CascAudit.exe


┌──(kali㉿kali)-[~/…/labs/cascade/smb/Audit]
└─$ smbget smb://casc-dc1.cascade.local/Audit$ -U 's.smith%sT333ve2' -e -R
Using workgroup WORKGROUP, user s.smith
Encryption required and server doesn't support SMB3 encryption - failing connect
smb://casc-dc1.cascade.local/Audit$/CascAudit.exe                                                                  
smb://casc-dc1.cascade.local/Audit$/CascCrypto.dll                                                                 
smb://casc-dc1.cascade.local/Audit$/DB/Audit.db                                                                    
smb://casc-dc1.cascade.local/Audit$/RunAudit.bat                                                                   
smb://casc-dc1.cascade.local/Audit$/System.Data.SQLite.dll                                                         
smb://casc-dc1.cascade.local/Audit$/System.Data.SQLite.EF6.dll                                                     
smb://casc-dc1.cascade.local/Audit$/x64/SQLite.Interop.dll                                                         
smb://casc-dc1.cascade.local/Audit$/x86/SQLite.Interop.dll                                                         
Downloaded 3.33MB in 12 seconds

Downloading the whole share to Kali

RunAudit.bat


┌──(kali㉿kali)-[~/…/labs/cascade/smb/Audit]
└─$ cat RunAudit.bat         
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"                                                                                                                                                               

The included batch file runs CascAudit.exe against the database stored on the share at DB/Audit.db

Audit.db


┌──(kali㉿kali)-[~/…/labs/cascade/smb/Audit]
└─$ file DB/Audit.db         
db/audit.db: SQLite 3.x database, last written using SQLite version 3027002, file counter 60, database pages 6, 1st free page 6, free pages 1, cookie 0x4b, schema 4, UTF-8, version-valid-for 60

The DB file is a SQLite 3 database

There are 4 tables within the DB file

DeletedUserAudit


The DeletedUserAudit table contains 3 entries, which correspond to the user deletions that came up earlier

Ldap


The Ldap table contains the credential for the ArkSvc user. The password appears to be base64-encoded

┌──(kali㉿kali)-[~/…/labs/cascade/smb/Audit]
└─$ echo 'BQO5l5Kj9MdErXx6Q6AGOw==' | base64 -d
������D�|zC�;                                                                                                                                                               

The decoded bytes are not printable ASCII, so the value is most likely encrypted rather than merely encoded, and the program is probably what does the decryption

Misc


Empty

sqlite_sequence


CascAudit.exe


┌──(kali㉿kali)-[~/…/labs/cascade/smb/Audit]
└─$ file CascAudit.exe 
CascAudit.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

The executable is a 32-bit (x86) .NET assembly

I will port the program out to a Windows environment for further enumeration

dnSpy


The binary is loaded to dnSpy

CascAudit


There’s just the Main() function

This part is responsible for connecting to the SQLite DB. It then:

  • pulls data from the Uname, Domain, and Pwd columns of the Ldap table
  • converts them
  • decrypts the password using the Crypto.DecryptString(encryptedString, "c4scadek3y654321") method
    • "c4scadek3y654321" is the encryption key

The method comes from an external cryptography library, CascCrypto.dll

CascCrypto


The relevant method is this one: DecryptString(string, string)

It uses symmetric AES encryption in CBC mode with "1tdyjCbY1Ix49842" as the IV (initialization vector). I just need to run this.

Building


Creating a console app (.NET)

I’ll name it decryptor. The framework does not matter since it’s just a simple AES decryption

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
 
public class CascCrypto
{
    public static string DecryptString(string encryptedString, string key)
    {
        byte[] encryptedBytes = Convert.FromBase64String(encryptedString);
        using (Aes aes = Aes.Create())
        {
            aes.KeySize = 128;
            aes.BlockSize = 128;
            aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");
            aes.Mode = CipherMode.CBC;
            aes.Key = Encoding.UTF8.GetBytes(key);
 
            using (MemoryStream memoryStream = new MemoryStream(encryptedBytes))
            {
                using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
                {
                    byte[] decryptedBytes = new byte[encryptedBytes.Length];
                    int decryptedByteCount = cryptoStream.Read(decryptedBytes, 0, decryptedBytes.Length);
                    string decryptedString = Encoding.UTF8.GetString(decryptedBytes, 0, decryptedByteCount);
 
                    return decryptedString;
                }
            }
        }
    }
}
 
class Program
{
    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.WriteLine("Usage: program_name <encrypted_string>");
            return;
        }
 
        string encryptedString = args[0];
        string key = "c4scadek3y654321";
 
        string decryptedString = CascCrypto.DecryptString(encryptedString, key);
 
        Console.WriteLine("Decrypted String: " + decryptedString);
    }
}

I then port the decryption method out as shown above and add a Main function to run it
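To make the same decryption routine portable and to show what the DLL's design costs, here is an added Go example (not code from the page, from CascAudit.exe, or from CascCrypto.dll) that reimplements the scheme described above, base64 in, AES-128-CBC with PKCS#7 padding, UTF-8 out, using only Go's standard library. The key and IV it uses are constructed sample values, not the lab's; the lab's key, IV and base64 blob can be passed to DecryptString in their place. It goes one step beyond the page by placing the fixed-IV construction next to a per-message random-IV variant, which is the minimum change an application like this would need so that equal secrets no longer produce equal stored blobs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed sample values for this example (not the lab's key or IV).
// A 16-byte key selects AES-128, the same key size the DLL's caller passes.
const (
	sampleKey = "0123456789abcdef"
	sampleIV  = "fedcba9876543210"
)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// .NET's CryptoStream strips PKCS#7 padding implicitly (the Aes default); Go's cipher package does not.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

func cbcDecrypt(ct, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func cbcEncrypt(pt, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt = pkcs7Pad(pt)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// DecryptString mirrors CascCrypto.DecryptString: base64 ciphertext, AES-CBC under a caller-supplied key and a fixed IV.
func DecryptString(encrypted, key, iv string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encrypted)
	if err != nil {
		return "", err
	}
	pt, err := cbcDecrypt(ct, []byte(key), []byte(iv))
	return string(pt), err
}

// EncryptFixedIV is the matching encryptor. With a constant IV, CBC is deterministic: equal secrets give equal blobs.
func EncryptFixedIV(plain, key, iv string) (string, error) {
	ct, err := cbcEncrypt([]byte(plain), []byte(key), []byte(iv))
	return base64.StdEncoding.EncodeToString(ct), err
}

// EncryptRandomIV is the hardened form: a fresh IV per message, stored in front of the ciphertext.
func EncryptRandomIV(plain, key string) (string, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	ct, err := cbcEncrypt([]byte(plain), []byte(key), iv)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), err
}

// DecryptRandomIV reads the IV back from the first block of the blob.
func DecryptRandomIV(encrypted, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encrypted)
	if err != nil || len(raw) < 2*aes.BlockSize {
		return "", errors.New("blob is too short to hold an IV and one block")
	}
	pt, err := cbcDecrypt(raw[aes.BlockSize:], []byte(key), raw[:aes.BlockSize])
	return string(pt), err
}

func main() {
	ct, _ := EncryptFixedIV("constructed-secret", sampleKey, sampleIV)
	pt, err := DecryptString(ct, sampleKey, sampleIV)
	fmt.Println(ct, "->", pt, err)
}
```

The padding handling is the detail that bites when porting: the C# version never mentions PKCS#7 because Aes defaults to it and CryptoStream removes it on read, while in Go the unpadding has to be written out, and a blob that is not a whole number of blocks must be rejected before CryptBlocks, which otherwise panics.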

Compiling...

The program compiles successfully and is now ready to run the decryption.

mono


┌──(kali㉿kali)-[~/…/htb/labs/cascade/decryptor]
└─$ mcs program.cs 

I can also use Mono's mcs to compile a .NET program directly on Kali

┌──(kali㉿kali)-[~/…/htb/labs/cascade/decryptor]
└─$ ll
total 16K
4.0k -rwxr-xr-x 1 kali kali 4.0k jun 26 12:43 program.exe
4.0k drwxr-xr-x 2 kali kali 4.0k jun 26 12:43 .
4.0k -rw-r--r-- 1 kali kali 1.6k jun 26 12:41 program.cs
4.0k drwxr-xr-x 7 kali kali 4.0k jun 26 12:41 ..

Much easier

Decryption


┌──(kali㉿kali)-[~/…/htb/labs/cascade/decryptor]
└─$ ./program.exe BQO5l5Kj9MdErXx6Q6AGOw==   
Decrypted String: w3lc0meFr31nd

The decrypted password for the arksvc user is w3lc0meFr31nd. The credential still needs to be validated