HackTheBox is a popular platform for testing cybersecurity skills. This article provides a step-by-step walkthrough of the Resolute machine, which allows you to practice real-world vulnerability exploitation techniques.
The article covers gathering information about the machine, password spraying to gain access to a user account, and escalating privileges from the DnsAdmins group to SYSTEM by having the DNS service load a malicious DLL.
A VPN is used to connect to the lab. It is recommended to avoid connecting from a work computer or device that stores sensitive data, as the private network may contain experienced cybersecurity professionals.
This machine has an IP address of 10.10.10.169, which we add to /etc/hosts.
10.10.10.169 resolute.htb
The first step is to scan for open ports. To speed up the process, instead of a lengthy scan of all ports with nmap, masscan is used to get results quickly.
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.169 --rate=500
There are many ports open on the host. Now let’s scan them with nmap to filter and select the ones we need.
nmap resolute.htb -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49676,49677,49688,49915
Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.
nmap -A resolute.htb -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49676,49677,49688,49915
The nmap results reveal the domain name megabank.local, which also needs to be added to the /etc/hosts file. The main reconnaissance stage against a Windows host is basic domain enumeration; from a Linux machine, the enum4linux utility is usually used for this.
enum4linux -a megabank.local
Among the information returned about the domain, its users, groups, and password policy, the user account mark has a comment field that contains a password. However, attempts to authenticate with these credentials against all services fail.
Since a password and a list of users are now known, it makes sense to apply one of the lateral movement techniques: password spraying. The essence of this technique is to try the single known password against every available user account.
The check is most conveniently done over SMB. For this, you can use the smb_login module in the Metasploit Framework.
We specify the necessary parameters.
And we successfully find a user who matches this password.
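From the defender's side, the spray described above leaves a distinctive trace in the domain controller's Security log: one source address producing logon failures (event 4625) against many distinct accounts within seconds, optionally followed by a success (event 4624) from the same source. The following is an added example, not code from the article; it runs over a constructed, simplified log sample (timestamp|event_id|source_ip|account|status) and the window and threshold values are assumptions to tune per environment.

```python
"""Flag password spraying in Windows Security log data (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log records in a reduced "timestamp|event_id|source_ip|account|status" form.
# 4625 = failed logon, 4624 = successful logon; 0xC000006A = wrong password, 0x0 = success.
# 10.10.14.5 sprays one password across six accounts and lands on "erin"; 10.10.14.20 is a user
# mistyping their own password three times and must not be flagged.
SAMPLE_EVENTS = """\
2019-12-09T10:15:01|4625|10.10.14.5|alice|0xC000006A
2019-12-09T10:15:02|4625|10.10.14.5|bob|0xC000006A
2019-12-09T10:15:02|4625|10.10.14.5|carol|0xC000006A
2019-12-09T10:15:03|4625|10.10.14.5|dave|0xC000006A
2019-12-09T10:15:03|4624|10.10.14.5|erin|0x0
2019-12-09T10:15:04|4625|10.10.14.5|frank|0xC000006A
2019-12-09T10:15:04|4625|10.10.14.5|grace|0xC000006A
2019-12-09T10:16:00|4625|10.10.14.20|bob|0xC000006A
2019-12-09T10:16:05|4625|10.10.14.20|bob|0xC000006A
2019-12-09T10:16:12|4625|10.10.14.20|bob|0xC000006A
2019-12-09T10:16:30|4624|10.10.14.20|bob|0x0
"""


def parse_events(text):
    """Parse the reduced log form into dicts with a real datetime so events can be windowed."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, ip, account, status = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "ip": ip, "account": account.lower(), "status": status})
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: {"accounts": failed accounts, "compromised": accounts that then logged on}}.

    A spray shows as one source failing against many *distinct* accounts inside a short window;
    repeated failures against a single account (a forgotten password) stay below the threshold.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event_id"] == 4625]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until failures[start:end+1] spans at most `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            distinct = {e["account"] for e in failures[start:end + 1]}
            if len(distinct) >= min_accounts:
                alert = alerts.setdefault(ip, {"accounts": set(), "compromised": set()})
                alert["accounts"] |= distinct
        if ip in alerts:
            # Any successful logon from a spraying source marks the account the spray found.
            alerts[ip]["compromised"] = {e["account"] for e in evs if e["event_id"] == 4624}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"spray from {ip}: {len(alert['accounts'])} accounts tried, "
              f"successful logon for {sorted(alert['compromised'])}")
```

The threshold on distinct accounts, not on raw failure count, is what separates a spray from an ordinary lockout; in a real deployment the same logic is applied to 4625 events with their IpAddress and TargetUserName fields, or to 4771/4776 on the domain controller for Kerberos and NTLM authentication.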
To verify credentials, it is convenient to use the smbmap utility. It is passed the user, password, domain, and host parameters to test access.
After verifying the credentials, a list of available resources is obtained. If you look at the list of open ports, you can see the WinRM service running on port 5985. For convenient interaction with this service from Linux, it is recommended to use the Evil-WinRM tool.
Evil-WinRM works well, but Meterpreter is more convenient to work in. Evil-WinRM allows you to specify a directory with PowerShell or C# files that are automatically loaded into the session when you connect. The next step is therefore to create a PowerShell file containing the Meterpreter payload.
We create a listener to listen for the connection.
Now we connect with Evil-WinRM and specify the directory with the script.
However, after running the payload file, the script executes without errors, but no connection comes back.
As you might guess, you need to use the first available module. After applying it, rerun the payload file to check the result.
This time the connection comes through.
While running reconnaissance scripts and analyzing the system, an interesting directory is discovered that deserves further investigation.
This directory stores the text file of a recorded PowerShell session, created by the Start-Transcript command. We look for the file.
We review the contents of the found directory to analyze available files and potentially useful information.
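Transcript files like the one found here are a common source of leaked credentials: whatever an administrator typed, passwords included, is written to disk in plain text. The following is an added example, not code from the article, that a defender can run over a transcript directory to find lines where a secret was passed on the command line and report them with the secret redacted. The transcript is constructed (the usernames, share and passwords are made up), and the set of command patterns is an assumption to extend for local tooling.

```python
"""Scan PowerShell transcripts for credentials typed on the command line (added example)."""
import re

# Constructed transcript in the layout Start-Transcript produces; every command and secret is made up.
SAMPLE_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\\svc_admin
**********************
PS>cd C:\\Windows\\Temp
PS>net use X: \\\\fileserver\\backups /user:MEGABANK\\svc_backup Winter2019!
PS>$sec = ConvertTo-SecureString 'Sup3rS3cret' -AsPlainText -Force
PS>cmdkey /add:fileserver /user:MEGABANK\\svc_backup /pass:Winter2019!
PS>Invoke-Command -ComputerName dc01 -Credential (Get-Credential)
**********************
Windows PowerShell transcript end
"""


def _net_use_secret(line):
    """For 'net use' with /user:, the password is the first token that is not a drive, UNC path or switch."""
    m = re.search(r"\bnet\s+use\b(.*)", line, re.I)
    if not m or "/user:" not in m.group(1).lower():
        return None
    for tok in m.group(1).split():
        if tok.startswith(("/", "\\\\")) or tok == "*" or re.fullmatch(r"[A-Za-z]:", tok):
            continue
        return tok
    return None


def _regex_secret(pattern):
    """Build an extractor returning the captured 'q' (quoted) or 'u' (unquoted) secret group."""
    def extract(line):
        m = pattern.search(line)
        if not m:
            return None
        groups = m.groupdict()
        return groups.get("q") or groups.get("u")
    return extract


# Rule name -> function(line) -> secret string or None.
RULES = [
    ("net-use-inline-password", _net_use_secret),
    # -Password/-Pass/-Pwd followed by a literal (not preceded by a word char, so Reset-Password does not match).
    ("powershell-password-argument", _regex_secret(re.compile(
        r"""(?<!\w)-(?:Password|Pass|Pwd)\s+(?:(['"])(?P<q>.+?)\1|(?P<u>\S+))""", re.I))),
    # A quoted literal handed to ConvertTo-SecureString is a plaintext secret in the transcript.
    ("plaintext-securestring", _regex_secret(re.compile(
        r"""ConvertTo-SecureString\s+(?:-String\s+)?(['"])(?P<q>.+?)\1""", re.I))),
    ("cmdkey-stored-credential", _regex_secret(re.compile(r"\bcmdkey\b.*?/pass:(?P<u>\S+)", re.I))),
]


def scan_transcript(text):
    """Return findings as {line, rule, redacted}; the secret itself is never copied into the report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, extract in RULES:
            secret = extract(line)
            if secret:
                findings.append({"line": lineno, "rule": name,
                                 "redacted": line.replace(secret, "<redacted>")})
    return findings


if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {f['line']:>3} [{f['rule']}] {f['redacted']}")
```

Running this over every *.txt under the transcript output directory (and over PowerShell_transcript.* files users leave in their profiles) turns an attacker's credential source into a rotation list; the findings also show which commands need to be retrained toward Get-Credential or a credential vault rather than inline passwords.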
We are trying the credentials for the WinRM service.
And as a result, we log in as Ryan.
Checking information about the current user reveals an interesting detail: he is a member of the DnsAdmins group, which opens the way to further privilege escalation.
Let’s start the listener.
Start an SMB server, specifying the directory to share, the share name, and SMB version 2 support.
Using dnscmd, we specify which DLL the DNS service should load.
After the DNS service restarts, an SMB connection is observed, confirming the successful loading of the DLL with the payload.
A new Meterpreter session is also opened, this time as SYSTEM.
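The escalation works because dnscmd's plugin-DLL setting is stored as the ServerLevelPluginDll value under the DNS service's Parameters registry key, and the DNS service loads whatever DLL that value names, as SYSTEM, on its next restart. Two things are therefore worth auditing on every DNS server: that value, and who sits in DnsAdmins. The following is an added example, not code from the article; it classifies the value (a UNC path, as seen in this walkthrough, is the worst case) and compares DnsAdmins membership with an approved list. The approved list and the inputs in the main block are constructed assumptions, and the registry read only runs on Windows.

```python
"""Audit a Windows DNS server for the DnsAdmins -> SYSTEM plugin-DLL path (added example, not from the article)."""
import sys

# Registry location that dnscmd's plugin-DLL setting writes; the DNS service loads this DLL as SYSTEM on restart.
PLUGIN_DLL_KEY = r"SYSTEM\CurrentControlSet\Services\DNS\Parameters"
PLUGIN_DLL_VALUE = "ServerLevelPluginDll"

# Locations a legitimately installed plugin would normally be loaded from (assumption for this example).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")


def read_plugin_dll_from_registry():
    """Return the configured plugin DLL path, or None when unset or when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, hence the late import
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PLUGIN_DLL_KEY) as key:
            value, _ = winreg.QueryValueEx(key, PLUGIN_DLL_VALUE)
            return value
    except FileNotFoundError:
        return None


def classify_plugin_dll(path):
    """Rate the ServerLevelPluginDll value; because it is loaded as SYSTEM, any non-empty value needs review."""
    if not path or not path.strip():
        return {"severity": "ok", "reason": "no plugin DLL configured"}
    p = path.strip().lower()
    if p.startswith("\\\\"):
        return {"severity": "critical",
                "reason": "plugin DLL is a UNC path; the DNS service would fetch it over SMB from another host"}
    if not p.startswith(TRUSTED_PREFIXES):
        return {"severity": "high", "reason": "plugin DLL lives outside System32"}
    return {"severity": "review", "reason": "plugin DLL under System32; confirm it is a known, signed component"}


def audit_dns_server(plugin_dll, dnsadmins_members, approved_members):
    """Combine the plugin-DLL check with a DnsAdmins membership review (case-insensitive on names)."""
    approved = {a.lower() for a in approved_members}
    unexpected = sorted(m for m in dnsadmins_members if m.lower() not in approved)
    return {"plugin_dll": classify_plugin_dll(plugin_dll), "unexpected_dnsadmins": unexpected}


if __name__ == "__main__":
    # Constructed inputs standing in for the registry read and a Get-ADGroupMember export of DnsAdmins.
    configured = read_plugin_dll_from_registry() or "\\\\UNTRUSTED-HOST\\share\\plugin.dll"
    members = ["MEGABANK\\ryan", "MEGABANK\\dnsops"]
    print(audit_dns_server(configured, members, approved_members={"MEGABANK\\dnsops"}))
```

Beyond the point-in-time check, the value should be alerted on when it changes (a Sysmon registry event on that key, or an Object Access audit on it), and DnsAdmins should be treated as a tier-0 group: a member can make the domain controller's DNS service run arbitrary code as SYSTEM, so membership belongs in the same review cadence as Domain Admins.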