Resolute
https://www.hackthebox.eu/home/machines/profile/220
Nmap
We have Kerberos, DNS and LDAP running on the server, and the nmap smb-os-discovery script has detected the OS as Windows Server 2016. We are likely dealing with a domain controller.
We also get the domain name megabank.local from smb-os-discovery, which will be useful when we need to enumerate Kerberos.
SMB
I started off testing null authentication with smbclient and smbmap. Unfortunately I pulled no results from this.
MSRPC
I was able to connect with rpcclient without any valid credentials.
From here we can grab user and group information. The user information is exceptionally helpful when it comes to enumerating Kerberos.
Store the users in a text file and we can then try Kerberoasting these users.
Kerberos
Now that we have a list of usernames and the domain name we have enough information to attempt a Kerberoast. We will use Impacket's GetNPUsers.py script.
We get no hashes from this. No point in attempting to brute force this many usernames as this will be too slow. We can go back to rpcclient and enumerate further.
Going back through the users, I started querying them individually to look for more information and came across an account description for the user 'marko' that hints at a password.
I tried these credentials against SMB and Evil-WinRM and did not receive any valid results.
Hydra
There is a possibility that the administrator made a mistake and entered the description mentioning the password on the wrong Active Directory account.
As we already have a list of users, we can run them through Hydra with the password 'Welcome123!'.
At this point I enumerated all readable shares recursively with smbmap and found no interesting information.
User Shell
We do, however, have WinRM open on port 5985, so we can try logging in with Evil-WinRM.
From here we can grab the user flag.
At this point I ended up looking everywhere for anything to elevate privileges with. Various commands are blocked, making it difficult to extract exact system information in order to review it for possible vulnerabilities.
Eventually, checking the root drive with dir -ah, we see some hidden folders, of which PSTranscripts stands out as being non-default.
Moving into the folder and looking again with dir -ah for hidden files, we see a transcript file.
We can see in the transcript where the user ryan has attempted to map a drive and used his credentials in plaintext.
The credentials we now have are ryan:Serv3r4Admin4cc123!
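PowerShell transcription (the feature behind the PSTranscripts folder) writes every command a user types to a text file, so a password passed inline ends up on disk in clear text. The scanner below is an added example, not code from the original writeup: a defender can run it over collected transcript files to find such lines and report them with the secret masked. The transcript text, its user and its passwords are constructed for the example, and the two patterns it looks for (net use with an inline password, and ConvertTo-SecureString -AsPlainText) are my own choice of what such transcripts commonly contain.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample PowerShell transcript (not the file found on the box).
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
**********************
PS C:\Users\ryan> net use X: \\fileserver\share /user:MEGABANK\ryan Constructed_Pw1!
PS C:\Users\ryan> $sec = ConvertTo-SecureString 'Constructed_Pw2!' -AsPlainText -Force
PS C:\Users\ryan> Get-ChildItem X:\Reports
PS C:\Users\ryan> net use X: /delete
**********************
Windows PowerShell transcript end
**********************
"""

NET_USE_RE = re.compile(r"\bnet\s+use\b(?P<args>.*)", re.IGNORECASE)
SECURESTRING_RE = re.compile(
    r"ConvertTo-SecureString\s+(?:-String\s+)?(?P<q>['\"])(?P<pw>.+?)(?P=q).*-AsPlainText",
    re.IGNORECASE,
)


def mask_secret(secret: str) -> str:
    """Report only the length; the scanner must never copy the secret into its output."""
    return "*" * len(secret)


def net_use_password(args: str) -> Tuple[Optional[str], Optional[str]]:
    r"""Extract (user, password) from `net use` arguments when a password is given inline.

    `net use X: \\server\share /user:DOM\user P@ss` puts the password as a bare
    token right after the UNC path; options start with '/'.
    """
    tokens = args.split()
    user = next((t[len("/user:"):] for t in tokens if t.lower().startswith("/user:")), None)
    non_options = [t for t in tokens if not t.startswith("/")]
    for i, tok in enumerate(non_options):
        if tok.startswith("\\\\") and i + 1 < len(non_options):
            return user, non_options[i + 1]
    return user, None


def scan_transcript(text: str) -> List[Dict[str, object]]:
    """Return one finding per transcript line that embeds a clear-text credential."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = NET_USE_RE.search(line)
        if m:
            user, pw = net_use_password(m.group("args"))
            if pw:
                findings.append({"line": lineno, "kind": "net use",
                                 "user": user, "secret": mask_secret(pw)})
            continue
        m = SECURESTRING_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "ConvertTo-SecureString -AsPlainText",
                             "user": None, "secret": mask_secret(m.group("pw"))})
    return findings


if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {f['line']}: {f['kind']} user={f['user']} password={f['secret']}")
```

Run it against the files under a transcript output directory (the location is set by the "Turn on PowerShell Transcription" policy) and treat every hit as a credential that needs rotating; the masked output is safe to paste into a ticket.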
We can use the credentials again to login with Evil-WinRM:
Viewing the output of whoami /all, we see the user ryan is a member of the 'DnsAdmins' group.
This group can be abused to register a malicious DLL with the DNS service; when the service loads it, the DLL executes in the context of SYSTEM.
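As an added example (not the author's code), here is a defender-side check for the two artefacts of this escalation path: membership of DnsAdmins as reported by whoami /all, and the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, which is the registry value a registered plugin DLL populates. Both inputs are constructed (placeholder SIDs and a documentation-range IP address), and the other operator groups flagged alongside DnsAdmins are my own addition, not something the writeup discusses.

```python
import re
from typing import Dict, List, Optional

# Group names (without domain prefix) whose membership is a privilege-escalation path on
# a domain controller. DnsAdmins is the one that matters on this box; the rest are my
# additions for completeness.
HIGH_RISK_GROUPS: Dict[str, str] = {
    "dnsadmins": "members can point the DNS service at an arbitrary DLL, which loads as SYSTEM",
    "backup operators": "members can read any file on the host regardless of ACLs",
    "server operators": "members can control services and log on to domain controllers",
    "account operators": "members can modify most domain users and groups",
    "administrators": "local administrative rights",
    "domain admins": "full control of the domain",
}

# Registry value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters that the
# DNS service reads for a plugin DLL; a path here is the artefact this technique leaves.
DNS_PLUGIN_VALUE = "ServerLevelPluginDll"


def format_row(name: str, kind: str, sid: str, attrs: str) -> str:
    """Lay a row out the way whoami /all does: fixed-width columns separated by one space."""
    return f"{name:<34} {kind:<16} {sid:<30} {attrs}"


# Constructed excerpt of `whoami /all` (placeholder SIDs, not the box's real ones).
SAMPLE_WHOAMI = "\n".join([
    "USER INFORMATION",
    "----------------",
    "",
    "User Name     SID",
    "============= =========================",
    "megabank\\ryan S-1-5-21-111-222-333-1105",
    "",
    "GROUP INFORMATION",
    "-----------------",
    "",
    format_row("Group Name", "Type", "SID", "Attributes"),
    format_row("=" * 34, "=" * 16, "=" * 30, "=" * 50),
    format_row("Everyone", "Well-known group", "S-1-1-0", "Mandatory group, Enabled by default, Enabled group"),
    format_row("BUILTIN\\Remote Management Users", "Alias", "S-1-5-32-580", "Mandatory group, Enabled by default, Enabled group"),
    format_row("MEGABANK\\DnsAdmins", "Alias", "S-1-5-21-111-222-333-1101", "Mandatory group, Enabled by default, Enabled group"),
    format_row("MEGABANK\\Contractors", "Group", "S-1-5-21-111-222-333-1103", "Mandatory group, Enabled by default, Enabled group"),
    "",
    "PRIVILEGES INFORMATION",
    "----------------------",
])

# Constructed `reg query` output for the DNS parameters key; 192.0.2.10 is a
# documentation address, not a real host.
SAMPLE_REG_QUERY = "\n".join([
    "",
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters",
    "    BootMethod    REG_DWORD    0x3",
    "    ServerLevelPluginDll    REG_SZ    \\\\192.0.2.10\\share\\constructed.dll",
    "",
])


def parse_groups(whoami_output: str) -> List[str]:
    """Return the Group Name column of the GROUP INFORMATION table from `whoami /all`.

    The column boundary is taken from the '=====' ruler, so names containing spaces
    (e.g. 'Remote Management Users') and the single-space column separator both survive.
    """
    lines = whoami_output.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == "GROUP INFORMATION")
    except StopIteration:
        return []
    name_end: Optional[int] = None
    groups: List[str] = []
    for line in lines[start + 1:]:
        if name_end is None:
            if line.startswith("="):
                name_end = re.match(r"=+", line).end()
            continue
        if not line.strip():
            break  # a blank line terminates the table
        groups.append(line[:name_end].strip())
    return groups


def flag_risky_groups(whoami_output: str) -> Dict[str, str]:
    """Map each high-risk group the account belongs to onto the reason it matters."""
    flagged: Dict[str, str] = {}
    for group in parse_groups(whoami_output):
        short = group.split("\\")[-1].lower()
        if short in HIGH_RISK_GROUPS:
            flagged[group] = HIGH_RISK_GROUPS[short]
    return flagged


def dns_plugin_dll(reg_query_output: str) -> Optional[str]:
    """Return the path stored in ServerLevelPluginDll, or None when it is absent or empty."""
    pattern = re.compile(rf"^\s*{DNS_PLUGIN_VALUE}\s+REG_(?:EXPAND_)?SZ\s+(?P<path>\S.*)$", re.IGNORECASE)
    for line in reg_query_output.splitlines():
        m = pattern.match(line)
        if m:
            return m.group("path").strip() or None
    return None


if __name__ == "__main__":
    for group, why in flag_risky_groups(SAMPLE_WHOAMI).items():
        print(f"[!] member of {group}: {why}")
    dll = dns_plugin_dll(SAMPLE_REG_QUERY)
    print(f"[!] {DNS_PLUGIN_VALUE} = {dll}" if dll else f"[ok] {DNS_PLUGIN_VALUE} not set")
```

A non-empty ServerLevelPluginDll, particularly one pointing at a UNC path, together with an unexpected restart of the DNS service is the combination to alert on; the fix is to clear the value and review DnsAdmins membership.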
First generate a reverse shell DLL with msfvenom.
Then set up an SMB share using Impacket on the attacking machine, serving the directory where the msfvenom payload resides.
Then on the target system register the new DNS DLL.
Then set up a netcat listener on the attacking machine:
We can then stop the DNS service, wait about 30 seconds and start it again.
Impacket should receive a connection confirmation on our SMB server.
Then we land a SYSTEM shell on netcat.