HackTheBox Writeup — Resolute

Hello Guys , I am Faisal Husaini. My username on HTB is “kNgF” . Also join me on discord.

The IP of this box is 10.10.10.169

Port Scan

We got alot of Open Ports, running service scan on it

We can see we have much things to enumerate on

Enum4Linux

We can see that user marko’s password is exposed as Welcom123!

We can use these creds for login through multiple methods, one of them being WinRM

From the NMAP scan, we see that Port 5985 is Open, so we can try Evil-WinRM tool to connect

We get authentication error, but from the enum4linux tool, we got many users and now we put those users in a txt file

Here we have list of the users in a txt file named users.txt

Here we use simple bash scripting to bruteforce users and now we wait till we get the correct creds and get logged in automatically

We got connected successfully as user melanie, moving onto getting user flag

Moving further to priv esc

Privilege Escalation

We see a strange folder named PSTranscripts, entering it we dont see anything until looking for hidden files and folders again

We see one more folder in it and looking further into it

We get a txt file related to Powershell or something so we check the contents of it

If we look carefully, we can see that it leaks password for user ryan so we again use Evil-WinRM to connect to that account

We got connected successfully, looking for the group membership of the current user

We can see that the current user is a group member of DnsAdmins which is prone to a getting SYSTEM using DLL injection method

We create a malicious dll using msfvenom for the dll injection

Also we start up a smbserver using Impacket’s smbserver.py

Now we injected the malicious dll and then check the netcat listener

We got shell as SYSTEM and now we get the root flag

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover