HackTheBox - Return Writeup
Box author | MrR3boot
Nmap
First, let's start by scanning the IP address with Nmap.
That's a bunch of open ports. It turns out this machine is part of an Active Directory domain.
Http
Port 80 got my attention because the Nmap scan result says the title of the webpage is HTB Printer Admin Panel. Let's take a look at it; the site is running on Microsoft IIS.
It is a simple webpage and a lot of the buttons on the navigation bar don't work at all. However, when I clicked on the Settings button, I was greeted by this!
So, I tried to change the password first and played around with it, but nothing happened. Then I googled around and found this: HackTricks - AD information in printers. It highlights some blogs too:
- https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/
- https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856
- https://grimhacker.com/2018/03/09/just-a-printer/
NetCat
First, let's start nc and listen on port 389. Then, in the Settings page, change the Server Address to your IP address (the tun0 one) and click Update.
In the image above, nc successfully grabs the password, and it is in clear text.
Evil-WinRM
Now I have the password of the svc-printer user. Let's try to connect to this machine using Evil-WinRM.
YES! I'm in. This user can also read the user flag, located in the directory C:\Users\svc-printer\Desktop.
Server Operators
The first thing I love to do is run the command whoami /all. This command displays user, group, and privilege information for the user who is currently logged on.
Here's the result. BUILTIN\Server Operators caught my eye. Why? Because this group can create and delete network shared resources, start and stop services, and back up and restore files. Need more information on this group? Here's the link: Microsoft - Server Operators
So, I started googling around and found this: cube0x0 - Poc'ing Beyond Domain Admin - Part 1. This article shows how to stop and start services.
nc.exe
First, I'm going to start a python http server on my attack machine in a directory called www, which contains a copy of the nc.exe file. Then, download it onto the victim machine, which is a Windows machine.
System Shell
The article is straightforward, and I'm going to change a service configuration. In this case, I'm going to change the VSS config to run nc.exe, but first I'm going to start an nc listener on my attack machine on my desired port. Anyway, the command is down below:
TA DAAA!!! Now I'm NT AUTHORITY\SYSTEM.
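As an added defender-side example (not part of the original writeup), the script below flags the kind of change made in this step: a service's ImagePath being rewritten to a binary outside the usual system locations. It assumes Sysmon Event ID 13 (registry value set) telemetry reduced to TargetObject, Details and User fields; the trusted-directory list, the VSS baseline entry and the sample events are constructed.

```python
"""Flag Windows service ImagePath changes that point outside trusted locations.
Input: Sysmon Event ID 13 (Value Set) records as a SIEM exposes them; constructed."""
import re
from typing import Iterable, List, Optional
# Directories a legitimate Windows service binary normally lives in.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
BASELINE = {"vss": r"%systemroot%\system32\vssvc.exe"}  # constructed baseline
IMAGEPATH_RE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)

def first_executable(image_path: str) -> str:
    """Executable part of a service command line, quoted or not."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split()[0] if s else ""

def normalise(path: str) -> str:
    """Lower-case and expand the variables service paths commonly use."""
    return path.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")

def check_event(ev: dict) -> Optional[dict]:
    """Finding for an ImagePath rewritten to an untrusted binary, else None."""
    match = IMAGEPATH_RE.search(ev.get("TargetObject", ""))
    if ev.get("EventID") != 13 or not match:
        return None
    service = match.group(1).lower()
    exe = normalise(first_executable(ev.get("Details", "")))
    reasons = []
    if not exe.startswith(TRUSTED_DIRS):
        reasons.append(f"binary outside trusted directories: {exe}")
    expected = BASELINE.get(service)
    if expected and exe != normalise(expected):
        reasons.append(f"deviates from baseline {expected}")
    if not reasons:
        return None
    return {"service": service, "user": ev.get("User", "?"), "reasons": reasons}

def scan(events: Iterable[dict]) -> List[dict]:
    return [f for f in (check_event(e) for e in events) if f]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"%SystemRoot%\System32\spoolsv.exe"},
    {"EventID": 13, "User": "RETURN\\svc-printer",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VSS\ImagePath",
     "Details": r"C:\Users\svc-printer\nc.exe"},
]
```

Pair the alert with the account that made the change: a Server Operators member rewriting a service path is exactly the event a domain defender wants to see.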