Cascade - Hack The Box
Cascade is a medium-difficulty Windows machine that resembles a real-life Active Directory attack scenario. The initial foothold involves getting the base64-encoded password of the r.thompson user through LDAP enumeration. With those credentials we get the VNC_Install.reg registry file from the Datas.smith share on the box. It contains a hex-encoded encrypted string, which we crack to get s.smith's credentials and log in as s.smith. Next, we get the ArkSvc user's encrypted password from Audit.db on the Audit$ share, and we also grab all the exe and dll files from that share, which help us crack the encrypted string. Once we have the ArkSvc user, we log in to the machine and see that he is a member of the AD Recycle Bin group, so we can retrieve deleted AD objects and their properties. We manage to retrieve TempAdmin's base64-encoded password, decode it, and use the same password to log in as Administrator.