Hello everyone , in this post I will be sharing my walkthrough for HTB-Resolute machine which is a medium level AD machine , starting off with smb and ldap we can find usernames and in one the user’s descrption was a password which we performed a password spray attack to get a valid login for user melanie , using bloodhound , it enumerated the AD and showed that the user ryan was in Contractors group and that group was a member of DNSAdmins group so finding ryan’s password we can escalate as being in DNSAdmins group we had control over the dns service which runs as SYSTEM so loading a malicious dll gave us a reverse shell as SYSTEM
NMAP
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-15 09:37:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49862/tcp open unknown
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windowsFrom port 88 this tells us that this is an active directory because on this port kerberos runs which is responsible for authenticating users so knowing this will help us in our enumeration and what steps we should take
SMB/LDAP
Since smb is enabled we can try to login as anonymous user if it’s disabled
now we can try to enumerate LDAP as from there we can get some information of what are user names , group names and domain name of the machine using either enum4linux-ng or windapsearch
We have the usernames just need to grep for username and then use these names against kerbrute to find which are valid domain users and we one of these users have pre-authentication disabled then we can get a user hash which we can crack
We can sort this only to grab username by using awk
So running kerbrute we found 24 usernames that are valid out of 27
Foothold
If we go back to enum4linux result we see in the description a password for marko user
But this password didn’t worked for him
So next option is to just perform a password spray attack
We can list shares on smb
The NETLOGON share seems to have nothing in it
So I tried to see if I can kerberoast a user which is associated with any SPNs but doesn’t seem if there were any accounts like that
Then I realized that I didn’t check winrm
And we can actually use it to get a remote session using evil-winrm
So to enumerate AD , we have two options either running sharphound powershell script or python bloodhound injestor
Import the json files that this script generates and after that search the username so that we can mark it as pwned and see if we can find a path to higher targets by running the pre-built query
Running the query we don’t see anything interesting that we can do with this user
But if we look at ryan user , he's in the group Contractors
And if we further explore this group , that is a member of DNSAdminsGroup
Privilege Escalation (ryan)
Getting on the machine through evil-winrm we can see a hidden directory called PSTranscripts through dir -Force
We can find a text file by going into this directory
Reading this file we will be able to get the password for ryan
Privilege Escalation (Administrator)
We know that ryan is a member of contractors group and that group is a member of DNSAdmins group so that makes ryan a member of that group
This can lead to privilege escalation to SYSTEM user as having the permission to control dns service we can load a malicious dll file by generating it through msfvenom and hosting it through smb share and then loading it with dnscmd then stopping the dns service with sc.exe stop dns and restarting it with sc.exe start dns to start dnsservice with our malicious dll file
Generating the dll file
Using impacket’s smbserver to start smbserver
Now there was an issue with this box , don’t know if it’s the same with other users, when I was following this article for abusing DNSAdmins group it wouldn’t give me the reverse shell neither it would execute commands from the payload msfvenom -p windows/x64/exec cmd='net group "Administrator" melanie /add' -f dll > dns.dll
Also when we download the dll on the machine it would be removed under a minute so we needed to be quick , so the way I got SYSTEM was , I stopped the dns service first then loaded the dll then started the dns service and saw the response on smb server and got a shell on netcat
To get a proper shell we can now just add ryan to Domain Admins group or local group Administrators
We can verify it with net user ryan
Again , we need to be quick to dump hashes and perform pass the hash attack because it will revert back the changes
