Hack The Box :: Resolute

#LDAPAnonymousBind #PowershellTranscript #DNSPluginDLLInjection

noobintheshell
8 min read · May 30, 2020

Resolute is a Medium Windows box created by egre55. It was released on December 7th, 2019 and retired on May 30th, 2020. The users rated the difficulty of this box 4.8/10 and gave it an appreciation score of 4.7/5.

Resolute Info Card

TL;DR

We can bind anonymously to a Windows 2016 Active Directory, where a comment in a user object contains the default password used when creating new users. Password spraying shows that the password works for the user melanie. Because this user is also a member of the Remote Management Users group, we can log in through WinRM and grab the user flag. The user ryan is a member of the same group and of the DnsAdmins group, which has a known escalation path to SYSTEM. We find a hidden PowerShell transcript file that leaks his password. We escalate privileges by injecting a malicious DLL into the DNS service.
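A defender-side check for the first finding above, as an added example that is not part of the original write-up: it scans an LDIF export of the directory for free-text user attributes that appear to hold a credential. The attribute list, the keyword heuristic and the sample entries are assumptions constructed for illustration.

```python
import base64
import re

# Free-text attributes where provisioning notes tend to accumulate (assumed list).
FREE_TEXT_ATTRS = {"description", "info", "comment"}
# Heuristic keywords suggesting a credential was written into the text.
CRED_HINT = re.compile(r"pass(word|wd)|pwd|credential", re.I)

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry (RFC 2849 folding and base64)."""
    unfolded = re.sub(r"\r?\n ", "", text)      # newline + one space = continuation
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):           # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            yield entry

def find_leaky_attributes(ldif_text):
    """Return sorted (sAMAccountName, attribute, value) for suspicious free text."""
    findings = []
    for entry in parse_ldif(ldif_text):
        account = entry.get("samaccountname", ["?"])[0]
        for attr in FREE_TEXT_ATTRS.intersection(entry):
            findings += [(account, attr, v) for v in entry[attr] if CRED_HINT.search(v)]
    return sorted(findings)

# Constructed sample export: names, domain and password strings are made up.
SAMPLE_LDIF = "\n".join([
    "dn: CN=Alice Example,CN=Users,DC=corp,DC=example",
    "sAMAccountName: alice",
    "description: Account created. Default pas",
    " sword is Example-Value-1!",               # folded continuation line
    "",
    "dn: CN=Bob Example,CN=Users,DC=corp,DC=example",
    "sAMAccountName: bob",
    "description: Finance team lead",
    "",
    "dn: CN=Carol Example,CN=Users,DC=corp,DC=example",
    "sAMAccountName: carol",
    "info:: " + base64.b64encode(b"temp pwd: Example-Value-2").decode(),
])

if __name__ == "__main__":
    for account, attr, value in find_leaky_attributes(SAMPLE_LDIF):
        print(f"{account}: {attr} looks like it holds a credential: {value!r}")
```

The folded and base64-encoded entries are there because a plain line-by-line grep over the export would miss both.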

Note: unless otherwise stated, all commands and scripts you will find below are run on macOS. In particular, sed and base64 syntax may differ slightly from the Linux versions. Python 3 is the preferred interpreter.

noobintheshell

Cyber Security Professional and CTFer from Switzerland.