search

Return

Write up for the HTB machine 'Return'

hashtag
1. Inital recon

hashtag
1.1 nmap

nmap -sC -sV 10.10.11.108

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-05-12 04:05:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 18m10s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-05-12T04:05:17
|_  start_date: N/A

nmap -p- 10.10.11.108

hashtag
1.2 Web recon

The web application is hosting a page at 10.10.11.108/settings.php. Submitting the page with the update button and capturing this POST request in burpsuite we can see that there the only field being sent is the ip address.

Spin up a netcat listener and send through the ip of your attacking machine as the value for the ip in the POST request, making sure that your listener is listening on port 389

From there we get this output

Judging by the web application, we can assume that 1edFg43012!! is a potential password

hashtag
2. user.txt

hashtag
2.1 evil-winrm

We can see from our second nmap scan that there is a port for WinRm. Let's use evil-winrm to get a shell

evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'

The user flag can be found at C:\Users\svc-printer\Desktop

hashtag
3. root.txt

As the user svc-printer let's check our privileges using whoami /priv

let's also check which groups the user is in too using whoami /groups

The Server Operatorsarrow-up-right group most importantly allows us to stop and start services

So, let's upload nc64.exe and use that to be the binary for a service. When we start the service, we will be able to catch a shell.

In our evil-winrm shell we can run the command upload /home/kali/Desktop/htb/nc64.exe to upload the nc64.exe binary. Then

to set the binary for the service VSS to cmd.exe with the arguments to run the nc64.exe binary.

Note: sc.exe is Service Control, which is what allows us to create, start, stop, query or delete any windows service.

Then, spin up a netcat listener on the same port you specified in the sc.exe command, then in the evil-winrm shell run sc.exe stop VSS and then sc.exe start VSS and your netcat listener will catch a root shell.

The root flag can be found at C:\Users\Administrator\Desktop

PreviousPCNextIce

Last updated