Return HTB - Writeup
very small, easy one. in this one, i use HTB's pwnbox, and actually it's pretty smooth! easy to use when i'm not on my home computer.
after scanning all the ports, we find that port 80 is open and consists of a printer application. in the settings, we can redirect the local address to our own and start a listener on port 389.
here, we get creds for svc-printer
after logging in with evilwinrm and getting sharphound on, we see we're a part of the local administrators group and can make use of WriteDacl https://imgur.com/a/06YANGZ
net group "domain admins" svc-printer /add /domain
that's it!