@05t3
Created June 22, 2024 17:05
A simple Python script to decrypt the password in HackTheBox's Cascade machine.

This script decrypts the passwords stored in the LDAP table of an SQLite database. The passwords are encrypted with AES in CBC mode, and the script is tailored to the predefined encryption key and IV (initialization vector) taken from the provided C# encryption logic.

Install the cryptography library using pip:

pip install cryptography

Before running the script, ensure that the SQLite database file is correctly referenced in the script. Modify the database connection string if needed:

conn = sqlite3.connect('/path/to/your/database.db')

Run:

➜  Cascade python3 decrypt.py
ID: 1, User: ArkSvc, Domain: cascade.local
Decrypted Password: XXXXXXXXXXXXX

import sqlite3
from base64 import b64decode

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def decrypt_string(encrypted, key):
    """Base64-decode `encrypted` and decrypt it with AES-CBC using the fixed IV."""
    backend = default_backend()
    iv = b'1tdyjCbY1Ix49842'
    cipher = Cipher(algorithms.AES(key.encode()), modes.CBC(iv), backend=backend)
    decryptor = cipher.decryptor()
    decrypted = decryptor.update(b64decode(encrypted)) + decryptor.finalize()
    # Strip trailing NUL bytes. This assumes zero padding; PKCS7 (the .NET
    # default) would need padding.PKCS7(128).unpadder() from cryptography instead.
    unpadded = decrypted.rstrip(b"\x00")
    return unpadded.decode('utf-8')


def main():
    conn = sqlite3.connect('/path/to/Audit.db')
    cursor = conn.cursor()
    # Each row holds one account and its base64-encoded encrypted password.
    cursor.execute("SELECT id, uname, domain, pwd FROM LDAP")
    rows = cursor.fetchall()
    for row in rows:
        row_id, uname, domain, encrypted_pwd = row
        print(f"ID: {row_id}, User: {uname}, Domain: {domain}")
        try:
            decrypted_pwd = decrypt_string(encrypted_pwd, "c4scadek3y654321")
            print("Decrypted Password:", decrypted_pwd)
        except Exception as e:
            print("Error decrypting password:", e)
    cursor.close()
    conn.close()


if __name__ == "__main__":
    main()
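
The script above works because every row is protected by one fixed key and one fixed IV. The following is an added example, not part of the original gist or of the application it targets, that puts that weak pattern beside an AES-GCM alternative with a fresh nonce per record; `DEMO_KEY`, `STATIC_IV`, the sample password and all function names are constructed for illustration.

```python
import os
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed demo values; not the key or IV from the script above.
DEMO_KEY = b"0123456789abcdef"
STATIC_IV = b"fedcba9876543210"


def encrypt_static_iv(plaintext: bytes) -> bytes:
    """Weak pattern: AES-CBC with one key and one IV shared by every record."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(DEMO_KEY), modes.CBC(STATIC_IV)).encryptor()
    return enc.update(padded) + enc.finalize()


def encrypt_gcm(plaintext: bytes, key: bytes, record_id: bytes) -> bytes:
    """Hardened pattern: AES-GCM, fresh 96-bit nonce, record id bound as AAD."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, record_id)


def decrypt_gcm(blob: bytes, key: bytes, record_id: bytes) -> bytes:
    """Raises InvalidTag if the blob was altered or moved to another record."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], record_id)


def shared_prefix_blocks(a: bytes, b: bytes) -> int:
    """Count the leading 16-byte ciphertext blocks two records have in common."""
    n = 0
    while a[16 * n:16 * n + 16] and a[16 * n:16 * n + 16] == b[16 * n:16 * n + 16]:
        n += 1
    return n


if __name__ == "__main__":
    pw = b"Winter2024!"  # constructed sample password
    print("static IV, equal ciphertexts:", encrypt_static_iv(pw) == encrypt_static_iv(pw))
    key = AESGCM.generate_key(bit_length=128)
    g1, g2 = encrypt_gcm(pw, key, b"1"), encrypt_gcm(pw, key, b"2")
    print("GCM, equal ciphertexts:", g1 == g2)
    print("GCM round trip:", decrypt_gcm(g1, key, b"1") == pw)
```

A per-record nonce removes the ciphertext equality leak, but the key still has to live outside the application binary (for example in an OS-protected store or a secrets manager), otherwise it can be recovered and used exactly as the script above does.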