HTB: Return Writeup

Return is an easy-level machine and the 4th challenge in the printer exploitation track.

Initial Enumeration
To start, I performed an Nmap scan to enumerate open ports and services on the target machine:
nmap -sV -Pn -p- -T5 10.129.95.241 > nmapres.txt

We got a bunch of ports open, among which is a web server running on port 80.
Investigating the Web Server
Accessing the web server revealed a settings page. This page included server configuration details and an “Update” button that sends the server information to a specified address.

On observing the update functionality, I hypothesized that the server might send sensitive information, such as credentials, to the configured server address.

To exploit this, I set up a listener on my machine to capture the data.
The listener was configured to listen on port 389, the standard LDAP port; in this case it was used to capture the server’s outbound traffic.
Then I changed the server address in the settings to point to my machine’s IP and clicked the “Update” button to trigger the server to send its data to my listener.
Quick and easy.
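The pass-back above works because the device binds to whatever LDAP server address it is given. As an added defensive example (not code from the original post), the following check runs over constructed connection-log lines and flags any outbound LDAP/LDAPS connection from the device to a host that is not one of its approved directory servers; the approved server address and the second destination address are assumed values, and the device address is the target IP from the scan above.

```python
from dataclasses import dataclass

# Constructed sample connection log (not from the original post).
# Fields: timestamp src dst dport proto
# 10.129.95.241 is the device; 10.129.95.10 is an assumed approved
# directory server; 10.10.14.5 is an assumed unapproved host.
SAMPLE_LOG = """\
2024-12-28T10:01:02Z 10.129.95.241 10.129.95.10 389 tcp
2024-12-28T10:01:05Z 10.129.95.241 10.10.14.5 389 tcp
2024-12-28T10:01:07Z 10.129.95.241 10.129.95.10 636 tcp
2024-12-28T10:01:09Z 10.129.95.241 10.10.14.5 636 tcp
2024-12-28T10:02:00Z 10.129.95.241 10.129.95.20 445 tcp
"""

# Assumed inventory: the only directory servers this device may contact.
APPROVED_LDAP_SERVERS = {"10.129.95.10"}
LDAP_PORTS = {389, 636, 3268, 3269}   # LDAP, LDAPS, Global Catalog, GC over TLS
CLEARTEXT_PORTS = {389, 3268}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Split one whitespace-separated log line into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return ts, src, dst, int(dport), proto


def detect_ldap_passback(log_text, approved=APPROVED_LDAP_SERVERS):
    """Return an Alert for every LDAP/LDAPS connection to an unapproved host.

    A cleartext bind (389/3268) to an unknown host exposes the configured
    credentials directly; LDAPS to an unknown host still matters because the
    device may not validate the server certificate.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if proto != "tcp" or dport not in LDAP_PORTS or dst in approved:
            continue
        if dport in CLEARTEXT_PORTS:
            reason = "cleartext LDAP bind to unapproved host"
        else:
            reason = "LDAPS to unapproved host (verify certificate validation)"
        alerts.append(Alert(ts, src, dst, dport, reason))
    return alerts


if __name__ == "__main__":
    for alert in detect_ldap_passback(SAMPLE_LOG):
        print(alert)
```

The SMB connection on port 445 is deliberately ignored: the check targets only directory-service ports, so it stays quiet on a device's normal print and file traffic.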

Using Evil-WinRM for Shell Access
With the credentials in hand, I used Evil-WinRM, a tool specifically designed to exploit Windows Remote Management (WinRM) services, to gain access to the target machine.
We’re in.


Source: https://stortny.github.io/blog/2024/12/28/Return/
Author: stortny
Posted on: December 28, 2024