Hack the Box (HTB) machines walkthrough series — Cascade (part 2)

We’re continuing from Part 1 of this machine, where we carried out a lot of enumeration and decoding to gain shell access as the user s.smith while also recovering the user flag. In this second part of the article, we will finish with this machine by escalating our privileges to root and grabbing the root flag.

The walkthrough

1. Working from previous recovered creds for user s.smith, we have gone back to SMB enumeration. A share named “Audit” was also present, which was not accessible for user r.thompson. Let’s check if s.smith can get into that share.
   
2. And it can! We can get into Audit share. Below are the contents of it.
   
3. Let’s start enumerating these. From the DB folder, we got an Audit.DB file whose contents are shown below. This is encrypted; thus, we need to decrypt it. Let’s check whether we can find the key from other recovered artifacts.
   
4. Looking into the CascCrypto.exe and CascAudit.dll files, we can see some other interesting artifacts as well.
   • We got the below DecryptString, which accepts a key but has the IV key mentioned in it.
     
   • Looking into the other .exe, which is calling the function in the above DLL, we can see that the key value passed in cleartext in the call to the function DecryptString.
     
5. Armed with all the artifacts (an encrypted text, a IV key/factor and encryption key), we can use the online utility to decode the password as shown below.
   
6. Using the recovered password, we can use it with user arksvc and try to enumerate from it.
   
7. Looking into the user groups, it has access to “AD Recycle Group,” which is also from the last post. We have seen from the log file that some artifacts have been deleted. From meeting (Read more...)