Create Resolute.md

2024-11-24 21:03:07 +00:00 · 2021-12-23 20:21:10 +05:00 · 2021-12-23 20:21:10 +05:00 · 5c192d6ab6
commit 5c192d6ab6
parent 9438e20551
1 changed files with 105 additions and 0 deletions
--- a/HackTheBox/Resolute.md
+++ b/HackTheBox/Resolute.md
@ -0,0 +1,105 @@
+# HackTheBox - Resolute
+
+## NMAP
+
+```bash
+PORT      STATE SERVICE      VERSION        
+53/tcp    open  domain       Simple DNS Plus
+88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-15 09:37:43Z)                      
+135/tcp   open  msrpc        Microsoft Windows RPC
+139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
+389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
+445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)               
+464/tcp   open  kpasswd5?         
+593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0     
+636/tcp   open  tcpwrapped
+3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
+3269/tcp  open  tcpwrapped
+5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)    
+|_http-server-header: Microsoft-HTTPAPI/2.0
+|_http-title: Not Found                    
+9389/tcp  open  mc-nmf       .NET Message Framing        
+47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-server-header: Microsoft-HTTPAPI/2.0             
+|_http-title: Not Found                      
+49664/tcp open  msrpc        Microsoft Windows RPC
+49665/tcp open  msrpc        Microsoft Windows RPC
+49666/tcp open  msrpc        Microsoft Windows RPC
+49667/tcp open  msrpc        Microsoft Windows RPC
+49671/tcp open  msrpc        Microsoft Windows RPC
+49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
+49677/tcp open  msrpc        Microsoft Windows RPC
+49688/tcp open  msrpc        Microsoft Windows RPC
+49862/tcp open  unknown
+Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+```
+
+From port 88 this tells us that this is an active directory because on this port `kerberos` runs which is responsible for authenticating users so knowing this will help us in our enumeration and what steps we should take
+
+## SMB/LDAP
+
+Since smb is enabled we can try to login as anonymous user if it's disabled
+
+<img src="https://i.imgur.com/lrb6YVR.png"/>
+
+now we can try to enumerate LDAP as from there we can get some information of what are user names , group names and domain name of the machine using either `enum4linux-ng` or `windapsearch`
+
+<img src="https://i.imgur.com/p3pALUm.png"/>
+
+<img src="https://i.imgur.com/Dc0LQVd.png"/>
+
+We have the usernames just need to grep for `username` and then use these names against `kerbrute` to find which are valid domain users and we one of these users have pre-authentication disabled then we can get a user hash which we can crack
+
+<img src="https://i.imgur.com/WdBCxC1.png"/>
+
+We can sort this only to grab username by using `awk`
+
+<img src="https://i.imgur.com/xsniwoV.png"/>
+
+So running kerbrute we found 24 usernames that are valid out of 27
+
+<img src="https://i.imgur.com/63jbK6C.png"/>
+
+If we go back to enum4linux result we see in the description a password for `marko` user
+
+<img src="https://i.imgur.com/qlh0Quy.png"/>
+
+But this password didn't worked for him
+
+<img src="https://i.imgur.com/sXPDe2U.png"/>
+
+So next option is to just perform a passwordspray attack
+
+<img src="https://i.imgur.com/2Pi1mOQ.png"/>
+
+We can list shares on smb
+
+<img src="https://i.imgur.com/YcoAURW.png"/>
+
+The `NETLOGON` share seems to have nothing in it
+
+<img src="https://i.imgur.com/Yba1SaF.png"/>
+
+So I tried to see if I can kerberoast a user which is assoiciated with any SPNs but doesn't seem if there were any accounts like that 
+
+<img src="https://i.imgur.com/PKI7Usa.png"/>
+
+Then I realized that I didn't check `winrm`
+
+<img src="https://i.imgur.com/8NSjD3D.png"/>
+
+And we can actually use it to get a remote session using `evil-winrm`
+
+
+
+
+So to enumrate AD , we have two options either running `sharphound`  powershell script or `python bloodhound injestor`
+
+<img src="https://i.imgur.com/2pvClra.png"/>
+
+## References
+
+```
+melanie:Welcome123!
+```