HackTheBox Writeup — Resolute
Hello Guys , I am Faisal Husaini. My username on HTB is “kNgF” . Also join me on discord.
The IP of this box is 10.10.10.169
Port Scan
Running nmap full port scan on it , we get
We got alot of Open Ports, running service scan on it
We can see we have much things to enumerate on
Enum4Linux
Using the Enum4Linux tool
We can see that user marko’s password is exposed as Welcom123!
We can use these creds for login through multiple methods, one of them being WinRM
From the NMAP scan, we see that Port 5985 is Open, so we can try Evil-WinRM tool to connect
We get authentication error, but from the enum4linux tool, we got many users and now we put those users in a txt file
Here we have list of the users in a txt file named users.txt
Here we use simple bash scripting to bruteforce users and now we wait till we get the correct creds and get logged in automatically
We got connected successfully as user melanie, moving onto getting user flag
Moving further to priv esc
Privilege Escalation
Checking for hidden files and folders in the root directory
We see a strange folder named PSTranscripts, entering it we dont see anything until looking for hidden files and folders again
We see one more folder in it and looking further into it
We get a txt file related to Powershell or something so we check the contents of it
If we look carefully, we can see that it leaks password for user ryan so we again use Evil-WinRM to connect to that account
We got connected successfully, looking for the group membership of the current user
We can see that the current user is a group member of DnsAdmins which is prone to a getting SYSTEM using DLL injection method
We create a malicious dll using msfvenom for the dll injection
Also we start up a smbserver using Impacket’s smbserver.py
Now we injected the malicious dll and then check the netcat listener
We got shell as SYSTEM and now we get the root flag
