV -oA Cascade 10.10.10.182
  5. Since so many ports are available and looking at them from a usage perspective, this seems to be a domain controller.
  6. We’ll run enum4linux on the machine to enumerate more information about it. It reveals following usernames and groups.
  7. Running ldapsearch on the domain as well to gather more details.
  8. ldapsearch output reveals a password (cascadeLegacyPwd).
  9. Base64-decoding it reveals the password.
  10. Because we have seen SMB ports as well in the nmap section, let’s try to list shares using the password decoded above.
  11. After multiple tries with the recovered username, the decoded password worked for r.thompson. We can now log in via the decoded (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Security Ninja. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/WrQ74GDYqVg/