
HTB: Return - OSCP Prep Write-up
Return is one of those machines where the initial foothold is almost embarrassingly easy - and then it hands you a privilege escalation path that is genuinely worth knowing. Server Operators is not talked about as much as SeBackupPrivilege, but it is just as dangerous.

Machine info

Name: Return
Platform: HackTheBox
OS: Windows
Difficulty: Easy

TL;DR

- A printer admin web panel allows changing the LDAP server address - pointing it at Kali captures cleartext credentials for svc-printer
- svc-printer has WinRM access and is a member of Server Operators, which allows stopping and reconfiguring Windows services
- Abused sc.exe to hijack a service binary path and create a local admin user
- Ran secretsdump, passed the Administrator hash via evil-winrm

Recon

Nmap

    nmap -sV -sC -Pn -A 10.129.34.220

Open ports include 80 (HTTP), 88 (Kerberos), 389 (LDAP), 445 (SMB), 5985 (WinRM). Standard Windows domain controller spread. Port 80 is the interesting one. ...
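A detection check for the service binary path change summarised in the TL;DR, added here as an example and not part of the original write-up. It assumes Sysmon registry logging (Event ID 13) is enabled and the events are already parsed into dictionaries; the sample records, service names and heuristics are constructed for illustration.

```python
import re

# Constructed Sysmon Event ID 13 (registry value set) records, reduced to the
# fields used below. The Service Control Manager performs the write, so Image
# is services.exe rather than sc.exe; do not filter on the client tool.
SCM = r"C:\Windows\system32\services.exe"
SVC = r"HKLM\System\CurrentControlSet\Services"
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-01-01 10:00:01.000", "Image": SCM,
     "TargetObject": SVC + r"\ExampleSvc\ImagePath",
     "Details": r"C:\Windows\System32\cmd.exe /c net user example-user /add"},
    {"EventID": 13, "UtcTime": "2024-01-01 10:05:00.000", "Image": SCM,
     "TargetObject": SVC + r"\ExampleAgent\ImagePath",
     "Details": r'"C:\Program Files\Example\agent.exe" --service'},
    {"EventID": 13, "UtcTime": "2024-01-01 10:06:00.000", "Image": SCM,
     "TargetObject": SVC + r"\ExampleSvc\Start",
     "Details": "DWORD (0x00000002)"},
]

IMAGEPATH_KEY = re.compile(
    r"\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.I)

# Heuristics chosen for this example (assumptions, tune per environment).
SUSPICIOUS = [
    ("command interpreter", re.compile(r"\b(cmd|powershell|pwsh)(\.exe)?\b", re.I)),
    ("account management", re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b", re.I)),
    ("user-writable path", re.compile(r"\\(Users|Temp|ProgramData)\\", re.I)),
]

def triage(events):
    """Return one finding per service ImagePath change that matches a heuristic."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = IMAGEPATH_KEY.search(ev.get("TargetObject", ""))
        if key is None:
            continue  # not a service binary path (e.g. the Start value)
        new_path = ev.get("Details", "")
        reasons = [label for label, rx in SUSPICIOUS if rx.search(new_path)]
        if reasons:
            findings.append({"service": key.group(1), "time": ev.get("UtcTime"),
                             "new_path": new_path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["time"], f["service"], f["reasons"], f["new_path"])
```

Any ImagePath change on a domain controller is worth reviewing against change records, and the membership of Server Operators should be kept empty or minimal so that accounts like svc-printer cannot reconfigure services at all.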