Hack the box-Cascade: An Active Directory Penetration Test.

Derick Neriamparambil
6 min readJul 25, 2020

Cascade is a Windows machine that just got retired. This had got an active directory which we will try to penetrate in and get the admin privilege.

Let's begin with the nmap scan

sudo nmap -sS -sV 10.10.10.182

After doing the map enumeration, I decided to try LDAP enumeration using ldapsearch

ldapsearch -x -b “dc=CASCADE, dc=local” -h 10.10.10.182

From this enumeration, I found few usernames and something interesting with r.thompson user

We got a password

Let's try to decode it.

Here I used the online tool to decode it

Base64 Decode and Encode - Online

Decode from Base64 or Encode to Base64 with advanced formatting options. Enter our site for an easy-to-use online tool.

Now we have the password!

username - r.thompson

password - rY4n5eva

Even though the enumeration with smbclient was not effective in the initial stage and since now we have the username and password lets try login with smbclient.

smbclient -L 10.10.10.182 -U r.thompson

We got some disks listed, lets try to access each disk using smbclient

smbclient //10.10.10.182/”diskname” -U r.thompson

We have an access to “Data” disk here

Derick Neriamparambil

Written by Derick Neriamparambil

29 Followers

Cyber Security Professional

More from Derick Neriamparambil

Recommended from Medium

Lists

Staff Picks

Stories to Help You Level-Up at Work

Self-Improvement 101

Productivity 101