HackTheBox Writeup — Resolute
In this article, we will discuss a proposed solution to pwn the Resolute machine from HackTheBox.
I started normally with a port scan, and it returned a bunch of open ports.
The open ports suggest that this is an Active Directory server.
I started gathering more information with a tool called ‘enum4linux’, which ships with Kali Linux and is also on GitHub (https://github.com/portcullislabs/enum4linux).
From its output I obtained a list of the users on the system.
The tool also dumps each user's description field, and one of them contained a password: Welcome123!
So we got some credentials, let’s see where we can use them.
Port 5985 is open on the machine; that is WinRM (essentially remote PowerShell).
I tried to log in with these credentials using a tool called evil-winrm, which can be found on GitHub (https://github.com/Hackplayers/evil-winrm).
After thinking a little, I concluded that I should try the password against every user in the list, expecting at least one to succeed.
After many failed logins, I finally got in with the following credentials:
Getting Second User
While enumerating the system, I found the home directory of another user named Ryan.
I searched for files containing the string “ryan” and found that user's actual password: Serv3r4Admin4cc123!
I successfully logged in through WinRM with the following set of credentials:
Now we must find a way to escalate our privileges in order to gain access to the Administrator account.
While checking groups and privileges I came across something unusual: the user Ryan was a member of the DNSAdmins group.
This group lets its members manage the DNS Server service on the machine.
I listed the running processes to make sure that the service we can control (the DNS service) was active, and it was.
After a quick search on Google I found this article very useful:
So, in order to elevate our privileges we have to inject a malicious DLL into the DNS process; the code inside the DLL is executed when the process starts.
Because we are a member of the DNSAdmins group, we can restart the service so that it loads our DLL payload.
First, I verified the machine's architecture: it is 64-bit, so we generate a 64-bit DLL to match, using msfvenom on Kali Linux.
After that we use dnscmd on the remote machine (10.10.10.169) to register our DLL, with the following syntax:
dnscmd [IP address] /config /serverlevelplugindll [path for DLL]
I will host my DLL locally on an SMB share using smbserver.py from impacket (for more details, see https://blog.ropnop.com/transferring-files-from-kali-to-windows/#smb).
After the DLL is successfully registered we have to restart the service using sc.exe.
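From the defender's side, the dnscmd step above leaves a clear trace: it writes the DNS service's ServerLevelPluginDll registry value, which Sysmon Event ID 13 (registry value set) records. The following detector is an added example, not part of the original writeup; the event lines are constructed samples in a simplified "key: value | key: value" shape, and the EXAMPLE domain, ATTACKER_HOST and the expected plugin directory are assumptions.

```python
# Added example (not from the original writeup): flag registry writes to the DNS
# service's ServerLevelPluginDll value, the setting "dnscmd /config
# /serverlevelplugindll" changes. Sample lines are constructed, modelled loosely
# on Sysmon Event ID 13; EXAMPLE\ and ATTACKER_HOST are placeholders.
from dataclasses import dataclass
from typing import Optional

PLUGIN_VALUE = r"\services\dns\parameters\serverlevelplugindll"  # compared lowercase
EXPECTED_DIR = "c:\\windows\\system32\\dns\\"  # assumed home of a sanctioned plugin DLL

SAMPLE_EVENTS = [  # constructed sample events
    r"EventID: 13 | User: EXAMPLE\ryan | Image: C:\Windows\System32\dnscmd.exe"
    r" | TargetObject: HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll"
    r" | Details: \\ATTACKER_HOST\share\payload.dll",
    r"EventID: 13 | User: NT AUTHORITY\SYSTEM | Image: C:\Windows\System32\svchost.exe"
    r" | TargetObject: HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheTtl"
    r" | Details: 86400",
    r"EventID: 13 | User: EXAMPLE\dnsadmin | Image: C:\Windows\System32\dnscmd.exe"
    r" | TargetObject: HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll"
    r" | Details: C:\Windows\System32\dns\audit_plugin.dll",
]

@dataclass
class Finding:
    severity: str
    user: str
    dll_path: str
    reason: str

def parse_event(line: str) -> dict:
    """Split one constructed 'key: value | key: value' line into a dict."""
    return {k.strip(): v.strip() for k, _, v in (p.partition(": ") for p in line.split(" | "))}

def check_event(line: str) -> Optional[Finding]:
    """Return a Finding when the event sets the DNS ServerLevelPluginDll value."""
    ev = parse_event(line)
    if ev.get("EventID") != "13" or not ev.get("TargetObject", "").lower().endswith(PLUGIN_VALUE):
        return None
    path, user = ev.get("Details", ""), ev.get("User", "?")
    if path.startswith("\\\\"):  # UNC path: the DNS service would load code off the network
        return Finding("critical", user, path, "plugin DLL points at a network share")
    if not path.lower().startswith(EXPECTED_DIR):
        return Finding("high", user, path, "plugin DLL outside the expected DNS directory")
    return Finding("medium", user, path, "plugin DLL changed; confirm it was an approved change")

def scan(lines) -> list:
    """Run check_event over a batch of lines and keep only the hits."""
    return [f for f in map(check_event, lines) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user} set {f.dll_path}: {f.reason}")
```

A DNS service restart by a non-administrative account shortly after such an event is the second half of the pattern worth alerting on.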
And here we are!
As a final note, the part with the users is a bit CTF-style, but the root part teaches you how to exploit an interesting attack vector.