4 min read
May 30, 2020

HackTheBox Writeup: Resolute

HackTheBox Writeup: Resolute

Resolute was a medium rated Windows machine in which LDAP was queried for a list of users and an initial account password. This password was sprayed across the found usernames for a shell. Enumerating the system yielded a password for another user who was a member of the DnsAdmins group. These privileges were combined with a DLL injection attack to gain a system shell. All in all, a fun box. Let's get started.

Enumeration

nmap:

This is a pretty typical port list for a domain controller. I checked SMB first but couldn't list any shares so it was time to check LDAP. A piece of key information from this is that the domain is listed as 'megabank.local'. Let's see if we can get a list of users first:

With some bash-fu, I cleaned this up and saved the sAMAccountName fields to 'users.txt'. Next, I dumped everything LDAP would give me into a file 'ldap.txt':

Initial Foothold

This was a ton of info to sift through in the LDAP dump but eventually I found a password in the description field for Marlo Novak:

Does this happen in real life? Yes it does - some admins incorrectly assume that only someone with administrative privileges can read the 'description' field. Anyway, this password didn't work for Marko so I used CrackMapExec to try the password on my list of users:

The nmap scan showed that port 5985 is open. It's the default port for WinRM so I gave that a shot and got a shell:

User flag:

User Pivot

I enumerated the system for quite a while and turned up nothing before remembering that PowerShell needs a flag to view hidden files (on Linux, I do ls -al reflexively without thinking about it). I found an interesting folder 'PSTranscripts' in the root of the drive:

Inside it we find a text file:

In the text file we find creds for Ryan:

I try those creds and they work, giving us a new WinRM shell as Ryan:

Privilege Escalation

On Ryan's desktop there's an interesting note:

I think it's basically to clean up after HTB players who don't clean up after themselves and to avoid spoiling the machine when multiple people are hacking at it - nothing helpful with privilege escalation. Anyway, with Windows machines when I pivot to another user, one of the things I always check is group membership:

The DnsAdmins group caught my eye. A bit of googling around and I found this article which detailed how to escalate to SYSTEM from DnsAdmins.  Basically you create a malicious DLL, run dnscmd to load said DLL, then restart the DNS service.

The DLL

My first thought was to use msfvenom to create a DLL but I ran into allllll kinds of headaches with Windows Defender detecting and killing my attempts. After quite some time, I eventually found this script which uses C for the reverse shell. It required some tweaking as it downloads nc.exe from github.com by default. I edited it to download it from me instead:

I ran the script to generate the DLL with a nc.exe reverse shell payload:

Injecting the DLL

I hosted the DLL in a Samba share and ran dnscmd to inject the DLL:

Restarting the DNS service = pwned

First I started a Python simple HTTP server to host nc.exe for Resolute to download from. The final step was to restart the DNS service:

I saw nc.exe being downloaded from my HTTP server and with a netcat listener, I caught a shell as SYSTEM:

The root flag: