16. HackTheBox. Level Medium: Resolute walkthrough. Password spraying. From DnsAdmin to SYSTEM

18 December 2024 5 minutes Author: Lady Liberty

HackTheBox is a popular platform for testing cybersecurity skills. This article provides a step-by-step walkthrough of the Resolute machine, which allows you to practice real-world vulnerability exploitation techniques.

Owning Resolute and escalating privileges

The article discusses the process of gathering information about the machine, performing password spraying to gain access to the user account, and escalating privileges from DnsAdmin to SYSTEM by using a malicious DLL.

A VPN is used to connect to the lab. It is recommended to avoid connecting from a work computer or device that stores sensitive data, as the private network may contain experienced cybersecurity professionals.

Recon

This machine has an IP address of 10.10.10.169, which we add to /etc/hosts.

10.10.10.169    resolute.htb

The first step is to scan for open ports. To speed up the process, instead of a lengthy scan of all ports with nmap, masscan is used to get results quickly.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.169  --rate=500

There are many ports open on the host. Now let’s scan them with nmap to filter and select the ones we need.

nmap resolute.htb -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49676,49677,49688,49915

Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.

nmap -A resolute.htb -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49676,49677,49688,49915

The nmap results reveal the domain name megabank.local, which also needs to be added to the /etc/hosts file. The core of Windows reconnaissance is basic domain enumeration (users, groups, shares, policies); from a Linux machine this is usually done with the enum4linux utility.

enum4linux -a megabank.local

Among the information retrieved (domain details, users, groups and the password policy), the comment field of the user account mark contains a password. However, attempts to authenticate with these credentials fail on every service.

USER

Since we already have a known password and a list of domain users, it makes sense to apply one of the Lateral Movement techniques: Password Spraying. The essence of this technique is to try a single known password against every available user account.

The verification is primarily carried out via SMB. For this, you can use the smb_login module in the Metasploit Framework.

We specify the necessary parameters.

And we successfully find a user who matches this password.

To verify credentials, it is convenient to use the smbmap utility. It is passed the user, password, domain, and host parameters to test access.
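From the defender's side, the spray described above leaves a characteristic trace in the domain controller's Security log: one source address producing failed logons (Event ID 4625) against many distinct accounts in a short window, often followed by one successful logon (4624) from the same source once the password matches. The following Python is an added example, not code from the walkthrough or from HackTheBox; the event records, user names and 192.0.2.x addresses are constructed sample data, and the thresholds (five accounts in five minutes) are assumptions to tune for your environment.

```python
"""Detect password-spraying patterns in Windows logon events.

Added detection example (not part of the original walkthrough). It scans
constructed Security-log records and flags a source address whose failed
logons span many distinct accounts inside a short window, which is the
signature a spray leaves when one password is tried across the user list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, target_user, source_ip, status)
# 4625 = failed logon, 4624 = successful logon
# 0xC000006A = wrong password, 0x0 = success
SAMPLE_EVENTS = [
    ("2024-12-18 10:00:01", 4625, "alice", "192.0.2.10", "0xC000006A"),
    ("2024-12-18 10:00:02", 4625, "bob",   "192.0.2.10", "0xC000006A"),
    ("2024-12-18 10:00:02", 4625, "carol", "192.0.2.10", "0xC000006A"),
    ("2024-12-18 10:00:03", 4625, "dave",  "192.0.2.10", "0xC000006A"),
    ("2024-12-18 10:00:03", 4625, "erin",  "192.0.2.10", "0xC000006A"),
    ("2024-12-18 10:00:04", 4625, "frank", "192.0.2.10", "0xC000006A"),
    ("2024-12-18 10:00:05", 4624, "grace", "192.0.2.10", "0x0"),
    # One user mistyping a password twice is not a spray and must not alert.
    ("2024-12-18 10:30:00", 4625, "bob",   "192.0.2.20", "0xC000006A"),
    ("2024-12-18 10:31:00", 4625, "bob",   "192.0.2.20", "0xC000006A"),
]


def parse_ts(value):
    """Parse the timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return one alert per source IP whose failed logons hit at least
    `min_users` distinct accounts within `window`.

    Each alert also records the first successful logon (4624) from that
    source inside the same window, i.e. the account the sprayed password
    matched, which is the credential the responder needs to reset first.
    """
    by_source = defaultdict(list)
    for ts, event_id, user, source, _status in events:
        by_source[source].append((parse_ts(ts), event_id, user))

    alerts = []
    for source, records in by_source.items():
        records.sort(key=lambda r: r[0])
        failures = [r for r in records if r[1] == 4625]
        for i, (start, _, _) in enumerate(failures):
            end = start + window
            users = {u for t, _, u in failures[i:] if t <= end}
            if len(users) >= min_users:
                matched = next(
                    (u for t, e, u in records if e == 4624 and start <= t <= end),
                    None,
                )
                alerts.append({
                    "source": source,
                    "first_seen": start,
                    "distinct_users": len(users),
                    "success_after": matched,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

In production the records would come from the DC's Security log (via Windows Event Forwarding or a SIEM) rather than an inline list; the grouping-by-source logic is the same. Because a spray deliberately stays under the lockout threshold per account, alerting on distinct accounts per source rather than failures per account is what makes it visible.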

Once the credentials are verified, smbmap lists the shares the account can access. Looking back at the list of open ports, the WinRM service is running on port 5985; for convenient interaction with it from Linux, the Evil-WinRM tool is recommended.

USER2

Evil-WinRM works well, but Meterpreter is a more convenient tool. Evil-WinRM allows you to specify a directory with PowerShell or C# files that are automatically loaded into the session when you connect. The next step is therefore to create a PowerShell file containing the Meterpreter payload.

We create a listener to listen for the connection.

Now we connect with Evil-WinRM and specify the directory with the script.

However, after running the payload file, the script executes without errors, but no connection is established.

The script was probably blocked. Since it is written in PowerShell, this is most likely due to AMSI. However, Evil-WinRM has its own built-in utility modules that can help bypass this issue.

As you might guess, the first available module is the one to use. After applying it, rerun the payload file to check the result.

This combination works: a Meterpreter session is established.

While executing scripts for Recon and analyzing the system, an interesting directory is discovered that deserves further investigation.

This directory stores the text file in which a PowerShell session was recorded after the “Start-Transcript” command was run. We look for that file.

We review the contents of the found directory to analyze available files and potentially useful information.

The transcript turns out to be a session of the user Ryan. Reading further, we find a command in which Ryan's password was passed in clear text.
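The transcript finding above is a common mistake rather than a quirk of this box: Start-Transcript records every command line verbatim, so any password typed inline (net use, cmdkey, ConvertTo-SecureString -AsPlainText, and the like) ends up in a plain text file that any reader of the directory can harvest. The following Python is an added example, not part of the walkthrough, for auditing transcript files for such commands and reporting them with the secret masked; the transcript text, user name and the P@ssw0rd-PLACEHOLDER value are constructed sample data.

```python
"""Audit PowerShell transcript files for credentials typed on the command line.

Added example (not from the original walkthrough). The transcript below is
constructed; the password value is an obvious placeholder.
"""
import re

# Constructed sample transcript in the layout Start-Transcript produces.
SAMPLE_TRANSCRIPT = "\n".join([
    "**********************",
    "Windows PowerShell transcript start",
    "Start time: 20241218100000",
    r"Username: EXAMPLE\someuser",
    "**********************",
    r"PS C:\Users\someuser> Get-ChildItem C:\Users",
    r"PS C:\Users\someuser> cmd /c net use X: \\fileserver\backups P@ssw0rd-PLACEHOLDER /user:EXAMPLE\svc_backup",
    r"PS C:\Users\someuser> cmdkey /add:fileserver /user:svc_backup /pass:P@ssw0rd-PLACEHOLDER",
    r'PS C:\Users\someuser> $s = ConvertTo-SecureString "P@ssw0rd-PLACEHOLDER" -AsPlainText -Force',
    r"PS C:\Users\someuser> Get-Date",
])

# Each rule: (name, compiled regex with a named group `secret`, extra condition).
# The extra condition is a function of the whole line, used where the
# command is only dangerous in one of its forms (e.g. -AsPlainText).
QUOTED_OR_TOKEN = r"""(?P<secret>"[^"]*"|'[^']*'|\S+)"""
RULES = [
    ("net use with inline password",
     re.compile(r"\bnet\s+use\s+\S+\s+\\\\\S+\s+(?P<secret>\S+)\s+/user:", re.I),
     lambda line: True),
    ("cmdkey /pass:",
     re.compile(r"/pass:(?P<secret>\S+)", re.I),
     lambda line: True),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?" + QUOTED_OR_TOKEN, re.I),
     lambda line: "-asplaintext" in line.lower()),
    ("-Password argument",
     re.compile(r"-Password\s+" + QUOTED_OR_TOKEN, re.I),
     lambda line: True),
]


def scan_transcript(text):
    """Return a list of (line_number, rule_name, redacted_line) findings.

    Line numbers are 1-based. The secret captured by the rule is replaced
    with *** so the report itself does not spread the credential further.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern, condition in RULES:
            match = pattern.search(line)
            if match and condition(line):
                redacted = line.replace(match.group("secret"), "***")
                findings.append((number, name, redacted))
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for number, name, redacted in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {number}: {name}: {redacted}")
```

Running this over C:\Users\*\Documents\PowerShell_transcript*.txt (or wherever the transcript output directory is configured) on a schedule turns the attacker's trick into a routine audit; the real fix is to stop typing passwords on the command line and to restrict read access to the transcript directory.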

We are trying the credentials for the WinRM service.

And as a result, we log in as Ryan.

ROOT

When checking information about the current user, an interesting detail is revealed: he is a member of the DnsAdmins group, which opens up opportunities for further privilege escalation.

Membership in the DnsAdmins group allows you to elevate privileges to SYSTEM level. This can be accomplished by specifying a DLL to be loaded the next time the service starts. The next step is to create a DLL containing the Meterpreter payload to perform this operation.

Let’s start the listener.

Start an SMB server to host the DLL, specifying the share directory, the share name, and SMB version 2 support.

Using dnscmd, we will specify which DLL to load.

The command succeeds; now the DNS service must be restarted so that the system loads the DLL with the payload.

After the DNS service restarts, an SMB connection is observed, confirming the successful loading of the DLL with the payload.

A Meterpreter session is also opened.

Successfully loading the DLL and restarting the DNS service results in SYSTEM-level privileges, which gives full control over the machine.
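The escalation above relies on the DNS service reading its plugin DLL path from the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, which dnscmd writes on behalf of any DnsAdmins member. That value is normally absent on a domain controller, so any write to it is worth an alert, and a path pointing at a UNC share or outside System32 is worth an immediate response. The following Python is an added detection example, not code from the walkthrough: it classifies constructed Sysmon Event ID 13 (registry value set) records; the event contents and 192.0.2.10 address are sample data, and the severity labels are assumptions.

```python
"""Flag writes to the DNS server's ServerLevelPluginDll registry value.

Added detection example (not from the original walkthrough). The input
records imitate Sysmon Event ID 13 (RegistryEvent, value set) fields and
are constructed sample data.
"""

DNS_PARAMS = r"HKLM\System\CurrentControlSet\Services\DNS\Parameters"
PLUGIN_VALUE = "ServerLevelPluginDll"
SYSTEM32 = r"C:\Windows\System32"

# Constructed Sysmon-13-style records: process that wrote the value, target
# registry path, and the data written.
SAMPLE_SYSMON_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\dns.exe",
     "TargetObject": DNS_PARAMS + "\\" + PLUGIN_VALUE,
     "Details": r"\\192.0.2.10\share\plugin.dll"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": DNS_PARAMS + r"\EnableGlobalQueryBlockList",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\dns.exe",
     "TargetObject": DNS_PARAMS + "\\" + PLUGIN_VALUE,
     "Details": r"C:\Windows\System32\dns\custom.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"C:\Windows\Temp\report.txt", "Details": ""},
]


def classify_plugin_path(path):
    """Classify where a plugin DLL path points.

    "unc"              - a \\server\share path, loaded over the network
    "outside_system32" - a local path the DNS service should not load from
    "system32"         - under C:\Windows\System32 (still review it)
    """
    normalized = path.strip().strip('"')
    if normalized.startswith("\\\\"):
        return "unc"
    if normalized.lower().startswith(SYSTEM32.lower() + "\\"):
        return "system32"
    return "outside_system32"


def detect_dns_plugin_writes(events):
    """Return one alert per registry-value-set event that touches
    ServerLevelPluginDll. Severity is an assumed mapping: anything loaded
    from a UNC path or outside System32 is critical, the rest high."""
    alerts = []
    for event in events:
        if event.get("EventID") != 13:
            continue
        target = event.get("TargetObject", "")
        if not target.lower().endswith("\\" + PLUGIN_VALUE.lower()):
            continue
        kind = classify_plugin_path(event.get("Details", ""))
        severity = "high" if kind == "system32" else "critical"
        alerts.append({
            "severity": severity,
            "path_kind": kind,
            "dll": event.get("Details", ""),
            "writer": event.get("Image", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_plugin_writes(SAMPLE_SYSMON_EVENTS):
        print(alert)
```

Pairing this with an alert on unexpected DNS service restarts on domain controllers covers both halves of the technique, and the preventive control is simply keeping DnsAdmins membership as small as the Domain Admins group.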

Conclusion

This article looked at how to compromise the Resolute machine on HackTheBox using a range of techniques. We performed port scans, gathered domain and user information, used Password Spraying to gain access, connected via WinRM, and bypassed AMSI to launch Meterpreter. Finally, using the privileges of the DnsAdmins group, a malicious DLL was loaded into the DNS service to escalate privileges to SYSTEM level, which completes the compromise of the machine.