Tools

impacket-
sudo apt install -y python-impacket

evil-winrm-
git clone https://github.com/Hackplayers/evil-winrm
cd evil-winrm
install gem evil-winrm

Foothold

enum4linux 10.10.10.169

From the output, I obtained both a list of users, as well as a password that appeared to be setup for first time users on the box.

User:

I attempted using the login for each user until one was able to successfully authenticate. I then grabbed the user flag for the box:

Root:

After some further enumeration, I came across the following file stating another set of login credentials:

I then ended my session as melanie, and authenticated as ryan. I then ran another command to list what groups ryan was a part of on the box:

The group that stuck out to me here was DnsAdmins. I took some time to research DnsAdmins privilege escalation, and came across an interesting method I figured was worth a try. This included the following steps:

Create a listener with netcat using:

Generate a .dll injection payload for windows using msfvenom:

Created an SMB share on my box so Resolute could grab my .dll file:

Went back to my user shell on Resolute to complete the injection attack:

My netcat terminal popped an admin shell which allowed me to grab the root.txt:

And there was r00t for Resolute.